Commit 2e91ce7

bcallerBen Caller

authored and

Ben Caller

committed

Chained function calls separated into multiple assignments

Take the example from examples/vulnerable_code/sql/sqli.py: `result = session.query(User).filter("username={}".format(TAINT))` The `filter` function is marked as a sink. However, previously this did not get marked as a vulnerability. The call label used to be `session.query`, ignoring the filter function. Now, when the file is read, it is transformed into 2 lines: ``` __chain_tmp_1 = session.query(User) result = __chain_tmp_1.filter("username={}".format(TAINT)) ``` And the vulnerability is found. We don't find everything here: just ordinary assignments and return statements. We can't just transform all Call nodes here since Call nodes can appear in many different scenarios e.g. comprehensions, bare function calls.

1 parent 11567c4 commit 2e91ce7Copy full SHA for 2e91ce7

File tree

6 files changed

+108

-7

lines changed

pyt/core
- ast_helper.py
- transformer.py
tests
- base_test_case.py
- cfg
  - cfg_test.py
- core
  - transformer_test.py
- vulnerabilities
  - vulnerabilities_test.py

6 files changed

+108

-7

lines changed

`‎pyt/core/ast_helper.py`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -6,7 +6,7 @@`
`6`	`6`	`import subprocess`
`7`	`7`	`from functools import lru_cache`
`8`	`8`
`9`		`-from .transformer import AsyncTransformer`
	`9`	`+from .transformer import PytTransformer`
`10`	`10`
`11`	`11`
`12`	`12`	`BLACK_LISTED_CALL_NAMES = ['self']`
`@@ -35,7 +35,7 @@ def generate_ast(path):`
`35`	`35`	`with open(path, 'r') as f:`
`36`	`36`	`try:`
`37`	`37`	`tree = ast.parse(f.read())`
`38`		`- return AsyncTransformer().visit(tree)`
	`38`	`+ return PytTransformer().visit(tree)`
`39`	`39`	`except SyntaxError: # pragma: no cover`
`40`	`40`	`global recursive`
`41`	`41`	`if not recursive:`

`‎pyt/core/transformer.py`

Lines changed: 51 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`import ast`
`2`	`2`
`3`	`3`
`4`		`-class AsyncTransformer(ast.NodeTransformer):`
	`4`	`+class AsyncTransformer():`
`5`	`5`	`"""Converts all async nodes into their synchronous counterparts."""`
`6`	`6`
`7`	`7`	`def visit_Await(self, node):`
`@@ -16,3 +16,53 @@ def visit_AsyncFor(self, node):`
`16`	`16`
`17`	`17`	`def visit_AsyncWith(self, node):`
`18`	`18`	`return self.visit(ast.With(**node.__dict__))`
	`19`	`+`
	`20`	`+`
	`21`	`+class ChainedFunctionTransformer():`
	`22`	`+ def visit_chain(self, node, depth=1):`
	`23`	`+ if (`
	`24`	`+ isinstance(node.value, ast.Call) and`
	`25`	`+ isinstance(node.value.func, ast.Attribute) and`
	`26`	`+ isinstance(node.value.func.value, ast.Call)`
	`27`	`+ ):`
	`28`	+ # Node is assignment or return with value like `b.c().d()`
	`29`	`+ call_node = node.value`
	`30`	`+ # If we want to handle nested functions in future, depth needs fixing`
	`31`	`+ temp_var_id = '__chain_tmp_{}'.format(depth)`
	`32`	`+ # AST tree is from right to left, so d() is the outer Call and b.c() is the inner Call`
	`33`	`+ unvisited_inner_call = ast.Assign(`
	`34`	`+ targets=[ast.Name(id=temp_var_id, ctx=ast.Store())],`
	`35`	`+ value=call_node.func.value,`
	`36`	`+ )`
	`37`	`+ ast.copy_location(unvisited_inner_call, node)`
	`38`	`+ inner_calls = self.visit_chain(unvisited_inner_call, depth + 1)`
	`39`	`+ for inner_call_node in inner_calls:`
	`40`	`+ ast.copy_location(inner_call_node, node)`
	`41`	`+ outer_call = self.generic_visit(type(node)(`
	`42`	`+ value=ast.Call(`
	`43`	`+ func=ast.Attribute(`
	`44`	`+ value=ast.Name(id=temp_var_id, ctx=ast.Load()),`
	`45`	`+ attr=call_node.func.attr,`
	`46`	`+ ctx=ast.Load(),`
	`47`	`+ ),`
	`48`	`+ args=call_node.args,`
	`49`	`+ keywords=call_node.keywords,`
	`50`	`+ ),`
	`51`	`+ **{field: value for field, value in ast.iter_fields(node) if field != 'value'} # e.g. targets`
	`52`	`+ ))`
	`53`	`+ ast.copy_location(outer_call, node)`
	`54`	`+ ast.copy_location(outer_call.value, node)`
	`55`	`+ ast.copy_location(outer_call.value.func, node)`
	`56`	`+ return [*inner_calls, outer_call]`
	`57`	`+ else:`
	`58`	`+ return [self.generic_visit(node)]`
	`59`	`+`
	`60`	`+ def visit_Assign(self, node):`
	`61`	`+ return self.visit_chain(node)`
	`62`	`+`
	`63`	`+ def visit_Return(self, node):`
	`64`	`+ return self.visit_chain(node)`
	`65`	`+`
	`66`	`+`
	`67`	`+class PytTransformer(AsyncTransformer, ChainedFunctionTransformer, ast.NodeTransformer):`
	`68`	`+ pass`

