mirror of
https://github.com/github/codeql.git
synced 2026-04-30 11:15:13 +02:00
Python: Port taint tests to use inline expectations
The meat of this PR is described in the new python/ql/test/experimental/meta/InlineTaintTest.qll file: > Defines a InlineExpectationsTest for checking whether any arguments in > `ensure_tainted` and `ensure_not_tainted` calls are tainted. > > Also defines query predicates to ensure that: > - if any arguments to `ensure_not_tainted` are tainted, their annotation is marked with `SPURIOUS`. > - if any arguments to `ensure_tainted` are not tainted, their annotation is marked with `MISSING`. > > The functionality of this module is tested in `ql/test/experimental/meta/inline-taint-test-demo`.
This commit is contained in:
Rasmus Wriedt Larsen
@@ -0,0 +1,3 @@
|
||||
argumentToEnsureNotTaintedNotMarkedAsSpurious
|
||||
untaintedArgumentToEnsureTaintedNotMarkedAsMissing
|
||||
failures
|
||||
@@ -1,4 +1,4 @@
|
||||
import experimental.dataflow.tainttracking.TestTaintLib
|
||||
import experimental.meta.InlineTaintTest
|
||||
import semmle.python.dataflow.new.BarrierGuards
|
||||
|
||||
class CustomSanitizerOverrides extends TestTaintTrackingConfiguration {
|
||||
@@ -1,27 +0,0 @@
|
||||
| test_string_const_compare.py:16 | ok | test_eq | ts |
|
||||
| test_string_const_compare.py:18 | ok | test_eq | ts |
|
||||
| test_string_const_compare.py:20 | ok | test_eq | ts |
|
||||
| test_string_const_compare.py:27 | ok | test_eq_unsafe | ts |
|
||||
| test_string_const_compare.py:29 | ok | test_eq_unsafe | ts |
|
||||
| test_string_const_compare.py:35 | fail | test_eq_with_or | ts |
|
||||
| test_string_const_compare.py:37 | ok | test_eq_with_or | ts |
|
||||
| test_string_const_compare.py:43 | ok | test_non_eq1 | ts |
|
||||
| test_string_const_compare.py:45 | ok | test_non_eq1 | ts |
|
||||
| test_string_const_compare.py:51 | ok | test_non_eq2 | ts |
|
||||
| test_string_const_compare.py:53 | fail | test_non_eq2 | ts |
|
||||
| test_string_const_compare.py:59 | ok | test_in_list | ts |
|
||||
| test_string_const_compare.py:61 | ok | test_in_list | ts |
|
||||
| test_string_const_compare.py:67 | ok | test_in_tuple | ts |
|
||||
| test_string_const_compare.py:69 | ok | test_in_tuple | ts |
|
||||
| test_string_const_compare.py:75 | ok | test_in_set | ts |
|
||||
| test_string_const_compare.py:77 | ok | test_in_set | ts |
|
||||
| test_string_const_compare.py:83 | ok | test_in_unsafe1 | ts |
|
||||
| test_string_const_compare.py:85 | ok | test_in_unsafe1 | ts |
|
||||
| test_string_const_compare.py:91 | ok | test_in_unsafe2 | ts |
|
||||
| test_string_const_compare.py:93 | ok | test_in_unsafe2 | ts |
|
||||
| test_string_const_compare.py:99 | ok | test_not_in1 | ts |
|
||||
| test_string_const_compare.py:101 | ok | test_not_in1 | ts |
|
||||
| test_string_const_compare.py:107 | ok | test_not_in2 | ts |
|
||||
| test_string_const_compare.py:109 | fail | test_not_in2 | ts |
|
||||
| test_string_const_compare.py:119 | fail | test_eq_thorugh_func | ts |
|
||||
| test_string_const_compare.py:121 | ok | test_eq_thorugh_func | ts |
|
||||
@@ -15,32 +15,32 @@ def test_eq():
|
||||
if ts == "safe":
|
||||
ensure_not_tainted(ts)
|
||||
else:
|
||||
ensure_tainted(ts)
|
||||
ensure_tainted(ts) # $ tainted
|
||||
# ts should still be tainted after exiting the if block
|
||||
ensure_tainted(ts)
|
||||
ensure_tainted(ts) # $ tainted
|
||||
|
||||
|
||||
def test_eq_unsafe(x="foo"):
|
||||
"""This test-case might seem strange, but it was a FP in our old points-to based analysis."""
|
||||
ts = TAINTED_STRING
|
||||
if ts == ts:
|
||||
ensure_tainted(ts)
|
||||
ensure_tainted(ts) # $ tainted
|
||||
if ts == x:
|
||||
ensure_tainted(ts)
|
||||
ensure_tainted(ts) # $ tainted
|
||||
|
||||
|
||||
def test_eq_with_or():
|
||||
ts = TAINTED_STRING
|
||||
if ts == "safe" or ts == "also_safe":
|
||||
ensure_not_tainted(ts)
|
||||
ensure_not_tainted(ts) # $ SPURIOUS: tainted
|
||||
else:
|
||||
ensure_tainted(ts)
|
||||
ensure_tainted(ts) # $ tainted
|
||||
|
||||
|
||||
def test_non_eq1():
|
||||
ts = TAINTED_STRING
|
||||
if ts != "safe":
|
||||
ensure_tainted(ts)
|
||||
ensure_tainted(ts) # $ tainted
|
||||
else:
|
||||
ensure_not_tainted(ts)
|
||||
|
||||
@@ -48,9 +48,9 @@ def test_non_eq1():
|
||||
def test_non_eq2():
|
||||
ts = TAINTED_STRING
|
||||
if not ts == "safe":
|
||||
ensure_tainted(ts)
|
||||
ensure_tainted(ts) # $ tainted
|
||||
else:
|
||||
ensure_not_tainted(ts)
|
||||
ensure_not_tainted(ts) # $ SPURIOUS: tainted
|
||||
|
||||
|
||||
def test_in_list():
|
||||
@@ -58,7 +58,7 @@ def test_in_list():
|
||||
if ts in ["safe", "also_safe"]:
|
||||
ensure_not_tainted(ts)
|
||||
else:
|
||||
ensure_tainted(ts)
|
||||
ensure_tainted(ts) # $ tainted
|
||||
|
||||
|
||||
def test_in_tuple():
|
||||
@@ -66,7 +66,7 @@ def test_in_tuple():
|
||||
if ts in ("safe", "also_safe"):
|
||||
ensure_not_tainted(ts)
|
||||
else:
|
||||
ensure_tainted(ts)
|
||||
ensure_tainted(ts) # $ tainted
|
||||
|
||||
|
||||
def test_in_set():
|
||||
@@ -74,29 +74,29 @@ def test_in_set():
|
||||
if ts in {"safe", "also_safe"}:
|
||||
ensure_not_tainted(ts)
|
||||
else:
|
||||
ensure_tainted(ts)
|
||||
ensure_tainted(ts) # $ tainted
|
||||
|
||||
|
||||
def test_in_unsafe1(xs):
|
||||
ts = TAINTED_STRING
|
||||
if ts in xs:
|
||||
ensure_tainted(ts)
|
||||
ensure_tainted(ts) # $ tainted
|
||||
else:
|
||||
ensure_tainted(ts)
|
||||
ensure_tainted(ts) # $ tainted
|
||||
|
||||
|
||||
def test_in_unsafe2(x):
|
||||
ts = TAINTED_STRING
|
||||
if ts in ["safe", x]:
|
||||
ensure_tainted(ts)
|
||||
ensure_tainted(ts) # $ tainted
|
||||
else:
|
||||
ensure_tainted(ts)
|
||||
ensure_tainted(ts) # $ tainted
|
||||
|
||||
|
||||
def test_not_in1():
|
||||
ts = TAINTED_STRING
|
||||
if ts not in ["safe", "also_safe"]:
|
||||
ensure_tainted(ts)
|
||||
ensure_tainted(ts) # $ tainted
|
||||
else:
|
||||
ensure_not_tainted(ts)
|
||||
|
||||
@@ -104,9 +104,9 @@ def test_not_in1():
|
||||
def test_not_in2():
|
||||
ts = TAINTED_STRING
|
||||
if not ts in ["safe", "also_safe"]:
|
||||
ensure_tainted(ts)
|
||||
ensure_tainted(ts) # $ tainted
|
||||
else:
|
||||
ensure_not_tainted(ts)
|
||||
ensure_not_tainted(ts) # $ SPURIOUS: tainted
|
||||
|
||||
|
||||
def is_safe(x):
|
||||
@@ -116,9 +116,9 @@ def is_safe(x):
|
||||
def test_eq_thorugh_func():
|
||||
ts = TAINTED_STRING
|
||||
if is_safe(ts):
|
||||
ensure_not_tainted(ts)
|
||||
ensure_not_tainted(ts) # $ SPURIOUS: tainted
|
||||
else:
|
||||
ensure_tainted(ts)
|
||||
ensure_tainted(ts) # $ tainted
|
||||
|
||||
|
||||
# Make tests runable
|
||||
|
||||
@@ -0,0 +1,20 @@
|
||||
argumentToEnsureNotTaintedNotMarkedAsSpurious
|
||||
untaintedArgumentToEnsureTaintedNotMarkedAsMissing
|
||||
failures
|
||||
isSanitizer
|
||||
| TestTaintTrackingConfiguration | test.py:21:39:21:39 | ControlFlowNode for s |
|
||||
| TestTaintTrackingConfiguration | test.py:50:10:50:29 | ControlFlowNode for emulated_escaping() |
|
||||
isSanitizerGuard
|
||||
