Skip to content

Python: Add Server-side Request Forgery sinks #8275

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 13 commits into from
Mar 8, 2022
Merged

Python: Add Server-side Request Forgery sinks #8275

merged 13 commits into from
Mar 8, 2022

Conversation

haby0
Copy link
Contributor

@haby0 haby0 commented Feb 28, 2022

Add some sinks in the CodeQL-Python SSRF model. Modeled Python libraries are: Aiohttp, Httpx, Libtaxii, Urllib, Urllib2, Urllib3.

There may be inappropriate modeling, please point out the project maintainer so that I can improve it.

@haby0 haby0 requested a review from a team as a code owner February 28, 2022 07:34
@haby0 haby0 mentioned this pull request Feb 28, 2022
Closed
2 tasks
@RasmusWL RasmusWL self-assigned this Feb 28, 2022
RasmusWL
RasmusWL requested changes Feb 28, 2022
View reviewed changes
Copy link
Member

@RasmusWL RasmusWL left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for this contribution 👍

Please do the same rewrites I have suggested for python/ql/lib/semmle/python/frameworks/Aiohttp.qll to the other files as well.

Also please add tests to highlight the cases we can now handle, like in https://github.com/github/codeql/blob/main/python/ql/test/library-tests/frameworks/requests/test.py

python/ql/lib/semmle/python/frameworks/Aiohttp.qll Outdated
Comment on lines 671 to 681
DataFlow::Node getUrlArg() {
result = this.getArgByName("url")
or
not methodName = "request" and
result = this.getArg(0)
or
methodName = "request" and
result = this.getArg(1)
}

override DataFlow::Node getAUrlPart() { result = this.getUrlArg() }
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't see any reason to have this separate predicate, can we just do

Suggested change
DataFlow::Node getUrlArg() {
result = this.getArgByName("url")
or
not methodName = "request" and
result = this.getArg(0)
or
methodName = "request" and
result = this.getArg(1)
}
override DataFlow::Node getAUrlPart() { result = this.getUrlArg() }
override DataFlow::Node getAUrlPart() {
result = this.getArgByName("url")
or
not methodName = "request" and
result = this.getArg(0)
or
methodName = "request" and
result = this.getArg(1)
}

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also please add tests to highlight the cases we can now handle, like in https://github.com/github/codeql/blob/main/python/ql/test/library-tests/frameworks/requests/test.py

Please review whether the test file is correct, thank you!

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

They looked great, but there was a failure for httpx. Next time you should run the tests in all directories before submitting 😉

@RasmusWL
Copy link
Member

RasmusWL commented Mar 4, 2022

Thanks for the updates @haby0. Since you did not target experimental/, I've had to ensure that everything is 100% good looking before merging this PR, so I have incorporated my changes on this PR directly.

@haby0
Copy link
Contributor Author

haby0 commented Mar 7, 2022

Thanks for the updates @haby0. Since you did not target experimental/, I've had to ensure that everything is 100% good looking before merging this PR, so I have incorporated my changes on this PR directly.

@RasmusWL 👍
I tested the test files in the codeql\python\ql\test\experimental\library-tests path, and they were all executed successfully

@RasmusWL
Copy link
Member

RasmusWL commented Mar 7, 2022

Performance looks good 👍

@haby0
Copy link
Contributor Author

haby0 commented Mar 7, 2022

Performance looks good 👍

Thanks.

@RasmusWL RasmusWL merged commit cbe3964 into github:main Mar 8, 2022
@haby0 haby0 deleted the py/add-ssrf-sinks branch March 9, 2022 02:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@RasmusWL RasmusWL RasmusWL approved these changes

Assignees

@RasmusWL RasmusWL

Labels
documentation Python
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@haby0 @RasmusWL