mirror of
https://github.com/github/codeql.git
synced 2026-05-01 03:35:13 +02:00
Merge pull request #2875 from RasmusWL/python-taint-urlsplit
Python: Add taint for urlsplit
This commit is contained in:
Taus
@@ -0,0 +1,7 @@
|
||||
| UrlsplitUrlparseTempSanitizer | [externally controlled string] | test.py:21 | Pi(urlsplit_res_0) [true] |
|
||||
| UrlsplitUrlparseTempSanitizer | [externally controlled string] | test.py:24 | Pi(urlsplit_res_3) [true] |
|
||||
| UrlsplitUrlparseTempSanitizer | [externally controlled string] | test.py:27 | Pi(urlsplit_res_6) [true] |
|
||||
| UrlsplitUrlparseTempSanitizer | [externally controlled string] | test.py:30 | Pi(urlsplit_res_9) [true] |
|
||||
| string equality sanitizer | externally controlled string | test.py:21 | Pi(urlsplit_res_0) [true] |
|
||||
| string equality sanitizer | externally controlled string | test.py:24 | Pi(urlsplit_res_3) [true] |
|
||||
| string equality sanitizer | externally controlled string | test.py:27 | Pi(urlsplit_res_6) [true] |
|
||||
@@ -0,0 +1,6 @@
|
||||
import python
|
||||
import Taint
|
||||
|
||||
from Sanitizer s, TaintKind taint, PyEdgeRefinement test
|
||||
where s.sanitizingEdge(taint, test)
|
||||
select s, taint, test.getTest().getLocation().toString(), test.getRepresentation()
|
||||
47
python/ql/test/library-tests/taint/namedtuple/Taint.qll
Normal file
47
python/ql/test/library-tests/taint/namedtuple/Taint.qll
Normal file
@@ -0,0 +1,47 @@
|
||||
import python
|
||||
import semmle.python.security.TaintTracking
|
||||
import semmle.python.security.strings.Untrusted
|
||||
|
||||
class SimpleSource extends TaintSource {
|
||||
SimpleSource() { this.(NameNode).getId() = "TAINTED_STRING" }
|
||||
|
||||
override predicate isSourceOf(TaintKind kind) { kind instanceof ExternalStringKind }
|
||||
|
||||
override string toString() { result = "taint source" }
|
||||
}
|
||||
|
||||
class ListSource extends TaintSource {
|
||||
ListSource() { this.(NameNode).getId() = "TAINTED_LIST" }
|
||||
|
||||
override predicate isSourceOf(TaintKind kind) { kind instanceof ExternalStringSequenceKind }
|
||||
|
||||
override string toString() { result = "list taint source" }
|
||||
}
|
||||
|
||||
class DictSource extends TaintSource {
|
||||
DictSource() { this.(NameNode).getId() = "TAINTED_DICT" }
|
||||
|
||||
override predicate isSourceOf(TaintKind kind) { kind instanceof ExternalStringDictKind }
|
||||
|
||||
override string toString() { result = "dict taint source" }
|
||||
}
|
||||
|
||||
class TestConfig extends TaintTracking::Configuration {
|
||||
TestConfig() { this = "TestConfig" }
|
||||
|
||||
override predicate isSanitizer(Sanitizer sanitizer) {
|
||||
sanitizer instanceof UrlsplitUrlparseTempSanitizer
|
||||
}
|
||||
|
||||
override predicate isSource(TaintTracking::Source source) {
|
||||
source instanceof SimpleSource
|
||||
or
|
||||
source instanceof ListSource
|
||||
or
|
||||
source instanceof DictSource
|
||||
}
|
||||
|
||||
override predicate isSink(TaintTracking::Sink sink) {
|
||||
none()
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,15 @@
|
||||
| test.py:13 | test_basic | a | externally controlled string |
|
||||
| test.py:13 | test_basic | b | externally controlled string |
|
||||
| test.py:13 | test_basic | c | externally controlled string |
|
||||
| test.py:13 | test_basic | d | externally controlled string |
|
||||
| test.py:13 | test_basic | urlsplit_res | [externally controlled string] |
|
||||
| test.py:19 | test_sanitizer | Attribute | externally controlled string |
|
||||
| test.py:22 | test_sanitizer | Attribute | NO TAINT |
|
||||
| test.py:25 | test_sanitizer | Subscript | NO TAINT |
|
||||
| test.py:28 | test_sanitizer | Attribute | NO TAINT |
|
||||
| test.py:31 | test_sanitizer | Attribute | NO TAINT |
|
||||
| test.py:34 | test_sanitizer | Attribute | externally controlled string |
|
||||
| test.py:44 | test_namedtuple | a | NO TAINT |
|
||||
| test.py:44 | test_namedtuple | b | NO TAINT |
|
||||
| test.py:44 | test_namedtuple | c | NO TAINT |
|
||||
| test.py:44 | test_namedtuple | d | NO TAINT |
|
||||
18
python/ql/test/library-tests/taint/namedtuple/TestTaint.ql
Normal file
18
python/ql/test/library-tests/taint/namedtuple/TestTaint.ql
Normal file
@@ -0,0 +1,18 @@
|
||||
import python
|
||||
import semmle.python.security.TaintTracking
|
||||
import Taint
|
||||
|
||||
from Call call, Expr arg, string taint_string
|
||||
where
|
||||
call.getLocation().getFile().getShortName() = "test.py" and
|
||||
call.getFunc().(Name).getId() = "test" and
|
||||
arg = call.getAnArg() and
|
||||
(
|
||||
not exists(TaintedNode tainted | tainted.getAstNode() = arg) and
|
||||
taint_string = "NO TAINT"
|
||||
or
|
||||
exists(TaintedNode tainted | tainted.getAstNode() = arg |
|
||||
taint_string = tainted.getTaintKind().toString()
|
||||
)
|
||||
)
|
||||
select arg.getLocation().toString(), call.getScope().(Function).getName(), arg.toString(), taint_string
|
||||
44
python/ql/test/library-tests/taint/namedtuple/test.py
Normal file
44
python/ql/test/library-tests/taint/namedtuple/test.py
Normal file
@@ -0,0 +1,44 @@
|
||||
from six.moves.urllib.parse import urlsplit
|
||||
|
||||
# Currently we don't have support for namedtuples in general, but do have special support
|
||||
# for `urlsplit` (and `urlparse`)
|
||||
|
||||
def test_basic():
|
||||
tainted_string = TAINTED_STRING
|
||||
urlsplit_res = urlsplit(tainted_string)
|
||||
a = urlsplit_res.netloc # field access
|
||||
b = urlsplit_res.hostname # property
|
||||
c = urlsplit_res[3] # indexing
|
||||
_, _, d, _, _ = urlsplit(tainted_string) # unpacking
|
||||
test(a, b, c, d, urlsplit_res)
|
||||
|
||||
def test_sanitizer():
|
||||
tainted_string = TAINTED_STRING
|
||||
urlsplit_res = urlsplit(tainted_string)
|
||||
|
||||
test(urlsplit_res.netloc) # should be tainted
|
||||
|
||||
if urlsplit_res.netloc == "OK":
|
||||
test(urlsplit_res.netloc)
|
||||
|
||||
if urlsplit_res[2] == "OK":
|
||||
test(urlsplit_res[0])
|
||||
|
||||
if urlsplit_res.netloc == "OK":
|
||||
test(urlsplit_res.path) # FN
|
||||
|
||||
if urlsplit_res.netloc in ["OK"]:
|
||||
test(urlsplit_res.netloc)
|
||||
|
||||
if urlsplit_res.netloc in ["OK", non_constant()]:
|
||||
test(urlsplit_res.netloc) # should be tainted
|
||||
|
||||
def test_namedtuple():
|
||||
tainted_string = TAINTED_STRING
|
||||
Point = namedtuple('Point', ['x', 'y'])
|
||||
p = Point('safe', tainted_string)
|
||||
a = p.x
|
||||
b = p.y
|
||||
c = p[0]
|
||||
d = p[1]
|
||||
test(a, b, c, d) # TODO: FN, at least p.y and p[1] should be tainted
|
||||
@@ -1,16 +0,0 @@
|
||||
| Taint exception.info | test.py:41 | test.py:41:22:41:26 | taint | p1 = exception.info |
|
||||
| Taint exception.info | test.py:42 | test.py:42:12:42:22 | func() | p1 = exception.info |
|
||||
| Taint exception.info | test.py:42 | test.py:42:17:42:21 | taint | p1 = exception.info |
|
||||
| Taint exception.info | test.py:45 | test.py:45:12:45:33 | TAINTED_EXCEPTION_INFO | |
|
||||
| Taint exception.info | test.py:46 | test.py:46:11:46:41 | cross_over() | |
|
||||
| Taint exception.info | test.py:46 | test.py:46:37:46:40 | info | |
|
||||
| Taint exception.info | test.py:48 | test.py:48:19:48:21 | arg | p0 = exception.info |
|
||||
| Taint exception.info | test.py:49 | test.py:49:12:49:14 | arg | p0 = exception.info |
|
||||
| Taint externally controlled string | test.py:41 | test.py:41:22:41:26 | taint | p1 = externally controlled string |
|
||||
| Taint externally controlled string | test.py:42 | test.py:42:12:42:22 | func() | p1 = externally controlled string |
|
||||
| Taint externally controlled string | test.py:42 | test.py:42:17:42:21 | taint | p1 = externally controlled string |
|
||||
| Taint externally controlled string | test.py:48 | test.py:48:19:48:21 | arg | p0 = externally controlled string |
|
||||
| Taint externally controlled string | test.py:49 | test.py:49:12:49:14 | arg | p0 = externally controlled string |
|
||||
| Taint externally controlled string | test.py:52 | test.py:52:11:52:33 | TAINTED_EXTERNAL_STRING | |
|
||||
| Taint externally controlled string | test.py:53 | test.py:53:11:53:41 | cross_over() | |
|
||||
| Taint externally controlled string | test.py:53 | test.py:53:38:53:40 | ext | |
|
||||
@@ -1,37 +0,0 @@
|
||||
import python
|
||||
import semmle.python.security.TaintTracking
|
||||
|
||||
import semmle.python.security.Exceptions
|
||||
import semmle.python.security.strings.Untrusted
|
||||
|
||||
|
||||
class ExceptionInfoSource extends TaintSource {
|
||||
|
||||
ExceptionInfoSource() { this.(NameNode).getId() = "TAINTED_EXCEPTION_INFO" }
|
||||
|
||||
override predicate isSourceOf(TaintKind kind) {
|
||||
kind instanceof ExceptionInfo
|
||||
}
|
||||
|
||||
override string toString() {
|
||||
result = "Exception info source"
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
class ExternalStringSource extends TaintSource {
|
||||
|
||||
ExternalStringSource() { this.(NameNode).getId() = "TAINTED_EXTERNAL_STRING" }
|
||||
|
||||
override predicate isSourceOf(TaintKind kind) {
|
||||
kind instanceof ExternalStringKind
|
||||
}
|
||||
|
||||
override string toString() {
|
||||
result = "Untrusted string source"
|
||||
}
|
||||
|
||||
}
|
||||
from TaintedNode n
|
||||
where n.getLocation().getFile().getShortName() = "test.py"
|
||||
select "Taint " + n.getTaintKind(), n.getLocation().toString(), n.getAstNode(), n.getContext()
|
||||
@@ -1,11 +1,12 @@
|
||||
import python
|
||||
import semmle.python.security.TaintTracking
|
||||
import semmle.python.security.strings.Untrusted
|
||||
import semmle.python.security.Exceptions
|
||||
|
||||
|
||||
class SimpleSource extends TaintSource {
|
||||
|
||||
SimpleSource() { this.(NameNode).getId() = "TAINTED" }
|
||||
SimpleSource() { this.(NameNode).getId() = "TAINTED_STRING" }
|
||||
|
||||
override predicate isSourceOf(TaintKind kind) {