| TestTaintTrackingConfiguration | test.py:35:8:35:26 | ControlFlowNode for emulated_is_safe() |
|
||||
| TestTaintTrackingConfiguration | test_logical.py:29:8:29:17 | ControlFlowNode for is_safe() |
|
||||
| TestTaintTrackingConfiguration | test_logical.py:44:8:44:17 | ControlFlowNode for is_safe() |
|
||||
| TestTaintTrackingConfiguration | test_logical.py:52:12:52:21 | ControlFlowNode for is_safe() |
|
||||
| TestTaintTrackingConfiguration | test_logical.py:72:8:72:17 | ControlFlowNode for is_safe() |
|
||||
| TestTaintTrackingConfiguration | test_logical.py:80:12:80:21 | ControlFlowNode for is_safe() |
|
||||
| TestTaintTrackingConfiguration | test_logical.py:104:8:104:17 | ControlFlowNode for is_safe() |
|
||||
| TestTaintTrackingConfiguration | test_logical.py:127:12:127:21 | ControlFlowNode for is_safe() |
|
||||
| TestTaintTrackingConfiguration | test_logical.py:132:16:132:25 | ControlFlowNode for is_safe() |
|
||||
| TestTaintTrackingConfiguration | test_logical.py:137:20:137:29 | ControlFlowNode for is_safe() |
|
||||
| TestTaintTrackingConfiguration | test_reference.py:30:8:30:17 | ControlFlowNode for is_safe() |
|
||||
| TestTaintTrackingConfiguration | test_reference.py:40:8:40:25 | ControlFlowNode for is_safe() |
|
||||
| TestTaintTrackingConfiguration | test_reference.py:55:8:55:21 | ControlFlowNode for is_safe() |
|
||||
@@ -1,4 +1,4 @@
|
||||
import experimental.dataflow.tainttracking.TestTaintLib
|
||||
import experimental.meta.InlineTaintTest
|
||||
|
||||
class IsSafeCheck extends DataFlow::BarrierGuard {
|
||||
IsSafeCheck() {
|
||||
@@ -1,61 +0,0 @@
|
||||
test_taint
|
||||
| test.py:22 | ok | test_custom_sanitizer | s |
|
||||
| test.py:36 | ok | test_custom_sanitizer_guard | s |
|
||||
| test.py:38 | ok | test_custom_sanitizer_guard | s |
|
||||
| test.py:40 | ok | test_custom_sanitizer_guard | s |
|
||||
| test.py:51 | ok | test_escape | s2 |
|
||||
| test_logical.py:30 | ok | test_basic | s |
|
||||
| test_logical.py:32 | ok | test_basic | s |
|
||||
| test_logical.py:35 | ok | test_basic | s |
|
||||
| test_logical.py:37 | fail | test_basic | s |
|
||||
| test_logical.py:45 | ok | test_or | s |
|
||||
| test_logical.py:47 | ok | test_or | s |
|
||||
| test_logical.py:51 | ok | test_or | s |
|
||||
| test_logical.py:53 | ok | test_or | s |
|
||||
| test_logical.py:57 | ok | test_or | s |
|
||||
| test_logical.py:59 | ok | test_or | s |
|
||||
| test_logical.py:67 | ok | test_and | s |
|
||||
| test_logical.py:69 | ok | test_and | s |
|
||||
| test_logical.py:73 | ok | test_and | s |
|
||||
| test_logical.py:75 | ok | test_and | s |
|
||||
| test_logical.py:79 | ok | test_and | s |
|
||||
| test_logical.py:81 | fail | test_and | s |
|
||||
| test_logical.py:89 | fail | test_tricky | s |
|
||||
| test_logical.py:93 | fail | test_tricky | s_ |
|
||||
| test_logical.py:100 | fail | test_nesting_not | s |
|
||||
| test_logical.py:102 | ok | test_nesting_not | s |
|
||||
| test_logical.py:105 | ok | test_nesting_not | s |
|
||||
| test_logical.py:107 | fail | test_nesting_not | s |
|
||||
| test_logical.py:116 | ok | test_nesting_not_with_and_true | s |
|
||||
| test_logical.py:118 | ok | test_nesting_not_with_and_true | s |
|
||||
| test_logical.py:121 | ok | test_nesting_not_with_and_true | s |
|
||||
| test_logical.py:123 | ok | test_nesting_not_with_and_true | s |
|
||||
| test_logical.py:126 | ok | test_nesting_not_with_and_true | s |
|
||||
| test_logical.py:128 | ok | test_nesting_not_with_and_true | s |
|
||||
| test_logical.py:137 | fail | test_with_return | s |
|
||||
| test_logical.py:146 | fail | test_with_exception | s |
|
||||
| test_reference.py:31 | fail | test_basic | s2 |
|
||||
| test_reference.py:31 | ok | test_basic | s |
|
||||
| test_reference.py:33 | ok | test_basic | s |
|
||||
| test_reference.py:33 | ok | test_basic | s2 |
|
||||
| test_reference.py:41 | fail | test_identical_call | s.strip() |
|
||||
| test_reference.py:43 | ok | test_identical_call | s.strip() |
|
||||
| test_reference.py:56 | fail | test_class_attribute_access | c.foo |
|
||||
| test_reference.py:58 | ok | test_class_attribute_access | c.foo |
|
||||
isSanitizer
|
||||
| TestTaintTrackingConfiguration | test.py:21:39:21:39 | ControlFlowNode for s |
|
||||
| TestTaintTrackingConfiguration | test.py:50:10:50:29 | ControlFlowNode for emulated_escaping() |
|
||||
isSanitizerGuard
|
||||
| TestTaintTrackingConfiguration | test.py:35:8:35:26 | ControlFlowNode for emulated_is_safe() |
|
||||
| TestTaintTrackingConfiguration | test_logical.py:29:8:29:17 | ControlFlowNode for is_safe() |
|
||||
| TestTaintTrackingConfiguration | test_logical.py:44:8:44:17 | ControlFlowNode for is_safe() |
|
||||
| TestTaintTrackingConfiguration | test_logical.py:50:12:50:21 | ControlFlowNode for is_safe() |
|
||||
| TestTaintTrackingConfiguration | test_logical.py:66:8:66:17 | ControlFlowNode for is_safe() |
|
||||
| TestTaintTrackingConfiguration | test_logical.py:72:12:72:21 | ControlFlowNode for is_safe() |
|
||||
| TestTaintTrackingConfiguration | test_logical.py:92:8:92:17 | ControlFlowNode for is_safe() |
|
||||
| TestTaintTrackingConfiguration | test_logical.py:115:12:115:21 | ControlFlowNode for is_safe() |
|
||||
| TestTaintTrackingConfiguration | test_logical.py:120:16:120:25 | ControlFlowNode for is_safe() |
|
||||
| TestTaintTrackingConfiguration | test_logical.py:125:20:125:29 | ControlFlowNode for is_safe() |
|
||||
| TestTaintTrackingConfiguration | test_reference.py:30:8:30:17 | ControlFlowNode for is_safe() |
|
||||
| TestTaintTrackingConfiguration | test_reference.py:40:8:40:25 | ControlFlowNode for is_safe() |
|
||||
| TestTaintTrackingConfiguration | test_reference.py:55:8:55:21 | ControlFlowNode for is_safe() |
|
||||
@@ -35,9 +35,9 @@ def test_custom_sanitizer_guard():
|
||||
if emulated_is_safe(s):
|
||||
ensure_not_tainted(s)
|
||||
s = TAINTED_STRING
|
||||
ensure_tainted(s)
|
||||
ensure_tainted(s) # $ tainted
|
||||
else:
|
||||
ensure_tainted(s)
|
||||
ensure_tainted(s) # $ tainted
|
||||
|
||||
|
||||
def emulated_escaping(arg):
|
||||
|
||||
@@ -29,12 +29,12 @@ def test_basic():
|
||||
if is_safe(s):
|
||||
ensure_not_tainted(s)
|
||||
else:
|
||||
ensure_tainted(s)
|
||||
ensure_tainted(s) # $ tainted
|
||||
|
||||
if not is_safe(s):
|
||||
ensure_tainted(s)
|
||||
ensure_tainted(s) # $ tainted
|
||||
else:
|
||||
ensure_not_tainted(s)
|
||||
ensure_not_tainted(s) # $ SPURIOUS: tainted
|
||||
|
||||
|
||||
def test_or():
|
||||
@@ -42,21 +42,27 @@ def test_or():
|
||||
|
||||
# x or y
|
||||
if is_safe(s) or random_choice():
|
||||
ensure_tainted(s) # might be tainted
|
||||
# might be tainted
|
||||
ensure_tainted(s) # $ tainted
|
||||
else:
|
||||
ensure_tainted(s) # must be tainted
|
||||
# must be tainted
|
||||
ensure_tainted(s) # $ tainted
|
||||
|
||||
# not (x or y)
|
||||
if not(is_safe(s) or random_choice()):
|
||||
ensure_tainted(s) # must be tainted
|
||||
# must be tainted
|
||||
ensure_tainted(s) # $ tainted
