Python taint-tracking: Support iterables of taint.

2026-05-03 04:39:29 +02:00 · 2019-05-22 15:30:11 +01:00
parent 83ec5f1ae9
commit 97c98f29e4
8 changed files with 73 additions and 1 deletions
--- a/python/ql/test/library-tests/taint/general/TaintLib.qll
+++ b/python/ql/test/library-tests/taint/general/TaintLib.qll
@@ -362,7 +362,29 @@ class FalseySource  extends TaintSource {

 }

-
+class TaintIterable extends TaintKind {
+
+    TaintIterable() {
+        this = "iterable.simple"
+    }
+
+    override TaintKind getTaintForIteration() {
+        result instanceof SimpleTest
+    }
+
+}
+
+class TaintIterableSource extends TaintSource {
+
+    TaintIterableSource() {
+        this.(NameNode).getId() = "ITERABLE_SOURCE"
+    }
+
+    override predicate isSourceOf(TaintKind kind) {
+        kind instanceof TaintIterable
+    }
+
+}



--- a/python/ql/test/library-tests/taint/general/TestDefn.expected
+++ b/python/ql/test/library-tests/taint/general/TestDefn.expected
@@ -180,3 +180,6 @@
 | test.py:197 | Pi(t_0) [true] | test.py:195 | Taint simple.test | SOURCE |
 | test.py:199 | ArgumentRefinement(t_3) | test.py:195 | Taint simple.test | SOURCE |
 | test.py:199 | Pi(t_0) [false] | test.py:195 | Taint simple.test | SOURCE |
+| test.py:202 | ITERABLE_SOURCE | test.py:202 | Taint iterable.simple | ITERABLE_SOURCE |
+| test.py:203 | IterationDefinition | test.py:203 | Taint simple.test | i |
+| test.py:203 | phi(i_0, i_2) | test.py:203 | Taint simple.test | i |
--- a/python/ql/test/library-tests/taint/general/TestNode.expected
+++ b/python/ql/test/library-tests/taint/general/TestNode.expected
@@ -96,6 +96,8 @@
 | Taint explicit.carrier | carrier.py:35 | x |  |
 | Taint falsey | test.py:189 | FALSEY |  |
 | Taint falsey | test.py:190 | t |  |
+| Taint iterable.simple | test.py:202 | ITERABLE_SOURCE |  |
+| Taint iterable.simple | test.py:203 | t |  |
 | Taint paper | rockpaperscissors.py:6 | arg | rockpaperscissors.py:32 |
 | Taint paper | rockpaperscissors.py:9 | arg | rockpaperscissors.py:26 |
 | Taint paper | rockpaperscissors.py:25 | Attribute() |  |
@@ -226,6 +228,9 @@
 | Taint simple.test | test.py:196 | t |  |
 | Taint simple.test | test.py:197 | t |  |
 | Taint simple.test | test.py:199 | t |  |
+| Taint simple.test | test.py:203 | i |  |
+| Taint simple.test | test.py:204 | i |  |
+| Taint simple.test | test.py:205 | i |  |
 | Taint {simple.test} | test.py:169 | Dict |  |
 | Taint {simple.test} | test.py:171 | d |  |
 | Taint {simple.test} | test.py:173 | y |  |
--- a/python/ql/test/library-tests/taint/general/TestSource.expected
+++ b/python/ql/test/library-tests/taint/general/TestSource.expected
@@ -43,3 +43,4 @@
 | test.py:178 | SOURCE | simple.test |
 | test.py:189 | FALSEY | falsey |
 | test.py:195 | SOURCE | simple.test |
+| test.py:202 | ITERABLE_SOURCE | iterable.simple |
--- a/python/ql/test/library-tests/taint/general/TestStep.expected
+++ b/python/ql/test/library-tests/taint/general/TestStep.expected
@@ -83,6 +83,8 @@
 | Taint explicit.carrier | carrier.py:34 | Attribute |  |  -->  | Taint explicit.carrier | carrier.py:35 | x |  |
 | Taint explicit.carrier | carrier.py:35 | x |  |  -->  | Taint simple.test | carrier.py:35 | Attribute() |  |
 | Taint falsey | test.py:189 | FALSEY |  |  -->  | Taint falsey | test.py:190 | t |  |
+| Taint iterable.simple | test.py:202 | ITERABLE_SOURCE |  |  -->  | Taint iterable.simple | test.py:203 | t |  |
+| Taint iterable.simple | test.py:203 | t |  |  -->  | Taint simple.test | test.py:203 | i |  |
 | Taint paper | rockpaperscissors.py:25 | Attribute() |  |  -->  | Taint paper | rockpaperscissors.py:26 | y |  |
 | Taint paper | rockpaperscissors.py:26 | y |  |  -->  | Taint paper | rockpaperscissors.py:9 | arg | rockpaperscissors.py:26 |
 | Taint paper | rockpaperscissors.py:30 | Attribute() |  |  -->  | Taint paper | rockpaperscissors.py:32 | y |  |
@@ -181,6 +183,8 @@
 | Taint simple.test | test.py:195 | SOURCE |  |  -->  | Taint simple.test | test.py:196 | t |  |
 | Taint simple.test | test.py:195 | SOURCE |  |  -->  | Taint simple.test | test.py:197 | t |  |
 | Taint simple.test | test.py:195 | SOURCE |  |  -->  | Taint simple.test | test.py:199 | t |  |
+| Taint simple.test | test.py:203 | i |  |  -->  | Taint simple.test | test.py:204 | i |  |
+| Taint simple.test | test.py:203 | i |  |  -->  | Taint simple.test | test.py:205 | i |  |
 | Taint {simple.test} | test.py:169 | Dict |  |  -->  | Taint {simple.test} | test.py:171 | d |  |
 | Taint {simple.test} | test.py:169 | Dict |  |  -->  | Taint {simple.test} | test.py:175 | d |  |
 | Taint {simple.test} | test.py:171 | d |  |  -->  | Taint {simple.test} | test.py:173 | y |  |
--- a/python/ql/test/library-tests/taint/general/TestVar.expected
+++ b/python/ql/test/library-tests/taint/general/TestVar.expected
@@ -182,3 +182,6 @@
 | test.py:197 | t_2 | test.py:195 | Taint simple.test | SOURCE |
 | test.py:199 | t_3 | test.py:195 | Taint simple.test | SOURCE |
 | test.py:199 | t_4 | test.py:195 | Taint simple.test | SOURCE |
+| test.py:202 | t_0 | test.py:202 | Taint iterable.simple | ITERABLE_SOURCE |
+| test.py:203 | i_1 | test.py:203 | Taint simple.test | i |
+| test.py:203 | i_2 | test.py:203 | Taint simple.test | i |
--- a/python/ql/test/library-tests/taint/general/test.py
+++ b/python/ql/test/library-tests/taint/general/test.py
@@ -198,3 +198,9 @@ def flow_through_type_test_if_no_class():
    else:
        SINK(t)

+def flow_in_iteration():
+    t = ITERABLE_SOURCE
+    for i in t:
+        i
+    return i
+