
Conversation

@RasmusWL
Member

My main goal for this PR was to provide something that is useful fairly quickly. Therefore I'm doing a few dirty tricks. See more details in the .qll file.

As indicated in the test-file, there are a few limitations.

In `from unknown.lib import func; func(data)`, `func` will point-to `Missing module attribute unknown.lib.func`, so there will not even be a `DataFlowPrivate::DataFlowCall`.

In `import unknown.lib; unknown.lib.func(data)`, `func` doesn't have any points-to information. Again, no `DataFlowPrivate::DataFlowCall` for this call.

I could have tried to handle this, but I decided not to invest more time in this. The query is not perfect, but should be helpful by now. Let's discuss if you think that's wrong :)


P.S. I added the `ExternalAPIs.qll` file right next to the query files. This means it can't be imported by anyone else (since there is a `-` in the path to it). Initially I just had it there because it was easy, but I was slightly skeptical about moving it to `python/ql/src/semmle/python/security/dataflow/ExternalAPIs.qll`, just because I wasn't too happy about publicly exposing it and having to think about deprecations for a file that I'm already actively planning to rewrite in the future. Let me know if you think we should do it differently.
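The two unresolved-callee cases listed above are the hard part of an "untrusted data flows to an external API" query. The following is an added, stand-alone illustration of that idea written with Python's stdlib `ast` module; it is not the CodeQL query from this PR and borrows nothing from the CodeQL library. It resolves both import forms from the description (`from unknown.lib import func` and `import unknown.lib; unknown.lib.func(...)`) plus `import ... as` aliases to a dotted name, tracks taint through straight-line assignments, and reports calls into modules outside the analysed project that receive a tainted argument. The untrusted-source set, the `LOCAL_MODULES` set and the `SAMPLE` program are constructed assumptions for the demo.

```python
import ast

# Assumption: attribute paths (after alias resolution) that yield untrusted input.
UNTRUSTED_SOURCES = {"flask.request.args", "flask.request.form", "sys.argv"}
# Assumption: top-level modules that belong to the analysed project itself;
# calls into them are not "external API" calls.
LOCAL_MODULES = {"myapp"}


def qualified_name(node, aliases):
    """Turn a Name/Attribute chain into a dotted name, resolving import aliases.
    Returns None for anything else (calls, subscripts, literals, ...)."""
    if isinstance(node, ast.Name):
        return aliases.get(node.id, node.id)
    if isinstance(node, ast.Attribute):
        base = qualified_name(node.value, aliases)
        return None if base is None else f"{base}.{node.attr}"
    return None


def is_tainted(expr, tainted, aliases):
    """True if expr mentions a tainted variable or reads an untrusted source."""
    for sub in ast.walk(expr):
        if isinstance(sub, ast.Name) and sub.id in tainted:
            return True
        if isinstance(sub, ast.Attribute):
            q = qualified_name(sub, aliases)
            if q and (q in UNTRUSTED_SOURCES
                      or any(q.startswith(s + ".") for s in UNTRUSTED_SOURCES)):
                return True
    return False


def find_external_api_sinks(source):
    """Return sorted (lineno, callee, arg_index) triples for tainted arguments
    passed to functions that live in modules outside LOCAL_MODULES."""
    tree = ast.parse(source)
    aliases = {}  # local binding -> fully qualified dotted name

    # 1. Resolve imports.  `import a.b` binds `a`; `import a.b as c` binds `c`;
    #    `from a.b import f` binds `f` to `a.b.f`.
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                if a.asname:
                    aliases[a.asname] = a.name
                else:
                    root = a.name.split(".")[0]
                    aliases[root] = root
        elif isinstance(node, ast.ImportFrom):
            for a in node.names:
                aliases[a.asname or a.name] = f"{node.module or '.'}.{a.name}"
    imported_roots = {v.split(".")[0] for v in aliases.values()}

    # 2. Flow-insensitive taint propagation through simple assignments,
    #    iterated to a fixpoint so chains like raw -> cleaned are followed.
    tainted = set()
    changed = True
    while changed:
        changed = False
        for node in ast.walk(tree):
            if isinstance(node, ast.Assign) and is_tainted(node.value, tainted, aliases):
                for target in node.targets:
                    if isinstance(target, ast.Name) and target.id not in tainted:
                        tainted.add(target.id)
                        changed = True

    # 3. Report external calls that receive a tainted positional argument.
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        callee = qualified_name(node.func, aliases)
        if callee is None:
            continue  # e.g. calling the result of another call: unresolved
        root = callee.split(".")[0]
        if root not in imported_roots or root in LOCAL_MODULES:
            continue
        for i, arg in enumerate(node.args):
            if is_tainted(arg, tainted, aliases):
                findings.append((node.lineno, callee, i))
    return sorted(findings)


# Constructed sample program exercising both import forms from the PR text.
SAMPLE = '''
from flask import request
from unknown.lib import func
import unknown.lib
import other.lib as ol
import myapp.util

def handler():
    raw = request.args.get("q")
    cleaned = raw.strip()
    func(cleaned)                 # external call via from-import: reported
    unknown.lib.func(raw)         # external call via dotted import: reported
    ol.send(cleaned, "x")         # external call via alias: reported
    myapp.util.store(raw)         # local module: not an external API
    unknown.lib.func("constant")  # external call, but no untrusted data
'''

if __name__ == "__main__":
    for lineno, callee, idx in find_external_api_sinks(SAMPLE):
        print(f"line {lineno}: untrusted data reaches {callee} (argument {idx})")
```

The toy deliberately resolves the import forms that the PR says the CodeQL points-to layer does not, so you can see what the query is meant to report once resolution succeeds; it has no notion of sanitizers, keyword arguments, or control flow, all of which the real query gets from the data-flow library.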

@RasmusWL RasmusWL requested review from a team and felicitymay as code owners November 26, 2020 17:21
@RasmusWL RasmusWL removed the request for review from felicitymay November 26, 2020 17:21
@RasmusWL
Member Author

Removed review from docs team, since qhelp files are (almost) identical to the ones from Java.

@yoff yoff left a comment
Contributor

This looks like a fine place to start. Ship to learn!

@yoff yoff merged commit 39acc9a into github:main Dec 17, 2020
@RasmusWL RasmusWL deleted the python-untrusted-flow branch December 18, 2020 13:39

2 participants