Merge pull request #14068 from RasmusWL/dataflow-config-refactor

Python: Use new dataflow API
github · Sep 4, 2023 · 49f5d38 · 49f5d38
2 parents 4a1163b + ce63358
commit 49f5d38
Show file tree

Hide file tree

Showing 108 changed files with 1,032 additions and 728 deletions.
diff --git a/python/ql/lib/semmle/python/security/dataflow/CleartextLoggingQuery.qll b/python/ql/lib/semmle/python/security/dataflow/CleartextLoggingQuery.qll
@@ -16,9 +16,11 @@ private import semmle.python.dataflow.new.SensitiveDataSources
 import CleartextLoggingCustomizations::CleartextLogging
 
 /**
+ * DEPRECATED: Use `CleartextLoggingFlow` module instead.
+ *
  * A taint-tracking configuration for detecting "Clear-text logging of sensitive information".
  */
-class Configuration extends TaintTracking::Configuration {
+deprecated class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "CleartextLogging" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -31,3 +33,14 @@ class Configuration extends TaintTracking::Configuration {
     node instanceof Sanitizer
   }
 }
+
+private module CleartextLoggingConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+}
+
+/** Global taint-tracking for detecting "Clear-text logging of sensitive information" vulnerabilities. */
+module CleartextLoggingFlow = TaintTracking::Global<CleartextLoggingConfig>;
diff --git a/python/ql/lib/semmle/python/security/dataflow/CleartextStorageQuery.qll b/python/ql/lib/semmle/python/security/dataflow/CleartextStorageQuery.qll
@@ -16,9 +16,11 @@ private import semmle.python.dataflow.new.SensitiveDataSources
 import CleartextStorageCustomizations::CleartextStorage
 
 /**
+ * DEPRECATED: Use `CleartextStorageFlow` module instead.
+ *
  * A taint-tracking configuration for detecting "Clear-text storage of sensitive information".
  */
-class Configuration extends TaintTracking::Configuration {
+deprecated class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "CleartextStorage" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -31,3 +33,14 @@ class Configuration extends TaintTracking::Configuration {
     node instanceof Sanitizer
   }
 }
+
+private module CleartextStorageConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+}
+
+/** Global taint-tracking for detecting "Clear-text storage of sensitive information" vulnerabilities. */
+module CleartextStorageFlow = TaintTracking::Global<CleartextStorageConfig>;
diff --git a/python/ql/lib/semmle/python/security/dataflow/CodeInjectionQuery.qll b/python/ql/lib/semmle/python/security/dataflow/CodeInjectionQuery.qll
@@ -12,9 +12,11 @@ import semmle.python.dataflow.new.TaintTracking
 import CodeInjectionCustomizations::CodeInjection
 
 /**
+ * DEPRECATED: Use `CodeInjectionFlow` module instead.
+ *
  * A taint-tracking configuration for detecting "code injection" vulnerabilities.
  */
-class Configuration extends TaintTracking::Configuration {
+deprecated class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "CodeInjection" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -27,3 +29,14 @@ class Configuration extends TaintTracking::Configuration {
     guard instanceof SanitizerGuard
   }
 }
+
+private module CodeInjectionConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+}
+
+/** Global taint-tracking for detecting "code injection" vulnerabilities. */
+module CodeInjectionFlow = TaintTracking::Global<CodeInjectionConfig>;
diff --git a/python/ql/lib/semmle/python/security/dataflow/CommandInjectionQuery.qll b/python/ql/lib/semmle/python/security/dataflow/CommandInjectionQuery.qll
@@ -12,9 +12,11 @@ import semmle.python.dataflow.new.TaintTracking
 import CommandInjectionCustomizations::CommandInjection
 