|
||||
kind instanceof ExternalStringKind
|
||||
@@ -46,3 +47,16 @@ class DictSource extends TaintSource {
|
||||
}
|
||||
|
||||
|
||||
class ExceptionInfoSource extends TaintSource {
|
||||
|
||||
ExceptionInfoSource() { this.(NameNode).getId() = "TAINTED_EXCEPTION_INFO" }
|
||||
|
||||
override predicate isSourceOf(TaintKind kind) {
|
||||
kind instanceof ExceptionInfo
|
||||
}
|
||||
|
||||
override string toString() {
|
||||
result = "Exception info source"
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@@ -1,43 +0,0 @@
|
||||
| Taint externally controlled string | test.py:5 | test.py:5:22:5:28 | TAINTED | |
|
||||
| Taint externally controlled string | test.py:6 | test.py:6:31:6:44 | tainted_string | |
|
||||
| Taint externally controlled string | test.py:7 | test.py:7:9:7:25 | Subscript | |
|
||||
| Taint externally controlled string | test.py:8 | test.py:8:9:8:9 | a | |
|
||||
| Taint externally controlled string | test.py:8 | test.py:8:9:8:18 | Attribute() | |
|
||||
| Taint externally controlled string | test.py:9 | test.py:9:9:9:9 | b | |
|
||||
| Taint externally controlled string | test.py:9 | test.py:9:9:9:14 | Subscript | |
|
||||
| Taint externally controlled string | test.py:12 | test.py:12:22:12:28 | TAINTED | |
|
||||
| Taint externally controlled string | test.py:13 | test.py:13:9:13:22 | tainted_string | |
|
||||
| Taint externally controlled string | test.py:13 | test.py:13:9:13:31 | Attribute() | |
|
||||
| Taint externally controlled string | test.py:14 | test.py:14:9:14:22 | tainted_string | |
|
||||
| Taint externally controlled string | test.py:14 | test.py:14:9:14:29 | Attribute() | |
|
||||
| Taint externally controlled string | test.py:15 | test.py:15:9:15:22 | tainted_string | |
|
||||
| Taint externally controlled string | test.py:15 | test.py:15:9:15:25 | Subscript | |
|
||||
| Taint externally controlled string | test.py:16 | test.py:16:9:16:22 | tainted_string | |
|
||||
| Taint externally controlled string | test.py:16 | test.py:16:9:16:27 | Subscript | |
|
||||
| Taint externally controlled string | test.py:17 | test.py:17:9:17:32 | reversed() | |
|
||||
| Taint externally controlled string | test.py:17 | test.py:17:18:17:31 | tainted_string | |
|
||||
| Taint externally controlled string | test.py:18 | test.py:18:9:18:28 | copy() | |
|
||||
| Taint externally controlled string | test.py:18 | test.py:18:14:18:27 | tainted_string | |
|
||||
| Taint externally controlled string | test.py:19 | test.py:19:9:19:22 | tainted_string | |
|
||||
| Taint externally controlled string | test.py:19 | test.py:19:9:19:30 | Attribute() | |
|
||||
| Taint externally controlled string | test.py:22 | test.py:22:22:22:28 | TAINTED | |
|
||||
| Taint externally controlled string | test.py:23 | test.py:23:8:23:21 | tainted_string | |
|
||||
| Taint externally controlled string | test.py:26 | test.py:26:23:26:36 | tainted_string | |
|
||||
| Taint externally controlled string | test.py:29 | test.py:29:22:29:28 | TAINTED | |
|
||||
| Taint externally controlled string | test.py:30 | test.py:30:8:30:21 | tainted_string | |
|
||||
| Taint externally controlled string | test.py:30 | test.py:30:34:30:47 | tainted_string | |
|
||||
| Taint externally controlled string | test.py:33 | test.py:33:23:33:36 | tainted_string | |
|
||||
| Taint externally controlled string | test.py:36 | test.py:36:22:36:28 | TAINTED | |
|
||||
| Taint externally controlled string | test.py:37 | test.py:37:9:37:27 | str() | |
|
||||
| Taint externally controlled string | test.py:37 | test.py:37:13:37:26 | tainted_string | |
|
||||
| Taint externally controlled string | test.py:38 | test.py:38:9:38:29 | bytes() | |
|
||||
| Taint externally controlled string | test.py:38 | test.py:38:15:38:28 | tainted_string | |
|
||||
| Taint externally controlled string | test.py:39 | test.py:39:9:39:46 | bytes() | |
|
||||
| Taint externally controlled string | test.py:39 | test.py:39:15:39:28 | tainted_string | |
|
||||
| Taint json[externally controlled string] | test.py:6 | test.py:6:20:6:45 | Attribute() | |
|
||||
| Taint json[externally controlled string] | test.py:7 | test.py:7:9:7:20 | tainted_json | |
|
||||
| Taint json[externally controlled string] | test.py:7 | test.py:7:9:7:25 | Subscript | |
|
||||
| Taint json[externally controlled string] | test.py:8 | test.py:8:9:8:9 | a | |
|
||||
| Taint json[externally controlled string] | test.py:8 | test.py:8:9:8:18 | Attribute() | |
|
||||
| Taint json[externally controlled string] | test.py:9 | test.py:9:9:9:9 | b | |
|
||||
| Taint json[externally controlled string] | test.py:9 | test.py:9:9:9:14 | Subscript | |
|
||||
@@ -1,8 +0,0 @@
|
||||
import python
|
||||
import semmle.python.security.TaintTracking
|
||||
import Taint
|
||||
|
||||
|
||||
from TaintedNode n
|
||||
where n.getLocation().getFile().getShortName() = "test.py"
|
||||
select "Taint " + n.getTaintKind(), n.getLocation().toString(), n.getCfgNode().getNode(), n.getContext()
