Merge pull request #147 from bcaller/bc-arguments

Certain args, kwargs of sink functions are affected by taint

Author: KevinHock

examples/vulnerable_code/sql/sqli.py

@@ -38,5 +38,13 @@ def filtering():
         print(value.username, value.email)
     return 'Result is displayed in console.'
 
+@app.route('/users/<name>', methods=['DELETE'])
+def delete_user_dangerously(name):
+    query = "DELETE FROM user WHERE username = :name"
+    db.engine.execute(query, name=name)
+    print('Deleted')
+    return 'Deleted'
+
+
 if __name__ == '__main__':
     app.run(debug=True)

pyt/cfg/stmt_visitor.py

@@ -573,6 +573,7 @@ def add_blackbox_or_builtin_call(self, node, blackbox):
         call_node = BBorBInode(
             label='',
             left_hand_side=LHS,
+            ast_node=node,
             right_hand_side_variables=[],
             line_number=node.lineno,
             path=self.filenames[-1],

pyt/core/node_types.py

@@ -202,7 +202,7 @@ def __init__(self, label, left_hand_side, right_hand_side_variables, *, line_num
 class BBorBInode(AssignmentNode):
     """Node used for handling restore nodes returning from blackbox or builtin function calls."""
 
-    def __init__(self, label, left_hand_side, right_hand_side_variables, *, line_number, path, func_name):
+    def __init__(self, label, left_hand_side, ast_node, right_hand_side_variables, *, line_number, path, func_name):
         """Create a Restore node.
 
         Args:
@@ -213,7 +213,7 @@ def __init__(self, label, left_hand_side, right_hand_side_variables, *, line_num
             path(string): Current filename.
             func_name(string): The string we will compare with the blackbox_mapping in vulnerabilities.py
         """
-        super().__init__(label, left_hand_side, None, right_hand_side_variables, line_number=line_number, path=path)
+        super().__init__(label, left_hand_side, ast_node, right_hand_side_variables, line_number=line_number, path=path)
         self.args = list()
         self.inner_most_call = self
         self.func_name = func_name

pyt/helper_visitors/__init__.py

@@ -1,9 +1,11 @@
+from .call_visitor import CallVisitor
 from .label_visitor import LabelVisitor
 from .right_hand_side_visitor import RHSVisitor
 from .vars_visitor import VarsVisitor
 
 
 __all__ = [
+    'CallVisitor',
     'LabelVisitor',
     'RHSVisitor',
     'VarsVisitor'

pyt/helper_visitors/call_visitor.py

@@ -0,0 +1,71 @@
+import ast
+import re
+from collections import defaultdict, namedtuple
+from itertools import count
+
+from ..core.ast_helper import get_call_names_as_string
+from .right_hand_side_visitor import RHSVisitor
+
+
+class CallVisitorResults(
+    namedtuple(
+        "CallVisitorResults",
+        ("args", "kwargs", "unknown_args", "unknown_kwargs")
+    )
+):
+    __slots__ = ()
+
+    def all_results(self):
+        for x in self.args:
+            yield from x
+        for x in self.kwargs.values():
+            yield from x
+        yield from self.unknown_args
+        yield from self.unknown_kwargs
+
+
+class CallVisitor(ast.NodeVisitor):
+    def __init__(self, trigger_str):
+        self.unknown_arg_visitor = RHSVisitor()
+        self.unknown_kwarg_visitor = RHSVisitor()
+        self.argument_visitors = defaultdict(lambda: RHSVisitor())
+        self._trigger_str = trigger_str
+
+    def visit_Call(self, call_node):
+        func_name = get_call_names_as_string(call_node.func)
+        trigger_re = r"(^|\.){}$".format(re.escape(self._trigger_str))
+        if re.search(trigger_re, func_name):
+            seen_starred = False
+            for index, arg in enumerate(call_node.args):
+                if isinstance(arg, ast.Starred):
+                    seen_starred = True
+                if seen_starred:
+                    self.unknown_arg_visitor.visit(arg)
+                else:
+                    self.argument_visitors[index].visit(arg)
+
+            for keyword in call_node.keywords:
+                if keyword.arg is None:
+                    self.unknown_kwarg_visitor.visit(keyword.value)
+                else:
+                    self.argument_visitors[keyword.arg].visit(keyword.value)
+        self.generic_visit(call_node)
+
+    @classmethod
+    def get_call_visit_results(cls, trigger_str, node):
+        visitor = cls(trigger_str)
+        visitor.visit(node)
+
+        arg_results = []
+        for i in count():
+            try:
+                arg_results.append(set(visitor.argument_visitors.pop(i).result))
+            except KeyError:
+                break
+
+        return CallVisitorResults(
+            arg_results,
+            {k: set(v.result) for k, v in visitor.argument_visitors.items()},
+            set(visitor.unknown_arg_visitor.result),
+            set(visitor.unknown_kwarg_visitor.result),
+        )

