CodeQL library for Python
codeql/python-all 2.1.1-dev (changelog, source)
Search

Class Configuration

DEPRECATED: Use PathInjectionFlow module instead.

A taint-tracking configuration for detecting “path injection” vulnerabilities.

This configuration uses two flow states, NotNormalized and NormalizedUnchecked, to track the requirement that a file path must be first normalized and then checked before it is safe to use.

At sources, paths are assumed not normalized. At normalization points, they change state to NormalizedUnchecked after which they can be made safe by an appropriate check of the prefix.

Such checks are ineffective in the NotNormalized state.

Import path

import semmle.python.security.dataflow.PathInjectionQuery

Direct supertypes

Indirect supertypes

Predicates

isAdditionalTaintStep

Holds if taint may propagate from node1 to node2 in addition to the normal data-flow and taint steps. This step is only applicable in state1 and updates the flow state to state2.

isSanitizer

Holds if the node node is a taint sanitizer.

isSanitizer

Holds if the node node is a taint sanitizer when the flow state is state.

isSink

Holds if sink is a relevant taint sink accepting state.

isSource

Holds if source is a relevant taint source with the given initial state.

Inherited predicates

allowImplicitRead

Holds if an arbitrary number of implicit read steps of content c may be taken at node.

from Configuration
charAt

Returns a one-character string containing the character in the receiver at the given index (which ranges from 0 through length minus one)

from string
codePointAt

Returns an integer for the Unicode code point value of the character starting at the given index, counted by UTF-16 code units.

from string
codePointCount

Returns the number of Unicode code points found in the receiver between the given start index (inclusive) and end index (exclusive).

from string
fieldFlowBranchLimit

Gets the virtual dispatch branching limit when calculating field flow. This can be overridden to a smaller value to improve performance (a value of 0 disables field flow), or a larger value to get more results.

from Configuration
getAFeature

Gets a data flow configuration feature to add restrictions to the set of valid flow paths.

from Configuration
hasFlow

Holds if taint may flow from source to sink for this configuration.

from Configuration
hasFlowPath

Holds if data may flow from source to sink for this configuration.

from Configuration
hasFlowTo

Holds if data may flow from some source to sink for this configuration.

from Configuration
hasFlowToExpr

Holds if data may flow from some source to sink for this configuration.

from Configuration
includeHiddenNodes

Holds if hidden nodes should be included in the data flow graph.

from Configuration
indexOf

Returns all the offsets (starting at 0) at which the given string occurs in the receiver. Has no result if the string does not occur in the receiver.

from string
indexOf

Returns the index of the n’th (starting at 0) occurrence of the given string within the receiver, starting at the given 0-based offset. Has no result if the string does not occur in the receiver.

from string
isAdditionalFlowStep

Holds if data may flow from node1 to node2 in addition to the normal data-flow steps.

from Configuration
isAdditionalFlowStep

Holds if data may flow from node1 to node2 in addition to the normal data-flow steps. This step is only applicable in state1 and updates the flow state to state2.

from Configuration
isAdditionalTaintStep

Holds if taint may propagate from node1 to node2 in addition to the normal data-flow and taint steps.

from Configuration
isBarrier

Holds if data flow through node is prohibited. This completely removes node from the data flow graph.

from Configuration
isBarrier

Holds if data flow through node is prohibited when the flow state is state.

from Configuration
isBarrierIn

Holds if data flow into node is prohibited.

from Configuration
isBarrierOut

Holds if data flow out of node is prohibited.

from Configuration
isLowercase

Holds when the receiver contains no upper-case letters. This includes the case where the receiver contains no letters at all, for example, if it’s an empty string or only consists of non-letter symbols.

from string
isSanitizerIn

Holds if taint propagation into node is prohibited.

from Configuration
isSanitizerOut

Holds if taint propagation out of node is prohibited.

from Configuration
isSink

Holds if sink is a relevant taint sink

from Configuration
isSource

Holds if source is a relevant taint source.

from Configuration
isUppercase

Holds when the receiver contains no lower-case letters. This includes the case where the receiver contains no letters at all, for example, if it’s an empty string or only consists of non-letter symbols.

from string
length

Returns the length of the receiver (in UTF-16 code units)

from string
matches

Holds when the receiver matches the pattern. Patterns are matched by case sensitive string matching, and there are two wildcards: _ matches a single character, and % matches any sequence of characters. To match the actual characters _ or % in the pattern, they must be escaped using backslashes. For example, "anythingstring%".matches("%string\\%") holds. To match a literal backslash in front of _ or %, you must escape the backslash. Backslashes that are not part of an escape sequence are matched as literals.

from string
prefix

Returns the substring of the receiver ending at the given 0-based exclusive offset

from string
regexpCapture

When the given regular expression matches the entire receiver, returns the substring matched by the given capture group (starting at 1). The regex format used is Java’s Pattern.

from string
regexpFind

Returns a substring of the receiver which matches the given regular expression. Also returns the offset within the receiver (starting at 0) at which the match occurred (occurrenceOffset), and the number of matches which occur at smaller offsets (occurrenceIndex). The regex format used is Java’s Pattern.

from string
regexpMatch

Holds when the given regular expression matches the entire receiver. The regex format used is Java’s Pattern.

from string
regexpReplaceAll

Returns a copy of the receiver with every substring which matches the given regular expression is replaced by the replacement. The regex format used is Java’s Pattern. The replacement string can contain references to captured groups as described in Java’s appendReplacement docs.

from string
replaceAll

Returns a copy of the receiver with all occurrences of the target replaced by the replacement

from string
sinkGrouping

Holds if sinks should be grouped in the result of hasFlowPath.

from Configuration
sourceGrouping

Holds if sources should be grouped in the result of hasFlowPath.

from Configuration
splitAt

Returns all the substrings obtained by splitting the receiver at every occurrence of the argument. Trailing empty substrings are omitted. Splitting at an empty string returns all the characters that the receiver consists of.

from string
splitAt

Returns the n’th (starting at 0) substring obtained by splitting the receiver at every occurrence of the argument. Trailing empty substrings are omitted. Splitting at an empty string returns all the characters that the receiver consists of.

from string
substring

Returns the substring of the receiver which starts and ends at the given indices. Both indices are 0-based. The start index is inclusive and the end index is exclusive.

from string
suffix

Returns the substring of the receiver starting at the given 0-based inclusive offset

from string
toBigInt

Returns the arbitrary-precision signed integer, if any, obtained by parsing the receiver. The number may consist of an optional leading + or -, followed by one or more digits.

from string
toDate

Returns the date, if any, obtained by parsing the receiver. The recognized formats are described in the documentation.

from string
toFloat

Returns the 64-bit floating point number, if any, obtained by parsing the receiver. The parsing rules are described in Java’s valueOf docs.

from string
toInt

Returns the 32-bit signed integer, if any, obtained by parsing the receiver. The number may consist of an optional leading + or -, followed by one or more digits. Has no result if the value exceeds the value range supported by the int type.

from string
toLowerCase

Returns a copy of the receiver with all uppercase characters replaced by lowercase ones according to Unicode case conversion rules.

from string
toString

Returns the receiver

from string
toUpperCase

Returns a copy of the receiver with all lowercase characters replaced by uppercase ones according to Unicode case conversion rules.

from string
trim

Returns a copy of the receiver with all whitespace removed from the beginning and end of the string (where whitespace is defined as Unicode code points ‘\u0000’ through ‘\u0020’ inclusive)

from string

Charpred