|
||||
@@ -1,38 +1,76 @@
|
||||
| Taint externally controlled string | test.py:5 | test.py:5:22:5:28 | TAINTED | | --> | Taint externally controlled string | test.py:6 | test.py:6:31:6:44 | tainted_string | |
|
||||
| Taint [externally controlled string] | test.py:67 | test.py:67:20:67:43 | urlsplit() | | --> | Taint [externally controlled string] | test.py:69 | test.py:69:10:69:21 | urlsplit_res | |
|
||||
| Taint [externally controlled string] | test.py:68 | test.py:68:20:68:43 | urlparse() | | --> | Taint [externally controlled string] | test.py:69 | test.py:69:24:69:35 | urlparse_res | |
|
||||
| Taint exception.info | test.py:44 | test.py:44:22:44:26 | taint | p1 = exception.info | --> | Taint exception.info | test.py:45 | test.py:45:17:45:21 | taint | p1 = exception.info |
|
||||
| Taint exception.info | test.py:45 | test.py:45:17:45:21 | taint | p1 = exception.info | --> | Taint exception.info | test.py:45 | test.py:45:12:45:22 | func() | p1 = exception.info |
|
||||
| Taint exception.info | test.py:45 | test.py:45:17:45:21 | taint | p1 = exception.info | --> | Taint exception.info | test.py:52 | test.py:52:19:52:21 | arg | p0 = exception.info |
|
||||
| Taint exception.info | test.py:48 | test.py:48:12:48:33 | TAINTED_EXCEPTION_INFO | | --> | Taint exception.info | test.py:49 | test.py:49:37:49:40 | info | |
|
||||
| Taint exception.info | test.py:49 | test.py:49:11:49:41 | cross_over() | | --> | Taint exception.info | test.py:50 | test.py:50:10:50:12 | res | |
|
||||
| Taint exception.info | test.py:49 | test.py:49:37:49:40 | info | | --> | Taint exception.info | test.py:44 | test.py:44:22:44:26 | taint | p1 = exception.info |
|
||||
| Taint exception.info | test.py:49 | test.py:49:37:49:40 | info | | --> | Taint exception.info | test.py:49 | test.py:49:11:49:41 | cross_over() | |
|
||||
| Taint exception.info | test.py:52 | test.py:52:19:52:21 | arg | p0 = exception.info | --> | Taint exception.info | test.py:53 | test.py:53:12:53:14 | arg | p0 = exception.info |
|
||||
| Taint externally controlled string | test.py:5 | test.py:5:22:5:35 | TAINTED_STRING | | --> | Taint externally controlled string | test.py:6 | test.py:6:31:6:44 | tainted_string | |
|
||||
| Taint externally controlled string | test.py:6 | test.py:6:31:6:44 | tainted_string | | --> | Taint json[externally controlled string] | test.py:6 | test.py:6:20:6:45 | Attribute() | |
|
||||
| Taint externally controlled string | test.py:7 | test.py:7:9:7:25 | Subscript | | --> | Taint externally controlled string | test.py:8 | test.py:8:9:8:9 | a | |
|
||||
| Taint externally controlled string | test.py:7 | test.py:7:9:7:25 | Subscript | | --> | Taint externally controlled string | test.py:10 | test.py:10:10:10:10 | a | |
|
||||
| Taint externally controlled string | test.py:8 | test.py:8:9:8:18 | Attribute() | | --> | Taint externally controlled string | test.py:9 | test.py:9:9:9:9 | b | |
|
||||
| Taint externally controlled string | test.py:12 | test.py:12:22:12:28 | TAINTED | | --> | Taint externally controlled string | test.py:13 | test.py:13:9:13:22 | tainted_string | |
|
||||
| Taint externally controlled string | test.py:12 | test.py:12:22:12:28 | TAINTED | | --> | Taint externally controlled string | test.py:14 | test.py:14:9:14:22 | tainted_string | |
|
||||
| Taint externally controlled string | test.py:12 | test.py:12:22:12:28 | TAINTED | | --> | Taint externally controlled string | test.py:15 | test.py:15:9:15:22 | tainted_string | |
|
||||
| Taint externally controlled string | test.py:12 | test.py:12:22:12:28 | TAINTED | | --> | Taint externally controlled string | test.py:16 | test.py:16:9:16:22 | tainted_string | |
|
||||
| Taint externally controlled string | test.py:12 | test.py:12:22:12:28 | TAINTED | | --> | Taint externally controlled string | test.py:17 | test.py:17:18:17:31 | tainted_string | |
|
||||
| Taint externally controlled string | test.py:12 | test.py:12:22:12:28 | TAINTED | | --> | Taint externally controlled string | test.py:18 | test.py:18:14:18:27 | tainted_string | |
|
||||
| Taint externally controlled string | test.py:12 | test.py:12:22:12:28 | TAINTED | | --> | Taint externally controlled string | test.py:19 | test.py:19:9:19:22 | tainted_string | |
|
||||
| Taint externally controlled string | test.py:13 | test.py:13:9:13:22 | tainted_string | | --> | Taint externally controlled string | test.py:13 | test.py:13:9:13:31 | Attribute() | |
|
||||
| Taint externally controlled string | test.py:14 | test.py:14:9:14:22 | tainted_string | | --> | Taint externally controlled string | test.py:14 | test.py:14:9:14:29 | Attribute() | |
|
||||
| Taint externally controlled string | test.py:15 | test.py:15:9:15:22 | tainted_string | | --> | Taint externally controlled string | test.py:15 | test.py:15:9:15:25 | Subscript | |
|
||||
