Python: Model keyword args to json loads/dumps

2026-05-05 05:35:13 +02:00 · 2021-05-10 14:33:27 +02:00
parent 784e0cdb96
commit 63f28d7d9b
2 changed files with 4 additions and 4 deletions
--- a/python/ql/src/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/src/semmle/python/frameworks/Stdlib.qll
@@ -511,7 +511,7 @@ private module Stdlib {

    override predicate mayExecuteInput() { none() }

-    override DataFlow::Node getAnInput() { result.asCfgNode() = node.getArg(0) }
+    override DataFlow::Node getAnInput() { result in [this.getArg(0), this.getArgByName("s")] }

    override DataFlow::Node getOutput() { result = this }

@@ -525,7 +525,7 @@ private module Stdlib {
  private class JsonDumpsCall extends Encoding::Range, DataFlow::CallCfgNode {
    JsonDumpsCall() { this = json().getMember("dumps").getACall() }

-    override DataFlow::Node getAnInput() { result.asCfgNode() = node.getArg(0) }
+    override DataFlow::Node getAnInput() { result in [this.getArg(0), this.getArgByName("obj")] }

    override DataFlow::Node getOutput() { result = this }

--- a/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/test_json.py
+++ b/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/test_json.py
@@ -22,9 +22,9 @@ def test():
    ensure_tainted(
        encoded, # $ tainted
        json.dumps(ts), # $ tainted
-        json.dumps(obj=ts), # $ MISSING: tainted
+        json.dumps(obj=ts), # $ tainted
        json.loads(encoded), # $ tainted
-        json.loads(s=encoded), # $ MISSING: tainted
+        json.loads(s=encoded), # $ tainted
    )

    # load/dump with file-like