🌐 AI搜索 & 代理 主页
Skip to content

Python: MaD barriers #21004

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
yoff wants to merge 17 commits into
base: main
Choose a base branch
from
+831 −176
Draft

Python: MaD barriers #21004

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
17 commits
Select commit Hold shift + click to select a range
d8325c2
Java: Basic support for pass-through barrier models.
aschackmull Dec 8, 2025
6d4a86e
Java: Add support for boolean MaD barrier guards.
aschackmull Dec 9, 2025
4d74d18
Java: Add empty extensible data.
aschackmull Dec 9, 2025
6eae43a
Convert trust boundary violation barrier and barrier guard to MaD
owen-mc Dec 9, 2025
1586f00
Convert path injection barrier to MaD
owen-mc Dec 9, 2025
063ce9b
Add dummy instantiations for other languages.
aschackmull Dec 9, 2025
cec0f73
Convert request forgery barrier guard to MaD
owen-mc Dec 9, 2025
befccac
Convert XSS barrier to MaD
owen-mc Dec 9, 2025
8da742a
Convert regex injection barrier to MaD
owen-mc Dec 9, 2025
872f3b0
python: remove barrier that can be expressed in MaD
yoff Dec 10, 2025
578b835
python: add machinery for MaD barriers
yoff Dec 10, 2025
546c22f
python: add qldoc
yoff Dec 11, 2025
8fb23fc
all: sync API graph files
yoff Dec 11, 2025
a5213a7
js/ruby: add empty models
yoff Dec 11, 2025
0a6a7ec
python: centralize external barrier guard definition
yoff Dec 11, 2025
c016b66
python: add qldoc
yoff Dec 11, 2025
bb141ab
python: MaD expectations
yoff Dec 11, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
python: centralize external barrier guard definition
  • Loading branch information
@yoff
yoff committed Dec 11, 2025
commit 0a6a7ec9cd39dbcbabe621fc7228115eb299e071
39 changes: 38 additions & 1 deletion python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPublic.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -600,15 +600,52 @@
module BarrierGuard<guardChecksSig/3 guardChecks> {
/** Gets a node that is safely guarded by the given guard check. */
ExprNode getABarrierNode() {
result = ParameterizedBarrierGuard<Unit, extendedGuardChecks/4>::getABarrierNode(_)
}

private predicate extendedGuardChecks(GuardNode g, ControlFlowNode node, boolean branch, Unit u) {
guardChecks(g, node, branch)
}
}

bindingset[this]
private signature class ParamSig;

private module WithParam<ParamSig P> {
signature predicate guardChecksSig(GuardNode g, ControlFlowNode node, boolean branch, P param);
}

module ParameterizedBarrierGuard<ParamSig P, WithParam<P>::guardChecksSig/4 guardChecks> {

Check warning on line 618 in python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPublic.qll

View workflow job for this annotation

GitHub Actions / qldoc 

Missing QLdoc for module DataFlowPublic::ParameterizedBarrierGuard
/** Gets a node that is safely guarded by the given guard check with parameter `param`. */
ExprNode getABarrierNode(P param) {
exists(GuardNode g, EssaDefinition def, ControlFlowNode node, boolean branch |
AdjacentUses::useOfDef(def, node) and
guardChecks(g, node, branch) and
guardChecks(g, node, branch, param) and
AdjacentUses::useOfDef(def, result.asCfgNode()) and
g.controlsBlock(result.asCfgNode().getBasicBlock(), branch)
)
}
}

module ExternalBarrierGuard {

Check warning on line 630 in python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPublic.qll

View workflow job for this annotation

GitHub Actions / qldoc 

Missing QLdoc for module DataFlowPublic::ExternalBarrierGuard
private import semmle.python.ApiGraphs

predicate guardCheck(GuardNode g, ControlFlowNode node, boolean branch, string kind) {

Check warning on line 633 in python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPublic.qll

View workflow job for this annotation

GitHub Actions / qldoc 

Missing QLdoc for classless-predicate DataFlowPublic::ExternalBarrierGuard::guardCheck/4
exists(API::CallNode call, API::Node parameter |
parameter = call.getAParameter() and
parameter = ModelOutput::getABarrierGuardNode(kind, branch)
|
g = call.asCfgNode() and
node = parameter.asSink().asCfgNode()
)
}

/** Gets a node that is an external barrier of the given kind. */
ExprNode getAnExternalBarrierNode(string kind) {
result = ParameterizedBarrierGuard<string, guardCheck/4>::getABarrierNode(kind)
}
}

/**
* Algebraic datatype for tracking data content associated with values.
* Content can be collection elements or object attributes.
Expand Down
14 changes: 3 additions & 11 deletions python/ql/lib/semmle/python/security/dataflow/UrlRedirectCustomizations.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@
*/

private import python
private import semmle.python.dataflow.new.DataFlow

Check warning

Code scanning / CodeQL

Redundant import Warning

Redundant import, the module is already imported inside
semmle.python.ApiGraphs
Loading
.
private import semmle.python.Concepts
private import semmle.python.ApiGraphs
private import semmle.python.dataflow.new.RemoteFlowSources
Expand Down Expand Up @@ -161,18 +161,10 @@
/** DEPRECATED: Use ConstCompareAsSanitizerGuard instead. */
deprecated class StringConstCompareAsSanitizerGuard = ConstCompareAsSanitizerGuard;

private predicate urlCheck(DataFlow::GuardNode g, ControlFlowNode node, boolean branch) {
exists(API::CallNode call, API::Node parameter |
parameter = call.getAParameter() and
parameter = ModelOutput::getABarrierGuardNode("url-redirection", branch)
|
g = call.asCfgNode() and
node = parameter.asSink().asCfgNode()
)
}

class SanitizerFromModel extends Sanitizer {

Check warning on line 164 in python/ql/lib/semmle/python/security/dataflow/UrlRedirectCustomizations.qll

View workflow job for this annotation

GitHub Actions / qldoc 

Missing QLdoc for class UrlRedirectCustomizations::UrlRedirect::SanitizerFromModel
SanitizerFromModel() { this = DataFlow::BarrierGuard<urlCheck/3>::getABarrierNode() }
SanitizerFromModel() {
this = DataFlow::ExternalBarrierGuard::getAnExternalBarrierNode("url-redirection")
}

override predicate sanitizes(FlowState state) {
// sanitize all flow states
Expand Down
Loading