Python: Add preliminary taint tests for pathlib

2026-04-30 19:26:02 +02:00 · 2020-09-30 11:44:37 +02:00
parent 0542c3b91e
commit 1595fed2d6
2 changed files with 72 additions and 0 deletions
--- a/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep-py3/TestTaint.expected
+++ b/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep-py3/TestTaint.expected
@@ -1,6 +1,18 @@
 | test_collections.py:16 | ok   | test_access | tainted_list.copy() |
 | test_collections.py:24 | ok   | list_clear | tainted_list |
 | test_collections.py:27 | fail | list_clear | tainted_list |
+| test_pathlib.py:26 | fail | test_basic | tainted_path |
+| test_pathlib.py:28 | fail | test_basic | tainted_pure_path |
+| test_pathlib.py:29 | fail | test_basic | tainted_pure_posix_path |
+| test_pathlib.py:30 | fail | test_basic | tainted_pure_windows_path |
+| test_pathlib.py:32 | fail | test_basic | BinaryExpr |
+| test_pathlib.py:33 | fail | test_basic | BinaryExpr |
+| test_pathlib.py:35 | fail | test_basic | tainted_path.joinpath(..) |
+| test_pathlib.py:36 | fail | test_basic | pathlib.Path(..).joinpath(..) |
+| test_pathlib.py:37 | fail | test_basic | pathlib.Path(..).joinpath(..) |
+| test_pathlib.py:39 | fail | test_basic | str(..) |
+| test_pathlib.py:49 | fail | test_basic | tainted_posix_path |
+| test_pathlib.py:55 | fail | test_basic | tainted_windows_path |
 | test_string.py:17 | ok   | str_methods | ts.casefold() |
 | test_string.py:19 | ok   | str_methods | ts.format_map(..) |
 | test_string.py:20 | ok   | str_methods | "{unsafe}".format_map(..) |
--- a/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep-py3/test_pathlib.py
+++ b/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep-py3/test_pathlib.py
@@ -0,0 +1,60 @@
+# Add taintlib to PATH so it can be imported during runtime without any hassle
+import sys; import os; sys.path.append(os.path.dirname(os.path.dirname((__file__))))
+from taintlib import *
+
+# This has no runtime impact, but allows autocomplete to work
+from typing import Iterable, TYPE_CHECKING
+if TYPE_CHECKING:
+    from ..taintlib import *
+
+# Actual tests
+
+import pathlib
+# pathlib was added in 3.4
+
+def test_basic():
+    print("\n# test_basic")
+    ts = TAINTED_STRING
+
+    tainted_path = pathlib.Path(ts)
+
+    tainted_pure_path = pathlib.PurePath(ts)
+    tainted_pure_posix_path = pathlib.PurePosixPath(ts)
+    tainted_pure_windows_path = pathlib.PureWindowsPath(ts)
+
+    ensure_tainted(
+        tainted_path,
+
+        tainted_pure_path,
+        tainted_pure_posix_path,
+        tainted_pure_windows_path,
+
+        pathlib.Path("foo") / ts,
+        ts / pathlib.Path("foo"),
+
+        tainted_path.joinpath("foo", "bar"),
+        pathlib.Path("foo").joinpath(tainted_path, "bar"),
+        pathlib.Path("foo").joinpath("bar", tainted_path),
+
+        str(tainted_path),
+
+        # TODO: Tainted methods and attributes
+        # https://docs.python.org/3.8/library/pathlib.html#methods-and-properties
+    )
+
+    if os.name == "posix":
+        tainted_posix_path = pathlib.PosixPath(ts)
+
+        ensure_tainted(
+            tainted_posix_path,
+        )
+
+    if os.name == "nt":
+        tainted_windows_path = pathlib.WindowsPath(ts)
+        ensure_tainted(
+            tainted_windows_path,
+        )
+
+# Make tests runable
+
+test_basic()