Python: Model MarkupSafe PyPI package

Since expectation tests had so many changes from ConceptsTest, I'm going to do the changes for that on in a separate commit. The important part is the changes to taint-tracking, which is highlighted in this commit.
2026-05-05 05:35:13 +02:00 · 2021-06-16 18:46:21 +02:00
parent e1c4b8ca42
commit 14de3bffb7
8 changed files with 171 additions and 11 deletions
--- a/python/ql/test/library-tests/frameworks/markupsafe/ConceptsTest.expected
+++ b/python/ql/test/library-tests/frameworks/markupsafe/ConceptsTest.expected
--- a/python/ql/test/library-tests/frameworks/markupsafe/ConceptsTest.ql
+++ b/python/ql/test/library-tests/frameworks/markupsafe/ConceptsTest.ql
@@ -1,2 +0,0 @@
-import python
-import experimental.meta.ConceptsTest
--- a/python/ql/test/library-tests/frameworks/markupsafe/InlineTaintTest.ql
+++ b/python/ql/test/library-tests/frameworks/markupsafe/InlineTaintTest.ql
@@ -1 +1,13 @@
 import experimental.meta.InlineTaintTest
+import semmle.python.Concepts
+
+class HtmlSpecialization extends TestTaintTrackingConfiguration {
+  // TODO: For now, since there is not an `isSanitizingStep` member-predicate part of a
+  // `TaintTracking::Configuration`, we use treat the output is a taint-sanitizer. This
+  // is slightly imprecise, which you can see in the `m_unsafe + SAFE` test-case in
+  // python/ql/test/library-tests/frameworks/markupsafe/taint_test.py
+  //
+  // However, it is better than `getAnInput()`. Due to use-use flow, that would remove
+  // the taint-flow to `SINK()` in `some_escape(tainted); SINK(tainted)`.
+  override predicate isSanitizer(DataFlow::Node node) { node = any(HtmlEscaping esc).getOutput() }
+}
--- a/python/ql/test/library-tests/frameworks/markupsafe/taint_test.py
+++ b/python/ql/test/library-tests/frameworks/markupsafe/taint_test.py
@@ -32,11 +32,11 @@ def test():

    ensure_tainted(
        ts, # $ tainted
-        m_unsafe, # $ MISSING: tainted
+        m_unsafe, # $ tainted
        m_unsafe + SAFE, # $ MISSING: tainted
        SAFE + m_unsafe, # $ MISSING: tainted
        m_unsafe.format(SAFE), # $ MISSING: tainted
-        m_unsafe + ts, # $ tainted
+        m_unsafe + ts, # $ MISSING: tainted

        m_safe.format(m_unsafe), # $ MISSING: tainted

@@ -51,13 +51,13 @@ def test():
        Markup.escape(ts),

        m_safe,
-        m_safe + ts, # $ SPURIOUS: tainted
-        ts + m_safe, # $ SPURIOUS: tainted
-        m_safe.format(ts), # $ SPURIOUS: tainted
+        m_safe + ts,
+        ts + m_safe,
+        m_safe.format(ts),

-        escape(ts) + ts, # $ SPURIOUS: tainted
-        escape_silent(ts) + ts, # $ SPURIOUS: tainted
-        Markup.escape(ts) + ts, # $ SPURIOUS: tainted
+        escape(ts) + ts,
+        escape_silent(ts) + ts,
+        Markup.escape(ts) + ts,
    )

    # flask re-exports these, as:
@@ -66,7 +66,7 @@ def test():
    import flask

    ensure_tainted(
-        flask.Markup(ts), # $ MISSING: tainted
+        flask.Markup(ts), # $ tainted
    )

    ensure_not_tainted(