Python: Clean up taint steps for attributes

2026-05-02 04:05:14 +02:00 · 2022-02-07 13:03:14 +01:00
parent 59160eeb24
commit b276b2d48c
3 changed files with 22 additions and 5 deletions
--- a/python/ql/lib/semmle/python/dataflow/new/internal/TaintTrackingPrivate.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/internal/TaintTrackingPrivate.qll
@@ -167,8 +167,25 @@ predicate stringManipulation(DataFlow::CfgNode nodeFrom, DataFlow::CfgNode nodeT
 */
 predicate containerStep(DataFlow::CfgNode nodeFrom, DataFlow::Node nodeTo) {
  // construction by literal
-  // TODO: Not limiting the content argument here feels like a BIG hack, but we currently get nothing for free :|
-  DataFlowPrivate::storeStep(nodeFrom, _, nodeTo)
+  //
+  // TODO: once we have proper flow-summary modeling, we might not need this step any
+  // longer -- but there needs to be a matching read-step for the store-step, and we
+  // don't provide that right now.
+  DataFlowPrivate::listStoreStep(nodeFrom, _, nodeTo)
+  or
+  DataFlowPrivate::setStoreStep(nodeFrom, _, nodeTo)
+  or
+  DataFlowPrivate::tupleStoreStep(nodeFrom, _, nodeTo)
+  or
+  DataFlowPrivate::dictStoreStep(nodeFrom, _, nodeTo)
+  or
+  // comprehension, so there is taint-flow from `x` in `[x for x in xs]` to the
+  // resulting list of the list-comprehension.
+  //
+  // TODO: once we have proper flow-summary modeling, we might not need this step any
+  // longer -- but there needs to be a matching read-step for the store-step, and we
+  // don't provide that right now.
+  DataFlowPrivate::comprehensionStoreStep(nodeFrom, _, nodeTo)
  or
  // constructor call
  exists(DataFlow::CallCfgNode call | call = nodeTo |
--- a/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/test_attr.py
+++ b/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/test_attr.py
@@ -25,7 +25,7 @@ def test_tainted_attr():
    # https://github.com/github/codeql/issues/7786

    f = Foo(TAINTED_STRING)
-    ensure_not_tainted(f) # $ SPURIOUS: tainted
+    ensure_not_tainted(f)
    ensure_tainted(f.arg) # $ tainted
    ensure_not_tainted(f.other_arg)

@@ -34,7 +34,7 @@ def test_tainted_attr():
    ensure_not_tainted(x, x.arg, x.other_arg)

    x.arg = TAINTED_STRING
-    ensure_not_tainted(x) # $ SPURIOUS: tainted
+    ensure_not_tainted(x)
    ensure_tainted(x.arg) # $ tainted
    ensure_not_tainted(f.other_arg)

--- a/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/test_with.py
+++ b/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/test_with.py
@@ -49,7 +49,7 @@ class Context_arg:
 def test_with_arg():
    ctx = Context_arg(TAINTED_STRING)
    with ctx as tainted:
-        ensure_tainted(tainted) # $ tainted
+        ensure_tainted(tainted) # $ MISSING: tainted