Merge pull request #2639 from RasmusWL/python-improve-dict-taint

Python: Improve tests for tainted collections

python/ql/test/library-tests/taint/collections/Taint.qll

@@ -0,0 +1,46 @@
+import python
+import semmle.python.security.TaintTracking
+import semmle.python.security.strings.Untrusted
+
+
+class SimpleSource extends TaintSource {
+
+    SimpleSource() { this.(NameNode).getId() = "TAINTED_STRING" }
+
+    override predicate isSourceOf(TaintKind kind) {
+        kind instanceof ExternalStringKind
+    }
+
+    override string toString() {
+        result = "taint source"
+    }
+
+}
+
+class ListSource extends TaintSource {
+
+    ListSource() { this.(NameNode).getId() = "TAINTED_LIST" }
+
+    override predicate isSourceOf(TaintKind kind) {
+        kind instanceof ExternalStringSequenceKind
+    }
+
+    override string toString() {
+        result = "list taint source"
+    }
+
+}
+
+class DictSource extends TaintSource {
+
+    DictSource() { this.(NameNode).getId() = "TAINTED_DICT" }
+
+    override predicate isSourceOf(TaintKind kind) {
+        kind instanceof ExternalStringDictKind
+    }
+
+    override string toString() {
+        result = "dict taint source"
+    }
+
+}

python/ql/test/library-tests/taint/collections/TestStep.expected

@@ -0,0 +1,60 @@
+| Taint [externally controlled string] | test.py:9 | test.py:9:20:9:35 | List |  |  -->  | Taint [externally controlled string] | test.py:14 | test.py:14:14:14:25 | tainted_list |  |
+| Taint [externally controlled string] | test.py:9 | test.py:9:20:9:35 | List |  |  -->  | Taint [externally controlled string] | test.py:20 | test.py:20:15:20:26 | tainted_list |  |
+| Taint [externally controlled string] | test.py:9 | test.py:9:20:9:35 | List |  |  -->  | Taint [externally controlled string] | test.py:21 | test.py:21:13:21:24 | tainted_list |  |
+| Taint [externally controlled string] | test.py:9 | test.py:9:20:9:35 | List |  |  -->  | Taint [externally controlled string] | test.py:22 | test.py:22:19:22:30 | tainted_list |  |
+| Taint [externally controlled string] | test.py:10 | test.py:10:22:10:36 | Tuple |  |  -->  | Taint [externally controlled string] | test.py:15 | test.py:15:14:15:26 | tainted_tuple |  |
+| Taint [externally controlled string] | test.py:14 | test.py:14:9:14:26 | list() |  |  -->  | Taint [externally controlled string] | test.py:23 | test.py:23:10:23:10 | a |  |
+| Taint [externally controlled string] | test.py:14 | test.py:14:14:14:25 | tainted_list |  |  -->  | Taint [externally controlled string] | test.py:14 | test.py:14:9:14:26 | list() |  |
+| Taint [externally controlled string] | test.py:15 | test.py:15:9:15:27 | list() |  |  -->  | Taint [externally controlled string] | test.py:23 | test.py:23:13:23:13 | b |  |
+| Taint [externally controlled string] | test.py:15 | test.py:15:14:15:26 | tainted_tuple |  |  -->  | Taint [externally controlled string] | test.py:15 | test.py:15:9:15:27 | list() |  |
+| Taint [externally controlled string] | test.py:17 | test.py:17:9:17:35 | list() |  |  -->  | Taint [externally controlled string] | test.py:23 | test.py:23:19:23:19 | d |  |
+| Taint [externally controlled string] | test.py:17 | test.py:17:14:17:34 | Attribute() |  |  -->  | Taint [externally controlled string] | test.py:17 | test.py:17:9:17:35 | list() |  |
+| Taint [externally controlled string] | test.py:20 | test.py:20:9:20:27 | tuple() |  |  -->  | Taint [externally controlled string] | test.py:23 | test.py:23:25:23:25 | f |  |
+| Taint [externally controlled string] | test.py:20 | test.py:20:15:20:26 | tainted_list |  |  -->  | Taint [externally controlled string] | test.py:20 | test.py:20:9:20:27 | tuple() |  |
+| Taint [externally controlled string] | test.py:21 | test.py:21:9:21:25 | set() |  |  -->  | Taint [externally controlled string] | test.py:23 | test.py:23:28:23:28 | g |  |
+| Taint [externally controlled string] | test.py:21 | test.py:21:13:21:24 | tainted_list |  |  -->  | Taint [externally controlled string] | test.py:21 | test.py:21:9:21:25 | set() |  |
+| Taint [externally controlled string] | test.py:26 | test.py:26:20:26:31 | TAINTED_LIST |  |  -->  | Taint [externally controlled string] | test.py:27 | test.py:27:9:27:20 | tainted_list |  |
+| Taint [externally controlled string] | test.py:26 | test.py:26:20:26:31 | TAINTED_LIST |  |  -->  | Taint [externally controlled string] | test.py:28 | test.py:28:9:28:20 | tainted_list |  |
+| Taint [externally controlled string] | test.py:26 | test.py:26:20:26:31 | TAINTED_LIST |  |  -->  | Taint [externally controlled string] | test.py:29 | test.py:29:9:29:20 | tainted_list |  |
+| Taint [externally controlled string] | test.py:26 | test.py:26:20:26:31 | TAINTED_LIST |  |  -->  | Taint [externally controlled string] | test.py:30 | test.py:30:9:30:20 | tainted_list |  |
+| Taint [externally controlled string] | test.py:26 | test.py:26:20:26:31 | TAINTED_LIST |  |  -->  | Taint [externally controlled string] | test.py:31 | test.py:31:15:31:26 | tainted_list |  |
+| Taint [externally controlled string] | test.py:26 | test.py:26:20:26:31 | TAINTED_LIST |  |  -->  | Taint [externally controlled string] | test.py:33 | test.py:33:14:33:25 | tainted_list |  |
+| Taint [externally controlled string] | test.py:26 | test.py:26:20:26:31 | TAINTED_LIST |  |  -->  | Taint [externally controlled string] | test.py:35 | test.py:35:23:35:34 | tainted_list |  |
+| Taint [externally controlled string] | test.py:27 | test.py:27:9:27:20 | tainted_list |  |  -->  | Taint externally controlled string | test.py:27 | test.py:27:9:27:23 | Subscript |  |
+| Taint [externally controlled string] | test.py:28 | test.py:28:9:28:20 | tainted_list |  |  -->  | Taint externally controlled string | test.py:28 | test.py:28:9:28:23 | Subscript |  |
+| Taint [externally controlled string] | test.py:29 | test.py:29:9:29:20 | tainted_list |  |  -->  | Taint [externally controlled string] | test.py:29 | test.py:29:9:29:25 | Subscript |  |
+| Taint [externally controlled string] | test.py:29 | test.py:29:9:29:25 | Subscript |  |  -->  | Taint [externally controlled string] | test.py:32 | test.py:32:16:32:16 | c |  |
+| Taint [externally controlled string] | test.py:30 | test.py:30:9:30:20 | tainted_list |  |  -->  | Taint [externally controlled string] | test.py:30 | test.py:30:9:30:27 | Attribute() |  |
+| Taint [externally controlled string] | test.py:30 | test.py:30:9:30:27 | Attribute() |  |  -->  | Taint [externally controlled string] | test.py:32 | test.py:32:19:32:19 | d |  |
+| Taint [externally controlled string] | test.py:33 | test.py:33:14:33:25 | tainted_list |  |  -->  | Taint externally controlled string | test.py:33 | test.py:33:5:33:26 | For |  |
+| Taint [externally controlled string] | test.py:35 | test.py:35:14:35:35 | reversed() |  |  -->  | Taint externally controlled string | test.py:35 | test.py:35:5:35:36 | For |  |
+| Taint [externally controlled string] | test.py:35 | test.py:35:23:35:34 | tainted_list |  |  -->  | Taint [externally controlled string] | test.py:35 | test.py:35:14:35:35 | reversed() |  |
+| Taint [externally controlled string] | test.py:44 | test.py:44:14:44:34 | Attribute() |  |  -->  | Taint externally controlled string | test.py:44 | test.py:44:5:44:35 | For |  |
+| Taint externally controlled string | test.py:8 | test.py:8:22:8:35 | TAINTED_STRING |  |  -->  | Taint externally controlled string | test.py:9 | test.py:9:21:9:34 | tainted_string |  |
+| Taint externally controlled string | test.py:8 | test.py:8:22:8:35 | TAINTED_STRING |  |  -->  | Taint externally controlled string | test.py:10 | test.py:10:22:10:35 | tainted_string |  |
+| Taint externally controlled string | test.py:8 | test.py:8:22:8:35 | TAINTED_STRING |  |  -->  | Taint externally controlled string | test.py:11 | test.py:11:20:11:33 | tainted_string |  |
+| Taint externally controlled string | test.py:8 | test.py:8:22:8:35 | TAINTED_STRING |  |  -->  | Taint externally controlled string | test.py:12 | test.py:12:28:12:41 | tainted_string |  |
+| Taint externally controlled string | test.py:9 | test.py:9:21:9:34 | tainted_string |  |  -->  | Taint [externally controlled string] | test.py:9 | test.py:9:20:9:35 | List |  |
+| Taint externally controlled string | test.py:10 | test.py:10:22:10:35 | tainted_string |  |  -->  | Taint [externally controlled string] | test.py:10 | test.py:10:22:10:36 | Tuple |  |
+| Taint externally controlled string | test.py:12 | test.py:12:28:12:41 | tainted_string |  |  -->  | Taint {externally controlled string} | test.py:12 | test.py:12:20:12:42 | Dict |  |
+| Taint externally controlled string | test.py:27 | test.py:27:9:27:23 | Subscript |  |  -->  | Taint externally controlled string | test.py:32 | test.py:32:10:32:10 | a |  |
+| Taint externally controlled string | test.py:28 | test.py:28:9:28:23 | Subscript |  |  -->  | Taint externally controlled string | test.py:32 | test.py:32:13:32:13 | b |  |
+| Taint externally controlled string | test.py:33 | test.py:33:5:33:26 | For |  |  -->  | Taint externally controlled string | test.py:34 | test.py:34:14:34:14 | h |  |
+| Taint externally controlled string | test.py:35 | test.py:35:5:35:36 | For |  |  -->  | Taint externally controlled string | test.py:36 | test.py:36:14:36:14 | i |  |
+| Taint externally controlled string | test.py:40 | test.py:40:9:40:28 | Subscript |  |  -->  | Taint externally controlled string | test.py:43 | test.py:43:10:43:10 | a |  |
+| Taint externally controlled string | test.py:41 | test.py:41:9:41:23 | Subscript |  |  -->  | Taint externally controlled string | test.py:43 | test.py:43:13:43:13 | b |  |
+| Taint externally controlled string | test.py:44 | test.py:44:5:44:35 | For |  |  -->  | Taint externally controlled string | test.py:45 | test.py:45:14:45:14 | d |  |
+| Taint externally controlled string | test.py:62 | test.py:62:34:62:47 | TAINTED_STRING |  |  -->  | Taint externally controlled string | test.py:62 | test.py:62:5:62:47 | BinaryExpr |  |
+| Taint {externally controlled string} | test.py:12 | test.py:12:20:12:42 | Dict |  |  -->  | Taint {externally controlled string} | test.py:17 | test.py:17:14:17:25 | tainted_dict |  |
+| Taint {externally controlled string} | test.py:12 | test.py:12:20:12:42 | Dict |  |  -->  | Taint {externally controlled string} | test.py:18 | test.py:18:14:18:25 | tainted_dict |  |
+| Taint {externally controlled string} | test.py:17 | test.py:17:14:17:25 | tainted_dict |  |  -->  | Taint [externally controlled string] | test.py:17 | test.py:17:14:17:34 | Attribute() |  |
+| Taint {externally controlled string} | test.py:39 | test.py:39:20:39:31 | TAINTED_DICT |  |  -->  | Taint {externally controlled string} | test.py:40 | test.py:40:9:40:20 | tainted_dict |  |
+| Taint {externally controlled string} | test.py:39 | test.py:39:20:39:31 | TAINTED_DICT |  |  -->  | Taint {externally controlled string} | test.py:41 | test.py:41:9:41:20 | tainted_dict |  |
+| Taint {externally controlled string} | test.py:39 | test.py:39:20:39:31 | TAINTED_DICT |  |  -->  | Taint {externally controlled string} | test.py:42 | test.py:42:9:42:20 | tainted_dict |  |
+| Taint {externally controlled string} | test.py:39 | test.py:39:20:39:31 | TAINTED_DICT |  |  -->  | Taint {externally controlled string} | test.py:44 | test.py:44:14:44:25 | tainted_dict |  |
+| Taint {externally controlled string} | test.py:39 | test.py:39:20:39:31 | TAINTED_DICT |  |  -->  | Taint {externally controlled string} | test.py:46 | test.py:46:17:46:28 | tainted_dict |  |
+| Taint {externally controlled string} | test.py:40 | test.py:40:9:40:20 | tainted_dict |  |  -->  | Taint externally controlled string | test.py:40 | test.py:40:9:40:28 | Subscript |  |
+| Taint {externally controlled string} | test.py:41 | test.py:41:9:41:20 | tainted_dict |  |  -->  | Taint externally controlled string | test.py:41 | test.py:41:9:41:23 | Subscript |  |
+| Taint {externally controlled string} | test.py:42 | test.py:42:9:42:20 | tainted_dict |  |  -->  | Taint {externally controlled string} | test.py:42 | test.py:42:9:42:27 | Attribute() |  |
+| Taint {externally controlled string} | test.py:42 | test.py:42:9:42:27 | Attribute() |  |  -->  | Taint {externally controlled string} | test.py:43 | test.py:43:16:43:16 | c |  |
+| Taint {externally controlled string} | test.py:44 | test.py:44:14:44:25 | tainted_dict |  |  -->  | Taint [externally controlled string] | test.py:44 | test.py:44:14:44:34 | Attribute() |  |

