import python
import experimental.semmle.python.Concepts
import semmle.python.dataflow.new.DataFlow
import semmle.python.ApiGraphs
import semmle.python.dataflow.new.TaintTracking
import WebAppConstantSecretKeySource
/**
 * Taint-tracking configuration for Django applications that configure
 * `SECRET_KEY` (or `SECRET_KEY_FALLBACKS`) from a constant in the code base
 * instead of from the environment or a secret store.
 *
 * Sources are whatever `WebAppConstantSecretKeySource` (a sibling module)
 * classifies as a constant secret; sinks are the three places where Django
 * settings receive a secret-key value (see `isSink`).
 */
module DjangoConstantSecretKeyConfig {
  /** The Django setting names whose values are treated as secret-key sinks. */
  private string secretKeySettingName() { result = ["SECRET_KEY", "SECRET_KEY_FALLBACKS"] }

  /**
   * Holds if `sink` is the right-hand side of a plain assignment whose first
   * target is a bare name `SECRET_KEY` / `SECRET_KEY_FALLBACKS`, i.e. the
   * `settings.py` form `SECRET_KEY = "constant"`.
   *
   * The assignment is not required to live in a Django settings module; any
   * module-level or local assignment with that name qualifies.
   */
  private predicate isSettingsModuleAssignmentSink(DataFlow::Node sink) {
    exists(AssignStmt assign |
      assign.getTarget(0).(Name).getId() = secretKeySettingName() and
      sink.asExpr() = assign.getValue()
    )
  }

  /**
   * Holds if `sink` is the `SECRET_KEY` / `SECRET_KEY_FALLBACKS` keyword
   * argument of `django.conf.settings.configure(...)` or
   * `django.conf.global_settings.configure(...)`.
   */
  private predicate isConfigureKeywordSink(DataFlow::Node sink) {
    exists(API::Node configure |
      configure =
        API::moduleImport("django")
            .getMember("conf")
            .getMember(["global_settings", "settings"])
            .getMember("configure") and
      sink = configure.getKeywordParameter(secretKeySettingName()).asSink()
    )
  }

  /**
   * Holds if `sink` is the value of an attribute write
   * `<receiver>.SECRET_KEY = ...` / `<receiver>.SECRET_KEY_FALLBACKS = ...`.
   *
   * The receiver is deliberately not restricted to `django.conf.settings`, so
   * the same attribute name on any object is matched.
   */
  private predicate isAttributeWriteSink(DataFlow::Node sink) {
    exists(DataFlow::AttrWrite write |
      write.getAttributeName() = secretKeySettingName() and
      sink = write.getValue()
    )
  }

  /**
   * Holds if the file enclosing `node`'s scope is part of the analysed source
   * tree (has a relative path) and is not part of the Python standard library.
   * This keeps findings in vendored or stdlib code out of the results.
   */
  private predicate isInUserCode(DataFlow::Node node) {
    exists(File enclosing | enclosing = node.getScope().getLocation().getFile() |
      exists(enclosing.getRelativePath()) and
      not enclosing.inStdlib()
    )
  }

  /**
   * Holds if `source` is a constant secret-key candidate as defined by
   * `WebAppConstantSecretKeySource` (not visible in this file).
   */
  predicate isSource(DataFlow::Node source) { source instanceof WebAppConstantSecretKeySource }

  /**
   * Holds if `sink` receives a Django secret-key value, in one of these forms:
   * ```python
   * SECRET_KEY = "constant"                 # settings.py assignment
   * settings.configure(SECRET_KEY="constant")
   * settings.SECRET_KEY = "constant"
   * ```
   * The predicate only holds when `django` is imported somewhere in the
   * database, and only for sinks located in user code.
   */
  predicate isSink(DataFlow::Node sink) {
    // Guard: the whole configuration is Django-specific.
    exists(API::moduleImport("django")) and
    (
      isSettingsModuleAssignmentSink(sink)
      or
      isConfigureKeywordSink(sink)
      or
      isAttributeWriteSink(sink)
    ) and
    isInUserCode(sink)
  }
}