Python: Add non-syntactical test for taint of json methods

python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/TestTaint.expected

@@ -39,6 +39,11 @@
 | json.py:27 | fail | test | json.loads(..) |
 | json.py:34 | fail | test | tainted_filelike |
 | json.py:35 | fail | test | json.load(..) |
+| json.py:48 | fail | non_syntacical | dumps(..) |
+| json.py:49 | fail | non_syntacical | dumps_alias(..) |
+| json.py:50 | fail | non_syntacical | loads(..) |
+| json.py:57 | fail | non_syntacical | tainted_filelike |
+| json.py:58 | fail | non_syntacical | load(..) |
 | string.py:25 | ok   | str_operations | ts |
 | string.py:26 | ok   | str_operations | BinaryExpr |
 | string.py:27 | ok   | str_operations | BinaryExpr |

python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/json.py

@@ -10,7 +10,6 @@ if TYPE_CHECKING:
 
 # Actual tests
 
-import json
 from io import StringIO
 
 # Workaround for Python3 not having unicode
@@ -21,6 +20,7 @@ if sys.version_info[0] == 3:
 def test():
     print("\n# test")
     ts = TAINTED_STRING
+    import json
 
     ensure_tainted(
         json.dumps(ts),
@@ -35,7 +35,30 @@ def test():
         json.load(tainted_filelike),
     )
 
+def non_syntacical():
+    print("\n# non_syntacical")
+    ts = TAINTED_STRING
+
+    # a less syntactical approach
+    from json import load, loads, dumps
+
+    dumps_alias = dumps
+
+    ensure_tainted(
+        dumps(ts),
+        dumps_alias(ts),
+        loads(dumps(ts)),
+    )
+
+    # For Python2, need to convert to unicode for StringIO to work
+    tainted_filelike = StringIO(unicode(dumps(ts)))
+
+    ensure_tainted(
+        tainted_filelike,
+        load(tainted_filelike),
+    )
 
 # Make tests runable
 
 test()
+non_syntacical()