Merge pull request #13729 from yoff/python/model-aws-lambdas

Python/JavaScript: Shared module for serverless functions

python/ql/test/library-tests/frameworks/serverless/InlineTaintTest.expected

@@ -0,0 +1,4 @@
+failures
+argumentToEnsureNotTaintedNotMarkedAsSpurious
+untaintedArgumentToEnsureTaintedNotMarkedAsMissing
+testFailures

python/ql/test/library-tests/frameworks/serverless/InlineTaintTest.ql

@@ -0,0 +1,2 @@
+import experimental.meta.InlineTaintTest
+import MakeInlineTaintTest<TestTaintTrackingConfig>

python/ql/test/library-tests/frameworks/serverless/aws_lambda/function/extra_lambdas.py

@@ -0,0 +1,13 @@
+def handler1(event, context):
+    ensure_tainted(event) # $ tainted
+    return "Hello World!"
+
+def handler2(event, context):
+    ensure_tainted(event) # $ tainted
+    return "Hello World!"
+
+# This function is not mentioned in template.yml
+# and so it is not receiving user input.
+def non_handler(event, context):
+    ensure_not_tainted(event)
+    return "Hello World!"

python/ql/test/library-tests/frameworks/serverless/aws_lambda/function/lambda_function.py

@@ -0,0 +1,11 @@
+def lambda_handler(event, context):
+    ensure_tainted(
+        event, # $ tainted
+        # event is usually a dict, see https://docs.aws.amazon.com/lambda/latest/dg/python-handler.html
+        event["key"], # $ tainted
+        event["key"]["key2"], # $ tainted
+        event["key"][0], # $ tainted
+        # but can also be a list
+        event[0], # $ tainted
+    )
+    return "OK"

python/ql/test/library-tests/frameworks/serverless/aws_lambda/template.yml

@@ -0,0 +1,62 @@
+# inspired by https://github.com/awsdocs/aws-lambda-developer-guide/blob/main/sample-apps/blank-python/template.yml
+# but we have added extra handlers
+AWSTemplateFormatVersion: '2010-09-09'
+Transform: 'AWS::Serverless-2016-10-31'
+Description: An AWS Lambda application that calls the Lambda API.
+Resources:
+  function:
+    Type: AWS::Serverless::Function
+    Properties:
+      Handler: lambda_function.lambda_handler
+      Runtime: python3.8
+      CodeUri: function/.
+      Description: Call the AWS Lambda API
+      Timeout: 10
+      # Function's execution role
+      Policies:
+        - AWSLambdaBasicExecutionRole
+        - AWSLambda_ReadOnlyAccess
+        - AWSXrayWriteOnlyAccess
+      Tracing: Active
+      Layers:
+        - !Ref libs
+  function:
+    Type: AWS::Serverless::Function
+    Properties:
+      Handler: extra_lambdas.handler1
+      Runtime: python3.8
+      CodeUri: function/.
+      Description: Call the AWS Lambda API
+      Timeout: 10
+      # Function's execution role
+      Policies:
+        - AWSLambdaBasicExecutionRole
+        - AWSLambda_ReadOnlyAccess
+        - AWSXrayWriteOnlyAccess
+      Tracing: Active
+      Layers:
+        - !Ref libs
+  function:
+    Type: AWS::Serverless::Function
+    Properties:
+      Handler: extra_lambdas.handler2
+      Runtime: python3.8
+      CodeUri: function/.
+      Description: Call the AWS Lambda API
+      Timeout: 10
+      # Function's execution role
+      Policies:
+        - AWSLambdaBasicExecutionRole
+        - AWSLambda_ReadOnlyAccess
+        - AWSXrayWriteOnlyAccess
+      Tracing: Active
+      Layers:
+        - !Ref libs
+  libs:
+    Type: AWS::Serverless::LayerVersion
+    Properties:
+      LayerName: blank-python-lib
+      Description: Dependencies for the blank-python sample app.
+      ContentUri: package/.
+      CompatibleRuntimes:
+        - python3.8

python/ql/test/library-tests/frameworks/serverless/options

@@ -0,0 +1 @@
+semmle-extractor-options: -R .