 /**
+ * DEPRECATED: Use `CommandInjectionFlow` module instead.
+ *
  * A taint-tracking configuration for detecting "command injection" vulnerabilities.
  */
-class Configuration extends TaintTracking::Configuration {
+deprecated class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "CommandInjection" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -27,3 +29,17 @@ class Configuration extends TaintTracking::Configuration {
     guard instanceof SanitizerGuard
   }
 }
+
+/**
+ * A taint-tracking configuration for detecting "command injection" vulnerabilities.
+ */
+module CommandInjectionConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+}
+
+/** Global taint-tracking for detecting "command injection" vulnerabilities. */
+module CommandInjectionFlow = TaintTracking::Global<CommandInjectionConfig>;
diff --git a/python/ql/lib/semmle/python/security/dataflow/LdapInjectionQuery.qll b/python/ql/lib/semmle/python/security/dataflow/LdapInjectionQuery.qll
@@ -14,10 +14,12 @@ import semmle.python.dataflow.new.RemoteFlowSources
 import LdapInjectionCustomizations::LdapInjection
 
 /**
+ * DEPRECATED: Use `LdapInjectionDnFlow` module instead.
+ *
  * A taint-tracking configuration for detecting LDAP injection vulnerabilities
  * via the distinguished name (DN) parameter of an LDAP search.
  */
-class DnConfiguration extends TaintTracking::Configuration {
+deprecated class DnConfiguration extends TaintTracking::Configuration {
   DnConfiguration() { this = "LdapDnInjection" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -31,11 +33,24 @@ class DnConfiguration extends TaintTracking::Configuration {
   }
 }
 
+private module LdapInjectionDnConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof DnSink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof DnSanitizer }
+}
+
+/** Global taint-tracking for detecting "LDAP injection via the distinguished name (DN) parameter" vulnerabilities. */
+module LdapInjectionDnFlow = TaintTracking::Global<LdapInjectionDnConfig>;
+
 /**
+ * DEPRECATED: Use `LdapInjectionFilterFlow` module instead.
+ *
  * A taint-tracking configuration for detecting LDAP injection vulnerabilities
  * via the filter parameter of an LDAP search.
  */
-class FilterConfiguration extends TaintTracking::Configuration {
+deprecated class FilterConfiguration extends TaintTracking::Configuration {
   FilterConfiguration() { this = "LdapFilterInjection" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -48,3 +63,19 @@ class FilterConfiguration extends TaintTracking::Configuration {
     guard instanceof FilterSanitizerGuard
   }
 }
+
+private module LdapInjectionFilterConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof FilterSink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof FilterSanitizer }
+}
+
+/** Global taint-tracking for detecting "LDAP injection via the filter parameter" vulnerabilities. */
+module LdapInjectionFilterFlow = TaintTracking::Global<LdapInjectionFilterConfig>;
+
+/** Global taint-tracking for detecting "LDAP injection" vulnerabilities. */
+module LdapInjectionFlow =
+  DataFlow::MergePathGraph<LdapInjectionDnFlow::PathNode, LdapInjectionFilterFlow::PathNode,
+    LdapInjectionDnFlow::PathGraph, LdapInjectionFilterFlow::PathGraph>;
diff --git a/python/ql/lib/semmle/python/security/dataflow/LogInjectionQuery.qll b/python/ql/lib/semmle/python/security/dataflow/LogInjectionQuery.qll
@@ -1,5 +1,5 @@
 /**
- * Provides a taint-tracking configuration for tracking untrusted user input used in log entries.
+ * Provides a taint-tracking configuration for tracking "log injection" vulnerabilities.
  *
  * Note, for performance reasons: only import this file if
  * `LogInjection::Configuration` is needed, otherwise
@@ -12,9 +12,11 @@ import semmle.python.dataflow.new.TaintTracking
 import LogInjectionCustomizations::LogInjection
 
