
General issue: Missing vulnerability reports due to incomplete self variable reference relationships in Python classes #18374

Open
Firebasky opened this issue Dec 27, 2024 · 4 comments
Labels
Python question Further information is requested

Comments

@Firebasky

code:

```python
import os
from flask import Flask, request

app = Flask(__name__)


class CCC:
    def update(self, **kwargs):
        # Sink: kwargs["mode"] reaches os.system unchanged
        os.system(kwargs["mode"])


class test:
    def __init__(self):
        # Store step: the CCC instance is kept on the self.A attribute
        self.A = CCC()

    @app.route('/execute')
    def execute_command(self):
        # Source: user-controlled query parameter
        cmd = request.args.get('cmd')
        # Load step: self.A is read back and the tainted value is passed as "mode"
        self.A.update(mode=cmd, file="a")
        return "Command executed"
```

ql:

```ql
/**
 * @name Uncontrolled command line
 * @description Using externally controlled strings in a command line may allow a malicious
 *              user to change the meaning of the command.
 * @kind path-problem
 * @problem.severity error
 * @security-severity 9.8
 * @sub-severity high
 * @precision high
 * @id py/command-line-injection
 * @tags correctness
 *       security
 *       external/cwe/cwe-078
 *       external/cwe/cwe-088
 */

import python
import semmle.python.security.dataflow.CommandInjectionQuery
import CommandInjectionFlow::PathGraph

from CommandInjectionFlow::PathNode source, CommandInjectionFlow::PathNode sink
where CommandInjectionFlow::flowPath(source, sink)
select sink.getNode(), source, sink, "This command line depends on a $@.", source.getNode(),
  "user-provided value"
```

This QL file cannot find the bug!!!!???
Why???
I hope you can help me, thank you.

@Firebasky Firebasky added the question Further information is requested label Dec 27, 2024
@jketema
Contributor

jketema commented Dec 27, 2024

Hi @Firebasky,

Thanks for your report. I've let the CodeQL Python engineering team know about this false negative. They'll likely get back to you early January.

@Firebasky
Author

> Hi @Firebasky,
>
> Thanks for your report. I've let the CodeQL Python engineering team know about this false negative. They'll likely get back to you early January.

ok, thanks. I hope you can reply to me quickly.

@RasmusWL RasmusWL added the Python label Jan 6, 2025
@RasmusWL
Member

RasmusWL commented Jan 6, 2025

Thanks for the report, I think this would be solved by #16670, which I need to update and get merged.

I don't have any recommendations for something you can do from your side though.

@Firebasky
Author

> Thanks for the report, I think this would be solved by #16670, which I need to update and get merged.
>
> I don't have any recommendations for something you can do from your side though.

Thank you for your reply. I reviewed the file content in this link: https://github.com/github/codeql/pull/16670/files#/diff-b8840832da5793d1616e86610ed5f1067ce809e1125e0ed1979390ab2bc15dcf. I noticed that loadStoreStep is not called. Is this normal?
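To make concrete what the missing step in this thread is (the value stored on `self.A` in `__init__` and loaded back in `execute_command`, which the original report shows and the later comments attribute to a missing load/store step), here is a toy field-sensitive taint tracker written for this issue. It is an added example, not CodeQL's implementation and not code from the reporter: it walks the Python AST, records `self.<attr> = SomeClass()` stores, resolves `self.<attr>.method(...)` calls through that store, and checks whether a value from `request.args.get` reaches a keyword that the callee forwards into `os.system(kwargs[...])`. The source and sink spellings, the straight-line assumption inside a method, and the sample program (a constructed copy of the reported case) are all assumptions for the demo.

```python
"""Toy taint tracker following a value through a self-attribute store/load.
Added example (not CodeQL code). Assumes Python 3.9+ AST shapes."""
import ast

# Constructed sample: the same shape as the reported false-negative case.
SAMPLE = '''
import os
from flask import Flask, request

app = Flask(__name__)

class CCC:
    def update(self, **kwargs):
        os.system(kwargs["mode"])

class test:
    def __init__(self):
        self.A = CCC()

    @app.route('/execute')
    def execute_command(self):
        cmd = request.args.get('cmd')
        self.A.update(mode=cmd, file="a")
        return "Command executed"
'''

SOURCE_CALL = "request.args.get"   # assumed source spelling
SINK_CALL = "os.system"            # assumed sink spelling


def _dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def classes(tree):
    return {c.name: c for c in tree.body if isinstance(c, ast.ClassDef)}


def methods(cls):
    return {f.name: f for f in cls.body if isinstance(f, ast.FunctionDef)}


def self_stores(cls):
    """Store step: attr -> class name for `self.attr = SomeClass()` in __init__."""
    out = {}
    init = methods(cls).get("__init__")
    for node in ast.walk(init) if init else []:
        if isinstance(node, ast.Assign) and len(node.targets) == 1 \
                and isinstance(node.value, ast.Call):
            target, callee = _dotted(node.targets[0]), _dotted(node.value.func)
            if target and target.startswith("self.") and callee:
                out[target[len("self."):]] = callee
    return out


def sink_kwargs(func):
    """Sink step: keyword names that `func` forwards as kwargs[...] into os.system."""
    names = set()
    for node in ast.walk(func):
        if isinstance(node, ast.Call) and _dotted(node.func) == SINK_CALL:
            for arg in node.args:
                if isinstance(arg, ast.Subscript) and _dotted(arg.value) == "kwargs" \
                        and isinstance(arg.slice, ast.Constant):
                    names.add(arg.slice.value)
    return names


def find_flows(source_code):
    """Return (caller, keyword, callee) triples where a source reaches the sink."""
    tree = ast.parse(source_code)
    by_name = classes(tree)
    flows = []
    for cls in by_name.values():
        stores = self_stores(cls)
        for meth in methods(cls).values():
            tainted = set()
            for stmt in meth.body:  # straight-line: assignment, then the call
                if isinstance(stmt, ast.Assign) and isinstance(stmt.value, ast.Call) \
                        and _dotted(stmt.value.func) == SOURCE_CALL:
                    tainted |= {_dotted(t) for t in stmt.targets}
                for node in ast.walk(stmt):
                    if not isinstance(node, ast.Call):
                        continue
                    parts = (_dotted(node.func) or "").split(".")  # self.A.update
                    if len(parts) != 3 or parts[0] != "self" or parts[1] not in stores:
                        continue
                    target_cls = by_name.get(stores[parts[1]])   # load step
                    target = methods(target_cls).get(parts[2]) if target_cls else None
                    if target is None:
                        continue
                    sinks = sink_kwargs(target)
                    for kw in node.keywords:
                        if kw.arg in sinks and _dotted(kw.value) in tainted:
                            flows.append((f"{cls.name}.{meth.name}", kw.arg,
                                          f"{stores[parts[1]]}.{parts[2]}"))
    return flows


if __name__ == "__main__":
    for caller, keyword, callee in find_flows(SAMPLE):
        print(f"{caller} passes tainted '{keyword}=' into {callee} -> os.system")
```

Running it reports one flow, `test.execute_command` passing `mode=` into `CCC.update`, which is exactly the path the query in the report does not surface; changing the call to `mode='ls'` yields no flow. The interesting part for the discussion is the `stores` lookup in `find_flows`: without it, `self.A.update` cannot be resolved to `CCC.update` and the sink is never reached, which is the shape of the false negative described above.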
