Python: Add additional taint steps for for-iteration

2025-12-20 02:44:30 +01:00 · 2020-08-26 20:18:31 +02:00
parent e2a89aa296
commit afb160fbbb
3 changed files with 21 additions and 6 deletions
--- a/python/ql/src/experimental/dataflow/internal/TaintTrackingPrivate.qll
+++ b/python/ql/src/experimental/dataflow/internal/TaintTrackingPrivate.qll
@@ -36,6 +36,8 @@ predicate localAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeT
  containerStep(nodeFrom, nodeTo)
  or
  copyStep(nodeFrom, nodeTo)
+  or
+  forStep(nodeFrom, nodeTo)
 }

 /**
@@ -190,3 +192,16 @@ predicate copyStep(DataFlow::CfgNode nodeFrom, DataFlow::CfgNode nodeTo) {
    call.getArg(0) = nodeFrom.getNode()
  )
 }
+
+
+/**
+ * Holds if taint can flow from `nodeFrom` to `nodeTo` with a step related to `for`-iteration,
+ * for example `for x in xs`, or `for x,y in points`.
+ */
+predicate forStep(DataFlow::CfgNode nodeFrom, DataFlow::EssaNode nodeTo) {
+  exists(EssaNodeDefinition defn, For for |
+    for.getTarget().getAChildNode*() = defn.getDefiningNode().getNode() and
+    nodeTo.getVar() = defn and
+    nodeFrom.getNode().getNode() = for.getIter()
+  )
+}