Mercurial Repositories > eric / annotate

eric6/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/injectionWildcard.py@698ae46f40a4 (annotated)

eric6/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/injectionWildcard.py

Sat, 01 May 2021 14:27:20 +0200

author
Detlev Offenbach <detlev@die-offenbachs.de>
date
Sat, 01 May 2021 14:27:20 +0200
branch
maintenance
changeset 8273
698ae46f40a4
parent 8259
2bbec88047dd
permissions
-rw-r--r--

Merged with default branch to prepare release 21.5.

7615
ca2949b1a29a Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff changeset
1 # -*- coding: utf-8 -*-
ca2949b1a29a Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff changeset
2
7923
91e843545d9a Updated copyright for 2021.
Detlev Offenbach <detlev@die-offenbachs.de>
parents: 7615
diff changeset
3 # Copyright (c) 2020 - 2021 Detlev Offenbach <detlev@die-offenbachs.de>
7615
ca2949b1a29a Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff changeset
4 #
ca2949b1a29a Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff changeset
5
ca2949b1a29a Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff changeset
6 """
ca2949b1a29a Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff changeset
7 Module implementing a check for use of wildcard injection.
ca2949b1a29a Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff changeset
8 """
ca2949b1a29a Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff changeset
9
ca2949b1a29a Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff changeset
10 #
ca2949b1a29a Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff changeset
11 # This is a modified version of the one found in the bandit package.
ca2949b1a29a Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff changeset
12 #
ca2949b1a29a Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff changeset
13 # Original Copyright 2014 Hewlett-Packard Development Company, L.P.
ca2949b1a29a Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff changeset
14 #
ca2949b1a29a Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff changeset
15 # SPDX-License-Identifier: Apache-2.0
ca2949b1a29a Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff changeset
16 #
ca2949b1a29a Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff changeset
17
ca2949b1a29a Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff changeset
18 from Security.SecurityDefaults import SecurityDefaults
ca2949b1a29a Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff changeset
19
ca2949b1a29a Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff changeset
20
ca2949b1a29a Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff changeset
21 def getChecks():
ca2949b1a29a Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff changeset
22 """
ca2949b1a29a Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff changeset
23 Public method to get a dictionary with checks handled by this module.
ca2949b1a29a Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff changeset
24
ca2949b1a29a Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff changeset
25 @return dictionary containing checker lists containing checker function and
ca2949b1a29a Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff changeset
26 list of codes
ca2949b1a29a Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff changeset
27 @rtype dict
ca2949b1a29a Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff changeset
28 """
ca2949b1a29a Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff changeset
29 return {
ca2949b1a29a Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff changeset
30 "Call": [
ca2949b1a29a Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff changeset
31 (checkLinuxCommandsWildcardInjection, ("S609",)),
ca2949b1a29a Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff changeset
32 ],
ca2949b1a29a Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff changeset
33 }
ca2949b1a29a Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff changeset
34
ca2949b1a29a Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff changeset
35
ca2949b1a29a Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff changeset
36 def checkLinuxCommandsWildcardInjection(reportError, context, config):
ca2949b1a29a Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff changeset
37 """
ca2949b1a29a Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff changeset
38 Function to check for use of wildcard injection.
ca2949b1a29a Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff changeset
39
ca2949b1a29a Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff changeset
40 @param reportError function to be used to report errors
ca2949b1a29a Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff changeset
41 @type func
ca2949b1a29a Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff changeset
42 @param context security context object
ca2949b1a29a Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff changeset
43 @type SecurityContext
ca2949b1a29a Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff changeset
44 @param config dictionary with configuration data
ca2949b1a29a Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff changeset
