|
| 1 | +import json |
| 2 | + |
| 3 | +from codemodder.codemods.test import BaseSASTCodemodTest |
| 4 | +from core_codemods.semgrep.semgrep_harden_pyyaml import SemgrepHardenPyyaml |
| 5 | + |
| 6 | + |
| 7 | +class TestSemgrepHardenPyyaml(BaseSASTCodemodTest): |
| 8 | + codemod = SemgrepHardenPyyaml |
| 9 | + tool = "semgrep" |
| 10 | + |
| 11 | + def test_name(self): |
| 12 | + assert self.codemod.name == "harden-pyyaml" |
| 13 | + |
| 14 | + def test_pyyaml(self, tmpdir): |
| 15 | + input_code = """\ |
| 16 | + import yaml |
| 17 | + data = b'!!python/object/apply:subprocess.Popen \\n- ls' |
| 18 | + deserialized_data = yaml.load(data, Loader=yaml.Loader) |
| 19 | + """ |
| 20 | + expected_output = """\ |
| 21 | + import yaml |
| 22 | + data = b'!!python/object/apply:subprocess.Popen \\n- ls' |
| 23 | + deserialized_data = yaml.load(data, Loader=yaml.SafeLoader) |
| 24 | + """ |
| 25 | + |
| 26 | + results = { |
| 27 | + "runs": [ |
| 28 | + { |
| 29 | + "results": [ |
| 30 | + { |
| 31 | + "fingerprints": {"matchBasedId/v1": "123"}, |
| 32 | + "locations": [ |
| 33 | + { |
| 34 | + "physicalLocation": { |
| 35 | + "artifactLocation": { |
| 36 | + "uri": "code.py", |
| 37 | + "uriBaseId": "%SRCROOT%", |
| 38 | + }, |
| 39 | + "region": { |
| 40 | + "endColumn": 56, |
| 41 | + "endLine": 3, |
| 42 | + "snippet": { |
| 43 | + "text": "deserialized_data = yaml.load(data, Loader=yaml.Loader)" |
| 44 | + }, |
| 45 | + "startColumn": 21, |
| 46 | + "startLine": 3, |
| 47 | + }, |
| 48 | + } |
| 49 | + } |
| 50 | + ], |
| 51 | + "message": { |
| 52 | + "text": "Detected a possible YAML deserialization vulnerability. `yaml.unsafe_load`, `yaml.Loader`, `yaml.CLoader`, and `yaml.UnsafeLoader` are all known to be unsafe methods of deserializing YAML. An attacker with control over the YAML input could create special YAML input that allows the attacker to run arbitrary Python code. This would allow the attacker to steal files, download and install malware, or otherwise take over the machine. Use `yaml.safe_load` or `yaml.SafeLoader` instead." |
| 53 | + }, |
| 54 | + "properties": {}, |
| 55 | + "ruleId": "python.lang.security.deserialization.avoid-pyyaml-load.avoid-pyyaml-load", |
| 56 | + } |
| 57 | + ] |
| 58 | + } |
| 59 | + ] |
| 60 | + } |
| 61 | + self.run_and_assert( |
| 62 | + tmpdir, |
| 63 | + input_code, |
| 64 | + expected_output, |
| 65 | + results=json.dumps(results), |
| 66 | + ) |
| 67 | + |
| 68 | + def test_pyyaml_django(self, tmpdir): |
| 69 | + input_code = """\ |
| 70 | + import yaml |
| 71 | + |
| 72 | + def index(request): |
| 73 | + cookie = request.cookies.get('cookie') |
| 74 | + return "Hey there! {}!".format(yaml.load(cookie)) |
| 75 | + """ |
| 76 | + expected_output = """\ |
| 77 | + import yaml |
| 78 | + |
| 79 | + def index(request): |
| 80 | + cookie = request.cookies.get('cookie') |
| 81 | + return "Hey there! {}!".format(yaml.load(cookie, Loader=yaml.SafeLoader)) |
| 82 | + """ |
| 83 | + |
| 84 | + results = { |
| 85 | + "runs": [ |
| 86 | + { |
| 87 | + "results": [ |
| 88 | + { |
| 89 | + "fingerprints": {"matchBasedId/v1": "123"}, |
| 90 | + "locations": [ |
| 91 | + { |
| 92 | + "physicalLocation": { |
| 93 | + "artifactLocation": { |
| 94 | + "uri": "code.py", |
| 95 | + "uriBaseId": "%SRCROOT%", |
| 96 | + }, |
| 97 | + "region": { |
| 98 | + "endColumn": 53, |
| 99 | + "endLine": 5, |
| 100 | + "snippet": { |
| 101 | + "text": ' return "Hey there! {}!".format(yaml.load(cookie))' |
| 102 | + }, |
| 103 | + "startColumn": 36, |
| 104 | + "startLine": 5, |
| 105 | + }, |
| 106 | + } |
| 107 | + } |
| 108 | + ], |
| 109 | + "message": { |
| 110 | + "text": "Avoid using insecure deserialization library, backed by `pickle`, `_pickle`, `cpickle`, `dill`, `shelve`, or `yaml`, which are known to lead to remote code execution vulnerabilities." |
| 111 | + }, |
| 112 | + "properties": {}, |
| 113 | + "ruleId": "python.django.security.audit.avoid-insecure-deserialization.avoid-insecure-deserialization", |
| 114 | + } |
| 115 | + ] |
| 116 | + } |
| 117 | + ] |
| 118 | + } |
| 119 | + self.run_and_assert( |
| 120 | + tmpdir, |
| 121 | + input_code, |
| 122 | + expected_output, |
| 123 | + results=json.dumps(results), |
| 124 | + ) |
0 commit comments