Python: promote nosql query #14070
Query operators that interpret JavaScript are no longer considered sinks. Instead they are considered decodings and the output is the tainted dictionary. The state changes to `DictInput` to reflect that the user now controls a dangerous dictionary. This fixes the spurious result and moves the error reporting to a more logical place.
- Loading branch information
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -123,40 +123,49 @@ private module NoSql { | |
| } | ||
|
|
||
| /** The `$where` query operator executes a string as JavaScript. */ | ||
| private class WhereQueryOperator extends DataFlow::Node, Decoding::Range { | ||
| API::Node dictionary; | ||
| DataFlow::Node query; | ||
|
|
||
| WhereQueryOperator() { | ||
| dictionary = | ||
| mongoCollection().getMember(mongoCollectionMethodName()).getACall().getParameter(0) and | ||
| query = dictionary.getSubscript("$where").asSink() and | ||
| this = dictionary.asSink() | ||
|
Member
There was a problem hiding this comment. I don't quite know what to think about this... I wasn't quite sure if either the old or the new these solutions could handle when the dictionary is not constructed inside the argument to the call, such as: search = {'$where': 'this.author === "'+author+'"'}
post = posts.find_one(search) # $ result=BADBut I tried it out locally, and it did in fact work. I guess they would since the So basically you seem to be creating an additional taint-step specifically for NoSQL injection directly from the element of a dictionary with key I think that works great for simple examples, but if there is any interprocedural steps, it will not be so nice. So I think we need to track these things with data-flow, so it can be part of the path shown to end-users. We might be able to achieve that with a string->dict taint-step directly when constructing a dictionary with a You could apply the same logic to the decoded = json.loads(user_controlled)
search = {
"body": decoded,
"args": [ "$author" ],
"lang": "js"
}
posts.find_one({'$expr': {'$function': search}}) # $ result=BAD
posts.find_one({'$expr': {'$function': decoded}}) # $ result=BAD
posts.find_one({'$expr': decoded}) # $ result=BAD
posts.find_one(decoded) # $ result=BADAdding query specific taint-steps that mutate flow-state doesn't play very nicely with using Concepts, so I understand the temptation to just reuse the decoding Concepts, but I would argue that in fact no Decoding is taking place here. What I've done previously is to add query specific logic to the library modeling file, which is certainly something we could also do here (example from flask, originally added in #6989)
Contributor
Author
There was a problem hiding this comment.
This is basically what we are doing. We just require that the dictionary also flows to a harmful place. Anyway, I added the above tests, and they all pass out of the box...
Member
There was a problem hiding this comment.
Nice 👍 I guess that comes from the fact that we say after a
Member
There was a problem hiding this comment. I still think we could end up with a very long jumpstep due to the way it's written right now, which I don't think is a good solution.
Contributor
Author
There was a problem hiding this comment. Ah, that is a reasonable objection (especially now that we got better path explanations in general). I made the step target the created dictionary instead of the argument that the dictionary flows to. Dataflow is able to link the two for us. |
||
| } | ||
|
|
||
| override DataFlow::Node getAnInput() { result = query } | ||
|
|
||
| override DataFlow::Node getOutput() { result = this } | ||
|
|
||
| override string getFormat() { result = "NoSQL" } | ||
|
|
||
| override predicate mayExecuteInput() { any() } | ||
|
yoff marked this conversation as resolved.
Outdated
|
||
| } | ||
|
|
||
| /** The `$function` query operator executes its `body` string as JavaScript. */ | ||
| private class FunctionQueryOperator extends DataFlow::Node, Decoding::Range { | ||
| API::Node dictionary; | ||
|
|
||
| DataFlow::Node query; | ||
|
|
||
| FunctionQueryOperator() { | ||
| dictionary = | ||
| mongoCollection() | ||
| .getMember(mongoCollectionMethodName()) | ||
| .getACall() | ||
| .getParameter(0) | ||
| .getASubscript*() and | ||
| query = dictionary.getSubscript("$function").getSubscript("body").asSink() and | ||
| this = dictionary.asSink() | ||
| } | ||
|
|
||
| override DataFlow::Node getAnInput() { result = query } | ||
|
|
||
| override DataFlow::Node getOutput() { result = this } | ||
|
|
||
| override string getFormat() { result = "NoSQL" } | ||
|
|
||
| override predicate mayExecuteInput() { any() } | ||
| } | ||
|
|
||
| /** | ||
|
|
||
Uh oh!
There was an error while loading. Please reload this page.