Module PathInjectionConfig
This configuration uses two flow states, NotNormalized and NormalizedUnchecked, to track the requirement that a file path must be first normalized and then checked before it is safe to use.
At sources, paths are assumed not normalized. At normalization points, they change state to NormalizedUnchecked, after which they can be made safe by an appropriate check of the prefix.
Such checks are ineffective in the NotNormalized state.
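The Python below is an added illustration of the pattern these two states model; it is not part of the CodeQL library. It puts a prefix check applied in the NotNormalized state beside the normalize-then-check order. The base directory, function names and sample inputs are constructed for the example.

```python
import posixpath  # POSIX rules, so the constructed paths behave the same on any OS

BASE = "/srv/files"  # constructed base directory (assumption for this example)


def prefix_ok(path: str) -> bool:
    """Prefix check: path is BASE itself or lies below BASE/."""
    return path == BASE or path.startswith(BASE + "/")


def check_without_normalizing(user_path: str) -> str:
    """Check applied in the NotNormalized state: the raw joined path is tested."""
    candidate = posixpath.join(BASE, user_path)
    if not prefix_ok(candidate):
        raise ValueError("outside base directory")
    return candidate  # can still contain '..' segments that leave BASE


def normalize_then_check(user_path: str) -> str:
    """NotNormalized -> NormalizedUnchecked -> prefix check."""
    # After normpath the value is in the NormalizedUnchecked state.
    candidate = posixpath.normpath(posixpath.join(BASE, user_path))
    # Only now does the prefix check describe the path that will be opened.
    if not prefix_ok(candidate):
        raise ValueError("outside base directory")
    return candidate


def is_rejected(func, user_path: str) -> bool:
    """True if func refuses user_path."""
    try:
        func(user_path)
    except ValueError:
        return True
    return False
```

The trailing separator in the prefix check matters as well: without it, a sibling directory such as /srv/files-private would pass a check against /srv/files.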
Import path
import semmle.python.security.dataflow.PathInjectionQuery
Predicates
isAdditionalFlowStep | Holds if data may flow from |
isBarrier | Holds if data flow through |
isBarrier | Holds if data flow through |
isSink | Holds if |
isSource | Holds if |