From 9947948450446919a371f8562fd10f80399e9caa Mon Sep 17 00:00:00 2001
From: elsapet
Date: Mon, 27 May 2024 11:58:18 +0200
Subject: [PATCH] fix(python): regard pair children as data sources (#1611)
---
 .../python/.snapshots/TestPair--pair.yml | 30 +++++++++++++++++++
 .../languages/python/analyzer/analyzer.go | 2 +-
 internal/languages/python/python_test.go | 7 +++++
 .../languages/python/testdata/pair/pair.py | 4 +++
 .../languages/python/testdata/pair_rule.yml | 19 ++++++++++++
 5 files changed, 61 insertions(+), 1 deletion(-)
 create mode 100644 internal/languages/python/.snapshots/TestPair--pair.yml
 create mode 100644 internal/languages/python/testdata/pair/pair.py
 create mode 100644 internal/languages/python/testdata/pair_rule.yml
diff --git a/internal/languages/python/.snapshots/TestPair--pair.yml b/internal/languages/python/.snapshots/TestPair--pair.yml
new file mode 100644
index 000000000..90859f0a2
--- /dev/null
+++ b/internal/languages/python/.snapshots/TestPair--pair.yml
@@ -0,0 +1,30 @@
+high:
+ - rule:
+ cwe_ids:
+ - "42"
+ id: pair_test
+ title: Test detection filter dictionary pair statements
+ description: Test detection filter dictionary pair statements
+ documentation_url: ""
+ line_number: 4
+ full_filename: pair.py
+ filename: pair.py
+ source:
+ location:
+ start: 4
+ end: 4
+ column:
+ start: 1
+ end: 46
+ sink:
+ location:
+ start: 4
+ end: 4
+ column:
+ start: 1
+ end: 46
+ content: ""
+ parent_line_number: 4
+ fingerprint: ccf6bc0c73d9320075b1353d72b65703_0
+ old_fingerprint: ccf6bc0c73d9320075b1353d72b65703_0
+
diff --git a/internal/languages/python/analyzer/analyzer.go b/internal/languages/python/analyzer/analyzer.go
index 9ba3ebfd5..0d7a434ab 100644
--- a/internal/languages/python/analyzer/analyzer.go
+++ b/internal/languages/python/analyzer/analyzer.go
@@ -37,7 +37,7 @@ func (analyzer *analyzer) Analyze(node *sitter.Node, visitChildren func() error)
 return analyzer.analyzeSubscript(node, visitChildren)
 case "call":
 return analyzer.analyzeCall(node, visitChildren)
- case "argument_list", "expression_statement", "list", "tuple", "unary_operator", "binary_operator":
+ case "pair", "argument_list", "expression_statement", "list", "tuple", "unary_operator", "binary_operator":
 return analyzer.analyzeGenericOperation(node, visitChildren)
 case "parenthesized_expression", "interpolation":
 return analyzer.analyzeGenericConstruct(node, visitChildren)
diff --git a/internal/languages/python/python_test.go b/internal/languages/python/python_test.go
index f8919b56b..c6761a178 100644
--- a/internal/languages/python/python_test.go
+++ b/internal/languages/python/python_test.go
@@ -22,6 +22,9 @@ var importRule []byte
 //go:embed testdata/subscript_rule.yml
 var subscriptRule []byte
 
+//go:embed testdata/pair_rule.yml
+var pairRule []byte
+
 func TestDatatypes(t *testing.T) {
 testhelper.GetRunner(t, datatypesRule, "python").RunTest(t, "./testdata/datatypes", ".snapshots/")
 }
@@ -41,3 +44,7 @@ func TestImport(t *testing.T) {
 func TestSubscript(t *testing.T) {
 testhelper.GetRunner(t, subscriptRule, "python").RunTest(t, "./testdata/subscript", ".snapshots/")
 }
+
+func TestPair(t *testing.T) {
+ testhelper.GetRunner(t, pairRule, "python").RunTest(t, "./testdata/pair", ".snapshots/")
+}
diff --git a/internal/languages/python/testdata/pair/pair.py b/internal/languages/python/testdata/pair/pair.py
new file mode 100644
index 000000000..c39cad7a6
--- /dev/null
+++ b/internal/languages/python/testdata/pair/pair.py
@@ -0,0 +1,4 @@
+user_input = input("Enter username: ")
+
+# collection is some mongodo collection
+collection.find_one({"username": user_input})
\ No newline at end of file
diff --git a/internal/languages/python/testdata/pair_rule.yml b/internal/languages/python/testdata/pair_rule.yml
new file mode 100644
index 000000000..467795e17
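Review bot: Routing `pair` through `analyzeGenericOperation` treats every child of a dictionary entry as a source, and the commit subject says "children" (plural), so presumably a tainted key in `{user_input: 1}` now flows into the enclosing dictionary just as the value in `{"username": user_input}` does; if only the value side is meant to carry taint, the key needs to be excluded, and if both are intended that deserves a line of explanation. The node types that commonly carry a dictionary into a call by other routes, `keyword_argument` (`find_one(filter={...})`) and `dictionary_splat`, are not visible in this hunk, so whether those forms are detected cannot be confirmed from here; a second fixture covering `find_one(filter={"username": user_input})` would pin it. A comment on the added case such as `// "pair": a dictionary entry; its key and value are sources so taint reaches the containing dictionary` would document the intent. The `Analyze` switch begins and ends outside the hunk.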
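Review bot: The fixture holds only a positive case, so the snapshot cannot show that the filter stays quiet when the pair's value is untainted, nor whether a tainted key alone is reported; two more lines, `collection.find_one({"username": "admin"})` and `collection.find_one({user_input: "x"})`, would pin the negative behaviour and the key-versus-value question the `pair` change raises. The comment on the third line reads `mongodo`; `# collection is some mongodb collection` is what is meant. The file also ends without a trailing newline.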
--- /dev/null
+++ b/internal/languages/python/testdata/pair_rule.yml
@@ -0,0 +1,19 @@
+languages:
+ - python
+patterns:
+ - pattern: collection.find_one($<...>$$<...>)
+ filters:
+ - variable: USER_INPUT
+ detection: pair_test_user_input
+ scope: result
+auxiliary:
+ - id: pair_test_user_input
+ patterns:
+ - input()
+severity: high
+metadata:
+ description: Test detection filter dictionary pair statements
+ remediation_message: Test detection filter dictionary pair statements
+ cwe_id:
+ - 42
+ id: pair_test
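Review bot: The filter references `variable: USER_INPUT`, but the pattern as rendered here, `collection.find_one($<...>$$<...>)`, declares no `$<USER_INPUT>` variable, so as shown the filter has nothing to bind to; the stray `$` between the two wildcards suggests the real line is `collection.find_one($<...>$<USER_INPUT>$<...>)` with the `<USER_INPUT>` token lost in rendering, which is worth confirming against the file on disk. `cwe_id: 42` is unrelated to the unsanitised-query case the fixture models and is presumably a placeholder; a comment such as `# placeholder CWE for the test fixture` would keep it from being copied into a real rule.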