| Taint externally controlled string | test.py:16 | test.py:16:9:16:22 | tainted_string | | --> | Taint externally controlled string | test.py:16 | test.py:16:9:16:27 | Subscript | |
|
||||
| Taint externally controlled string | test.py:17 | test.py:17:18:17:31 | tainted_string | | --> | Taint externally controlled string | test.py:17 | test.py:17:9:17:32 | reversed() | |
|
||||
| Taint externally controlled string | test.py:18 | test.py:18:14:18:27 | tainted_string | | --> | Taint externally controlled string | test.py:18 | test.py:18:9:18:28 | copy() | |
|
||||
| Taint externally controlled string | test.py:19 | test.py:19:9:19:22 | tainted_string | | --> | Taint externally controlled string | test.py:19 | test.py:19:9:19:30 | Attribute() | |
|
||||
| Taint externally controlled string | test.py:22 | test.py:22:22:22:28 | TAINTED | | --> | Taint externally controlled string | test.py:23 | test.py:23:8:23:21 | tainted_string | |
|
||||
| Taint externally controlled string | test.py:22 | test.py:22:22:22:28 | TAINTED | | --> | Taint externally controlled string | test.py:26 | test.py:26:23:26:36 | tainted_string | |
|
||||
| Taint externally controlled string | test.py:29 | test.py:29:22:29:28 | TAINTED | | --> | Taint externally controlled string | test.py:30 | test.py:30:8:30:21 | tainted_string | |
|
||||
| Taint externally controlled string | test.py:29 | test.py:29:22:29:28 | TAINTED | | --> | Taint externally controlled string | test.py:30 | test.py:30:34:30:47 | tainted_string | |
|
||||
| Taint externally controlled string | test.py:29 | test.py:29:22:29:28 | TAINTED | | --> | Taint externally controlled string | test.py:33 | test.py:33:23:33:36 | tainted_string | |
|
||||
| Taint externally controlled string | test.py:36 | test.py:36:22:36:28 | TAINTED | | --> | Taint externally controlled string | test.py:37 | test.py:37:13:37:26 | tainted_string | |
|
||||
| Taint externally controlled string | test.py:36 | test.py:36:22:36:28 | TAINTED | | --> | Taint externally controlled string | test.py:38 | test.py:38:15:38:28 | tainted_string | |
|
||||
| Taint externally controlled string | test.py:36 | test.py:36:22:36:28 | TAINTED | | --> | Taint externally controlled string | test.py:39 | test.py:39:15:39:28 | tainted_string | |
|
||||
| Taint externally controlled string | test.py:37 | test.py:37:13:37:26 | tainted_string | | --> | Taint externally controlled string | test.py:37 | test.py:37:9:37:27 | str() | |
|
||||
| Taint externally controlled string | test.py:38 | test.py:38:15:38:28 | tainted_string | | --> | Taint externally controlled string | test.py:38 | test.py:38:9:38:29 | bytes() | |
|
||||
| Taint externally controlled string | test.py:39 | test.py:39:15:39:28 | tainted_string | | --> | Taint externally controlled string | test.py:39 | test.py:39:9:39:46 | bytes() | |
|
||||
| Taint externally controlled string | test.py:8 | test.py:8:9:8:18 | Attribute() | | --> | Taint externally controlled string | test.py:10 | test.py:10:13:10:13 | b | |
|
||||
| Taint externally controlled string | test.py:9 | test.py:9:9:9:14 | Subscript | | --> | Taint externally controlled string | test.py:10 | test.py:10:16:10:16 | c | |
|
||||
| Taint externally controlled string | test.py:13 | test.py:13:22:13:35 | TAINTED_STRING | | --> | Taint externally controlled string | test.py:14 | test.py:14:9:14:22 | tainted_string | |
|
||||
| Taint externally controlled string | test.py:13 | test.py:13:22:13:35 | TAINTED_STRING | | --> | Taint externally controlled string | test.py:15 | test.py:15:9:15:22 | tainted_string | |
|
||||
| Taint externally controlled string | test.py:13 | test.py:13:22:13:35 | TAINTED_STRING | | --> | Taint externally controlled string | test.py:16 | test.py:16:9:16:22 | tainted_string | |
|
||||
| Taint externally controlled string | test.py:13 | test.py:13:22:13:35 | TAINTED_STRING | | --> | Taint externally controlled string | test.py:17 | test.py:17:9:17:22 | tainted_string | |
|
||||
| Taint externally controlled string | test.py:13 | test.py:13:22:13:35 | TAINTED_STRING | | --> | Taint externally controlled string | test.py:18 | test.py:18:18:18:31 | tainted_string | |
|
||||
| Taint externally controlled string | test.py:13 | test.py:13:22:13:35 | TAINTED_STRING | | --> | Taint externally controlled string | test.py:19 | test.py:19:14:19:27 | tainted_string | |
|
||||
| Taint externally controlled string | test.py:13 | test.py:13:22:13:35 | TAINTED_STRING | | --> | Taint externally controlled string | test.py:20 | test.py:20:9:20:22 | tainted_string | |
|
||||
| Taint externally controlled string | test.py:14 | test.py:14:9:14:22 | tainted_string | | --> | Taint externally controlled string | test.py:14 | test.py:14:9:14:31 | Attribute() | |
|
||||
| Taint externally controlled string | test.py:14 | test.py:14:9:14:31 | Attribute() | | --> | Taint externally controlled string | test.py:21 | test.py:21:10:21:10 | a | |
|
||||
