Python: Use variables in collection-taint test

They are not tainted in assignment, only in use. I also adopted an attempt at a better test-setup, where it's easy to see if everything is the way you hoped for, instead of browsing through 100 of lines of taint-step output :P
2026-05-01 03:35:13 +02:00 · 2020-01-23 14:30:09 +01:00
parent 772538ff46
commit 3db551d6bc
6 changed files with 126 additions and 116 deletions
--- a/python/ql/test/library-tests/taint/collections/TestNode.expected
+++ b/python/ql/test/library-tests/taint/collections/TestNode.expected
@@ -1,53 +0,0 @@
-| Taint [externally controlled string] | test.py:5 | test.py:5:20:5:35 | List |  |
-| Taint [externally controlled string] | test.py:6 | test.py:6:22:6:36 | Tuple |  |
-| Taint [externally controlled string] | test.py:10 | test.py:10:9:10:26 | list() |  |
-| Taint [externally controlled string] | test.py:10 | test.py:10:14:10:25 | tainted_list |  |
-| Taint [externally controlled string] | test.py:11 | test.py:11:9:11:27 | list() |  |
-| Taint [externally controlled string] | test.py:11 | test.py:11:14:11:26 | tainted_tuple |  |
-| Taint [externally controlled string] | test.py:13 | test.py:13:9:13:35 | list() |  |
-| Taint [externally controlled string] | test.py:13 | test.py:13:14:13:34 | Attribute() |  |
-| Taint [externally controlled string] | test.py:16 | test.py:16:9:16:27 | tuple() |  |
-| Taint [externally controlled string] | test.py:16 | test.py:16:15:16:26 | tainted_list |  |
-| Taint [externally controlled string] | test.py:17 | test.py:17:9:17:25 | set() |  |
-| Taint [externally controlled string] | test.py:17 | test.py:17:13:17:24 | tainted_list |  |
-| Taint [externally controlled string] | test.py:18 | test.py:18:19:18:30 | tainted_list |  |
-| Taint [externally controlled string] | test.py:21 | test.py:21:20:21:31 | TAINTED_LIST |  |
-| Taint [externally controlled string] | test.py:22 | test.py:22:9:22:20 | tainted_list |  |
-| Taint [externally controlled string] | test.py:23 | test.py:23:9:23:20 | tainted_list |  |
-| Taint [externally controlled string] | test.py:24 | test.py:24:9:24:20 | tainted_list |  |
-| Taint [externally controlled string] | test.py:24 | test.py:24:9:24:25 | Subscript |  |
-| Taint [externally controlled string] | test.py:25 | test.py:25:9:25:20 | tainted_list |  |
-| Taint [externally controlled string] | test.py:25 | test.py:25:9:25:27 | Attribute() |  |
-| Taint [externally controlled string] | test.py:26 | test.py:26:15:26:26 | tainted_list |  |
-| Taint [externally controlled string] | test.py:27 | test.py:27:14:27:25 | tainted_list |  |
-| Taint [externally controlled string] | test.py:29 | test.py:29:14:29:35 | reversed() |  |
-| Taint [externally controlled string] | test.py:29 | test.py:29:23:29:34 | tainted_list |  |
-| Taint [externally controlled string] | test.py:37 | test.py:37:14:37:34 | Attribute() |  |
-| Taint externally controlled string | test.py:4 | test.py:4:22:4:35 | TAINTED_STRING |  |
-| Taint externally controlled string | test.py:5 | test.py:5:21:5:34 | tainted_string |  |
-| Taint externally controlled string | test.py:6 | test.py:6:22:6:35 | tainted_string |  |
-| Taint externally controlled string | test.py:7 | test.py:7:20:7:33 | tainted_string |  |
-| Taint externally controlled string | test.py:8 | test.py:8:28:8:41 | tainted_string |  |
-| Taint externally controlled string | test.py:22 | test.py:22:9:22:23 | Subscript |  |
-| Taint externally controlled string | test.py:23 | test.py:23:9:23:23 | Subscript |  |
-| Taint externally controlled string | test.py:27 | test.py:27:5:27:26 | For |  |
-| Taint externally controlled string | test.py:28 | test.py:28:9:28:9 | h |  |
-| Taint externally controlled string | test.py:29 | test.py:29:5:29:36 | For |  |
-| Taint externally controlled string | test.py:30 | test.py:30:9:30:9 | i |  |
