Python new taint-tracking: Fix some typos and clarify documentation.

2025-12-18 09:43:15 +01:00 · 2019-08-29 11:03:35 +01:00
parent 5bb528d236
commit 10fddbc19b
4 changed files with 18 additions and 16 deletions
--- a/python/ql/src/semmle/python/dataflow/Configuration.qll
+++ b/python/ql/src/semmle/python/dataflow/Configuration.qll
@@ -69,8 +69,14 @@ module TaintTracking {
            none()
        }

+        /**
+         * Holds if `node` should be considered as a barrier to flow of any kind.
+         */
        predicate isBarrier(DataFlow::Node node) { none() }

+        /**
+         * Holds if `node` should be considered as a barrier to flow of `kind`.
+         */
        predicate isBarrier(DataFlow::Node node, TaintKind kind) {
            exists(Sanitizer sanitizer |
                this.isSanitizer(sanitizer)
@@ -127,7 +133,6 @@ module TaintTracking {
        /* New query API */

        predicate hasSimpleFlow(DataFlow::Node source, DataFlow::Node sink) {
-            /* TO DO */
            exists(PathSource psource, PathSink psink |
                this.hasFlowPath(psource, psink) and
                source = psource.getNode() and
--- a/python/ql/src/semmle/python/dataflow/Implementation.qll
+++ b/python/ql/src/semmle/python/dataflow/Implementation.qll
@@ -61,10 +61,9 @@ private newtype TAttributePath =
    TAttribute(string name) {
        exists(Attribute a | a.getName() = name)
    }
-    or
-    TAttributeAttribute(string name1, string name2) {
-        none()
-    }
+    /* It might make sense to add another level, attribute of attribute.
+     * But some experimentation would be needed.
+     */

 /** The attribute of the tracked value holding the taint.
 * This is usually "no attribute".
@@ -270,7 +269,7 @@ class TaintTrackingImplementation extends string {
        )
    }

-    /** Hold if taint flows to `src` to `dest` in a single step, labelled with `egdeLabel`
+    /** Hold if taint flows to `src` to `dest` in a single step, labeled with `edgeLabel`
     * `edgeLabel` is purely informative.
     */
    predicate flowStep(TaintTrackingNode src, TaintTrackingNode dest, string edgeLabel) {
@@ -492,12 +491,10 @@ class TaintTrackingImplementation extends string {
            call.getFunction().pointsTo(cls) and
            cls.lookup("__init__") = init
            |
-            exists(int arg, TaintKind callerKind, AttributePath callerPath |
-                exists(DataFlow::Node argument |
-                    argnode = TTaintTrackingNode_(argument, caller, callerPath, callerKind, this) and
-                    call.getArg(arg-1) = argument.asCfgNode() and
-                    callee = TParamContext(callerKind, callerPath, arg)
-                )
+            exists(int arg, TaintKind callerKind, AttributePath callerPath, DataFlow::Node argument |
+                argnode = TTaintTrackingNode_(argument, caller, callerPath, callerKind, this) and
+                call.getArg(arg-1) = argument.asCfgNode() and
+                callee = TParamContext(callerKind, callerPath, arg)
            )
        )
    }