python taint tracking doesn't work with namespace packages properly  #11780

Open
@am0o0

Description


Add these files under the same main directory:

a.py

```python
import cgi
import b

# Untrusted input from the CGI request; the query below marks this as the source.
req = cgi.FieldStorage()
ssh = b.cmd_exec(req.getvalue('cmd'))
```

b.py

```python
def cmd_exec(cmd):
    # exec_mymodule stands in for a sink in a hypothetical module; the question is
    # whether taint on `cmd` is tracked across the module boundary into this call.
    from mymodule import exec_mymodule
    cmd_output = exec_mymodule("bash", "-c", cmd)
    return cmd_output
```

Run the following simple taint-tracking path query:

```ql
/**
 * @name myTaint
 * @description myTaint
 * @kind path-problem
 * @problem.severity error
 * @security-severity 9.3
 * @sub-severity high
 * @precision high
 * @id py/myTaint
 * @tags security
 *       external/cwe/cwe-094
 *       external/cwe/cwe-095
 *       external/cwe/cwe-116
 */
import python
import semmle.python.dataflow.new.DataFlow
import semmle.python.dataflow.new.TaintTracking
import semmle.python.dataflow.new.RemoteFlowSources
import DataFlow::PathGraph
import semmle.python.ApiGraphs

class Configuration extends TaintTracking::Configuration {
  Configuration() { this = "Configuration" }

  // Source: the cgi.FieldStorage() return value
  override predicate isSource(DataFlow::Node source) {
    source = API::moduleImport("cgi").getMember("FieldStorage").getReturn().asSource()
  }

  // Sink: every node, so the path graph shows how far taint propagates
  override predicate isSink(DataFlow::Node sink) { any() }
}

from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
where config.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "This code execution depends on a $@.", source.getNode(),
  "user-provided value"
```

You can see that flow can't go into b.cmd_exec from a.py.
@jketema on the GHSL Slack said that if I change the directory structure as follows:

```
code
 |- a.py
 |- pack
     |- __init__.py
     |- b.py
```

it works. I tested it, and it worked for me: I could track cmd to exec_mymodule as the final sink.
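The difference between the layouts the report compares, as an added example that is not from the issue or from CodeQL: it rebuilds each layout under a temporary directory and asks importlib whether Python sees a plain top-level module, a PEP 420 namespace package (directory without __init__.py), or a regular package. The b.py contents are a constructed stand-in.

```python
# Added example (not from the issue): rebuild the layouts from the report under
# temporary directories and ask importlib how each top-level name resolves.
import importlib.util
import os
import sys
import tempfile

B_SOURCE = "def cmd_exec(cmd):\n    return cmd\n"  # constructed stand-in for b.py

def write_layout(root, package, with_init):
    """Create root/b.py (package=None) or root/<package>/b.py, optionally with __init__.py."""
    target = root if package is None else os.path.join(root, package)
    os.makedirs(target, exist_ok=True)
    if package is not None and with_init:
        open(os.path.join(target, "__init__.py"), "w").close()
    with open(os.path.join(target, "b.py"), "w") as f:
        f.write(B_SOURCE)

def classify(root, name):
    """How Python resolves `name` with `root` on sys.path: 'module' (plain b.py),
    'regular' (directory with __init__.py), 'namespace' (PEP 420 directory
    without __init__.py) or 'missing'."""
    saved = sys.path[:]
    sys.path.insert(0, root)
    importlib.invalidate_caches()
    try:
        spec = importlib.util.find_spec(name)
    finally:
        sys.path[:] = saved
    if spec is None:
        return "missing"
    if spec.submodule_search_locations is None:
        return "module"
    # A namespace package has no __init__.py to point at, so origin is None
    # (older 3.x reported the string "namespace").
    if spec.origin in (None, "namespace"):
        return "namespace"
    return "regular"

def compare_layouts():
    """Classify the layouts the issue discusses (sibling b.py, pack/ without and with __init__.py)."""
    results = {}
    for label, package, with_init in [("sibling b.py", None, False),
                                      ("pack/ without __init__.py", "pack", False),
                                      ("pack/ with __init__.py", "pack", True)]:
        root = tempfile.mkdtemp()
        write_layout(root, package, with_init)
        results[label] = classify(root, package or "b")
    return results
```

Only the last layout is a regular package; the original layout is a plain sibling module, and a pack/ directory without __init__.py is a namespace package, which is the case the report says the analysis does not follow.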

Labels: Python, bug