
Fails on Python 3.9.0

Open matthewdeanmartin opened this issue 3 years ago • 7 comments

Looks like pyt took a dependency on a private attribute that has disappeared. Yes. I saw the tool is no longer maintained, but it used to at least run on 3.8.x

Traceback (most recent call last):
  File "/root/.local/bin/pyt", line 8, in <module>
    sys.exit(main())
  File "/root/.local/pipx/venvs/python-taint/lib/python3.9/site-packages/pyt/__main__.py", line 101, in main
    cfg = make_cfg(
  File "/root/.local/pipx/venvs/python-taint/lib/python3.9/site-packages/pyt/cfg/make_cfg.py", line 36, in make_cfg
    visitor = ExprVisitor(
  File "/root/.local/pipx/venvs/python-taint/lib/python3.9/site-packages/pyt/cfg/expr_visitor.py", line 69, in __init__
    self.init_cfg(node)
  File "/root/.local/pipx/venvs/python-taint/lib/python3.9/site-packages/pyt/cfg/expr_visitor.py", line 76, in init_cfg
    module_statements = self.visit(node)
  File "/usr/local/lib/python3.9/ast.py", line 407, in visit
    return visitor(node)
  File "/root/.local/pipx/venvs/python-taint/lib/python3.9/site-packages/pyt/cfg/stmt_visitor.py", line 67, in visit_Module
    return self.stmt_star_handler(node.body)
  File "/root/.local/pipx/venvs/python-taint/lib/python3.9/site-packages/pyt/cfg/stmt_visitor.py", line 88, in stmt_star_handler
    node = self.visit(stmt)
  File "/usr/local/lib/python3.9/ast.py", line 407, in visit
    return visitor(node)
  File "/root/.local/pipx/venvs/python-taint/lib/python3.9/site-packages/pyt/cfg/stmt_visitor.py", line 1069, in visit_ImportFrom
    return self.add_module(
  File "/root/.local/pipx/venvs/python-taint/lib/python3.9/site-packages/pyt/cfg/stmt_visitor.py", line 807, in add_module
    self.visit(tree)
  File "/usr/local/lib/python3.9/ast.py", line 407, in visit
    return visitor(node)
  File "/root/.local/pipx/venvs/python-taint/lib/python3.9/site-packages/pyt/cfg/stmt_visitor.py", line 67, in visit_Module
    return self.stmt_star_handler(node.body)
  File "/root/.local/pipx/venvs/python-taint/lib/python3.9/site-packages/pyt/cfg/stmt_visitor.py", line 88, in stmt_star_handler
    node = self.visit(stmt)
  File "/usr/local/lib/python3.9/ast.py", line 407, in visit
    return visitor(node)
  File "/root/.local/pipx/venvs/python-taint/lib/python3.9/site-packages/pyt/cfg/stmt_visitor.py", line 460, in visit_Assign
    label.visit(node)
  File "/usr/local/lib/python3.9/ast.py", line 407, in visit
    return visitor(node)
  File "/root/.local/pipx/venvs/python-taint/lib/python3.9/site-packages/pyt/helper_visitors/label_visitor.py", line 56, in visit_Assign
    self.visit(node.value)
  File "/usr/local/lib/python3.9/ast.py", line 407, in visit
    return visitor(node)
  File "/root/.local/pipx/venvs/python-taint/lib/python3.9/site-packages/pyt/helper_visitors/label_visitor.py", line 334, in visit_IfExp
    self.visit(node.orelse)
  File "/usr/local/lib/python3.9/ast.py", line 407, in visit
    return visitor(node)
  File "/root/.local/pipx/venvs/python-taint/lib/python3.9/site-packages/pyt/helper_visitors/label_visitor.py", line 173, in visit_Subscript
    self.slicev(node.slice)
  File "/root/.local/pipx/venvs/python-taint/lib/python3.9/site-packages/pyt/helper_visitors/label_visitor.py", line 190, in slicev
    self.visit(node.value)
  File "/usr/local/lib/python3.9/ast.py", line 407, in visit
    return visitor(node)
  File "/usr/local/lib/python3.9/ast.py", line 411, in generic_visit
    for field, value in iter_fields(node):
  File "/usr/local/lib/python3.9/ast.py", line 249, in iter_fields
    for field in node._fields:
AttributeError: 'str' object has no attribute '_fields'

matthewdeanmartin avatar Oct 08 '20 02:10 matthewdeanmartin

Hi

I've been looking at this and pyre-check. I've found myself looking at this issue because I can't be bothered with setting up a bunch of config files with pyre-check. Anyway, I've managed to stop things crashing.

At the following line

File "/root/.local/pipx/venvs/python-taint/lib/python3.9/site-packages/pyt/helper_visitors/label_visitor.py", line 190, in slicev
    self.visit(node.value)

Change `self.visit(node.value)` to `self.visit(node)` and it seems to be fixed.

Output:

21 vulnerabilities found (plus 3 sanitised):
Vulnerability 1:
File: .\XSS.py
 > User input at line 6, source "request.args.get(":
         ~call_1 = ret_request.args.get('param', 'not set')
Reassigned in:
        File: .\XSS.py
         > Line 6: param = ~call_1
File: .\XSS.py
 > reaches line 9, sink "replace(":
        ~call_5 = ret_html.replace('{{ param }}', param)

[...]

Given that this is now an unsupported project, I'm wondering if you (and anyone else) would see the value in me / a group of enthusiastic Python devs creating a fork for Python 3.9?

FredHappyface avatar Oct 16 '20 16:10 FredHappyface
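Why the one-line change above works: Python 3.9 stopped wrapping simple subscripts in `ast.Index`, so `node.slice` is now the key expression itself (an `ast.Constant` for `request.args['param']`), and `node.slice.value` is the bare `str`, which `NodeVisitor.visit` cannot walk. The following is an added example, not code from pyt, PyTaintX or this thread; the `SAMPLE_SOURCE` string and the `slice_expression` / `SubscriptLabels` names are constructed for illustration. It shows a version-safe way to reach the slice expression and a small visitor that labels subscripts the way a taint tool's label visitor would, plus a helper that reproduces the legacy `node.slice.value` access and reports what it raises on the running interpreter.

```python
import ast

# Constructed sample source (not from the issue): an IfExp whose orelse branch
# is a subscript, the same node shape the traceback walked through
# (visit_IfExp -> visit_Subscript -> slicev).
SAMPLE_SOURCE = (
    "param = request.args.get('param', 'not set') "
    "if 'param' not in request.args else request.args['param']\n"
)


def slice_expression(node: ast.Subscript) -> ast.AST:
    """Return the expression inside a subscript's slice on any Python version.

    Python <= 3.8 wrapped a simple index in ast.Index, so the expression sat at
    node.slice.value. Python 3.9 removed that wrapper: node.slice *is* the
    expression (here an ast.Constant). Visiting node.slice.value on 3.9 hands
    the raw str 'param' to NodeVisitor.visit, which is the
    "'str' object has no attribute '_fields'" failure reported above.
    """
    s = node.slice
    # ast.Index is still importable on 3.9+ but the parser never produces it;
    # getattr guards against it being removed entirely in a later release.
    index_cls = getattr(ast, "Index", None)
    if index_cls is not None and isinstance(s, index_cls):
        return s.value
    return s


def dotted_name(node: ast.AST) -> str:
    """Render Name/Attribute chains such as request.args; '?' for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        return dotted_name(node.value) + "." + node.attr
    return "?"


class SubscriptLabels(ast.NodeVisitor):
    """Collect 'base[key]' labels, reaching the key through slice_expression
    instead of assuming an ast.Index wrapper exists."""

    def __init__(self):
        self.labels = []

    def visit_Subscript(self, node):
        key = slice_expression(node)
        rendered = repr(key.value) if isinstance(key, ast.Constant) else dotted_name(key)
        self.labels.append(f"{dotted_name(node.value)}[{rendered}]")
        self.generic_visit(node)  # keep walking nested subscripts


def collect_subscript_labels(source: str) -> list:
    visitor = SubscriptLabels()
    visitor.visit(ast.parse(source))
    return visitor.labels


def legacy_slice_access_error(source: str):
    """Reproduce the pre-3.9 assumption (visit node.slice.value) and return the
    exception class name it raises on this interpreter, or None if it still works."""
    tree = ast.parse(source)
    sub = next(n for n in ast.walk(tree) if isinstance(n, ast.Subscript))
    try:
        ast.NodeVisitor().visit(sub.slice.value)
    except AttributeError as exc:
        return type(exc).__name__
    return None


if __name__ == "__main__":
    print(collect_subscript_labels(SAMPLE_SOURCE))
    print("legacy slice access raises:", legacy_slice_access_error(SAMPLE_SOURCE))
```

On Python 3.9 and later `legacy_slice_access_error` returns `'AttributeError'`, the same failure as in the report; on 3.8 it returns `None`, which is why the crash only appeared after upgrading. `collect_subscript_labels` gives `["request.args['param']"]` on either version.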

I've decided to maintain this for the foreseeable future: https://github.com/FHPythonUtils/PyTaintX

FredHappyface avatar Oct 30 '20 09:10 FredHappyface

Would you like to maintain the non-fork @FredHappyface? i.e. this repo.

You'd certainly get more views/contributions, maintaining this repo.

KevinHock avatar Oct 30 '20 18:10 KevinHock

(Happy to still mention your repo at the top of the README of this one, if not.)

KevinHock avatar Oct 30 '20 18:10 KevinHock

Yeah, I'd love to maintain the non-fork!

(Would be good to have issues in one place too)

Edit: to clarify, I'd be interested in maintaining the non-forked repo.

FredHappyface avatar Oct 30 '20 18:10 FredHappyface

Thanks, I'll ask @Thalmann and @StefanMich to give you the same access as I have.

KevinHock avatar Oct 30 '20 19:10 KevinHock

Thank you

FredHappyface avatar Oct 30 '20 19:10 FredHappyface