Python : Add sanitizers for Path Injection Query #7009
Conversation
This PR adds a few sanitizers to the exisitng Path injection query.
| */ | ||
| private class OsPathAbsoluteCallAsSanitizer extends Sanitizer { | ||
| OsPathAbsoluteCallAsSanitizer() { | ||
| this = API::moduleImport("os").getMember("path").getMember("abspath").getACall().getArg(_) |
I might be wrong, but isn't this saying that the argument to abspath has been sanitized?
Don't we instead want to say that the result of such a call has been sanitized?
So in this example:
sanitizedPath = os.path.abspath(taintedPath)
dangerousUse(taintedPath)taintedPath could not flow to dangerousUse because it is used once as an argument to abspath and therefore considered sanitized (which is not correct).
If I'm right you could add new tests that show the improvements of this PR.
I considered it when writing this PR. Yes, what you are saying is true. But consider the case here. https://github.com/kizniche/Mycodo/blob/6c0d710c8138aa06e6dcd909097854afe0d5cebe/mycodo/mycodo_flask/routes_general.py#L120-L121
In this case, since file_path is checked earlier, the code is not exploitable. So I thought it would be best to avoid multiple FPs and accept a reduced TP count instead.
|
@RasmusWL The query currently flags some sinks which shouldn't otherwise be there. For ex, a simple run of the query with the proposed changes included leads to 3 results. Of which 2 of them are calls to |
This PR adds a few sanitizers to the exisitng Path injection query.
The text was updated successfully, but these errors were encountered: