Add query to detect ZipSlip

[ahmed-farid-dev]

Zip Slip is a widespread critical archive extraction vulnerability, allowing attackers to write arbitrary files on the system, typically resulting in remote command execution

[ahmed-farid-dev]

Hello, any update on this ?

[tausbn]

Thank you for your submission!

I have made some comments and suggestions for improving this query and getting it into a state where it can be merged.

In addition to the various things I point out, the main thing missing at this point is a set of tests that demonstrate what the query can (and if relevant, cannot) do in its present state. I would especially like to see a test of the sanitizer.

[tausbn]

The formatting here looks really weird. Has this been formatted using the standard autoformatter? If not, it needs to be in order to get merged, since we enforce this on all of our QL code. (To use the autoformatter, you can either invoke it via the VSCode extension, or the CodeQL CLI.)

[tausbn]

I don't see anything in this class that makes it specific to zip files, so it's not clear to me why it should contain Zip in its name.

[tausbn]

It is not clear to me what "this function" refers to. Do you in fact mean the opposite of what you've written, that the recommended way is to call extract or extractall?

[tausbn]

Suggested change

	<p>To fix this vulnerability, we need to this function <code>extractall()</code>.
	<p>To fix this vulnerability, we need to call the function <code>extractall()</code>.

[tausbn]

Suggested change

	shutil.copyfileobj(entry, "/tmp/unpack/")
	shutil.copyfileobj(entry, "/tmp/unpack/")

This would be a syntax error otherwise.

[tausbn]

What purpose does pred serve here? It's only mentioned on this line, as far as I can see. You could equivalently just write exists(call.getArg(0)), or just remove it altogether.

[tausbn]

This predicate does not mention this, and so it will in fact hold for all dataflow nodes, assuming there is at least one call, somewhere in the source code, to one of the listed methods on shutil.

(This is why it's important to write tests!)

[tausbn]

Again, this characteristic predicate does not mention this, and so the set of nodes it encompasses is all the nodes in OpenZipFile. You probably want to write this = ... instead of call = ..., as I imagine you want to capture the return value of the given function.

[tausbn]

Suggested change

	for entry in zipf:
	for entry in zipf:

To make the indentation consistent.

[tausbn]

cf. my earlier comment about copyfileobj, does this code actually do what you intend it to do?

[ahmed-farid-dev]

Hi @tausbn,
i get some trouble in running the test, can you help me pls?

[ahmed-farid-dev]

Hello @tausbn,
I removed the sanitizer because he will miss some shot

[tausbn]

Hi @tausbn, i get some trouble in running the test, can you help me pls?

I'm a bit confused. What tests are you trying to run here? As far as I can tell you have not added any tests to this PR. Tests should live in the python/ql/test/experimental directory.

As for the error you're seeing above, perhaps your branch is out of date compared to the current codeql main? You could try merging in main and see if this fixes the warning about database upgrades.

[ahmed-farid-dev]

@tausbn, i try but it still showing up.

[tausbn]

@tausbn, i try but it still showing up.

Hmm... It's not really clear to me why that's happening. I tried pulling down your PR branch, and running the tests through VSCode, and that built the database just fine (though the tests fail to compile, see below).

I also tried invoking codeql using the gh command line application, and that had no issue with building the database either:

$ gh codeql test run python/ql/test/experimental/query-tests/Security/CWE-022/ZipSlip.qlref 
Executing 1 tests in 1 directories.
Extracting test database in /workspaces/codeql/python/ql/test/experimental/query-tests/Security/CWE-022.
Compiling queries in /workspaces/codeql/python/ql/test/experimental/query-tests/Security/CWE-022.
--- expected
+++ actual
@@ -1,1 +1,1 @@
-
+ERROR: Could not resolve type OpenFile (/workspaces/codeql/python/ql/src/experimental/semmle/python/security/ZipSlip.qll:9,69-77)
[1/1 comp 2.4s] FAILED(COMPILATION) /workspaces/codeql/python/ql/test/experimental/query-tests/Security/CWE-022/ZipSlip.qlref
0 tests passed; 1 tests failed:
  FAILED: /workspaces/codeql/python/ql/test/experimental/query-tests/Security/CWE-022/ZipSlip.qlref

What version of the CLI are you using?

[ahmed-farid-dev]

@tausbn i hope this changes will be enough

[ahmed-farid-dev]

for the autoformat checks, i use codeql query format

[tausbn]

I took the liberty of fixing up the issues that were preventing this PR from getting merged.

If you decide to submit any other PRs, please

• ensure that all the tests pass and rerun them whenever you make changes, and
• ensure that the files are autoformatted at all times.

This will greatly help lessen the amount of friction encountered when reviewing and merging your contributions.

Thank you for the contribution.

[ahmed-farid-dev]

Hi @tausbn ,
pls, Can do anything about github/securitylab#538 ?

[tausbn]

Hi @tausbn , pls, Can do anything about github/securitylab#538 ?

I'm sorry, but I don't have any further involvement in that issue.