|
||||
else:
|
||||
ensure_tainted(s) # might be tainted
|
||||
# might be tainted
|
||||
ensure_tainted(s) # $ tainted
|
||||
|
||||
# not (x or y) == not x and not y [de Morgan's laws]
|
||||
if not is_safe(s) and not random_choice():
|
||||
ensure_tainted(s) # must be tainted
|
||||
# must be tainted
|
||||
ensure_tainted(s) # $ tainted
|
||||
else:
|
||||
ensure_tainted(s) # might be tainted
|
||||
# might be tainted
|
||||
ensure_tainted(s) # $ tainted
|
||||
|
||||
|
||||
def test_and():
|
||||
@@ -64,21 +70,27 @@ def test_and():
|
||||
|
||||
# x and y
|
||||
if is_safe(s) and random_choice():
|
||||
ensure_not_tainted(s) # must not be tainted
|
||||
# cannot be tainted
|
||||
ensure_not_tainted(s)
|
||||
else:
|
||||
ensure_tainted(s) # might be tainted
|
||||
# might be tainted
|
||||
ensure_tainted(s) # $ tainted
|
||||
|
||||
# not (x and y)
|
||||
if not(is_safe(s) and random_choice()):
|
||||
ensure_tainted(s) # might be tainted
|
||||
# might be tainted
|
||||
ensure_tainted(s) # $ tainted
|
||||
else:
|
||||
# cannot be tainted
|
||||
ensure_not_tainted(s)
|
||||
|
||||
# not (x and y) == not x or not y [de Morgan's laws]
|
||||
if not is_safe(s) or not random_choice():
|
||||
ensure_tainted(s) # might be tainted
|
||||
# might be tainted
|
||||
ensure_tainted(s) # $ tainted
|
||||
else:
|
||||
ensure_not_tainted(s)
|
||||
# cannot be tainted
|
||||
ensure_not_tainted(s) # $ SPURIOUS: tainted
|
||||
|
||||
|
||||
def test_tricky():
|
||||
@@ -86,25 +98,25 @@ def test_tricky():
|
||||
|
||||
x = is_safe(s)
|
||||
if x:
|
||||
ensure_not_tainted(s) # FP
|
||||
ensure_not_tainted(s) # $ SPURIOUS: tainted
|
||||
|
||||
s_ = s
|
||||
if is_safe(s):
|
||||
ensure_not_tainted(s_) # FP
|
||||
ensure_not_tainted(s_) # $ SPURIOUS: tainted
|
||||
|
||||
|
||||
def test_nesting_not():
|
||||
s = TAINTED_STRING
|
||||
|
||||
if not(not(is_safe(s))):
|
||||
ensure_not_tainted(s)
|
||||
ensure_not_tainted(s) # $ SPURIOUS: tainted
|
||||
else:
|
||||
ensure_tainted(s)
|
||||
ensure_tainted(s) # $ tainted
|
||||
|
||||
if not(not(not(is_safe(s)))):
|
||||
ensure_tainted(s)
|
||||
ensure_tainted(s) # $ tainted
|
||||
else:
|
||||
ensure_not_tainted(s)
|
||||
ensure_not_tainted(s) # $ SPURIOUS: tainted
|
||||
|
||||
|
||||
# Adding `and True` makes the sanitizer trigger when it would otherwise not. See output in
|
||||
@@ -113,17 +125,17 @@ def test_nesting_not_with_and_true():
|
||||
s = TAINTED_STRING
|
||||
|
||||
if not(is_safe(s) and True):
|
||||
ensure_tainted(s)
|
||||
ensure_tainted(s) # $ tainted
|
||||
else:
|
||||
ensure_not_tainted(s)
|
||||
|
||||
if not(not(is_safe(s) and True)):
|
||||
ensure_not_tainted(s)
|
||||
else:
|
||||
ensure_tainted(s)
|
||||
ensure_tainted(s) # $ tainted
|
||||
|
||||
if not(not(not(is_safe(s) and True))):
|
||||
ensure_tainted(s)
|
||||
ensure_tainted(s) # $ tainted
|
||||
else:
|
||||
ensure_not_tainted(s)
|
||||
|
||||
@@ -134,7 +146,7 @@ def test_with_return():
|
||||
if not is_safe(s):
|
||||
return
|
||||
|
||||
ensure_not_tainted(s)
|
||||
ensure_not_tainted(s) # $ SPURIOUS: tainted
|
||||
|
||||
|
||||
def test_with_exception():
|
||||
@@ -143,7 +155,7 @@ def test_with_exception():
|
||||
if not is_safe(s):
|
||||
raise Exception("unsafe")
|
||||
|
||||
ensure_not_tainted(s)
|
||||
ensure_not_tainted(s) # $ SPURIOUS: tainted
|
||||
|
||||
# Make tests runable
|
||||
|
||||
|
||||
@@ -28,9 +28,9 @@ def test_basic():
|
||||
s2 = s
|
||||
|
||||
if is_safe(s):
|
||||
ensure_not_tainted(s, s2)
|
||||
ensure_not_tainted(s, s2) # $ SPURIOUS: tainted
|
||||
else:
|
||||
ensure_tainted(s, s2)
|
||||
ensure_tainted(s, s2) # $ tainted
|
||||
|
||||
|
||||
def test_identical_call():
|
||||
@@ -38,9 +38,9 @@ def test_identical_call():
|
||||
s = TAINTED_STRING
|
||||
|
||||
if is_safe(s.strip()):
|
||||
ensure_not_tainted(s.strip())
|
||||
ensure_not_tainted(s.strip()) # $ SPURIOUS: tainted
|
||||
else:
|
||||
ensure_tainted(s.strip())
|
||||
ensure_tainted(s.strip()) # $ tainted
|
||||
|
||||
|
||||
class C(object):
|
||||
@@ -53,9 +53,9 @@ def test_class_attribute_access():
|
||||
c = C(s)
|
||||
|
||||
if is_safe(c.foo):
|
||||
ensure_not_tainted(c.foo)
|
||||
ensure_not_tainted(c.foo) # $ SPURIOUS: tainted
|
||||
else:
|
||||
ensure_tainted(c.foo)
|
||||
ensure_tainted(c.foo) # $ tainted
|
||||
|
||||
|
||||
# Make tests runable
|
||||
|
||||
@@ -0,0 +1,3 @@
|
||||
argumentToEnsureNotTaintedNotMarkedAsSpurious
|
||||
untaintedArgumentToEnsureTaintedNotMarkedAsMissing
|
||||
failures
|
||||
@@ -0,0 +1 @@
|
||||
import experimental.meta.InlineTaintTest
|
||||
@@ -1,34 +0,0 @@
|
||||
| test_collections.py:16 | ok | test_access | tainted_list.copy() |
|
||||
| test_collections.py:24 | ok | list_clear | tainted_list |
|
||||
| test_collections.py:27 | fail | list_clear | tainted_list |
|
||||
| test_pathlib.py:26 | fail | test_basic | tainted_path |
|
||||
| test_pathlib.py:28 | fail | test_basic | tainted_pure_path |
|
||||
| test_pathlib.py:29 | fail | test_basic | tainted_pure_posix_path |
|
||||
| test_pathlib.py:30 | fail | test_basic | tainted_pure_windows_path |
|
||||
| test_pathlib.py:32 | fail | test_basic | BinaryExpr |
|
||||
| test_pathlib.py:33 | fail | test_basic | BinaryExpr |
|
||||
| test_pathlib.py:35 | fail | test_basic | tainted_path.joinpath(..) |
|
||||
| test_pathlib.py:36 | fail | test_basic | pathlib.Path(..).joinpath(..) |
|
||||
| test_pathlib.py:37 | fail | test_basic | pathlib.Path(..).joinpath(..) |
|
||||
| test_pathlib.py:39 | fail | test_basic | str(..) |
|
||||
| test_pathlib.py:49 | fail | test_basic | tainted_posix_path |
|
||||
| test_pathlib.py:55 | fail | test_basic | tainted_windows_path |
|
||||
| test_string.py:17 | ok | str_methods | ts.casefold() |
|
||||
| test_string.py:19 | ok | str_methods | ts.format_map(..) |
|
||||
| test_string.py:20 | ok | str_methods | "{unsafe}".format_map(..) |
|
||||
| test_string.py:31 | ok | binary_decode_encode | base64.a85encode(..) |
|
||||
| test_string.py:32 | ok | binary_decode_encode | base64.a85decode(..) |
|
||||
| test_string.py:35 | ok | binary_decode_encode | base64.b85encode(..) |
|
||||
| test_string.py:36 | ok | binary_decode_encode | base64.b85decode(..) |
|
||||
| test_string.py:39 | ok | binary_decode_encode | base64.encodebytes(..) |
|
||||
| test_string.py:40 | ok | binary_decode_encode | base64.decodebytes(..) |
|
||||
| test_string.py:48 | ok | f_strings | Fstring |
|
||||
| test_unpacking.py:18 | ok | extended_unpacking | first |
|
||||
| test_unpacking.py:18 | ok | extended_unpacking | last |
|
||||
| test_unpacking.py:18 | ok | extended_unpacking | rest |
|
||||
| test_unpacking.py:23 | ok | also_allowed | a |
|
||||
| test_unpacking.py:31 | ok | also_allowed | b |
|
||||
| test_unpacking.py:31 | ok | also_allowed | c |
|
||||
| test_unpacking.py:39 | ok | nested | x |
|
||||
| test_unpacking.py:39 | ok | nested | xs |
|
||||
| test_unpacking.py:39 | ok | nested | ys |
|
||||
@@ -1 +0,0 @@
|
||||
