Python: Add CodeExecution tests for stdlib

2026-05-02 20:25:13 +02:00 · 2020-10-07 18:58:16 +02:00
parent 0af86cba50
commit 453c391bb0
16 changed files with 109 additions and 0 deletions
--- a/python/ql/test/experimental/library-tests/frameworks/stdlib-py2/CodeExecution.py
+++ b/python/ql/test/experimental/library-tests/frameworks/stdlib-py2/CodeExecution.py
@@ -0,0 +1,2 @@
+# exec statement is Python 2 specific
+exec "print(42)"  # $getCode="print(42)"
--- a/python/ql/test/experimental/library-tests/frameworks/stdlib-py2/ConceptsTest.expected
+++ b/python/ql/test/experimental/library-tests/frameworks/stdlib-py2/ConceptsTest.expected
@@ -0,0 +1 @@
+| CodeExecution.py:2:19:2:40 | Comment # $getCode="print(42)" | Missing result:getCode="print(42)" |
--- a/python/ql/test/experimental/library-tests/frameworks/stdlib-py2/ConceptsTest.ql
+++ b/python/ql/test/experimental/library-tests/frameworks/stdlib-py2/ConceptsTest.ql
@@ -0,0 +1,2 @@
+import python
+import experimental.meta.ConceptsTest
--- a/python/ql/test/experimental/library-tests/frameworks/stdlib-py2/options
+++ b/python/ql/test/experimental/library-tests/frameworks/stdlib-py2/options
@@ -0,0 +1 @@
+semmle-extractor-options: --max-import-depth=1 --lang=2
--- a/python/ql/test/experimental/library-tests/frameworks/stdlib-py3/CodeExecution.py
+++ b/python/ql/test/experimental/library-tests/frameworks/stdlib-py3/CodeExecution.py
@@ -0,0 +1,4 @@
+import builtins
+
+# exec being part of builtins is Python 3 only
+builtins.exec("print(42)")  # $getCode="print(42)"
--- a/python/ql/test/experimental/library-tests/frameworks/stdlib-py3/ConceptsTest.expected
+++ b/python/ql/test/experimental/library-tests/frameworks/stdlib-py3/ConceptsTest.expected
@@ -0,0 +1 @@
+| CodeExecution.py:4:29:4:50 | Comment # $getCode="print(42)" | Missing result:getCode="print(42)" |
--- a/python/ql/test/experimental/library-tests/frameworks/stdlib-py3/ConceptsTest.ql
+++ b/python/ql/test/experimental/library-tests/frameworks/stdlib-py3/ConceptsTest.ql
@@ -0,0 +1,2 @@
+import python
+import experimental.meta.ConceptsTest
--- a/python/ql/test/experimental/library-tests/frameworks/stdlib-py3/options
+++ b/python/ql/test/experimental/library-tests/frameworks/stdlib-py3/options
@@ -0,0 +1 @@
+semmle-extractor-options: --max-import-depth=1 --lang=3
--- a/python/ql/test/experimental/library-tests/frameworks/stdlib/CodeExecution.py
+++ b/python/ql/test/experimental/library-tests/frameworks/stdlib/CodeExecution.py
@@ -0,0 +1,39 @@
+# without this, `eval("print(42)")` becomes invalid syntax in Python 2, since print is a
+# statement
+from __future__ import print_function
+
+import sys
+
+if sys.version_info[0] == 3:
+    import builtins
+if sys.version_info[0] == 2:
+    import __builtin__ as builtins
+
+exec("print(42)")  # $getCode="print(42)"
+eval("print(42)")  # $getCode="print(42)"
+
+builtins.eval("print(42)")  # $getCode="print(42)"
+
+cmd = compile("print(42)", "<filename>", "exec")
+exec(cmd)  # $getCode=cmd
+
+cmd = builtins.compile("print(42)", "<filename>", "exec")
+exec(cmd)  # $getCode=cmd
+
+# ------------------------------------------------------------------------------
+# taint related
+
+
+def test_additional_taint():
+    src = TAINTED_STRING
+
+    cmd1 = compile(src, "<filename>", "exec")
+    cmd2 = compile(source=src, filename="<filename>", mode="exec")
+    cmd3 = builtins.compile(src, "<filename>", "exec")
+
+    ensure_tainted(
+        src,
+        cmd1,
+        cmd2,
+        cmd3,
+    )
--- a/python/ql/test/experimental/library-tests/frameworks/stdlib/CodeExecutionPossibleFP1.py
+++ b/python/ql/test/experimental/library-tests/frameworks/stdlib/CodeExecutionPossibleFP1.py
@@ -0,0 +1,11 @@
+# without this, `eval("print(42)")` becomes invalid syntax in Python 2, since print is a
+# statement
+from __future__ import print_function
+
+
+def eval(*args, **kwargs):
+    raise Exception("no eval")
+
+
+# This function call might be marked as a code execution, but it actually isn't.