| Taint externally controlled string | test.py:15 | test.py:15:9:15:22 | tainted_string | | --> | Taint externally controlled string | test.py:15 | test.py:15:9:15:29 | Attribute() | |
|
||||
| Taint externally controlled string | test.py:15 | test.py:15:9:15:29 | Attribute() | | --> | Taint externally controlled string | test.py:21 | test.py:21:13:21:13 | b | |
|
||||
| Taint externally controlled string | test.py:16 | test.py:16:9:16:22 | tainted_string | | --> | Taint externally controlled string | test.py:16 | test.py:16:9:16:25 | Subscript | |
|
||||
| Taint externally controlled string | test.py:16 | test.py:16:9:16:25 | Subscript | | --> | Taint externally controlled string | test.py:21 | test.py:21:16:21:16 | c | |
|
||||
| Taint externally controlled string | test.py:17 | test.py:17:9:17:22 | tainted_string | | --> | Taint externally controlled string | test.py:17 | test.py:17:9:17:27 | Subscript | |
|
||||
| Taint externally controlled string | test.py:17 | test.py:17:9:17:27 | Subscript | | --> | Taint externally controlled string | test.py:21 | test.py:21:19:21:19 | d | |
|
||||
| Taint externally controlled string | test.py:18 | test.py:18:9:18:32 | reversed() | | --> | Taint externally controlled string | test.py:21 | test.py:21:22:21:22 | e | |
|
||||
| Taint externally controlled string | test.py:18 | test.py:18:18:18:31 | tainted_string | | --> | Taint externally controlled string | test.py:18 | test.py:18:9:18:32 | reversed() | |
|
||||
| Taint externally controlled string | test.py:19 | test.py:19:9:19:28 | copy() | | --> | Taint externally controlled string | test.py:21 | test.py:21:25:21:25 | f | |
|
||||
| Taint externally controlled string | test.py:19 | test.py:19:14:19:27 | tainted_string | | --> | Taint externally controlled string | test.py:19 | test.py:19:9:19:28 | copy() | |
|
||||
| Taint externally controlled string | test.py:20 | test.py:20:9:20:22 | tainted_string | | --> | Taint externally controlled string | test.py:20 | test.py:20:9:20:30 | Attribute() | |
|
||||
| Taint externally controlled string | test.py:20 | test.py:20:9:20:30 | Attribute() | | --> | Taint externally controlled string | test.py:21 | test.py:21:28:21:28 | g | |
|
||||
| Taint externally controlled string | test.py:24 | test.py:24:22:24:35 | TAINTED_STRING | | --> | Taint externally controlled string | test.py:25 | test.py:25:8:25:21 | tainted_string | |
|
||||
| Taint externally controlled string | test.py:24 | test.py:24:22:24:35 | TAINTED_STRING | | --> | Taint externally controlled string | test.py:28 | test.py:28:14:28:27 | tainted_string | |
|
||||
| Taint externally controlled string | test.py:31 | test.py:31:22:31:35 | TAINTED_STRING | | --> | Taint externally controlled string | test.py:32 | test.py:32:8:32:21 | tainted_string | |
|
||||
| Taint externally controlled string | test.py:31 | test.py:31:22:31:35 | TAINTED_STRING | | --> | Taint externally controlled string | test.py:32 | test.py:32:34:32:47 | tainted_string | |
|
||||
| Taint externally controlled string | test.py:31 | test.py:31:22:31:35 | TAINTED_STRING | | --> | Taint externally controlled string | test.py:35 | test.py:35:14:35:27 | tainted_string | |
|
||||
| Taint externally controlled string | test.py:38 | test.py:38:22:38:35 | TAINTED_STRING | | --> | Taint externally controlled string | test.py:39 | test.py:39:13:39:26 | tainted_string | |
|
||||
| Taint externally controlled string | test.py:38 | test.py:38:22:38:35 | TAINTED_STRING | | --> | Taint externally controlled string | test.py:40 | test.py:40:15:40:28 | tainted_string | |
|
||||
| Taint externally controlled string | test.py:38 | test.py:38:22:38:35 | TAINTED_STRING | | --> | Taint externally controlled string | test.py:41 | test.py:41:15:41:28 | tainted_string | |
|
||||
| Taint externally controlled string | test.py:39 | test.py:39:9:39:27 | str() | | --> | Taint externally controlled string | test.py:42 | test.py:42:10:42:10 | a | |
|
||||
| Taint externally controlled string | test.py:39 | test.py:39:13:39:26 | tainted_string | | --> | Taint externally controlled string | test.py:39 | test.py:39:9:39:27 | str() | |
|
||||
| Taint externally controlled string | test.py:40 | test.py:40:9:40:29 | bytes() | | --> | Taint externally controlled string | test.py:42 | test.py:42:13:42:13 | b | |
|
||||
| Taint externally controlled string | test.py:40 | test.py:40:15:40:28 | tainted_string | | --> | Taint externally controlled string | test.py:40 | test.py:40:9:40:29 | bytes() | |
|
||||
| Taint externally controlled string | test.py:41 | test.py:41:9:41:46 | bytes() | | --> | Taint externally controlled string | test.py:42 | test.py:42:16:42:16 | c | |
|
||||
| Taint externally controlled string | test.py:41 | test.py:41:15:41:28 | tainted_string | | --> | Taint externally controlled string | test.py:41 | test.py:41:9:41:46 | bytes() | |
|
||||
