skylos 1.0.10__py3-none-any.whl → 2.5.2__py3-none-any.whl

skylos/rules/danger/calls.py

@@ -0,0 +1,119 @@
+import ast
+from skylos.rules.base import SkylosRule
+
+DANGEROUS_CALLS = {
+    "eval": ("SKY-D201", "HIGH", "Use of eval()"),
+    "exec": ("SKY-D202", "HIGH", "Use of exec()"),
+    "pickle.load": (
+        "SKY-D203",
+        "CRITICAL",
+        "Untrusted deserialization via pickle.load",
+    ),
+    "pickle.loads": (
+        "SKY-D204",
+        "CRITICAL",
+        "Untrusted deserialization via pickle.loads",
+    ),
+    "yaml.load": ("SKY-D205", "HIGH", "yaml.load without SafeLoader"),
+    "hashlib.md5": ("SKY-D206", "MEDIUM", "Weak hash (MD5)"),
+    "hashlib.sha1": ("SKY-D207", "MEDIUM", "Weak hash (SHA1)"),
+    "requests.*": (
+        "SKY-D208",
+        "HIGH",
+        "requests call with verify=False",
+        {"kw_equals": {"verify": False}},
+    ),
+}
+
+
+def _qualified_name_from_call(node: ast.Call):
+    func = node.func
+    parts = []
+    while isinstance(func, ast.Attribute):
+        parts.append(func.attr)
+        func = func.value
+    if isinstance(func, ast.Name):
+        parts.append(func.id)
+        parts.reverse()
+        return ".".join(parts)
+    return None
+
+
+def _matches_rule(name, rule_key):
+    if not name:
+        return False
+    if rule_key.endswith(".*"):
+        return name.startswith(rule_key[:-2] + ".")
+    return name == rule_key
+
+
+def _kw_equals(node: ast.Call, requirements):
+    if not requirements:
+        return True
+    kw_map = {}
+    for kw in node.keywords or []:
+        if kw.arg:
+            if isinstance(kw.value, (ast.Constant, ast.NameConstant)):
+                kw_map[kw.arg] = kw.value.value
+            elif isinstance(kw.value, ast.Name) and kw.value.id in ("True", "False"):
+                kw_map[kw.arg] = kw.value.id == "True"
+
+    for key, expected in requirements.items():
+        val = kw_map.get(key)
+        if val != expected:
+            return False
+    return True
+
+
+def _yaml_load_without_safeloader(node: ast.Call):
+    for kw in node.keywords or []:
+        if kw.arg == "Loader":
+            if "SafeLoader" in ast.dump(kw.value):
+                return False
+    return True
+
+
+class DangerousCallsRule(SkylosRule):
+    rule_id = "SKY-D200"
+    name = "Dangerous Function Calls"
+
+    def visit_node(self, node, context):
+        if not isinstance(node, ast.Call):
+            return None
+
+        name = _qualified_name_from_call(node)
+        if not name:
+            return None
+
+        findings = []
+
+        for rule_key, tup in DANGEROUS_CALLS.items():
+            if not _matches_rule(name, rule_key):
+                continue
+
+            rule_id = tup[0]
+            severity = tup[1]
+            message = tup[2]
+            opts = tup[3] if len(tup) > 3 else None
+
+            if rule_key == "yaml.load":
+                if not _yaml_load_without_safeloader(node):
+                    continue
+
+            if opts and "kw_equals" in opts:
+                if not _kw_equals(node, opts["kw_equals"]):
+                    continue
+
+            findings.append(
+                {
+                    "rule_id": rule_id,
+                    "severity": severity,
+                    "message": message,
+                    "file": context.get("filename"),
+                    "line": node.lineno,
+                    "col": node.col_offset,
+                }
+            )
+            break
+
+        return findings if findings else None

skylos/rules/danger/danger.py

@@ -0,0 +1,157 @@
+from __future__ import annotations
+import ast
+import sys
+from pathlib import Path
+from .danger_sql.sql_flow import scan as scan_sql
+from .danger_cmd.cmd_flow import scan as scan_cmd
+from .danger_sql.sql_raw_flow import scan as scan_sql_raw
+from .danger_net.ssrf_flow import scan as scan_ssrf
+from .danger_fs.path_flow import scan as scan_path
+from .danger_web.xss_flow import scan as scan_xss
+
+ALLOWED_SUFFIXES = (".py", ".pyi", ".pyw")
+
+DANGEROUS_CALLS = {
+    "eval": ("SKY-D201", "HIGH", "Use of eval()"),
+    "exec": ("SKY-D202", "HIGH", "Use of exec()"),
+    "pickle.load": (
+        "SKY-D203",
+        "CRITICAL",
+        "Untrusted deserialization via pickle.load",
+    ),
+    "pickle.loads": (
+        "SKY-D204",
+        "CRITICAL",
+        "Untrusted deserialization via pickle.loads",
+    ),
+    "yaml.load": ("SKY-D205", "HIGH", "yaml.load without SafeLoader"),
+    "hashlib.md5": ("SKY-D206", "MEDIUM", "Weak hash (MD5)"),
+    "hashlib.sha1": ("SKY-D207", "MEDIUM", "Weak hash (SHA1)"),
+    "requests.*": (
+        "SKY-D208",
+        "HIGH",
+        "requests call with verify=False",
+        {"kw_equals": {"verify": False}},
+    ),
+}
+
+
+def _matches_rule(name, rule_key):
+    if not name:
+        return False
+    if rule_key.endswith(".*"):
+        return name.startswith(rule_key[:-2] + ".")
+    return name == rule_key
+
+
+def _kw_equals(node: ast.Call, requirements):
+    if not requirements:
+        return True
+    kw_map = {}
+    for kw in node.keywords or []:
+        if kw.arg:
+            kw_map[kw.arg] = kw.value
+
+    for key, expected in requirements.items():
+        val = kw_map.get(key)
+        if not isinstance(val, ast.Constant):
+            return False
+        if val.value != expected:
+            return False
+    return True
+
+
+def qualified_name_from_call(node: ast.Call):
+    func = node.func
+    parts = []
+    while isinstance(func, ast.Attribute):
+        parts.append(func.attr)
+        func = func.value
+    if isinstance(func, ast.Name):
+        parts.append(func.id)
+        parts.reverse()
+        return ".".join(parts)
+    return None
+
+
+def _yaml_load_without_safeloader(node: ast.Call):
+    name = qualified_name_from_call(node)
+    if name != "yaml.load":
+        return False
+
+    for kw in node.keywords or []:
+        if kw.arg == "Loader":
+            text = ast.unparse(kw.value)
+            return "SafeLoader" not in text
+    return True
+
+
+def _add_finding(findings, file_path: Path, node: ast.AST, rule_id, severity, message):
+    findings.append(
+        {
+            "rule_id": rule_id,
+            "severity": severity,
+            "message": message,
+            "file": str(file_path),
+            "line": getattr(node, "lineno", 1),
+            "col": getattr(node, "col_offset", 0),
+        }
+    )
+
+
+def _scan_file(file_path: Path, findings):
+    src = file_path.read_text(encoding="utf-8", errors="ignore")
+    tree = ast.parse(src)
+
+    scan_sql(tree, file_path, findings)
+    scan_cmd(tree, file_path, findings)
+    scan_sql_raw(tree, file_path, findings)
+    scan_ssrf(tree, file_path, findings)
+    scan_path(tree, file_path, findings)
+    scan_xss(tree, file_path, findings)
+
+    for node in ast.walk(tree):
+        if not isinstance(node, ast.Call):
+            continue
+
+        name = qualified_name_from_call(node)
+        if not name:
+            continue
+
+        for rule_key, tup in DANGEROUS_CALLS.items():
+            rule_id = tup[0]
+            severity = tup[1]
+            message = tup[2]
+
+            if len(tup) > 3:
+                opts = tup[3]
+            else:
+                opts = None
+
+            if not _matches_rule(name, rule_key):
+                continue
+
+            if rule_key == "yaml.load":
+                if not _yaml_load_without_safeloader(node):
+                    continue
+            if opts and "kw_equals" in opts:
+                if not _kw_equals(node, opts["kw_equals"]):
+                    continue
+
+            _add_finding(findings, file_path, node, rule_id, severity, message)
+            break
+
+
+def scan_ctx(_, files):
+    findings = []
+
+    for file_path in files:
+        if file_path.suffix.lower() not in ALLOWED_SUFFIXES:
+            continue
+
+        try:
+            _scan_file(file_path, findings)
+        except Exception as e:
+            print(f"Scan failed for {file_path}: {e}", file=sys.stderr)
+
+    return findings

