Python: Add unsafe deserialization sinks (CWE-502)

python/ql/test/library-tests/frameworks/joblib/ConceptsTest.expected

@@ -0,0 +1,2 @@
+failures
+testFailures

python/ql/test/library-tests/frameworks/joblib/ConceptsTest.ql

@@ -0,0 +1,2 @@
+import python
+import experimental.meta.ConceptsTest

python/ql/test/library-tests/frameworks/joblib/Decoding.py

@@ -0,0 +1,4 @@
+import joblib
+
+joblib.load(file_)  # $ decodeInput=file_ decodeOutput=joblib.load(..) decodeFormat=joblib decodeMayExecuteInput
+joblib.load(filename=file_)  # $ decodeInput=file_ decodeOutput=joblib.load(..) decodeFormat=joblib decodeMayExecuteInput

python/ql/test/library-tests/frameworks/numpy/ConceptsTest.expected

@@ -0,0 +1,2 @@
+failures
+testFailures

python/ql/test/library-tests/frameworks/numpy/ConceptsTest.ql

@@ -0,0 +1,2 @@
+import python
+import experimental.meta.ConceptsTest

python/ql/test/library-tests/frameworks/numpy/Decoding.py

@@ -0,0 +1,4 @@
+import numpy
+
+numpy.load(file_)  # $ decodeInput=file_ decodeOutput=numpy.load(..) decodeFormat=numpy decodeMayExecuteInput
+numpy.load(filename=file_)  # $ decodeInput=file_ decodeOutput=numpy.load(..) decodeFormat=numpy decodeMayExecuteInput

python/ql/test/library-tests/frameworks/pandas/ConceptsTest.expected

@@ -0,0 +1,2 @@
+failures
+testFailures

python/ql/test/library-tests/frameworks/pandas/ConceptsTest.ql

@@ -0,0 +1,2 @@
+import python
+import experimental.meta.ConceptsTest

python/ql/test/library-tests/frameworks/pandas/Decoding.py

@@ -0,0 +1,4 @@
+import pandas
+
+pandas.read_pickle(file_)  # $ decodeInput=file_ decodeOutput=pandas.read_pickle(..) decodeFormat=pandas decodeMayExecuteInput
+pandas.read_pickle(filepath_or_buffer=file_)  # $ decodeInput=file_ decodeOutput=pandas.read_pickle(..) decodeFormat=pandas decodeMayExecuteInput

python/ql/test/query-tests/Security/CWE-502-UnsafeDeserialization/unsafe_deserialization.py

@@ -19,3 +19,6 @@ def hello():
 
     import dill
     dill.loads(payload) # NOT OK
+
+    import pandas
+    pandas.read_pickle(payload) # NOT OK