zulip/stubs/taint/false_positives.pysa

# This function ensures that a redirect is only within the specified domain.
# Assuming that the domain isn't attacker controllable, the result is safe to
# redirect to
def zerver.views.auth.get_safe_redirect_to(url, redirect_host) -> Sanitize: ...

# This function was previously the source of an open redirect, but has now been
# reviewed and patched, so the output should now be safe to redirect to,
# regardless of the value of the specified 'path'.
def zerver.lib.thumbnail.generate_thumbnail_url(
    path,
    size=...,
    is_camo_url=...
) -> Sanitize: ...

# This function returns a version of name that only contains word and space
# characters, or ., -, _ characters. This should be safe to put into URLs and
# filesystem operations.
def zerver.lib.upload.sanitize_name(value) -> Sanitize: ...

# This function accepts two integers and then concatenates them into a path
# segment. The result should be safe for use in filesystem and other operations.
def zerver.lib.avatar_hash.user_avatar_path_from_ids(user_profile_id, realm_id) -> Sanitize: ...

# This function creates a list of 'UserMessageLite' objects, which contain only
# integral IDs and flags. These should safe for use with SQL and other
# operations.
def zerver.lib.actions.create_user_messages(
    message,
    um_eligible_user_ids,
    long_term_idle_user_ids,
    stream_push_user_ids,
    stream_email_user_ids,
    mentioned_user_ids,
    mark_as_read
) -> Sanitize: ...

# This function is an identity function used for removing taint from variables
# when there is no convenient way to do it by annotating existing functions.
def zerver.lib.pysa.mark_sanitized(arg) -> Sanitize: ...

############################
# Overbroad Approximations #
############################

# Note that the below functions are overbroad approximations of Sanitizers and
# could lead to false negatives. They should be replaced with more specific
# feature-based filtering when that is available through SAPP.

# This function generates a URL pointing to a valid Django endpoint, with
# arguments properly URL encoded. The resulting URL can usually be used as a
# part of a redirect or HTTP request without fear of open redirect or SSRF
# vulnerabilities respectively.
def django.urls.base.reverse(
    viewname,
    urlconf=...,
    args=...,
    kwargs=...,
    current_app=...
) -> Sanitize: ...
pysa: Introduce sanitizers, models, and inline marking safe. This commit adds three `.pysa` model files: `false_positives.pysa` for ruling out false positive flows with `Sanitize` annotations, `req_lib.pysa` for educating pysa about Zulip's `REQ()` pattern for extracting user input, and `redirects.pysa` for capturing the risk of open redirects within Zulip code. Additionally, this commit introduces `mark_sanitized`, an identity function which can be used to selectively clear taint in cases where `Sanitize` models will not work. This commit also puts `mark_sanitized` to work removing known false postive flows. 2019-12-20 00:00:45 +01:00			`# This function ensures that a redirect is only within the specified domain.`
			`# Assuming that the domain isn't attacker controllable, the result is safe to`
			`# redirect to`
			`def zerver.views.auth.get_safe_redirect_to(url, redirect_host) -> Sanitize: ...`

			`# This function was previously the source of an open redirect, but has now been`
			`# reviewed and patched, so the output should now be safe to redirect to,`
			`# regardless of the value of the specified 'path'.`
			`def zerver.lib.thumbnail.generate_thumbnail_url(`
			`path,`
			`size=...,`
			`is_camo_url=...`
			`) -> Sanitize: ...`

			`# This function returns a version of name that only contains word and space`
			`# characters, or ., -, _ characters. This should be safe to put into URLs and`
			`# filesystem operations.`
			`def zerver.lib.upload.sanitize_name(value) -> Sanitize: ...`

			`# This function accepts two integers and then concatenates them into a path`
			`# segment. The result should be safe for use in filesystem and other operations.`
			`def zerver.lib.avatar_hash.user_avatar_path_from_ids(user_profile_id, realm_id) -> Sanitize: ...`

			`# This function creates a list of 'UserMessageLite' objects, which contain only`
			`# integral IDs and flags. These should safe for use with SQL and other`
			`# operations.`
			`def zerver.lib.actions.create_user_messages(`
			`message,`
			`um_eligible_user_ids,`
			`long_term_idle_user_ids,`
			`stream_push_user_ids,`
			`stream_email_user_ids,`
			`mentioned_user_ids,`
			`mark_as_read`
			`) -> Sanitize: ...`

			`# This function is an identity function used for removing taint from variables`
			`# when there is no convenient way to do it by annotating existing functions.`
			`def zerver.lib.pysa.mark_sanitized(arg) -> Sanitize: ...`

			`############################`
			`# Overbroad Approximations #`
			`############################`

			`# Note that the below functions are overbroad approximations of Sanitizers and`
			`# could lead to false negatives. They should be replaced with more specific`
			`# feature-based filtering when that is available through SAPP.`

			`# This function generates a URL pointing to a valid Django endpoint, with`
			`# arguments properly URL encoded. The resulting URL can usually be used as a`
			`# part of a redirect or HTTP request without fear of open redirect or SSRF`
			`# vulnerabilities respectively.`
			`def django.urls.base.reverse(`
			`viewname,`
			`urlconf=...,`
			`args=...,`
			`kwargs=...,`
			`current_app=...`
			`) -> Sanitize: ...`