Skip to content

Python: promote log injection #7735

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
RasmusWL merged 18 commits into from
Feb 23, 2022
Merged

Python: promote log injection #7735

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
18 commits
Select commit Hold shift + click to select a range
20d5454
python: move log injection out of experimental
yoff Jan 25, 2022
8b5114d
python: Add standard customization setup
yoff Jan 25, 2022
bf1145e
python: Add change note
yoff Jan 25, 2022
9d41666
python: modern change note
yoff Jan 25, 2022
c03f89d
Apply suggestions from code review
yoff Feb 1, 2022
7511b33
python: "command" -> "log"
yoff Feb 1, 2022
26befeb
python: drop precision and add severity score
yoff Feb 1, 2022
ecea392
python: rewrite qhelp overview
yoff Feb 1, 2022
119a7e4
python: provide links for Flask
yoff Feb 1, 2022
c587084
python: use standard `InstanceSource` construction
yoff Feb 1, 2022
bec8c0d
python: update change note
yoff Feb 1, 2022
448e078
python: `logging.root` is not a call
yoff Feb 2, 2022
f21ac04
Update python/ql/lib/semmle/python/frameworks/Stdlib.qll
yoff Feb 9, 2022
bd14ade
python: add apologetic comment
yoff Feb 14, 2022
62598c0
Update python/ql/lib/semmle/python/security/dataflow/LogInjectionCust…
yoff Feb 14, 2022
3a995ec
Update python/ql/lib/semmle/python/security/dataflow/LogInjectionCust…
yoff Feb 14, 2022
62d4bb5
Python: Autoformat
RasmusWL Feb 15, 2022
b59ab7f
Merge branch 'main' into python/promote-log-injection
RasmusWL Feb 21, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Next Next commit
python: move log injection out of experimental 
- move from custom concept `LogOutput` to standard concept `Logging`
- remove `Log.qll` from experimental frameworks
  - fold models into standard models (naively for now)
    - stdlib:
      - make Logger module public
      - broaden definition of instance
      - add `extra` keyword as possible source
   - flak: add app.logger as logger instance
   - django: `add django.utils.log.request_logger` as logger instance
     (should we add the rest?)
- remove LogOutput from experimental concepts
  • Loading branch information
@yoff
yoff committed Jan 31, 2022
commit 20d54543fd9e45012b970e30f1de6d6d32c9aef8
13 changes: 13 additions & 0 deletions python/ql/lib/semmle/python/frameworks/Django.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2295,4 +2295,17 @@ module PrivateDjango {

override string getMimetypeDefault() { none() }
}

// ---------------------------------------------------------------------------
// Logging
// ---------------------------------------------------------------------------
/**
* Django provides a standard Python logger.
*/
Comment thread
yoff marked this conversation as resolved.
private class DjangoLogger extends Stdlib::Logger::LoggerInstance {
DjangoLogger() {
this =
API::moduleImport("django").getMember("utils").getMember("log").getMember("request_logger")
}
}
}
11 changes: 11 additions & 0 deletions python/ql/lib/semmle/python/frameworks/Flask.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ private import semmle.python.dataflow.new.RemoteFlowSources
private import semmle.python.dataflow.new.TaintTracking
private import semmle.python.Concepts
private import semmle.python.frameworks.Werkzeug
private import semmle.python.frameworks.Stdlib
private import semmle.python.ApiGraphs
private import semmle.python.frameworks.internal.InstanceTaintStepsHelper
private import semmle.python.security.dataflow.PathInjectionCustomizations
Expand Down Expand Up @@ -569,4 +570,14 @@ module Flask {
result in [this.getArg(0), this.getArgByName("filename_or_fp")]
}
}

// ---------------------------------------------------------------------------
// Logging
// ---------------------------------------------------------------------------
/**
* The attribute `logger` on a Flask application is a standard Python logger.
*/
private class FlaskLogger extends Stdlib::Logger::LoggerInstance {
FlaskLogger() { this = FlaskApp::instance().getMember("logger") }
}
}
63 changes: 38 additions & 25 deletions python/ql/lib/semmle/python/frameworks/Stdlib.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -237,6 +237,42 @@ module Stdlib {
}
}
}

