Py: Why a sanitizer blocks a NotNormalized Path before Safe checking it ? #14361

Sim4n6 · 2023-10-03T08:09:16Z

Sim4n6
Oct 3, 2023

Hey,

To my understanding of the path injection, the only safe case is when the state of the path goes through the following states:

    Path is NotNormaliazed --- NormalizedUnchecked --- (Get SafeChecked)

The problem is within the sanitizer, it contains:

    // Block `NotNormalized` paths here, since they change state to `NormalizedUnchecked`
    node instanceof Path::PathNormalization and state instanceof NotNormalized

So that means a NotNormalized path would get sanitized and blocked without being Safe checked, right? Am I missing something in here, please?

The path state NotNormalized has been switched permanently in the isAdditionalTaintStep() to NormalizedUnchecked. A bit troubled in here? can you please explain?

Answered by RasmusWL

Oct 9, 2023

In the additional taint step, we add an EXTRA edge to the taint-tracking graph to the new state. If there was an existing data-flow/taint-tracking edge to/from the same nodes, we would continue tracking with both states.

For example, if there is a general taint-step saying that the output of os.path.abspath is tainted if the first argument is tainted, in the code below, we would have that norm on the second line would be considered BOTH NormalizedUnchecked and NotNormalized, which is obviously wrong.

source # NotNormalized
norm = os.path.abspath(source) # norm is NormalizedUnchecked
if norm.startswith(f"{ROOT}/user_uploads/"):
    open(norm) # flow to norm is blocked
else:
    open(norm) #…

View full answer

Sim4n6 · 2023-10-06T13:55:04Z

Sim4n6
Oct 6, 2023
Author

I'm still interested on understanding this one ... it looks like I am missing a small detail ... can't figure it out. Please let me know if my question is not clear ?

0 replies

RasmusWL · 2023-10-09T13:45:16Z

RasmusWL
Oct 9, 2023
Maintainer

In the additional taint step, we add an EXTRA edge to the taint-tracking graph to the new state. If there was an existing data-flow/taint-tracking edge to/from the same nodes, we would continue tracking with both states.

For example, if there is a general taint-step saying that the output of os.path.abspath is tainted if the first argument is tainted, in the code below, we would have that norm on the second line would be considered BOTH NormalizedUnchecked and NotNormalized, which is obviously wrong.

source # NotNormalized
norm = os.path.abspath(source) # norm is NormalizedUnchecked
if norm.startswith(f"{ROOT}/user_uploads/"):
    open(norm) # flow to norm is blocked
else:
    open(norm) # unsafe, norm is NormalizedUnchecked

4 replies

Sim4n6 Oct 9, 2023
Author

You got me reading your reply three times. Thanks @RasmusWL

Sim4n6 Nov 10, 2023
Author

By the way, for debugging reasons, what are the ways to visualize the taint tracking graph (edges/nodes)? thx

RasmusWL Nov 10, 2023
Maintainer

By the way, for debugging reasons, what are the ways to visualize the taint tracking graph (edges/nodes)? thx

Open a new question instead of reusing old ones please 🙏

Sim4n6 Nov 10, 2023
Author

sorry about that, righ away ...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Py: Why a sanitizer blocks a NotNormalized Path before Safe checking it ? #14361

{{title}}

Replies: 2 comments 4 replies

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{title}}

Select a reply

Py: Why a sanitizer blocks a NotNormalized Path before Safe checking it ? #14361

Sim4n6 Oct 3, 2023

Replies: 2 comments · 4 replies

Sim4n6 Oct 6, 2023 Author

RasmusWL Oct 9, 2023 Maintainer

Sim4n6 Oct 9, 2023 Author

Sim4n6 Nov 10, 2023 Author

RasmusWL Nov 10, 2023 Maintainer

Sim4n6 Nov 10, 2023 Author

Sim4n6
Oct 3, 2023

Replies: 2 comments 4 replies

Sim4n6
Oct 6, 2023
Author

RasmusWL
Oct 9, 2023
Maintainer

Sim4n6 Oct 9, 2023
Author

Sim4n6 Nov 10, 2023
Author

RasmusWL Nov 10, 2023
Maintainer

Sim4n6 Nov 10, 2023
Author