Python: CWE-079 - Add Email injection query #7127
Conversation
Most of these query tests need to be cleaned up. Also, some of these query tests will fail because no user-tainted data is passing into the email bodies that are generated and sent to a victim user.
Besides removing comments, I also reduced the complexity of some of the Python code examples.
…am/codeql into jty/python/emailInjection
Thank you for the changes, I think this is now acceptable to merge into experimental. However, you might want to hold off and retain your ability to address a potential high FP rate, in case you move forward with your bounty submission?
You currently only have the string comparison sanitizer. Is that how people would normally protect themselves?
Thank you for the suggestion! We've based this query's sanitizers on main's XSS query's (only
codeql/python/ql/lib/semmle/python/security/dataflow/SqlInjectionCustomizations.qll Line 62 in 85f00fd
Would you suggest any other sanitizer? :)
This is an interesting question about sanitizers. I did some research and only found one sanitizer that looks to be popular called Bleach. I don't think this is something the CodeQL library accounts for at this time. It has some popularity with 2k stars and it has 163k dependent repositories. Bleach is pretty simple to use:

```python
import bleach

bleach.clean('evil text')  # this sanitizes text
bleach.linkify('evil text with a link: github.com')  # this also sanitizes text
```

It might be worth it to add this sanitizer. Idk. It looks to be a pretty simple step we can add in the query but at the same time I think Bleach also has a lot of weird ways to sanitize text which can impact how long this will take (see here). Also, this seems like something that should be baked into the CodeQL library and could deserve its own PR.
codeql/python/ql/lib/semmle/python/security/dataflow/ReflectedXSSCustomizations.qll Line 68 in 85f00fd
Oops, I referenced (and took into account) the wrong query type. I've added
As discussed offline, we believe adding Bleach would require an additional PR given its complexity. We will work on that in the future in case this query surfaces many repos using Bleach for this :)
This submission has now been scored. Can I ask you to solve the conflicts and fix the expected test output so that we can get it merged? :-)

The merge conflict was resolved by overriding our branch's private import of
Also, sorry I missed the mention of expected test output. I haven't looked at the expected test output. I'll take a look and see how to fix it. Sorry for alerting you to review this PR when it's actually not ready :(.
```ql
private DataFlow::Node getSMTPSubscriptByIndex(DataFlow::CallCfgNode sendCall, string index) {
  exists(DefinitionNode def, Subscript sub |
    sub = def.getNode() and
    DataFlow::exprNode(sub.getObject()).getALocalSource() =
      [sendCall.getArg(2), sendCall.getArg(2).(DataFlow::MethodCallNode).getObject()]
          .getALocalSource() and
    sub.getIndex().(StrConst).getText() = index and
    result.asCfgNode() = def.getValue()
  )
}
```

Code scanning / CodeQL warning: Acronyms should be PascalCase/camelCase.
```ql
private class SMTPMessageConfig extends TaintTracking2::Configuration {
  SMTPMessageConfig() { this = "SMTPMessageConfig" }

  override predicate isSource(DataFlow::Node source) { source = mimeText(_) }

  override predicate isSink(DataFlow::Node sink) {
    sink = smtpMimeMultipartInstance().getACall().getArgByName("_subparts")
  }
}
```

Code scanning / CodeQL warning: Acronyms should be PascalCase/camelCase.
LGTM
It should probably be private, but I do not think you have to fix that in this PR.
Resolved (outdated) review threads on:
python/ql/src/experimental/semmle/python/frameworks/Sendgrid.qll
python/ql/src/experimental/semmle/python/frameworks/Sendgrid.qll
python/ql/src/experimental/semmle/python/libraries/FlaskMail.qll
It seems the dead code has to be removed before we can merge. I do not have permission to do it for you, but I have created suggestions that you should be able to simply accept.
Co-authored-by: yoff <lerchedahl@gmail.com>

Thanks @yoff, done!

Hm, you have to format

Friendly ping @yoff :D
Thanks
This PR introduces a new query that searches for reflected XSS email injections. This query specifically looks for vulnerabilities that utilize any one of these major Python email libraries:
The most common scenario this query looks for is a Python application that uses an email library to deliver emails. The application passes user input into an email's HTML body, which can result in a reflected XSS attack on the email recipient.
PS: Please note that both @mrthankyou and @jorgectf wrote this query. If accepted as a bug bounty we would like a 100% of the reward to go to @jorgectf. This will be re-iterated in the bug bounty submission.
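The scenario the PR description outlines (user input flowing into an email's HTML body) and the sanitizer question raised earlier in the thread, as an added example that is not code from the PR or from the CodeQL project. It builds the same message two ways with the standard library's `email.message` API: once with the untrusted value interpolated raw (the source-to-sink flow the query flags) and once with it escaped. `html.escape` stands in here for a sanitizer such as Bleach, which the thread discusses but which is not used in this example; the sender, recipient and tainted display name are constructed sample values.

```python
"""Added example (not from the codeql PR): a user-controlled value reaching an
email's HTML body, in the pattern the Email injection query targets, beside an
escaped version. Standard library only; html.escape stands in for Bleach."""
from email.message import EmailMessage
from html import escape

# Constructed sample input: a display name submitted through a form field.
TAINTED_NAME = '<script>alert(document.cookie)</script>'


def build_body_unsafe(display_name: str) -> str:
    # Vulnerable pattern: the untrusted string is interpolated straight into markup,
    # so any tags it carries are rendered by the recipient's mail client.
    return f"<p>Hello {display_name}, your password reset link is ready.</p>"


def build_body_escaped(display_name: str) -> str:
    # Hardened pattern: escape before interpolating so <, >, & and quotes become
    # entities and the value is shown as text rather than parsed as markup.
    return f"<p>Hello {escape(display_name, quote=True)}, your password reset link is ready.</p>"


def compose_message(sender: str, recipient: str, html_body: str) -> EmailMessage:
    # Build a multipart/alternative message the way an smtplib-based app would;
    # the text/html part is the sink the query is interested in.
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "Password reset"
    msg.set_content("Please view this message in an HTML-capable client.")
    msg.add_alternative(html_body, subtype="html")
    return msg


def html_part(msg: EmailMessage) -> str:
    # Pull the text/html alternative back out of the composed message.
    part = msg.get_body(preferencelist=("html",))
    return part.get_content()


def contains_active_markup(html_body: str) -> bool:
    # Crude review-time check: does the body still carry a raw <script> tag?
    return "<script" in html_body.lower()


if __name__ == "__main__":
    for builder in (build_body_unsafe, build_body_escaped):
        body = builder(TAINTED_NAME)
        msg = compose_message("noreply@example.test", "victim@example.test", body)
        print(builder.__name__, "active markup:", contains_active_markup(html_part(msg)))
```

Running the block prints `True` for the unsafe builder and `False` for the escaped one; the escaped body still contains the attacker's text, but as `&lt;script&gt;` entities that a mail client displays instead of executing. The same sink-side check is what a CodeQL sanitizer node would model: a value that has passed through the escaping call no longer counts as tainted.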