// ---------------------------------------------------------------------------
// logging
// ---------------------------------------------------------------------------
/**
* Provides models for the `logging.Logger` class and subclasses.
*
* See https://docs.python.org/3.9/library/logging.html#logging.Logger.
*/
module Logger {
/**
* An instance of `logging.Logger`. Extend this class to model new instances.
* Most major frameworks will provide a logger instance as a class attribute.
*/
abstract class LoggerInstance extends API::Node {
override string toString() { result = "logger" }
}

/** Gets a reference to the `logging.Logger` class or any subclass. */
API::Node subclassRef() {
result = API::moduleImport("logging").getMember("Logger").getASubclass*()
}

/** Gets a reference to an instance of `logging.Logger` or any subclass. */
API::Node instance() {
result instanceof LoggerInstance
or
result = subclassRef().getReturn()
or
result = API::moduleImport("logging")
or
result = API::moduleImport("logging").getMember("root")
or
result = API::moduleImport("logging").getMember("getLogger").getReturn()
}
}
Comment on lines +249 to +287
Copy link
Copy Markdown
Member

@RasmusWL RasmusWL Jan 31, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see that I created this non-standard setup with just using API::Node, but now that we're exposing it more publicly, we need to rewrite this to use the standard library modeling setup with InstanceSource and type-tracking (which has a snippet, so it's quite easy).

Looking over the code again, I don't quite know why I did this in the first place. LoggerLogCall can easily be written with the standard approach together with DataFlow::MethodCallNode 🤷

Copy link
Copy Markdown
Contributor Author

@yoff yoff Feb 1, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Surely it is nicer, if we can get away with using an API:Node?

Copy link
Copy Markdown
Contributor Author

@yoff yoff Feb 1, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Moved to standard setup as discussed offline.

}

/**
Expand Down Expand Up @@ -2642,27 +2678,6 @@ private module StdlibPrivate {
// ---------------------------------------------------------------------------
// logging
// ---------------------------------------------------------------------------
/**
* Provides models for the `logging.Logger` class and subclasses.
*
* See https://docs.python.org/3.9/library/logging.html#logging.Logger.
*/
module Logger {
/** Gets a reference to the `logging.Logger` class or any subclass. */
API::Node subclassRef() {
result = API::moduleImport("logging").getMember("Logger").getASubclass*()
}

/** Gets a reference to an instance of `logging.Logger` or any subclass. */
API::Node instance() {
result = subclassRef().getReturn()
or
result = API::moduleImport("logging").getMember("root")
or
result = API::moduleImport("logging").getMember("getLogger").getReturn()
}
}

/**
* A call to one of the logging methods from `logging` or on a `logging.Logger`
* subclass.
Expand All @@ -2683,14 +2698,12 @@ private module StdlibPrivate {
method = "log" and
msgIndex = 1
|
this = Logger::instance().getMember(method).getACall()
or
this = API::moduleImport("logging").getMember(method).getACall()
Copy link
Copy Markdown
Member

@RasmusWL RasmusWL Jan 31, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't agree about this removal. I see that API::moduleImport("logging") is now modeled as a LoggerInstance... but that is not true, these are helper methods defined on the module leve.

Copy link
Copy Markdown
Contributor Author

@yoff yoff Feb 1, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there value in modelling instances specifically? Or could we just rename instance to something like loggingMethodProvider?

Copy link
Copy Markdown
Contributor Author

@yoff yoff Feb 1, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reverted to previous modelling approach as discussed offline.

this = Stdlib::Logger::instance().getMember(method).getACall()
)
}

override DataFlow::Node getAnInput() {
result = this.getArgByName("msg")
result = this.getArgByName(["msg", "extra"])
or
result = this.getArg(any(int i | i >= msgIndex))
}
Expand Down
4 changes: 2 additions & 2 deletions ...ython/security/injection/LogInjection.qll → ...python/security/dataflow/LogInjection.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
import python
import semmle.python.Concepts
import experimental.semmle.python.Concepts
import semmle.python.Concepts
import semmle.python.dataflow.new.DataFlow
import semmle.python.dataflow.new.TaintTracking
import semmle.python.dataflow.new.RemoteFlowSources
Expand All @@ -13,7 +13,7 @@ class LogInjectionFlowConfig extends TaintTracking::Configuration {

