-
Hello all, I'm trying to pinpoint all locations calling a crypto library for a python project. Ideally I would be interested in two types of information:
I am very new to CodeQL and so far I'm putting together queries like the one below, however I think there should be a cleaner way to achieve what I want here using predicates, queries,

```ql
import python
import semmle.python.Concepts
private import semmle.python.dataflow.new.DataFlow

from
  Cryptography::CryptographicOperation op, Cryptography::CryptographicAlgorithm algorithm,
  DataFlow::MethodCallNode mc, DataFlow::Node mco, CallNode callNode, Call call, Name name
where
  op.getAlgorithm() = algorithm and
  mc.getLocation() = op.getLocation() and
  mco = mc.getObject() and
  callNode = mco.getEnclosingCallable().getACall() and
  call.getFunc() = name and
  name.getId() = mco.getEnclosingCallable().getName()
select algorithm, op.getLocation(), mco.getEnclosingCallable().getName() as enclosing_callable,
  mco.toString(), callNode.toString(), call, call.getLocation(), name
```
-
I think you want something like I described here:

```ql
/**
 * @kind path-problem
 */

import java

class StartMethod extends Method {
  StartMethod() { getName() = "validateExpression" }
}

class TargetMethod extends Method {
  TargetMethod() { getName() = "findValue" }
}

query predicate edges(Method a, Method b) { a.calls(b) }

from TargetMethod end, StartMethod entryPoint
where edges+(entryPoint, end)
select end, entryPoint, end, "Found a path from start to target."
```

Porting this to Python is a bit tricky (to me), since I could not find an equivalent for the

```ql
/**
 * @kind path-problem
 */

import python

class StartMethod extends Function {
  StartMethod() { getName() = "validateExpression" }
}

class TargetMethod extends Function {
  TargetMethod() { getName() = "findValue" }
}

query predicate edges(Function a, Function b) {
  a.getAChildNode().(Call).getFunc().(Name).getId() = b.getName()
}

from TargetMethod end, StartMethod entryPoint
where edges+(entryPoint, end)
select end, entryPoint, end, "Found a path from start to target."
```
-
Thanks for also looking into this @intrigus-lgtm 💪 here is my take on it

@nettrino can you explain why you are interested in finding all transitive calls to cryptographic operations? Are you trying to build a way to do a security audit of cryptographic operations? (Sometimes the underlying reason for asking technical questions can help solve the problem in a different way)

Anyway, below is my current best solution. This relies on the points-to based call-graph, which we know isn't perfect, and we're currently working on replacing that with something better. (Also notice that this will exclude cryptographic operations that happen on module level, since that isn't within a function.)

```ql
import python
import semmle.python.Concepts

Function getFunctionPerformingCrypto(Cryptography::CryptographicOperation op) {
  result = op.getEnclosingCallable().getScope()
}

/** Holds if there is a call to `target` within `func`. */
predicate calls(Function func, Function target) {
  exists(PythonFunctionValue fv | fv.getScope() = target and fv.getACall().getScope() = func)
}

from Function immediateCryptoOp, Function transitiveCaller
where
  immediateCryptoOp = getFunctionPerformingCrypto(_) and
  calls+(transitiveCaller, immediateCryptoOp)
select transitiveCaller, immediateCryptoOp
```
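An added illustration, not code from any participant in this thread or from the CodeQL libraries: a stand-alone Python script that computes the same shape of result as the `calls+` closure in the queries above, using name-based call edges, and lists separately the module-level crypto calls that a function-based query leaves out. Assumptions: `hashlib` stands in for the crypto library, `SAMPLE` is a constructed input, and `is_crypto_call` and `analyse` are hypothetical names.

```python
import ast

# Constructed sample module (not from the thread); hashlib stands in for the crypto library.
SAMPLE = '''
import hashlib

def digest(data):
    return hashlib.sha256(data).hexdigest()

def sign(msg):
    return digest(msg)

def handle_request(req):
    return sign(req)

def unrelated():
    return len("x")

MODULE_LEVEL = hashlib.md5(b"x").hexdigest()
'''

CRYPTO_MODULES = {"hashlib"}  # assumption: module names treated as "crypto"

def is_crypto_call(call):
    """True for calls shaped like <crypto module>.<name>(...)."""
    return (isinstance(call.func, ast.Attribute) and isinstance(call.func.value, ast.Name)
            and call.func.value.id in CRYPTO_MODULES)

def analyse(source):
    """Return (direct, transitive, module_level_lines) for one module's source."""
    tree = ast.parse(source)
    funcs = {n.name: n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)}
    direct, seen, edges = set(), set(), {name: set() for name in funcs}
    for name, fn in funcs.items():
        for call in (n for n in ast.walk(fn) if isinstance(n, ast.Call)):
            seen.add(call)
            if is_crypto_call(call):
                direct.add(name)
            elif isinstance(call.func, ast.Name) and call.func.id in funcs:
                edges[name].add(call.func.id)  # name-based edge: caller -> callee
    # calls+ : walk the edges backwards from the functions that call crypto directly.
    transitive, frontier = set(), set(direct)
    while frontier:
        frontier = {c for c, callees in edges.items() if callees & frontier} - transitive
        transitive |= frontier
    # Crypto calls outside every function: invisible to a Function-based query.
    module_level = sorted(n.lineno for n in ast.walk(tree)
                          if isinstance(n, ast.Call) and n not in seen and is_crypto_call(n))
    return direct, transitive, module_level
```

Name-based edges over-approximate when two functions share a name and miss calls made through aliases or attributes, which is the gap a points-to call graph is meant to narrow.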