import experimental.dataflow.tainttracking.TestTaintLib
|
||||
@@ -13,7 +13,7 @@ def test_access():
|
||||
tainted_list = TAINTED_LIST
|
||||
|
||||
ensure_tainted(
|
||||
tainted_list.copy(),
|
||||
tainted_list.copy(), # $ tainted
|
||||
)
|
||||
|
||||
|
||||
@@ -21,10 +21,10 @@ def list_clear():
|
||||
tainted_string = TAINTED_STRING
|
||||
tainted_list = [tainted_string]
|
||||
|
||||
ensure_tainted(tainted_list)
|
||||
ensure_tainted(tainted_list) # $ tainted
|
||||
|
||||
tainted_list.clear()
|
||||
ensure_not_tainted(tainted_list)
|
||||
ensure_not_tainted(tainted_list) # $ SPURIOUS: tainted
|
||||
|
||||
# Make tests runable
|
||||
|
||||
|
||||
@@ -23,20 +23,20 @@ def test_basic():
|
||||
tainted_pure_windows_path = pathlib.PureWindowsPath(ts)
|
||||
|
||||
ensure_tainted(
|
||||
tainted_path,
|
||||
tainted_path, # $ MISSING: tainted
|
||||
|
||||
tainted_pure_path,
|
||||
tainted_pure_posix_path,
|
||||
tainted_pure_windows_path,
|
||||
tainted_pure_path, # $ MISSING: tainted
|
||||
tainted_pure_posix_path, # $ MISSING: tainted
|
||||
tainted_pure_windows_path, # $ MISSING: tainted
|
||||
|
||||
pathlib.Path("foo") / ts,
|
||||
ts / pathlib.Path("foo"),
|
||||
pathlib.Path("foo") / ts, # $ MISSING: tainted
|
||||
ts / pathlib.Path("foo"), # $ MISSING: tainted
|
||||
|
||||
tainted_path.joinpath("foo", "bar"),
|
||||
pathlib.Path("foo").joinpath(tainted_path, "bar"),
|
||||
pathlib.Path("foo").joinpath("bar", tainted_path),
|
||||
tainted_path.joinpath("foo", "bar"), # $ MISSING: tainted
|
||||
pathlib.Path("foo").joinpath(tainted_path, "bar"), # $ MISSING: tainted
|
||||
pathlib.Path("foo").joinpath("bar", tainted_path), # $ MISSING: tainted
|
||||
|
||||
str(tainted_path),
|
||||
str(tainted_path), # $ MISSING: tainted
|
||||
|
||||
# TODO: Tainted methods and attributes
|
||||
# https://docs.python.org/3.8/library/pathlib.html#methods-and-properties
|
||||
@@ -46,13 +46,13 @@ def test_basic():
|
||||
tainted_posix_path = pathlib.PosixPath(ts)
|
||||
|
||||
ensure_tainted(
|
||||
tainted_posix_path,
|
||||
tainted_posix_path, # $ MISSING: tainted
|
||||
)
|
||||
|
||||
if os.name == "nt":
|
||||
tainted_windows_path = pathlib.WindowsPath(ts)
|
||||
ensure_tainted(
|
||||
tainted_windows_path,
|
||||
tainted_windows_path, # $ MISSING: tainted
|
||||
)
|
||||
|
||||
# Make tests runable
|
||||
|
||||
@@ -14,10 +14,10 @@ def str_methods():
|
||||
ts = TAINTED_STRING
|
||||
tb = TAINTED_BYTES
|
||||
ensure_tainted(
|
||||
ts.casefold(),
|
||||
ts.casefold(), # $ tainted
|
||||
|
||||
ts.format_map({}),
|
||||
"{unsafe}".format_map({"unsafe": ts}),
|
||||
ts.format_map({}), # $ tainted
|
||||
"{unsafe}".format_map({"unsafe": ts}), # $ tainted
|
||||
)
|
||||
|
||||
|
||||
@@ -28,16 +28,16 @@ def binary_decode_encode():
|
||||
|
||||
ensure_tainted(
|
||||
# New in Python 3.4
|
||||
base64.a85encode(tb),
|
||||
base64.a85decode(base64.a85encode(tb)),
|
||||
base64.a85encode(tb), # $ tainted
|
||||
base64.a85decode(base64.a85encode(tb)), # $ tainted
|
||||
|
||||
# New in Python 3.4
|
||||
base64.b85encode(tb),
|
||||
base64.b85decode(base64.b85encode(tb)),
|
||||
base64.b85encode(tb), # $ tainted
|
||||
base64.b85decode(base64.b85encode(tb)), # $ tainted
|
||||
|
||||
# New in Python 3.1
|
||||
base64.encodebytes(tb),
|
||||
base64.decodebytes(base64.encodebytes(tb)),
|
||||
base64.encodebytes(tb), # $ tainted
|
||||
base64.decodebytes(base64.encodebytes(tb)), # $ tainted
|
||||
)
|
||||
|
||||
|
||||
@@ -45,7 +45,7 @@ def f_strings():
|
||||
print("\n# f_strings")
|
||||
ts = TAINTED_STRING
|
||||
|
||||
ensure_tainted(f"foo {ts} bar")
|
||||
ensure_tainted(f"foo {ts} bar") # $ tainted
|
||||
|
||||
|
||||
# Make tests runable
|
||||
|
||||
@@ -15,12 +15,12 @@ if TYPE_CHECKING:
|
||||
|
||||
def extended_unpacking():
|
||||
first, *rest, last = TAINTED_LIST
|
||||
ensure_tainted(first, rest, last)
|
||||
ensure_tainted(first, rest, last) # $ tainted
|
||||
|
||||
|
||||
def also_allowed():
|
||||
*a, = TAINTED_LIST
|
||||
ensure_tainted(a)
|
||||
ensure_tainted(a) # $ tainted
|
||||
|
||||
# for b, *c in [(1, 2, 3), (4, 5, 6, 7)]:
|
||||
# print(c)
|
||||
@@ -28,7 +28,7 @@ def also_allowed():
|
||||
# i=1; c=[5,6,7]
|
||||
|
||||
for b, *c in [TAINTED_LIST, TAINTED_LIST]:
|
||||
ensure_tainted(b, c)
|
||||
ensure_tainted(b, c) # $ tainted
|
||||
|
||||
|
||||
def nested():
|
||||
@@ -36,7 +36,7 @@ def nested():
|
||||
ll = [l,l]
|
||||
|
||||
[[x, *xs], ys] = ll
|
||||
ensure_tainted(x, xs, ys)
|
||||
ensure_tainted(x, xs, ys) # $ tainted
|
||||
|
||||
|
||||
# Make tests runable
|
||||
|
||||
@@ -0,0 +1,3 @@
|
||||
argumentToEnsureNotTaintedNotMarkedAsSpurious
|
||||
untaintedArgumentToEnsureTaintedNotMarkedAsMissing
|
||||
failures
|
||||
@@ -0,0 +1 @@
|
||||
import experimental.meta.InlineTaintTest
|
||||
@@ -1,176 +0,0 @@
|
||||
| test_collections.py:23 | ok | test_construction | tainted_string |
|
||||
| test_collections.py:24 | ok | test_construction | tainted_list |
|
||||
| test_collections.py:25 | ok | test_construction | tainted_tuple |
|
||||
| test_collections.py:26 | ok | test_construction | tainted_set |
|
||||
| test_collections.py:27 | ok | test_construction | tainted_dict |
|
||||
| test_collections.py:31 | ok | test_construction | list(..) |
|
||||
| test_collections.py:32 | ok | test_construction | list(..) |
|
||||
| test_collections.py:33 | ok | test_construction | list(..) |
|
||||
| test_collections.py:34 | ok | test_construction | list(..) |
|
||||
| test_collections.py:35 | ok | test_construction | list(..) |
|
||||
| test_collections.py:37 | ok | test_construction | tuple(..) |
|
||||
| test_collections.py:38 | ok | test_construction | set(..) |
|
||||
| test_collections.py:39 | ok | test_construction | frozenset(..) |
|
||||
| test_collections.py:47 | ok | test_access | tainted_list[0] |
|
||||
| test_collections.py:48 | ok | test_access | tainted_list[x] |
|
||||
| test_collections.py:49 | ok | test_access | tainted_list[Slice] |
|
||||
| test_collections.py:51 | ok | test_access | sorted(..) |
|
||||
| test_collections.py:52 | ok | test_access | reversed(..) |
|
||||
| test_collections.py:53 | ok | test_access | iter(..) |
|
||||
| test_collections.py:54 | ok | test_access | next(..) |
|
||||
| test_collections.py:58 | ok | test_access | a |
|
||||
| test_collections.py:58 | ok | test_access | b |
|
||||
| test_collections.py:58 | ok | test_access | c |
|
||||
| test_collections.py:61 | ok | test_access | h |
|
||||
| test_collections.py:63 | ok | test_access | i |
|
||||
| test_collections.py:70 | ok | test_dict_access | tainted_dict["name"] |
|
||||
| test_collections.py:71 | ok | test_dict_access | tainted_dict.get(..) |
|
||||
| test_collections.py:72 | ok | test_dict_access | tainted_dict[x] |
|
||||
| test_collections.py:73 | ok | test_dict_access | tainted_dict.copy() |
|
||||
| test_collections.py:77 | ok | test_dict_access | v |
|
||||
| test_collections.py:79 | ok | test_dict_access | v |
|
||||
