Hi Mikko, welcome to the static analysis rabbit hole :-) On 13.10.20 15:09, Florian Bruhin wrote:

On Tue, Oct 06, 2020 at 01:33:24PM -0400, Mikko Elomaa via code-quality wrote:

...

I looked around for a tool to spot these vulnerabilities, but could not find anything available for free. So, I wrote a quick script at first and then made it more generic. The tool checks functions with the route decorator, it detects the request related input data and checks if the data is passed to a function without being checked by a known filter or validator.

There is PyT [1] (unmaintained) and Pysa [2] which both do this kind of taint analysis and maybe cover your needs. For some theoretical background you probably should read the Master Thesis behind PyT [5].

From a quick look, you might want to consider using an ast (abstract syntax tree) module for parsing the code, rather than using regular expressions.

A very good point Florian makes there :-) Regular Expressions are not capable of parsing Python code in the general case. More libs that could help you parsing and making sense of Python code: - Astroid [3] which is similar to the stdlib ast module but way nicer to work with - Jedi [4] which is a higher level interface built on top of parso which lets you do things like this ``` import jedi source = """ def fn(arg1, arg2): sink(arg1) """ script = jedi.Script(source, path="foo.py") for def_ in script.get_names(all_scopes=True, references=True): print(def_) ``` Cheers, Martin [1] https://github.com/python-security/pyt [2] https://pyre-check.org/docs/pysa-basics/#taint-analysis [3] http://pylint.pycqa.org/projects/astroid/en/latest/index.html [4] https://github.com/davidhalter/jedi [5] https://projekter.aau.dk/projekter/files/239563289/final.pdf