General issue: Missing vulnerability reports due to incomplete self variable reference relationships in Python classes #18374
Open
Description
code:

```python
import os
from flask import Flask, request

app = Flask(__name__)


class CCC:
    def update(self, **kwargs):
        os.system(kwargs["mode"])  # sink: shell command built from a keyword argument


class test:
    def __init__(self):
        self.A = CCC()  # the instance attribute the flow has to pass through

    @app.route('/execute')
    def execute_command(self):
        cmd = request.args.get('cmd')  # source: attacker-controlled query parameter
        self.A.update(mode=cmd, file="a")  # cmd reaches CCC.update via self.A
        return "Command executed"
```
ql:

```ql
/**
 * @name Uncontrolled command line
 * @description Using externally controlled strings in a command line may allow a malicious
 *              user to change the meaning of the command.
 * @kind path-problem
 * @problem.severity error
 * @security-severity 9.8
 * @sub-severity high
 * @precision high
 * @id py/command-line-injection
 * @tags correctness
 *       security
 *       external/cwe/cwe-078
 *       external/cwe/cwe-088
 */

import python
import semmle.python.security.dataflow.CommandInjectionQuery
import CommandInjectionFlow::PathGraph

from CommandInjectionFlow::PathNode source, CommandInjectionFlow::PathNode sink
where CommandInjectionFlow::flowPath(source, sink)
select sink.getNode(), source, sink, "This command line depends on a $@.", source.getNode(),
  "user-provided value"
```
This QL file cannot find the bug! Why?
I hope you can help me, thank you.
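Added example, not from the original issue or the CodeQL project: a stand-alone Python harness (no Flask) that reproduces the same class shape, confirms dynamically that the `cmd` value reaches `os.system` through the `self.A` attribute, and places an allowlisted, shell-free `update` next to the vulnerable one. The class name `Holder` (standing in for the issue's `test`), the recorder, `ALLOWED_MODES` and `safe_argv` are assumed names chosen for this example; the payload string is constructed.

```python
import os
import subprocess
from typing import Dict, List


class CCC:
    """Same shape as the issue's CCC: the value of the `mode` keyword is the sink."""

    def update(self, **kwargs):
        os.system(kwargs["mode"])  # sink: attacker-controlled text reaches the shell


class Holder:
    """Stands in for the issue's `test` class (assumed name); the instance
    attribute `self.A` is the link a static query has to follow."""

    def __init__(self):
        self.A = CCC()

    def execute_command(self, cmd: str) -> str:
        # In the issue `cmd` is request.args.get('cmd'); here the caller supplies
        # it so the harness runs without Flask.
        self.A.update(mode=cmd, file="a")
        return "Command executed"


def captured_sink_argument(cmd: str) -> str:
    """Drive the flow with os.system swapped for a recorder and return the string
    that reached the sink. Nothing is executed."""
    seen: List[str] = []
    original = os.system

    def recorder(command: str) -> int:
        seen.append(command)
        return 0

    os.system = recorder  # type: ignore[assignment]
    try:
        Holder().execute_command(cmd)
    finally:
        os.system = original
    return seen[0]


# Hardened form (assumed design, not from the issue): `mode` selects a fixed argv
# from an allowlist and the command never goes through a shell.
ALLOWED_MODES: Dict[str, List[str]] = {
    "status": ["git", "status", "--short"],
    "version": ["python3", "--version"],
}


def safe_argv(mode: str) -> List[str]:
    """Map a user-supplied mode name to a fixed argv; reject anything else."""
    try:
        return list(ALLOWED_MODES[mode])
    except KeyError:
        raise ValueError(f"unknown mode {mode!r}") from None


class SafeCCC:
    """Hardened replacement for CCC: no shell, no string interpolation."""

    def update(self, **kwargs):
        subprocess.run(safe_argv(kwargs["mode"]), shell=False, check=False)


if __name__ == "__main__":
    payload = "ls; id"  # constructed attacker value for the `cmd` query parameter
    print("reached os.system:", captured_sink_argument(payload))
    print("allowlisted argv:", safe_argv("status"))
    try:
        safe_argv(payload)
    except ValueError as exc:
        print("rejected:", exc)
```

Running the harness shows the unmodified payload arriving at `os.system`, which is the flow the query is expected to report; the same payload is rejected by `safe_argv`, so the hardened class has no path from user input to a shell.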