Python: Add modeling of idna PyPI package

python/change-notes/2021-05-10-idna-add-modeling.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Added modeling of the PyPI package `idna`, for encoding/decoding Internationalised Domain Names in Applications.

python/ql/src/semmle/python/Frameworks.qll

@@ -10,6 +10,7 @@ private import semmle.python.frameworks.Dill
 private import semmle.python.frameworks.Django
 private import semmle.python.frameworks.Fabric
 private import semmle.python.frameworks.Flask
+private import semmle.python.frameworks.Idna
 private import semmle.python.frameworks.Invoke
 private import semmle.python.frameworks.MysqlConnectorPython
 private import semmle.python.frameworks.MySQLdb

python/ql/src/semmle/python/frameworks/Idna.qll

@@ -0,0 +1,40 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `idna` PyPI package.
+ * See https://pypi.org/project/idna/.
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.dataflow.new.TaintTracking
+private import semmle.python.Concepts
+private import semmle.python.ApiGraphs
+
+/**
+ * Provides models for the `idna` PyPI package.
+ * See https://pypi.org/project/idna/.
+ */
+private module IdnaModel {
+  /** A call to `idna.encode`. */
+  private class IdnaEncodeCall extends Encoding::Range, DataFlow::CallCfgNode {
+    IdnaEncodeCall() { this = API::moduleImport("idna").getMember("encode").getACall() }
+
+    override DataFlow::Node getAnInput() { result = [this.getArg(0), this.getArgByName("s")] }
+
+    override DataFlow::Node getOutput() { result = this }
+
+    override string getFormat() { result = "IDNA" }
+  }
+
+  /** A call to `idna.decode`. */
+  private class IdnaDecodeCall extends Decoding::Range, DataFlow::CallCfgNode {
+    IdnaDecodeCall() { this = API::moduleImport("idna").getMember("decode").getACall() }
+
+    override DataFlow::Node getAnInput() { result = [this.getArg(0), this.getArgByName("s")] }
+
+    override DataFlow::Node getOutput() { result = this }
+
+    override string getFormat() { result = "IDNA" }
+
+    override predicate mayExecuteInput() { none() }
+  }
+}

python/ql/test/library-tests/frameworks/idna/ConceptsTest.ql

@@ -0,0 +1,2 @@
+import python
+import experimental.meta.ConceptsTest

python/ql/test/library-tests/frameworks/idna/InlineTaintTest.expected

@@ -0,0 +1,3 @@
+argumentToEnsureNotTaintedNotMarkedAsSpurious
+untaintedArgumentToEnsureTaintedNotMarkedAsMissing
+failures

python/ql/test/library-tests/frameworks/idna/InlineTaintTest.ql

@@ -0,0 +1 @@
+import experimental.meta.InlineTaintTest

python/ql/test/library-tests/frameworks/idna/taint_test.py

@@ -0,0 +1,13 @@
+import idna
+
+def test_idna():
+    ts = TAINTED_STRING
+    tb = TAINTED_BYTES
+
+    ensure_tainted(
+        idna.encode(ts),  # $ tainted encodeInput=ts encodeOutput=Attribute() encodeFormat=IDNA
+        idna.encode(s=ts),  # $ tainted encodeInput=ts encodeOutput=Attribute() encodeFormat=IDNA
+
+        idna.decode(tb),  # $ tainted decodeInput=tb decodeOutput=Attribute() decodeFormat=IDNA
+        idna.decode(s=tb),  # $ tainted decodeInput=tb decodeOutput=Attribute() decodeFormat=IDNA
+    )