Skip to content

python: Straight port of tarslip#9551

Merged
codeql-ci merged 13 commits intogithub:mainfrom
yoff:python/port-tarslip
Jul 1, 2022
Merged

python: Straight port of tarslip#9551
codeql-ci merged 13 commits intogithub:mainfrom
yoff:python/port-tarslip

Conversation

@yoff
Copy link
Contributor

@yoff yoff commented Jun 14, 2022

A straight port, which does not manually handle nested not (since I think that is not the job of a query).
I want to change the heuristic that any function with a name that contains path is a sanitizer..

Flow states were not necessary.

I wonder if I should make it similar to the path injection query instead of how it is now. It depends on which sanitizers we would like to support.

Also, remove the `toLowerCase` again,
as I do not know what effect it will have.
@yoff yoff marked this pull request as ready for review June 15, 2022 12:21
@yoff yoff requested a review from a team as a code owner June 15, 2022 12:21
@yoff yoff added the no-change-note-required This PR does not need a change note label Jun 15, 2022
Copy link
Member

@RasmusWL RasmusWL left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A few minor things, otherwise looks fine 👍

attr.getName() = "name" and
attr.getObject() = tarInfo
|
// Assume that any test with "path" in it is a sanitizer
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
// Assume that any test with "path" in it is a sanitizer
// Assume that any test ending with "path" in it is a sanitizer

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it would match something like utilities.pathlib.filters.relative().

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nope, try for yourself with

from string s
where
  s in ["ends_with_path", "path_foo"] and
  s.matches("%path")
select s

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, right. My example should have been utilities.path.filters.relative().

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Right, I'm still not 100% happy about the comment. I have two suggestions:

  1. change the comment entirely, so it reads something like // the assumption that any test that matches %path is a sanitizer might be too broad
  2. make the comment more precise

After having written out (1), I'm very much in favor of that version, since I guess that is what highlights the intent behind the initial comment: that the sanitizer might be too broad.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Right, that does seem more helpful.


override predicate checks(ControlFlowNode checked, boolean branch) {
checked = tarInfo and
branch in [true, false]
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the old code only clears taint on the false edge. I don't see any mention of why this was changed, but the fact that our tests results did not change because of this, hints that our tests could have been better 😄

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

True, I never got to write this down. I felt that the heuristic "contains path" did not warrant an assumption about whether the function tested for good or bad paths...

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess that's a fair point... although this doesn't make it a "straight port", I'll allow it 😊

yoff and others added 2 commits June 28, 2022 08:05
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
@yoff yoff requested a review from RasmusWL June 28, 2022 11:35
@yoff
Copy link
Contributor Author

yoff commented Jun 28, 2022

Performance test looks slightly bad. It could be because I changed the guard. I will make it a straight port and run again..

Copy link
Member

@RasmusWL RasmusWL left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Besides a few minor things, looks good 👍

attr.getName() = "name" and
attr.getObject() = tarInfo
|
// Assume that any test with "path" in it is a sanitizer
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Right, I'm still not 100% happy about the comment. I have two suggestions:

  1. change the comment entirely, so it reads something like // the assumption that any test that matches %path is a sanitizer might be too broad
  2. make the comment more precise

After having written out (1), I'm very much in favor of that version, since I guess that is what highlights the intent behind the initial comment: that the sanitizer might be too broad.

yoff and others added 2 commits June 30, 2022 14:53
…tions.qll

Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
@yoff yoff requested a review from RasmusWL June 30, 2022 13:07
Copy link
Member

@RasmusWL RasmusWL left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM (as long as newest performance test ends up looking good)

@yoff
Copy link
Contributor Author

yoff commented Jul 1, 2022

Newest performance test is basically "nothing to report".

@codeql-ci codeql-ci merged commit 5b5a52f into github:main Jul 1, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

no-change-note-required This PR does not need a change note Python

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants