Skip to content

Commit e02e4e8

Browse files
yoffyoff
committed
python: add modelling for urlib.parse
- `quote` together with `re.compile` recover regex injection alerts on haiwen/seahub - `quote_plus` recovers the URL redirection alert on DemocracyClub/EveryElection - `unquote` recovers path injection alerts on `cloudera/hue` - it was tedious finding justifications for the rest..
1 parent de29c90 commit e02e4e8

File tree

1 file changed

+20
-2
lines changed

1 file changed

+20
-2
lines changed

python/ql/lib/ext/StdLib.model.yml

+20-2
Original file line numberDiff line numberDiff line change
@@ -12,8 +12,26 @@ extensions:
1212
- addsTo:
1313
pack: codeql/python-all
1414
extensible: summaryModel
15-
data: []
16-
15+
data:
16+
# See https://docs.python.org/3/library/urllib.parse.html#urllib.parse.quote
17+
- ["urllib", "Member[parse].Member[quote]", "Argument[0,string:]", "ReturnValue", "taint"]
18+
# See https://docs.python.org/3/library/urllib.parse.html#urllib.parse.quote_plus
19+
- ["urllib", "Member[parse].Member[quote_plus]", "Argument[0,string:]", "ReturnValue", "taint"]
20+
# See https://epydoc.sourceforge.net/stdlib/urllib-module.html
21+
- ["urllib", "Member[parse].Member[splitquery]", "Argument[0,url:]", "ReturnValue.TupleElement[0]", "taint"]
22+
- ["urllib", "Member[parse].Member[splitquery]", "Argument[0,url:]", "ReturnValue.TupleElement[1]", "taint"]
23+
# See https://docs.python.org/3/library/urllib.parse.html#urllib.parse.unquote
24+
- ["urllib", "Member[parse].Member[unquote]", "Argument[0,string:]", "ReturnValue", "taint"]
25+
# See https://docs.python.org/3/library/urllib.parse.html#urllib.parse.unquote_plus
26+
- ["urllib", "Member[parse].Member[unquote_plus]", "Argument[0,string:]", "ReturnValue", "taint"]
27+
# We could consider a more precise source than the first argument, namely tuple or dict content.
28+
# See https://docs.python.org/3/library/urllib.parse.html#urllib.parse.urlencode
29+
- ["urllib", "Member[parse].Member[urlencode]", "Argument[0,query:]", "ReturnValue", "taint"]
30+
# See https://docs.python.org/3/library/urllib.parse.html#urllib.parse.urljoin
31+
- ["urllib", "Member[parse].Member[urljoin]", "Argument[0,base:]", "ReturnValue", "taint"]
32+
- ["urllib", "Member[parse].Member[urljoin]", "Argument[1,url:]", "ReturnValue", "taint"]
33+
# See https://docs.python.org/3/library/re.html#re.compile
34+
- ["re", "Member[compile]", "Argument[0,pattern:]", "ReturnValue", "taint"]
1735
- addsTo:
1836
pack: codeql/python-all
1937
extensible: neutralModel

0 commit comments

Comments
 (0)