feat: extend patterns to use shared import rule

Bearer · May 15, 2024 · 95c16ca · 95c16ca
1 parent 5e1c10b
commit 95c16ca
Show file tree

Hide file tree

Showing 4 changed files with 47 additions and 26 deletions.
diff --git a/rules/python/django/path_using_user_input.yml b/rules/python/django/path_using_user_input.yml
@@ -1,34 +1,45 @@
 imports:
   - python_shared_common_user_input
+  - python_shared_lang_import4
 patterns:
-  - pattern: FileSystemStorage($<...>$<USER_INPUT>$<...>)
+  - pattern: $<FILE_SYSTEM_STORAGE>($<...>$<USER_INPUT>$<...>)
     filters:
       - variable: USER_INPUT
         detection: python_shared_common_user_input
         scope: result
+      - variable: FILE_SYSTEM_STORAGE
+        detection: python_shared_lang_import4
+        scope: cursor
+        filters:
+          - variable: MODULE1
+            values: [django]
+          - variable: MODULE2
+            values: [core]
+          - variable: MODULE3
+            values: [files]
+          - variable: MODULE4
+            values: [storage]
+          - variable: NAME
+            values: [FileSystemStorage]
   - pattern: $<DEFAULT_STORAGE>.save($<USER_INPUT>, $<...>)
     filters:
       - variable: DEFAULT_STORAGE
-        detection: python_django_path_using_user_input_default_storage
+        detection: python_shared_lang_import4
         scope: cursor
+        filters:
+          - variable: MODULE1
+            values: [django]
+          - variable: MODULE2
+            values: [core]
+          - variable: MODULE3
+            values: [files]
+          - variable: MODULE4
+            values: [storage]
+          - variable: NAME
+            values: [default_storage]
       - variable: USER_INPUT
         detection: python_shared_common_user_input
         scope: result
-auxiliary:
-  - id: python_django_path_using_user_input_default_storage
-    patterns:
-      - pattern: $<DEFAULT_STORAGE>
-        filters:
-          - variable: DEFAULT_STORAGE
-            regex: \A(django\.core\.files\.storage\.)?default_storage\z
-      - pattern: from $<STORAGE> import $<!>default_storage
-        filters:
-          - variable: STORAGE
-            regex: \A(django\.core\.files\.)?storage\z
-      - pattern: from $<STORAGE> import default_storage as $<!>$<_>
-        filters:
-          - variable: STORAGE
-            regex: \A(django\.core\.files\.)?storage\z
 languages:
   - python
 severity: high

diff --git a/rules/python/lang/path_using_user_input.yml b/rules/python/lang/path_using_user_input.yml
@@ -1,20 +1,27 @@
 imports:
   - python_shared_common_user_input
+  - python_shared_lang_import1
 patterns:
   - pattern: open($<USER_INPUT>$<...>)
     filters:
       - variable: USER_INPUT
         detection: python_shared_common_user_input
         scope: result
-  - pattern: fileinput.$<METHOD>($<...>files=$<USER_INPUT>$<...>)
+  - pattern: $<FILEINPUT>($<...>files=$<USER_INPUT>$<...>)
     filters:
+      - variable: FILEINPUT
+        detection: python_shared_lang_import1
+        scope: cursor
+        filters:
+          - variable: MODULE1
+            values: [fileinput]
+          - variable: NAME
+            values:
+              - input
+              - FileInput
       - variable: USER_INPUT
         detection: python_shared_common_user_input
         scope: result
-      - variable: METHOD
-        values:
-          - input
-          - FileInput
   - pattern: io.$<METHOD>($<USER_INPUT>$<...>)
     filters:
       - variable: USER_INPUT
@@ -158,7 +165,7 @@ metadata:
       ```python
         BASE_DIRECTORY = '/path/to/safe/directory'
         my_path = os.path.abspath(os.path.join(BASE_DIRECTORY, user_input))
-        
+
         if my_path.startswith(BASE_DIRECTORY):
           open(my_path)
       ```

diff --git a/tests/python/django/path_using_user_input/testdata/main.py b/tests/python/django/path_using_user_input/testdata/main.py
@@ -1,5 +1,7 @@
+from django.core.files.storage import FileSystemStorage as FSS
+
 # bearer:expected python_django_path_using_user_input
-fs = FileSystemStorage(form.cleaned_data["storage_path"])
+fs = FSS(form.cleaned_data["storage_path"])
 request_file = request.FILES['document']
 file = fs.save(request_file)
 

diff --git a/tests/python/lang/path_using_user_input/testdata/main.py b/tests/python/lang/path_using_user_input/testdata/main.py
@@ -3,12 +3,13 @@
 os.mkdir(user_upload_path)
 
 print("What file would you like to read?")
-filepath = input() 
+filepath = input()
 # bearer:expected python_lang_path_using_user_input
 open(filepath)
 
+import fileinput as fi
 # bearer:expected python_lang_path_using_user_input
-with fileinput.input(files=(filepath), encoding="utf-8") as f:
+with fi.input(files=(filepath), encoding="utf-8") as f:
     for line in f:
         process(line)