Skip to content

Python: Fix CWE tag for py/use-of-input #6071

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jun 21, 2021
Merged

Python: Fix CWE tag for py/use-of-input #6071

merged 1 commit into from
Jun 21, 2021

Conversation

RasmusWL
Copy link
Member

@RasmusWL RasmusWL commented Jun 14, 2021
edited
Loading

So it better matches what is in py/code-injection. I had my doubts about CWE-95, but after reading
https://owasp.org/www-community/attacks/Direct_Dynamic_Code_Evaluation_Eval%20Injection I think it's fine to add CWE-95 as well 👍

Definitions are:

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-94: Improper Control of Generation of Code ('Code Injection')

CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

@RasmusWL
Python: Fix CWE tag for py/use-of-input
4eed94a 
So it better matches what is in `py/code-injection`. I had my doubts
about CWE-95, but after reading
https://owasp.org/www-community/attacks/Direct_Dynamic_Code_Evaluation_Eval%20Injection
I think it's fine to add CWE-95 as well 👍

Definitions are:

CWE-78: Improper Neutralization of Special Elements used in an OS
Command ('OS Command Injection')

CWE-94: Improper Control of Generation of Code ('Code Injection')

CWE-95: Improper Neutralization of Directives in Dynamically Evaluated
Code ('Eval Injection')
@RasmusWL RasmusWL requested a review from a team as a code owner June 14, 2021 12:09
@RasmusWL RasmusWL added no-change-note-required This PR does not need a change note and removed Python labels Jun 14, 2021
@RasmusWL RasmusWL requested a review from calumgrant June 14, 2021 12:09
calumgrant
calumgrant approved these changes Jun 16, 2021
View reviewed changes
Copy link
Contributor

@calumgrant calumgrant left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall I think the new tags make sense. I think that the reason you wanted to change this is because the original score (5.9) was too low, and your intuition would be correct. However, the way the algorithm was specified was using the CVE "impact score" which often gives quite low numbers. Like any heuristic, they can be off.

A new algorithm has been proposed to use the "base score" of the CVE, which gives higher numbers in general. In this case, the severity of the error goes from 9.8 to 9.3, both of which are "Critical" which feels right for this query.

@RasmusWL
Copy link
Member Author

:shipit:

@codeql-ci codeql-ci merged commit 565af1a into github:main Jun 21, 2021
@RasmusWL RasmusWL deleted the fix-input-cwe branch June 21, 2021 13:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tausbn tausbn tausbn approved these changes

+1 more reviewer

@calumgrant calumgrant calumgrant approved these changes

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
no-change-note-required This PR does not need a change note
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@RasmusWL @tausbn @calumgrant @codeql-ci