Python: Add test for strange generator taint flow

I did check, and this was not a problem with the old call-graph on main! I'm absolutely baffled!
2025-12-24 04:36:35 +01:00 · 2022-11-04 11:40:19 +01:00
parent 36e8b8bfb9
commit aa382ac042
6 changed files with 79 additions and 0 deletions
--- a/python/ql/test/experimental/dataflow/tainttracking/generator-flow/InlineTaintTest.expected
+++ b/python/ql/test/experimental/dataflow/tainttracking/generator-flow/InlineTaintTest.expected
@@ -0,0 +1,3 @@
+argumentToEnsureNotTaintedNotMarkedAsSpurious
+untaintedArgumentToEnsureTaintedNotMarkedAsMissing
+failures
--- a/python/ql/test/experimental/dataflow/tainttracking/generator-flow/InlineTaintTest.ql
+++ b/python/ql/test/experimental/dataflow/tainttracking/generator-flow/InlineTaintTest.ql
@@ -0,0 +1 @@
+import experimental.meta.InlineTaintTest
--- a/python/ql/test/experimental/dataflow/tainttracking/generator-flow/NormalDataflowTest.expected
+++ b/python/ql/test/experimental/dataflow/tainttracking/generator-flow/NormalDataflowTest.expected
@@ -0,0 +1,2 @@
+missingAnnotationOnSink
+failures
--- a/python/ql/test/experimental/dataflow/tainttracking/generator-flow/NormalDataflowTest.ql
+++ b/python/ql/test/experimental/dataflow/tainttracking/generator-flow/NormalDataflowTest.ql
@@ -0,0 +1,2 @@
+import python
+import experimental.dataflow.TestUtil.NormalDataflowTest
--- a/python/ql/test/experimental/dataflow/tainttracking/generator-flow/test_dataflow.py
+++ b/python/ql/test/experimental/dataflow/tainttracking/generator-flow/test_dataflow.py
@@ -0,0 +1,34 @@
+def normal_helper(arg):
+    l = [arg]
+    return l[0]
+
+
+def generator_helper(arg):
+    l = [arg]
+    l = [x for x in l]
+    return l[0]
+
+
+def generator_helper_wo_source_use(arg):
+    l = [arg]
+    l = [x for x in l]
+    return l[0]
+
+
+def test_source():
+    x = normal_helper(SOURCE)
+    SINK(x) # $ flow="SOURCE, l:-1 -> x"
+
+    x = generator_helper(SOURCE)
+    SINK(x) # $ flow="SOURCE, l:-1 -> x"
+
+
+def test_non_source():
+    x = normal_helper(NONSOURCE)
+    SINK_F(x)
+
+    x = generator_helper(NONSOURCE)
+    SINK_F(x)
+
+    x = generator_helper_wo_source_use(NONSOURCE)
+    SINK_F(x)
--- a/python/ql/test/experimental/dataflow/tainttracking/generator-flow/test_taint.py
+++ b/python/ql/test/experimental/dataflow/tainttracking/generator-flow/test_taint.py
@@ -0,0 +1,37 @@
+def normal_helper(arg):
+    l = [arg]
+    return l[0]
+
+# we had a regression where flow from a source to the argument of this function would
+# cause _all_ returns from this function to be treated as tainted. That is, the
+# `generator_helper(NONSOURCE)` call in `test_non_source` would result in taint :| This
+# is specific to taint-tracking, and does NOT appear in pure data-flow (see the
+# test_dataflow file)
+def generator_helper(arg):
+    l = [arg]
+    l = [x for x in l]
+    return l[0]
+
+
+def generator_helper_wo_source_use(arg):
+    l = [arg]
+    l = [x for x in l]
+    return l[0]
+
+def test_source():
+    x = normal_helper(TAINTED_STRING)
+    ensure_tainted(x) # $ tainted
+
+    x = generator_helper(TAINTED_STRING)
+    ensure_tainted(x) # $ tainted
+
+
+def test_non_source():
+    x = normal_helper(NONSOURCE)
+    ensure_not_tainted(x)
+
+    x = generator_helper(NONSOURCE)
+    ensure_not_tainted(x) # $ SPURIOUS: tainted
+
+    x = generator_helper_wo_source_use(NONSOURCE)
+    ensure_not_tainted(x)