`‎tests/base_test_case.py`

Lines changed: 2 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -4,6 +4,7 @@`
`4`	`4`	`from pyt.cfg import make_cfg`
`5`	`5`	`from pyt.core.ast_helper import generate_ast`
`6`	`6`	`from pyt.core.module_definitions import project_definitions`
	`7`	`+from pyt.core.transformer import PytTransformer`
`7`	`8`
`8`	`9`
`9`	`10`	`class BaseTestCase(unittest.TestCase):`
`@@ -36,7 +37,7 @@ def cfg_create_from_ast(`
`36`	`37`	`):`
`37`	`38`	`project_definitions.clear()`
`38`	`39`	`self.cfg = make_cfg(`
`39`		`- ast_tree,`
	`40`	`+ PytTransformer().visit(ast_tree),`
`40`	`41`	`project_modules,`
`41`	`42`	`local_modules,`
`42`	`43`	`filename='?'`

`‎tests/cfg/cfg_test.py`

Lines changed: 32 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -1497,3 +1497,35 @@ def test_name_for(self):`
`1497`	`1497`
`1498`	`1498`	`self.assert_length(self.cfg.nodes, expected_length=4)`
`1499`	`1499`	`self.assertEqual(self.cfg.nodes[1].label, 'for x in l:')`
	`1500`	`+`
	`1501`	`+`
	`1502`	`+class CFGFunctionChain(CFGBaseTestCase):`
	`1503`	`+ def test_simple(self):`
	`1504`	`+ self.cfg_create_from_ast(`
	`1505`	`+ ast.parse('a = b.c(z)')`
	`1506`	`+ )`
	`1507`	`+ middle_nodes = self.cfg.nodes[1:-1]`
	`1508`	`+ self.assert_length(middle_nodes, expected_length=2)`
	`1509`	`+ self.assertEqual(middle_nodes[0].label, '~call_1 = ret_b.c(z)')`
	`1510`	`+ self.assertEqual(middle_nodes[0].func_name, 'b.c')`
	`1511`	`+ self.assertCountEqual(middle_nodes[0].right_hand_side_variables, ['z', 'b'])`
	`1512`	`+`
	`1513`	`+ def test_chain(self):`
	`1514`	`+ self.cfg_create_from_ast(`
	`1515`	`+ ast.parse('a = b.xxx.c(z).d(y)')`
	`1516`	`+ )`
	`1517`	`+ middle_nodes = self.cfg.nodes[1:-1]`
	`1518`	`+ self.assert_length(middle_nodes, expected_length=4)`
	`1519`	`+`
	`1520`	`+ self.assertEqual(middle_nodes[0].left_hand_side, '~call_1')`
	`1521`	`+ self.assertCountEqual(middle_nodes[0].right_hand_side_variables, ['b', 'z'])`
	`1522`	`+ self.assertEqual(middle_nodes[0].label, '~call_1 = ret_b.xxx.c(z)')`
	`1523`	`+`
	`1524`	`+ self.assertEqual(middle_nodes[1].left_hand_side, '__chain_tmp_1')`
	`1525`	`+ self.assertCountEqual(middle_nodes[1].right_hand_side_variables, ['~call_1'])`
	`1526`	`+`
	`1527`	`+ self.assertEqual(middle_nodes[2].left_hand_side, '~call_2')`
	`1528`	`+ self.assertCountEqual(middle_nodes[2].right_hand_side_variables, ['__chain_tmp_1', 'y'])`
	`1529`	`+`
	`1530`	`+ self.assertEqual(middle_nodes[3].left_hand_side, 'a')`
	`1531`	`+ self.assertCountEqual(middle_nodes[3].right_hand_side_variables, ['~call_2'])`