skylos/rules/danger/danger_cmd/cmd_flow.py

@@ -0,0 +1,75 @@
+from __future__ import annotations
+import ast
+import sys
+from skylos.rules.danger.taint import TaintVisitor
+
+
+def _qualified_name(node):
+    func = node.func
+    parts = []
+    while isinstance(func, ast.Attribute):
+        parts.append(func.attr)
+        func = func.value
+
+    if isinstance(func, ast.Name):
+        parts.append(func.id)
+        parts.reverse()
+        return ".".join(parts)
+
+    return None
+
+
+class _CmdFlowChecker(TaintVisitor):
+    OS_SYSTEM = "os.system"
+    SUBPROC_PREFIX = "subprocess."
+
+    def visit_Call(self, node):
+        qn = _qualified_name(node)
+        if not qn:
+            self.generic_visit(node)
+            return
+
+        if qn == self.OS_SYSTEM and node.args:
+            if self.is_tainted(node.args[0]):
+                self.findings.append(
+                    {
+                        "rule_id": "SKY-D212",
+                        "severity": "CRITICAL",
+                        "message": "Possible command injection (os.system): tainted input.",
+                        "file": str(self.file_path),
+                        "line": node.lineno,
+                        "col": node.col_offset,
+                    }
+                )
+
+        if qn.startswith(self.SUBPROC_PREFIX):
+            shell_true = False
+            for kw in node.keywords:
+                if (
+                    kw.arg == "shell"
+                    and isinstance(kw.value, ast.Constant)
+                    and kw.value.value is True
+                ):
+                    shell_true = True
+
+            if shell_true and self.is_tainted(node):
+                self.findings.append(
+                    {
+                        "rule_id": "SKY-D212",
+                        "severity": "CRITICAL",
+                        "message": "Possible command injection (subprocess shell=True): tainted input.",
+                        "file": str(self.file_path),
+                        "line": node.lineno,
+                        "col": node.col_offset,
+                    }
+                )
+
+        self.generic_visit(node)
+
+
+def scan(tree, file_path, findings):
+    try:
+        checker = _CmdFlowChecker(file_path, findings)
+        checker.visit(tree)
+    except Exception as e:
+        print(f"CMD flow failed for {file_path}: {e}", file=sys.stderr)