+eval("print(42)")
--- a/python/ql/test/experimental/library-tests/frameworks/stdlib/CodeExecutionPossibleFP2.py
+++ b/python/ql/test/experimental/library-tests/frameworks/stdlib/CodeExecutionPossibleFP2.py
@@ -0,0 +1,13 @@
+# without this, `eval("print(42)")` becomes invalid syntax in Python 2, since print is a
+# statement
+from __future__ import print_function
+
+
+def foo(*args, **kwargs):
+    raise Exception("no eval")
+
+
+eval = foo
+
+# This function call might be marked as a code execution, but it actually isn't.
+eval("print(42)")
--- a/python/ql/test/experimental/library-tests/frameworks/stdlib/CodeExecutionPossibleFP3.py
+++ b/python/ql/test/experimental/library-tests/frameworks/stdlib/CodeExecutionPossibleFP3.py
@@ -0,0 +1,19 @@
+# without this, `eval("print(42)")` becomes invalid syntax in Python 2, since print is a
+# statement
+from __future__ import print_function
+import sys
+
+if sys.version_info[0] == 3:
+    import builtins
+if sys.version_info[0] == 2:
+    import __builtin__ as builtins
+
+
+def foo(*args, **kwargs):
+    raise Exception("no eval")
+
+
+builtins.eval = foo
+
+# This function call might be marked as a code execution, but it actually isn't.
+eval("print(42)")
--- a/python/ql/test/experimental/library-tests/frameworks/stdlib/ConceptsTest.expected
+++ b/python/ql/test/experimental/library-tests/frameworks/stdlib/ConceptsTest.expected
@@ -0,0 +1,5 @@
+| CodeExecution.py:12:20:12:41 | Comment # $getCode="print(42)" | Missing result:getCode="print(42)" |
+| CodeExecution.py:13:20:13:41 | Comment # $getCode="print(42)" | Missing result:getCode="print(42)" |
+| CodeExecution.py:15:29:15:50 | Comment # $getCode="print(42)" | Missing result:getCode="print(42)" |
+| CodeExecution.py:18:12:18:25 | Comment # $getCode=cmd | Missing result:getCode=cmd |
+| CodeExecution.py:21:12:21:25 | Comment # $getCode=cmd | Missing result:getCode=cmd |
--- a/python/ql/test/experimental/library-tests/frameworks/stdlib/TestTaint.expected
+++ b/python/ql/test/experimental/library-tests/frameworks/stdlib/TestTaint.expected
@@ -0,0 +1,4 @@
+| CodeExecution.py:35 | ok   | test_additional_taint | src |
+| CodeExecution.py:36 | fail | test_additional_taint | cmd1 |
+| CodeExecution.py:37 | fail | test_additional_taint | cmd2 |
+| CodeExecution.py:38 | fail | test_additional_taint | cmd3 |
--- a/python/ql/test/experimental/library-tests/frameworks/stdlib/TestTaint.ql
+++ b/python/ql/test/experimental/library-tests/frameworks/stdlib/TestTaint.ql
@@ -0,0 +1,2 @@
+import experimental.dataflow.tainttracking.TestTaintLib
+import experimental.dataflow.RemoteFlowSources
--- a/python/ql/test/experimental/query-tests/Security-new-dataflow/CWE-094/code_injection.py
+++ b/python/ql/test/experimental/query-tests/Security-new-dataflow/CWE-094/code_injection.py
@@ -6,3 +6,5 @@ def code_execution():
    code = request.args.get("code")
    exec(code)
    eval(code)
+    cmd = compile(code, "<filename>", "exec")
+    exec(cmd)
				`@@ -0,0 +1 @@`
				`\| CodeExecution.py:2:19:2:40 \| Comment # $getCode="print(42)" \| Missing result:getCode="print(42)" \|`
				`@@ -0,0 +1 @@`
				`semmle-extractor-options: --max-import-depth=1 --lang=2`
				`@@ -0,0 +1 @@`
				`\| CodeExecution.py:4:29:4:50 \| Comment # $getCode="print(42)" \| Missing result:getCode="print(42)" \|`