-
Notifications
You must be signed in to change notification settings - Fork 2k
Expand file tree
/
Copy pathUntrustedDataToExternalAPI.qhelp
More file actions
70 lines (54 loc) · 3.45 KB
/
UntrustedDataToExternalAPI.qhelp
File metadata and controls
70 lines (54 loc) · 3.45 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>Using unsanitized untrusted data in an external API can cause a variety of security
issues. This query reports external APIs that use untrusted data. The results are not
filtered so that you can audit all examples. The query provides data for security
reviews of the application and you can also use it to identify external APIs that should
be modeled as either taint steps, or sinks for specific problems.</p>
<p>An external API is defined as a call to a method that is not defined in the source
code, and is not modeled as a taint step in the default taint library. External APIs may
be from the Python standard library or dependencies. The query will report the fully
qualified name, along with <code>[position index]</code> or <code>[keyword name]</code>,
to indicate the argument passing the untrusted data.</p>
<p>Note that an excepted sink might not be included in the results, if it also defines a
taint step. This is the case for <code>pickle.loads</code> which is a sink for the
Unsafe Deserialization query, but is also a taint step for other queries.</p>
<p>Note: Compared to the Java version of this query, we currently do not give special
care to methods that are overridden in the source code.</p>
</overview>
<recommendation>
<p>For each result:</p>
<ul>
<li>If the result highlights a known sink, confirm that the result is reported by the relevant query, or
that the result is a false positive because this data is sanitized.</li>
<li>If the result highlights an unknown sink for a problem, then add modeling for the sink to the relevant query,
and confirm that the result is either found, or is safe due to appropriate sanitization.</li>
<li>If the result represents a call to an external API that transfers taint, add the appropriate modeling, and
re-run the query to determine what new results have appeared due to this additional modeling.</li>
</ul>
<p>Otherwise, the result is likely uninteresting. Custom versions of this query can extend the <code>SafeExternalAPI</code>
class and specify <code>getSafeCallable</code> to exclude known safe external APIs from future analysis.</p>
</recommendation>
<example>
<p>In this first example, a request parameter is read from the Flask <code>request</code> and then ultimately used in a call to the
<code>flask.make_response</code> external API:</p>
<sample src="ExternalAPISinkExample.py" />
<p>This is an XSS sink. The XSS query should therefore be reviewed to confirm that this sink is appropriately modeled,
and if it is, to confirm that the query reports this particular result, or that the result is a false positive due to
some existing sanitization.</p>
<p>In this second example, again a request parameter is read from the Flask <code>request</code>.</p>
<sample src="ExternalAPITaintStepExample.py" />
<p>If the query reported the call to <code>base64.decodebytes</code> on line 10, this
would suggest that this external API is not currently modeled as a taint step in the
taint tracking library. The next step would be to model this as a taint step, then
re-run the query to determine what additional results might be found. In this example,
the result of the Base64 decoding is pickled, which can result in remote code execution due
to unsafe deserialization.</p>
<p>Note that both examples are correctly handled by the standard taint tracking library and Unsafe Deserialization query.</p>
</example>
<references>
</references>
</qhelp>