Python: Weak file permissions query.

markshannon · markshannon · commit a3b5769c2ce5 · 2019-01-22T11:33:19.000Z
diff --git a/change-notes/1.20/analysis-python.md b/change-notes/1.20/analysis-python.md
@@ -10,6 +10,7 @@
  | **Query**                   | **Tags**  | **Purpose**                                                        |
 |-----------------------------|-----------|--------------------------------------------------------------------|
 | Default version of SSL/TLS may be insecure (`py/insecure-default-protocol`) | security, external/cwe/cwe-327 | Finds instances where an insecure default protocol may be used. Results are shown on LGTM by default. |
+| Overly permissive file permissions (`py/overly-permissive-file`) | security, external/cwe/cwe-732 | Finds instances where a file is created with overly permissive permissions. Results are not shown on LGTM by default. |
 | Use of insecure SSL/TLS version (`py/insecure-protocol`) | security, external/cwe/cwe-327 | Finds instances where a known insecure protocol has been specified. Results are shown on LGTM by default. |
 
  ## Changes to existing queries
diff --git a/python/ql/src/Security/CWE-732/WeakFilePermissions.qhelp b/python/ql/src/Security/CWE-732/WeakFilePermissions.qhelp
@@ -0,0 +1,26 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+When creating a file POSIX systems allow permissions to be specified
+for owner, group and others separately. Permissions should be kept as
+strict as possible, preventing access to the files contents by other users.
+</p>
+
+</overview>
+
+<recommendation>
+<p>
+Restrict the file permissions of files to prevent any but the owner being able to read or write to that file
+</p>
+</recommendation>
+
+<references>
+<li>
+Wikipedia:
+<a href="https://en.wikipedia.org/wiki/File_system_permissions">File system permissions</a>.
+</li>
+</references>
+
+</qhelp>
diff --git a/python/ql/src/Security/CWE-732/WeakFilePermissions.ql b/python/ql/src/Security/CWE-732/WeakFilePermissions.ql
@@ -0,0 +1,42 @@
+/**
+ * @name Overly permissive file permissions
+ * @description Allowing files to be readable or writable by users other than the owner may allow sensitive information to be accessed.
+ * @kind problem
+ * @id py/overly-permissive-file
+ * @problem.severity warning
+ * @sub-severity high
+ * @precision medium
+ * @tags external/cwe/cwe-732
+ *       security
+ */
+import python
+
+bindingset[p]
+int world_permission(int p) {
+    result = p % 8
+}
+
+bindingset[p]
+int group_permission(int p) {
+    result = (p/8) % 8
+}
+
+bindingset[p]
+string access(int p) {
+    p%4 >= 2 and result = "writable" or
+    p%4 < 2 and p != 0 and result = "readable"
+}
+
+bindingset[p]
+string permissive_permission(int p) {
+    result = "world " + access(world_permission(p))
+    or
+    world_permission(p) = 0 and result = "group " + access(group_permission(p))
+}
+
+from FunctionObject chmod, CallNode call, NumericObject num, string permission
+where
+    any(ModuleObject os | os.getName() = "os").getAttribute("chmod") = chmod and
+    chmod.getACall() = call and call.getArg(1).refersTo(num) and
+    permission = permissive_permission(num.intValue())
+select call, "Overly permissive mask in chmod sets file to " + permission + "."
diff --git a/python/ql/test/query-tests/Security/CWE-732/WeakFilePermissions.expected b/python/ql/test/query-tests/Security/CWE-732/WeakFilePermissions.expected
@@ -0,0 +1,6 @@
+| test.py:7:1:7:19 | ControlFlowNode for Attribute() | Overly permissive mask in chmod sets file to world writable. |
+| test.py:8:1:8:20 | ControlFlowNode for Attribute() | Overly permissive mask in chmod sets file to world writable. |
+| test.py:9:1:9:21 | ControlFlowNode for Attribute() | Overly permissive mask in chmod sets file to world writable. |
+| test.py:11:1:11:21 | ControlFlowNode for Attribute() | Overly permissive mask in chmod sets file to group readable. |
+| test.py:13:1:13:28 | ControlFlowNode for Attribute() | Overly permissive mask in chmod sets file to group writable. |
+| test.py:14:1:14:19 | ControlFlowNode for Attribute() | Overly permissive mask in chmod sets file to group writable. |
diff --git a/python/ql/test/query-tests/Security/CWE-732/WeakFilePermissions.qlref b/python/ql/test/query-tests/Security/CWE-732/WeakFilePermissions.qlref
@@ -0,0 +1 @@
+Security/CWE-732/WeakFilePermissions.ql
diff --git a/python/ql/test/query-tests/Security/CWE-732/options b/python/ql/test/query-tests/Security/CWE-732/options
@@ -0,0 +1,2 @@
+semmle-extractor-options: --max-import-depth=2 -p ../lib
+optimize: true
diff --git a/python/ql/test/query-tests/Security/CWE-732/test.py b/python/ql/test/query-tests/Security/CWE-732/test.py
@@ -0,0 +1,14 @@
+import os
+import stat
+
+file = 'semmle/important_secrets'
+
+
+os.chmod(file, 0o7) # BAD
+os.chmod(file, 0o77) # BAD
+os.chmod(file, 0o777) # BAD
+os.chmod(file, 0o600) # GOOD
+os.chmod(file, 0o550) # BAD
+os.chmod(file, stat.S_IRWXU) # GOOD
+os.chmod(file, stat.S_IWGRP) # BAD
+os.chmod(file, 400) # BAD -- Decimal format.
diff --git a/python/ql/test/query-tests/Security/lib/os/__init__.py b/python/ql/test/query-tests/Security/lib/os/__init__.py
@@ -3,3 +3,6 @@ def system(cmd, *args, **kwargs):
 
 def popen(cmd, *args, **kwargs):
     return None
+
+def chmod(path, mode):
+    pass

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+Security/CWE-732/WeakFilePermissions.ql`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+semmle-extractor-options: --max-import-depth=2 -p ../lib`
	`2`	`+optimize: true`