| Taint externally controlled string | test.py:44 | test.py:44:22:44:26 | taint | p1 = externally controlled string | --> | Taint externally controlled string | test.py:45 | test.py:45:17:45:21 | taint | p1 = externally controlled string |
|
||||
| Taint externally controlled string | test.py:45 | test.py:45:17:45:21 | taint | p1 = externally controlled string | --> | Taint externally controlled string | test.py:45 | test.py:45:12:45:22 | func() | p1 = externally controlled string |
|
||||
| Taint externally controlled string | test.py:45 | test.py:45:17:45:21 | taint | p1 = externally controlled string | --> | Taint externally controlled string | test.py:52 | test.py:52:19:52:21 | arg | p0 = externally controlled string |
|
||||
| Taint externally controlled string | test.py:52 | test.py:52:19:52:21 | arg | p0 = externally controlled string | --> | Taint externally controlled string | test.py:53 | test.py:53:12:53:14 | arg | p0 = externally controlled string |
|
||||
| Taint externally controlled string | test.py:56 | test.py:56:11:56:24 | TAINTED_STRING | | --> | Taint externally controlled string | test.py:57 | test.py:57:38:57:40 | ext | |
|
||||
| Taint externally controlled string | test.py:57 | test.py:57:11:57:41 | cross_over() | | --> | Taint externally controlled string | test.py:58 | test.py:58:10:58:12 | res | |
|
||||
| Taint externally controlled string | test.py:57 | test.py:57:38:57:40 | ext | | --> | Taint externally controlled string | test.py:44 | test.py:44:22:44:26 | taint | p1 = externally controlled string |
|
||||
| Taint externally controlled string | test.py:57 | test.py:57:38:57:40 | ext | | --> | Taint externally controlled string | test.py:57 | test.py:57:11:57:41 | cross_over() | |
|
||||
| Taint externally controlled string | test.py:66 | test.py:66:22:66:35 | TAINTED_STRING | | --> | Taint externally controlled string | test.py:67 | test.py:67:29:67:42 | tainted_string | |
|
||||
| Taint externally controlled string | test.py:66 | test.py:66:22:66:35 | TAINTED_STRING | | --> | Taint externally controlled string | test.py:68 | test.py:68:29:68:42 | tainted_string | |
|
||||
| Taint externally controlled string | test.py:67 | test.py:67:29:67:42 | tainted_string | | --> | Taint [externally controlled string] | test.py:67 | test.py:67:20:67:43 | urlsplit() | |
|
||||
| Taint externally controlled string | test.py:68 | test.py:68:29:68:42 | tainted_string | | --> | Taint [externally controlled string] | test.py:68 | test.py:68:20:68:43 | urlparse() | |
|
||||
| Taint json[externally controlled string] | test.py:6 | test.py:6:20:6:45 | Attribute() | | --> | Taint json[externally controlled string] | test.py:7 | test.py:7:9:7:20 | tainted_json | |
|
||||
| Taint json[externally controlled string] | test.py:7 | test.py:7:9:7:20 | tainted_json | | --> | Taint externally controlled string | test.py:7 | test.py:7:9:7:25 | Subscript | |
|
||||
| Taint json[externally controlled string] | test.py:7 | test.py:7:9:7:20 | tainted_json | | --> | Taint json[externally controlled string] | test.py:7 | test.py:7:9:7:25 | Subscript | |
|
||||
| Taint json[externally controlled string] | test.py:7 | test.py:7:9:7:25 | Subscript | | --> | Taint json[externally controlled string] | test.py:8 | test.py:8:9:8:9 | a | |
|
||||
| Taint json[externally controlled string] | test.py:7 | test.py:7:9:7:25 | Subscript | | --> | Taint json[externally controlled string] | test.py:10 | test.py:10:10:10:10 | a | |
|
||||
| Taint json[externally controlled string] | test.py:8 | test.py:8:9:8:9 | a | | --> | Taint externally controlled string | test.py:8 | test.py:8:9:8:18 | Attribute() | |
|
||||
| Taint json[externally controlled string] | test.py:8 | test.py:8:9:8:9 | a | | --> | Taint json[externally controlled string] | test.py:8 | test.py:8:9:8:18 | Attribute() | |
|
||||
| Taint json[externally controlled string] | test.py:8 | test.py:8:9:8:18 | Attribute() | | --> | Taint json[externally controlled string] | test.py:9 | test.py:9:9:9:9 | b | |
|
||||
| Taint json[externally controlled string] | test.py:8 | test.py:8:9:8:18 | Attribute() | | --> | Taint json[externally controlled string] | test.py:10 | test.py:10:13:10:13 | b | |
|
||||
| Taint json[externally controlled string] | test.py:9 | test.py:9:9:9:9 | b | | --> | Taint externally controlled string | test.py:9 | test.py:9:9:9:14 | Subscript | |
|
||||
| Taint json[externally controlled string] | test.py:9 | test.py:9:9:9:9 | b | | --> | Taint json[externally controlled string] | test.py:9 | test.py:9:9:9:14 | Subscript | |
|
||||
| Taint json[externally controlled string] | test.py:9 | test.py:9:9:9:14 | Subscript | | --> | Taint json[externally controlled string] | test.py:10 | test.py:10:16:10:16 | c | |
|
||||
|
||||
@@ -0,0 +1,24 @@
|
||||
| test.py:10 | test_json | a | externally controlled string |
|
||||
| test.py:10 | test_json | a | json[externally controlled string] |
|
||||
| test.py:10 | test_json | b | externally controlled string |
|
||||
