diff --git a/python/ql/lib/semmle/python/security/dataflow/PolynomialReDoSQuery.qll b/python/ql/lib/semmle/python/security/dataflow/PolynomialReDoSQuery.qll
index 89aa4961e6ef..0e52764c1950 100644
--- a/python/ql/lib/semmle/python/security/dataflow/PolynomialReDoSQuery.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/PolynomialReDoSQuery.qll
@@ -18,7 +18,17 @@ private module PolynomialReDoSConfig implements DataFlow::ConfigSig {
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
 
-  predicate observeDiffInformedIncrementalMode() { any() }
+  // Diff-informed incremental mode is currently disabled for this query due to
+  // API limitations. The query exposes sink.getABacktrackingTerm() as an alert
+  // location, but there is no way to express that information through
+  // getASelectedSinkLocation() because there is no @location in the CodeQL
+  // database that corresponds to a term inside a regular expression. As a
+  // result, this query could miss alerts in diff-informed incremental mode.
+  //
+  // To address this problem, we need to have a version of
+  // getASelectedSinkLocation() that uses hasLocationInfo() instead of
+  // returning Location objects.
+  predicate observeDiffInformedIncrementalMode() { none() }
 
   Location getASelectedSinkLocation(DataFlow::Node sink) {
     result = sink.(Sink).getHighlight().getLocation()
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-104,106-201.expected b/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-104,106-201.expected
new file mode 100644
index 000000000000..638341e63231
--- /dev/null
+++ b/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-104,106-201.expected
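Review bot: With observeDiffInformedIncrementalMode() now returning none(), the getASelectedSinkLocation predicate that follows it in the hunk is presumably no longer consulted, yet nothing on it says so, and a reader may take its getHighlight()-based location as the active alert-location contract. A one-line comment above it would prevent that: `// Not consulted while observeDiffInformedIncrementalMode() is none(); kept so diff-informed mode can be re-enabled once term-level locations are expressible.` The disabling comment is thorough about why, but it does not say what condition would allow re-enabling, so a short sentence naming that (or a reference to where it is tracked) would keep none() from silently becoming permanent. getASelectedSinkLocation's body continues outside the hunk.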
@@ -0,0 +1,4 @@
+Filtering alerts to these ranges:
+ UnsafeUnpack.py:1-104
+ UnsafeUnpack.py:106-201
+Wrongly included: | UnsafeUnpack.py:105:35:105:42 | ControlFlowNode for savepath | Unsafe extraction from a malicious tarball retrieved from a remote location. |
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-111,113-201.expected b/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-111,113-201.expected
new file mode 100644
index 000000000000..227ee12e2a85
--- /dev/null
+++ b/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-111,113-201.expected
@@ -0,0 +1,4 @@
+Filtering alerts to these ranges:
+ UnsafeUnpack.py:1-111
+ UnsafeUnpack.py:113-201
+Wrongly included: | UnsafeUnpack.py:112:35:112:43 | ControlFlowNode for file_path | Unsafe extraction from a malicious tarball retrieved from a remote location. |
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-119,121-201.expected b/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-119,121-201.expected
new file mode 100644
index 000000000000..63e6ad6d1dc9
--- /dev/null
+++ b/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-119,121-201.expected
@@ -0,0 +1,4 @@
+Filtering alerts to these ranges:
+ UnsafeUnpack.py:1-119
+ UnsafeUnpack.py:121-201
+Wrongly included: | UnsafeUnpack.py:120:41:120:58 | ControlFlowNode for uploaded_file_path | Unsafe extraction from a malicious tarball retrieved from a remote location. |
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-141,143-201.expected b/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-141,143-201.expected
new file mode 100644
index 000000000000..bdbb5c401720
--- /dev/null
+++ b/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-141,143-201.expected
@@ -0,0 +1,4 @@
+Filtering alerts to these ranges:
+ UnsafeUnpack.py:1-141
+ UnsafeUnpack.py:143-201
+Wrongly included: | UnsafeUnpack.py:142:49:142:51 | ControlFlowNode for tar | Unsafe extraction from a malicious tarball retrieved from a remote location. |
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-166,168-201.expected b/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-166,168-201.expected
new file mode 100644
index 000000000000..9c94c7b0a5b5
--- /dev/null
+++ b/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-166,168-201.expected
@@ -0,0 +1,4 @@
+Filtering alerts to these ranges:
+ UnsafeUnpack.py:1-166
+ UnsafeUnpack.py:168-201
+Wrongly included: | UnsafeUnpack.py:167:67:167:72 | ControlFlowNode for result | Unsafe extraction from a malicious tarball retrieved from a remote location. |
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-175,177-201.expected b/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-175,177-201.expected
new file mode 100644
index 000000000000..3abf3ade3f9c
--- /dev/null
+++ b/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-175,177-201.expected
@@ -0,0 +1,4 @@
+Filtering alerts to these ranges:
+ UnsafeUnpack.py:1-175
+ UnsafeUnpack.py:177-201
+Wrongly included: | UnsafeUnpack.py:176:1:176:34 | ControlFlowNode for Attribute() | Unsafe extraction from a malicious tarball retrieved from a remote location. |
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-18,20-201.expected b/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-18,20-201.expected
new file mode 100644
index 000000000000..75c809596bd9
--- /dev/null
+++ b/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-18,20-201.expected
@@ -0,0 +1,4 @@
+Filtering alerts to these ranges:
+ UnsafeUnpack.py:1-18
+ UnsafeUnpack.py:20-201
+Wrongly included: | UnsafeUnpack.py:19:35:19:41 | ControlFlowNode for tarpath | Unsafe extraction from a malicious tarball retrieved from a remote location. |
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-200.expected b/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-200.expected
new file mode 100644
index 000000000000..7b67373bc6cb
--- /dev/null
+++ b/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-200.expected
@@ -0,0 +1,3 @@
+Filtering alerts to these ranges:
+ UnsafeUnpack.py:1-200
+Wrongly included: | UnsafeUnpack.py:201:29:201:36 | ControlFlowNode for Attribute | Unsafe extraction from a malicious tarball retrieved from a remote location. |
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-33,35-201.expected b/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-33,35-201.expected
new file mode 100644
index 000000000000..0d876dfb8b34
--- /dev/null
+++ b/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-33,35-201.expected
@@ -0,0 +1,4 @@
+Filtering alerts to these ranges:
+ UnsafeUnpack.py:1-33
+ UnsafeUnpack.py:35-201
+Wrongly included: | UnsafeUnpack.py:34:23:34:38 | ControlFlowNode for local_ziped_path | Unsafe extraction from a malicious tarball retrieved from a remote location. |
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-47,49-201.expected b/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-47,49-201.expected
new file mode 100644
index 000000000000..f20b971d45ed
--- /dev/null
+++ b/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-47,49-201.expected
@@ -0,0 +1,4 @@
+Filtering alerts to these ranges:
+ UnsafeUnpack.py:1-47
+ UnsafeUnpack.py:49-201
+Wrongly included: | UnsafeUnpack.py:48:23:48:37 | ControlFlowNode for compressed_file | Unsafe extraction from a malicious tarball retrieved from a remote location. |
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-51,53-201.expected b/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-51,53-201.expected
new file mode 100644
index 000000000000..7701b7cdc968
--- /dev/null
+++ b/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-51,53-201.expected
@@ -0,0 +1,4 @@
+Filtering alerts to these ranges:
+ UnsafeUnpack.py:1-51
+ UnsafeUnpack.py:53-201
+Wrongly included: | UnsafeUnpack.py:52:23:52:37 | ControlFlowNode for compressed_file | Unsafe extraction from a malicious tarball retrieved from a remote location. |
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-65,67-201.expected b/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-65,67-201.expected
new file mode 100644
index 000000000000..526193cad021
--- /dev/null
+++ b/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-65,67-201.expected
@@ -0,0 +1,4 @@
+Filtering alerts to these ranges:
+ UnsafeUnpack.py:1-65
+ UnsafeUnpack.py:67-201
+Wrongly included: | UnsafeUnpack.py:66:23:66:37 | ControlFlowNode for compressed_file | Unsafe extraction from a malicious tarball retrieved from a remote location. |
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-86,88-201.expected b/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-86,88-201.expected
new file mode 100644
index 000000000000..bf35c97fddd4
--- /dev/null
+++ b/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-86,88-201.expected
@@ -0,0 +1,4 @@
+Filtering alerts to these ranges:
+ UnsafeUnpack.py:1-86
+ UnsafeUnpack.py:88-201
+Wrongly included: | UnsafeUnpack.py:87:23:87:29 | ControlFlowNode for tarpath | Unsafe extraction from a malicious tarball retrieved from a remote location. |
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-327-UnsafeUsageOfClientSideEncryptionVersion/DIFF-INFORMED/UnsafeUsageOfClientSideEncryptionVersion/1-10,12-89.expected b/python/ql/test/experimental/query-tests/Security/CWE-327-UnsafeUsageOfClientSideEncryptionVersion/DIFF-INFORMED/UnsafeUsageOfClientSideEncryptionVersion/1-10,12-89.expected
new file mode 100644
index 000000000000..a2f9b06ddc20
--- /dev/null
+++ b/python/ql/test/experimental/query-tests/Security/CWE-327-UnsafeUsageOfClientSideEncryptionVersion/DIFF-INFORMED/UnsafeUsageOfClientSideEncryptionVersion/1-10,12-89.expected
@@ -0,0 +1,4 @@
+Filtering alerts to these ranges:
+ test.py:1-10
+ test.py:12-89
+Wrongly included: | test.py:11:9:11:19 | ControlFlowNode for blob_client | Unsafe usage of v1 version of Azure Storage client-side encryption |
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-327-UnsafeUsageOfClientSideEncryptionVersion/DIFF-INFORMED/UnsafeUsageOfClientSideEncryptionVersion/1-20,22-89.expected b/python/ql/test/experimental/query-tests/Security/CWE-327-UnsafeUsageOfClientSideEncryptionVersion/DIFF-INFORMED/UnsafeUsageOfClientSideEncryptionVersion/1-20,22-89.expected
new file mode 100644
index 000000000000..c7a502e290b3
--- /dev/null
+++ b/python/ql/test/experimental/query-tests/Security/CWE-327-UnsafeUsageOfClientSideEncryptionVersion/DIFF-INFORMED/UnsafeUsageOfClientSideEncryptionVersion/1-20,22-89.expected
@@ -0,0 +1,4 @@
+Filtering alerts to these ranges:
+ test.py:1-20
+ test.py:22-89
+Wrongly included: | test.py:21:9:21:19 | ControlFlowNode for blob_client | Unsafe usage of v1 version of Azure Storage client-side encryption |
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-327-UnsafeUsageOfClientSideEncryptionVersion/DIFF-INFORMED/UnsafeUsageOfClientSideEncryptionVersion/1-30,32-89.expected b/python/ql/test/experimental/query-tests/Security/CWE-327-UnsafeUsageOfClientSideEncryptionVersion/DIFF-INFORMED/UnsafeUsageOfClientSideEncryptionVersion/1-30,32-89.expected
new file mode 100644
index 000000000000..52d6a0ac12d3
--- /dev/null
+++ b/python/ql/test/experimental/query-tests/Security/CWE-327-UnsafeUsageOfClientSideEncryptionVersion/DIFF-INFORMED/UnsafeUsageOfClientSideEncryptionVersion/1-30,32-89.expected
@@ -0,0 +1,4 @@
+Filtering alerts to these ranges:
+ test.py:1-30
+ test.py:32-89
+Wrongly included: | test.py:31:9:31:19 | ControlFlowNode for blob_client | Unsafe usage of v1 version of Azure Storage client-side encryption |
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-327-UnsafeUsageOfClientSideEncryptionVersion/DIFF-INFORMED/UnsafeUsageOfClientSideEncryptionVersion/1-42,44-89.expected b/python/ql/test/experimental/query-tests/Security/CWE-327-UnsafeUsageOfClientSideEncryptionVersion/DIFF-INFORMED/UnsafeUsageOfClientSideEncryptionVersion/1-42,44-89.expected
new file mode 100644
index 000000000000..e2861a0c2f24
--- /dev/null
+++ b/python/ql/test/experimental/query-tests/Security/CWE-327-UnsafeUsageOfClientSideEncryptionVersion/DIFF-INFORMED/UnsafeUsageOfClientSideEncryptionVersion/1-42,44-89.expected
@@ -0,0 +1,4 @@
+Filtering alerts to these ranges:
+ test.py:1-42
+ test.py:44-89
+Wrongly included: | test.py:43:9:43:19 | ControlFlowNode for blob_client | Unsafe usage of v1 version of Azure Storage client-side encryption |
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-327-UnsafeUsageOfClientSideEncryptionVersion/DIFF-INFORMED/UnsafeUsageOfClientSideEncryptionVersion/1-74,76-89.expected b/python/ql/test/experimental/query-tests/Security/CWE-327-UnsafeUsageOfClientSideEncryptionVersion/DIFF-INFORMED/UnsafeUsageOfClientSideEncryptionVersion/1-74,76-89.expected
new file mode 100644
index 000000000000..85b1e2f26fbe
--- /dev/null
+++ b/python/ql/test/experimental/query-tests/Security/CWE-327-UnsafeUsageOfClientSideEncryptionVersion/DIFF-INFORMED/UnsafeUsageOfClientSideEncryptionVersion/1-74,76-89.expected
@@ -0,0 +1,4 @@
+Filtering alerts to these ranges:
+ test.py:1-74
+ test.py:76-89
+Wrongly included: | test.py:75:9:75:10 | ControlFlowNode for bc | Unsafe usage of v1 version of Azure Storage client-side encryption |
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-346/DIFF-INFORMED/CorsBypass/1-7,9-17.expected b/python/ql/test/experimental/query-tests/Security/CWE-346/DIFF-INFORMED/CorsBypass/1-7,9-17.expected
new file mode 100644
index 000000000000..c6023d1864f8
--- /dev/null
+++ b/python/ql/test/experimental/query-tests/Security/CWE-346/DIFF-INFORMED/CorsBypass/1-7,9-17.expected
@@ -0,0 +1,4 @@
+Filtering alerts to these ranges:
+ Cors.py:1-7
+ Cors.py:9-17
+Wrongly included: | Cors.py:8:12:8:17 | ControlFlowNode for origin | Potentially incorrect string comparison which could lead to a CORS bypass. |
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-522/DIFF-INFORMED/LdapInsecureAuth/26566.expected b/python/ql/test/experimental/query-tests/Security/CWE-522/DIFF-INFORMED/LdapInsecureAuth/26566.expected
new file mode 100644
index 000000000000..852d26e4eb90
--- /dev/null
+++ b/python/ql/test/experimental/query-tests/Security/CWE-522/DIFF-INFORMED/LdapInsecureAuth/26566.expected
@@ -0,0 +1,7 @@
+Filtering alerts to these ranges:
+ ldap2_private.py:all
+ ldap2_remote.py:all
+ ldap3_private.py:all
+ ldap3_remote.py:1-114
+ ldap3_remote.py:116-146
+Wrongly included: | ldap3_remote.py:115:18:115:21 | ControlFlowNode for host | This LDAP host is authenticated insecurely. |
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-522/DIFF-INFORMED/LdapInsecureAuth/6ecfd.expected b/python/ql/test/experimental/query-tests/Security/CWE-522/DIFF-INFORMED/LdapInsecureAuth/6ecfd.expected
new file mode 100644
index 000000000000..f19dd276aec9
--- /dev/null
+++ b/python/ql/test/experimental/query-tests/Security/CWE-522/DIFF-INFORMED/LdapInsecureAuth/6ecfd.expected
@@ -0,0 +1,7 @@
+Filtering alerts to these ranges:
+ ldap2_private.py:all
+ ldap2_remote.py:all
+ ldap3_private.py:all
+ ldap3_remote.py:1-138
+ ldap3_remote.py:140-146
+Wrongly included: | ldap3_remote.py:139:18:139:21 | ControlFlowNode for host | This LDAP host is authenticated insecurely. |
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-522/DIFF-INFORMED/LdapInsecureAuth/70ac5.expected b/python/ql/test/experimental/query-tests/Security/CWE-522/DIFF-INFORMED/LdapInsecureAuth/70ac5.expected
new file mode 100644
index 000000000000..3e4a6322d643
--- /dev/null
+++ b/python/ql/test/experimental/query-tests/Security/CWE-522/DIFF-INFORMED/LdapInsecureAuth/70ac5.expected
@@ -0,0 +1,7 @@
+Filtering alerts to these ranges:
+ ldap2_private.py:all
+ ldap2_remote.py:all
+ ldap3_private.py:all
+ ldap3_remote.py:1-101
+ ldap3_remote.py:103-146
+Wrongly included: | ldap3_remote.py:102:18:102:21 | ControlFlowNode for host | This LDAP host is authenticated insecurely. |
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-522/DIFF-INFORMED/LdapInsecureAuth/81fd1.expected b/python/ql/test/experimental/query-tests/Security/CWE-522/DIFF-INFORMED/LdapInsecureAuth/81fd1.expected
new file mode 100644
index 000000000000..ca807a3b06d7
--- /dev/null
+++ b/python/ql/test/experimental/query-tests/Security/CWE-522/DIFF-INFORMED/LdapInsecureAuth/81fd1.expected
@@ -0,0 +1,7 @@
+Filtering alerts to these ranges:
+ ldap2_private.py:all
+ ldap2_remote.py:all
+ ldap3_private.py:all
+ ldap3_remote.py:1-126
+ ldap3_remote.py:128-146
+Wrongly included: | ldap3_remote.py:127:18:127:21 | ControlFlowNode for host | This LDAP host is authenticated insecurely. |
diff --git a/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/DIFF-INFORMED/PartialServerSideRequestForgery/3bb27.expected b/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/DIFF-INFORMED/PartialServerSideRequestForgery/3bb27.expected
new file mode 100644
index 000000000000..cda13af94ed7
--- /dev/null
+++ b/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/DIFF-INFORMED/PartialServerSideRequestForgery/3bb27.expected
@@ -0,0 +1,6 @@
+Filtering alerts to these ranges:
+ full_partial_test.py:all
+ test_http_client.py:2-21
+ test_http_client.py:23-37
+ test_requests.py:all
+Wrongly included: | test_http_client.py:22:5:22:31 | ControlFlowNode for Attribute() | Part of the URL of this request depends on a $@. | test_http_client.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value |