Python: promote nosql query #14070
Merged
45 commits
60dc1af  Python: prepare to promote NoSqlInjection  (yoff)
55707d3  Python: Make things compile in their new location  (yoff)
db04597  Python: rename file  (yoff)
087961d  Python: Refactor to allow customizations  (yoff)
19046ea  Python: more renames  (yoff)
bf8bfd9  Python: Add inline query test  (yoff)
114984b  Python: Added tests based on security analysis  (yoff)
c0b3245  Python: Enrich the NoSql concept  (yoff)
7edebbe  Python: Add QLDocs  (yoff)
f253f97  Python: update test expectations  (yoff)
970e881  Python: Follow naming convention  (yoff)
b07d085  Python: make test PoC a proper package  (yoff)
d91cd21  Python: rename file  (yoff)
154a369  Python: Add test for function  (yoff)
d9f63e1  Python: Split modelling of query operators  (yoff)
a063d7d  Python: sinks -> decodings  (yoff)
4614b1a  Python: add change note  (yoff)
5611bda  Python: add test for `$accumulator`  (yoff)
30c37ca  Python: model `$accumulator`  (yoff)
7c085ec  Python: Add test for `map_reduce`  (yoff)
4ec8b3f  Python: Model `map_reduce`  (yoff)
12dab88  Python: rename concept  (yoff)
8156fa9  Apply naming suggestions from code review  (yoff)
37a4f35  Python: further rename  (yoff)
3fb579e  Python: add test for type tracking  (yoff)
d90630a  Python: fix query file  (yoff)
c2b6383  Apply suggestions from code review  (yoff)
9682c82  Python: rename file  (yoff)
2a739b3  Python: rename module  (yoff)
eb1be08  Python: split modelling  (yoff)
2a7b593  Python: Fix QL alerts  (yoff)
a8e0023  Python: forgot to list framework  (yoff)
d5b64c5  Python: update test expectations  (yoff)
3043633  Python: Some renaming of flow states  (yoff)
2e028a4  Apply suggestions from code review  (yoff)
74d6f37  Python: update meta query `TaintSinks`  (yoff)
2d845e3  Python: nicer paths  (yoff)
e170805  Python: fix QL alert  (yoff)
f3a0161  Python: rename flow states  (yoff)
9769668  Python: require dict sinks be dangerous.  (yoff)
16e1a00  Python: NoSQLInjection -> NoSqlInjection  (RasmusWL)
d7ad5a0  Python: List NoSQL injection sinks  (RasmusWL)
3676262  Python: Clean trailing whitespace  (RasmusWL)
d6d13f8  Python: -> NoSQL in QLDocs  (RasmusWL)
9b73bbf  Python: Add keyword argument support  (RasmusWL)
@@ -0,0 +1,38 @@ | ||
/** | ||
* Provides classes modeling security-relevant aspects of the `bson` PyPI package. | ||
* See | ||
* - https://pypi.org/project/bson/ | ||
* - https://github.com/py-bson/bson | ||
*/ | ||
|
||
private import python | ||
private import semmle.python.dataflow.new.DataFlow | ||
private import semmle.python.Concepts | ||
private import semmle.python.ApiGraphs | ||
|
||
/** | ||
* Provides models for the `bson` PyPI package. | ||
* See | ||
* - https://pypi.org/project/bson/ | ||
* - https://github.com/py-bson/bson | ||
*/ | ||
private module BSon { | ||
/** | ||
* ObjectId returns a string representing an id. | ||
* If at any time ObjectId can't parse it's input (like when a tainted dict in passed in), | ||
* then ObjectId will throw an error preventing the query from running. | ||
*/ | ||
private class BsonObjectIdCall extends DataFlow::CallCfgNode, NoSqlSanitizer::Range { | ||
BsonObjectIdCall() { | ||
exists(API::Node mod | | ||
mod = API::moduleImport("bson") | ||
or | ||
mod = API::moduleImport("bson").getMember(["objectid", "json_util"]) | ||
| | ||
this = mod.getMember("ObjectId").getACall() | ||
) | ||
} | ||
|
||
override DataFlow::Node getAnInput() { result = this.getArg(0) } | ||
} | ||
} |
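Review bot: `getAnInput()` recognises only the positional form (`this.getArg(0)`); since this PR also carries the commit "Python: Add keyword argument support", check whether an `ObjectId(...)` call that passes its input by keyword should be covered here as well (for example via `this.getArgByName(...)` with the parameter's name, which this hunk does not show), otherwise data flowing through that call form is never treated as sanitized. Two smaller points in the same hunk: the doc comment reads `can't parse it's input` and `a tainted dict in passed in` (should be `its` and `is passed in`), and the module is named `BSon` while the class is `BsonObjectIdCall`; one capitalisation, matching the package name `bson`, reads cleaner.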