Python: Escaping only valid with both input/output defined

Problematic part is ```codeql /** A escape from string format with `markupsafe.Markup` as the format string. */ private class MarkupEscapeFromStringFormat extends MarkupSafeEscape, Markup::StringFormat { override DataFlow::Node getAnInput() { result in [this.getArg(_), this.getArgByName(_)] and not result = Markup::instance() } override DataFlow::Node getOutput() { result = this } } ``` since the char-pred still holds even if `getAnInput` has no results... I will say that doing it this way feels kinda dirty, and we _could_ fix this by including the logic in `getAnInput` in the char-pred as well. But as I see it, that would just lead to a lot of code duplication, which isn't very nice.
2026-05-05 21:55:19 +02:00 · 2021-06-16 19:00:11 +02:00
parent 6539df6422
commit 498703fc81
2 changed files with 7 additions and 2 deletions
--- a/python/ql/test/library-tests/frameworks/markupsafe/taint_test.py
+++ b/python/ql/test/library-tests/frameworks/markupsafe/taint_test.py
@@ -38,7 +38,7 @@ def test():
        m_unsafe.format(SAFE), # $ escapeInput=SAFE escapeKind=html escapeOutput=m_unsafe.format(..) MISSING: tainted
        m_unsafe + ts, # $ escapeInput=ts escapeKind=html escapeOutput=BinaryExpr MISSING: tainted

-        m_safe.format(m_unsafe), # $ escapeKind=html escapeOutput=m_safe.format(..) MISSING: tainted
+        m_safe.format(m_unsafe), # $ tainted

        escape(ts).unescape(), # $ escapeInput=ts escapeKind=html escapeOutput=escape(..) MISSING: tainted
        escape_silent(ts).unescape(), # $ escapeInput=ts escapeKind=html escapeOutput=escape_silent(..) MISSING: tainted