Merge pull request #12 from GitHubSecurityLab/part-4

Part 4

Author: sylwia-budzynska

4/README.md

@@ -0,0 +1,3 @@
+To run the queries in this folder, follow the set up instructions for [VS Code CodeQL starter workspace](https://github.com/github/vscode-codeql-starter) and install VS Code CodeQL extension. Then, in the CodeQL extension select the `vulnerable-code-snippets-db` database.
+
+For more information around CodeQL, set up and running queries, see [CodeQL zero to hero part 2](https://github.blog/developer-skills/github/codeql-zero-to-hero-part-2-getting-started-with-codeql/) and the other blog posts in the series.

4/queries/1.ql

@@ -0,0 +1,14 @@
+/**
+ * @id codeql-zero-to-hero/4-1
+ * @severity error
+ * @kind problem
+ */
+
+ import python
+ import semmle.python.ApiGraphs
+
+ from API::CallNode node
+ where node =
+	 API::moduleImport("gradio").getMember("Interface").getACall()
+
+ select node, "Call to gr.Interface"

4/queries/2.ql

@@ -0,0 +1,14 @@
+/**
+ * @id codeql-zero-to-hero/4-2
+ * @severity error
+ * @kind problem
+ */
+
+ import python
+ import semmle.python.ApiGraphs
+
+ from API::CallNode node
+ where node =
+	 API::moduleImport("gradio").getMember("Interface").getACall()
+
+ select node.getParameter(0, "fn").getParameter(_).asSource(), "Gradio sources"

4/queries/3.ql

@@ -0,0 +1,22 @@
+/**
+ * @id codeql-zero-to-hero/4-3
+ * @severity error
+ * @kind problem
+ */
+
+ import python
+ import semmle.python.ApiGraphs
+ import semmle.python.dataflow.new.RemoteFlowSources
+
+ class GradioInterface extends RemoteFlowSource::Range {
+	GradioInterface() {
+		exists(API::CallNode n |
+		n = API::moduleImport("gradio").getMember("Interface").getACall() |
+		this = n.getParameter(0, "fn").getParameter(_).asSource())
+	}
+	override string getSourceType() { result = "Gradio untrusted input" }
+
+ }
+
+from GradioInterface inp
+select inp, "Gradio sources"

4/queries/4.ql

@@ -0,0 +1,23 @@
+/**
+ * @id codeql-zero-to-hero/4-4
+ * @severity error
+ * @kind problem
+ */
+
+ import python
+ import semmle.python.ApiGraphs
+ import semmle.python.dataflow.new.RemoteFlowSources
+
+class GradioInterface extends RemoteFlowSource::Range {
+	GradioInterface() {
+		exists(API::CallNode n |
+		n = API::moduleImport("gradio").getMember("Interface").getACall() |
+		this = n.getParameter(0, "fn").getParameter(_).asSource())
+	}
+	override string getSourceType() { result = "Gradio untrusted input" }
+
+ }
+
+
+from RemoteFlowSource rfs
+select rfs, "All python sources"

4/queries/5.ql

@@ -0,0 +1,15 @@
+/**
+ * @id codeql-zero-to-hero/4-5
+ * @severity error
+ * @kind problem
+ */
+
+ import python
+ import semmle.python.ApiGraphs
+
+ from API::CallNode node
+ where node =
+	 API::moduleImport("gradio").getMember("Button").getReturn()
+	 .getMember("click").getACall()
+
+select node.getParameter(0, "fn").getParameter(_), "Gradio sources"

4/queries/6.ql

@@ -0,0 +1,26 @@
+
+/**
+ * @id codeql-zero-to-hero/4-6
+ * @severity error
+ * @kind problem
+ */
+
+
+ import python
+ import semmle.python.ApiGraphs
+ import semmle.python.dataflow.new.RemoteFlowSources
+
+class GradioButton extends RemoteFlowSource::Range {
+	GradioButton() {
+		exists(API::CallNode n |
+		n = API::moduleImport("gradio").getMember("Button").getReturn()
+		.getMember("click").getACall() |
+		this = n.getParameter(0, "fn").getParameter(_).asSource())
+	}
+
+	override string getSourceType() { result = "Gradio untrusted input" }
+
+ }
+
+from GradioButton inp
+select inp, "Gradio sources"

4/queries/7.ql

@@ -0,0 +1,62 @@
+
+/**
+ * @id codeql-zero-to-hero/4-7
+ * @severity error
+ * @kind path-problem
+ */
+
+
+ import python
+ import semmle.python.dataflow.new.DataFlow
+ import semmle.python.dataflow.new.TaintTracking
+ import semmle.python.ApiGraphs
+ import semmle.python.dataflow.new.RemoteFlowSources
+ import MyFlow::PathGraph
+
+class GradioButton extends RemoteFlowSource::Range {
+	GradioButton() {
+		exists(API::CallNode n |
+		n = API::moduleImport("gradio").getMember("Button").getReturn()
+		.getMember("click").getACall() |
+		this = n.getParameter(0, "fn").getParameter(_).asSource())
+	}
+
+	override string getSourceType() { result = "Gradio untrusted input" }
+
+ }
+
+ class GradioInterface extends RemoteFlowSource::Range {
+	GradioInterface() {
+		exists(API::CallNode n |
+		n = API::moduleImport("gradio").getMember("Interface").getACall() |
+		this = n.getParameter(0, "fn").getParameter(_).asSource())
+	}
+	override string getSourceType() { result = "Gradio untrusted input" }
+
+ }
+
+
+
+class OsSystemSink extends API::CallNode {
+	OsSystemSink() {
+		this = API::moduleImport("os").getMember("system").getACall()
+	}
+}
+
+ private module MyConfig implements DataFlow::ConfigSig {
+   predicate isSource(DataFlow::Node source) {
+	 source instanceof RemoteFlowSource
+   }
+
+   predicate isSink(DataFlow::Node sink) {
+	exists(OsSystemSink call |
+		sink = call.getArg(0)
+		)
+   }
+ }
+
+ module MyFlow = TaintTracking::Global<MyConfig>;
+
+ from MyFlow::PathNode source, MyFlow::PathNode sink
+ where MyFlow::flowPath(source, sink)
+ select sink.getNode(), source, sink, "Data Flow from a Gradio source to `os.system`"