pyt/helper_visitors/right_hand_side_visitor.py

@@ -21,3 +21,9 @@ def visit_Call(self, node):
         if node.keywords:
             for keyword in node.keywords:
                 self.visit(keyword)
+
+    @classmethod
+    def result_for_node(cls, node):
+        visitor = cls()
+        visitor.visit(node)
+        return visitor.result

pyt/vulnerabilities/trigger_definitions_parser.py

@@ -1,10 +1,7 @@
+import json
 from collections import namedtuple
 
 
-SANITISER_SEPARATOR = '->'
-SOURCES_KEYWORD = 'sources:'
-SINKS_KEYWORD = 'sinks:'
-
 Definitions = namedtuple(
     'Definitions',
     (
@@ -13,30 +10,55 @@
     )
 )
 
+Source = namedtuple('Source', ('trigger_word'))
 
-def parse_section(iterator):
-    """Parse a section of a file. Stops at empty line.
 
-    Args:
-        iterator(File): file descriptor pointing at a definition file.
+class Sink:
+    def __init__(
+        self, trigger, *,
+        unlisted_args_propagate=True, unlisted_kwargs_propagate=True,
+        arg_list=None, kwarg_list=None,
+        sanitisers=None
+    ):
+        self._trigger = trigger
+        self.sanitisers = sanitisers or []
+        self.arg_list_propagates = not unlisted_args_propagate
+        self.kwarg_list_propagates = not unlisted_kwargs_propagate
 
-    Returns:
-         Iterator of all definitions in the section.
-    """
-    try:
-        line = next(iterator).rstrip()
-        while line:
-            if line.rstrip():
-                if SANITISER_SEPARATOR in line:
-                    line = line.split(SANITISER_SEPARATOR)
-                    sink = line[0].rstrip()
-                    sanitisers = list(map(str.strip, line[1].split(',')))
-                    yield (sink, sanitisers)
-                else:
-                    yield (line, list())
-            line = next(iterator).rstrip()
-    except StopIteration:
-        return
+        if trigger[-1] != '(':
+            if self.arg_list_propagates or self.kwarg_list_propagates or arg_list or kwarg_list:
+                raise ValueError("Propagation options specified, but trigger word isn't a function call")
+
+        self.arg_list = set(arg_list or ())
+        self.kwarg_list = set(kwarg_list or ())
+
+    def arg_propagates(self, index):
+        in_list = index in self.arg_list
+        return self.arg_list_propagates == in_list
+
+    def kwarg_propagates(self, keyword):
+        in_list = keyword in self.kwarg_list
+        return self.kwarg_list_propagates == in_list
+
+    @property
+    def all_arguments_propagate_taint(self):
+        if self.arg_list or self.kwarg_list:
+            return False
+        return True
+
+    @property
+    def call(self):
+        if self._trigger[-1] == '(':
+            return self._trigger[:-1]
+        return None
+
+    @property
+    def trigger_word(self):
+        return self._trigger
+
+    @classmethod
+    def from_json(cls, key, data):
+        return cls(trigger=key, **data)
 
 
 def parse(trigger_word_file):
@@ -45,13 +67,11 @@ def parse(trigger_word_file):
     Returns:
        A definitions tuple with sources and sinks.
     """
-    sources = list()
-    sinks = list()
-    with open(trigger_word_file, 'r') as fd:
-        for line in fd:
-            line = line.rstrip()
-            if line == SOURCES_KEYWORD:
-                sources = list(parse_section(fd))
-            elif line == SINKS_KEYWORD:
-                sinks = list(parse_section(fd))
+    with open(trigger_word_file) as fd:
+        triggers_dict = json.load(fd)
+    sources = [Source(s) for s in triggers_dict['sources']]
+    sinks = [
+        Sink.from_json(trigger, data)
+        for trigger, data in triggers_dict['sinks'].items()
+    ]
     return Definitions(sources, sinks)

pyt/vulnerabilities/vulnerabilities.py

@@ -13,10 +13,11 @@
     TaintedNode
 )
 from ..helper_visitors import (
+    CallVisitor,
     RHSVisitor,
     VarsVisitor
 )
-from .trigger_definitions_parser import parse
+from .trigger_definitions_parser import parse, Source
 from .vulnerability_helper import (
     Sanitiser,
     TriggerNode,
@@ -49,8 +50,7 @@ def identify_triggers(
     tainted_nodes = filter_cfg_nodes(cfg, TaintedNode)
     tainted_trigger_nodes = [
         TriggerNode(
-            'Framework function URL parameter',
-            sanitisers=None,
+            Source('Framework function URL parameter'),
             cfg_node=node
         ) for node in tainted_nodes
     ]
@@ -142,7 +142,7 @@ def find_triggers(
 
