github / codeql

CodeQL: the libraries and queries that power security researchers around the world, as well as code scanning in GitHub Advanced Security
https://codeql.github.com
MIT License

Python : Unable to follow taint through indirect calls #14842

Open R3x opened 11 months ago

R3x commented 11 months ago

Hello, I am trying to create a few dataflow queries for Python and I noticed that the dataflow module is unable to do taint tracking through indirect calls.

def test1(arg: str):
    print(f"test1 {arg}")

def test2(arg: str):
    print(f"test2 {arg}")

# Dispatch tables: the callee is chosen at runtime by key or by index.
funcmap = {
    "test1": test1,
    "test2": test2}

funclist = [test1, test2]

def foo(arg1: str, arg2: int):
    global funcmap, funclist
    func_name = None
    if arg2 == 1:
        func_name = "test1"
        out = 0
    else:
        func_name = "test2"
        out = 1
    funcmap[func_name](arg1)  # indirect call through the dict
    funclist[out](arg1)       # indirect call through the list

foo("hello", 1)
foo("world", 2)

Here, when I try to track flows from foo -> test1 or test2, the dataflow module can't find them.

Here is the query that I was using:

import python
import semmle.python.dataflow.new.DataFlow
import semmle.python.dataflow.new.TaintTracking

module MyConfiguration implements DataFlow::ConfigSig {
  /** The first parameter of `foo`, used as the source. */
  private DataFlow::ParameterNode funcSourceCall() {
    exists(Function func |
      func.getName() = "foo" and
      result.getParameter() = func.getArg(0)
    )
  }

  /** The first parameter of `test2`, used as the sink. */
  private DataFlow::ParameterNode funcSinkCall() {
    exists(Function func |
      func.getName() = "test2" and
      result.getParameter() = func.getArg(0)
    )
  }

  predicate isSource(DataFlow::Node source) { source = funcSourceCall() }

  predicate isSink(DataFlow::Node sink) { sink = funcSinkCall() }
}

module RemoteToFileFlow = TaintTracking::Global<MyConfiguration>;

from DataFlow::Node src, DataFlow::Node sink
where RemoteToFileFlow::flow(src, sink)
select sink.asExpr(), src, sink, "Src to Sink"

Is this not supported by CodeQL (or maybe I am doing something wrong)? If so, is there a hackish way I can enable tracking, maybe by modifying the Control Flow Graph?

RasmusWL commented 11 months ago

Hi @R3x, thanks for this detailed issue ❤ It's a known problem with type-trackers in the Python analysis right now, and something we're looking into fixing (although we have no concrete timeline to share right now).

R3x commented 11 months ago

@RasmusWL is there some workaround maybe similar to #7520 ?

RasmusWL commented 11 months ago

Not really, no.
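The thread ends without a general workaround, since the missing piece is call resolution inside the Python type-trackers. What a query author can do for the specific shape in the report is hand-model the dispatch: treat every function stored in a module-level dict or list literal as a possible callee of `table[...](...)`, and add an argument-to-parameter step for each. The query below is an added example (not from the issue author or the CodeQL project); the predicate `dispatchTableEntry` and the module name `DispatchFlow` are assumptions made for illustration, and the model only recognises tables that are assigned a literal whose entries are plain names of functions defined in the same file.

```ql
import python
import semmle.python.dataflow.new.DataFlow
import semmle.python.dataflow.new.TaintTracking

/**
 * Hypothetical helper (added example): holds if the global `table` is assigned
 * a dict or list literal in which function `f` appears directly as a value or
 * element, i.e. `table` is a dispatch table that may end up calling `f`.
 * Assumes the table is a module-level literal and the entries are bare names
 * of functions defined in the same file; other shapes are not modelled.
 */
private predicate dispatchTableEntry(GlobalVariable table, Function f) {
  exists(AssignStmt assign, Name entry, FunctionDef fd |
    assign.getATarget().(Name).getVariable() = table and
    (
      entry = assign.getValue().(Dict).getAValue() or
      entry = assign.getValue().(List).getAnElt()
    ) and
    fd.getATarget().(Name).getVariable() = entry.getVariable() and
    f = fd.getDefinedFunction()
  )
}

module MyConfiguration implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) {
    exists(Function func |
      func.getName() = "foo" and
      source.(DataFlow::ParameterNode).getParameter() = func.getArg(0)
    )
  }

  predicate isSink(DataFlow::Node sink) {
    exists(Function func |
      func.getName() = "test2" and
      sink.(DataFlow::ParameterNode).getParameter() = func.getArg(0)
    )
  }

  /**
   * Manual call edge: for a call `table[...](args)` whose callee is a subscript
   * of a dispatch table, step from argument `i` of the call to parameter `i`
   * of every function stored in that table. The index expression is not
   * resolved, so this over-approximates: `foo` is reported as flowing to both
   * `test1` and `test2`, whatever `arg2` is.
   */
  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
    exists(DataFlow::CallCfgNode call, Subscript callee, Function target, int i |
      call.getFunction().asExpr() = callee and
      dispatchTableEntry(callee.getObject().(Name).getVariable(), target) and
      node1 = call.getArg(i) and
      node2.(DataFlow::ParameterNode).getParameter() = target.getArg(i)
    )
  }
}

module DispatchFlow = TaintTracking::Global<MyConfiguration>;

from DataFlow::Node src, DataFlow::Node sink
where DispatchFlow::flow(src, sink)
select sink.asExpr(), src, sink, "Src to Sink via dispatch table"
```

Two caveats for anyone adopting this. First, the added step crosses function boundaries without a real call edge, so it is a "jump" step: flow summaries and return-value tracking through the dispatched callee are not restored, only the argument-to-parameter hop. Second, because the subscript index is ignored, the result is a sound-but-noisy over-approximation that is fine for finding a sink reachable through a table but will also report pairings that can never execute; narrowing it requires the kind of value resolution the maintainer says the type-trackers currently lack.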