| test_collections.py:87 | fail | test_named_tuple | point[0] |
|
||||
| test_collections.py:88 | fail | test_named_tuple | point.x |
|
||||
| test_collections.py:92 | ok | test_named_tuple | point[1] |
|
||||
| test_collections.py:93 | ok | test_named_tuple | point.y |
|
||||
| test_collections.py:97 | fail | test_named_tuple | a |
|
||||
| test_collections.py:98 | ok | test_named_tuple | b |
|
||||
| test_collections.py:106 | fail | test_defaultdict | tainted_default_dict["name"] |
|
||||
| test_collections.py:107 | fail | test_defaultdict | tainted_default_dict.get(..) |
|
||||
| test_collections.py:108 | fail | test_defaultdict | tainted_default_dict[x] |
|
||||
| test_collections.py:109 | fail | test_defaultdict | tainted_default_dict.copy() |
|
||||
| test_collections.py:112 | fail | test_defaultdict | v |
|
||||
| test_collections.py:114 | fail | test_defaultdict | v |
|
||||
| test_collections.py:121 | ok | test_copy_1 | copy(..) |
|
||||
| test_collections.py:122 | ok | test_copy_1 | deepcopy(..) |
|
||||
| test_collections.py:130 | ok | test_copy_2 | copy.copy(..) |
|
||||
| test_collections.py:131 | ok | test_copy_2 | copy.deepcopy(..) |
|
||||
| test_collections.py:139 | ok | list_index_assign | my_list |
|
||||
| test_collections.py:142 | fail | list_index_assign | my_list |
|
||||
| test_collections.py:149 | ok | list_index_aug_assign | my_list |
|
||||
| test_collections.py:152 | fail | list_index_aug_assign | my_list |
|
||||
| test_collections.py:159 | ok | list_append | my_list |
|
||||
| test_collections.py:162 | ok | list_append | my_list |
|
||||
| test_collections.py:169 | ok | list_extend | my_list |
|
||||
| test_collections.py:172 | fail | list_extend | my_list |
|
||||
| test_collections.py:179 | ok | dict_update_dict | my_dict |
|
||||
| test_collections.py:182 | fail | dict_update_dict | my_dict |
|
||||
| test_collections.py:189 | ok | dict_update_kv_list | my_dict |
|
||||
| test_collections.py:192 | fail | dict_update_kv_list | my_dict |
|
||||
| test_collections.py:198 | ok | dict_update_kv_arg | my_dict |
|
||||
| test_collections.py:201 | fail | dict_update_kv_arg | my_dict |
|
||||
| test_collections.py:208 | ok | dict_manual_update | my_dict |
|
||||
| test_collections.py:212 | fail | dict_manual_update | my_dict |
|
||||
| test_collections.py:220 | fail | dict_merge | merged |
|
||||
| test_collections.py:227 | ok | set_add | my_set |
|
||||
| test_collections.py:230 | ok | set_add | my_set |
|
||||
| test_json.py:26 | ok | test | json.dumps(..) |
|
||||
| test_json.py:27 | ok | test | json.loads(..) |
|
||||
| test_json.py:34 | fail | test | tainted_filelike |
|
||||
| test_json.py:35 | fail | test | json.load(..) |
|
||||
| test_json.py:48 | ok | non_syntacical | dumps(..) |
|
||||
| test_json.py:49 | ok | non_syntacical | dumps_alias(..) |
|
||||
| test_json.py:50 | ok | non_syntacical | loads(..) |
|
||||
| test_json.py:57 | fail | non_syntacical | tainted_filelike |
|
||||
| test_json.py:58 | fail | non_syntacical | load(..) |
|
||||
| test_string.py:25 | ok | str_operations | ts |
|
||||
| test_string.py:26 | ok | str_operations | BinaryExpr |
|
||||
| test_string.py:27 | ok | str_operations | BinaryExpr |
|
||||
| test_string.py:28 | ok | str_operations | BinaryExpr |
|
||||
| test_string.py:29 | ok | str_operations | ts[Slice] |
|
||||
| test_string.py:30 | ok | str_operations | ts[Slice] |
|
||||
| test_string.py:31 | ok | str_operations | ts[Slice] |
|
||||
| test_string.py:32 | ok | str_operations | ts[0] |
|
||||
| test_string.py:33 | ok | str_operations | str(..) |
|
||||
| test_string.py:34 | ok | str_operations | bytes(..) |
|
||||
| test_string.py:35 | ok | str_operations | unicode(..) |
|
||||
| test_string.py:39 | ok | str_operations | aug_assignment |
|
||||
| test_string.py:41 | ok | str_operations | aug_assignment |
|
||||
| test_string.py:49 | ok | str_methods | ts.capitalize() |
|
||||
| test_string.py:50 | ok | str_methods | ts.center(..) |
|
||||
| test_string.py:51 | ok | str_methods | ts.expandtabs() |
|
||||
| test_string.py:53 | ok | str_methods | ts.format() |
|
||||
| test_string.py:54 | ok | str_methods | "{}".format(..) |
|
||||
| test_string.py:55 | ok | str_methods | "{unsafe}".format(..) |
|
||||
| test_string.py:57 | ok | str_methods | ts.join(..) |
|
||||
| test_string.py:58 | ok | str_methods | "".join(..) |
|
||||
| test_string.py:60 | ok | str_methods | ts.ljust(..) |
|
||||
| test_string.py:61 | ok | str_methods | ts.lstrip() |
|
||||
| test_string.py:62 | ok | str_methods | ts.lower() |
|
||||
| test_string.py:64 | ok | str_methods | ts.replace(..) |
|
||||
| test_string.py:65 | ok | str_methods | "safe".replace(..) |
|
||||
| test_string.py:67 | ok | str_methods | ts.rjust(..) |
|
||||
| test_string.py:68 | ok | str_methods | ts.rstrip() |
|
||||
| test_string.py:69 | ok | str_methods | ts.strip() |
|
||||
| test_string.py:70 | ok | str_methods | ts.swapcase() |
|
||||
| test_string.py:71 | ok | str_methods | ts.title() |
|
||||
| test_string.py:72 | ok | str_methods | ts.upper() |
|
||||
| test_string.py:73 | ok | str_methods | ts.zfill(..) |
|
||||
| test_string.py:75 | ok | str_methods | ts.encode(..) |
|
||||
| test_string.py:76 | ok | str_methods | ts.encode(..).decode(..) |
|
||||
| test_string.py:78 | ok | str_methods | tb.decode(..) |
|
||||
| test_string.py:79 | ok | str_methods | tb.decode(..).encode(..) |
|
||||
| test_string.py:82 | ok | str_methods | ts.partition(..) |
|
||||
| test_string.py:83 | ok | str_methods | ts.rpartition(..) |
|
||||
| test_string.py:84 | ok | str_methods | ts.rsplit(..) |
|
||||
| test_string.py:85 | ok | str_methods | ts.split(..) |
|
||||
| test_string.py:86 | ok | str_methods | ts.splitlines() |
|
||||
| test_string.py:91 | ok | str_methods | "safe".replace(..) |
|
||||
| test_string.py:93 | fail | str_methods | ts.join(..) |
|
||||
| test_string.py:94 | fail | str_methods | ts.join(..) |
|
||||
| test_string.py:104 | fail | non_syntactic | meth() |
|
||||
| test_string.py:105 | fail | non_syntactic | _str(..) |
|
||||
| test_string.py:114 | ok | percent_fmt | BinaryExpr |
|
||||
| test_string.py:115 | ok | percent_fmt | BinaryExpr |
|
||||
| test_string.py:116 | ok | percent_fmt | BinaryExpr |
|
||||
| test_string.py:126 | ok | binary_decode_encode | base64.b64encode(..) |
|
||||
| test_string.py:127 | ok | binary_decode_encode | base64.b64decode(..) |
|
||||
| test_string.py:129 | ok | binary_decode_encode | base64.standard_b64encode(..) |
|
||||
| test_string.py:130 | ok | binary_decode_encode | base64.standard_b64decode(..) |
|
||||
| test_string.py:132 | ok | binary_decode_encode | base64.urlsafe_b64encode(..) |
|
||||
| test_string.py:133 | ok | binary_decode_encode | base64.urlsafe_b64decode(..) |
|
||||
| test_string.py:135 | ok | binary_decode_encode | base64.b32encode(..) |
|
||||
| test_string.py:136 | ok | binary_decode_encode | base64.b32decode(..) |
|
||||
| test_string.py:138 | ok | binary_decode_encode | base64.b16encode(..) |
