mallamanis · May 6, 2020 13:21
diff --git a/usePathJoin.ql b/usePathJoin.ql
 /**
 * @name Join paths correctly
 * @description use os.path.join or an alternative to correctly join paths.
 * @kind path-problem
 * @tags maintainability
 * @problem.severity recommendation
 * @sub-severity low
 * @precision medium
 * @tags speed
 * @sub-severity low
 * @id py/join-paths
 */
 import python
 import semmle.python.security.TaintTracking
 import semmle.python.security.strings.Untrusted

 predicate has_path_delimiter(StrConst pathDel) {
  pathDel.getText().matches("%/%") or pathDel.getText().matches("%\\%")
 }

 predicate may_contain_path_delimiter(ControlFlowNode f) {
 	 exists(StrConst str | str = f.getNode() | has_path_delimiter(str))
 }

 class PlatformSpecificPath extends TaintKind {
    PlatformSpecificPath() {
        this = "platform-specific path"
    }
 }

 class FileOpenSink extends TaintTracking::Sink {
    FileOpenSink() {
        exists(FunctionValue openSink |
            openSink.getName() = "open" and
            openSink.getACall().(CallNode).getAnArg() = this
        )
    }

    override predicate sinks(TaintKind kind) {
        kind instanceof PlatformSpecificPath
    }
 }

 class HardcodedPathDelimSource extends TaintTracking::Source {
  	HardcodedPathDelimSource() {
   		may_contain_path_delimiter(this)   
    }
  
    override predicate isSourceOf(TaintKind kind) {
        kind instanceof PlatformSpecificPath
    }
 }

 class PlatformSpecificPathConfig extends TaintTracking::Configuration {
    PlatformSpecificPathConfig() { this = "Hardcoded path delimiter" }

    override predicate isSource(TaintTracking::Source source) {
        source instanceof HardcodedPathDelimSource
    }

    override predicate isSink(TaintTracking::Sink sink) { sink instanceof FileOpenSink }
 }

 from PlatformSpecificPathConfig config, TaintedPathSource src, TaintedPathSink sink
 where config.hasFlowPath(src, sink)
 select sink.getSink(), src, sink, "The $@.", src.getSource(), "flows into an open()"
	/**
	* @name Join paths correctly
	* @description use os.path.join or an alternative to correctly join paths.
	* @kind path-problem
	* @tags maintainability
	* @problem.severity recommendation
	* @sub-severity low
	* @precision medium
	* @tags speed
	* @sub-severity low
	* @id py/join-paths
	*/
	import python
	import semmle.python.security.TaintTracking
	import semmle.python.security.strings.Untrusted

	predicate has_path_delimiter(StrConst pathDel) {
	pathDel.getText().matches("%/%") or pathDel.getText().matches("%\\%")
	}

	predicate may_contain_path_delimiter(ControlFlowNode f) {
	exists(StrConst str \| str = f.getNode() \| has_path_delimiter(str))
	}

	class PlatformSpecificPath extends TaintKind {
	PlatformSpecificPath() {
	this = "platform-specific path"
	}
	}

	class FileOpenSink extends TaintTracking::Sink {
	FileOpenSink() {
	exists(FunctionValue openSink \|
	openSink.getName() = "open" and
	openSink.getACall().(CallNode).getAnArg() = this
	)
	}

	override predicate sinks(TaintKind kind) {
	kind instanceof PlatformSpecificPath
	}
	}

	class HardcodedPathDelimSource extends TaintTracking::Source {
	HardcodedPathDelimSource() {
	may_contain_path_delimiter(this)
	}

	override predicate isSourceOf(TaintKind kind) {
	kind instanceof PlatformSpecificPath
	}
	}

	class PlatformSpecificPathConfig extends TaintTracking::Configuration {
	PlatformSpecificPathConfig() { this = "Hardcoded path delimiter" }

	override predicate isSource(TaintTracking::Source source) {
	source instanceof HardcodedPathDelimSource
	}

	override predicate isSink(TaintTracking::Sink sink) { sink instanceof FileOpenSink }
	}

	from PlatformSpecificPathConfig config, TaintedPathSource src, TaintedPathSink sink
	where config.hasFlowPath(src, sink)
	select sink.getSink(), src, sink, "The $@.", src.getSource(), "flows into an open()"