Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

General issue: Missing vulnerability reports due to incomplete self variable reference relationships in Python classes #18374

Open
Firebasky opened this issue Dec 27, 2024 · 2 comments
Labels
question Further information is requested

Comments

@Firebasky
Copy link

code:

import os
from flask import Flask, request

app = Flask(__name__)


class CCC:
    def update(self, **kwargs):
        os.system(kwargs["mode"])

class test:
    def __init__(self):
        self.A = CCC()

    @app.route('/execute')
    def execute_command(self):
        cmd = request.args.get('cmd')
        self.A.update(mode=cmd, file="a")
        return "Command executed"

ql:

/**
 * @name Uncontrolled command line
 * @description Using externally controlled strings in a command line may allow a malicious
 *              user to change the meaning of the command.
 * @kind path-problem
 * @problem.severity error
 * @security-severity 9.8
 * @sub-severity high
 * @precision high
 * @id py/command-line-injection
 * @tags correctness
 *       security
 *       external/cwe/cwe-078
 *       external/cwe/cwe-088
 */

import python
import semmle.python.security.dataflow.CommandInjectionQuery
import CommandInjectionFlow::PathGraph

from CommandInjectionFlow::PathNode source, CommandInjectionFlow::PathNode sink
where CommandInjectionFlow::flowPath(source, sink)
select sink.getNode(), source, sink, "This command line depends on a $@.", source.getNode(),
  "user-provided value"

this ql file can not find bug!!!!???
why???
I hope you can help me, thank you.

@Firebasky Firebasky added the question Further information is requested label Dec 27, 2024
@jketema
Copy link
Contributor

jketema commented Dec 27, 2024

Hi @Firebasky,

Thanks for your report. I've let CodeQL python engineering team know about this false negative. They'll likely get back to you early January.

@Firebasky
Copy link
Author

Hi @Firebasky,

Thanks for your report. I've let CodeQL python engineering team know about this false negative. They'll likely get back to you early January.

ok,thanks.I hope you can reply to me quickly。

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
question Further information is requested
Projects
None yet
Development

No branches or pull requests

2 participants