override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

override predicate isSink(DataFlow::Node sink) { sink = any(LogOutput logoutput).getAnInput() }
override predicate isSink(DataFlow::Node sink) { sink = any(Logging write).getAnInput() }

override predicate isSanitizer(DataFlow::Node node) {
exists(CallNode call |
Expand Down
0 ...ental/Security/CWE-117/LogInjection.qhelp → ...l/src/Security/CWE-117/LogInjection.qhelp
View file
Open in desktop
File renamed without changes.
2 changes: 1 addition & 1 deletion ...rimental/Security/CWE-117/LogInjection.ql → ...n/ql/src/Security/CWE-117/LogInjection.ql
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@
*/

import python
import experimental.semmle.python.security.injection.LogInjection
import semmle.python.security.dataflow.LogInjection
import DataFlow::PathGraph

from LogInjectionFlowConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
Expand Down
0 ...ental/Security/CWE-117/LogInjectionBad.py → ...l/src/Security/CWE-117/LogInjectionBad.py
View file
Open in desktop
File renamed without changes.
0 ...ntal/Security/CWE-117/LogInjectionGood.py → .../src/Security/CWE-117/LogInjectionGood.py
View file
Open in desktop
File renamed without changes.
30 changes: 0 additions & 30 deletions python/ql/src/experimental/semmle/python/Concepts.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,36 +14,6 @@ private import semmle.python.dataflow.new.RemoteFlowSources
private import semmle.python.dataflow.new.TaintTracking
private import experimental.semmle.python.Frameworks

/** Provides classes for modeling log related APIs. */
module LogOutput {
/**
* A data flow node for log output.
*
* Extend this class to model new APIs. If you want to refine existing API models,
* extend `LogOutput` instead.
*/
abstract class Range extends DataFlow::Node {
/**
* Get the parameter value of the log output function.
*/
abstract DataFlow::Node getAnInput();
}
}

/**
* A data flow node for log output.
*
* Extend this class to refine existing API models. If you want to model new APIs,
* extend `LogOutput::Range` instead.
*/
class LogOutput extends DataFlow::Node {
LogOutput::Range range;

LogOutput() { this = range }

DataFlow::Node getAnInput() { result = range.getAnInput() }
}

/** Provides classes for modeling LDAP query execution-related APIs. */
module LDAPQuery {
/**
Expand Down
1 change: 0 additions & 1 deletion python/ql/src/experimental/semmle/python/Frameworks.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,6 @@ private import experimental.semmle.python.frameworks.Django
private import experimental.semmle.python.frameworks.Werkzeug
private import experimental.semmle.python.frameworks.LDAP
private import experimental.semmle.python.frameworks.NoSQL
private import experimental.semmle.python.frameworks.Log
private import experimental.semmle.python.frameworks.JWT
private import experimental.semmle.python.libraries.PyJWT
private import experimental.semmle.python.libraries.Authlib
Expand Down
118 changes: 0 additions & 118 deletions python/ql/src/experimental/semmle/python/frameworks/Log.qll
View file
Open in desktop

This file was deleted.

1 change: 0 additions & 1 deletion python/ql/test/experimental/query-tests/Security/CWE-117/LogInjection.qlref
View file
Open in desktop

This file was deleted.

0 ...ts/Security/CWE-117/LogInjection.expected → ...WE-117-LogInjection/LogInjection.expected
View file
Open in desktop
File renamed without changes.
1 change: 1 addition & 0 deletions python/ql/test/query-tests/Security/CWE-117-LogInjection/LogInjection.qlref
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Security/CWE-117/LogInjection.ql
0 ...tests/Security/CWE-117/LogInjectionBad.py → ...y/CWE-117-LogInjection/LogInjectionBad.py
View file
Open in desktop
File renamed without changes.
0 ...ests/Security/CWE-117/LogInjectionGood.py → .../CWE-117-LogInjection/LogInjectionGood.py
View file
Open in desktop
File renamed without changes.