/**
* @name Initializing SECRET_KEY of Flask application with Constant value
 * @description Initializing the SECRET_KEY of a Flask or Django application with a constant
 * value can lead to authentication bypass: a key that is hard-coded in the source is known to
 * anyone who can read the code, who can then forge session cookies and other signed data.
* @kind path-problem
* @id py/flask-constant-secret-key
* @problem.severity error
* @security-severity 8.5
* @precision high
* @tags security
* experimental
* external/cwe/cwe-287
*/
import python
import experimental.semmle.python.Concepts
import semmle.python.dataflow.new.DataFlow
import semmle.python.ApiGraphs
import semmle.python.dataflow.new.TaintTracking
import WebAppConstantSecretKeyDjango
import WebAppConstantSecretKeyFlask
import semmle.python.filters.Tests
/**
 * The web framework whose SECRET_KEY assignment is being tracked.
 *
 * Used as the data-flow state so that a Django source is only ever paired with a
 * Django sink and a Flask source with a Flask sink.
 */
newtype TFrameWork =
  Django() or
  Flask()
/**
 * State-aware configuration describing flow from a constant value to a
 * SECRET_KEY assignment, for both Flask and Django. The framework-specific
 * source and sink definitions live in the imported
 * `FlaskConstantSecretKeyConfig` and `DjangoConstantSecretKeyConfig` modules;
 * this module only dispatches on the flow state and adds the shared barriers.
 */
module WebAppConstantSecretKeyConfig implements DataFlow::StateConfigSig {
  // Which framework's key we are tracking; keeps Flask and Django paths separate.
  class FlowState = TFrameWork;

  /** Holds if `source` is a constant SECRET_KEY value for the framework selected by `state`. */
  predicate isSource(DataFlow::Node source, FlowState state) {
    state instanceof Flask and FlaskConstantSecretKeyConfig::isSource(source)
    or
    state instanceof Django and DjangoConstantSecretKeyConfig::isSource(source)
  }

  /**
   * Holds if flow must not pass through `node`.
   *
   * Two kinds of nodes are cut: anything in the standard library, and anything in
   * a file whose relative path looks like test, demo, example or sample code (a
   * hard-coded key there is normally deliberate, so reporting it is noise).
   *
   * CAVEAT: `matches` treats `%` as a wildcard, so `%test%` is a plain substring
   * check. A production file whose path merely contains the substring -- e.g.
   * `contest/` or `latest/` -- is silently skipped as well. This barrier trades
   * false positives for false negatives; it is not a safe default for a secret
   * audit and should be reviewed against the repository layout being scanned.
   *
   * The query's own test directory is exempted from the path filter so that its
   * expected results keep firing.
   */
  predicate isBarrier(DataFlow::Node node) {
    exists(File f | f = node.getLocation().getFile() |
      f.inStdlib()
      or
      exists(string pattern | pattern = ["%test%", "%demo%", "%example%", "%sample%"] |
        f.getRelativePath().matches(pattern)
      ) and
      not f.getRelativePath().matches("%query-tests/Security/CWE-287%")
    )
  }

  /** Holds if `sink` is a SECRET_KEY assignment for the framework selected by `state`. */
  predicate isSink(DataFlow::Node sink, FlowState state) {
    state instanceof Flask and FlaskConstantSecretKeyConfig::isSink(sink)
    or
    state instanceof Django and DjangoConstantSecretKeyConfig::isSink(sink)
  }
}
// Instantiate the configuration as a global *taint*-tracking module (not plain data flow),
// so a constant that is merely combined into the key -- e.g. concatenated with another
// value -- still reaches the sink. Whether that is desirable for this query is a policy
// choice; NOTE(review): confirm the framework-specific source definitions expect taint steps.
module WebAppConstantSecretKey = TaintTracking::GlobalWithState<WebAppConstantSecretKeyConfig>;
import WebAppConstantSecretKey::PathGraph
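// Standard path-problem result shape: the sink is the alert location, followed by the
// source and sink path nodes, then the message. `$@` is substituted verbatim with the
// link text that follows, so that text must not carry its own leading space -- the
// previous " this constant String" rendered as "assigned by  this constant String".
from WebAppConstantSecretKey::PathNode source, WebAppConstantSecretKey::PathNode sink
where WebAppConstantSecretKey::flowPath(source, sink)
select sink, source, sink, "The SECRET_KEY config variable is assigned by $@.", source,
  "this constant String"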