 /**
+ * DEPRECATED: Use `LogInjectionFlow` module instead.
+ *
  * A taint-tracking configuration for tracking untrusted user input used in log entries.
  */
-class Configuration extends TaintTracking::Configuration {
+deprecated class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "LogInjection" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -27,3 +29,14 @@ class Configuration extends TaintTracking::Configuration {
     guard instanceof SanitizerGuard
   }
 }
+
+private module LogInjectionConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+}
+
+/** Global taint-tracking for detecting "log injection" vulnerabilities. */
+module LogInjectionFlow = TaintTracking::Global<LogInjectionConfig>;
diff --git a/python/ql/lib/semmle/python/security/dataflow/PamAuthorizationQuery.qll b/python/ql/lib/semmle/python/security/dataflow/PamAuthorizationQuery.qll
@@ -12,9 +12,11 @@ import semmle.python.dataflow.new.TaintTracking
 import PamAuthorizationCustomizations::PamAuthorizationCustomizations
 
 /**
+ * DEPRECATED: Use `PamAuthorizationFlow` module instead.
+ *
  * A taint-tracking configuration for detecting "PAM Authorization" vulnerabilities.
  */
-class Configuration extends TaintTracking::Configuration {
+deprecated class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "PamAuthorization" }
 
   override predicate isSource(DataFlow::Node node) { node instanceof Source }
@@ -37,3 +39,28 @@ class Configuration extends TaintTracking::Configuration {
     exists(VulnPamAuthCall c | c.getArg(0) = node1 | node2 = c)
   }
 }
+
+private module PamAuthorizationConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    // Models flow from a remotely supplied username field to a PAM `handle`.
+    // `retval = pam_start(service, username, byref(conv), byref(handle))`
+    exists(API::CallNode pamStart, DataFlow::Node handle, API::CallNode pointer |
+      pointer = API::moduleImport("ctypes").getMember(["pointer", "byref"]).getACall() and
+      pamStart = libPam().getMember("pam_start").getACall() and
+      pointer = pamStart.getArg(3) and
+      handle = pointer.getArg(0) and
+      pamStart.getArg(1) = node1 and
+      handle = node2
+    )
+    or
+    // Flow from handle to the authenticate call in the final step
+    exists(VulnPamAuthCall c | c.getArg(0) = node1 | node2 = c)
+  }
+}
+
+/** Global taint-tracking for detecting "PAM Authorization" vulnerabilities. */
+module PamAuthorizationFlow = TaintTracking::Global<PamAuthorizationConfig>;
diff --git a/python/ql/lib/semmle/python/security/dataflow/PathInjectionQuery.qll b/python/ql/lib/semmle/python/security/dataflow/PathInjectionQuery.qll
@@ -13,6 +13,8 @@ import semmle.python.dataflow.new.TaintTracking
 import PathInjectionCustomizations::PathInjection
 
 /**
+ * DEPRECATED: Use `PathInjectionFlow` module instead.
+ *
  * A taint-tracking configuration for detecting "path injection" vulnerabilities.
  *
  * This configuration uses two flow states, `NotNormalized` and `NormalizedUnchecked`,
@@ -25,7 +27,7 @@ import PathInjectionCustomizations::PathInjection
  *
  * Such checks are ineffective in the `NotNormalized` state.
  */
-class Configuration extends TaintTracking::Configuration {
+deprecated class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "PathInjection" }
 