skylos/rules/danger/danger_fs/path_flow.py

@@ -0,0 +1,79 @@
+from __future__ import annotations
+import ast
+import sys
+from skylos.rules.danger.taint import TaintVisitor
+
+
+def _qualified_name(node):
+    func = node.func
+    parts = []
+    while isinstance(func, ast.Attribute):
+        parts.append(func.attr)
+        func = func.value
+    if isinstance(func, ast.Name):
+        parts.append(func.id)
+        parts.reverse()
+        return ".".join(parts)
+    if isinstance(func, ast.Name):
+        return func.id
+    return None
+
+
+def _is_interpolated_string(node):
+    if isinstance(node, ast.JoinedStr):
+        return True
+    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
+        return True
+    if (
+        isinstance(node, ast.Call)
+        and isinstance(node.func, ast.Attribute)
+        and node.func.attr == "format"
+    ):
+        return True
+    return False
+
+
+class _PathFlowChecker(TaintVisitor):
+    FILE_OPEN_FUNCS = {"open"}
+    OS_FILE_FUNCS = {"open", "unlink", "remove", "mkdir", "rmdir", "makedirs"}
+    SHUTIL_FUNCS = {"copy", "copy2", "copytree", "move", "rmtree"}
+
+    def _flag_if_tainted_path(self, node, path_expr):
+        is_interp = _is_interpolated_string(path_expr)
+        is_tainted = self.is_tainted(path_expr)
+
+        if is_interp or is_tainted:
+            self.findings.append(
+                {
+                    "rule_id": "SKY-D215",
+                    "severity": "HIGH",
+                    "message": "Possible path traversal: tainted filesystem path",
+                    "file": str(self.file_path),
+                    "line": node.lineno,
+                    "col": node.col_offset,
+                }
+            )
+
+    def visit_Call(self, node: ast.Call):
+        qn = _qualified_name(node)
+
+        if qn and qn in self.FILE_OPEN_FUNCS and node.args:
+            self._flag_if_tainted_path(node, node.args[0])
+
+        if qn and "." in qn:
+            mod, func = qn.split(".", 1)
+            if mod == "os" and func in self.OS_FILE_FUNCS and node.args:
+                self._flag_if_tainted_path(node, node.args[0])
+
+            if mod == "shutil" and func in self.SHUTIL_FUNCS and node.args:
+                self._flag_if_tainted_path(node, node.args[0])
+
+        self.generic_visit(node)
+
+
+def scan(tree, file_path, findings):
+    try:
+        checker = _PathFlowChecker(file_path, findings)
+        checker.visit(tree)
+    except Exception as e:
+        print(f"Path traversal analysis failed for {file_path}: {e}", file=sys.stderr)

skylos/rules/danger/danger_net/ssrf_flow.py

@@ -0,0 +1,80 @@
+from __future__ import annotations
+import ast
+import sys
+from skylos.rules.danger.taint import TaintVisitor
+
+
+def _qualified_name_from_call(node):
+    func = node.func
+    parts = []
+    while isinstance(func, ast.Attribute):
+        parts.append(func.attr)
+        func = func.value
+    if isinstance(func, ast.Name):
+        parts.append(func.id)
+        parts.reverse()
+        return ".".join(parts)
+    if isinstance(func, ast.Name):
+        return func.id
+    return None
+
+
+def _is_interpolated_string(node):
+    if isinstance(node, ast.JoinedStr):
+        return True
+    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
+        return True
+    if (
+        isinstance(node, ast.Call)
+        and isinstance(node.func, ast.Attribute)
+        and node.func.attr == "format"
+    ):
+        return True
+    return False
+
+
+class _SSRFFlowChecker(TaintVisitor):
+    HTTP_METHODS = {"get", "post", "put", "delete", "head", "options", "request"}
+
+    def visit_Call(self, node):
+        qn = _qualified_name_from_call(node)
+
+        if qn and "." in qn:
+            _, func = qn.split(".", 1)
+            if func in self.HTTP_METHODS and node.args:
+                url_arg = node.args[0]
+                if _is_interpolated_string(url_arg) or self.is_tainted(url_arg):
+                    self.findings.append(
+                        {
+                            "rule_id": "SKY-D216",
+                            "severity": "CRITICAL",
+                            "message": "Possible SSRF: tainted URL passed to HTTP client.",
+                            "file": str(self.file_path),
+                            "line": node.lineno,
+                            "col": node.col_offset,
+                        }
+                    )
+
+        if qn and qn.endswith(".urlopen") and node.args:
+            url_arg = node.args[0]
+            if _is_interpolated_string(url_arg) or self.is_tainted(url_arg):
+                self.findings.append(
+                    {
+                        "rule_id": "SKY-D216",
+                        "severity": "CRITICAL",
+                        "message": "Possible SSRF: tainted URL passed to HTTP client.",
+                        "file": str(self.file_path),
+                        "line": node.lineno,
+                        "col": node.col_offset,
+                    }
+                )
+
+        self.generic_visit(node)
+
+
+def scan(tree, file_path, findings):
+    try:
+        checker = _SSRFFlowChecker(file_path, findings)
+        checker.visit(tree)
+    except Exception as e:
+        print(f"SSRF flow analysis failed for {file_path}: {e}", file=sys.stderr)