|
||||
| test_string.py:139 | ok | binary_decode_encode | base64.b16decode(..) |
|
||||
| test_string.py:142 | ok | binary_decode_encode | base64.encodestring(..) |
|
||||
| test_string.py:143 | ok | binary_decode_encode | base64.decodestring(..) |
|
||||
| test_string.py:148 | fail | binary_decode_encode | quopri.encodestring(..) |
|
||||
| test_string.py:149 | fail | binary_decode_encode | quopri.decodestring(..) |
|
||||
| test_string.py:159 | ok | test_os_path_join | os.path.join(..) |
|
||||
| test_string.py:160 | ok | test_os_path_join | os.path.join(..) |
|
||||
| test_string.py:161 | ok | test_os_path_join | os.path.join(..) |
|
||||
| test_string.py:162 | ok | test_os_path_join | ospath_alias.join(..) |
|
||||
| test_unpacking.py:16 | ok | unpacking | a |
|
||||
| test_unpacking.py:16 | ok | unpacking | b |
|
||||
| test_unpacking.py:16 | ok | unpacking | c |
|
||||
| test_unpacking.py:22 | ok | unpacking_to_list | a |
|
||||
| test_unpacking.py:22 | ok | unpacking_to_list | b |
|
||||
| test_unpacking.py:22 | ok | unpacking_to_list | c |
|
||||
| test_unpacking.py:31 | ok | nested | a1 |
|
||||
| test_unpacking.py:31 | ok | nested | a2 |
|
||||
| test_unpacking.py:31 | ok | nested | a3 |
|
||||
| test_unpacking.py:31 | ok | nested | b |
|
||||
| test_unpacking.py:31 | ok | nested | c |
|
||||
| test_unpacking.py:35 | ok | nested | a1 |
|
||||
| test_unpacking.py:35 | ok | nested | a2 |
|
||||
| test_unpacking.py:35 | ok | nested | a3 |
|
||||
| test_unpacking.py:35 | ok | nested | b |
|
||||
| test_unpacking.py:35 | ok | nested | c |
|
||||
| test_unpacking.py:39 | ok | nested | a1 |
|
||||
| test_unpacking.py:39 | ok | nested | a2 |
|
||||
| test_unpacking.py:39 | ok | nested | a3 |
|
||||
| test_unpacking.py:39 | ok | nested | b |
|
||||
| test_unpacking.py:39 | ok | nested | c |
|
||||
| test_unpacking.py:46 | ok | unpack_from_set | a |
|
||||
| test_unpacking.py:46 | ok | unpack_from_set | b |
|
||||
| test_unpacking.py:46 | ok | unpack_from_set | c |
|
||||
| test_unpacking.py:55 | ok | contrived_1 | a |
|
||||
| test_unpacking.py:55 | ok | contrived_1 | b |
|
||||
| test_unpacking.py:55 | ok | contrived_1 | c |
|
||||
| test_unpacking.py:56 | fail | contrived_1 | d |
|
||||
| test_unpacking.py:56 | fail | contrived_1 | e |
|
||||
| test_unpacking.py:56 | fail | contrived_1 | f |
|
||||
| test_unpacking.py:65 | ok | contrived_2 | a |
|
||||
| test_unpacking.py:65 | ok | contrived_2 | b |
|
||||
| test_unpacking.py:65 | ok | contrived_2 | c |
|
||||
@@ -1 +0,0 @@
|
||||
import experimental.dataflow.tainttracking.TestTaintLib
|
||||
@@ -20,23 +20,23 @@ def test_construction():
|
||||
tainted_dict = {'key': tainted_string}
|
||||
|
||||
ensure_tainted(
|
||||
tainted_string,
|
||||
tainted_list,
|
||||
tainted_tuple,
|
||||
tainted_set,
|
||||
tainted_dict,
|
||||
tainted_string, # $ tainted
|
||||
tainted_list, # $ tainted
|
||||
tainted_tuple, # $ tainted
|
||||
tainted_set, # $ tainted
|
||||
tainted_dict, # $ tainted
|
||||
)
|
||||
|
||||
ensure_tainted(
|
||||
list(tainted_list),
|
||||
list(tainted_tuple),
|
||||
list(tainted_set),
|
||||
list(tainted_dict.values()),
|
||||
list(tainted_dict.items()),
|
||||
list(tainted_list), # $ tainted
|
||||
list(tainted_tuple), # $ tainted
|
||||
list(tainted_set), # $ tainted
|
||||
list(tainted_dict.values()), # $ tainted
|
||||
list(tainted_dict.items()), # $ tainted
|
||||
|
||||
tuple(tainted_list),
|
||||
set(tainted_list),
|
||||
frozenset(tainted_list),
|
||||
tuple(tainted_list), # $ tainted
|
||||
set(tainted_list), # $ tainted
|
||||
frozenset(tainted_list), # $ tainted
|
||||
)
|
||||
|
||||
|
||||
@@ -44,39 +44,39 @@ def test_access(x, y, z):
|
||||
tainted_list = TAINTED_LIST
|
||||
|
||||
ensure_tainted(
|
||||
tainted_list[0],
|
||||
tainted_list[x],
|
||||
tainted_list[y:z],
|
||||
tainted_list[0], # $ tainted
|
||||
tainted_list[x], # $ tainted
|
||||
tainted_list[y:z], # $ tainted
|
||||
|
||||
sorted(tainted_list),
|
||||
reversed(tainted_list),
|
||||
iter(tainted_list),
|
||||
next(iter(tainted_list)),
|
||||
sorted(tainted_list), # $ tainted
|
||||
reversed(tainted_list), # $ tainted
|
||||
iter(tainted_list), # $ tainted
|
||||
next(iter(tainted_list)), # $ tainted
|
||||
)
|
||||
|
||||
a, b, c = tainted_list[0:3]
|
||||
ensure_tainted(a, b, c)
|
||||
ensure_tainted(a, b, c) # $ tainted
|
||||
|
||||
for h in tainted_list:
|
||||
ensure_tainted(h)
|
||||
ensure_tainted(h) # $ tainted
|
||||
for i in reversed(tainted_list):
|
||||
ensure_tainted(i)
|
||||
ensure_tainted(i) # $ tainted
|
||||
|
||||
|
||||
def test_dict_access(x):
|
||||
tainted_dict = TAINTED_DICT
|
||||
|
||||
ensure_tainted(
|
||||
tainted_dict["name"],
|
||||
tainted_dict.get("name"),
|
||||
tainted_dict[x],
|
||||
tainted_dict.copy(),
|
||||
tainted_dict["name"], # $ tainted
|
||||
tainted_dict.get("name"), # $ tainted
|
||||
tainted_dict[x], # $ tainted
|
||||
tainted_dict.copy(), # $ tainted
|
||||
)
|
||||
|
||||
for v in tainted_dict.values():
|
||||
ensure_tainted(v)
|
||||
ensure_tainted(v) # $ tainted
|
||||
for k, v in tainted_dict.items():
|
||||
ensure_tainted(v)
|
||||
ensure_tainted(v) # $ tainted
|
||||
|
||||
|
||||
def test_named_tuple(): # TODO: namedtuple currently not handled
|
||||
@@ -84,8 +84,8 @@ def test_named_tuple(): # TODO: namedtuple currently not handled
|
||||
point = Point(TAINTED_STRING, 'safe')
|
||||
|
||||
ensure_tainted(
|
||||
point[0],
|
||||
point.x,
|
||||
point[0], # $ MISSING: tainted
|
||||
point.x, # $ MISSING: tainted
|
||||
)
|
||||
|
||||
ensure_not_tainted(
|
||||
@@ -94,7 +94,7 @@ def test_named_tuple(): # TODO: namedtuple currently not handled
|
||||
)
|
||||
|
||||
a, b = point
|
||||
ensure_tainted(a)
|
||||
ensure_tainted(a) # $ MISSING: tainted
|
||||
ensure_not_tainted(b)
|
||||
|
||||
|
||||
@@ -103,23 +103,23 @@ def test_defaultdict(key, x): # TODO: defaultdict currently not handled
|
||||
tainted_default_dict[key] += TAINTED_STRING
|
||||
|
||||
ensure_tainted(
|
||||
tainted_default_dict["name"],
|
||||
tainted_default_dict.get("name"),
|
||||
tainted_default_dict[x],
|
||||
tainted_default_dict.copy(),
|
||||
tainted_default_dict["name"], # $ MISSING: tainted
|
||||
tainted_default_dict.get("name"), # $ MISSING: tainted
|
||||
tainted_default_dict[x], # $ MISSING: tainted
|
||||
tainted_default_dict.copy(), # $ MISSING: tainted
|
||||
)
|
||||
for v in tainted_default_dict.values():
|
||||
ensure_tainted(v)
|
||||
ensure_tainted(v) # $ MISSING: tainted
|
||||
for k, v in tainted_default_dict.items():
|
||||
ensure_tainted(v)
|
||||
ensure_tainted(v) # $ MISSING: tainted
|
||||
|
||||
|
||||
def test_copy_1():
|
||||
from copy import copy, deepcopy
|
||||
|
||||
ensure_tainted(
|
||||
copy(TAINTED_LIST),
|
||||
deepcopy(TAINTED_LIST),
|
||||
copy(TAINTED_LIST), # $ tainted
|
||||
deepcopy(TAINTED_LIST), # $ tainted
|
||||
)
|
||||
|
||||
|
||||
@@ -127,8 +127,8 @@ def test_copy_2():
|
||||
import copy
|
||||
|
||||
