Python: Model json load/dump

2026-04-29 10:45:15 +02:00 · 2021-05-10 14:35:33 +02:00
parent 63f28d7d9b
commit 72d08f4d6e
2 changed files with 38 additions and 4 deletions
--- a/python/ql/src/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/src/semmle/python/frameworks/Stdlib.qll
@@ -518,6 +518,22 @@ private module Stdlib {
    override string getFormat() { result = "JSON" }
  }

+  /**
+   * A call to `json.load`
+   * See https://docs.python.org/3/library/json.html#json.load
+   */
+  private class JsonLoadCall extends Decoding::Range, DataFlow::CallCfgNode {
+    JsonLoadCall() { this = json().getMember("load").getACall() }
+
+    override predicate mayExecuteInput() { none() }
+
+    override DataFlow::Node getAnInput() { result in [this.getArg(0), this.getArgByName("fp")] }
+
+    override DataFlow::Node getOutput() { result = this }
+
+    override string getFormat() { result = "JSON" }
+  }
+
  /**
   * A call to `json.dumps`
   * See https://docs.python.org/3/library/json.html#json.dumps
@@ -532,6 +548,24 @@ private module Stdlib {
    override string getFormat() { result = "JSON" }
  }

+  /**
+   * A call to `json.dump`
+   * See https://docs.python.org/3/library/json.html#json.dump
+   */
+  private class JsonDumpCall extends Encoding::Range, DataFlow::CallCfgNode {
+    JsonDumpCall() { this = json().getMember("dump").getACall() }
+
+    override DataFlow::Node getAnInput() { result in [this.getArg(0), this.getArgByName("obj")] }
+
+    override DataFlow::Node getOutput() {
+      result.(DataFlow::PostUpdateNode).getPreUpdateNode() in [
+          this.getArg(1), this.getArgByName("fp")
+        ]
+    }
+
+    override string getFormat() { result = "JSON" }
+  }
+
  // ---------------------------------------------------------------------------
  // cgi
  // ---------------------------------------------------------------------------
--- a/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/test_json.py
+++ b/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/test_json.py
@@ -33,8 +33,8 @@ def test():

    tainted_filelike.seek(0)
    ensure_tainted(
-        tainted_filelike, # $ MISSING: tainted
-        json.load(tainted_filelike), # $ MISSING: tainted
+        tainted_filelike, # $ tainted
+        json.load(tainted_filelike), # $ tainted
    )

    # load/dump with file-like using keyword-args
@@ -43,8 +43,8 @@ def test():

    tainted_filelike.seek(0)
    ensure_tainted(
-        tainted_filelike, # $ MISSING: tainted
-        json.load(fp=tainted_filelike), # $ MISSING: tainted
+        tainted_filelike, # $ tainted
+        json.load(fp=tainted_filelike), # $ tainted
    )