Python: Handle taint for % formatting

2026-05-01 19:55:15 +02:00 · 2020-08-24 14:15:27 +02:00
parent 80745e8881
commit 1e447c5ca2
3 changed files with 26 additions and 0 deletions
--- a/python/ql/src/experimental/dataflow/internal/TaintTrackingPrivate.qll
+++ b/python/ql/src/experimental/dataflow/internal/TaintTrackingPrivate.qll
@@ -105,4 +105,14 @@ predicate stringMethods(DataFlow::CfgNode nodeFrom, DataFlow::CfgNode nodeTo) {
    method_name = "format_map" and
    nodeFrom.getNode() = call.getArg(0)
  )
+  or
+  // % formatting
+  exists(BinaryExprNode fmt | fmt = nodeTo.getNode() |
+    fmt.getOp() instanceof Mod and
+    (
+      fmt.getLeft() = nodeFrom.getNode()
+      or
+      fmt.getRight() = nodeFrom.getNode()
+    )
+  )
 }
--- a/python/ql/test/experimental/dataflow/tainttracking/string/TestTaint.expected
+++ b/python/ql/test/experimental/dataflow/tainttracking/string/TestTaint.expected
@@ -43,3 +43,6 @@
 | test.py:89 | fail | str_methods | ts.join(..) |
 | test.py:99 | fail | non_syntactic | meth() |
 | test.py:100 | fail | non_syntactic | _str(..) |
+| test.py:109 | ok   | percent_fmt | BinaryExpr |
+| test.py:110 | ok   | percent_fmt | BinaryExpr |
+| test.py:111 | fail | percent_fmt | BinaryExpr |
--- a/python/ql/test/experimental/dataflow/tainttracking/string/test.py
+++ b/python/ql/test/experimental/dataflow/tainttracking/string/test.py
@@ -100,8 +100,21 @@ def non_syntactic():
        _str(ts),
    )

+
+def percent_fmt():
+    print("\n#percent_fmt")
+    ts = TAINTED_STRING
+    tainted_fmt = ts + " %s %s"
+    ensure_tainted(
+        tainted_fmt % (1, 2),
+        "%s foo bar" % ts,
+        "%s %s %s" % (1, 2, ts),
+    )
+
+
 # Make tests runable

 str_operations()
 str_methods()
 non_syntactic()
+percent_fmt()