45 @type dict
ca2949b1a29a Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff changeset
46 """
8259
2bbec88047dd Applied some more code simplifications suggested by the new Simplify checker (Y108: use ternary operator).
Detlev Offenbach <detlev@die-offenbachs.de>
parents: 8222
diff changeset
47 subProcessFunctionNames = (
2bbec88047dd Applied some more code simplifications suggested by the new Simplify checker (Y108: use ternary operator).
Detlev Offenbach <detlev@die-offenbachs.de>
parents: 8222
diff changeset
48 config["shell_injection_subprocess"]
2bbec88047dd Applied some more code simplifications suggested by the new Simplify checker (Y108: use ternary operator).
Detlev Offenbach <detlev@die-offenbachs.de>
parents: 8222
diff changeset
49 if config and "shell_injection_subprocess" in config else
2bbec88047dd Applied some more code simplifications suggested by the new Simplify checker (Y108: use ternary operator).
Detlev Offenbach <detlev@die-offenbachs.de>
parents: 8222
diff changeset
50 SecurityDefaults["shell_injection_subprocess"]
2bbec88047dd Applied some more code simplifications suggested by the new Simplify checker (Y108: use ternary operator).
Detlev Offenbach <detlev@die-offenbachs.de>
parents: 8222
diff changeset
51 )
7615
ca2949b1a29a Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff changeset
52
8259
2bbec88047dd Applied some more code simplifications suggested by the new Simplify checker (Y108: use ternary operator).
Detlev Offenbach <detlev@die-offenbachs.de>
parents: 8222
diff changeset
53 shellFunctionNames = (
2bbec88047dd Applied some more code simplifications suggested by the new Simplify checker (Y108: use ternary operator).
Detlev Offenbach <detlev@die-offenbachs.de>
parents: 8222
diff changeset
54 config["shell_injection_shell"]
2bbec88047dd Applied some more code simplifications suggested by the new Simplify checker (Y108: use ternary operator).
Detlev Offenbach <detlev@die-offenbachs.de>
parents: 8222
diff changeset
55 if config and "shell_injection_shell" in config else
2bbec88047dd Applied some more code simplifications suggested by the new Simplify checker (Y108: use ternary operator).
Detlev Offenbach <detlev@die-offenbachs.de>
parents: 8222
diff changeset
56 SecurityDefaults["shell_injection_shell"]
2bbec88047dd Applied some more code simplifications suggested by the new Simplify checker (Y108: use ternary operator).
Detlev Offenbach <detlev@die-offenbachs.de>
parents: 8222
diff changeset
57 )
7615
ca2949b1a29a Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff changeset
58
ca2949b1a29a Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff changeset
59 vulnerableFunctions = ['chown', 'chmod', 'tar', 'rsync']
ca2949b1a29a Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff changeset
60 if (
8222
5994b80b8760 Applied some more code simplifications suggested by the new Simplify checker (Y102: use single if) (batch 1).
Detlev Offenbach <detlev@die-offenbachs.de>
parents: 8217
diff changeset
61 (context.callFunctionNameQual in shellFunctionNames or
5994b80b8760 Applied some more code simplifications suggested by the new Simplify checker (Y102: use single if) (batch 1).
Detlev Offenbach <detlev@die-offenbachs.de>
parents: 8217
diff changeset
62 (context.callFunctionNameQual in subProcessFunctionNames and
5994b80b8760 Applied some more code simplifications suggested by the new Simplify checker (Y102: use single if) (batch 1).
Detlev Offenbach <detlev@die-offenbachs.de>
parents: 8217
diff changeset
63 context.checkCallArgValue('shell', 'True'))) and
5994b80b8760 Applied some more code simplifications suggested by the new Simplify checker (Y102: use single if) (batch 1).
Detlev Offenbach <detlev@die-offenbachs.de>
parents: 8217
diff changeset
64 context.callArgsCount >= 1
7615
ca2949b1a29a Code Style Checker: continued to implement checker for security related issues.
Detlev Offenbach <detlev@die-offenbachs.de>
parents:
diff changeset
65 ):
8222
5994b80b8760 Applied some more code simplifications suggested by the new Simplify checker (Y102: use single if) (batch 1).
Detlev Offenbach <detlev@die-offenbachs.de>
parents: 8217
diff changeset
66 callArgument = context.getCallArgAtPosition(0)
5994b80b8760 Applied some more code simplifications suggested by the new Simplify checker (Y102: use single if) (batch 1).
Detlev Offenbach <detlev@die-offenbachs.de>
parents: 8217
diff changeset
67 argumentString = ''
5994b80b8760 Applied some more code simplifications suggested by the new Simplify checker (Y102: use single if) (batch 1).
Detlev Offenbach <detlev@die-offenbachs.de>
parents: 8217
diff changeset
68 if isinstance(callArgument, list):
5994b80b8760 Applied some more code simplifications suggested by the new Simplify checker (Y102: use single if) (batch 1).
Detlev Offenbach <detlev@die-offenbachs.de>
parents: 8217
diff changeset
69 for li in callArgument:
5994b80b8760 Applied some more code simplifications suggested by the new Simplify checker (Y102: use single if) (batch 1).
Detlev Offenbach <detlev@die-offenbachs.de>
parents: 8217
diff changeset
