Python: New command execution sinks #15715
base: main
Conversation
The proxy command is not a secondary command execution, so we can add the proxy command to SystemCommandExecution::Range; update QLDocs; add a proper Paramiko test case; fix a typo
…ary command execution, add proper test cases
Hello am0o0 👋 In the meantime, feel free to make changes to the pull request. If you'd like to maximize payout for this and future submissions, here are a few general guidelines that we might take into consideration when reviewing a submission.
Please note that these are guidelines, not rules. Since we have a lot of different types of submissions, the guidelines might vary for each submission. Happy hacking!
… and also we can find much more DataFrame objects
…dd proper test cases
Urgh. Rebasing may have been a mistake (I ended up as a co-author on all commits, which I wasn't expecting). Feel free to force-push your original commits instead, and then merging in
@tausbn Also, please let me know if you would prefer that I move most of the new non-experimental CodeQL library files under the experimental directory.
Feel free to add them now, if you like. 👍
No, I think it's fine the way it is. From what I've seen so far, your modelling is good, and only a few changes here and there should be needed to make it ready to merge. 🙂 One thing I do need to mention is this change: https://github.com/github/codeql/pull/15715/files#diff-950dae083553f4d1115143425b3e4816da96a333a4751463eda140c20156ae5cL97. The predicate in question is used elsewhere, and so its removal is causing the tests to fail (as we can't even compile all the queries). Specifically, it's this file that uses it: https://github.com/github/codeql/blob/main/python/ql/src/meta/ClassHierarchy/Find.ql#L327
@tausbn I fixed the Fabric library issue that you mentioned (I didn't run a full test yet); you can see the changes in this commit: f93d4a0. The only problem is that I wanted to use the

```ql
API::CallNode instanceRunMethods() {
  result = any(Instance is).getReturn().getMember(["run", "sudo", "local"]).getACall()
}
```
@@ -328,7 +328,7 @@ class FabricConnection extends FindSubclassesSpec { | |||
FabricConnection() { this = "fabric.connection.Connection~Subclass" } | |||
|
|||
override API::Node getAlreadyModeledClass() { | |||
result = FabricV2::Fabric::Connection::ConnectionClass::classRef() | |||
result = any(FabricV2::Fabric::Connection::ConnectionClass::Instance i) |
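Review bot: Replacing `classRef()` with `any(FabricV2::Fabric::Connection::ConnectionClass::Instance i)` in `getAlreadyModeledClass` changes what the predicate denotes: a `FindSubclassesSpec` needs a reference to the class itself so that subclasses of the known class can be found, whereas `Instance` denotes instances of that class, which are not the same API nodes. Keep `result = FabricV2::Fabric::Connection::ConnectionClass::classRef()` here, and restore the `classRef()` predicate in `Fabric.qll` instead of removing it, since Find.ql depends on it and the queries do not compile without it.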
This is not right. `classRef` should be a reference to the class, whereas `Instance` is for instances of said class. These are not the same thing, and this is important for this file, as it is explicitly about finding references to (subclasses of) known classes, not instances of those classes. Please just put `classRef()` back in place in `Fabric.qll`.

(Also, don't forget to autoformat your code. This file and `Torch.qll` failed the autoformat check.)
I think my last question is solved in c7adb32.
Thank you for your submission. Before we can merge this, there are a few comments that need to be addressed.
Once you've addressed the requested changes, I'll re-run the tests and also kick off a performance evaluation (which is needed because you've made changes to files outside the `experimental` subdirectory).
Finally, this would probably have been better as two separate PRs, as the command execution sinks are mostly disjoint from your work on secondary command injection.
...rc/experimental/Security/CWE-074/secondaryCommandInjection/SecondaryServerCmdInjection.qhelp
python/ql/src/experimental/semmle/python/security/SecondaryServerCmdInjection.qll
…mandExecution to module like SystemCommandExecution module
What is new?
- JsonPickle library: code execution sinks
- PyTorch library: code execution sinks
- Pexpect library: command execution and secondary server cmd injection
- AsyncSSH library: secondary server cmd injection
- Netmiko library: secondary server cmd injection
- Scrapli library: secondary server cmd injection
- Twisted library: secondary server cmd injection
- ssh2-python library: secondary server cmd injection
- pandas library: DataFrame code execution sinks
What has changed?
Upgraded the paramiko query to a secondary server command execution query, with which attackers can execute commands on servers other than the primary server. It is in the experimental directory.

For the paramiko query, I have added `proxyCommand` as a `SystemCommandExecution` because it executes commands on the primary server.

Upgraded the `Fabric` framework and added `proxy_command` as a `SystemCommandExecution`. I didn't change the sinks of this framework to secondary server command execution because it is not in an experimental library; otherwise the `run` and `sudo` functions are `SecondaryCommandInjection` and the `local` function is `SystemCommandExecution`. I only simplified the framework structure with new higher-level APIs and added new `SystemCommandExecution` sinks.

Also, I tried my best to use inline tests everywhere so you can review this PR more easily. :)
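The distinction this PR draws, in both the commit message about the paramiko proxy command and the description above, is between a command that runs on the host executing the Python program (the `SystemCommandExecution` concept, e.g. `paramiko.ProxyCommand` or Fabric's `local`) and a command that is sent to another host over SSH (the "secondary server" sinks, e.g. `SSHClient.exec_command` or Fabric's `run`/`sudo`). The following added example is not code from the github/codeql repository and does not use the CodeQL library; it is a toy, intraprocedural AST-based classifier that applies that split to a constructed sample program and reports whether each command argument derives from an assumed attacker-controlled source. The sink table, the taint sources, and the sample program are this example's own assumptions; the library call names are the public APIs of paramiko, Fabric and pexpect.

```python
"""Toy sink classifier for the command-execution APIs discussed in this PR.

Added example; not code from github/codeql. The (receiver type, method) ->
sink kind table and the taint-source list are assumptions of this example.
"""
import ast
from dataclasses import dataclass

PRIMARY = "SystemCommandExecution"             # executes on the local host
SECONDARY = "SecondaryServerCommandExecution"  # executes on a remote SSH host

# Assumed mapping of (receiver type, method) -> sink kind.
METHOD_SINKS = {
    ("paramiko.SSHClient", "exec_command"): SECONDARY,
    ("fabric.Connection", "run"): SECONDARY,
    ("fabric.Connection", "sudo"): SECONDARY,
    ("fabric.Connection", "local"): PRIMARY,
}
# Plain function/constructor sinks. paramiko.ProxyCommand spawns the proxy
# as a local subprocess, which is why the PR files it under the primary kind.
FUNC_SINKS = {
    "paramiko.ProxyCommand": PRIMARY,
    "pexpect.spawn": PRIMARY,
    "pexpect.run": PRIMARY,
}
CONSTRUCTORS = {"paramiko.SSHClient", "fabric.Connection"}
TAINT_SOURCES = {"input", "sys.argv", "os.environ"}  # assumed untrusted inputs


@dataclass
class Finding:
    line: int
    kind: str
    call: str
    tainted: bool


def dotted(node):
    """Render a Name/Attribute chain as 'a.b.c'; None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


class SinkFinder(ast.NodeVisitor):
    def __init__(self):
        self.types = {}       # variable name -> constructor it was built from
        self.tainted = set()  # variable names derived from a taint source
        self.findings = []

    def is_tainted(self, expr):
        """True if any sub-expression names a taint source or a tainted var."""
        for sub in ast.walk(expr):
            if isinstance(sub, ast.Name) and sub.id in self.tainted:
                return True
            if dotted(sub) in TAINT_SOURCES:
                return True
        return False

    def visit_Assign(self, node):
        names = [t.id for t in node.targets if isinstance(t, ast.Name)]
        value = node.value
        if isinstance(value, ast.Call) and dotted(value.func) in CONSTRUCTORS:
            for n in names:            # remember which library object this is
                self.types[n] = dotted(value.func)
        elif self.is_tainted(value):   # taint propagates through assignment
            self.tainted.update(names)
        self.generic_visit(node)

    def visit_Call(self, node):
        func = node.func
        name = dotted(func)
        kind = FUNC_SINKS.get(name)
        label = name
        if (kind is None and isinstance(func, ast.Attribute)
                and isinstance(func.value, ast.Name)):
            receiver = self.types.get(func.value.id)
            kind = METHOD_SINKS.get((receiver, func.attr))
            label = f"{receiver}.{func.attr}"
        if kind is not None and node.args:  # first positional arg is the command
            self.findings.append(
                Finding(node.lineno, kind, label, self.is_tainted(node.args[0])))
        self.generic_visit(node)


def find_sinks(source):
    """Return all command-execution sinks found in `source`, in source order."""
    finder = SinkFinder()
    finder.visit(ast.parse(source))
    return finder.findings


# Constructed sample program; not taken from the PR or its tests.
SAMPLE = '''
import sys
import paramiko
import fabric

host = sys.argv[1]                              # attacker-controlled
client = paramiko.SSHClient()
client.exec_command("uname -a")                 # remote, constant command
client.exec_command("ls " + host)               # remote, tainted command
sock = paramiko.ProxyCommand("ssh -W %s:22 jump" % host)  # local subprocess
conn = fabric.Connection(host)
conn.run("id")                                  # remote
conn.sudo("cat /etc/shadow")                    # remote
conn.local("echo " + host)                      # local, tainted
'''

if __name__ == "__main__":
    for f in find_sinks(SAMPLE):
        flag = "TAINTED" if f.tainted else "constant"
        print(f"line {f.line}: {f.call} -> {f.kind} ({flag})")
```

Running the block classifies six calls: the two `exec_command` calls and `run`/`sudo` as secondary server execution, and `ProxyCommand` and `local` as execution on the local host, with the `host`-derived commands flagged as tainted. The receiver-type lookup is deliberately crude (a single assignment, no aliasing or flow through functions); the CodeQL models in the PR resolve the `Instance` API nodes properly, which is exactly the distinction the review comment about `classRef()` versus `Instance` is protecting.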