Python: XML RPC Dotted Names #3910
Open
dilanbhalla wants to merge 2 commits into
Conversation
yoff (Contributor) requested changes on Feb 22, 2024 and left a comment:
This seems to not have been touched in a long time. By the referenced documentation, this might still be relevant, though. I guess this query is mostly to guard against users who did not read the very explicit warning in the documentation, but I can see how that can easily happen when copying examples or working with existing code, so this is probably a fine query at least for experimental. If we want it, it should be updated to modern standards; I made a suggestion to that effect.
Comment on lines +11 to +24
| import python | ||
|
|
||
| from CallNode call, ControlFlowNode allow_dotted_names, Attribute a | ||
| where | ||
| a.getLocation().getStartLine() = call.getLocation().getStartLine() and | ||
| a.getName() = "register_instance" and | ||
| not call.getLocation().getFile().inStdlib() and | ||
| ( | ||
| allow_dotted_names = call.getArgByName("allow_dotted_names") or | ||
| allow_dotted_names = call.getArg(1) | ||
| ) and | ||
| allow_dotted_names.getNode().toString() = "True" | ||
| select a, | ||
| "Enabling the allow_dotted_names option allows intruders to access your module’s global variables and may allow intruders to execute arbitrary code on your machine." |
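Review bot: the `Attribute` and the `CallNode` are paired only by line number (`a.getLocation().getStartLine() = call.getLocation().getStartLine()`), so this is a heuristic: any call on the same line as an attribute named `register_instance` is accepted as the call whose argument is inspected, and the wrong call's `getArg(1)` can be read. Bind `a` to the callee instead, e.g. `call.getFunction().getNode() = a`. Separately, `allow_dotted_names.getNode().toString() = "True"` only matches the literal `True` at the call site, not a variable that holds `True`, so those cases are silently missed.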
Contributor
A modern way to write this would be
Suggested change
| import python | |
| from CallNode call, ControlFlowNode allow_dotted_names, Attribute a | |
| where | |
| a.getLocation().getStartLine() = call.getLocation().getStartLine() and | |
| a.getName() = "register_instance" and | |
| not call.getLocation().getFile().inStdlib() and | |
| ( | |
| allow_dotted_names = call.getArgByName("allow_dotted_names") or | |
| allow_dotted_names = call.getArg(1) | |
| ) and | |
| allow_dotted_names.getNode().toString() = "True" | |
| select a, | |
| "Enabling the allow_dotted_names option allows intruders to access your module’s global variables and may allow intruders to execute arbitrary code on your machine." | |
| import python | |
| import semmle.python.ApiGraphs | |
| from API::CallNode call, DataFlow::Node allow_dotted_names | |
| where | |
| call = | |
| API::moduleImport("xmlrpc") | |
| .getMember("server") | |
| .getMember("SimpleXMLRPCServer") | |
| .getReturn() | |
| .getMember("register_instance") | |
| .getACall() and | |
| allow_dotted_names = call.getParameter(1, "allow_dotted_names").getAValueReachingSink() and | |
| allow_dotted_names.asExpr() instanceof True | |
| select allow_dotted_names, | |
| "Enabling the allow_dotted_names option allows intruders to access your module’s global variables and may allow intruders to execute arbitrary code on your machine." | |
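Review bot: the path `API::moduleImport("xmlrpc").getMember("server").getMember("SimpleXMLRPCServer").getReturn()` only reaches `register_instance` calls made on the direct result of `xmlrpc.server.SimpleXMLRPCServer(...)`; an instance of a user-defined subclass, or of another class in that module that also provides `register_instance`, is not matched. Consider inserting `.getASubclass*()` before `.getReturn()` and covering the sibling classes, so that servers built through a subclass are reported as well.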
This query warns against enabling the allow_dotted_names option when registering an instance of SimpleXMLRPCServer, as this allows intruders to access your module’s global variables and may allow them to execute arbitrary code on your machine. This should only be used within a secure, closed network.
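The pattern the query reports, placed beside the default it should be left at, as an added runnable example (constructed for this page, not code from the pull request or from CodeQL; the Calculator, Helper and dump_config names and the placeholder secret are made up). It drives xmlrpc.server.SimpleXMLRPCDispatcher directly, so no socket is opened:

```python
from xmlrpc.server import SimpleXMLRPCDispatcher


class Helper:
    """Internal collaborator that is not meant to be reachable over RPC."""

    def dump_config(self):
        return "db_password=hunter2"  # constructed placeholder, not a real secret


class Calculator:
    """Service object: only add() is intended as a remote entry point."""

    def __init__(self):
        self.helper = Helper()  # public attribute, so a dotted name can reach it

    def add(self, a, b):
        return a + b


def call(dispatcher, method, params=()):
    """Feed a method name to the dispatcher the way an incoming request would.

    Returns the call result, or "rejected" when dispatch refuses the name."""
    try:
        return dispatcher._dispatch(method, params)
    except Exception:
        return "rejected"


def build_flagged():
    """The pattern the query reports: allow_dotted_names=True exposes every
    public attribute chain of the instance, not just its own methods."""
    d = SimpleXMLRPCDispatcher()
    d.register_instance(Calculator(), allow_dotted_names=True)
    return d


def build_hardened():
    """Same instance registered with the default (allow_dotted_names=False):
    only direct attributes of the instance resolve; dotted names are refused."""
    d = SimpleXMLRPCDispatcher()
    d.register_instance(Calculator())
    return d


if __name__ == "__main__":
    for name, d in ("flagged", build_flagged()), ("hardened", build_hardened()):
        print(name, call(d, "add", (2, 3)), call(d, "helper.dump_config"))
```

With the flagged dispatcher the request name "helper.dump_config" walks through the public helper attribute and returns the placeholder secret; the hardened dispatcher still serves "add" but answers "rejected" for the dotted name.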