Python: Add taint tests for encode/decode functions

2026-04-30 11:15:13 +02:00 · 2020-08-24 14:44:01 +02:00
parent 31b398937a
commit 5125c7a55c
3 changed files with 63 additions and 0 deletions
--- a/python/ql/src/experimental/dataflow/internal/TaintTrackingPrivate.qll
+++ b/python/ql/src/experimental/dataflow/internal/TaintTrackingPrivate.qll
@@ -119,4 +119,7 @@ predicate stringMethods(DataFlow::CfgNode nodeFrom, DataFlow::CfgNode nodeTo) {
      fmt.getRight() = nodeFrom.getNode()
    )
  )
+  // TODO: Handle encode/decode from base64/quopri
+  // TODO: Handle os.path.join
+  // TODO: Handle functions in https://docs.python.org/3/library/binascii.html
 }
--- a/python/ql/test/experimental/dataflow/tainttracking/string/TestTaint.expected
+++ b/python/ql/test/experimental/dataflow/tainttracking/string/TestTaint.expected
@@ -47,3 +47,17 @@
 | test.py:110 | ok   | percent_fmt | BinaryExpr |
 | test.py:111 | ok   | percent_fmt | BinaryExpr |
 | test.py:112 | fail | percent_fmt | BinaryExpr |
+| test.py:122 | fail | binary_decode_encode | base64.b64encode(..) |
+| test.py:123 | fail | binary_decode_encode | base64.b64decode(..) |
+| test.py:125 | fail | binary_decode_encode | base64.standard_b64encode(..) |
+| test.py:126 | fail | binary_decode_encode | base64.standard_b64decode(..) |
+| test.py:128 | fail | binary_decode_encode | base64.urlsafe_b64encode(..) |
+| test.py:129 | fail | binary_decode_encode | base64.urlsafe_b64decode(..) |
+| test.py:131 | fail | binary_decode_encode | base64.b32encode(..) |
+| test.py:132 | fail | binary_decode_encode | base64.b32decode(..) |
+| test.py:134 | fail | binary_decode_encode | base64.b16encode(..) |
+| test.py:135 | fail | binary_decode_encode | base64.b16decode(..) |
+| test.py:150 | fail | binary_decode_encode | base64.encodestring(..) |
+| test.py:151 | fail | binary_decode_encode | base64.decodestring(..) |
+| test.py:156 | fail | binary_decode_encode | quopri.encodestring(..) |
+| test.py:157 | fail | binary_decode_encode | quopri.decodestring(..) |
--- a/python/ql/test/experimental/dataflow/tainttracking/string/test.py
+++ b/python/ql/test/experimental/dataflow/tainttracking/string/test.py
@@ -113,9 +113,55 @@ def percent_fmt():
    )


+def binary_decode_encode():
+    print("\n#percent_fmt")
+    tb = TAINTED_BYTES
+    import base64
+
+    ensure_tainted(
+        base64.b64encode(tb),
+        base64.b64decode(base64.b64encode(tb)),
+
+        base64.standard_b64encode(tb),
+        base64.standard_b64decode(base64.standard_b64encode(tb)),
+
+        base64.urlsafe_b64encode(tb),
+        base64.urlsafe_b64decode(base64.urlsafe_b64encode(tb)),
+
+        base64.b32encode(tb),
+        base64.b32decode(base64.b32encode(tb)),
+
+        base64.b16encode(tb),
+        base64.b16decode(base64.b16encode(tb)),
+
+        # # New in Python 3.4
+        # base64.a85encode(tb),
+        # base64.a85decode(base64.a85encode(tb)),
+
+        # # New in Python 3.4
+        # base64.b85encode(tb),
+        # base64.b85decode(base64.b85encode(tb)),
+
+        # # New in Python 3.1
+        # base64.encodebytes(tb),
+        # base64.decodebytes(base64.encodebytes(tb)),
+
+        # deprecated since Python 3.1, but still works
+        base64.encodestring(tb),
+        base64.decodestring(base64.encodestring(tb)),
+    )
+
+    import quopri
+    ensure_tainted(
+        quopri.encodestring(tb),
+        quopri.decodestring(quopri.encodestring(tb)),
+    )
+
+
 # Make tests runable

 str_operations()
 str_methods()
 non_syntactic()
 percent_fmt()
+binary_decode_encode()