   override predicate isSource(DataFlow::Node source, DataFlow::FlowState state) {
@@ -74,3 +76,52 @@ class NotNormalized extends DataFlow::FlowState {
 class NormalizedUnchecked extends DataFlow::FlowState {
   NormalizedUnchecked() { this = "NormalizedUnchecked" }
 }
+
+/**
+ * This configuration uses two flow states, `NotNormalized` and `NormalizedUnchecked`,
+ * to track the requirement that a file path must be first normalized and then checked
+ * before it is safe to use.
+ *
+ * At sources, paths are assumed not normalized. At normalization points, they change
+ * state to `NormalizedUnchecked` after which they can be made safe by an appropriate
+ * check of the prefix.
+ *
+ * Such checks are ineffective in the `NotNormalized` state.
+ */
+module PathInjectionConfig implements DataFlow::StateConfigSig {
+  class FlowState = DataFlow::FlowState;
+
+  predicate isSource(DataFlow::Node source, FlowState state) {
+    source instanceof Source and state instanceof NotNormalized
+  }
+
+  predicate isSink(DataFlow::Node sink, FlowState state) {
+    sink instanceof Sink and
+    (
+      state instanceof NotNormalized or
+      state instanceof NormalizedUnchecked
+    )
+  }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate isBarrier(DataFlow::Node node, FlowState state) {
+    // Block `NotNormalized` paths here, since they change state to `NormalizedUnchecked`
+    node instanceof Path::PathNormalization and
+    state instanceof NotNormalized
+    or
+    node instanceof Path::SafeAccessCheck and
+    state instanceof NormalizedUnchecked
+  }
+
+  predicate isAdditionalFlowStep(
+    DataFlow::Node nodeFrom, FlowState stateFrom, DataFlow::Node nodeTo, FlowState stateTo
+  ) {
+    nodeFrom = nodeTo.(Path::PathNormalization).getPathArg() and
+    stateFrom instanceof NotNormalized and
+    stateTo instanceof NormalizedUnchecked
+  }
+}
+
+/** Global taint-tracking for detecting "path injection" vulnerabilities. */
+module PathInjectionFlow = TaintTracking::GlobalWithState<PathInjectionConfig>;
diff --git a/python/ql/lib/semmle/python/security/dataflow/PolynomialReDoSCustomizations.qll b/python/ql/lib/semmle/python/security/dataflow/PolynomialReDoSCustomizations.qll
@@ -6,7 +6,6 @@
 
 private import python
 private import semmle.python.dataflow.new.DataFlow
-private import semmle.python.dataflow.new.DataFlow2
 private import semmle.python.dataflow.new.TaintTracking
 private import semmle.python.Concepts
 private import semmle.python.dataflow.new.RemoteFlowSources

diff --git a/python/ql/lib/semmle/python/security/dataflow/PolynomialReDoSQuery.qll b/python/ql/lib/semmle/python/security/dataflow/PolynomialReDoSQuery.qll
@@ -12,9 +12,11 @@ import semmle.python.dataflow.new.TaintTracking
 import PolynomialReDoSCustomizations::PolynomialReDoS
 
 /**
+ * DEPRECATED: Use `PolynomialReDoSFlow` module instead.
+ *
  * A taint-tracking configuration for detecting "polynomial regular expression denial of service (ReDoS)" vulnerabilities.
  */
-class Configuration extends TaintTracking::Configuration {
+deprecated class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "PolynomialReDoS" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -27,3 +29,14 @@ class Configuration extends TaintTracking::Configuration {
     guard instanceof SanitizerGuard
   }
 }
+
+private module PolynomialReDoSConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+}
+
+/** Global taint-tracking for detecting "polynomial regular expression denial of service (ReDoS)" vulnerabilities. */
+module PolynomialReDoSFlow = TaintTracking::Global<PolynomialReDoSConfig>;
diff --git a/python/ql/lib/semmle/python/security/dataflow/ReflectedXssQuery.qll b/python/ql/lib/semmle/python/security/dataflow/ReflectedXssQuery.qll
@@ -12,9 +12,11 @@ import semmle.python.dataflow.new.TaintTracking
 import ReflectedXSSCustomizations::ReflectedXss
 
 /**
+ * DEPRECATED: Use `ReflectedXssFlow` module instead.
+ *
  * A taint-tracking configuration for detecting "reflected server-side cross-site scripting" vulnerabilities.
  */
-class Configuration extends TaintTracking::Configuration {
+deprecated class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "ReflectedXSS" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -27,3 +29,14 @@ class Configuration extends TaintTracking::Configuration {
     guard instanceof SanitizerGuard
   }
 }
+
+private module ReflectedXssConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+}
+
+/** Global taint-tracking for detecting "reflected server-side cross-site scripting" vulnerabilities. */
+module ReflectedXssFlow = TaintTracking::Global<ReflectedXssConfig>;