-| Taint externally controlled string | test.py:34 | test.py:34:9:34:28 | Subscript |  |
-| Taint externally controlled string | test.py:35 | test.py:35:9:35:23 | Subscript |  |
-| Taint externally controlled string | test.py:37 | test.py:37:5:37:35 | For |  |
-| Taint externally controlled string | test.py:38 | test.py:38:9:38:9 | d |  |
-| Taint externally controlled string | test.py:44 | test.py:44:19:44:32 | TAINTED_STRING |  |
-| Taint externally controlled string | test.py:54 | test.py:54:5:54:47 | BinaryExpr |  |
-| Taint externally controlled string | test.py:54 | test.py:54:34:54:47 | TAINTED_STRING |  |
-| Taint {externally controlled string} | test.py:8 | test.py:8:20:8:42 | Dict |  |
-| Taint {externally controlled string} | test.py:13 | test.py:13:14:13:25 | tainted_dict |  |
-| Taint {externally controlled string} | test.py:14 | test.py:14:14:14:25 | tainted_dict |  |
-| Taint {externally controlled string} | test.py:33 | test.py:33:20:33:31 | TAINTED_DICT |  |
-| Taint {externally controlled string} | test.py:34 | test.py:34:9:34:20 | tainted_dict |  |
-| Taint {externally controlled string} | test.py:35 | test.py:35:9:35:20 | tainted_dict |  |
-| Taint {externally controlled string} | test.py:36 | test.py:36:9:36:20 | tainted_dict |  |
-| Taint {externally controlled string} | test.py:36 | test.py:36:9:36:27 | Attribute() |  |
-| Taint {externally controlled string} | test.py:37 | test.py:37:14:37:25 | tainted_dict |  |
-| Taint {externally controlled string} | test.py:39 | test.py:39:17:39:28 | tainted_dict |  |
--- a/python/ql/test/library-tests/taint/collections/TestNode.ql
+++ b/python/ql/test/library-tests/taint/collections/TestNode.ql
@@ -1,9 +0,0 @@
-import python
-import semmle.python.security.TaintTracking
-import Taint
-
-
-from TaintedNode n
-where n.getLocation().getFile().getName().matches("%test.py")
-select "Taint " + n.getTaintKind(), n.getLocation().toString(), n.getCfgNode().getNode(), n.getContext()
-
--- a/python/ql/test/library-tests/taint/collections/TestStep.expected
+++ b/python/ql/test/library-tests/taint/collections/TestStep.expected
@@ -1,48 +1,60 @@
-| Taint [externally controlled string] | test.py:5 | test.py:5:20:5:35 | List |  |  -->  | Taint [externally controlled string] | test.py:10 | test.py:10:14:10:25 | tainted_list |  |
-| Taint [externally controlled string] | test.py:5 | test.py:5:20:5:35 | List |  |  -->  | Taint [externally controlled string] | test.py:16 | test.py:16:15:16:26 | tainted_list |  |
-| Taint [externally controlled string] | test.py:5 | test.py:5:20:5:35 | List |  |  -->  | Taint [externally controlled string] | test.py:17 | test.py:17:13:17:24 | tainted_list |  |
-| Taint [externally controlled string] | test.py:5 | test.py:5:20:5:35 | List |  |  -->  | Taint [externally controlled string] | test.py:18 | test.py:18:19:18:30 | tainted_list |  |
-| Taint [externally controlled string] | test.py:6 | test.py:6:22:6:36 | Tuple |  |  -->  | Taint [externally controlled string] | test.py:11 | test.py:11:14:11:26 | tainted_tuple |  |
-| Taint [externally controlled string] | test.py:10 | test.py:10:14:10:25 | tainted_list |  |  -->  | Taint [externally controlled string] | test.py:10 | test.py:10:9:10:26 | list() |  |
-| Taint [externally controlled string] | test.py:11 | test.py:11:14:11:26 | tainted_tuple |  |  -->  | Taint [externally controlled string] | test.py:11 | test.py:11:9:11:27 | list() |  |
-| Taint [externally controlled string] | test.py:13 | test.py:13:14:13:34 | Attribute() |  |  -->  | Taint [externally controlled string] | test.py:13 | test.py:13:9:13:35 | list() |  |
-| Taint [externally controlled string] | test.py:16 | test.py:16:15:16:26 | tainted_list |  |  -->  | Taint [externally controlled string] | test.py:16 | test.py:16:9:16:27 | tuple() |  |
-| Taint [externally controlled string] | test.py:17 | test.py:17:13:17:24 | tainted_list |  |  -->  | Taint [externally controlled string] | test.py:17 | test.py:17:9:17:25 | set() |  |
