[WIP] Fix false-negatives and false-positives #99
Closed
24 commits
Make a false_negatives directory with the issues from the 11/16/17 ev…
KevinHock 153501f
Made a folder example/november_2017_evaluation with a directory for f…
KevinHock 104cf80
Fix the foddy infinite loop
KevinHock 4156984
Delete the infinite_loop folder since it is fixed
KevinHock 97074f3
Make source_nested_in_sink.py test and pass it by making .args = list…
KevinHock 98b49b6
Make a test for if_else_in_sink
KevinHock ff1bc89
Fix double import trap https://stackoverflow.com/questions/43393764/p…
KevinHock 6c7a8d2
[False-negs] Problem illustration commit
KevinHock e9dd5e4
[comments] w/r/t ConnectStatements
KevinHock 63c3f96
save current work emergency
KevinHock 8367f68
save current work emergency
KevinHock 2578c29
Merge branch 'master' into fix_oakie_false_negative
KevinHock 6226a77
Added changes back to file that git merge missed
KevinHock 62e7420
Fix whitespace
KevinHock 8b72e52
Fixed some imports that got broken by the merge, indented EXPECTED in…
KevinHock d42243c
Delete tests/vulnerabilities_test.py that I accidentally added, Fix C…
KevinHock 695bbde
Mostly finished BoolOp, IfExp and expr_star_handler
KevinHock 7ecf462
Handle BoolOp inside of BoolOp, Make ConnectExpressions a class, Fix …
KevinHock 1fa04e8
Finished IfExp, found bug in expr_star_handler
KevinHock 4081900
Fix case where false-positives could occur by making the node before …
KevinHock c6d9e62
Add vulnerable_code_with_expressions/last_var_in_and_is_tainted and l…
KevinHock 4d2ad46
Change visit_IfExp to handle .test better, change expr_cfg_test.py to…
KevinHock 5b1f262
Add example of connecting_control_flow_exprs_in_connect_expressions.py
KevinHock b85c072
Things I did on 7/26/18
KevinHock
5 changes: 5 additions & 0 deletions
example/november_2017_evaluation/false_negatives/encode_tainted.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
@app.route('/encode_tainted') | ||
def encode_tainted(): | ||
state = request.args.get('state', '') | ||
next = base64.urlsafe_b64decode(state.encode('ascii')) | ||
return redirect(next) |
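Review bot: this file carries no docstring, unlike if_else_in_sink.py and oakie_auth.py in the same directory, which state which November 2017 false negative they minimize; add one that names the expected finding (the `redirect(next)` on the last line) and states that `.encode('ascii')` and `base64.urlsafe_b64decode` transform the tainted `state` without sanitizing it, which is the property the analyzer has to model. Style: `next` shadows the builtin; `next_url` would avoid the confusion (same in index_of_tainted.py, split_tainted.py and oakie_auth.py).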
52 changes: 52 additions & 0 deletions
example/november_2017_evaluation/false_negatives/if_else_in_sink.py
@@ -0,0 +1,52 @@ | ||
""" | ||
This is very similar to one of the false-negatives found in our November 16th/17th 2017 evaluation | ||
http://pyt.readthedocs.io/en/latest/past_evaluations.html#november-16-17th-2017 | ||
""" | ||
import scrypt | ||
|
||
|
||
@app.route('/login', methods=['GET', 'POST']) | ||
def login(): | ||
# 2 bool op | ||
# print('foo') | ||
# x = 5 | ||
# laun = request.args.get('Laundry') | ||
laun = 'beep' | ||
# return redirect(request.args.get('The') or request.args.get('French') or 'laun' and 'crazy') | ||
# return redirect(request.args.get('The') or request.args.get('French') or request.args.get('Laundry') and 'crazy') | ||
|
||
# works | ||
# return redirect(request.args.get('The') or request.args.get('French') or 'crazy' and request.args.get('Laundry')) | ||
|
||
# return redirect(request.args.get('The') if 1==2 else request.args.get('French') if 'foo' else 'crazy') | ||
# return redirect(request.args.get('The') if 1==2 else request.args.get('French') if 'foo' else request.args.get('Aces')) | ||
|
||
# return redirect(request.args.get('The') if 'hey' or 'you' else request.args.get('French') if 'foo' else 'c' and request.args.get('Aces')) | ||
return redirect(request.args.get('The') if 'hey' or 'you' else request.args.get('French') if 'foo' else request.args.get('Aces') and 'c') | ||
|
||
|
||
# works | ||
# return redirect('crazy' and request.args.get('Laundry') ) | ||
|
||
|
||
# return redirect(request.args.get('The') if 1==2 else request.args.get('French')) | ||
# return redirect(request.args.get('The') if 1==2 else laun) | ||
|
||
# return redirect(request.args.get('The')) | ||
|
||
|
||
# return redirect(request.args.get('The') if 1==2 else 'foo') | ||
# return redirect('beep', request.args.get('The')) | ||
# return redirect(request.args.get('The') if 1==2 else 'beep') | ||
# return redirect(request.args.get('The')) | ||
# return 'The' | ||
# return redirect('The') | ||
|
||
|
||
# 2 IfExp and a string | ||
# return redirect(request.args.get('The') if 1==2 else request.args.get('French') if 2==3 else 'Laundry') | ||
# 3 IfExp | ||
# return redirect(request.args.get('The') if 1==2 else request.args.get('French') if 2==3 else request.args.get('Laundry')) | ||
|
||
# All 3 | ||
# return redirect(request.args.get('The') if 5==5 else url_for('French'), request.args.get('Laundry') or url_for('Sushiritto'), scrypt.encrypt('Mixt')) |
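Review bot: the live code is a single `return redirect(...)` at the end of a block of roughly twenty commented-out variants, and `import scrypt` and `laun = 'beep'` are only referenced from those comments, so the file does not say which case it tests. Since the variants now exist as their own files (last_var_in_and_is_tainted.py, last_var_in_and_is_not_tainted.py, or_in_sink.py), suggest trimming this file to the one live case, dropping the unused import and assignment, and extending the docstring with the expected result; the `# works` markers should also say what "works" means (flagged or not flagged).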
5 changes: 5 additions & 0 deletions
example/november_2017_evaluation/false_negatives/index_of_tainted.py
@@ -0,0 +1,5 @@ | ||
@app.route('/index_of_tainted') | ||
def index_of_tainted(): | ||
state = request.args.get('state', '') | ||
next = base64.urlsafe_b64decode(state).split(';')[1] | ||
return redirect(next) |
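Review bot: `base64.urlsafe_b64decode(state)` returns `bytes` on Python 3, so `.split(';')` with a `str` separator raises `TypeError` before the redirect is reached; use `b';'` or decode first if the file is meant to run, or note in a docstring that it is an AST-only example. The taint-propagation point being tested here (a subscript on the result of a method call) is worth stating in a docstring as the sibling files do.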
20 changes: 20 additions & 0 deletions
example/november_2017_evaluation/false_negatives/oakie_auth.py
@@ -0,0 +1,20 @@ | ||
""" | ||
One of the false-negatives found in our November 16th/17th 2017 evaluation | ||
http://pyt.readthedocs.io/en/latest/past_evaluations.html#november-16-17th-2017 | ||
""" | ||
|
||
@app.route('/auth_callback') | ||
def auth_callback(): | ||
error = request.args.get('error', '') | ||
if error: | ||
return 'Error: ' + error | ||
state = request.args.get('state', '') | ||
if not is_valid_state(state): | ||
abort(403) | ||
next = base64.urlsafe_b64decode(state.encode('ascii')).split(';')[1] | ||
remove_state(state) | ||
code = request.args.get('code') | ||
id_token, access_token = get_tokens(code) | ||
|
||
session['email'] = id_token['email'] | ||
return redirect(next) |
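Review bot: the docstring should say what the expected finding is and why the guard does not sanitize it: `if not is_valid_state(state): abort(403)` validates the state token, but `next` is sliced out of the same decoded value and passed to `redirect(next)` unchanged, so the `abort` branch must not be treated as a sanitizer for the redirect target. `is_valid_state`, `remove_state` and `get_tokens` are undefined in this file; a comment that they are intentionally left out would help. Same `bytes.split(str)` issue on the `next = ...` line as in index_of_tainted.py.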
8 changes: 8 additions & 0 deletions
example/november_2017_evaluation/false_negatives/or_in_sink.py
@@ -0,0 +1,8 @@ | ||
""" | ||
This is very similar to one of the false-negatives found in our November 16th/17th 2017 evaluation | ||
http://pyt.readthedocs.io/en/latest/past_evaluations.html#november-16-17th-2017 | ||
""" | ||
|
||
@app.route('/login', methods=['GET', 'POST']) | ||
def login(): | ||
return redirect(request.args.get("next") or url_for("index")) |
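Review bot: a line in the docstring saying which operand is the expected finding would help: `request.args.get("next") or url_for("index")` evaluates to the tainted value whenever the parameter is present, and the `url_for` fallback applies only when it is missing, so the `or` must not be modelled as sanitizing its left operand.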
9 changes: 9 additions & 0 deletions
example/november_2017_evaluation/false_negatives/source_nested_in_sink.py
@@ -0,0 +1,9 @@ | ||
""" | ||
This is very similar to one of the false-negatives found in our November 16th/17th 2017 evaluation | ||
http://pyt.readthedocs.io/en/latest/past_evaluations.html#november-16-17th-2017 | ||
""" | ||
|
||
|
||
@app.route('/login', methods=['GET', 'POST']) | ||
def login(): | ||
return redirect(request.args.get("next")) |
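Review bot: the docstring only says the case is similar to an evaluation false negative; state the expected finding, namely that the source call `request.args.get("next")` is the direct argument of the sink with no intermediate assignment, since that is what distinguishes this file from or_in_sink.py. Style: two blank lines between the docstring and the decorator where the sibling files use one.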
5 changes: 5 additions & 0 deletions
example/november_2017_evaluation/false_negatives/split_tainted.py
@@ -0,0 +1,5 @@ | ||
@app.route('/split_tainted') | ||
def split_tainted(): | ||
state = request.args.get('state', '') | ||
next = base64.urlsafe_b64decode(state).split(';') | ||
return redirect(next) |
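Review bot: `next` here is the whole list returned by `.split(';')`, not a string, so `redirect(next)` receives a list, and on Python 3 the `bytes.split(str)` call raises `TypeError` first; if the intent is to test taint propagation through a method call without a subscript (compare index_of_tainted.py), a docstring saying so would stop the example being read as a realistic redirect. This file also lacks the docstring the other false_negatives files carry.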
13 changes: 13 additions & 0 deletions
example/november_2017_evaluation/false_positives/cheapskate_get_image.py
@@ -0,0 +1,13 @@ | ||
@app.route('/image', methods = ['GET']) | ||
def get_image(): | ||
url = request.args.get('url', '') | ||
if not url: | ||
abort(400) | ||
|
||
if is_image(url): | ||
return redirect(url) | ||
|
||
def is_image(url): | ||
image_extensions = ['.jpg', '.gif', '.png', '.jpg', '.bmp', '.webp', '.webm'] | ||
extension = url[url.rfind('.'):] | ||
return extension in image_extensions |
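Review bot: this sits in false_positives/, but `is_image` constrains only the suffix of `url` (`url[url.rfind('.'):]`), not its scheme or host, so `redirect(url)` remains an open redirect and the report is a true positive; either move the file or state in a docstring that the check is bypassable and the finding is expected. Minor: `'.jpg'` appears twice in `image_extensions`, `.jpeg` is absent, and `get_image` returns `None` when the check fails.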
11 changes: 11 additions & 0 deletions
example/november_2017_evaluation/false_positives/first_or_second_arg_of_sink.py
@@ -0,0 +1,11 @@ | ||
"""A minimized version of flask_expand_url to illustrate the question of 'what args being tainted means a vulnerability?'""" | ||
|
||
from Flask import g | ||
|
||
@app.route('/<david>') | ||
def expand_url(david): | ||
foster = query_db('select url_long from urls where david = ?', [david]) | ||
|
||
|
||
def query_db(query, args=()): | ||
wallace = g.db.execute(query, args) |
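Review bot: `from Flask import g` fails at import time because the module is `flask` (module names are case-sensitive); the same line appears in flaskly_expand_url.py. The docstring poses the question but does not answer it: document the expected classification, that is, `david` flowing into the `args` list of `g.db.execute(query, args)` is a bound parameter and not an injection, whereas taint reaching the `query` argument would be.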
20 changes: 20 additions & 0 deletions
example/november_2017_evaluation/false_positives/flaskly_expand_url.py
@@ -0,0 +1,20 @@ | ||
from Flask import g | ||
|
||
@app.route('/<url_short>') | ||
def expand_url(url_short): | ||
"""Check for url in DB""" | ||
result = query_db('select url_long from urls where url_short = ?', | ||
[url_short], one=True) | ||
if result is None: | ||
return redirect(url_for("index")) | ||
else: | ||
link = result['url_long'] | ||
return redirect(link) | ||
|
||
|
||
def query_db(query, args=(), one=False): | ||
"""Queries the database and returns a list of dictionaries.""" | ||
cur = g.db.execute(query, args) | ||
rv = [dict((cur.description[idx][0], value) | ||
for idx, value in enumerate(row)) for row in cur.fetchall()] | ||
return (rv[0] if rv else None) if one else rv |
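Review bot: please add a docstring (as the other false_positives files have) stating why the `redirect(link)` report is considered a false positive: `url_short` only reaches `g.db.execute` as a bound parameter, and `link` is read from the query result, so the report arises from treating the return value of `query_db` as tainted because a tainted value flowed into its arguments. `from Flask import g` has the wrong module case (should be `flask`).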
9 changes: 9 additions & 0 deletions
example/november_2017_evaluation/false_positives/front_or_end_of_string.py
@@ -0,0 +1,9 @@ | ||
""" | ||
One of the false-positives found in our November 16th/17th 2017 evaluation | ||
http://pyt.readthedocs.io/en/latest/past_evaluations.html#november-16-17th-2017 | ||
""" | ||
@app.route('/client/passport', methods=['POST','GET']) | ||
def client_passport(): | ||
code = request.args.get('code') | ||
uri = 'http://localhost:5000/oauth?response_type=%s&client_id=%s&redirect_uri=%s' %(code,client_id,redirect_uri) | ||
return redirect(uri) |
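Review bot: `client_id` and `redirect_uri` are undefined in this file; a comment marking them as intentionally omitted constants would keep the example self-describing. The docstring should also state what makes this a false positive: `code` is only interpolated into the query string of a URL whose scheme and host (`http://localhost:5000/oauth`) are fixed, so the redirect target cannot be changed, which is the front-versus-end distinction the filename refers to.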
12 changes: 12 additions & 0 deletions
.../vulnerable_code_with_expressions/connecting_control_flow_exprs_in_connect_expressions.py
@@ -0,0 +1,12 @@ | ||
""" | ||
This is very similar to one of the false-negatives found in our November 16th/17th 2017 evaluation | ||
http://pyt.readthedocs.io/en/latest/past_evaluations.html#november-16-17th-2017 | ||
""" | ||
|
||
redirect( | ||
request.args.get('Laundry') and 'crazy' | ||
or | ||
request.args.get('French') and 'foo' | ||
or | ||
request.args.get('The') | ||
) |
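Review bot: unlike the sibling files this is a bare top-level `redirect(...)` with no route or function, which is fine for an AST test, but the docstring should say which operands can reach the sink: `request.args.get('Laundry') and 'crazy'` and `request.args.get('French') and 'foo'` evaluate to the constant when the parameter is present and to `None` otherwise, and `None` is skipped by the following `or`, so only `request.args.get('The')` can deliver a tainted value to the sink; the test expectation should be written down accordingly.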
6 changes: 6 additions & 0 deletions
examples/vulnerable_code_with_expressions/last_var_in_and_is_not_tainted.py
@@ -0,0 +1,6 @@ | ||
""" | ||
This is very similar to one of the false-negatives found in our November 16th/17th 2017 evaluation | ||
http://pyt.readthedocs.io/en/latest/past_evaluations.html#november-16-17th-2017 | ||
""" | ||
|
||
redirect(request.args.get('The') if 'hey' or 'you' else request.args.get('French') if 'foo' else request.args.get('Aces') and 'c') |
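Review bot: the filename suggests that no finding is expected because `'c'` is the last operand of the `and`, but the expression as written is always tainted at runtime: the conditional test `'hey' or 'you'` is constant-true, so the whole expression evaluates to `request.args.get('The')` regardless of the `and` at the end. The operand order is only observable to an analyzer that does not evaluate the predicate and therefore considers every branch; the docstring should state that expectation explicitly (all branches visited, last branch yields the constant `'c'` or `None`).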
6 changes: 6 additions & 0 deletions
examples/vulnerable_code_with_expressions/last_var_in_and_is_tainted.py
@@ -0,0 +1,6 @@ | ||
""" | ||
This is very similar to one of the false-negatives found in our November 16th/17th 2017 evaluation | ||
http://pyt.readthedocs.io/en/latest/past_evaluations.html#november-16-17th-2017 | ||
""" | ||
|
||
redirect(request.args.get('The') if 'hey' or 'you' else request.args.get('French') if 'foo' else 'c' and request.args.get('Aces')) |
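Review bot: this file differs from last_var_in_and_is_not_tainted.py only in the operand order of the final `and` (`'c' and request.args.get('Aces')`), and its docstring is identical, so the pair's expected results are not documented anywhere; state in each docstring that the constant-true `'hey' or 'you'` test makes `request.args.get('The')` the runtime value, and that for an analyzer visiting all branches the expected difference is that the last `and` here yields the tainted `request.args.get('Aces')` rather than the constant.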
This one seems bypass-able, so not a false-positive, but it easily could have been; in order to do this well we would need to be able to solve predicates, via something like Z3str3. I feel these are acceptable for the foreseeable future.