Python: Handle taint of f-strings

change-notes/1.25/analysis-python.md

@@ -20,3 +20,4 @@ The following changes in version 1.25 affect Python analysis in all applications
 ## Changes to libraries
 
 * Importing `semmle.python.web.HttpRequest` will no longer import `UntrustedStringKind` transitively. `UntrustedStringKind` is the most commonly used non-abstract subclass of `ExternalStringKind`. If not imported (by one mean or another), taint-tracking queries that concern `ExternalStringKind` will not produce any results. Please ensure such queries contain an explicit import (`import semmle.python.security.strings.Untrusted`).
+* Added support for tainted f-strings.

python/ql/src/semmle/python/security/strings/Basic.qll

@@ -27,7 +27,8 @@ abstract class StringKind extends TaintKind {
       os_path_join(fromnode, tonode) or
       str_format(fromnode, tonode) or
       encode_decode(fromnode, tonode) or
-      to_str(fromnode, tonode)
+      to_str(fromnode, tonode) or
+      f_string(fromnode, tonode)
     )
     or
     result = this and copy_call(fromnode, tonode)
@@ -107,6 +108,11 @@ private predicate os_path_join(ControlFlowNode fromnode, CallNode tonode) {
   tonode.getAnArg() = fromnode
 }
 
+/** tonode = f"... {fromnode} ..." */
+private predicate f_string(ControlFlowNode fromnode, ControlFlowNode tonode) {
+  tonode.getNode().(Fstring).getAValue() = fromnode.getNode()
+}
+
 /**
  * A kind of "taint", representing a dictionary mapping str->"taint"
  *

python/ql/test/3/library-tests/taint/strings/TestTaint.expected

@@ -1 +1 @@
-| test.py:4 | fail | fstring | Fstring | <NO TAINT> |
+| test.py:4 | ok   | fstring | Fstring | externally controlled string |