Skip to content

TarSlip vulnerability improvements #10851

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 11 commits into from
Closed

TarSlip vulnerability improvements #10851

wants to merge 11 commits into from

Conversation

Sim4n6
Copy link
Contributor

@Sim4n6 Sim4n6 commented Oct 16, 2022
edited
Loading

Hi,

  • add two new sources, as such:
tarfile.TarFile()
MKtarfile.Tarfile.open()
  • add one more new source, which is the use of a context manager for auto-closing, as such:
contextlib.closing(XXXX)
  • add a new sink for the method _extract_member()
  • distinguish two cases for the method extractall()
  • combine the use of the previous sources with the sinks.

In the folder /examples/, you would find the bad samples named as: TarSlip_xxx.py and the relatively good samples as NoHIT_TarSlip_xxx.py. Plus to that, a little bash script script.sh that is supposed to execute the good and the bad samples using the malicious tarball archive_malign.tar.

Thank you

@Sim4n6 Sim4n6 requested a review from a team as a code owner October 16, 2022 22:57
@Sim4n6 Sim4n6 mentioned this pull request Oct 16, 2022
Closed
2 tasks
yoff
yoff requested changes Oct 18, 2022
View reviewed changes
Copy link
Contributor

@yoff yoff left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good start. It would be nice if the examples were turned into query tests.

At the moment, you are making changes in the shipped query, so we will require fairly high quality before merging. Alternatively, you copy the whole query to experimental, and it could basically be merged as is.

I have given some pointers to things to improve. Further to that would be the comments referring to relevant APIs so other developers can convince themselves that the model is reasonable.

python/ql/lib/semmle/python/security/dataflow/TarSlipCustomizations.qll
Comment on lines +55 to +66
class AllTarfileOpens extends API::CallNode {
AllTarfileOpens() {
exists(TarfileOpens tfo | this = tfo.getACall())
or
exists(API::Node closing, Node arg, TarfileOpens tfo |
closing = API::moduleImport("contextlib").getMember("closing") and
this = closing.getACall() and
arg = this.getArg(0) and
arg = tfo.getACall()
)
}
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The extra source added here is better handled by an additional taint step. Then paths will start at the open call rather than at the closing call, and, if the two a separated in the code, we would find the data flow to connect them.

Sim4n6 and others added 6 commits October 19, 2022 11:05
@Sim4n6 @yoff
Update python/ql/lib/semmle/python/security/dataflow/TarSlipCustomiza…
49830f2 
…tions.qll


Use of the predicate.

Co-authored-by: yoff <lerchedahl@gmail.com>
@Sim4n6 @yoff
Update python/ql/lib/semmle/python/security/dataflow/TarSlipCustomiza…
391a209 
…tions.qll


adjust to the use of the predicate.

Co-authored-by: yoff <lerchedahl@gmail.com>
@Sim4n6 @yoff
Update python/ql/lib/semmle/python/security/dataflow/TarSlipCustomiza…
0d25261 
…tions.qll


adjust to the use of the predicate.

Co-authored-by: yoff <lerchedahl@gmail.com>
@Sim4n6
rename to ExtractAllWithoutMembersSink
23f35ed
@Sim4n6
update the comment for ExtractAllwMembersSink
81c9a00
@Sim4n6
rename to ExtractAllwithMembersSink
f0fb8e5
@Sim4n6
Copy link
Contributor Author

Sim4n6 commented Oct 19, 2022
edited
Loading

Good start. It would be nice if the examples were turned into query tests.

I did not get this one "query tests", please.

At the moment, you are making changes in the shipped query, so we will require fairly high quality before merging. Alternatively, you copy the whole query to experimental, and it could basically be merged as is.

I have given some pointers to things to improve. Further to that would be the comments referring to relevant APIs so other developers can convince themselves that the model is reasonable.

Ok, I will close this PR, take into consideration the previously suggested changes and make a new PR with a separate query within this folder as /CWE-022bis/.

@Sim4n6 Sim4n6 closed this Oct 19, 2022
@yoff
Copy link
Contributor

yoff commented Oct 19, 2022

That is fine, but it would also be fine to do it in this PR..

@Sim4n6 Sim4n6 mentioned this pull request Oct 19, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yoff yoff

Assignees

@yoff yoff

Labels
documentation Python
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@Sim4n6 @yoff