Skip to content

Azure python sdk url summary upstream #20563

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
bdrodes wants to merge 13 commits into
base: main
Choose a base branch
from
Open

Azure python sdk url summary upstream #20563

bdrodes wants to merge 13 commits into from
+195 −0

Conversation

@bdrodes
Copy link
Contributor

@bdrodes bdrodes commented Sep 30, 2025

  • Added MaD sinks for URLs in the azure SDK, labeled as 'ssrf'
  • Updated HTTP request clients to use 'ssrf' MaD

@bdrodes bdrodes requested a review from a team as a code owner September 30, 2025 17:58
Copilot AI review requested due to automatic review settings September 30, 2025 17:58
Copilot AI reviewed Sep 30, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR adds Server-Side Request Forgery (SSRF) modeling for the Azure Python SDK by introducing MaD (Models as Data) sinks and updating HTTP request clients to recognize SSRF vulnerabilities. This enables CodeQL to detect when user input can control URLs passed to Azure SDK methods.

  • Added SSRF sink modeling framework for MaD-based HTTP requests
  • Created comprehensive Azure SDK models for KeyVault and Storage services
  • Added test coverage for Azure client SSRF scenarios

Reviewed Changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 3 comments.

Show a summary per file
File Description
python/ql/lib/semmle/python/frameworks/SSRFSink.qll New framework for handling SSRF sinks through MaD models
python/ql/lib/semmle/python/frameworks/Azure.Storage.model.yml MaD definitions for Azure Storage SDK SSRF sinks
python/ql/lib/semmle/python/frameworks/Azure.Keyvault.model.yml MaD definitions for Azure KeyVault SDK SSRF sinks
python/ql/lib/semmle/python/Frameworks.qll Import statement for new SSRFSink framework
python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_azure_client.py Test cases for Azure SDK SSRF detection
python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/PartialServerSideRequestForgery.expected Expected results for partial SSRF tests
python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/FullServerSideRequestForgery.expected Expected results for full SSRF tests
python/ql/lib/change-notes/released/2025-09-30-azure_ssrf_models Release notes for the changes

bdrodes and others added 4 commits September 30, 2025 14:00
@bdrodes
Update python/ql/lib/semmle/python/frameworks/SSRFSink.qll
5ca9ff2 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@bdrodes
Update python/ql/test/query-tests/Security/CWE-918-ServerSideRequestF…
fab96d9 
…orgery/test_azure_client.py

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@bdrodes
Update python/ql/test/query-tests/Security/CWE-918-ServerSideRequestF…
d790c6d 
…orgery/test_azure_client.py

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@bdrodes
Moved change log to correct location.
acddb2c
github-advanced-security[bot]
github-advanced-security bot found potential problems Sep 30, 2025
View reviewed changes
@MathiasVP MathiasVP requested a review from tausbn October 14, 2025 15:26
owen-mc
owen-mc requested changes Feb 4, 2026
View reviewed changes
Copy link
Contributor

@owen-mc owen-mc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not familiar with the python library in general, but I can review the use of models-as-data.

python/ql/lib/semmle/python/frameworks/SSRFSink.qll Outdated
or
this.getArgByName(_) = urlArg
) and
urlArg = ModelOutput::getASinkNode("ssrf").asSink()
Copy link
Contributor

@owen-mc owen-mc Feb 4, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  • Some tests are failing because we do validation on sink kinds and "ssrf" isn't on the list. Please use "request-forgery", which is what all the other languages use. (New sink kinds can of course be added, but if there is an existing one then that should be used first, to keep the different language libraries consistent.)
  • In Python: MaD barriers #21004 we switched to using a slightly different syntax (which matches the static languages). You'll have to rebase on main for this to work.
Suggested change
urlArg = ModelOutput::getASinkNode("ssrf").asSink()
ModelOutput::sinkNode(urlArg, "request-forgery")

Copy link
Contributor Author

@bdrodes bdrodes Feb 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

@owen-mc
Copy link
Contributor

owen-mc commented Feb 4, 2026
edited
Loading

Looking at the other test failures (which aren't related to validation of sink kinds):

  • python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/FullServerSideRequestForgery.qlref and python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/PartialServerSideRequestForgery.qlref are failing because of some line number changes - you should check if the new results make sense, and if so accept them.
  • another test is failing for unrelated reasons. I've made a PR to fix it, which should be merged soon.

@bdrodes bdrodes closed this Feb 4, 2026
@bdrodes
Copy link
Contributor Author

bdrodes commented Feb 4, 2026

Looking at the other test failures (which aren't related to validation of sink kinds):

  • python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/FullServerSideRequestForgery.qlref and python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/PartialServerSideRequestForgery.qlref are failing because of some line number changes - you should check if the new results make sense, and if so accept them.
  • another test is failing for unrelated reasons. I've made a PR to fix it, which should be merged soon.

Fixed.

@bdrodes bdrodes reopened this Feb 4, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@owen-mc owen-mc owen-mc requested changes

@tausbn tausbn Awaiting requested review from tausbn

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

documentation Python

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@bdrodes @owen-mc