DecompressionBombs.qll
/**
* Provides a taint tracking configuration for reasoning about decompression bomb vulnerabilities.
*/
import go
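/**
 * A remote flow source derived from `mime/multipart` form data.
 *
 * Three kinds of node are treated as sources:
 * - reads of the `Filename` and `Header` fields of `mime/multipart.FileHeader`,
 * - the first result of a call to `mime/multipart.FileHeader.Open`,
 * - reads of the `Value` field of `mime/multipart.Form`.
 */
class MimeMultipartFileHeader extends RemoteFlowSource::Range {
  MimeMultipartFileHeader() {
    exists(DataFlow::FieldReadNode frn | this = frn |
      frn.getField().hasQualifiedName("mime/multipart", "FileHeader", ["Filename", "Header"])
    )
    or
    exists(DataFlow::Method m |
      m.hasQualifiedName("mime/multipart", "FileHeader", "Open") and
      this = m.getACall().getResult(0)
    )
    or
    // `this = frn` ties the source to the field read itself. Without that binding the
    // disjunct leaves `this` unconstrained, so the mere presence of any `Form.Value`
    // read in the database would satisfy the characteristic predicate for nodes that
    // have nothing to do with that read, widening the source set instead of modelling
    // the form values.
    exists(DataFlow::FieldReadNode frn | this = frn |
      frn.getField().hasQualifiedName("mime/multipart", "Form", "Value")
    )
  }
}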
/**
 * Provides a taint tracking configuration for reasoning about decompression bomb vulnerabilities.
 *
 * `Config` is the stateful data-flow configuration; `Flow` is the global
 * taint-tracking computation instantiated from it.
 */
module DecompressionBomb {
  import experimental.frameworks.DecompressionBombsCustomizations

  /**
   * A stateful configuration whose flow states are `DecompressionBombs::FlowState` values.
   *
   * Sources start in the empty state `""` and every accepted sink state is a
   * non-empty label, so a path can only be reported once a state-changing
   * additional flow step has moved it out of the initial state.
   */
  module Config implements DataFlow::StateConfigSig {
    class FlowState = DecompressionBombs::FlowState;

    /** Holds if `source` is an active threat-model source, paired with the initial state `""`. */
    predicate isSource(DataFlow::Node source, FlowState state) {
      state = "" and
      source instanceof ActiveThreatModelSource
    }

    /**
     * Holds if `sink` is a `DecompressionBombs::Sink` and `state` is one of the listed labels.
     *
     * This predicate does not tie a particular sink to a particular label: any
     * modelled sink is accepted in any of these states. The labels presumably
     * name the decompression readers modelled in `DecompressionBombsCustomizations`
     * (confirm against that library).
     */
    predicate isSink(DataFlow::Node sink, FlowState state) {
      state =
        [
          "ZstdNewReader", "XzNewReader", "GzipNewReader", "PgzipNewReader", "S2NewReader",
          "SnappyNewReader", "ZlibNewReader", "FlateNewReader", "Bzip2NewReader", "ZipOpenReader",
          "ZipKlauspost"
        ] and
      sink instanceof DecompressionBombs::Sink
    }

    /** Holds if some `DecompressionBombs::AdditionalTaintStep` provides a state-preserving step. */
    predicate isAdditionalFlowStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
      any(DecompressionBombs::AdditionalTaintStep addStep).isAdditionalFlowStep(fromNode, toNode)
    }

    /**
     * Holds if some `DecompressionBombs::AdditionalTaintStep` provides a step from
     * `fromNode` in `fromState` to `toNode` in `toState`.
     */
    predicate isAdditionalFlowStep(
      DataFlow::Node fromNode, FlowState fromState, DataFlow::Node toNode, FlowState toState
    ) {
      any(DecompressionBombs::AdditionalTaintStep addStep)
          .isAdditionalFlowStep(fromNode, fromState, toNode, toState)
    }

    /** Holds unconditionally; per its name, opts this configuration into diff-informed incremental mode. */
    predicate observeDiffInformedIncrementalMode() { any() }
  }

  /** Tracks taint flow for reasoning about decompression bomb vulnerabilities. */
  module Flow = TaintTracking::GlobalWithState<Config>;
}