fix(python): regard pair children as data sources (#1611)
elsapet authored May 27, 2024
1 parent 14e0918 commit 9947948
Showing 5 changed files with 61 additions and 1 deletion.
30 changes: 30 additions & 0 deletions internal/languages/python/.snapshots/TestPair--pair.yml
@@ -0,0 +1,30 @@
high:
- rule:
cwe_ids:
- "42"
id: pair_test
title: Test detection filter dictionary pair statements
description: Test detection filter dictionary pair statements
documentation_url: ""
line_number: 4
full_filename: pair.py
filename: pair.py
source:
location:
start: 4
end: 4
column:
start: 1
end: 46
sink:
location:
start: 4
end: 4
column:
start: 1
end: 46
content: ""
parent_line_number: 4
fingerprint: ccf6bc0c73d9320075b1353d72b65703_0
old_fingerprint: ccf6bc0c73d9320075b1353d72b65703_0

2 changes: 1 addition & 1 deletion internal/languages/python/analyzer/analyzer.go
Expand Up @@ -37,7 +37,7 @@ func (analyzer *analyzer) Analyze(node *sitter.Node, visitChildren func() error)
return analyzer.analyzeSubscript(node, visitChildren)
case "call":
return analyzer.analyzeCall(node, visitChildren)
case "argument_list", "expression_statement", "list", "tuple", "unary_operator", "binary_operator":
case "pair", "argument_list", "expression_statement", "list", "tuple", "unary_operator", "binary_operator":
return analyzer.analyzeGenericOperation(node, visitChildren)
case "parenthesized_expression", "interpolation":
return analyzer.analyzeGenericConstruct(node, visitChildren)
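Review bot: The new `"pair"` case carries no explanation of why a dictionary key/value entry is modelled as a generic operation, namely that the children of `{"k": v}` must flow to the dictionary and on to the enclosing call for the pair.py fixture to be reported; a short comment next to the case would preserve that intent, e.g. `// "pair" is a dict key/value entry; its children must flow through so {"k": user_input} reaches the enclosing call`. Whether both the key and the value child are treated as sources depends on analyzeGenericOperation, which is outside this hunk, as is the start of Analyze. If the key is included that is the safer over-approximation for injection detection, but it is worth stating so a later change does not narrow it silently.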
7 changes: 7 additions & 0 deletions internal/languages/python/python_test.go
Expand Up @@ -22,6 +22,9 @@ var importRule []byte
//go:embed testdata/subscript_rule.yml
var subscriptRule []byte

//go:embed testdata/pair_rule.yml
var pairRule []byte

func TestDatatypes(t *testing.T) {
testhelper.GetRunner(t, datatypesRule, "python").RunTest(t, "./testdata/datatypes", ".snapshots/")
}
Expand All @@ -41,3 +44,7 @@ func TestImport(t *testing.T) {
func TestSubscript(t *testing.T) {
testhelper.GetRunner(t, subscriptRule, "python").RunTest(t, "./testdata/subscript", ".snapshots/")
}

func TestPair(t *testing.T) {
testhelper.GetRunner(t, pairRule, "python").RunTest(t, "./testdata/pair", ".snapshots/")
}
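--- a/internal/languages/python/testdata/pair/pair.py
+++ b/internal/languages/python/testdata/pair/pair.py
@@ -0,0 +1,4 @@
+user_input = input("Enter username: ")
+
+# collection is some mongodo collection
+collection.find_one({"username": user_input})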
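Review bot: The fixture exercises only the value position of the pair, so the snapshot cannot tell whether a user-controlled key is reported as well; a second statement such as `collection.find_one({user_input: "x"})` would pin that behaviour down, assuming the generic-operation handling treats every child of the pair alike. The comment on line 3 also misspells the product name: `# collection is some mongodb collection`.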
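--- a/internal/languages/python/testdata/pair_rule.yml
+++ b/internal/languages/python/testdata/pair_rule.yml
@@ -0,0 +1,19 @@
+languages:
+- python
+patterns:
+- pattern: collection.find_one($<...>$<USER_INPUT>$<...>)
+filters:
+- variable: USER_INPUT
+detection: pair_test_user_input
+scope: result
+auxiliary:
+- id: pair_test_user_input
+patterns:
+- input()
+severity: high
+metadata:
+description: Test detection filter dictionary pair statements
+remediation_message: Test detection filter dictionary pair statements
+cwe_id:
+- 42
+id: pair_test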