Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Sign up
Appearance settings

177 support from import sinks #198

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged

Conversation

Copy link
Contributor

@wchresta wchresta commented Mar 23, 2019
edited
Loading

Remember import aliases for built-in and black box functions.

  • This allows sinks to be fully qualified
  • I.e. we can use os.system and it will match even if the import us done using from os import system

This is an incompatible change. The labels for function calls changed (they are now fully qualified, regardless of how the function was imported).

This solves #177

KevinHock and bcaller reacted with thumbs up emoji KevinHock reacted with hooray emoji KevinHock reacted with heart emoji KevinHock reacted with eyes emoji
wchresta added 3 commits March 22, 2019 17:01 
* Allow trigger words to be fully qualified to reduce false positives
* This will give fully qualified names for blackboxes like flask
* Improve readability by using keyword arguments
Copy link
Contributor Author

Please review this change carefully; It changes the contents of import_alias_mapping and I'm not 100% this has no unintended side-effects.

Copy link
Collaborator

@KevinHock KevinHock left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great to me, thank you so much for making this 👍 Very high-quality code

I left a few optional feedback comments, but the functionality looks great

edit: Don't worry about Codeclimate, it complains about everything

wchresta reacted with thumbs up emoji
package_name,
local_names,
import_alias_mapping,
module=(module[0], init_file_location),
Copy link
Collaborator

@KevinHock KevinHock Mar 23, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for doing this 🙏 :) kwargs always improve readability

uninspectable_modules.add(alias.name) # Don't repeatedly warn about this
return IgnoredNode()

def visit_ImportFrom(self, node):
# Is it relative?
if node.level > 0:
return self.handle_relative_import(node)
else:
Copy link
Collaborator

@KevinHock KevinHock Mar 23, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You're definitely improving the readability of this code, thank you :) The less indentation the better

Reassigned in:
File: examples/vulnerable_code/path_traversal_sanitised_2.py
> Line 8: image_name = ~call_1
File: examples/vulnerable_code/path_traversal_sanitised_2.py
> Line 12: ~call_3 = ret_os.path.join(~call_4, image_name)
File: examples/vulnerable_code/path_traversal_sanitised_2.py
> reaches line 12, sink "send_file(":
~call_2 = ret_send_file(~call_3)
Copy link
Collaborator

@KevinHock KevinHock Mar 23, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This makes the output more readable as well, awesome job 🎉

module,
None,
Copy link
Collaborator

@KevinHock KevinHock Mar 23, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The main thing I'm unsure about is, why I was passing None for real_names, but it was probably wrong :)

I do remember I wrote a lot of tests in the import PRs, so I'm somewhat confident this code is well covered. (Granted it was when I was an even worse engineer than I am now 😁 ).

@@ -482,6 +482,21 @@ def test_list_append_taints_list(self):
)
self.assert_length(vulnerabilities, expected_length=1)

def test_import_bb_or_bi_with_alias(self):
Copy link
Collaborator

@KevinHock KevinHock Mar 23, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great test 🎈 🥇

@KevinHock KevinHock merged commit 98a7b6b into python-security:master Mar 23, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@KevinHock KevinHock KevinHock approved these changes

@bcaller bcaller Awaiting requested review from bcaller

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

AltStyle によって変換されたページ (->オリジナル) /