Merge pull request #2100 from RasmusWL/python-fix-hasFlowPath

Python: Fix hasFlowPath default implementation of isSink/2
2026-05-02 04:05:14 +02:00 · 2019-10-18 11:16:58 +02:00
parent dcc446660e bf197b9f20
commit 37291c5642
5 changed files with 75 additions and 0 deletions
--- a/python/ql/src/semmle/python/dataflow/Configuration.qll
+++ b/python/ql/src/semmle/python/dataflow/Configuration.qll
@@ -51,6 +51,7 @@ module TaintTracking {
         */
        predicate isSink(DataFlow::Node node, TaintKind kind) {
            exists(TaintSink sink |
+                this.isSink(sink) and
                node.asCfgNode() = sink and
                sink.sinks(kind)
            )
--- a/python/ql/test/library-tests/taint/flowpath_regression/Config.qll
+++ b/python/ql/test/library-tests/taint/flowpath_regression/Config.qll
@@ -0,0 +1,45 @@
+import python
+import semmle.python.security.TaintTracking
+import semmle.python.security.strings.Untrusted
+
+class FooSource extends TaintSource {
+    FooSource() { this.(CallNode).getFunction().(NameNode).getId() = "foo_source" }
+
+    override predicate isSourceOf(TaintKind kind) { kind instanceof UntrustedStringKind }
+
+    override string toString() { result = "FooSource" }
+}
+
+class FooSink extends TaintSink {
+    FooSink() {
+        exists(CallNode call |
+            call.getFunction().(NameNode).getId() = "foo_sink" and
+            call.getAnArg() = this
+        )
+    }
+
+    override predicate sinks(TaintKind kind) { kind instanceof UntrustedStringKind }
+
+    override string toString() { result = "FooSink" }
+}
+
+class FooConfig extends TaintTracking::Configuration {
+    FooConfig() { this = "FooConfig" }
+
+    override predicate isSource(TaintTracking::Source source) { source instanceof FooSource }
+
+    override predicate isSink(TaintTracking::Sink sink) { sink instanceof FooSink }
+}
+
+class BarSink extends TaintSink {
+    BarSink() {
+        exists(CallNode call |
+            call.getFunction().(NameNode).getId() = "bar_sink" and
+            call.getAnArg() = this
+        )
+    }
+
+    override predicate sinks(TaintKind kind) { kind instanceof UntrustedStringKind }
+
+    override string toString() { result = "BarSink" }
+}
--- a/python/ql/test/library-tests/taint/flowpath_regression/Path.expected
+++ b/python/ql/test/library-tests/taint/flowpath_regression/Path.expected
@@ -0,0 +1 @@
+| test.py:16:9:16:20 | foo_source() | test.py:17:14:17:14 | x |
--- a/python/ql/test/library-tests/taint/flowpath_regression/Path.ql
+++ b/python/ql/test/library-tests/taint/flowpath_regression/Path.ql
@@ -0,0 +1,6 @@
+import python
+import Config
+
+from FooConfig config, TaintedPathSource src, TaintedPathSink sink
+where config.hasFlowPath(src, sink)
+select src.getSource(), sink.getSink()
--- a/python/ql/test/library-tests/taint/flowpath_regression/test.py
+++ b/python/ql/test/library-tests/taint/flowpath_regression/test.py
@@ -0,0 +1,22 @@
+def foo_source():
+    return 'foo'
+
+
+def foo_sink(x):
+    if x == 'foo':
+        print('fire the foo missiles')
+
+
+def bar_sink(x):
+    if x == 'bar':
+        print('fire the bar missiles')
+
+
+def should_report():
+    x = foo_source()
+    foo_sink(x)
+
+
+def should_not_report():
+    x = foo_source()
+    bar_sink(x)
				`@@ -0,0 +1 @@`
				`\| test.py:16:9:16:20 \| foo_source() \| test.py:17:14:17:14 \| x \|`