Skip to content

Python: Add Server-side Request Forgery sinks#8275

Merged
RasmusWL merged 13 commits intogithub:mainfrom
haby0:py/add-ssrf-sinks
Mar 8, 2022
Merged

Python: Add Server-side Request Forgery sinks#8275
RasmusWL merged 13 commits intogithub:mainfrom
haby0:py/add-ssrf-sinks

Conversation

@haby0
Copy link
Contributor

@haby0 haby0 commented Feb 28, 2022

Add some sinks in the CodeQL-Python SSRF model. Modeled Python libraries are: Aiohttp, Httpx, Libtaxii, Urllib, Urllib2, Urllib3.

There may be inappropriate modeling, please point out the project maintainer so that I can improve it.

@haby0 haby0 requested a review from a team as a code owner February 28, 2022 07:34
@haby0 haby0 mentioned this pull request Feb 28, 2022
Closed
2 tasks
@RasmusWL RasmusWL self-assigned this Feb 28, 2022
RasmusWL
RasmusWL requested changes Feb 28, 2022
View reviewed changes
Copy link
Member

@RasmusWL RasmusWL left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for this contribution 👍

Please do the same rewrites I have suggested for python/ql/lib/semmle/python/frameworks/Aiohttp.qll to the other files as well.

Also please add tests to highlight the cases we can now handle, like in https://github.com/github/codeql/blob/main/python/ql/test/library-tests/frameworks/requests/test.py

python/ql/lib/semmle/python/frameworks/Aiohttp.qll Outdated
Comment on lines +671 to +681
DataFlow::Node getUrlArg() {
result = this.getArgByName("url")
or
not methodName = "request" and
result = this.getArg(0)
or
methodName = "request" and
result = this.getArg(1)
}

override DataFlow::Node getAUrlPart() { result = this.getUrlArg() }
Copy link
Member

@RasmusWL RasmusWL Feb 28, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't see any reason to have this separate predicate, can we just do

Suggested change
DataFlow::Node getUrlArg() {
result = this.getArgByName("url")
or
not methodName = "request" and
result = this.getArg(0)
or
methodName = "request" and
result = this.getArg(1)
}
override DataFlow::Node getAUrlPart() { result = this.getUrlArg() }
override DataFlow::Node getAUrlPart() {
result = this.getArgByName("url")
or
not methodName = "request" and
result = this.getArg(0)
or
methodName = "request" and
result = this.getArg(1)
}

Copy link
Contributor Author

@haby0 haby0 Feb 28, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also please add tests to highlight the cases we can now handle, like in https://github.com/github/codeql/blob/main/python/ql/test/library-tests/frameworks/requests/test.py

Please review whether the test file is correct, thank you!

Copy link
Member

@RasmusWL RasmusWL Mar 4, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

They looked great, but there was a failure for httpx. Next time you should run the tests in all directories before submitting 😉

@RasmusWL
Copy link
Member

RasmusWL commented Mar 4, 2022

Thanks for the updates @haby0. Since you did not target experimental/, I've had to ensure that everything is 100% good looking before merging this PR, so I have incorporated my changes on this PR directly.

@haby0
Copy link
Contributor Author

haby0 commented Mar 7, 2022

Thanks for the updates @haby0. Since you did not target experimental/, I've had to ensure that everything is 100% good looking before merging this PR, so I have incorporated my changes on this PR directly.

@RasmusWL 👍
I tested the test files in the codeql\python\ql\test\experimental\library-tests path, and they were all executed successfully

@RasmusWL
Copy link
Member

RasmusWL commented Mar 7, 2022

Performance looks good 👍

@haby0
Copy link
Contributor Author

haby0 commented Mar 7, 2022

Performance looks good 👍

Thanks.

@RasmusWL RasmusWL merged commit cbe3964 into github:main Mar 8, 2022
@haby0 haby0 deleted the py/add-ssrf-sinks branch March 9, 2022 02:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@RasmusWL RasmusWL RasmusWL approved these changes

Assignees

@RasmusWL RasmusWL

Labels

documentation Python

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@haby0 @RasmusWL