Hi Mikko,

welcome to the static analysis rabbit hole :-)

On 13.10.20 15:09, Florian Bruhin wrote:
On Tue, Oct 06, 2020 at 01:33:24PM -0400, Mikko Elomaa via code-quality wrote:
I looked around for a tool to spot these vulnerabilities, but could not find
anything available for free. So, I wrote a quick script at first and then
made it more generic. The tool checks functions with the route decorator, it
detects the request related input data and checks if the data is passed to a
function without being checked by a known filter or validator.

There is PyT [1] (unmaintained) and Pysa [2] which both do this kind of taint analysis and maybe cover your needs. For some theoretical background you probably should read the Master Thesis behind PyT [5].

From a quick look, you might want to consider using an ast
(abstract syntax tree) module for parsing the code, rather than using
regular expressions.

A very good point Florian makes there :-) Regular Expressions are not capable of parsing Python code in the general case.

More libs that could help you parse and make sense of Python code:
- Astroid [3], which is similar to the stdlib ast module but way nicer to work with
- Jedi [4], which is a higher level interface built on top of parso which lets you do things like this

```python
import jedi

# Source is only parsed, never executed, so sink() does not need to exist.
source = """
def fn(arg1, arg2):
    sink(arg1)
"""
script = jedi.Script(source, path="foo.py")

# Every name definition and reference in every scope, including arg1 inside sink(arg1).
for def_ in script.get_names(all_scopes=True, references=True):
    print(def_)
```

Cheers,
Martin

[1] https://github.com/python-security/pyt
[2] https://pyre-check.org/docs/pysa-basics/#taint-analysis
[3] http://pylint.pycqa.org/projects/astroid/en/latest/index.html
[4] https://github.com/davidhalter/jedi
[5] https://projekter.aau.dk/projekter/files/239563289/final.pdf
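The thread describes two things: Mikko's tool (find route-decorated handlers, spot request-derived data, and flag it when it reaches a function without passing a known validator) and Florian's advice to do that with the ast module rather than regular expressions. The following is an added, self-contained sketch of that idea on the stdlib ast module; it is not Mikko's script, nor code from PyT, Pysa, Astroid or Jedi. The source, sink and validator names (TAINT_SOURCES, SINKS, VALIDATORS), the Flask-style sample handlers, and the `check_source` API are all assumptions made for the example.

```python
"""Minimal AST-based taint check for Flask-style route handlers (added example)."""
import ast

# Assumed lists for the example; a real tool would load these from configuration.
TAINT_SOURCES = {"args", "form", "json", "values", "cookies", "headers"}  # request.<attr>
SINKS = {"execute", "system", "popen", "eval"}                           # callee names
VALIDATORS = {"int", "escape", "secure_filename", "validate"}            # sanitising callees


def is_route_decorated(func):
    """True if a decorator looks like ``@x.route(...)`` or ``@route(...)``."""
    for dec in func.decorator_list:
        target = dec.func if isinstance(dec, ast.Call) else dec
        name = target.attr if isinstance(target, ast.Attribute) else getattr(target, "id", None)
        if name == "route":
            return True
    return False


def call_name(call):
    """Last component of the callee, e.g. ``cur.execute(...)`` -> ``execute``."""
    f = call.func
    return f.attr if isinstance(f, ast.Attribute) else getattr(f, "id", "")


def is_request_source(node):
    """Match request.args, request.form["x"], request.args.get("x"), ... down to ``request``."""
    chain = []
    while True:
        if isinstance(node, ast.Subscript):
            node = node.value
        elif isinstance(node, ast.Call):
            node = node.func
        elif isinstance(node, ast.Attribute):
            chain.append(node.attr)
            node = node.value
        else:
            break
    # chain[-1] is the attribute read directly off ``request``.
    return isinstance(node, ast.Name) and node.id == "request" and bool(chain) and chain[-1] in TAINT_SOURCES


def is_tainted(node, tainted):
    """An expression is tainted if it reads a source or a tainted name, unless wrapped in a validator."""
    if isinstance(node, ast.Call) and call_name(node) in VALIDATORS:
        return False  # sanitised: do not look inside the validator call
    if is_request_source(node):
        return True
    if isinstance(node, ast.Name):
        return node.id in tainted
    return any(is_tainted(child, tainted) for child in ast.iter_child_nodes(node))


class _RouteTaintVisitor(ast.NodeVisitor):
    """Walks one handler body in source order, tracking tainted local names."""

    def __init__(self, func_name):
        self.func_name = func_name
        self.tainted = set()
        self.findings = []

    def visit_Assign(self, node):
        if is_tainted(node.value, self.tainted):
            for target in node.targets:
                self.tainted.update(n.id for n in ast.walk(target) if isinstance(n, ast.Name))
        else:
            for target in node.targets:  # re-binding to a clean value clears the taint
                if isinstance(target, ast.Name):
                    self.tainted.discard(target.id)
        self.generic_visit(node)

    def visit_Call(self, node):
        if call_name(node) in SINKS:
            for arg in node.args + [kw.value for kw in node.keywords]:
                if is_tainted(arg, self.tainted):
                    self.findings.append((node.lineno, self.func_name, call_name(node)))
                    break
        self.generic_visit(node)


def check_source(source):
    """Return sorted (line, handler, sink) tuples where unvalidated request data reaches a sink."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.FunctionDef) and is_route_decorated(node):
            visitor = _RouteTaintVisitor(node.name)
            for stmt in node.body:
                visitor.visit(stmt)
            findings.extend(visitor.findings)
    return sorted(findings)


# Constructed sample input; it is only parsed, never run (cur is deliberately undefined).
SAMPLE = '''
from flask import Flask, request
app = Flask(__name__)

@app.route("/search")
def search():
    q = request.args.get("q")
    cur.execute("SELECT * FROM users WHERE name = '" + q + "'")  # tainted q reaches a sink
    return "ok"

@app.route("/item")
def item():
    n = int(request.args["n"])                # passed through an assumed validator
    cur.execute("SELECT * FROM items WHERE id = %s" % n)
    return "ok"

@app.route("/calc")
def calc():
    return str(eval(request.form["expr"]))   # source flows straight into a sink

def helper():
    eval(request.form["expr"])               # not a route handler: out of scope
'''

if __name__ == "__main__":
    for line, func, sink in check_source(SAMPLE):
        print(f"line {line}: unvalidated request data reaches {sink}() in {func}()")
```

Two things the regex approach cannot easily get right fall out of the tree for free: `is_request_source` peels subscripts, calls and attribute chains in any combination (`request.args.get("q")`, `request.form["x"]`, f-strings containing either), and `is_tainted` stops at a validator call so that `int(request.args["n"])` is not reported while its neighbour is. The obvious gaps (no control-flow sensitivity, no interprocedural tracking, `AugAssign` ignored) are exactly what PyT and Pysa handle properly.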
_______________________________________________
code-quality mailing list -- code-quality@python.org
To unsubscribe send an email to code-quality-le...@python.org
https://mail.python.org/mailman3/lists/code-quality.python.org/