-
Notifications
You must be signed in to change notification settings - Fork 1.9k
Azure python sanitizer upstream2 #21288
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open
bdrodes
wants to merge
20
commits into
github:main
Choose a base branch
from
microsoft:azure_python_sanitizer_upstream2
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
+918
−412
Open
Changes from all commits
Commits
Show all changes
20 commits
Select commit
Hold shift + click to select a range
9912aaa
Adding azure sdk test cases and updated test expected file.
bdrodes b8ba905
Added change logs.
bdrodes 46a2a24
Update python/ql/test/query-tests/Security/CWE-918-ServerSideRequestF…
bdrodes 08b72d0
Update python/ql/test/query-tests/Security/CWE-918-ServerSideRequestF…
bdrodes 7db9779
Moved change log to correct location.
bdrodes 265922d
Adding docs.
bdrodes 88adb05
Adjusting acryonym for SSRF for casing standards.
bdrodes 27e1981
Removing an upstream change log, not needed for local fork update.
bdrodes 97ddab0
Added support for new URIValidator in AntiSSRF library. Updated test …
bdrodes 97f19d0
Updating test case expected alerts.
bdrodes 42f6e6a
Fixing inefficiently passed variable in nested existential quantifica…
bdrodes 4f11913
removing SSRFSink.qll
bdrodes f6c302b
Removing commented out test cases.
bdrodes 85ae404
Merge branch 'main' into azure_python_sanitizer_upstream2
bdrodes df54459
Restore prior PR change log (accidentally removed)
bdrodes 23bab81
Added change log
bdrodes 9f8ed71
Update python/ql/test/query-tests/Security/CWE-918-ServerSideRequestF…
bdrodes a91cf6b
Applying copilot PR suggestions.
bdrodes 4bb110b
More copilot suggestions.
bdrodes 9f9c353
Update expected files. Copilot suggestions broke unit test expected r…
bdrodes File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
5 changes: 5 additions & 0 deletions
5
.../ql/lib/change-notes/2026-02-09-ssrf_test_case_cleanup_and_new_ssrf_barriers.md
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,5 @@ | ||
| --- | ||
| category: minorAnalysis | ||
| --- | ||
| * Modified SSRF tests to use postprocessing to more easily debug results. | ||
| * Added new full SSRF sanitization barrier from the new AntiSSRF library. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
361 changes: 231 additions & 130 deletions
361
...ery-tests/Security/CWE-918-ServerSideRequestForgery/FullServerSideRequestForgery.expected
Large diffs are not rendered by default.
Oops, something went wrong.
3 changes: 2 additions & 1 deletion
3
.../query-tests/Security/CWE-918-ServerSideRequestForgery/FullServerSideRequestForgery.qlref
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1 +1,2 @@ | ||
| Security/CWE-918/FullServerSideRequestForgery.ql | ||
| query: Security/CWE-918/FullServerSideRequestForgery.ql | ||
| postprocess: utils/test/InlineExpectationsTestQuery.ql |
593 changes: 378 additions & 215 deletions
593
...-tests/Security/CWE-918-ServerSideRequestForgery/PartialServerSideRequestForgery.expected
Large diffs are not rendered by default.
Oops, something went wrong.
3 changes: 2 additions & 1 deletion
3
...ery-tests/Security/CWE-918-ServerSideRequestForgery/PartialServerSideRequestForgery.qlref
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1 +1,2 @@ | ||
| Security/CWE-918/PartialServerSideRequestForgery.ql | ||
| query: Security/CWE-918/PartialServerSideRequestForgery.ql | ||
| postprocess: utils/test/InlineExpectationsTestQuery.ql |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,4 +1,4 @@ | ||
| from flask import request | ||
| from flask import request # $ Source | ||
|
|
||
| import requests | ||
| import re | ||
|
|
@@ -7,20 +7,24 @@ def full_ssrf(): | |
| user_input = request.args['untrusted_input'] | ||
| query_val = request.args['query_val'] | ||
|
|
||
| requests.get(user_input) # NOT OK -- user has full control | ||
| # NOT OK -- user has full control | ||
| requests.get(user_input) # $ Alert[py/full-ssrf] | ||
|
|
||
| url = "https://" + user_input | ||
| requests.get(url) # NOT OK -- user has full control | ||
| # NOT OK -- user has full control | ||
| requests.get(url) # $ Alert[py/full-ssrf] | ||
|
|
||
| # although the path `/foo` is added here, this can be circumvented such that the | ||