4/vulnerable-code-snippets-db.zip

@@ -0,0 +1,20 @@
+import gradio as gr
+import os
+
+def execute_cmd(folder, logs):
+    cmd = f"python caption.py --dir={folder} --logs={logs}"
+    os.system(cmd)
+    return f"Command: {cmd}"
+
+
+folder = gr.Textbox(placeholder="Directory to caption")
+logs = gr.Checkbox(label="Save verbose logs")
+output = gr.Textbox()
+
+demo = gr.Interface(
+	fn=execute_cmd,
+	inputs=[folder, logs],
+	outputs=output)
+
+if __name__ == "__main__":
+    demo.launch(debug=True)

4/vulnerable-code-snippets/cmdi-interface-list.py

@@ -0,0 +1,19 @@
+import gradio as gr
+import os
+
+def execute_cmd(folder):
+    cmd = f"python caption.py --dir={folder}"
+    os.system(cmd)
+    return f"Command: {cmd}"
+
+
+folder = gr.Textbox(placeholder="Directory to caption")
+output = gr.Textbox()
+
+demo = gr.Interface(
+	execute_cmd,
+	folder,
+    output)
+
+if __name__ == "__main__":
+    demo.launch(debug=True)

4/vulnerable-code-snippets/cmdi-interface.py

@@ -0,0 +1,25 @@
+import gradio as gr
+import os
+
+def execute_cmd(folder, logs):
+    cmd = f"python caption.py --dir={folder} --logs={logs}"
+    os.system(cmd)
+    return f"Command: {cmd}"
+
+
+with gr.Blocks() as demo:
+    gr.Markdown("Create caption files for images in a directory")
+    with gr.Row():
+        folder = gr.Textbox(placeholder="Directory to caption")
+        logs = gr.Checkbox(label="Save verbose logs")
+        output = gr.Textbox()
+
+    btn = gr.Button("Run")
+    btn.click(
+        fn=execute_cmd,
+        inputs=[folder, logs],
+        outputs=output)
+
+
+if __name__ == "__main__":
+    demo.launch(debug=True)

4/vulnerable-code-snippets/cmdi-list.py

@@ -0,0 +1,24 @@
+import gradio as gr
+import os
+
+def execute_cmd(folder):
+    cmd = f"python caption.py --dir={folder}"
+    os.system(cmd)
+    return f"Command: {cmd}"
+
+
+with gr.Blocks() as demo:
+    gr.Markdown("Create caption files for images in a directory")
+    with gr.Row():
+        folder = gr.Textbox(placeholder="Directory to caption")
+        output = gr.Textbox()
+
+    btn = gr.Button("Run")
+    btn.click(
+        execute_cmd,
+        folder,
+        output)
+
+
+if __name__ == "__main__":
+    demo.launch(debug=True)

4/vulnerable-code-snippets/cmdi.py

@@ -2,6 +2,7 @@
 
 This repository contains challenges for the CodeQL Zero to Hero blog post series.
 
-- Link to the first blog post—[CodeQL zero to hero part 1: the fundamentals of static analysis for vulnerability research](https://github.blog/2023-03-31-codeql-zero-to-hero-part-1-the-fundamentals-of-static-analysis-for-vulnerability-research/). The challenges accompanying the blog post are in [folder 1.](https://github.com/GitHubSecurityLab/codeql-zero-to-hero/tree/main/1)
-- Link to the second blog post—[CodeQL zero to hero part 2: getting started with CodeQL](https://github.blog/2023-06-15-codeql-zero-to-hero-part-2-getting-started-with-codeql/). The challenges accompanying the blog post are in [folder 2.](https://github.com/GitHubSecurityLab/codeql-zero-to-hero/tree/main/2)
-- Link to the third blog post—[CodeQL zero to hero part 3: security research](https://github.blog/2024-04-29-codeql-zero-to-hero-part-3-security-research-with-codeql/). The challenges accompanying the blog post are in [folder 3](https://github.com/GitHubSecurityLab/codeql-zero-to-hero/tree/main/3).
+- [CodeQL zero to hero part 1: the fundamentals of static analysis for vulnerability research](https://github.blog/2023-03-31-codeql-zero-to-hero-part-1-the-fundamentals-of-static-analysis-for-vulnerability-research/). The challenges accompanying the blog post are in [folder 1.](https://github.com/GitHubSecurityLab/codeql-zero-to-hero/tree/main/1)
+- [CodeQL zero to hero part 2: getting started with CodeQL](https://github.blog/2023-06-15-codeql-zero-to-hero-part-2-getting-started-with-codeql/). The challenges accompanying the blog post are in [folder 2.](https://github.com/GitHubSecurityLab/codeql-zero-to-hero/tree/main/2)
+- [CodeQL zero to hero part 3: security research](https://github.blog/2024-04-29-codeql-zero-to-hero-part-3-security-research-with-codeql/). The challenges accompanying the blog post are in [folder 3](https://github.com/GitHubSecurityLab/codeql-zero-to-hero/tree/main/3).
+- [CodeQL zero to hero part 4: Gradio case study](). The challenges accompanying the blog post are in [folder 3](https://github.com/GitHubSecurityLab/codeql-zero-to-hero/tree/main/3).