-| Taint [externally controlled string] | test.py:21 | test.py:21:20:21:31 | TAINTED_LIST |  |  -->  | Taint [externally controlled string] | test.py:22 | test.py:22:9:22:20 | tainted_list |  |
-| Taint [externally controlled string] | test.py:21 | test.py:21:20:21:31 | TAINTED_LIST |  |  -->  | Taint [externally controlled string] | test.py:23 | test.py:23:9:23:20 | tainted_list |  |
-| Taint [externally controlled string] | test.py:21 | test.py:21:20:21:31 | TAINTED_LIST |  |  -->  | Taint [externally controlled string] | test.py:24 | test.py:24:9:24:20 | tainted_list |  |
-| Taint [externally controlled string] | test.py:21 | test.py:21:20:21:31 | TAINTED_LIST |  |  -->  | Taint [externally controlled string] | test.py:25 | test.py:25:9:25:20 | tainted_list |  |
-| Taint [externally controlled string] | test.py:21 | test.py:21:20:21:31 | TAINTED_LIST |  |  -->  | Taint [externally controlled string] | test.py:26 | test.py:26:15:26:26 | tainted_list |  |
-| Taint [externally controlled string] | test.py:21 | test.py:21:20:21:31 | TAINTED_LIST |  |  -->  | Taint [externally controlled string] | test.py:27 | test.py:27:14:27:25 | tainted_list |  |
-| Taint [externally controlled string] | test.py:21 | test.py:21:20:21:31 | TAINTED_LIST |  |  -->  | Taint [externally controlled string] | test.py:29 | test.py:29:23:29:34 | tainted_list |  |
-| Taint [externally controlled string] | test.py:22 | test.py:22:9:22:20 | tainted_list |  |  -->  | Taint externally controlled string | test.py:22 | test.py:22:9:22:23 | Subscript |  |
-| Taint [externally controlled string] | test.py:23 | test.py:23:9:23:20 | tainted_list |  |  -->  | Taint externally controlled string | test.py:23 | test.py:23:9:23:23 | Subscript |  |
-| Taint [externally controlled string] | test.py:24 | test.py:24:9:24:20 | tainted_list |  |  -->  | Taint [externally controlled string] | test.py:24 | test.py:24:9:24:25 | Subscript |  |
-| Taint [externally controlled string] | test.py:25 | test.py:25:9:25:20 | tainted_list |  |  -->  | Taint [externally controlled string] | test.py:25 | test.py:25:9:25:27 | Attribute() |  |
-| Taint [externally controlled string] | test.py:27 | test.py:27:14:27:25 | tainted_list |  |  -->  | Taint externally controlled string | test.py:27 | test.py:27:5:27:26 | For |  |
-| Taint [externally controlled string] | test.py:29 | test.py:29:14:29:35 | reversed() |  |  -->  | Taint externally controlled string | test.py:29 | test.py:29:5:29:36 | For |  |
-| Taint [externally controlled string] | test.py:29 | test.py:29:23:29:34 | tainted_list |  |  -->  | Taint [externally controlled string] | test.py:29 | test.py:29:14:29:35 | reversed() |  |
-| Taint [externally controlled string] | test.py:37 | test.py:37:14:37:34 | Attribute() |  |  -->  | Taint externally controlled string | test.py:37 | test.py:37:5:37:35 | For |  |
-| Taint externally controlled string | test.py:4 | test.py:4:22:4:35 | TAINTED_STRING |  |  -->  | Taint externally controlled string | test.py:5 | test.py:5:21:5:34 | tainted_string |  |
-| Taint externally controlled string | test.py:4 | test.py:4:22:4:35 | TAINTED_STRING |  |  -->  | Taint externally controlled string | test.py:6 | test.py:6:22:6:35 | tainted_string |  |
-| Taint externally controlled string | test.py:4 | test.py:4:22:4:35 | TAINTED_STRING |  |  -->  | Taint externally controlled string | test.py:7 | test.py:7:20:7:33 | tainted_string |  |
-| Taint externally controlled string | test.py:4 | test.py:4:22:4:35 | TAINTED_STRING |  |  -->  | Taint externally controlled string | test.py:8 | test.py:8:28:8:41 | tainted_string |  |
-| Taint externally controlled string | test.py:5 | test.py:5:21:5:34 | tainted_string |  |  -->  | Taint [externally controlled string] | test.py:5 | test.py:5:20:5:35 | List |  |