| # final URL is `https://evil.com/#/foo" -- since the fragment (#) is not sent to the | ||
| # server. | ||
| url = "https://" + user_input + "/foo" | ||
| requests.get(url) # NOT OK -- user has full control | ||
| # NOT OK -- user has full control | ||
| requests.get(url) # $ Alert[py/full-ssrf] | ||
|
|
||
| # this might seem like a dummy test, but it serves to check how our sanitizers work. | ||
| url = "https://" + user_input + "/foo?key=" + query_val | ||
| requests.get(url) # NOT OK -- user has full control | ||
| # NOT OK -- user has full control | ||
| requests.get(url) # $ Alert[py/full-ssrf] | ||
|
|
||
| # taint-steps are added as `fromNode -> toNode`, but when adding a sanitizer it's | ||
| # currently only possible to so on either `fromNode` or `toNode` (either all edges in | ||
|
|
@@ -39,72 +43,87 @@ def full_ssrf_format(): | |
|
|
||
| # using .format | ||
| url = "https://{}".format(user_input) | ||
| requests.get(url) # NOT OK -- user has full control | ||
| # NOT OK -- user has full control | ||
| requests.get(url) # $ Alert[py/full-ssrf] | ||
|
|
||
| url = "https://{}/foo".format(user_input) | ||
| requests.get(url) # NOT OK -- user has full control | ||
| # NOT OK -- user has full control | ||
| requests.get(url) # $ Alert[py/full-ssrf] | ||
|
|
||
| url = "https://{}/foo?key={}".format(user_input, query_val) | ||
| requests.get(url) # NOT OK -- user has full control | ||
| # NOT OK -- user has full control | ||
| requests.get(url) # $ Alert[py/full-ssrf] | ||
|
|
||
| url = "https://{x}".format(x=user_input) | ||
| requests.get(url) # NOT OK -- user has full control | ||
| # NOT OK -- user has full control | ||
| requests.get(url) # $ Alert[py/full-ssrf] | ||
|
|
||
| url = "https://{1}".format(0, user_input) | ||
| requests.get(url) # NOT OK -- user has full control | ||
| # NOT OK -- user has full control | ||
| requests.get(url) # $ Alert[py/full-ssrf] | ||
|
|
||
| def full_ssrf_percent_format(): | ||
| user_input = request.args['untrusted_input'] | ||
| query_val = request.args['query_val'] | ||
|
|
||
| # using %-formatting | ||
| url = "https://%s" % user_input | ||
| requests.get(url) # NOT OK -- user has full control | ||
| # NOT OK -- user has full control | ||
| requests.get(url) # $ Alert[py/full-ssrf] | ||
|
|
||
| url = "https://%s/foo" % user_input | ||
| requests.get(url) # NOT OK -- user has full control | ||
| # NOT OK -- user has full control | ||
| requests.get(url) # $ Alert[py/full-ssrf] | ||
|
|
||
| url = "https://%s/foo/key=%s" % (user_input, query_val) | ||
| requests.get(url) # NOT OK -- user has full control | ||
| # NOT OK -- user has full and partial control | ||
| requests.get(url) # $ Alert[py/partial-ssrf] $ MISSING: Alert[py/full-ssrf] | ||
|
|
||
| def full_ssrf_f_strings(): | ||
| user_input = request.args['untrusted_input'] | ||
| query_val = request.args['query_val'] | ||
|
|
||
| # using f-strings | ||
| url = f"https://{user_input}" | ||
| requests.get(url) # NOT OK -- user has full control | ||
| # NOT OK -- user has full control | ||
| requests.get(url) # $ Alert[py/full-ssrf] | ||
|
|
||
| url = f"https://{user_input}/foo" | ||
| requests.get(url) # NOT OK -- user has full control | ||
| # NOT OK -- user has full control | ||
| requests.get(url) # $ Alert[py/full-ssrf] | ||
|
|
||
| url = f"https://{user_input}/foo?key={query_val}" | ||
| requests.get(url) # NOT OK -- user has full control | ||
| # NOT OK -- user has full control | ||
| requests.get(url) # $ Alert[py/full-ssrf] | ||
|
|
||
|
|
||
| def partial_ssrf_1(): | ||
| user_input = request.args['untrusted_input'] | ||
|
|
||
| url = "https://example.com/foo?" + user_input | ||
| requests.get(url) # NOT OK -- user controls query parameters | ||
| # NOT OK -- user controls query parameters | ||
| requests.get(url) # $ Alert[py/partial-ssrf] | ||
|
|
||
| def partial_ssrf_2(): | ||
| user_input = request.args['untrusted_input'] | ||
|
|
||
| url = "https://example.com/" + user_input | ||
| requests.get(url) # NOT OK -- user controls path | ||
| # NOT OK -- user controls path | ||
| requests.get(url) # $ Alert[py/partial-ssrf] | ||
|
|
||
| def partial_ssrf_3(): | ||
