Python: Model stdin thread-model

2026-04-29 02:35:15 +02:00 · 2024-08-09 16:36:19 +02:00
parent e1801f3a29
commit 66f389a4b6
3 changed files with 18 additions and 4 deletions
--- a/python/ql/lib/semmle/python/frameworks/Stdlib.model.yml
+++ b/python/ql/lib/semmle/python/frameworks/Stdlib.model.yml
@@ -12,6 +12,9 @@ extensions:
      - ['sys', 'Member[argv]', 'commandargs']
      - ['sys', 'Member[orig_argv]', 'commandargs']

+      - ['sys', 'Member[stdin]', 'stdin']
+      - ['builtins', 'Member[input].ReturnValue', 'stdin']
+
      # if no argument is given, the default is to use sys.argv[1:]
      - ['argparse.ArgumentParser', 'Member[parse_args,parse_known_args].WithArity[0].ReturnValue', 'commandargs']
  - addsTo:
@@ -20,5 +23,3 @@ extensions:
    data:
      - ['argparse.ArgumentParser', 'Member[parse_args,parse_known_args]', 'Argument[0,args:]', 'ReturnValue', 'taint']
      # note: taint of attribute lookups is handled in QL
-
-      # TODO: input / read from stdin
--- a/python/ql/lib/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/lib/semmle/python/frameworks/Stdlib.qll
@@ -5009,6 +5009,19 @@ module StdlibPrivate {
      nodeTo.(DataFlow::AttrRead).getObject() = nodeFrom
    }
  }
+
+  // ---------------------------------------------------------------------------
+  // sys
+  // ---------------------------------------------------------------------------
+  /**
+   * An access of `sys.stdin`/`sys.stdout`/`sys.stderr`, to get additional FileLike
+   * modeling.
+   */
+  private class SysStandardStreams extends Stdlib::FileLikeObject::InstanceSource, DataFlow::Node {
+    SysStandardStreams() {
+      this = API::moduleImport("sys").getMember(["stdin", "stdout", "stderr"]).asSource()
+    }
+  }
 }

 // ---------------------------------------------------------------------------
--- a/python/ql/test/library-tests/frameworks/stdlib/threat_models.py
+++ b/python/ql/test/library-tests/frameworks/stdlib/threat_models.py
@@ -44,8 +44,8 @@ ensure_not_tainted(fake_args.foo) # $ SPURIOUS: tainted
 ########################################

 ensure_tainted(
-    sys.stdin.readline(), # $ MISSING: tainted threatModelSource
-    input(), # $ MISSING: tainted threatModelSource
+    sys.stdin.readline(), # $ tainted threatModelSource[stdin]=sys.stdin
+    input(), # $ tainted threatModelSource[stdin]=input()
 )

 ########################################