Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Python: enable diff-informed data flow queries #18341

Merged
merged 7 commits into from
Feb 11, 2025
Merged

Python: enable diff-informed data flow queries #18341

merged 7 commits into from
Feb 11, 2025

Conversation

asgerf
Copy link
Contributor

@asgerf asgerf commented Dec 20, 2024
edited
Loading

The first commit is an auto-generated patch that enables diff-informed data flow in the obvious cases, and inserts a TODO comment in the non-obvious cases. Later commits fix up the TODOs.

Unavoidable test failure in --check-diff-informed

Diff-informedness can be tested with codeql test run --check-diff-informed (not currently run by CI).

Note that this PR is currently observing a test failure from --check-diff-informed due to this situation in the PartialServerSideRequestForgery test case:

conn = HTTPConnection(unsafe_host) # <-- 'unsafe_host' is the sink
conn.request("GET", unsafe_path) # <-- related location inside the diff, causes the sink to be active
conn.request("GET", "/foo") # <-- outside the diff, test fails due to this being wrongly included

At the moment there is no way to satisfy the test runner without relying on AlertFiltering directly or outright disabling diff-informedness for that query. I believe the plan is to fix this on the CLI side, in which case we should be able to keep the PartialServerSideRequestForgery query diff-informed. (See internal discussion)

@asgerf asgerf force-pushed the py/diff-informed branch 2 times, most recently from cd0e37a to 6d41b4a Compare January 23, 2025 09:17
@asgerf asgerf added the no-change-note-required This PR does not need a change note label Feb 6, 2025
asgerf added 2 commits February 6, 2025 11:30
@asgerf
JS: Disable diff-informedness for full SSRF
7d6abb4 
Partial SSRF uses its result in a way that prevents diff-informedness
@asgerf
JS: Partial SSRF does not select the sink location
d3b9d1d
@asgerf asgerf marked this pull request as ready for review February 10, 2025 09:49
@Copilot Copilot bot review requested due to automatic review settings February 10, 2025 09:49
@asgerf asgerf requested a review from a team as a code owner February 10, 2025 09:49
Copilot
Copilot AI reviewed Feb 10, 2025
View reviewed changes

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot reviewed 54 out of 54 changed files in this pull request and generated no comments.

Tip: Copilot only keeps its highest confidence comments to reduce noise and keep you focused. Learn more
adityasharad
adityasharad approved these changes Feb 10, 2025
View reviewed changes
Copy link
Collaborator

@adityasharad adityasharad left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks reasonable, I appreciate the inline comments about the exceptional cases.

python/ql/lib/semmle/python/security/dataflow/UnsafeShellCommandConstructionQuery.qll
Comment on lines +35 to +39
result = sink.(Sink).getLocation()
or
result = sink.(Sink).getStringConstruction().getLocation()
or
result = sink.(Sink).getCommandExecution().getLocation()
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Optional thought: This pattern makes me think we should allow the custom Sink classes to expose a getASelectedLocation predicate and expand it through overrides, then just call result = sink.(Sink).getASelectedLocation() here. Not necessary to figure out for this PR.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The pattern I have in mind is that the select clause must only select entities that are returned from a member predicate on the Source and Sink classes, and then those same predicates must be mentioned in the config. This can be enforced with a QL4QL query without needing too much static analysis.

The problem with putting a getASelectedLocation member on Sink is that it must still be implemented far away from the select clause. It doesn't avoid the strong coupling between two things that are far apart.

@asgerf asgerf merged commit eedfa4d into github:main Feb 11, 2025
13 of 14 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

@adityasharad adityasharad adityasharad approved these changes

Assignees
No one assigned
Labels
no-change-note-required This PR does not need a change note Python
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@asgerf @adityasharad