Fails on Python 3.9.0 #207

Open
matthewdeanmartin opened this issue Oct 8, 2020 · 7 comments
@matthewdeanmartin

Looks like pyt took a dependency on a private attribute that has disappeared. Yes. I saw the tool is no longer maintained, but it used to at least run on 3.8.x

Traceback (most recent call last):
  File "/root/.local/bin/pyt", line 8, in <module>
    sys.exit(main())
  File "/root/.local/pipx/venvs/python-taint/lib/python3.9/site-packages/pyt/__main__.py", line 101, in main
    cfg = make_cfg(
  File "/root/.local/pipx/venvs/python-taint/lib/python3.9/site-packages/pyt/cfg/make_cfg.py", line 36, in make_cfg
    visitor = ExprVisitor(
  File "/root/.local/pipx/venvs/python-taint/lib/python3.9/site-packages/pyt/cfg/expr_visitor.py", line 69, in __init__
    self.init_cfg(node)
  File "/root/.local/pipx/venvs/python-taint/lib/python3.9/site-packages/pyt/cfg/expr_visitor.py", line 76, in init_cfg
    module_statements = self.visit(node)
  File "/usr/local/lib/python3.9/ast.py", line 407, in visit
    return visitor(node)
  File "/root/.local/pipx/venvs/python-taint/lib/python3.9/site-packages/pyt/cfg/stmt_visitor.py", line 67, in visit_Module
    return self.stmt_star_handler(node.body)
  File "/root/.local/pipx/venvs/python-taint/lib/python3.9/site-packages/pyt/cfg/stmt_visitor.py", line 88, in stmt_star_handler
    node = self.visit(stmt)
  File "/usr/local/lib/python3.9/ast.py", line 407, in visit
    return visitor(node)
  File "/root/.local/pipx/venvs/python-taint/lib/python3.9/site-packages/pyt/cfg/stmt_visitor.py", line 1069, in visit_ImportFrom
    return self.add_module(
  File "/root/.local/pipx/venvs/python-taint/lib/python3.9/site-packages/pyt/cfg/stmt_visitor.py", line 807, in add_module
    self.visit(tree)
  File "/usr/local/lib/python3.9/ast.py", line 407, in visit
    return visitor(node)
  File "/root/.local/pipx/venvs/python-taint/lib/python3.9/site-packages/pyt/cfg/stmt_visitor.py", line 67, in visit_Module
    return self.stmt_star_handler(node.body)
  File "/root/.local/pipx/venvs/python-taint/lib/python3.9/site-packages/pyt/cfg/stmt_visitor.py", line 88, in stmt_star_handler
    node = self.visit(stmt)
  File "/usr/local/lib/python3.9/ast.py", line 407, in visit
    return visitor(node)
  File "/root/.local/pipx/venvs/python-taint/lib/python3.9/site-packages/pyt/cfg/stmt_visitor.py", line 460, in visit_Assign
    label.visit(node)
  File "/usr/local/lib/python3.9/ast.py", line 407, in visit
    return visitor(node)
  File "/root/.local/pipx/venvs/python-taint/lib/python3.9/site-packages/pyt/helper_visitors/label_visitor.py", line 56, in visit_Assign
    self.visit(node.value)
  File "/usr/local/lib/python3.9/ast.py", line 407, in visit
    return visitor(node)
  File "/root/.local/pipx/venvs/python-taint/lib/python3.9/site-packages/pyt/helper_visitors/label_visitor.py", line 334, in visit_IfExp
    self.visit(node.orelse)
  File "/usr/local/lib/python3.9/ast.py", line 407, in visit
    return visitor(node)
  File "/root/.local/pipx/venvs/python-taint/lib/python3.9/site-packages/pyt/helper_visitors/label_visitor.py", line 173, in visit_Subscript
    self.slicev(node.slice)
  File "/root/.local/pipx/venvs/python-taint/lib/python3.9/site-packages/pyt/helper_visitors/label_visitor.py", line 190, in slicev
    self.visit(node.value)
  File "/usr/local/lib/python3.9/ast.py", line 407, in visit
    return visitor(node)
  File "/usr/local/lib/python3.9/ast.py", line 411, in generic_visit
    for field, value in iter_fields(node):
  File "/usr/local/lib/python3.9/ast.py", line 249, in iter_fields
    for field in node._fields:
AttributeError: 'str' object has no attribute '_fields'

@FredHappyface

Hi

I've been looking at this and pyre-check. I've found myself looking at this issue because I can't be bothered with setting up a bunch of config files with pyre-check - anyway, I've managed to stop things crashing.

At the following line

File "/root/.local/pipx/venvs/python-taint/lib/python3.9/site-packages/pyt/helper_visitors/label_visitor.py", line 190, in slicev
    self.visit(node.value)

Change self.visit(node.value) to self.visit(node) and it seems to be fixed.

Output:

21 vulnerabilities found (plus 3 sanitised):
Vulnerability 1:
File: .\XSS.py
 > User input at line 6, source "request.args.get(":
         ~call_1 = ret_request.args.get('param', 'not set')
Reassigned in:
        File: .\XSS.py
         > Line 6: param = ~call_1
File: .\XSS.py
 > reaches line 9, sink "replace(":
        ~call_5 = ret_html.replace('{{ param }}', param)

[...]

Given that this is now an unsupported project, I'm wondering if you (and anyone else) would see the value in me / a group of enthusiastic Python devs creating a fork for Python 3.9?
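As an added illustration for this thread (not pyt's own code), the block below reproduces the Python 3.9 AST change behind the traceback and shows a version-safe form of the `slicev` fix; `old_slicev_error`, `SliceCollector` and `subscript_slices` are invented names, and the subscript sources fed to them are constructed inputs.

```python
"""Up to Python 3.8, `ast.Subscript.slice` was an `ast.Index` wrapper and the
real expression sat in `.value`.  In 3.9 the wrapper is gone: `.slice` is the
expression itself.  For `html['key']` that expression is `ast.Constant`, whose
`.value` is the plain str 'key', so the old `self.visit(node.value)` hands a
str to `generic_visit`, producing the '_fields' AttributeError seen above."""
import ast
import sys


def old_slicev_error(source):
    """Run the pre-fix slicev logic on the first subscript in `source`.
    Returns the AttributeError text on 3.9+, None where it still works."""
    node = ast.parse(source).body[0].value.slice   # the slice node itself
    try:
        ast.NodeVisitor().visit(node.value)        # pyt's old line
    except AttributeError as exc:
        return str(exc)
    return None


class SliceCollector(ast.NodeVisitor):
    """Hypothetical, simplified stand-in for a label visitor: records a short
    label for every subscript slice it walks into."""

    def __init__(self):
        self.slices = []

    def visit_Subscript(self, node):
        self.visit(node.value)      # the object being indexed
        self.slicev(node.slice)     # the index expression

    def slicev(self, node):
        # Only pre-3.9 ASTs carry the Index wrapper; unwrap it there and
        # otherwise visit the slice node directly (the fix from this thread).
        if sys.version_info < (3, 9) and isinstance(node, ast.Index):
            node = node.value
        if isinstance(node, ast.Name):
            self.slices.append(node.id)
        elif isinstance(node, ast.Constant):
            self.slices.append(repr(node.value))
        else:
            self.slices.append(type(node).__name__)   # Slice, Tuple, ...
        self.visit(node)                               # recurse for a[b[0]]


def subscript_slices(source):
    """Labels of all subscript slices in `source`, in visiting order."""
    collector = SliceCollector()
    collector.visit(ast.parse(source))
    return collector.slices
```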

@FredHappyface

I've decided to maintain this for the foreseeable future: https://github.com/FHPythonUtils/PyTaintX

@KevinHock
Collaborator

Would you like to maintain the non-fork @FredHappyface? i.e. this repo.

You'd certainly get more views/contributions, maintaining this repo.

@KevinHock
Collaborator

(Happy to still mention your repo at the top of the README of this one, if not.)

@FredHappyface

FredHappyface commented Oct 30, 2020

Yeah, I'd love to maintain the non-fork!

(Would be good to have issues in one place too)

Edit: clarify that I'd be interested in maintaining the non-forked repo

@KevinHock
Collaborator

Thanks, I'll ask @Thalmann and @StefanMich to give you the same access as I have.

@FredHappyface

Thank you
