Merge pull request #9200 from tausbn/python-modernise-weak-file-permissions-query

yoff · web-flow · commit f14a90ff096c · 2022-06-15T14:37:17.000+02:00
Python: Modernise weak file permissions query
diff --git a/python/ql/src/Security/CWE-732/WeakFilePermissions.ql b/python/ql/src/Security/CWE-732/WeakFilePermissions.ql
@@ -12,6 +12,7 @@
  */
 
 import python
+import semmle.python.ApiGraphs
 
 bindingset[p]
 int world_permission(int p) { result = p % 8 }
@@ -33,20 +34,20 @@ string permissive_permission(int p) {
   world_permission(p) = 0 and result = "group " + access(group_permission(p))
 }
 
-predicate chmod_call(CallNode call, FunctionValue chmod, NumericValue num) {
-  Value::named("os.chmod") = chmod and
-  chmod.getACall() = call and
-  call.getArg(1).pointsTo(num)
+predicate chmod_call(API::CallNode call, string name, int mode) {
+  call = API::moduleImport("os").getMember("chmod").getACall() and
+  mode = call.getParameter(1, "mode").getAValueReachingRhs().asExpr().(IntegerLiteral).getValue() and
+  name = "chmod"
 }
 
-predicate open_call(CallNode call, FunctionValue open, NumericValue num) {
-  Value::named("os.open") = open and
-  open.getACall() = call and
-  call.getArg(2).pointsTo(num)
+predicate open_call(API::CallNode call, string name, int mode) {
+  call = API::moduleImport("os").getMember("open").getACall() and
+  mode = call.getParameter(2, "mode").getAValueReachingRhs().asExpr().(IntegerLiteral).getValue() and
+  name = "open"
 }
 
-from CallNode call, FunctionValue func, NumericValue num, string permission
+from API::CallNode call, string name, int mode, string permission
 where
-  (chmod_call(call, func, num) or open_call(call, func, num)) and
-  permission = permissive_permission(num.getIntValue())
-select call, "Overly permissive mask in " + func.getName() + " sets file to " + permission + "."
+  (chmod_call(call, name, mode) or open_call(call, name, mode)) and
+  permission = permissive_permission(mode)
+select call, "Overly permissive mask in " + name + " sets file to " + permission + "."
diff --git a/python/ql/test/query-tests/Security/CWE-732-WeakFilePermissions/WeakFilePermissions.expected b/python/ql/test/query-tests/Security/CWE-732-WeakFilePermissions/WeakFilePermissions.expected
@@ -2,6 +2,5 @@
 | test.py:8:1:8:20 | ControlFlowNode for Attribute() | Overly permissive mask in chmod sets file to world writable. |
 | test.py:9:1:9:21 | ControlFlowNode for Attribute() | Overly permissive mask in chmod sets file to world writable. |
 | test.py:11:1:11:21 | ControlFlowNode for Attribute() | Overly permissive mask in chmod sets file to group readable. |
-| test.py:13:1:13:28 | ControlFlowNode for Attribute() | Overly permissive mask in chmod sets file to group writable. |
 | test.py:14:1:14:19 | ControlFlowNode for Attribute() | Overly permissive mask in chmod sets file to group writable. |
 | test.py:16:1:16:25 | ControlFlowNode for Attribute() | Overly permissive mask in open sets file to world readable. |
diff --git a/python/ql/test/query-tests/Security/CWE-732-WeakFilePermissions/options b/python/ql/test/query-tests/Security/CWE-732-WeakFilePermissions/options
@@ -1 +1 @@
-semmle-extractor-options: --max-import-depth=2 -p ../lib
+semmle-extractor-options: --max-import-depth=2 -p ../lib --lang=3

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-semmle-extractor-options: --max-import-depth=2 -p ../lib`
	`1`	`+semmle-extractor-options: --max-import-depth=2 -p ../lib --lang=3`