517a920
PR init
jorgectf Mar 30, 2021
aea7546
Add Concepts
jorgectf Mar 30, 2021
bd5ff01
PyMongo and Mongoengine sinks
jorgectf Mar 30, 2021
d856f16
Adapt query configs and custom classes
jorgectf Mar 30, 2021
4579132
Add left tests
jorgectf Mar 30, 2021
ccd57be
Fix imports
jorgectf Mar 30, 2021
01f9d4a
Fix MongoEngine Sink
jorgectf Mar 31, 2021
7a4dc46
Fix Sinks
jorgectf Mar 31, 2021
5a1dc48
Fix Mongoengine test
jorgectf Mar 31, 2021
017a826
Remove unused class variables
jorgectf Mar 31, 2021
f0a50eb
Polish up configs
jorgectf Mar 31, 2021
3a47a45
Attempt to apply TaintTracking2
jorgectf Mar 31, 2021
c8740a2
Update naming
jorgectf Apr 1, 2021
f980d06
Fix taint configs
jorgectf Apr 1, 2021
15e176a
Polish query select
jorgectf Apr 1, 2021
9072d19
Update qhelp file
Apr 5, 2021
be9a3a9
Add relevant PyMongo sink methods
Apr 5, 2021
80216f6
Rename classes
Apr 5, 2021
3f0c758
Add required __raw__ keyword
mrthankyou Apr 5, 2021
759fa2c
Update query to search for more pymongo sink methods
mrthankyou Apr 6, 2021
6ade120
Add check for mongoengine raw queries
mrthankyou Apr 6, 2021
ac31260
Made grammar changes
mrthankyou Apr 6, 2021
520e65e
Remove unnecessary example code
mrthankyou Apr 6, 2021
dc274ec
Improve sentence structure and grammar
mrthankyou Apr 6, 2021
4e98348
Remove comment
mrthankyou Apr 6, 2021
719c30b
Fix file name and adjust where the test points to
mrthankyou Apr 7, 2021
83f28bf
Catch any keyword argument passed to MongoEngine's objects method
mrthankyou Apr 7, 2021
0e51dbe
Polish tests
jorgectf Apr 9, 2021
a6b3aef
Add flask_mongoengine sink
jorgectf Apr 9, 2021
fa5869a
Polish qhelp and examples
jorgectf Apr 9, 2021
983af32
Polish qhelp examples
jorgectf Apr 9, 2021
208b53e
Polish query file
jorgectf Apr 9, 2021
1663857
Polish Calls naming
jorgectf Apr 9, 2021
4615927
Fix flask_mongoengine Call
jorgectf Apr 9, 2021
5d25a27
Add .expected
jorgectf Apr 9, 2021
bbd3552
Rename predicate to getQuery
mrthankyou Apr 20, 2021
7773c53
Replace any(string) with _ wildcard
mrthankyou Apr 20, 2021
62f3e8d
Add sanitizer for ObjectId
mrthankyou Apr 26, 2021
d85b1a2
Replace recursive getAMember*() method
mrthankyou Apr 28, 2021
56dc4d8
Add comment on BsonObjectIdCall
mrthankyou May 4, 2021
c4a67e5
Rewrite query to take into account MongoClient and subscript expressions
mrthankyou May 4, 2021
1d36aa6
Add additional querying for mongoengine Document subclassing
mrthankyou May 7, 2021
7693d69
Add additional query tests
mrthankyou May 7, 2021
8f8eff2
Fix comment description of predicate
mrthankyou May 7, 2021
9a44020
Rename StdLib.qll file to NoSQL.qll file
mrthankyou May 7, 2021
83f0870
Update file path of module
mrthankyou May 7, 2021
aa24c68
Add back accidentally deleted StdLib.qll file
mrthankyou May 7, 2021
65c6f19
Rename mongoengine-flask-db-document-subclass
jorgectf May 7, 2021
e7bdc73
Update .expected
jorgectf May 7, 2021
0fc044d
Checkout Stdlib.qll
jorgectf May 7, 2021
67bc576
Delete StdLib.qll
mrthankyou May 7, 2021
07c3e22
Fix method name to match flask_mongoengine library
mrthankyou May 9, 2021
0238e51
Add checks for EmbeddedDocument classes
mrthankyou May 9, 2021
3e25b14
Update NoSQLInjection.expected
mrthankyou May 12, 2021
c948970
resolve merge conflicts
jorgectf Jun 14, 2021
6bed859
Match sanitizer inputs' naming
jorgectf Jun 15, 2021
e61cf9a
Simplify tests
jorgectf Jun 15, 2021
5123b8f
Update .expected
jorgectf Jun 15, 2021
81505fb
Normalize tests
jorgectf Jun 16, 2021
5c7229c
Optimize Type Tracking stuff
jorgectf Jun 16, 2021
8527ccc
Update .expected
jorgectf Jun 16, 2021
b8e619a
Extend qhelp references
jorgectf Jun 17, 2021
8e3d5ff
Rename mongoclient tests
jorgectf Jun 17, 2021
7e6032f
Port to Decoding
jorgectf Jun 17, 2021
4e74003
Polish Concepts documentation
jorgectf Jun 17, 2021
eb16018
Update .expected
jorgectf Jun 17, 2021
5971142
Python: Fix qhelp for NoSQL injection
RasmusWL Jun 28, 2021
318694c
Python: Don't rely on `d = d.getOutput()` for `Decoding`
RasmusWL Jun 28, 2021
a5009ef
Merge pull request #5 from RasmusWL/nosql-fixes
jorgectf Jun 28, 2021
0ca4f24
Merge tests and update `.expected`
jorgectf Jun 28, 2021
3fd1129
Delete trivial tests
jorgectf Jun 28, 2021
68c6831
Polish documentation, `mongoCollectionMethod()` and update `.expected`
jorgectf Jun 28, 2021
3504408
Apply suggestions from code review
jorgectf Jun 28, 2021
51395d1
Move `xmltodict` to its own file under `frameworks/`
jorgectf Jun 28, 2021
0819090
Fix qldocs typo
jorgectf Jun 29, 2021
9a8d1f8
Take back non-trivial tests
jorgectf Jun 29, 2021
621a810
Update `.expected`
jorgectf Jun 29, 2021
e02a63a
Delete trivial `*_good.py` tests
jorgectf Jun 29, 2021
51a6140
Change variable name to correct sanitized input variable
mrthankyou Jul 13, 2021
6f09b95
Update `.expected`
jorgectf Jul 15, 2021
e6ce10b
Merge remote-tracking branch 'origin/main' into jty/python/nosqlInjec…
jorgectf Aug 10, 2021
Attempt to apply TaintTracking2
jorgectf committed Mar 31, 2021
commit 3a47a45e47c698be906bb77856d1a09dfd54847c
Expand Up @@ -12,5 +12,8 @@

import python
import experimental.semmle.python.security.injection.NoSQLInjection
import DataFlow::PathGraph
// from, where, select statements

// https://github.com/github/codeql/blob/e266cedc84cf73d01c9b2d4b0e4313e5d96755ba/python/ql/src/semmle/python/security/dataflow/PathInjection.qll#L103
from CustomPathNode source, CustomPathNode sink
where noSQLInjectionFlow(source, sink)
select source, sink
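Review bot: The `select source, sink` on the last line has no alert message and no sink-node column, so if the query's metadata above this hunk declares `@kind path-problem`, the result will not render as an alert; path-problem queries select the sink node, then the source and sink path nodes, then a message naming the user-controlled value. The imported `DataFlow::PathGraph` also defines its `edges`/`nodes` relations over `DataFlow::PathNode`, while the selected columns are `CustomPathNode`, so the chained path is unlikely to be drawn; `ChainedConfigs12`, which this query depends on, is where a path-graph module for `CustomPathNode` would live, and that is what should be imported instead if it exists. The comment linking `PathInjection.qll#L103` at a pinned commit is fine as provenance but a one-line statement of what was borrowed would age better.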
Expand Up @@ -62,7 +62,7 @@ private module NoSQL {
override DataFlow::Node getQueryNode() { result = this.getArg(0) }
}

// pending: look for more Sanitizer libs
// more sanitizer libs?
private class MongoSanitizerCall extends DataFlow::CallCfgNode, NoSQLSanitizer::Range {
MongoSanitizerCall() {
this =
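Review bot: The rewritten comment `// more sanitizer libs?` above `MongoSanitizerCall` says less than the `// pending: look for more Sanitizer libs` it replaces, and a sanitizer class is the one place where a vague comment matters, because every call matched here stops taint and an over-broad match becomes a missed finding rather than a false positive. Suggest `// TODO: only the calls matched below are treated as sanitizers; review each addition, since a call that does not actually neutralize the query hides real findings`. The characteristic predicate of `MongoSanitizerCall` continues past the end of the hunk, and the enclosing `NoSQL` module starts before it.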
@@ -1,13 +1,14 @@
import python
import experimental.semmle.python.Concepts
import semmle.python.dataflow.new.DataFlow
import semmle.python.dataflow.new.DataFlow2
import semmle.python.dataflow.new.TaintTracking
// https://ghsecuritylab.slack.com/archives/CQJU6RN49/p1617022135088100
import semmle.python.dataflow.new.TaintTracking2
import experimental.semmle.python.Concepts
import semmle.python.dataflow.new.RemoteFlowSources
import semmle.python.ApiGraphs
// temporary imports (change after query normalization)
import semmle.python.security.dataflow.ChainedConfigs12

// custom no-Concepts classes
class JsonLoadsCall extends DataFlow::CallCfgNode {
JsonLoadsCall() { this = API::moduleImport("json").getMember("loads").getACall() }

Expand Down Expand Up @@ -47,9 +48,9 @@ class NoSQLInjectionConfig extends TaintTracking::Configuration {
}
}

// I hate the name ObjectBuilderFunctionConfig so this can be renamed
class ObjectBuilderFunctionConfig extends TaintTracking2::Configuration {
ObjectBuilderFunctionConfig() { this = "ObjectBuilderFunctionConfig" }
// better name?
class FromJSONConfig extends TaintTracking2::Configuration {
FromJSONConfig() { this = "FromJSONConfig" }

override predicate isSource(DataFlow::Node source) { source instanceof JSONRelatedSink }

Expand All @@ -61,3 +62,14 @@ class ObjectBuilderFunctionConfig extends TaintTracking2::Configuration {
sanitizer = any(NoSQLSanitizer noSQLSanitizer).getSanitizerNode()
}
}

predicate noSQLInjectionFlow(CustomPathNode source, CustomPathNode sink) {
exists(
FromJSONConfig config, DataFlow::PathNode mid1, DataFlow2::PathNode mid2,
NoSQLInjectionConfig config2
|
config.hasFlowPath(source.asNode1(), mid1) and
config2.hasFlowPath(mid2, sink.asNode2()) and
mid1.getNode().asCfgNode() = mid2.getNode().asCfgNode()
)
}
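Review bot: `noSQLInjectionFlow` joins the two configurations on `mid1.getNode().asCfgNode() = mid2.getNode().asCfgNode()`, and `asCfgNode()` has a result only for data-flow nodes backed by a control-flow node, so a handoff at any other node silently drops the whole path — a false negative in a security query rather than a loud failure. Comparing the data-flow nodes directly, `mid1.getNode() = mid2.getNode()`, avoids that, assuming `DataFlow2::PathNode.getNode()` returns the same `DataFlow::Node` type as `DataFlow::PathNode.getNode()`, which I believe is the case in the Python library but is worth confirming. The predicate also has no QLDoc; a `/** Holds if ... */` line stating that `FromJSONConfig` (via `asNode1()`) supplies the alert source and `NoSQLInjectionConfig` (via `asNode2()`) the alert sink would make the intended chain order reviewable, since after the rename in the hunk above `// better name?` is the only comment left on `FromJSONConfig`. The `// https://ghsecuritylab.slack.com/...` comment in the import hunk points at a private channel that readers of this repository cannot open; replacing it with the reason `TaintTracking2` is imported would carry the same information.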