Open gbleaney opened 4 years ago
What happens if you put `thumbnail_url = url`? I'm wondering if what you're seeing is the fact that the taint is getting lost during the call to `generate_thumbnail_url`.
In general, function calls do not preserve taint, unless we can figure out (by an examination of the function) that taint is preserved all the way through. The function `generate_thumbnail_url` is fairly complicated, and in turn depends on `urllib`, so my guess is that somewhere in all of this URL manipulation, the taint is getting lost.
If you know that a function should preserve taint, you can always tell the taint analysis this explicitly by adding an `isAdditionalFlowStep(src, dest)` method to your configuration.
> What happens if you put `thumbnail_url = url`?
@tausbn, is there a way for me to rebuild the database after modifying the code? I'm using a database from lgtm.com right now. Happy to follow the docs if you can give me a link.
As an attempt to test your theory within the constraints of not regenerating the database, I modified the above code to make the first argument of `generate_thumbnail_url` a sink:

```ql
class RedirectSink extends TaintTracking::Sink {
  RedirectSink() {
    // This is the only line I changed: the sink is now argument 0 of any call to generate_thumbnail_url
    exists(FunctionValue f |
      f.getName() = "generate_thumbnail_url" and f.getACall().getArg(0) = this
    )
  }

  override predicate sinks(TaintKind kind) { kind instanceof DjangoRequest }

  override string toString() { result = "Django's redirect sink" }
}
```
I tested the source and sink definitions separately like this, and confirmed they returned the expected `REQ()` and `generate_thumbnail_url(...)` calls:

```ql
from TaintSource source
where source instanceof ZulipReqSource
select source
```

and

```ql
from TaintSink sink
where sink instanceof RedirectSink
select sink
```

When querying for the flow from `REQ()` -> arg 0 of `generate_thumbnail_url`, I still get no results.
For creating databases, you can use the CodeQL CLI. See here for information on how to set it up, as well as the licensing terms that apply.
I just tried out a small test case, and I think you're right that we are not handling taint flow from default arguments correctly. In the short term, this may be possible to fix by defining additional taint flow steps (as I mentioned above). I'm working on a fix for the libraries themselves, but this change will likely take a few weeks before it goes live on LGTM.com.
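To make the failure mode discussed in this thread concrete, here is an added Python example (not code from the thread, from CodeQL, or from Zulip) that runs a tiny AST-based taint tracker over a constructed view function shaped like the one under discussion. `REQ()` is treated as the taint source and `redirect()` as the sink (both assumed names), and the tracker exposes the two knobs the thread turns on: whether a parameter's default value propagates taint into the parameter at all, and an explicit allow-list of taint-preserving calls that plays the role of an additional flow step for `generate_thumbnail_url`.

```python
import ast

# Constructed sample in the shape the issue describes: a view whose parameter
# default is computed by REQ() and whose value ends up in redirect().
SAMPLE = '''
def backend(request, user_profile, url=REQ(), size=REQ()):
    thumbnail_url = generate_thumbnail_url(url, size)
    return redirect(thumbnail_url)

def aliased(request, url=REQ()):
    thumbnail_url = url
    return redirect(thumbnail_url)

def safe(request):
    return redirect("/home")
'''

SOURCE_CALLS = {"REQ"}      # assumed source: request-derived values
SINK_CALLS = {"redirect"}   # assumed sink: open-redirect target


def callee_name(node):
    """Bare callee name of a Call node ('REQ' for REQ(...) or x.REQ(...)), else None."""
    if isinstance(node, ast.Call):
        if isinstance(node.func, ast.Name):
            return node.func.id
        if isinstance(node.func, ast.Attribute):
            return node.func.attr
    return None


def mentions_source(expr):
    """True if any sub-expression of expr is a call to a source function."""
    return any(callee_name(n) in SOURCE_CALLS for n in ast.walk(expr))


def tainted_defaults(func):
    """Names of parameters whose default value is built from a source call."""
    args = func.args
    positional = args.posonlyargs + args.args
    # Defaults align with the *last* len(defaults) positional parameters.
    with_default = positional[len(positional) - len(args.defaults):]
    names = {p.arg for p, d in zip(with_default, args.defaults) if mentions_source(d)}
    names |= {p.arg for p, d in zip(args.kwonlyargs, args.kw_defaults)
              if d is not None and mentions_source(d)}
    return names


def expr_is_tainted(expr, tainted, preserving_calls):
    """Taint survives a bare name read, or a call to an explicitly listed
    taint-preserving function that receives at least one tainted argument.
    Any other call drops taint, mirroring the default analysis behaviour."""
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    if isinstance(expr, ast.Call) and callee_name(expr) in preserving_calls:
        return any(expr_is_tainted(a, tainted, preserving_calls) for a in expr.args)
    return False


def find_flows(source_code, track_defaults=True, preserving_calls=frozenset()):
    """Return sorted (function, sink, argument) triples where taint introduced
    by a parameter default reaches a sink call inside that function."""
    findings = []
    for func in ast.walk(ast.parse(source_code)):
        if not isinstance(func, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        tainted = set(tainted_defaults(func)) if track_defaults else set()
        assigns = [n for n in ast.walk(func) if isinstance(n, ast.Assign)]
        changed = True
        while changed:  # flow-insensitive fixpoint over simple name assignments
            changed = False
            for a in assigns:
                if expr_is_tainted(a.value, tainted, preserving_calls):
                    for t in a.targets:
                        if isinstance(t, ast.Name) and t.id not in tainted:
                            tainted.add(t.id)
                            changed = True
        for call in ast.walk(func):
            if callee_name(call) in SINK_CALLS:
                for arg in call.args:
                    if expr_is_tainted(arg, tainted, preserving_calls):
                        findings.append((func.name, callee_name(call), ast.unparse(arg)))
    return sorted(findings)


if __name__ == "__main__":
    print("defaults ignored:   ", find_flows(SAMPLE, track_defaults=False))
    print("defaults tracked:   ", find_flows(SAMPLE))
    print("plus extra step:    ", find_flows(SAMPLE, preserving_calls={"generate_thumbnail_url"}))
```

With `track_defaults=False` nothing is reported, which is the behaviour the thread observes. Tracking defaults alone catches the `thumbnail_url = url` alias but still loses the flow through `generate_thumbnail_url`; listing that function as taint-preserving (the analogue of an additional flow step) is what makes the original `backend` shape show up.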
I'm trying to catch CVE-2019-19775 with CodeQL. The flow is from the `REQ` function called to create the default argument value, to the redirect function call:

This is the code I've been using (yes I know I'm reinventing the wheel, but I wanted to make the example self-contained and do some sanity checking):

I can't seem to catch the flow when running on the Zulip database from lgtm.com. As best I can tell, I think taint flow through the defaulted parameter might not be being tracked properly. If I run the above code, but swap `generate_thumbnail_url` for `REQ`, it works and I am able to catch the flow from `generate_thumbnail_url` -> `redirect`.