Python: Limit SensitiveDataSources to prevent _some_ cross-talk

2026-05-02 04:05:14 +02:00 · 2021-07-01 12:08:12 +02:00
parent f64e58a21c
commit b0309dd321
2 changed files with 11 additions and 21 deletions
--- a/python/ql/src/semmle/python/dataflow/new/SensitiveDataSources.qll
+++ b/python/ql/src/semmle/python/dataflow/new/SensitiveDataSources.qll
@@ -76,26 +76,16 @@ private module SensitiveDataModeling {
  }

  /**
-   * Gets a reference to a string constant that, if used as the key in a lookup,
-   * indicates the presence of sensitive data with `classification`.
-   */
-  private DataFlow::LocalSourceNode sensitiveLookupStringConst(
-    DataFlow::TypeTracker t, SensitiveDataClassification classification
-  ) {
-    t.start() and
-    nameIndicatesSensitiveData(result.asExpr().(StrConst).getText(), classification)
-    or
-    exists(DataFlow::TypeTracker t2 |
-      result = sensitiveLookupStringConst(t2, classification).track(t2, t)
-    )
-  }
-
-  /**
-   * Gets a reference to a string constant that, if used as the key in a lookup,
-   * indicates the presence of sensitive data with `classification`.
+   * Gets a reference (in local scope) to a string constant that, if used as the key in
+   * a lookup, indicates the presence of sensitive data with `classification`.
   */
  DataFlow::Node sensitiveLookupStringConst(SensitiveDataClassification classification) {
-    sensitiveLookupStringConst(DataFlow::TypeTracker::end(), classification).flowsTo(result)
+    // Note: If this is implemented with type-tracking, we will get cross-talk as
+    // illustrated in python/ql/test/experimental/dataflow/sensitive-data/test.py
+    exists(DataFlow::LocalSourceNode source |
+      nameIndicatesSensitiveData(source.asExpr().(StrConst).getText(), classification) and
+      source.flowsTo(result)
+    )
  }

  /** A function call that is considered a source of sensitive data. */
--- a/python/ql/test/experimental/dataflow/sensitive-data/test.py
+++ b/python/ql/test/experimental/dataflow/sensitive-data/test.py
@@ -90,13 +90,13 @@ _configuration = {"sleep_timer": 5, "mysql_password": "1234"}
 def get_config(key):
    # Treating this as a SensitiveDataSource is questionable, since that will result in
    # _all_ calls to `get_config` being treated as giving sensitive data
-    return _configuration[key] # $ SensitiveDataSource=password
+    return _configuration[key]

 foo = get_config("mysql_password")
-print(foo) # $ SensitiveUse=password
+print(foo) # $ MISSING: SensitiveUse=password

 bar = get_config("sleep_timer")
-print(bar) # $ SPURIOUS: SensitiveUse=password
+print(bar)

 # Case 2: Providing function as argument