-| Taint externally controlled string | test.py:6 | test.py:6:22:6:35 | tainted_string |  |  -->  | Taint [externally controlled string] | test.py:6 | test.py:6:22:6:36 | Tuple |  |
-| Taint externally controlled string | test.py:8 | test.py:8:28:8:41 | tainted_string |  |  -->  | Taint {externally controlled string} | test.py:8 | test.py:8:20:8:42 | Dict |  |
-| Taint externally controlled string | test.py:27 | test.py:27:5:27:26 | For |  |  -->  | Taint externally controlled string | test.py:28 | test.py:28:9:28:9 | h |  |
-| Taint externally controlled string | test.py:29 | test.py:29:5:29:36 | For |  |  -->  | Taint externally controlled string | test.py:30 | test.py:30:9:30:9 | i |  |
-| Taint externally controlled string | test.py:37 | test.py:37:5:37:35 | For |  |  -->  | Taint externally controlled string | test.py:38 | test.py:38:9:38:9 | d |  |
-| Taint externally controlled string | test.py:54 | test.py:54:34:54:47 | TAINTED_STRING |  |  -->  | Taint externally controlled string | test.py:54 | test.py:54:5:54:47 | BinaryExpr |  |
-| Taint {externally controlled string} | test.py:8 | test.py:8:20:8:42 | Dict |  |  -->  | Taint {externally controlled string} | test.py:13 | test.py:13:14:13:25 | tainted_dict |  |
-| Taint {externally controlled string} | test.py:8 | test.py:8:20:8:42 | Dict |  |  -->  | Taint {externally controlled string} | test.py:14 | test.py:14:14:14:25 | tainted_dict |  |
-| Taint {externally controlled string} | test.py:13 | test.py:13:14:13:25 | tainted_dict |  |  -->  | Taint [externally controlled string] | test.py:13 | test.py:13:14:13:34 | Attribute() |  |
-| Taint {externally controlled string} | test.py:33 | test.py:33:20:33:31 | TAINTED_DICT |  |  -->  | Taint {externally controlled string} | test.py:34 | test.py:34:9:34:20 | tainted_dict |  |
-| Taint {externally controlled string} | test.py:33 | test.py:33:20:33:31 | TAINTED_DICT |  |  -->  | Taint {externally controlled string} | test.py:35 | test.py:35:9:35:20 | tainted_dict |  |
-| Taint {externally controlled string} | test.py:33 | test.py:33:20:33:31 | TAINTED_DICT |  |  -->  | Taint {externally controlled string} | test.py:36 | test.py:36:9:36:20 | tainted_dict |  |
-| Taint {externally controlled string} | test.py:33 | test.py:33:20:33:31 | TAINTED_DICT |  |  -->  | Taint {externally controlled string} | test.py:37 | test.py:37:14:37:25 | tainted_dict |  |
-| Taint {externally controlled string} | test.py:33 | test.py:33:20:33:31 | TAINTED_DICT |  |  -->  | Taint {externally controlled string} | test.py:39 | test.py:39:17:39:28 | tainted_dict |  |
-| Taint {externally controlled string} | test.py:34 | test.py:34:9:34:20 | tainted_dict |  |  -->  | Taint externally controlled string | test.py:34 | test.py:34:9:34:28 | Subscript |  |
-| Taint {externally controlled string} | test.py:35 | test.py:35:9:35:20 | tainted_dict |  |  -->  | Taint externally controlled string | test.py:35 | test.py:35:9:35:23 | Subscript |  |
-| Taint {externally controlled string} | test.py:36 | test.py:36:9:36:20 | tainted_dict |  |  -->  | Taint {externally controlled string} | test.py:36 | test.py:36:9:36:27 | Attribute() |  |
-| Taint {externally controlled string} | test.py:37 | test.py:37:14:37:25 | tainted_dict |  |  -->  | Taint [externally controlled string] | test.py:37 | test.py:37:14:37:34 | Attribute() |  |
+| Taint [externally controlled string] | test.py:9 | test.py:9:20:9:35 | List |  |  -->  | Taint [externally controlled string] | test.py:14 | test.py:14:14:14:25 | tainted_list |  |
+| Taint [externally controlled string] | test.py:9 | test.py:9:20:9:35 | List |  |  -->  | Taint [externally controlled string] | test.py:20 | test.py:20:15:20:26 | tainted_list |  |
+| Taint [externally controlled string] | test.py:9 | test.py:9:20:9:35 | List |  |  -->  | Taint [externally controlled string] | test.py:21 | test.py:21:13:21:24 | tainted_list |  |
