Python: New command execution sinks

[am0o0]

What is new?
JsonPickle library Code execution sinks
Pytorch library Code execution sinks
Pexpect library Command Execution and Secondary server cmd injection
AsyncSsh library Secondary server cmd injection
Netmiko library Secondary server cmd injection
Scrapli library Secondary server cmd injection
Twisted library Secondary server cmd injection
Ssh2-python library Secondary server cmd injection
pandas library DataFrame Code execution sinks

What has changed?
Upgrade paramiko query to Secondary server command execution query which attackers can execute commands on other than the primary server. it is in the experimental directory.
for the paramiko query, it has added proxyCommand as a SystemCommandExecution because it executes commands on the primary server.
Upgraded Fabric framework and added proxy_command as a SystemCommandExecution, I didn't change the sinks of this framework to Secondary server command execution because it is not in an experimental library, otherwise the run and sudo functions are SecondaryCommandInjection and local function is SystemCommandExecution. I only simplified the framework structure with new higher-level APIs and added SystemCommandExecution new sinks.

Also, I tried my best to use inline tests everywhere so you can review this PR more easily. :)

[ghsecuritylab]

Hello am0o0 👋
You have submitted this pull request as a bug bounty report in the github/securitylab repository and therefore this pull request has been put into draft state to give time for the GitHub Security Lab to assess the PR. When GitHub Security Lab has finished assessing your pull request, it will be marked automatically as Ready for review. Until then, please don't change the draft state.

In the meantime, feel free to make changes to the pull request. If you'd like to maximize payout for your this and future submissions, here are a few general guidelines, that we might take into consideration when reviewing a submission.

• the submission models widely-used frameworks/libraries
• the vulnerability modeled in the submission is impactful
• the submission finds new true positive vulnerabilities
• the submission finds very few false positives
• code in the submission is easy to read and will be easy to maintain
• documentation is written clearly, highlighting the impact of the issue it finds and is written without grammatical or other errors. The code samples clearly show the vulnerability
• the submission includes tests, change note etc.

Please note that these are guidelines, not rules. Since we have a lot of different types of submissions, the guidelines might vary for each submission.

Happy hacking!

[am0o0]

I think my last question is solved in c7adb32.
#15715 (comment)

[tausbn]

Thank you for your submission. Before we can merge this, there are a few comments that need to be addressed.

Once you've addressed the requested changes, I'll re-run the tests and also kick off a performance evaluation (which is needed because you've made changes to files outside the experimental subdirectory).

Finally, this would probably have been better as two separate PRs, as the command execution sinks are mostly disjoint from your work on secondary command injection.

[tausbn]

Thank you for the changes. I think this looks good. 👍
However, there's now a merge conflict on the paramiko.expected file (which was deleted).

Could you kindly resolve that conflict? Then I can run the final performance tests, and (assuming there are no issues with performance) merge the PR.

[am0o0]

@tausbn I'm not really good at working with Git :) IDK if it is solved or not.

[tausbn]

I think you solved the merge conflict (at least the tests can run now), but I'm not too sure about the revert in the latest commit.

Also:

python/ql/src/experimental/semmle/python/security/RemoteCommandExecution.qll would change by autoformatting.

(So many hoops to jump through...)

[tausbn]

Performance looks good! In it goes. 👍