ensure_tainted(
|
||||
copy.copy(TAINTED_LIST),
|
||||
copy.deepcopy(TAINTED_LIST),
|
||||
copy.copy(TAINTED_LIST), # $ tainted
|
||||
copy.deepcopy(TAINTED_LIST), # $ tainted
|
||||
)
|
||||
|
||||
|
||||
@@ -139,7 +139,7 @@ def list_index_assign():
|
||||
ensure_not_tainted(my_list)
|
||||
|
||||
my_list[0] = tainted_string
|
||||
ensure_tainted(my_list)
|
||||
ensure_tainted(my_list) # $ MISSING: tainted
|
||||
|
||||
|
||||
def list_index_aug_assign():
|
||||
@@ -149,7 +149,7 @@ def list_index_aug_assign():
|
||||
ensure_not_tainted(my_list)
|
||||
|
||||
my_list[0] += tainted_string
|
||||
ensure_tainted(my_list)
|
||||
ensure_tainted(my_list) # $ MISSING: tainted
|
||||
|
||||
|
||||
def list_append():
|
||||
@@ -159,7 +159,7 @@ def list_append():
|
||||
ensure_not_tainted(my_list)
|
||||
|
||||
my_list.append(tainted_string)
|
||||
ensure_tainted(my_list)
|
||||
ensure_tainted(my_list) # $ tainted
|
||||
|
||||
|
||||
def list_extend():
|
||||
@@ -169,7 +169,7 @@ def list_extend():
|
||||
ensure_not_tainted(my_list)
|
||||
|
||||
my_list.extend(tainted_list)
|
||||
ensure_tainted(my_list)
|
||||
ensure_tainted(my_list) # $ MISSING: tainted
|
||||
|
||||
|
||||
def dict_update_dict():
|
||||
@@ -179,7 +179,7 @@ def dict_update_dict():
|
||||
ensure_not_tainted(my_dict)
|
||||
|
||||
my_dict.update(tainted_dict)
|
||||
ensure_tainted(my_dict)
|
||||
ensure_tainted(my_dict) # $ MISSING: tainted
|
||||
|
||||
|
||||
def dict_update_kv_list():
|
||||
@@ -189,7 +189,7 @@ def dict_update_kv_list():
|
||||
ensure_not_tainted(my_dict)
|
||||
|
||||
my_dict.update(tainted_kv_list)
|
||||
ensure_tainted(my_dict)
|
||||
ensure_tainted(my_dict) # $ MISSING: tainted
|
||||
|
||||
|
||||
def dict_update_kv_arg():
|
||||
@@ -198,7 +198,7 @@ def dict_update_kv_arg():
|
||||
ensure_not_tainted(my_dict)
|
||||
|
||||
my_dict.update(key2=TAINTED_STRING)
|
||||
ensure_tainted(my_dict)
|
||||
ensure_tainted(my_dict) # $ MISSING: tainted
|
||||
|
||||
|
||||
def dict_manual_update():
|
||||
@@ -209,7 +209,7 @@ def dict_manual_update():
|
||||
|
||||
for k in tainted_dict:
|
||||
my_dict[k] = tainted_dict[k]
|
||||
ensure_tainted(my_dict)
|
||||
ensure_tainted(my_dict) # $ MISSING: tainted
|
||||
|
||||
|
||||
def dict_merge():
|
||||
@@ -217,7 +217,7 @@ def dict_merge():
|
||||
tainted_dict = {"key2": TAINTED_STRING}
|
||||
|
||||
merged = {**my_dict, **tainted_dict}
|
||||
ensure_tainted(merged)
|
||||
ensure_tainted(merged) # $ MISSING: tainted
|
||||
|
||||
|
||||
def set_add():
|
||||
@@ -227,7 +227,7 @@ def set_add():
|
||||
ensure_not_tainted(my_set)
|
||||
|
||||
my_set.add(tainted_string)
|
||||
ensure_tainted(my_set)
|
||||
ensure_tainted(my_set) # $ tainted
|
||||
|
||||
|
||||
# Make tests runable
|
||||
|
||||
@@ -23,16 +23,16 @@ def test():
|
||||
import json
|
||||
|
||||
ensure_tainted(
|
||||
json.dumps(ts),
|
||||
json.loads(json.dumps(ts)),
|
||||
json.dumps(ts), # $ tainted
|
||||
json.loads(json.dumps(ts)), # $ tainted
|
||||
)
|
||||
|
||||
# For Python2, need to convert to unicode for StringIO to work
|
||||
tainted_filelike = StringIO(unicode(json.dumps(ts)))
|
||||
|
||||
ensure_tainted(
|
||||
tainted_filelike,
|
||||
json.load(tainted_filelike),
|
||||
tainted_filelike, # $ MISSING: tainted
|
||||
json.load(tainted_filelike), # $ MISSING: tainted
|
||||
)
|
||||
|
||||
def non_syntacical():
|
||||
@@ -45,17 +45,17 @@ def non_syntacical():
|
||||
dumps_alias = dumps
|
||||
|
||||
ensure_tainted(
|
||||
dumps(ts),
|
||||
dumps_alias(ts),
|
||||
loads(dumps(ts)),
|
||||
dumps(ts), # $ tainted
|
||||
dumps_alias(ts), # $ tainted
|
||||
loads(dumps(ts)), # $ tainted
|
||||
)
|
||||
|
||||
# For Python2, need to convert to unicode for StringIO to work
|
||||
tainted_filelike = StringIO(unicode(dumps(ts)))
|
||||
|
||||
ensure_tainted(
|
||||
tainted_filelike,
|
||||
load(tainted_filelike),
|
||||
tainted_filelike, # $ MISSING: tainted
|
||||
load(tainted_filelike), # $ MISSING: tainted
|
||||
)
|
||||
|
||||
# Make tests runable
|
||||
|
||||
@@ -22,23 +22,23 @@ def str_operations():
|
||||
tb = TAINTED_BYTES
|
||||
|
||||
ensure_tainted(
|
||||
ts,
|
||||
ts + "foo",
|
||||
"foo" + ts,
|
||||
ts * 5,
|
||||
ts[0 : len(ts)],
|
||||
ts[:],
|
||||
ts[0:1000],
|
||||
ts[0],
|
||||
str(ts),
|
||||
bytes(tb),
|
||||
unicode(ts),
|
||||
ts, # $ tainted
|
||||
ts + "foo", # $ tainted
|
||||
"foo" + ts, # $ tainted
|
||||
ts * 5, # $ tainted
|
||||
ts[0 : len(ts)], # $ tainted
|
||||
ts[:], # $ tainted
|
||||
ts[0:1000], # $ tainted
|
||||
ts[0], # $ tainted
|
||||
str(ts), # $ tainted
|
||||
bytes(tb), # $ tainted
|
||||
unicode(ts), # $ tainted
|
||||
)
|
||||
|
||||
aug_assignment = "safe"
|
||||
ensure_not_tainted(aug_assignment)
|
||||
aug_assignment += TAINTED_STRING
|
||||
ensure_tainted(aug_assignment)
|
||||
ensure_tainted(aug_assignment) # $ tainted
|
||||
|
||||
|
||||
def str_methods():
|
||||
@@ -46,52 +46,54 @@ def str_methods():
|
||||
ts = TAINTED_STRING
|
||||
tb = TAINTED_BYTES
|
||||
ensure_tainted(
|
||||
ts.capitalize(),
|
||||
ts.center(100),
|
||||
ts.expandtabs(),
|
||||
ts.capitalize(), # $ tainted
|
||||
ts.center(100), # $ tainted
|
||||
ts.expandtabs(), # $ tainted
|
||||
|
||||
ts.format(),
|
||||
"{}".format(ts),
|
||||
"{unsafe}".format(unsafe=ts),
|
||||
ts.format(), # $ tainted
|
||||
"{}".format(ts), # $ tainted
|
||||
"{unsafe}".format(unsafe=ts), # $ tainted
|
||||
|
||||
ts.join(["", ""]),
|
||||
"".join([ts]),
|
||||
ts.join(["", ""]), # $ tainted
|
||||
"".join([ts]), # $ tainted
|
||||
|
||||
ts.ljust(100),
|
||||
ts.lstrip(),
|
||||
ts.lower(),
|
||||
ts.ljust(100), # $ tainted
|
||||
ts.lstrip(), # $ tainted
|
||||
ts.lower(), # $ tainted
|
||||
|
||||
ts.replace("old", "new"),
|
||||
"safe".replace("safe", ts),
|
||||
ts.replace("old", "new"), # $ tainted
|
||||
"safe".replace("safe", ts), # $ tainted
|
||||
|
||||
ts.rjust(100),
|
||||
ts.rstrip(),
|
||||
ts.strip(),
|
||||
ts.swapcase(),
|
||||
ts.title(),
|
||||
ts.upper(),
|
||||
ts.zfill(100),
|
||||
ts.rjust(100), # $ tainted
|
||||
ts.rstrip(), # $ tainted
|
||||
ts.strip(), # $ tainted
|
||||
ts.swapcase(), # $ tainted
|
||||
ts.title(), # $ tainted
|
||||
ts.upper(), # $ tainted
|
||||
ts.zfill(100), # $ tainted
|
||||
|
||||
ts.encode("utf-8"),
|
||||
ts.encode("utf-8").decode("utf-8"),
|
||||
ts.encode("utf-8"), # $ tainted
|
||||
ts.encode("utf-8").decode("utf-8"), # $ tainted
|
||||
|
||||
tb.decode("utf-8"),
|
||||
tb.decode("utf-8").encode("utf-8"),
|
||||
tb.decode("utf-8"), # $ tainted
|
||||
tb.decode("utf-8").encode("utf-8"), # $ tainted
|
||||
|
||||
# string methods that return a list
|
||||
ts.partition("_"),
|
||||
ts.rpartition("_"),
|
||||
ts.rsplit("_"),
|
||||
ts.split("_"),
|
||||
ts.splitlines(),
|
||||
ts.partition("_"), # $ tainted
|
||||
ts.rpartition("_"), # $ tainted
|
||||
ts.rsplit("_"), # $ tainted
|
||||
ts.split("_"), # $ tainted
|
||||
ts.splitlines(), # $ tainted
|
||||
)
|
||||
|
||||
ensure_not_tainted(
|
||||