+| Taint [externally controlled string] | test.py:9 | test.py:9:20:9:35 | List |  |  -->  | Taint [externally controlled string] | test.py:22 | test.py:22:19:22:30 | tainted_list |  |
+| Taint [externally controlled string] | test.py:10 | test.py:10:22:10:36 | Tuple |  |  -->  | Taint [externally controlled string] | test.py:15 | test.py:15:14:15:26 | tainted_tuple |  |
+| Taint [externally controlled string] | test.py:14 | test.py:14:9:14:26 | list() |  |  -->  | Taint [externally controlled string] | test.py:23 | test.py:23:10:23:10 | a |  |
+| Taint [externally controlled string] | test.py:14 | test.py:14:14:14:25 | tainted_list |  |  -->  | Taint [externally controlled string] | test.py:14 | test.py:14:9:14:26 | list() |  |
+| Taint [externally controlled string] | test.py:15 | test.py:15:9:15:27 | list() |  |  -->  | Taint [externally controlled string] | test.py:23 | test.py:23:13:23:13 | b |  |
+| Taint [externally controlled string] | test.py:15 | test.py:15:14:15:26 | tainted_tuple |  |  -->  | Taint [externally controlled string] | test.py:15 | test.py:15:9:15:27 | list() |  |
+| Taint [externally controlled string] | test.py:17 | test.py:17:9:17:35 | list() |  |  -->  | Taint [externally controlled string] | test.py:23 | test.py:23:19:23:19 | d |  |
+| Taint [externally controlled string] | test.py:17 | test.py:17:14:17:34 | Attribute() |  |  -->  | Taint [externally controlled string] | test.py:17 | test.py:17:9:17:35 | list() |  |
+| Taint [externally controlled string] | test.py:20 | test.py:20:9:20:27 | tuple() |  |  -->  | Taint [externally controlled string] | test.py:23 | test.py:23:25:23:25 | f |  |
+| Taint [externally controlled string] | test.py:20 | test.py:20:15:20:26 | tainted_list |  |  -->  | Taint [externally controlled string] | test.py:20 | test.py:20:9:20:27 | tuple() |  |
+| Taint [externally controlled string] | test.py:21 | test.py:21:9:21:25 | set() |  |  -->  | Taint [externally controlled string] | test.py:23 | test.py:23:28:23:28 | g |  |
+| Taint [externally controlled string] | test.py:21 | test.py:21:13:21:24 | tainted_list |  |  -->  | Taint [externally controlled string] | test.py:21 | test.py:21:9:21:25 | set() |  |
+| Taint [externally controlled string] | test.py:26 | test.py:26:20:26:31 | TAINTED_LIST |  |  -->  | Taint [externally controlled string] | test.py:27 | test.py:27:9:27:20 | tainted_list |  |
+| Taint [externally controlled string] | test.py:26 | test.py:26:20:26:31 | TAINTED_LIST |  |  -->  | Taint [externally controlled string] | test.py:28 | test.py:28:9:28:20 | tainted_list |  |
+| Taint [externally controlled string] | test.py:26 | test.py:26:20:26:31 | TAINTED_LIST |  |  -->  | Taint [externally controlled string] | test.py:29 | test.py:29:9:29:20 | tainted_list |  |
+| Taint [externally controlled string] | test.py:26 | test.py:26:20:26:31 | TAINTED_LIST |  |  -->  | Taint [externally controlled string] | test.py:30 | test.py:30:9:30:20 | tainted_list |  |
+| Taint [externally controlled string] | test.py:26 | test.py:26:20:26:31 | TAINTED_LIST |  |  -->  | Taint [externally controlled string] | test.py:31 | test.py:31:15:31:26 | tainted_list |  |
+| Taint [externally controlled string] | test.py:26 | test.py:26:20:26:31 | TAINTED_LIST |  |  -->  | Taint [externally controlled string] | test.py:33 | test.py:33:14:33:25 | tainted_list |  |
+| Taint [externally controlled string] | test.py:26 | test.py:26:20:26:31 | TAINTED_LIST |  |  -->  | Taint [externally controlled string] | test.py:35 | test.py:35:23:35:34 | tainted_list |  |
+| Taint [externally controlled string] | test.py:27 | test.py:27:9:27:20 | tainted_list |  |  -->  | Taint externally controlled string | test.py:27 | test.py:27:9:27:23 | Subscript |  |
+| Taint [externally controlled string] | test.py:28 | test.py:28:9:28:20 | tainted_list |  |  -->  | Taint externally controlled string | test.py:28 | test.py:28:9:28:23 | Subscript |  |