70 argumentString += ' {0}'.format(li)
5994b80b8760 Applied some more code simplifications suggested by the new Simplify checker (Y102: use single if) (batch 1).
Detlev Offenbach <detlev@die-offenbachs.de>
parents: 8217
diff changeset
71 elif isinstance(callArgument, str):
5994b80b8760 Applied some more code simplifications suggested by the new Simplify checker (Y102: use single if) (batch 1).
Detlev Offenbach <detlev@die-offenbachs.de>
parents: 8217
diff changeset
72 argumentString = callArgument
5994b80b8760 Applied some more code simplifications suggested by the new Simplify checker (Y102: use single if) (batch 1).
Detlev Offenbach <detlev@die-offenbachs.de>
parents: 8217
diff changeset
73
5994b80b8760 Applied some more code simplifications suggested by the new Simplify checker (Y102: use single if) (batch 1).
Detlev Offenbach <detlev@die-offenbachs.de>
parents: 8217
diff changeset
74 if argumentString != '':
5994b80b8760 Applied some more code simplifications suggested by the new Simplify checker (Y102: use single if) (batch 1).
Detlev Offenbach <detlev@die-offenbachs.de>
parents: 8217
diff changeset
75 for vulnerableFunction in vulnerableFunctions:
5994b80b8760 Applied some more code simplifications suggested by the new Simplify checker (Y102: use single if) (batch 1).
Detlev Offenbach <detlev@die-offenbachs.de>
parents: 8217
diff changeset
76 if (
5994b80b8760 Applied some more code simplifications suggested by the new Simplify checker (Y102: use single if) (batch 1).
Detlev Offenbach <detlev@die-offenbachs.de>
parents: 8217
diff changeset
77 vulnerableFunction in argumentString and
5994b80b8760 Applied some more code simplifications suggested by the new Simplify checker (Y102: use single if) (batch 1).
Detlev Offenbach <detlev@die-offenbachs.de>
parents: 8217
diff changeset
78 '*' in argumentString
5994b80b8760 Applied some more code simplifications suggested by the new Simplify checker (Y102: use single if) (batch 1).
Detlev Offenbach <detlev@die-offenbachs.de>
parents: 8217
diff changeset
79 ):
5994b80b8760 Applied some more code simplifications suggested by the new Simplify checker (Y102: use single if) (batch 1).
Detlev Offenbach <detlev@die-offenbachs.de>
parents: 8217
diff changeset
80 lineNo = context.getLinenoForCallArg('shell')
5994b80b8760 Applied some more code simplifications suggested by the new Simplify checker (Y102: use single if) (batch 1).
Detlev Offenbach <detlev@die-offenbachs.de>
parents: 8217
diff changeset
81 if lineNo < 1:
5994b80b8760 Applied some more code simplifications suggested by the new Simplify checker (Y102: use single if) (batch 1).
Detlev Offenbach <detlev@die-offenbachs.de>
parents: 8217
diff changeset
82 lineNo = context.node.lineno
5994b80b8760 Applied some more code simplifications suggested by the new Simplify checker (Y102: use single if) (batch 1).
Detlev Offenbach <detlev@die-offenbachs.de>
parents: 8217
diff changeset
83 offset = context.getOffsetForCallArg('shell')
5994b80b8760 Applied some more code simplifications suggested by the new Simplify checker (Y102: use single if) (batch 1).
Detlev Offenbach <detlev@die-offenbachs.de>
parents: 8217
diff changeset
84 if offset < 0:
5994b80b8760 Applied some more code simplifications suggested by the new Simplify checker (Y102: use single if) (batch 1).
Detlev Offenbach <detlev@die-offenbachs.de>
parents: 8217
diff changeset
85 offset = context.node.col_offset
5994b80b8760 Applied some more code simplifications suggested by the new Simplify checker (Y102: use single if) (batch 1).
Detlev Offenbach <detlev@die-offenbachs.de>
parents: 8217
diff changeset
86 reportError(
5994b80b8760 Applied some more code simplifications suggested by the new Simplify checker (Y102: use single if) (batch 1).
Detlev Offenbach <detlev@die-offenbachs.de>
parents: 8217
diff changeset
87 lineNo - 1,
5994b80b8760 Applied some more code simplifications suggested by the new Simplify checker (Y102: use single if) (batch 1).
Detlev Offenbach <detlev@die-offenbachs.de>
parents: 8217
diff changeset
88 offset,
5994b80b8760 Applied some more code simplifications suggested by the new Simplify checker (Y102: use single if) (batch 1).
Detlev Offenbach <detlev@die-offenbachs.de>
parents: 8217
diff changeset
89 "S609",
5994b80b8760 Applied some more code simplifications suggested by the new Simplify checker (Y102: use single if) (batch 1).
Detlev Offenbach <detlev@die-offenbachs.de>
parents: 8217
diff changeset
90 "H",
5994b80b8760 Applied some more code simplifications suggested by the new Simplify checker (Y102: use single if) (batch 1).
Detlev Offenbach <detlev@die-offenbachs.de>
parents: 8217
diff changeset
91 "M",
5994b80b8760 Applied some more code simplifications suggested by the new Simplify checker (Y102: use single if) (batch 1).
Detlev Offenbach <detlev@die-offenbachs.de>
parents: 8217
diff changeset
92 context.callFunctionNameQual
5994b80b8760 Applied some more code simplifications suggested by the new Simplify checker (Y102: use single if) (batch 1).
Detlev Offenbach <detlev@die-offenbachs.de>
parents: 8217
diff changeset
93 )

Mercurial Repository: eric

eric ide

mercurial