# Intuitively I think this should be safe, but better discuss it
|
||||
"safe".replace(ts, "also-safe"),
|
||||
|
||||
ts.join([]), # FP due to separator not being used with zero/one elements
|
||||
ts.join(["safe"]), # FP due to separator not being used with zero/one elements
|
||||
# FPs due to separator (`ts`) not ending up in result, when the list only has
|
||||
# zero/one elements
|
||||
ts.join([]), # $ SPURIOUS: tainted
|
||||
ts.join(["safe"]), # $ SPURIOUS: tainted
|
||||
)
|
||||
|
||||
|
||||
@@ -101,8 +103,8 @@ def non_syntactic():
|
||||
meth = ts.upper
|
||||
_str = str
|
||||
ensure_tainted(
|
||||
meth(),
|
||||
_str(ts),
|
||||
meth(), # $ MISSING: tainted
|
||||
_str(ts), # $ MISSING: tainted
|
||||
)
|
||||
|
||||
|
||||
@@ -111,9 +113,9 @@ def percent_fmt():
|
||||
ts = TAINTED_STRING
|
||||
tainted_fmt = ts + " %s %s"
|
||||
ensure_tainted(
|
||||
tainted_fmt % (1, 2),
|
||||
"%s foo bar" % ts,
|
||||
"%s %s %s" % (1, 2, ts),
|
||||
tainted_fmt % (1, 2), # $ tainted
|
||||
"%s foo bar" % ts, # $ tainted
|
||||
"%s %s %s" % (1, 2, ts), # $ tainted
|
||||
)
|
||||
|
||||
|
||||
@@ -123,30 +125,30 @@ def binary_decode_encode():
|
||||
import base64
|
||||
|
||||
ensure_tainted(
|
||||
base64.b64encode(tb),
|
||||
base64.b64decode(base64.b64encode(tb)),
|
||||
base64.b64encode(tb), # $ tainted
|
||||
base64.b64decode(base64.b64encode(tb)), # $ tainted
|
||||
|
||||
base64.standard_b64encode(tb),
|
||||
base64.standard_b64decode(base64.standard_b64encode(tb)),
|
||||
base64.standard_b64encode(tb), # $ tainted
|
||||
base64.standard_b64decode(base64.standard_b64encode(tb)), # $ tainted
|
||||
|
||||
base64.urlsafe_b64encode(tb),
|
||||
base64.urlsafe_b64decode(base64.urlsafe_b64encode(tb)),
|
||||
base64.urlsafe_b64encode(tb), # $ tainted
|
||||
base64.urlsafe_b64decode(base64.urlsafe_b64encode(tb)), # $ tainted
|
||||
|
||||
base64.b32encode(tb),
|
||||
base64.b32decode(base64.b32encode(tb)),
|
||||
base64.b32encode(tb), # $ tainted
|
||||
base64.b32decode(base64.b32encode(tb)), # $ tainted
|
||||
|
||||
base64.b16encode(tb),
|
||||
base64.b16decode(base64.b16encode(tb)),
|
||||
base64.b16encode(tb), # $ tainted
|
||||
base64.b16decode(base64.b16encode(tb)), # $ tainted
|
||||
|
||||
# deprecated since Python 3.1, but still works
|
||||
base64.encodestring(tb),
|
||||
base64.decodestring(base64.encodestring(tb)),
|
||||
base64.encodestring(tb), # $ tainted
|
||||
base64.decodestring(base64.encodestring(tb)), # $ tainted
|
||||
)
|
||||
|
||||
import quopri
|
||||
ensure_tainted(
|
||||
quopri.encodestring(tb),
|
||||
quopri.decodestring(quopri.encodestring(tb)),
|
||||
quopri.encodestring(tb), # $ MISSING: tainted
|
||||
quopri.decodestring(quopri.encodestring(tb)), # $ MISSING: tainted
|
||||
)
|
||||
|
||||
|
||||
@@ -156,10 +158,10 @@ def test_os_path_join():
|
||||
print("\n# test_os_path_join")
|
||||
ts = TAINTED_STRING
|
||||
ensure_tainted(
|
||||
os.path.join(ts, "foo", "bar"),
|
||||
os.path.join(ts),
|
||||
os.path.join("foo", "bar", ts),
|
||||
ospath_alias.join("foo", "bar", ts),
|
||||
os.path.join(ts, "foo", "bar"), # $ tainted
|
||||
os.path.join(ts), # $ tainted
|
||||
os.path.join("foo", "bar", ts), # $ tainted
|
||||
ospath_alias.join("foo", "bar", ts), # $ tainted
|
||||
)
|
||||
|
||||
|
||||
|
||||
@@ -13,13 +13,13 @@ if TYPE_CHECKING:
|
||||
def unpacking():
|
||||
l = TAINTED_LIST[0:3]
|
||||
a, b, c = l
|
||||
ensure_tainted(a, b, c)
|
||||
ensure_tainted(a, b, c) # $ tainted
|
||||
|
||||
|
||||
def unpacking_to_list():
|
||||
l = TAINTED_LIST[0:3]
|
||||
[a, b, c] = l
|
||||
ensure_tainted(a, b, c)
|
||||
ensure_tainted(a, b, c) # $ tainted
|
||||
|
||||
|
||||
def nested():
|
||||
@@ -28,22 +28,22 @@ def nested():
|
||||
|
||||
# list
|
||||
[[a1, a2, a3], b, c] = ll
|
||||
ensure_tainted(a1, a2, a3, b, c)
|
||||
ensure_tainted(a1, a2, a3, b, c) # $ tainted
|
||||
|
||||
# tuple
|
||||
((a1, a2, a3), b, c) = ll
|
||||
ensure_tainted(a1, a2, a3, b, c)
|
||||
ensure_tainted(a1, a2, a3, b, c) # $ tainted
|
||||
|
||||
# mixed
|
||||
[(a1, a2, a3), b, c] = ll
|
||||
ensure_tainted(a1, a2, a3, b, c)
|
||||
ensure_tainted(a1, a2, a3, b, c) # $ tainted
|
||||
|
||||
|
||||
def unpack_from_set():
|
||||
# no guarantee on ordering ... don't know why you would ever do this
|
||||
a, b, c = {"foo", "bar", TAINTED_STRING}
|
||||
# either all should be tainted, or none of them
|
||||
ensure_tainted(a, b, c)
|
||||
ensure_tainted(a, b, c) # $ tainted
|
||||
|
||||
|
||||
def contrived_1():
|
||||
@@ -52,8 +52,8 @@ def contrived_1():
|
||||
no_taint_list = [1,2,3]
|
||||
|
||||
(a, b, c), (d, e, f) = tainted_list, no_taint_list
|
||||
ensure_tainted(a, b, c)
|
||||
ensure_not_tainted(d, e, f) # FP: we mark `d`, `e` and `f` as tainted.
|
||||
ensure_tainted(a, b, c) # $ tainted
|
||||
ensure_not_tainted(d, e, f) # $ SPURIOUS: tainted
|
||||
|
||||
|
||||
def contrived_2():
|
||||
@@ -62,7 +62,7 @@ def contrived_2():
|
||||
# Old taint tracking was only able to handle taint nested 2 levels in sequences,
|
||||
# so would not mark a, b, c as tainted
|
||||
[[[ (a, b, c) ]]] = [[[ TAINTED_LIST[0:3] ]]]
|
||||
ensure_tainted(a, b, c)
|
||||
ensure_tainted(a, b, c) # $ tainted
|
||||
|
||||
|
||||
# Make tests runable
|
||||
|
||||
@@ -0,0 +1,3 @@
|
||||
argumentToEnsureNotTaintedNotMarkedAsSpurious
|
||||
untaintedArgumentToEnsureTaintedNotMarkedAsMissing
|
||||
failures
|
||||
@@ -0,0 +1 @@
|
||||
import experimental.meta.InlineTaintTest
|
||||
@@ -25,14 +25,14 @@ initially_tainted = NOT_TAINTED
|
||||
ensure_not_tainted(initially_tainted)
|
||||
|
||||
def use_of_initially_tainted():
|
||||
ensure_not_tainted(initially_tainted) # FP
|
||||
ensure_not_tainted(initially_tainted) # $ SPURIOUS: tainted
|
||||
|
||||
|
||||
# A very similar case to the above, but here we _do_ want taint flow, because the initially tainted
|
||||
# value is actually used before it gets reassigned to an untainted value.
|
||||
# value is actually used before it gets reassigned to an untainted value.
|
||||
|
||||
def use_of_initially_tainted2():
|
||||
ensure_tainted(initially_tainted2)
|
||||
ensure_tainted(initially_tainted2) # $ tainted
|
||||
|
||||
initially_tainted2 = TAINTED_STRING
|
||||
use_of_initially_tainted2()
|
||||
@@ -47,7 +47,7 @@ def write_tainted():
|
||||
g = TAINTED_STRING
|
||||
|
||||
def sink_global():
|
||||
ensure_tainted(g)
|
||||
ensure_tainted(g) # $ tainted
|
||||
|
||||
write_global()
|
||||
write_tainted()
|
||||
|
||||
@@ -1,6 +0,0 @@
|
||||
| test.py:12 | ok | test | tainted_later |
|
||||
| test.py:25 | ok | test | initially_tainted |
|
||||
| test.py:28 | fail | use_of_initially_tainted | initially_tainted |
|
||||
| test.py:35 | ok | use_of_initially_tainted2 | initially_tainted2 |
|
||||
| test.py:40 | ok | test | initially_tainted2 |
|
||||
| test.py:50 | ok | sink_global | g |
|
||||
@@ -1 +0,0 @@
|
||||
import experimental.dataflow.tainttracking.TestTaintLib
|
||||
Reference in New Issue
Block a user