+| Taint [externally controlled string] | test.py:29 | test.py:29:9:29:20 | tainted_list |  |  -->  | Taint [externally controlled string] | test.py:29 | test.py:29:9:29:25 | Subscript |  |
+| Taint [externally controlled string] | test.py:29 | test.py:29:9:29:25 | Subscript |  |  -->  | Taint [externally controlled string] | test.py:32 | test.py:32:16:32:16 | c |  |
+| Taint [externally controlled string] | test.py:30 | test.py:30:9:30:20 | tainted_list |  |  -->  | Taint [externally controlled string] | test.py:30 | test.py:30:9:30:27 | Attribute() |  |
+| Taint [externally controlled string] | test.py:30 | test.py:30:9:30:27 | Attribute() |  |  -->  | Taint [externally controlled string] | test.py:32 | test.py:32:19:32:19 | d |  |
+| Taint [externally controlled string] | test.py:33 | test.py:33:14:33:25 | tainted_list |  |  -->  | Taint externally controlled string | test.py:33 | test.py:33:5:33:26 | For |  |
+| Taint [externally controlled string] | test.py:35 | test.py:35:14:35:35 | reversed() |  |  -->  | Taint externally controlled string | test.py:35 | test.py:35:5:35:36 | For |  |
+| Taint [externally controlled string] | test.py:35 | test.py:35:23:35:34 | tainted_list |  |  -->  | Taint [externally controlled string] | test.py:35 | test.py:35:14:35:35 | reversed() |  |
+| Taint [externally controlled string] | test.py:44 | test.py:44:14:44:34 | Attribute() |  |  -->  | Taint externally controlled string | test.py:44 | test.py:44:5:44:35 | For |  |
+| Taint externally controlled string | test.py:8 | test.py:8:22:8:35 | TAINTED_STRING |  |  -->  | Taint externally controlled string | test.py:9 | test.py:9:21:9:34 | tainted_string |  |
+| Taint externally controlled string | test.py:8 | test.py:8:22:8:35 | TAINTED_STRING |  |  -->  | Taint externally controlled string | test.py:10 | test.py:10:22:10:35 | tainted_string |  |
+| Taint externally controlled string | test.py:8 | test.py:8:22:8:35 | TAINTED_STRING |  |  -->  | Taint externally controlled string | test.py:11 | test.py:11:20:11:33 | tainted_string |  |
+| Taint externally controlled string | test.py:8 | test.py:8:22:8:35 | TAINTED_STRING |  |  -->  | Taint externally controlled string | test.py:12 | test.py:12:28:12:41 | tainted_string |  |
+| Taint externally controlled string | test.py:9 | test.py:9:21:9:34 | tainted_string |  |  -->  | Taint [externally controlled string] | test.py:9 | test.py:9:20:9:35 | List |  |
+| Taint externally controlled string | test.py:10 | test.py:10:22:10:35 | tainted_string |  |  -->  | Taint [externally controlled string] | test.py:10 | test.py:10:22:10:36 | Tuple |  |
+| Taint externally controlled string | test.py:12 | test.py:12:28:12:41 | tainted_string |  |  -->  | Taint {externally controlled string} | test.py:12 | test.py:12:20:12:42 | Dict |  |
+| Taint externally controlled string | test.py:27 | test.py:27:9:27:23 | Subscript |  |  -->  | Taint externally controlled string | test.py:32 | test.py:32:10:32:10 | a |  |
+| Taint externally controlled string | test.py:28 | test.py:28:9:28:23 | Subscript |  |  -->  | Taint externally controlled string | test.py:32 | test.py:32:13:32:13 | b |  |
+| Taint externally controlled string | test.py:33 | test.py:33:5:33:26 | For |  |  -->  | Taint externally controlled string | test.py:34 | test.py:34:14:34:14 | h |  |
+| Taint externally controlled string | test.py:35 | test.py:35:5:35:36 | For |  |  -->  | Taint externally controlled string | test.py:36 | test.py:36:14:36:14 | i |  |
+| Taint externally controlled string | test.py:40 | test.py:40:9:40:28 | Subscript |  |  -->  | Taint externally controlled string | test.py:43 | test.py:43:10:43:10 | a |  |
+| Taint externally controlled string | test.py:41 | test.py:41:9:41:23 | Subscript |  |  -->  | Taint externally controlled string | test.py:43 | test.py:43:13:43:13 | b |  |