| test.py:10 | test_json | b | json[externally controlled string] |
|
||||
| test.py:10 | test_json | c | externally controlled string |
|
||||
| test.py:10 | test_json | c | json[externally controlled string] |
|
||||
| test.py:21 | test_str | a | externally controlled string |
|
||||
| test.py:21 | test_str | b | externally controlled string |
|
||||
| test.py:21 | test_str | c | externally controlled string |
|
||||
| test.py:21 | test_str | d | externally controlled string |
|
||||
| test.py:21 | test_str | e | externally controlled string |
|
||||
| test.py:21 | test_str | f | externally controlled string |
|
||||
| test.py:21 | test_str | g | externally controlled string |
|
||||
| test.py:26 | test_const_sanitizer1 | tainted_string | NO TAINT |
|
||||
| test.py:28 | test_const_sanitizer1 | tainted_string | externally controlled string |
|
||||
| test.py:33 | test_const_sanitizer2 | tainted_string | NO TAINT |
|
||||
| test.py:35 | test_const_sanitizer2 | tainted_string | externally controlled string |
|
||||
| test.py:42 | test_str2 | a | externally controlled string |
|
||||
| test.py:42 | test_str2 | b | externally controlled string |
|
||||
| test.py:42 | test_str2 | c | externally controlled string |
|
||||
| test.py:50 | test_exc_info | res | exception.info |
|
||||
| test.py:58 | test_untrusted | res | externally controlled string |
|
||||
| test.py:69 | test_urlsplit_urlparse | urlparse_res | [externally controlled string] |
|
||||
| test.py:69 | test_urlsplit_urlparse | urlsplit_res | [externally controlled string] |
|
||||
18
python/ql/test/library-tests/taint/strings/TestTaint.ql
Normal file
18
python/ql/test/library-tests/taint/strings/TestTaint.ql
Normal file
@@ -0,0 +1,18 @@
|
||||
import python
|
||||
import semmle.python.security.TaintTracking
|
||||
import Taint
|
||||
|
||||
from Call call, Expr arg, string taint_string
|
||||
where
|
||||
call.getLocation().getFile().getShortName() = "test.py" and
|
||||
call.getFunc().(Name).getId() = "test" and
|
||||
arg = call.getAnArg() and
|
||||
(
|
||||
not exists(TaintedNode tainted | tainted.getAstNode() = arg) and
|
||||
taint_string = "NO TAINT"
|
||||
or
|
||||
exists(TaintedNode tainted | tainted.getAstNode() = arg |
|
||||
taint_string = tainted.getTaintKind().toString()
|
||||
)
|
||||
)
|
||||
select arg.getLocation().toString(), call.getScope().(Function).getName(), arg.toString(), taint_string
|
||||
@@ -2,41 +2,44 @@ import json
|
||||
from copy import copy
|
||||
|
||||
def test_json():
|
||||
tainted_string = TAINTED
|
||||
tainted_string = TAINTED_STRING
|
||||
tainted_json = json.loads(tainted_string)
|
||||
a = tainted_json["x"]
|
||||
b = a.get("y")
|
||||
c = b["z"]
|
||||
test(a, b, c)
|
||||
|
||||
def test_str():
|
||||
tainted_string = TAINTED
|
||||
tainted_string = TAINTED_STRING
|
||||
a = tainted_string.ljust(8)
|
||||
b = tainted_string.copy()
|
||||
c = tainted_string[:]
|
||||
d = tainted_string[::2]
|
||||
e = reversed(tainted_string)
|
||||
f = copy(tainted_string)
|
||||
h = tainted_string.strip()
|
||||
g = tainted_string.strip()
|
||||
test(a, b, c, d, e, f, g)
|
||||
|
||||
def test_const_sanitizer1():
|
||||
tainted_string = TAINTED
|
||||
tainted_string = TAINTED_STRING
|
||||
if tainted_string == "OK":
|
||||
not_tainted(tainted_string)
|
||||
test(tainted_string) # not tainted
|
||||
else:
|
||||
still_tainted(tainted_string)
|
||||
test(tainted_string) # still tainted
|
||||
|
||||
def test_const_sanitizer2():
|
||||
tainted_string = TAINTED
|
||||
tainted_string = TAINTED_STRING
|
||||
if tainted_string == "OK" or tainted_string == "ALSO_OK":
|
||||
not_tainted(tainted_string)
|
||||
test(tainted_string) # not tainted
|
||||
else:
|
||||
still_tainted(tainted_string)
|
||||
test(tainted_string) # still tainted
|
||||
|
||||
def test_str2():
|
||||
tainted_string = TAINTED
|
||||
tainted_string = TAINTED_STRING
|
||||
a = str(tainted_string)
|
||||
b = bytes(tainted_string) # This is an error in Python 3
|
||||
c = bytes(tainted_string, encoding="utf8") # This is an error in Python 2
|
||||
test(a, b, c)
|
||||
|
||||
def cross_over(func, taint):
|
||||
return func(taint)
|
||||
@@ -44,13 +47,23 @@ def cross_over(func, taint):
|
||||
def test_exc_info():
|
||||
info = TAINTED_EXCEPTION_INFO
|
||||
res = cross_over(exc_info_call, info)
|
||||
test(res)
|
||||
|
||||
def exc_info_call(arg):
|
||||
return arg
|
||||
|
||||
def test_untrusted():
|
||||
ext = TAINTED_EXTERNAL_STRING
|
||||
ext = TAINTED_STRING
|
||||
res = cross_over(untrusted_call, ext)
|
||||
test(res)
|
||||
|
||||
def exc_untrusted_call(arg):
|
||||
return arg
|
||||
|
||||
from six.moves.urllib.parse import urlsplit, urlparse
|
||||
|
||||
def test_urlsplit_urlparse():
|
||||
tainted_string = TAINTED_STRING
|
||||
urlsplit_res = urlsplit(tainted_string)
|
||||
urlparse_res = urlparse(tainted_string)
|
||||
test(urlsplit_res, urlparse_res)
|
||||
|
||||
Reference in New Issue
Block a user