     Args:
         nodes(list[Node]): the nodes to find triggers in.
-        trigger_word_list(list[string]): list of trigger words to look for.
+        trigger_word_list(list[Union[Sink, Source]]): list of trigger words to look for.
         nosec_lines(set): lines with # nosec whitelisting
 
     Returns:
@@ -157,23 +157,21 @@ def find_triggers(
 
 def label_contains(
     node,
-    trigger_words
+    triggers
 ):
     """Determine if node contains any of the trigger_words provided.
 
     Args:
         node(Node): CFG node to check.
-        trigger_words(list[string]): list of trigger words to look for.
+        trigger_words(list[Union[Sink, Source]]): list of trigger words to look for.
 
     Returns:
         Iterable of TriggerNodes found. Can be multiple because multiple
         trigger_words can be in one node.
     """
-    for trigger_word_tuple in trigger_words:
-        if trigger_word_tuple[0] in node.label:
-            trigger_word = trigger_word_tuple[0]
-            sanitisers = trigger_word_tuple[1]
-            yield TriggerNode(trigger_word, sanitisers, node)
+    for trigger in triggers:
+        if trigger.trigger_word in node.label:
+            yield TriggerNode(trigger, node)
 
 
 def build_sanitiser_node_dict(
@@ -243,6 +241,37 @@ def get_sink_args(cfg_node):
         return vv.result
 
 
+def get_sink_args_which_propagate(sink, ast_node):
+    sink_args_with_positions = CallVisitor.get_call_visit_results(sink.trigger.call, ast_node)
+    sink_args = []
+
+    for i, vars in enumerate(sink_args_with_positions.args):
+        if sink.trigger.arg_propagates(i):
+            sink_args.extend(vars)
+
+    if (
+        # Either any unspecified arg propagates
+        not sink.trigger.arg_list_propagates or
+        # or there are some propagating args which weren't passed positionally
+        any(1 for position in sink.trigger.arg_list if position >= len(sink_args_with_positions.args))
+    ):
+        sink_args.extend(sink_args_with_positions.unknown_args)
+
+    for keyword, vars in sink_args_with_positions.kwargs.items():
+        if sink.trigger.kwarg_propagates(keyword):
+            sink_args.extend(vars)
+
+    if (
+        # Either any unspecified kwarg propagates
+        not sink.trigger.kwarg_list_propagates or
+        # or there are some propagating kwargs which have not been passed by keyword
+        sink.trigger.kwarg_list - set(sink_args_with_positions.kwargs.keys())
+    ):
+        sink_args.extend(sink_args_with_positions.unknown_kwargs)
+
+    return sink_args
+
+
 def get_vulnerability_chains(
     current_node,
     sink,
@@ -377,10 +406,14 @@ def get_vulnerability(
                                                    sink.cfg_node)]
     nodes_in_constaint.append(source.cfg_node)
 
-    sink_args = get_sink_args(sink.cfg_node)
+    if sink.trigger.all_arguments_propagate_taint:
+        sink_args = get_sink_args(sink.cfg_node)
+    else:
+        sink_args = get_sink_args_which_propagate(sink, sink.cfg_node.ast_node)
+
     tainted_node_in_sink_arg = get_tainted_node_in_sink_args(
         sink_args,
-        nodes_in_constaint
+        nodes_in_constaint,
     )
 
     if tainted_node_in_sink_arg:

pyt/vulnerabilities/vulnerability_helper.py

@@ -164,16 +164,22 @@ def __str__(self):
 class TriggerNode():
     def __init__(
         self,
-        trigger_word,
-        sanitisers,
+        trigger,
         cfg_node,
         secondary_nodes=[]
     ):
-        self.trigger_word = trigger_word
-        self.sanitisers = sanitisers
+        self.trigger = trigger
         self.cfg_node = cfg_node
         self.secondary_nodes = secondary_nodes
 
+    @property
+    def trigger_word(self):
+        return self.trigger.trigger_word
+
+    @property
+    def sanitisers(self):
+        return self.trigger.sanitisers if hasattr(self.trigger, 'sanitisers') else []
+
     def append(self, cfg_node):
         if not cfg_node == self.cfg_node:
             if self.secondary_nodes and cfg_node not in self.secondary_nodes: