Python: Annotate test file

Also add test of custom flow
2026-04-27 01:35:13 +02:00 · 2020-08-31 09:06:13 +02:00
parent 654c4f39ac
commit 5f3eda0a22
3 changed files with 54 additions and 24 deletions
--- a/python/ql/test/experimental/dataflow/regression/custom_dataflow.expected
+++ b/python/ql/test/experimental/dataflow/regression/custom_dataflow.expected
@@ -0,0 +1 @@
+| test.py:126:13:126:25 | ControlFlowNode for CUSTOM_SOURCE | test.py:130:21:130:21 | ControlFlowNode for t |
--- a/python/ql/test/experimental/dataflow/regression/custom_dataflow.ql
+++ b/python/ql/test/experimental/dataflow/regression/custom_dataflow.ql
@@ -0,0 +1,29 @@
+/**
+ * This query is meant to catch the flows from `CUSTOM_SOURCE` to `CUSTOM_SINK`.
+ *
+ * This should be compared to
+ * python/ql/test/library-tests/taint/dataflow/Dataflow.ql
+ * A first goal is to have identical results; after that we
+ * hope to remove the false positive.
+ */
+
+import experimental.dataflow.DataFlow
+
+class CustomTestConfiguration extends DataFlow::Configuration {
+  CustomTestConfiguration() { this = "CustomTestConfiguration" }
+
+  override predicate isSource(DataFlow::Node node) {
+    node.(DataFlow::CfgNode).getNode().(NameNode).getId() = "CUSTOM_SOURCE"
+  }
+
+  override predicate isSink(DataFlow::Node node) {
+    exists(CallNode call |
+      call.getFunction().(NameNode).getId() in ["CUSTOM_SINK", "CUSTOM_SINK_F"] and
+      node.(DataFlow::CfgNode).getNode() = call.getAnArg()
+    )
+  }
+}
+
+from DataFlow::Node source, DataFlow::Node sink
+where exists(CustomTestConfiguration cfg | cfg.hasFlow(source, sink))
+select source, sink
--- a/python/ql/test/experimental/dataflow/regression/test.py
+++ b/python/ql/test/experimental/dataflow/regression/test.py
@@ -30,7 +30,7 @@ def test6(cond):
    else:
        t = SOURCE
    if cond:
-        SINK(t)
+        SINK_F(t)

 def test7(cond):
    if cond:
@@ -50,7 +50,7 @@ def sink3(cond, arg):
    if cond:
        sink(arg)

-def test8(cond):
+def test8(cond):  # This flow is shadowed by previous tests, perhaps do a path query
    t = source2()
    sink2(t)

@@ -80,21 +80,21 @@ def test11():
 def test12():
    t = "safe"
    t = hub(t)
-    SINK(t)
+    SINK_F(t)

 import module

 def test13():
    t = module.dangerous
-    SINK(t)
+    SINK(t)  # Flow not found

 def test14():
    t = module.safe
-    SINK(t)
+    SINK_F(t)

 def test15():
    t = module.safe2
-    SINK(t)
+    SINK_F(t)

 def test16():
    t = module.dangerous_func()
@@ -108,13 +108,13 @@ def x_sink(arg):
 def test17():
    t = C()
    t.x = module.dangerous
-    SINK(t.x)
+    SINK(t.x)  # Flow not found

 def test18():
    t = C()
    t.x = module.dangerous
    t = hub(t)
-    x_sink(t)
+    x_sink(t)  # Flow not found

 def test19():
    t = CUSTOM_SOURCE
@@ -137,23 +137,23 @@ def test21(cond):
    else:
        t = SOURCE
    if not cond:
-        CUSTOM_SINK(t)
+        CUSTOM_SINK_F(t)
    else:
-        SINK(t)
+        SINK_F(t)

 def test22(cond):
    if cond:
        t = CUSTOM_SOURCE
    else:
        t = SOURCE
-    t = TAINT_FROM_ARG(t)
+    t = TAINT_FROM_ARG(t)  # Blocks data flow
    if cond:
        CUSTOM_SINK(t)
    else:
        SINK(t)

 from module import dangerous as unsafe
-SINK(unsafe)
+SINK(unsafe)  # Flow not found

 def test23():
    with SOURCE as t:
@@ -161,16 +161,16 @@ def test23():

 def test24():
    s = SOURCE
-    SANITIZE(s)
-    SINK(s)
+    SANITIZE(s)  # Does not block data flow
+    SINK_F(s)

 def test_update_extend(x, y):
    l = [SOURCE]
    d = {"key" : SOURCE}
    x.extend(l)
    y.update(d)
-    SINK(x[0])
-    SINK(y["key"])
+    SINK(x[0])  # Flow not found
+    SINK(y["key"])  # Flow not found
    l2 = list(l)
    d2 = dict(d)

@@ -179,9 +179,9 @@ def test_truth():
    if t:
        SINK(t)
    else:
-        SINK(t)
+        SINK_F(t)  # False positive
    if not t:
-        SINK(t)
+        SINK_F(t)  # False positive
    else:
        SINK(t)

@@ -194,12 +194,12 @@ def test_early_exit():
 def flow_through_type_test_if_no_class():
    t = SOURCE
    if isinstance(t, str):
-        SINK(t)
+        SINK(t)  # Flows's both here..
    else:
-        SINK(t)
+        SINK(t)  # ..and here

 def flow_in_iteration():
-    t = ITERABLE_SOURCE
+    t = ITERABLE_SOURCE  # Seems to not be sunk anywhere
    for i in t:
        i
    return i
@@ -211,19 +211,19 @@ def flow_in_generator():

 def flow_from_generator():
    for x in flow_in_generator():
-        SINK(x)
+        SINK(x)  # Flow not found

 def const_eq_clears_taint():
    tainted = SOURCE
    if tainted == "safe":
-        SINK(tainted) # safe
+        SINK(tainted) # safe  # FP
    SINK(tainted) # unsafe

 def const_eq_clears_taint2():
    tainted = SOURCE
    if tainted != "safe":
        return
-    SINK(tainted) # safe
+    SINK(tainted) # safe  # FP

 def non_const_eq_preserves_taint(x):
    tainted = SOURCE
				`@@ -0,0 +1 @@`
				`\| test.py:126:13:126:25 \| ControlFlowNode for CUSTOM_SOURCE \| test.py:130:21:130:21 \| ControlFlowNode for t \|`