+| Taint externally controlled string | test.py:44 | test.py:44:5:44:35 | For |  |  -->  | Taint externally controlled string | test.py:45 | test.py:45:14:45:14 | d |  |
+| Taint externally controlled string | test.py:62 | test.py:62:34:62:47 | TAINTED_STRING |  |  -->  | Taint externally controlled string | test.py:62 | test.py:62:5:62:47 | BinaryExpr |  |
+| Taint {externally controlled string} | test.py:12 | test.py:12:20:12:42 | Dict |  |  -->  | Taint {externally controlled string} | test.py:17 | test.py:17:14:17:25 | tainted_dict |  |
+| Taint {externally controlled string} | test.py:12 | test.py:12:20:12:42 | Dict |  |  -->  | Taint {externally controlled string} | test.py:18 | test.py:18:14:18:25 | tainted_dict |  |
+| Taint {externally controlled string} | test.py:17 | test.py:17:14:17:25 | tainted_dict |  |  -->  | Taint [externally controlled string] | test.py:17 | test.py:17:14:17:34 | Attribute() |  |
+| Taint {externally controlled string} | test.py:39 | test.py:39:20:39:31 | TAINTED_DICT |  |  -->  | Taint {externally controlled string} | test.py:40 | test.py:40:9:40:20 | tainted_dict |  |
+| Taint {externally controlled string} | test.py:39 | test.py:39:20:39:31 | TAINTED_DICT |  |  -->  | Taint {externally controlled string} | test.py:41 | test.py:41:9:41:20 | tainted_dict |  |
+| Taint {externally controlled string} | test.py:39 | test.py:39:20:39:31 | TAINTED_DICT |  |  -->  | Taint {externally controlled string} | test.py:42 | test.py:42:9:42:20 | tainted_dict |  |
+| Taint {externally controlled string} | test.py:39 | test.py:39:20:39:31 | TAINTED_DICT |  |  -->  | Taint {externally controlled string} | test.py:44 | test.py:44:14:44:25 | tainted_dict |  |
+| Taint {externally controlled string} | test.py:39 | test.py:39:20:39:31 | TAINTED_DICT |  |  -->  | Taint {externally controlled string} | test.py:46 | test.py:46:17:46:28 | tainted_dict |  |
+| Taint {externally controlled string} | test.py:40 | test.py:40:9:40:20 | tainted_dict |  |  -->  | Taint externally controlled string | test.py:40 | test.py:40:9:40:28 | Subscript |  |
+| Taint {externally controlled string} | test.py:41 | test.py:41:9:41:20 | tainted_dict |  |  -->  | Taint externally controlled string | test.py:41 | test.py:41:9:41:23 | Subscript |  |
+| Taint {externally controlled string} | test.py:42 | test.py:42:9:42:20 | tainted_dict |  |  -->  | Taint {externally controlled string} | test.py:42 | test.py:42:9:42:27 | Attribute() |  |
+| Taint {externally controlled string} | test.py:42 | test.py:42:9:42:27 | Attribute() |  |  -->  | Taint {externally controlled string} | test.py:43 | test.py:43:16:43:16 | c |  |
+| Taint {externally controlled string} | test.py:44 | test.py:44:14:44:25 | tainted_dict |  |  -->  | Taint [externally controlled string] | test.py:44 | test.py:44:14:44:34 | Attribute() |  |
--- a/python/ql/test/library-tests/taint/collections/TestTaint.expected
+++ b/python/ql/test/library-tests/taint/collections/TestTaint.expected
@@ -0,0 +1,33 @@
+| test.py:23 | test_construction | a | [externally controlled string] |
+| test.py:23 | test_construction | b | [externally controlled string] |
+| test.py:23 | test_construction | c | NO TAINT |
+| test.py:23 | test_construction | d | [externally controlled string] |
+| test.py:23 | test_construction | e | NO TAINT |
+| test.py:23 | test_construction | f | [externally controlled string] |
+| test.py:23 | test_construction | g | [externally controlled string] |
+| test.py:23 | test_construction | h | NO TAINT |
+| test.py:32 | test_access | a | externally controlled string |
+| test.py:32 | test_access | b | externally controlled string |
+| test.py:32 | test_access | c | [externally controlled string] |
+| test.py:32 | test_access | d | [externally controlled string] |
+| test.py:32 | test_access | e | NO TAINT |
