Skip to content

Python: promote log injection #7735

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
RasmusWL merged 18 commits into from
Feb 23, 2022
Merged

Python: promote log injection #7735

Changes from 1 commit
Commits
Show all changes
18 commits
Select commit Hold shift + click to select a range
20d5454
python: move log injection out of experimental
yoff Jan 25, 2022
8b5114d
python: Add standard customization setup
yoff Jan 25, 2022
bf1145e
python: Add change note
yoff Jan 25, 2022
9d41666
python: modern change note
yoff Jan 25, 2022
c03f89d
Apply suggestions from code review
yoff Feb 1, 2022
7511b33
python: "command" -> "log"
yoff Feb 1, 2022
26befeb
python: drop precision and add severity score
yoff Feb 1, 2022
ecea392
python: rewrite qhelp overview
yoff Feb 1, 2022
119a7e4
python: provide links for Flask
yoff Feb 1, 2022
c587084
python: use standard `InstanceSource` construction
yoff Feb 1, 2022
bec8c0d
python: update change note
yoff Feb 1, 2022
448e078
python: `logging.root` is not a call
yoff Feb 2, 2022
f21ac04
Update python/ql/lib/semmle/python/frameworks/Stdlib.qll
yoff Feb 9, 2022
bd14ade
python: add apologetic comment
yoff Feb 14, 2022
62598c0
Update python/ql/lib/semmle/python/security/dataflow/LogInjectionCust…
yoff Feb 14, 2022
3a995ec
Update python/ql/lib/semmle/python/security/dataflow/LogInjectionCust…
yoff Feb 14, 2022
62d4bb5
Python: Autoformat
RasmusWL Feb 15, 2022
b59ab7f
Merge branch 'main' into python/promote-log-injection
RasmusWL Feb 21, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Update python/ql/lib/semmle/python/security/dataflow/LogInjectionCust… 
…omizations.qll

Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
  • Loading branch information
@yoff @RasmusWL
yoff and RasmusWL authored Feb 14, 2022
commit 3a995ec1b1189a0c585fcde54f131114ad26d195
9 changes: 6 additions & 3 deletions python/ql/lib/semmle/python/security/dataflow/LogInjectionCustomizations.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -57,11 +57,14 @@ module LogInjection {
* A call to replace line breaks, considered as a sanitizer.
*/
class ReplaceLineBreaksSanitizer extends Sanitizer, DataFlow::CallCfgNode {
// This is actually not safe:
// Note: This sanitizer is not 100% accurate, since:
// - we do not check that all kinds of line breaks are replaced
// - we do not check that one kind of line breaks is not replaced by another
// however, we lack a simple way to do better, and the query would likely
// be too noisy without this. Consider rewriting using flow states.
//
// However, we lack a simple way to do better, and the query would likely
// be too noisy without this.
//
// TODO: Consider rewriting using flow states.
ReplaceLineBreaksSanitizer() {
this.getFunction().(DataFlow::AttrRead).getAttributeName() = "replace" and
this.getArg(0).asExpr().(StrConst).getText() in ["\r\n", "\n"]
Expand Down