`‎tests/core/transformer_test.py`

Lines changed: 20 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -1,13 +1,14 @@`
`1`	`1`	`import ast`
`2`	`2`	`import unittest`
`3`	`3`
`4`		`-from pyt.core.transformer import AsyncTransformer`
	`4`	`+from pyt.core.transformer import PytTransformer`
`5`	`5`
`6`	`6`
`7`	`7`	`class TransformerTest(unittest.TestCase):`
`8`	`8`	`"""Tests for the AsyncTransformer."""`
`9`	`9`
`10`	`10`	`def test_async_removed_by_transformer(self):`
	`11`	`+ self.maxDiff = 99999`
`11`	`12`	`async_tree = ast.parse("\n".join([`
`12`	`13`	`"async def a():",`
`13`	`14`	`" async for b in c():",`
`@@ -30,7 +31,24 @@ def test_async_removed_by_transformer(self):`
`30`	`31`	`]))`
`31`	`32`	`self.assertIsInstance(sync_tree.body[0], ast.FunctionDef)`
`32`	`33`
`33`		`- transformed = AsyncTransformer().visit(async_tree)`
	`34`	`+ transformed = PytTransformer().visit(async_tree)`
`34`	`35`	`self.assertIsInstance(transformed.body[0], ast.FunctionDef)`
`35`	`36`
`36`	`37`	`self.assertEqual(ast.dump(transformed), ast.dump(sync_tree))`
	`38`	`+`
	`39`	`+ def test_chained_function(self):`
	`40`	`+ chained_tree = ast.parse("\n".join([`
	`41`	`+ "def a():",`
	`42`	`+ " b = c.d(e).f(g).h(i).j(k)",`
	`43`	`+ ]))`
	`44`	`+`
	`45`	`+ separated_tree = ast.parse("\n".join([`
	`46`	`+ "def a():",`
	`47`	`+ " __chain_tmp_3 = c.d(e)",`
	`48`	`+ " __chain_tmp_2 = __chain_tmp_3.f(g)",`
	`49`	`+ " __chain_tmp_1 = __chain_tmp_2.h(i)",`
	`50`	`+ " b = __chain_tmp_1.j(k)",`
	`51`	`+ ]))`
	`52`	`+`
	`53`	`+ transformed = PytTransformer().visit(chained_tree)`
	`54`	`+ self.assertEqual(ast.dump(transformed), ast.dump(separated_tree))`

`‎tests/vulnerabilities/vulnerabilities_test.py`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -282,7 +282,7 @@ def test_path_traversal_sanitised_2_result(self):`
`282`	`282`
`283`	`283`	`def test_sql_result(self):`
`284`	`284`	`vulnerabilities = self.run_analysis('examples/vulnerable_code/sql/sqli.py')`
`285`		`- self.assert_length(vulnerabilities, expected_length=2)`
	`285`	`+ self.assert_length(vulnerabilities, expected_length=3)`
`286`	`286`	`vulnerability_description = str(vulnerabilities[0])`
`287`	`287`	`EXPECTED_VULNERABILITY_DESCRIPTION = """`
`288`	`288`	`File: examples/vulnerable_code/sql/sqli.py`

0 commit comments

Comments

(0)

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit 2e91ce7

File tree

6 files changed

6 files changed

`‎pyt/core/ast_helper.py`

`‎pyt/core/transformer.py`

`‎tests/base_test_case.py`

`‎tests/cfg/cfg_test.py`

`‎tests/core/transformer_test.py`

`‎tests/vulnerabilities/vulnerabilities_test.py`

0 commit comments