+| test.py:32 | test_access | f | NO TAINT |
+| test.py:32 | test_access | g | NO TAINT |
+| test.py:34 | test_access | h | externally controlled string |
+| test.py:36 | test_access | i | externally controlled string |
+| test.py:43 | test_dict_access | a | externally controlled string |
+| test.py:43 | test_dict_access | b | externally controlled string |
+| test.py:43 | test_dict_access | c | {externally controlled string} |
+| test.py:45 | test_dict_access | d | externally controlled string |
+| test.py:47 | test_dict_access | e | NO TAINT |
+| test.py:58 | test_named_tuple | a | NO TAINT |
+| test.py:58 | test_named_tuple | b | NO TAINT |
+| test.py:58 | test_named_tuple | c | NO TAINT |
+| test.py:58 | test_named_tuple | d | NO TAINT |
+| test.py:58 | test_named_tuple | e | NO TAINT |
+| test.py:58 | test_named_tuple | f | NO TAINT |
+| test.py:67 | test_defaultdict | a | NO TAINT |
+| test.py:67 | test_defaultdict | b | NO TAINT |
+| test.py:67 | test_defaultdict | c | NO TAINT |
+| test.py:69 | test_defaultdict | d | NO TAINT |
+| test.py:71 | test_defaultdict | e | NO TAINT |
--- a/python/ql/test/library-tests/taint/collections/TestTaint.ql
+++ b/python/ql/test/library-tests/taint/collections/TestTaint.ql
@@ -0,0 +1,18 @@
+import python
+import semmle.python.security.TaintTracking
+import Taint
+
+from Call call, Expr arg, string taint_string
+where
+    call.getLocation().getFile().getShortName() = "test.py" and
+    call.getFunc().(Name).getId() = "test" and
+    arg = call.getAnArg() and
+    (
+        not exists(TaintedNode tainted | tainted.getAstNode() = arg) and
+        taint_string = "NO TAINT"
+        or
+        exists(TaintedNode tainted | tainted.getAstNode() = arg |
+            taint_string = tainted.getTaintKind().toString()
+        )
+    )
+select arg.getLocation().toString(), call.getScope().(Function).getName(), arg.toString(), taint_string
--- a/python/ql/test/library-tests/taint/collections/test.py
+++ b/python/ql/test/library-tests/taint/collections/test.py
@@ -1,5 +1,9 @@
 from collections import defaultdict, namedtuple

+# Use to show only interesting results in qltest output
+def test(*args):
+    pass
+
 def test_construction():
    tainted_string = TAINTED_STRING
    tainted_list = [tainted_string]
@@ -16,6 +20,7 @@ def test_construction():
    f = tuple(tainted_list)
    g = set(tainted_list)
    h = frozenset(tainted_list) # TODO: frozenset constructor currently not handled
+    test(a, b, c, d, e, f, g, h)

 def test_access():
    tainted_list = TAINTED_LIST
@@ -24,20 +29,22 @@ def test_access():
    c = tainted_list[y:z]
    d = tainted_list.copy()
    e, f, g = tainted_list # TODO: currently not handled
+    test(a, b, c, d, e, f, g)
    for h in tainted_list:
-        h
+        test(h)
    for i in reversed(tainted_list):
-        i
+        test(i)

 def test_dict_access(x):
    tainted_dict = TAINTED_DICT
    a = tainted_dict["name"]
    b = tainted_dict[x]
    c = tainted_dict.copy()
+    test(a, b, c)
    for d in tainted_dict.values():
-        d
+        test(d)
    for _, e in tainted_dict.items(): # TODO: dict.items() currently not handled
-        e
+        test(e)

 def test_named_tuple(): # TODO: namedtuple currently not handled
    Point = namedtuple('Point', ['x', 'y'])
@@ -48,6 +55,7 @@ def test_named_tuple(): # TODO: namedtuple currently not handled
    c = point[1]
    d = point.y
    e, f = point
+    test(a, b, c, d, e, f)

 def test_defaultdict(key, x): # TODO: defaultdict currently not handled
    tainted_default_dict = defaultdict(str)
@@ -56,7 +64,8 @@ def test_defaultdict(key, x): # TODO: defaultdict currently not handled
    a = tainted_dict["name"]
    b = tainted_dict[x]
    c = tainted_dict.copy()
+    test(a, b, c)
    for d in tainted_dict.values():
-        d
+        test(d)
    for _, e in tainted_dict.items():
-        e
+        test(e)