Python new taint-tracking: Fix some typos and clarify documentation.

2026-04-30 11:15:13 +02:00 · 2019-08-29 11:03:35 +01:00
parent 5bb528d236
commit 10fddbc19b
4 changed files with 18 additions and 16 deletions
--- a/python/ql/src/semmle/python/dataflow/Configuration.qll
+++ b/python/ql/src/semmle/python/dataflow/Configuration.qll
@@ -69,8 +69,14 @@ module TaintTracking {
            none()
        }

+        /**
+         * Holds if `node` should be considered as a barrier to flow of any kind.
+         */
        predicate isBarrier(DataFlow::Node node) { none() }

+        /**
+         * Holds if `node` should be considered as a barrier to flow of `kind`.
+         */
        predicate isBarrier(DataFlow::Node node, TaintKind kind) {
            exists(Sanitizer sanitizer |
                this.isSanitizer(sanitizer)
@@ -127,7 +133,6 @@ module TaintTracking {
        /* New query API */

        predicate hasSimpleFlow(DataFlow::Node source, DataFlow::Node sink) {
-            /* TO DO */
            exists(PathSource psource, PathSink psink |
                this.hasFlowPath(psource, psink) and
                source = psource.getNode() and
--- a/python/ql/src/semmle/python/dataflow/Implementation.qll
+++ b/python/ql/src/semmle/python/dataflow/Implementation.qll
@@ -61,10 +61,9 @@ private newtype TAttributePath =
    TAttribute(string name) {
        exists(Attribute a | a.getName() = name)
    }
-    or
-    TAttributeAttribute(string name1, string name2) {
-        none()
-    }
+    /* It might make sense to add another level, attribute of attribute.
+     * But some experimentation would be needed.
+     */

 /** The attribute of the tracked value holding the taint.
 * This is usually "no attribute".
@@ -270,7 +269,7 @@ class TaintTrackingImplementation extends string {
        )
    }

-    /** Hold if taint flows to `src` to `dest` in a single step, labelled with `egdeLabel`
+    /** Hold if taint flows to `src` to `dest` in a single step, labeled with `edgeLabel`
     * `edgeLabel` is purely informative.
     */
    predicate flowStep(TaintTrackingNode src, TaintTrackingNode dest, string edgeLabel) {
@@ -492,12 +491,10 @@ class TaintTrackingImplementation extends string {
            call.getFunction().pointsTo(cls) and
            cls.lookup("__init__") = init
            |
-            exists(int arg, TaintKind callerKind, AttributePath callerPath |
-                exists(DataFlow::Node argument |
-                    argnode = TTaintTrackingNode_(argument, caller, callerPath, callerKind, this) and
-                    call.getArg(arg-1) = argument.asCfgNode() and
-                    callee = TParamContext(callerKind, callerPath, arg)
-                )
+            exists(int arg, TaintKind callerKind, AttributePath callerPath, DataFlow::Node argument |
+                argnode = TTaintTrackingNode_(argument, caller, callerPath, callerKind, this) and
+                call.getArg(arg-1) = argument.asCfgNode() and
+                callee = TParamContext(callerKind, callerPath, arg)
            )
        )
    }
--- a/python/ql/test/library-tests/taint/config/RockPaperScissors.expected
+++ b/python/ql/test/library-tests/taint/config/RockPaperScissors.expected
@@ -88,6 +88,6 @@ edges
 | test.py:213:14:213:32 | iterable.simple | test.py:213:5:213:33 | simple.test |
 | test.py:213:14:213:32 | sequence of simple.test | test.py:213:5:213:33 | simple.test |
 #select
-| rockpaperscissors.py:13:10:13:17 | SCISSORS | rockpaperscissors.py:13:10:13:17 | scissors | rockpaperscissors.py:13:10:13:17 | scissors | $@ looses to $@. | rockpaperscissors.py:13:10:13:17 | SCISSORS | scissors | rockpaperscissors.py:13:10:13:17 | SCISSORS | scissors |
-| rockpaperscissors.py:16:11:16:14 | ROCK | rockpaperscissors.py:16:11:16:14 | rock | rockpaperscissors.py:16:11:16:14 | rock | $@ looses to $@. | rockpaperscissors.py:16:11:16:14 | ROCK | rock | rockpaperscissors.py:16:11:16:14 | ROCK | rock |
-| rockpaperscissors.py:26:14:26:14 | y | rockpaperscissors.py:24:9:24:12 | rock | rockpaperscissors.py:26:14:26:14 | paper | $@ looses to $@. | rockpaperscissors.py:24:9:24:12 | ROCK | rock | rockpaperscissors.py:26:14:26:14 | y | paper |
+| rockpaperscissors.py:13:10:13:17 | SCISSORS | rockpaperscissors.py:13:10:13:17 | scissors | rockpaperscissors.py:13:10:13:17 | scissors | $@ loses to $@. | rockpaperscissors.py:13:10:13:17 | SCISSORS | scissors | rockpaperscissors.py:13:10:13:17 | SCISSORS | scissors |
+| rockpaperscissors.py:16:11:16:14 | ROCK | rockpaperscissors.py:16:11:16:14 | rock | rockpaperscissors.py:16:11:16:14 | rock | $@ loses to $@. | rockpaperscissors.py:16:11:16:14 | ROCK | rock | rockpaperscissors.py:16:11:16:14 | ROCK | rock |
+| rockpaperscissors.py:26:14:26:14 | y | rockpaperscissors.py:24:9:24:12 | rock | rockpaperscissors.py:26:14:26:14 | paper | $@ loses to $@. | rockpaperscissors.py:24:9:24:12 | ROCK | rock | rockpaperscissors.py:26:14:26:14 | y | paper |
--- a/python/ql/test/library-tests/taint/config/RockPaperScissors.ql
+++ b/python/ql/test/library-tests/taint/config/RockPaperScissors.ql
@@ -10,4 +10,4 @@ import semmle.python.security.Paths

 from RockPaperScissorConfig config, TaintedPathSource src, TaintedPathSink sink
 where config.hasFlowPath(src, sink)
-select sink.getSink(), src, sink, "$@ looses to $@.", src.getNode(), src.getTaintKind().toString(), sink.getNode(), sink.getTaintKind().toString()
+select sink.getSink(), src, sink, "$@ loses to $@.", src.getNode(), src.getTaintKind().toString(), sink.getNode(), sink.getTaintKind().toString()