| user_input = request.args['untrusted_input'] | ||
|
|
||
| url = "https://example.com/" + user_input | ||
| requests.get(url) # NOT OK -- user controls path | ||
| # NOT OK -- user controls path | ||
| requests.get(url) # $ Alert[py/partial-ssrf] | ||
|
|
||
| def partial_ssrf_4(): | ||
| user_input = request.args['untrusted_input'] | ||
|
|
||
| url = "https://example.com/foo#{}".format(user_input) | ||
| requests.get(url) # NOT OK -- user contollred fragment | ||
| # NOT OK -- user controlled fragment | ||
| requests.get(url) # $ Alert[py/partial-ssrf] | ||
|
|
||
| def partial_ssrf_5(): | ||
| user_input = request.args['untrusted_input'] | ||
|
|
@@ -113,20 +132,22 @@ def partial_ssrf_5(): | |
| # controlled | ||
|
|
||
| url = "https://example.com/foo#%s" % user_input | ||
| requests.get(url) # NOT OK -- user contollred fragment | ||
| # NOT OK -- user controlled fragment | ||
| requests.get(url) # $ Alert[py/partial-ssrf] | ||
|
Comment on lines
134
to
136
|
||
|
|
||
| def partial_ssrf_6(): | ||
| user_input = request.args['untrusted_input'] | ||
|
|
||
| url = f"https://example.com/foo#{user_input}" | ||
| requests.get(url) # NOT OK -- user only controlled fragment | ||
| # NOT OK -- user only controlled fragment | ||
| requests.get(url) # $ Alert[py/partial-ssrf] | ||
|
|
||
| def partial_ssrf_7(): | ||
| user_input = request.args['untrusted_input'] | ||
|
|
||
| if user_input.isalnum(): | ||
| url = f"https://example.com/foo#{user_input}" | ||
| requests.get(url) # OK - user input can only contain alphanumerical characters | ||
| requests.get(url) # OK - user input can only contain alphanumerical characters | ||
|
|
||
| if user_input.isalpha(): | ||
| url = f"https://example.com/foo#{user_input}" | ||
|
|
@@ -154,7 +175,8 @@ def partial_ssrf_7(): | |
|
|
||
| if re.fullmatch(r'.*[a-zA-Z0-9]+.*', user_input): | ||
| url = f"https://example.com/foo#{user_input}" | ||
| requests.get(url) # NOT OK, but NOT FOUND - user input can contain arbitrary characters | ||
| # NOT OK, but NOT FOUND - user input can contain arbitrary characters | ||
| requests.get(url) # $ MISSING: Alert[py/partial-ssrf] | ||
|
|
||
|
|
||
| if re.match(r'^[a-zA-Z0-9]+$', user_input): | ||
|
|
@@ -163,7 +185,8 @@ def partial_ssrf_7(): | |
|
|
||
| if re.match(r'[a-zA-Z0-9]+', user_input): | ||
| url = f"https://example.com/foo#{user_input}" | ||
| requests.get(url) # NOT OK, but NOT FOUND - user input can contain arbitrary character as a suffix. | ||
| # NOT OK, but NOT FOUND - user input can contain arbitrary character as a suffix. | ||
| requests.get(url) # $ MISSING: Alert[py/partial-ssrf] | ||
|
|
||
| reg = re.compile(r'^[a-zA-Z0-9]+$') | ||
|
|
||
|
|
||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
| @@ -1,5 +1,5 @@ | ||||||
| from flask import Flask, request | ||||||
|
|
||||||
| from flask import request # $ Source | ||||||
| from flask import Flask | ||||||
| from http.client import HTTPConnection | ||||||
|
|
||||||
| app = Flask(__name__) | ||||||
|
|
@@ -10,28 +10,35 @@ def ssrf_test(): | |||||
| unsafe_path = request.args["path"] | ||||||
| user_input = request.args['untrusted_input'] | ||||||
|
|
||||||
| conn = HTTPConnection(unsafe_host) | ||||||
| conn.request("GET", unsafe_path) # NOT OK -- user has full control | ||||||
| conn = HTTPConnection(unsafe_host) # $ Sink[py/full-ssrf] | ||||||
| # NOT OK -- user has full control | ||||||
| conn.request("GET", unsafe_path) # $ Alert[py/full-ssrf] | ||||||
|
|
||||||
| # Full SSRF variant, where there is ALSO made a request with fixed URL on the same | ||||||
| # Full SSRF variant, where there is also a request with fixed URL on the same | ||||||
| # connection later on. This should not change anything on the overall SSRF alerts. | ||||||
| conn = HTTPConnection(unsafe_host) | ||||||
| conn.request("GET", unsafe_path) # NOT OK -- user has full control | ||||||
| conn = HTTPConnection(unsafe_host) # $ Sink | ||||||
|
||||||
| conn = HTTPConnection(unsafe_host) # $ Sink | |
| conn = HTTPConnection(unsafe_host) # $ Sink[py/full-ssrf] |
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Spelling: "contollred" should be "controlled" (appears twice in this file).