Python: Untrusted data used in external APIs #4735
Merged
My main goal for this PR was to provide something that is useful fairly quickly. Therefore I'm doing a few dirty tricks. See more details in the `.qll` file. As indicated in the test file, there are a few limitations.

In `from unknown.lib import func; func(data)`, `func` will point-to Missing module attribute `unknown.lib.func`, so there will not even be a `DataFlowPrivate::DataFlowCall`.

In `import unknown.lib; unknown.lib.func(data)`, `func` doesn't have any points-to information. Again, no `DataFlowPrivate::DataFlowCall` for this call.

I could have tried to handle this, but I decided not to invest more time in this. The query is not perfect, but should be helpful by now. Let's discuss if you think that's wrong :)

P.S. I added the `ExternalAPIs.qll` file right next to the query files. This means it can't be imported by anyone else (since there is a `-` in the path to it). Initially I just had it there because it was easy, but I was slightly skeptical about moving it to `python/ql/src/semmle/python/security/dataflow/ExternalAPIs.qll`, just because I wasn't too happy about publicly exposing it and having to think about deprecations for a file that I'm already actively planning to rewrite in the future. Let me know if you think we should do it differently.