python/ql/test/library-tests/taint/collections/TestStep.ql

@@ -0,0 +1,11 @@
+import python
+import semmle.python.security.TaintTracking
+import Taint
+
+from TaintedNode n, TaintedNode s
+where
+    n.getLocation().getFile().getShortName() = "test.py" and
+    s.getLocation().getFile().getShortName() = "test.py" and
+    s = n.getASuccessor()
+select "Taint " + n.getTaintKind(), n.getLocation().toString(), n.getAstNode(), n.getContext(),
+    " --> ", "Taint " + s.getTaintKind(), s.getLocation().toString(), s.getAstNode(), s.getContext()

python/ql/test/library-tests/taint/collections/TestTaint.expected

@@ -0,0 +1,33 @@
+| test.py:23 | test_construction | a | [externally controlled string] |
+| test.py:23 | test_construction | b | [externally controlled string] |
+| test.py:23 | test_construction | c | NO TAINT |
+| test.py:23 | test_construction | d | [externally controlled string] |
+| test.py:23 | test_construction | e | NO TAINT |
+| test.py:23 | test_construction | f | [externally controlled string] |
+| test.py:23 | test_construction | g | [externally controlled string] |
+| test.py:23 | test_construction | h | NO TAINT |
+| test.py:32 | test_access | a | externally controlled string |
+| test.py:32 | test_access | b | externally controlled string |
+| test.py:32 | test_access | c | [externally controlled string] |
+| test.py:32 | test_access | d | [externally controlled string] |
+| test.py:32 | test_access | e | NO TAINT |
+| test.py:32 | test_access | f | NO TAINT |
+| test.py:32 | test_access | g | NO TAINT |
+| test.py:34 | test_access | h | externally controlled string |
+| test.py:36 | test_access | i | externally controlled string |
+| test.py:43 | test_dict_access | a | externally controlled string |
+| test.py:43 | test_dict_access | b | externally controlled string |
+| test.py:43 | test_dict_access | c | {externally controlled string} |
+| test.py:45 | test_dict_access | d | externally controlled string |
+| test.py:47 | test_dict_access | e | NO TAINT |
+| test.py:58 | test_named_tuple | a | NO TAINT |
+| test.py:58 | test_named_tuple | b | NO TAINT |
+| test.py:58 | test_named_tuple | c | NO TAINT |
+| test.py:58 | test_named_tuple | d | NO TAINT |
+| test.py:58 | test_named_tuple | e | NO TAINT |
+| test.py:58 | test_named_tuple | f | NO TAINT |
+| test.py:67 | test_defaultdict | a | NO TAINT |
+| test.py:67 | test_defaultdict | b | NO TAINT |
+| test.py:67 | test_defaultdict | c | NO TAINT |
+| test.py:69 | test_defaultdict | d | NO TAINT |
+| test.py:71 | test_defaultdict | e | NO TAINT |

python/ql/test/library-tests/taint/collections/TestTaint.ql

@@ -0,0 +1,18 @@
+import python
+import semmle.python.security.TaintTracking
+import Taint
+
+from Call call, Expr arg, string taint_string
+where
+    call.getLocation().getFile().getShortName() = "test.py" and
+    call.getFunc().(Name).getId() = "test" and
+    arg = call.getAnArg() and
+    (
+        not exists(TaintedNode tainted | tainted.getAstNode() = arg) and
+        taint_string = "NO TAINT"
+        or
+        exists(TaintedNode tainted | tainted.getAstNode() = arg |
+            taint_string = tainted.getTaintKind().toString()
+        )
+    )
+select arg.getLocation().toString(), call.getScope().(Function).getName(), arg.toString(), taint_string

python/ql/test/library-tests/taint/collections/test.py

@@ -0,0 +1,71 @@
+from collections import defaultdict, namedtuple
+
+# Use to show only interesting results in qltest output
+def test(*args):
+    pass
+
+def test_construction():
+    tainted_string = TAINTED_STRING
+    tainted_list = [tainted_string]
+    tainted_tuple = (tainted_string,)
+    tainted_set = {tainted_string} # TODO: set currently not handled
+    tainted_dict = {'key': tainted_string}
+
+    a = list(tainted_list)
+    b = list(tainted_tuple)
+    c = list(tainted_set) # TODO: set currently not handled
+    d = list(tainted_dict.values())
+    e = list(tainted_dict.items()) # TODO: dict.items() currently not handled
+
+    f = tuple(tainted_list)
+    g = set(tainted_list)
+    h = frozenset(tainted_list) # TODO: frozenset constructor currently not handled
+    test(a, b, c, d, e, f, g, h)
+
+def test_access():
+    tainted_list = TAINTED_LIST
+    a = tainted_list[0]
+    b = tainted_list[x]
+    c = tainted_list[y:z]
+    d = tainted_list.copy()
+    e, f, g = tainted_list # TODO: currently not handled
+    test(a, b, c, d, e, f, g)
+    for h in tainted_list:
+        test(h)
+    for i in reversed(tainted_list):
+        test(i)
+
+def test_dict_access(x):
+    tainted_dict = TAINTED_DICT
+    a = tainted_dict["name"]
+    b = tainted_dict[x]
+    c = tainted_dict.copy()
+    test(a, b, c)
+    for d in tainted_dict.values():
+        test(d)
+    for _, e in tainted_dict.items(): # TODO: dict.items() currently not handled
+        test(e)
+
+def test_named_tuple(): # TODO: namedtuple currently not handled
+    Point = namedtuple('Point', ['x', 'y'])
+    point = Point(TAINTED_STRING, 'const')
+
+    a = point[0]
+    b = point.x
+    c = point[1]
+    d = point.y
+    e, f = point
+    test(a, b, c, d, e, f)
+
+def test_defaultdict(key, x): # TODO: defaultdict currently not handled
+    tainted_default_dict = defaultdict(str)
+    tainted_default_dict[key] += TAINTED_STRING
+
+    a = tainted_dict["name"]
+    b = tainted_dict[x]
+    c = tainted_dict.copy()
+    test(a, b, c)
+    for d in tainted_dict.values():
+        test(d)
+    for _, e in tainted_dict.items():
+        test(e)

python/ql/test/library-tests/taint/strings/DistinctStringKinds.expected

@@ -1,16 +1,16 @@
-| Taint exception.info | test.py:54 | test.py:54:22:54:26 | taint | p1 = exception.info |
-| Taint exception.info | test.py:55 | test.py:55:12:55:22 | func() | p1 = exception.info |
-| Taint exception.info | test.py:55 | test.py:55:17:55:21 | taint | p1 = exception.info |
-| Taint exception.info | test.py:58 | test.py:58:12:58:33 | TAINTED_EXCEPTION_INFO |  |
-| Taint exception.info | test.py:59 | test.py:59:11:59:41 | cross_over() |  |
-| Taint exception.info | test.py:59 | test.py:59:37:59:40 | info |  |
-| Taint exception.info | test.py:61 | test.py:61:19:61:21 | arg | p0 = exception.info |
-| Taint exception.info | test.py:62 | test.py:62:12:62:14 | arg | p0 = exception.info |
-| Taint externally controlled string | test.py:54 | test.py:54:22:54:26 | taint | p1 = externally controlled string |
-| Taint externally controlled string | test.py:55 | test.py:55:12:55:22 | func() | p1 = externally controlled string |
-| Taint externally controlled string | test.py:55 | test.py:55:17:55:21 | taint | p1 = externally controlled string |
-| Taint externally controlled string | test.py:61 | test.py:61:19:61:21 | arg | p0 = externally controlled string |
-| Taint externally controlled string | test.py:62 | test.py:62:12:62:14 | arg | p0 = externally controlled string |
-| Taint externally controlled string | test.py:65 | test.py:65:11:65:33 | TAINTED_EXTERNAL_STRING |  |
-| Taint externally controlled string | test.py:66 | test.py:66:11:66:41 | cross_over() |  |
-| Taint externally controlled string | test.py:66 | test.py:66:38:66:40 | ext |  |
+| Taint exception.info | test.py:41 | test.py:41:22:41:26 | taint | p1 = exception.info |
+| Taint exception.info | test.py:42 | test.py:42:12:42:22 | func() | p1 = exception.info |
+| Taint exception.info | test.py:42 | test.py:42:17:42:21 | taint | p1 = exception.info |
+| Taint exception.info | test.py:45 | test.py:45:12:45:33 | TAINTED_EXCEPTION_INFO |  |
+| Taint exception.info | test.py:46 | test.py:46:11:46:41 | cross_over() |  |
+| Taint exception.info | test.py:46 | test.py:46:37:46:40 | info |  |
+| Taint exception.info | test.py:48 | test.py:48:19:48:21 | arg | p0 = exception.info |
+| Taint exception.info | test.py:49 | test.py:49:12:49:14 | arg | p0 = exception.info |
+| Taint externally controlled string | test.py:41 | test.py:41:22:41:26 | taint | p1 = externally controlled string |
+| Taint externally controlled string | test.py:42 | test.py:42:12:42:22 | func() | p1 = externally controlled string |
+| Taint externally controlled string | test.py:42 | test.py:42:17:42:21 | taint | p1 = externally controlled string |
+| Taint externally controlled string | test.py:48 | test.py:48:19:48:21 | arg | p0 = externally controlled string |
+| Taint externally controlled string | test.py:49 | test.py:49:12:49:14 | arg | p0 = externally controlled string |
+| Taint externally controlled string | test.py:52 | test.py:52:11:52:33 | TAINTED_EXTERNAL_STRING |  |
+| Taint externally controlled string | test.py:53 | test.py:53:11:53:41 | cross_over() |  |
+| Taint externally controlled string | test.py:53 | test.py:53:38:53:40 | ext |  |

python/ql/test/library-tests/taint/strings/TestNode.expected

@@ -1,10 +1,3 @@
-| Taint [externally controlled string] | test.py:12 | test.py:12:20:12:31 | TAINTED_LIST |  |
-| Taint [externally controlled string] | test.py:13 | test.py:13:9:13:20 | tainted_list |  |
-| Taint [externally controlled string] | test.py:14 | test.py:14:9:14:20 | tainted_list |  |
-| Taint [externally controlled string] | test.py:15 | test.py:15:9:15:20 | tainted_list |  |
-| Taint [externally controlled string] | test.py:15 | test.py:15:9:15:25 | Subscript |  |
-| Taint [externally controlled string] | test.py:16 | test.py:16:9:16:20 | tainted_list |  |
-| Taint [externally controlled string] | test.py:16 | test.py:16:9:16:27 | Attribute() |  |
 | Taint externally controlled string | test.py:5 | test.py:5:22:5:28 | TAINTED |  |
 | Taint externally controlled string | test.py:6 | test.py:6:31:6:44 | tainted_string |  |
 | Taint externally controlled string | test.py:7 | test.py:7:9:7:25 | Subscript |  |
@@ -12,39 +5,35 @@
 | Taint externally controlled string | test.py:8 | test.py:8:9:8:18 | Attribute() |  |
 | Taint externally controlled string | test.py:9 | test.py:9:9:9:9 | b |  |
 | Taint externally controlled string | test.py:9 | test.py:9:9:9:14 | Subscript |  |
-| Taint externally controlled string | test.py:13 | test.py:13:9:13:23 | Subscript |  |
-| Taint externally controlled string | test.py:14 | test.py:14:9:14:23 | Subscript |  |
-| Taint externally controlled string | test.py:20 | test.py:20:9:20:28 | Subscript |  |
-| Taint externally controlled string | test.py:21 | test.py:21:9:21:23 | Subscript |  |
-| Taint externally controlled string | test.py:25 | test.py:25:22:25:28 | TAINTED |  |
-| Taint externally controlled string | test.py:26 | test.py:26:9:26:22 | tainted_string |  |
-| Taint externally controlled string | test.py:26 | test.py:26:9:26:31 | Attribute() |  |
-| Taint externally controlled string | test.py:27 | test.py:27:9:27:22 | tainted_string |  |
-| Taint externally controlled string | test.py:27 | test.py:27:9:27:29 | Attribute() |  |
-| Taint externally controlled string | test.py:28 | test.py:28:9:28:22 | tainted_string |  |
-| Taint externally controlled string | test.py:28 | test.py:28:9:28:25 | Subscript |  |
-| Taint externally controlled string | test.py:29 | test.py:29:9:29:22 | tainted_string |  |
-| Taint externally controlled string | test.py:29 | test.py:29:9:29:27 | Subscript |  |
-| Taint externally controlled string | test.py:30 | test.py:30:9:30:32 | reversed() |  |
-| Taint externally controlled string | test.py:30 | test.py:30:18:30:31 | tainted_string |  |
-| Taint externally controlled string | test.py:31 | test.py:31:9:31:28 | copy() |  |
-| Taint externally controlled string | test.py:31 | test.py:31:14:31:27 | tainted_string |  |
-| Taint externally controlled string | test.py:32 | test.py:32:9:32:22 | tainted_string |  |
-| Taint externally controlled string | test.py:32 | test.py:32:9:32:30 | Attribute() |  |
-| Taint externally controlled string | test.py:35 | test.py:35:22:35:28 | TAINTED |  |
-| Taint externally controlled string | test.py:36 | test.py:36:8:36:21 | tainted_string |  |
-| Taint externally controlled string | test.py:39 | test.py:39:23:39:36 | tainted_string |  |
-| Taint externally controlled string | test.py:42 | test.py:42:22:42:28 | TAINTED |  |
-| Taint externally controlled string | test.py:43 | test.py:43:8:43:21 | tainted_string |  |
-| Taint externally controlled string | test.py:43 | test.py:43:34:43:47 | tainted_string |  |
-| Taint externally controlled string | test.py:46 | test.py:46:23:46:36 | tainted_string |  |
-| Taint externally controlled string | test.py:49 | test.py:49:22:49:28 | TAINTED |  |
-| Taint externally controlled string | test.py:50 | test.py:50:9:50:27 | str() |  |
-| Taint externally controlled string | test.py:50 | test.py:50:13:50:26 | tainted_string |  |
-| Taint externally controlled string | test.py:51 | test.py:51:9:51:29 | bytes() |  |
-| Taint externally controlled string | test.py:51 | test.py:51:15:51:28 | tainted_string |  |
-| Taint externally controlled string | test.py:52 | test.py:52:9:52:46 | bytes() |  |
-| Taint externally controlled string | test.py:52 | test.py:52:15:52:28 | tainted_string |  |
+| Taint externally controlled string | test.py:12 | test.py:12:22:12:28 | TAINTED |  |
+| Taint externally controlled string | test.py:13 | test.py:13:9:13:22 | tainted_string |  |
+| Taint externally controlled string | test.py:13 | test.py:13:9:13:31 | Attribute() |  |
+| Taint externally controlled string | test.py:14 | test.py:14:9:14:22 | tainted_string |  |
+| Taint externally controlled string | test.py:14 | test.py:14:9:14:29 | Attribute() |  |
+| Taint externally controlled string | test.py:15 | test.py:15:9:15:22 | tainted_string |  |
+| Taint externally controlled string | test.py:15 | test.py:15:9:15:25 | Subscript |  |
+| Taint externally controlled string | test.py:16 | test.py:16:9:16:22 | tainted_string |  |
+| Taint externally controlled string | test.py:16 | test.py:16:9:16:27 | Subscript |  |
+| Taint externally controlled string | test.py:17 | test.py:17:9:17:32 | reversed() |  |
+| Taint externally controlled string | test.py:17 | test.py:17:18:17:31 | tainted_string |  |
+| Taint externally controlled string | test.py:18 | test.py:18:9:18:28 | copy() |  |
+| Taint externally controlled string | test.py:18 | test.py:18:14:18:27 | tainted_string |  |
+| Taint externally controlled string | test.py:19 | test.py:19:9:19:22 | tainted_string |  |
+| Taint externally controlled string | test.py:19 | test.py:19:9:19:30 | Attribute() |  |
+| Taint externally controlled string | test.py:22 | test.py:22:22:22:28 | TAINTED |  |
+| Taint externally controlled string | test.py:23 | test.py:23:8:23:21 | tainted_string |  |
+| Taint externally controlled string | test.py:26 | test.py:26:23:26:36 | tainted_string |  |
+| Taint externally controlled string | test.py:29 | test.py:29:22:29:28 | TAINTED |  |
+| Taint externally controlled string | test.py:30 | test.py:30:8:30:21 | tainted_string |  |
+| Taint externally controlled string | test.py:30 | test.py:30:34:30:47 | tainted_string |  |
+| Taint externally controlled string | test.py:33 | test.py:33:23:33:36 | tainted_string |  |
+| Taint externally controlled string | test.py:36 | test.py:36:22:36:28 | TAINTED |  |
+| Taint externally controlled string | test.py:37 | test.py:37:9:37:27 | str() |  |
+| Taint externally controlled string | test.py:37 | test.py:37:13:37:26 | tainted_string |  |
+| Taint externally controlled string | test.py:38 | test.py:38:9:38:29 | bytes() |  |
+| Taint externally controlled string | test.py:38 | test.py:38:15:38:28 | tainted_string |  |
+| Taint externally controlled string | test.py:39 | test.py:39:9:39:46 | bytes() |  |
+| Taint externally controlled string | test.py:39 | test.py:39:15:39:28 | tainted_string |  |
 | Taint json[externally controlled string] | test.py:6 | test.py:6:20:6:45 | Attribute() |  |
 | Taint json[externally controlled string] | test.py:7 | test.py:7:9:7:20 | tainted_json |  |
 | Taint json[externally controlled string] | test.py:7 | test.py:7:9:7:25 | Subscript |  |
@@ -52,8 +41,3 @@
 | Taint json[externally controlled string] | test.py:8 | test.py:8:9:8:18 | Attribute() |  |
 | Taint json[externally controlled string] | test.py:9 | test.py:9:9:9:9 | b |  |
 | Taint json[externally controlled string] | test.py:9 | test.py:9:9:9:14 | Subscript |  |
-| Taint {externally controlled string} | test.py:19 | test.py:19:20:19:31 | TAINTED_DICT |  |
-| Taint {externally controlled string} | test.py:20 | test.py:20:9:20:20 | tainted_dict |  |
-| Taint {externally controlled string} | test.py:21 | test.py:21:9:21:20 | tainted_dict |  |
-| Taint {externally controlled string} | test.py:22 | test.py:22:9:22:20 | tainted_dict |  |
-| Taint {externally controlled string} | test.py:22 | test.py:22:9:22:27 | Attribute() |  |

python/ql/test/library-tests/taint/strings/TestStep.expected

@@ -1,40 +1,32 @@
-| Taint [externally controlled string] | test.py:12 | test.py:12:20:12:31 | TAINTED_LIST |  |  -->  | Taint [externally controlled string] | test.py:13 | test.py:13:9:13:20 | tainted_list |  |
-| Taint [externally controlled string] | test.py:12 | test.py:12:20:12:31 | TAINTED_LIST |  |  -->  | Taint [externally controlled string] | test.py:14 | test.py:14:9:14:20 | tainted_list |  |
-| Taint [externally controlled string] | test.py:12 | test.py:12:20:12:31 | TAINTED_LIST |  |  -->  | Taint [externally controlled string] | test.py:15 | test.py:15:9:15:20 | tainted_list |  |
-| Taint [externally controlled string] | test.py:12 | test.py:12:20:12:31 | TAINTED_LIST |  |  -->  | Taint [externally controlled string] | test.py:16 | test.py:16:9:16:20 | tainted_list |  |
-| Taint [externally controlled string] | test.py:13 | test.py:13:9:13:20 | tainted_list |  |  -->  | Taint externally controlled string | test.py:13 | test.py:13:9:13:23 | Subscript |  |
-| Taint [externally controlled string] | test.py:14 | test.py:14:9:14:20 | tainted_list |  |  -->  | Taint externally controlled string | test.py:14 | test.py:14:9:14:23 | Subscript |  |
-| Taint [externally controlled string] | test.py:15 | test.py:15:9:15:20 | tainted_list |  |  -->  | Taint [externally controlled string] | test.py:15 | test.py:15:9:15:25 | Subscript |  |
-| Taint [externally controlled string] | test.py:16 | test.py:16:9:16:20 | tainted_list |  |  -->  | Taint [externally controlled string] | test.py:16 | test.py:16:9:16:27 | Attribute() |  |
 | Taint externally controlled string | test.py:5 | test.py:5:22:5:28 | TAINTED |  |  -->  | Taint externally controlled string | test.py:6 | test.py:6:31:6:44 | tainted_string |  |
 | Taint externally controlled string | test.py:6 | test.py:6:31:6:44 | tainted_string |  |  -->  | Taint json[externally controlled string] | test.py:6 | test.py:6:20:6:45 | Attribute() |  |
 | Taint externally controlled string | test.py:7 | test.py:7:9:7:25 | Subscript |  |  -->  | Taint externally controlled string | test.py:8 | test.py:8:9:8:9 | a |  |
 | Taint externally controlled string | test.py:8 | test.py:8:9:8:18 | Attribute() |  |  -->  | Taint externally controlled string | test.py:9 | test.py:9:9:9:9 | b |  |
-| Taint externally controlled string | test.py:25 | test.py:25:22:25:28 | TAINTED |  |  -->  | Taint externally controlled string | test.py:26 | test.py:26:9:26:22 | tainted_string |  |
-| Taint externally controlled string | test.py:25 | test.py:25:22:25:28 | TAINTED |  |  -->  | Taint externally controlled string | test.py:27 | test.py:27:9:27:22 | tainted_string |  |
-| Taint externally controlled string | test.py:25 | test.py:25:22:25:28 | TAINTED |  |  -->  | Taint externally controlled string | test.py:28 | test.py:28:9:28:22 | tainted_string |  |
-| Taint externally controlled string | test.py:25 | test.py:25:22:25:28 | TAINTED |  |  -->  | Taint externally controlled string | test.py:29 | test.py:29:9:29:22 | tainted_string |  |
-| Taint externally controlled string | test.py:25 | test.py:25:22:25:28 | TAINTED |  |  -->  | Taint externally controlled string | test.py:30 | test.py:30:18:30:31 | tainted_string |  |
-| Taint externally controlled string | test.py:25 | test.py:25:22:25:28 | TAINTED |  |  -->  | Taint externally controlled string | test.py:31 | test.py:31:14:31:27 | tainted_string |  |
-| Taint externally controlled string | test.py:25 | test.py:25:22:25:28 | TAINTED |  |  -->  | Taint externally controlled string | test.py:32 | test.py:32:9:32:22 | tainted_string |  |
-| Taint externally controlled string | test.py:26 | test.py:26:9:26:22 | tainted_string |  |  -->  | Taint externally controlled string | test.py:26 | test.py:26:9:26:31 | Attribute() |  |
-| Taint externally controlled string | test.py:27 | test.py:27:9:27:22 | tainted_string |  |  -->  | Taint externally controlled string | test.py:27 | test.py:27:9:27:29 | Attribute() |  |
-| Taint externally controlled string | test.py:28 | test.py:28:9:28:22 | tainted_string |  |  -->  | Taint externally controlled string | test.py:28 | test.py:28:9:28:25 | Subscript |  |
-| Taint externally controlled string | test.py:29 | test.py:29:9:29:22 | tainted_string |  |  -->  | Taint externally controlled string | test.py:29 | test.py:29:9:29:27 | Subscript |  |
-| Taint externally controlled string | test.py:30 | test.py:30:18:30:31 | tainted_string |  |  -->  | Taint externally controlled string | test.py:30 | test.py:30:9:30:32 | reversed() |  |
-| Taint externally controlled string | test.py:31 | test.py:31:14:31:27 | tainted_string |  |  -->  | Taint externally controlled string | test.py:31 | test.py:31:9:31:28 | copy() |  |
-| Taint externally controlled string | test.py:32 | test.py:32:9:32:22 | tainted_string |  |  -->  | Taint externally controlled string | test.py:32 | test.py:32:9:32:30 | Attribute() |  |
-| Taint externally controlled string | test.py:35 | test.py:35:22:35:28 | TAINTED |  |  -->  | Taint externally controlled string | test.py:36 | test.py:36:8:36:21 | tainted_string |  |
-| Taint externally controlled string | test.py:35 | test.py:35:22:35:28 | TAINTED |  |  -->  | Taint externally controlled string | test.py:39 | test.py:39:23:39:36 | tainted_string |  |
-| Taint externally controlled string | test.py:42 | test.py:42:22:42:28 | TAINTED |  |  -->  | Taint externally controlled string | test.py:43 | test.py:43:8:43:21 | tainted_string |  |
-| Taint externally controlled string | test.py:42 | test.py:42:22:42:28 | TAINTED |  |  -->  | Taint externally controlled string | test.py:43 | test.py:43:34:43:47 | tainted_string |  |
-| Taint externally controlled string | test.py:42 | test.py:42:22:42:28 | TAINTED |  |  -->  | Taint externally controlled string | test.py:46 | test.py:46:23:46:36 | tainted_string |  |
-| Taint externally controlled string | test.py:49 | test.py:49:22:49:28 | TAINTED |  |  -->  | Taint externally controlled string | test.py:50 | test.py:50:13:50:26 | tainted_string |  |
-| Taint externally controlled string | test.py:49 | test.py:49:22:49:28 | TAINTED |  |  -->  | Taint externally controlled string | test.py:51 | test.py:51:15:51:28 | tainted_string |  |
-| Taint externally controlled string | test.py:49 | test.py:49:22:49:28 | TAINTED |  |  -->  | Taint externally controlled string | test.py:52 | test.py:52:15:52:28 | tainted_string |  |
-| Taint externally controlled string | test.py:50 | test.py:50:13:50:26 | tainted_string |  |  -->  | Taint externally controlled string | test.py:50 | test.py:50:9:50:27 | str() |  |
-| Taint externally controlled string | test.py:51 | test.py:51:15:51:28 | tainted_string |  |  -->  | Taint externally controlled string | test.py:51 | test.py:51:9:51:29 | bytes() |  |
-| Taint externally controlled string | test.py:52 | test.py:52:15:52:28 | tainted_string |  |  -->  | Taint externally controlled string | test.py:52 | test.py:52:9:52:46 | bytes() |  |
+| Taint externally controlled string | test.py:12 | test.py:12:22:12:28 | TAINTED |  |  -->  | Taint externally controlled string | test.py:13 | test.py:13:9:13:22 | tainted_string |  |
+| Taint externally controlled string | test.py:12 | test.py:12:22:12:28 | TAINTED |  |  -->  | Taint externally controlled string | test.py:14 | test.py:14:9:14:22 | tainted_string |  |
+| Taint externally controlled string | test.py:12 | test.py:12:22:12:28 | TAINTED |  |  -->  | Taint externally controlled string | test.py:15 | test.py:15:9:15:22 | tainted_string |  |
+| Taint externally controlled string | test.py:12 | test.py:12:22:12:28 | TAINTED |  |  -->  | Taint externally controlled string | test.py:16 | test.py:16:9:16:22 | tainted_string |  |
+| Taint externally controlled string | test.py:12 | test.py:12:22:12:28 | TAINTED |  |  -->  | Taint externally controlled string | test.py:17 | test.py:17:18:17:31 | tainted_string |  |
+| Taint externally controlled string | test.py:12 | test.py:12:22:12:28 | TAINTED |  |  -->  | Taint externally controlled string | test.py:18 | test.py:18:14:18:27 | tainted_string |  |
+| Taint externally controlled string | test.py:12 | test.py:12:22:12:28 | TAINTED |  |  -->  | Taint externally controlled string | test.py:19 | test.py:19:9:19:22 | tainted_string |  |
+| Taint externally controlled string | test.py:13 | test.py:13:9:13:22 | tainted_string |  |  -->  | Taint externally controlled string | test.py:13 | test.py:13:9:13:31 | Attribute() |  |
+| Taint externally controlled string | test.py:14 | test.py:14:9:14:22 | tainted_string |  |  -->  | Taint externally controlled string | test.py:14 | test.py:14:9:14:29 | Attribute() |  |
+| Taint externally controlled string | test.py:15 | test.py:15:9:15:22 | tainted_string |  |  -->  | Taint externally controlled string | test.py:15 | test.py:15:9:15:25 | Subscript |  |
+| Taint externally controlled string | test.py:16 | test.py:16:9:16:22 | tainted_string |  |  -->  | Taint externally controlled string | test.py:16 | test.py:16:9:16:27 | Subscript |  |
+| Taint externally controlled string | test.py:17 | test.py:17:18:17:31 | tainted_string |  |  -->  | Taint externally controlled string | test.py:17 | test.py:17:9:17:32 | reversed() |  |
+| Taint externally controlled string | test.py:18 | test.py:18:14:18:27 | tainted_string |  |  -->  | Taint externally controlled string | test.py:18 | test.py:18:9:18:28 | copy() |  |
+| Taint externally controlled string | test.py:19 | test.py:19:9:19:22 | tainted_string |  |  -->  | Taint externally controlled string | test.py:19 | test.py:19:9:19:30 | Attribute() |  |
+| Taint externally controlled string | test.py:22 | test.py:22:22:22:28 | TAINTED |  |  -->  | Taint externally controlled string | test.py:23 | test.py:23:8:23:21 | tainted_string |  |
+| Taint externally controlled string | test.py:22 | test.py:22:22:22:28 | TAINTED |  |  -->  | Taint externally controlled string | test.py:26 | test.py:26:23:26:36 | tainted_string |  |
+| Taint externally controlled string | test.py:29 | test.py:29:22:29:28 | TAINTED |  |  -->  | Taint externally controlled string | test.py:30 | test.py:30:8:30:21 | tainted_string |  |
+| Taint externally controlled string | test.py:29 | test.py:29:22:29:28 | TAINTED |  |  -->  | Taint externally controlled string | test.py:30 | test.py:30:34:30:47 | tainted_string |  |
+| Taint externally controlled string | test.py:29 | test.py:29:22:29:28 | TAINTED |  |  -->  | Taint externally controlled string | test.py:33 | test.py:33:23:33:36 | tainted_string |  |
+| Taint externally controlled string | test.py:36 | test.py:36:22:36:28 | TAINTED |  |  -->  | Taint externally controlled string | test.py:37 | test.py:37:13:37:26 | tainted_string |  |
+| Taint externally controlled string | test.py:36 | test.py:36:22:36:28 | TAINTED |  |  -->  | Taint externally controlled string | test.py:38 | test.py:38:15:38:28 | tainted_string |  |
+| Taint externally controlled string | test.py:36 | test.py:36:22:36:28 | TAINTED |  |  -->  | Taint externally controlled string | test.py:39 | test.py:39:15:39:28 | tainted_string |  |
+| Taint externally controlled string | test.py:37 | test.py:37:13:37:26 | tainted_string |  |  -->  | Taint externally controlled string | test.py:37 | test.py:37:9:37:27 | str() |  |
+| Taint externally controlled string | test.py:38 | test.py:38:15:38:28 | tainted_string |  |  -->  | Taint externally controlled string | test.py:38 | test.py:38:9:38:29 | bytes() |  |
+| Taint externally controlled string | test.py:39 | test.py:39:15:39:28 | tainted_string |  |  -->  | Taint externally controlled string | test.py:39 | test.py:39:9:39:46 | bytes() |  |
 | Taint json[externally controlled string] | test.py:6 | test.py:6:20:6:45 | Attribute() |  |  -->  | Taint json[externally controlled string] | test.py:7 | test.py:7:9:7:20 | tainted_json |  |
 | Taint json[externally controlled string] | test.py:7 | test.py:7:9:7:20 | tainted_json |  |  -->  | Taint externally controlled string | test.py:7 | test.py:7:9:7:25 | Subscript |  |
 | Taint json[externally controlled string] | test.py:7 | test.py:7:9:7:20 | tainted_json |  |  -->  | Taint json[externally controlled string] | test.py:7 | test.py:7:9:7:25 | Subscript |  |
@@ -44,9 +36,3 @@
 | Taint json[externally controlled string] | test.py:8 | test.py:8:9:8:18 | Attribute() |  |  -->  | Taint json[externally controlled string] | test.py:9 | test.py:9:9:9:9 | b |  |
 | Taint json[externally controlled string] | test.py:9 | test.py:9:9:9:9 | b |  |  -->  | Taint externally controlled string | test.py:9 | test.py:9:9:9:14 | Subscript |  |
 | Taint json[externally controlled string] | test.py:9 | test.py:9:9:9:9 | b |  |  -->  | Taint json[externally controlled string] | test.py:9 | test.py:9:9:9:14 | Subscript |  |
-| Taint {externally controlled string} | test.py:19 | test.py:19:20:19:31 | TAINTED_DICT |  |  -->  | Taint {externally controlled string} | test.py:20 | test.py:20:9:20:20 | tainted_dict |  |
-| Taint {externally controlled string} | test.py:19 | test.py:19:20:19:31 | TAINTED_DICT |  |  -->  | Taint {externally controlled string} | test.py:21 | test.py:21:9:21:20 | tainted_dict |  |
-| Taint {externally controlled string} | test.py:19 | test.py:19:20:19:31 | TAINTED_DICT |  |  -->  | Taint {externally controlled string} | test.py:22 | test.py:22:9:22:20 | tainted_dict |  |
-| Taint {externally controlled string} | test.py:20 | test.py:20:9:20:20 | tainted_dict |  |  -->  | Taint externally controlled string | test.py:20 | test.py:20:9:20:28 | Subscript |  |
-| Taint {externally controlled string} | test.py:21 | test.py:21:9:21:20 | tainted_dict |  |  -->  | Taint externally controlled string | test.py:21 | test.py:21:9:21:23 | Subscript |  |
-| Taint {externally controlled string} | test.py:22 | test.py:22:9:22:20 | tainted_dict |  |  -->  | Taint {externally controlled string} | test.py:22 | test.py:22:9:22:27 | Attribute() |  |

python/ql/test/library-tests/taint/strings/test.py

@@ -8,19 +8,6 @@ def test_json():
     b = a.get("y")
     c = b["z"]
 
-def test_list(x, y, z):
-    tainted_list = TAINTED_LIST
-    a = tainted_list[0]
-    b = tainted_list[x]
-    c = tainted_list[y:z]
-    d = tainted_list.copy()
-
-def test_dict(x):
-    tainted_dict = TAINTED_DICT
-    a = tainted_dict["name"]
-    b = tainted_dict[x]
-    c = tainted_dict.copy()
-
 def test_str():
     tainted_string = TAINTED
     a = tainted_string.ljust(8)