Python: Port taint tests to use inline expectations

The meat of this PR is described in the new python/ql/test/experimental/meta/InlineTaintTest.qll file:

> Defines a InlineExpectationsTest for checking whether any arguments in
> `ensure_tainted` and `ensure_not_tainted` calls are tainted.
>
> Also defines query predicates to ensure that:
> - if any arguments to `ensure_not_tainted` are tainted, their annotation is marked with `SPURIOUS`.
> - if any arguments to `ensure_tainted` are not tainted, their annotation is marked with `MISSING`.
>
> The functionality of this module is tested in `ql/test/experimental/meta/inline-taint-test-demo`.

python/ql/test/experimental/meta/InlineTaintTest.qll

@@ -0,0 +1,91 @@
+/**
+ * Defines a InlineExpectationsTest for checking whether any arguments in
+ * `ensure_tainted` and `ensure_not_tainted` calls are tainted.
+ *
+ * Also defines query predicates to ensure that:
+ * - if any arguments to `ensure_not_tainted` are tainted, their annotation is marked with `SPURIOUS`.
+ * - if any arguments to `ensure_tainted` are not tainted, their annotation is marked with `MISSING`.
+ *
+ * The functionality of this module is tested in `ql/test/experimental/meta/inline-taint-test-demo`.
+ */
+
+import python
+import semmle.python.dataflow.new.DataFlow
+import semmle.python.dataflow.new.TaintTracking
+import semmle.python.dataflow.new.RemoteFlowSources
+import TestUtilities.InlineExpectationsTest
+import experimental.dataflow.TestUtil.PrintNode
+
+DataFlow::Node shouldBeTainted() {
+  exists(DataFlow::CallCfgNode call |
+    call.getFunction().asCfgNode().(NameNode).getId() = "ensure_tainted" and
+    result in [call.getArg(_), call.getArgByName(_)]
+  )
+}
+
+DataFlow::Node shouldNotBeTainted() {
+  exists(DataFlow::CallCfgNode call |
+    call.getFunction().asCfgNode().(NameNode).getId() = "ensure_not_tainted" and
+    result in [call.getArg(_), call.getArgByName(_)]
+  )
+}
+
+class TestTaintTrackingConfiguration extends TaintTracking::Configuration {
+  TestTaintTrackingConfiguration() { this = "TestTaintTrackingConfiguration" }
+
+  override predicate isSource(DataFlow::Node source) {
+    source.asCfgNode().(NameNode).getId() in [
+        "TAINTED_STRING", "TAINTED_BYTES", "TAINTED_LIST", "TAINTED_DICT"
+      ]
+    or
+    source instanceof RemoteFlowSource
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    sink = shouldBeTainted()
+    or
+    sink = shouldNotBeTainted()
+  }
+}
+
+class InlineTaintTest extends InlineExpectationsTest {
+  InlineTaintTest() { this = "InlineTaintTest" }
+
+  override string getARelevantTag() { result = "tainted" }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    exists(location.getFile().getRelativePath()) and
+    exists(DataFlow::Node sink |
+      any(TestTaintTrackingConfiguration config).hasFlow(_, sink) and
+      location = sink.getLocation() and
+      element = prettyExp(sink.asExpr()) and
+      value = "" and
+      tag = "tainted"
+    )
+  }
+}
+
+query predicate argumentToEnsureNotTaintedNotMarkedAsSpurious(
+  string error, Location location, string element
+) {
+  error = "ERROR, you should add `SPURIOUS:` to this annotation" and
+  location = shouldNotBeTainted().getLocation() and
+  any(InlineTaintTest test).hasActualResult(location, element, "tainted", _) and
+  exists(GoodExpectation good, ActualResult actualResult |
+    good.matchesActualResult(actualResult) and
+    actualResult.getLocation() = location and
+    actualResult.toString() = element
+  )
+}
+
+query predicate untaintedArgumentToEnsureTaintedNotMarkedAsMissing(string error, Location location) {
+  error = "ERROR, you should add `# $ MISSING: tainted` annotation" and
+  exists(DataFlow::Node sink |
+    sink = shouldBeTainted() and
+    not any(TestTaintTrackingConfiguration config).hasFlow(_, sink) and
+    location = sink.getLocation() and
+    not exists(FalseNegativeExpectation missingResult |
+      missingResult.getLocation().getStartLine() = location.getStartLine()
+    )
+  )
+}

python/ql/test/experimental/meta/inline-taint-test-demo/InlineTaintTest.expected

@@ -0,0 +1,5 @@
+argumentToEnsureNotTaintedNotMarkedAsSpurious
+| ERROR, you should add `SPURIOUS:` to this annotation | taint_test.py:36:9:36:29 | taint_test.py:36 | should_not_be_tainted |
+untaintedArgumentToEnsureTaintedNotMarkedAsMissing
+| ERROR, you should add `# $ MISSING: tainted` annotation | taint_test.py:28:9:28:25 | taint_test.py:28 |
+failures

python/ql/test/experimental/meta/inline-taint-test-demo/InlineTaintTest.ql

@@ -0,0 +1 @@
+import experimental.meta.InlineTaintTest

python/ql/test/experimental/meta/inline-taint-test-demo/taint_test.py

@@ -0,0 +1,37 @@
+def expected_usage():
+    ts = TAINTED_STRING
+
+    # simulating handling something we _want_ to treat at tainted, but we currently treat as untainted
+    should_be_tainted = "pretend this is unsafe"
+
+    ensure_tainted(
+        ts, # $ tainted
+        should_be_tainted, # $ MISSING: tainted
+    )
+
+    # simulating handling something we _want_ to treat at untainted, but we currently treat as tainted
+    should_not_be_tainted = "pretend this is now safe" + ts
+    ensure_not_tainted(
+        should_not_be_tainted, # $ SPURIOUS: tainted
+        "FOO"
+    )
+
+
+def bad_usage():
+    ts = TAINTED_STRING
+
+    # simulating handling something we _want_ to treat at tainted, but we currently treat as untainted
+    should_be_tainted = "pretend this is unsafe"
+
+    # This element _should_ have a `$ MISSING: tainted` annotation, which will be alerted in the .expected output
+    ensure_tainted(
+        should_be_tainted,
+    )
+
+    # simulating handling something we _want_ to treat at untainted, but we currently treat as tainted
+    should_not_be_tainted = "pretend this is now safe" + ts
+
+    # This annotation _should_ have used `SPURIOUS`, which will be alerted on in the .expected output
+    ensure_not_tainted(
+        should_not_be_tainted # $ tainted
+    )