Merge pull request #14059 from RasmusWL/fix-loginjection-tests

Python: Fix stdlib sinks in LogInjection query
github · Aug 28, 2023 · 2e981e3 · 2e981e3
2 parents 6e05246 + c807ab4
commit 2e981e3
Showing 1 changed file with 29 additions and 1 deletion.
diff --git a/python/ql/lib/semmle/python/security/dataflow/LogInjectionCustomizations.qll b/python/ql/lib/semmle/python/security/dataflow/LogInjectionCustomizations.qll
@@ -47,7 +47,35 @@ module LogInjection {
    * A logging operation, considered as a flow sink.
    */
   class LoggingAsSink extends Sink {
-    LoggingAsSink() { this = any(Logging write).getAnInput() }
+    LoggingAsSink() {
+      this = any(Logging write).getAnInput() and
+      // since the inner implementation of the `logging.Logger.warn` function is
+      // ```py
+      // class Logger:
+      //     def warn(self, msg, *args, **kwargs):
+      //         warnings.warn("The 'warn' method is deprecated, "
+      //             "use 'warning' instead", DeprecationWarning, 2)
+      //         self.warning(msg, *args, **kwargs)
+      // ```
+      // any time we would report flow to such a logging sink, we can ALSO report
+      // the flow to the `self.warning` sink -- obviously we don't want that.
+      //
+      // However, simply removing taint edges out of a sink is not a good enough solution,
+      // since we would only flag one of the `logging.info` calls in the following example
+      // due to use-use flow
+      // ```py
+      // logger.warn(user_controlled)
+      // logger.warn(user_controlled)
+      // ```
+      //
+      // The same approach is used in the command injection query.
+      not exists(Module loggingInit |
+        loggingInit.getName() = "logging.__init__" and
+        this.getScope().getEnclosingModule() = loggingInit and
+        // do allow this call if we're analyzing logging/__init__.py as part of CPython though
+        not exists(loggingInit.getFile().getRelativePath())
+      )
+    }
   }
 
   /**