hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-29 18:55:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

Python: Only comparison with constant will clear taint

Browse Source 
tainted = SOURCE
    if tainted == tainted:
        SINK(tainted) # unsafe

before, in the body of the if statement, `tainted` was not tainted
This commit is contained in:
Rasmus Wriedt Larsen
2020-01-21 15:24:06 +01:00
parent 1498145415
commit bbe93f43d3
4 changed files with 17 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
python/ql/src/semmle/python/dataflow/Implementation.qll
View File

@@ -806,7 +806,10 @@ private predicate testEvaluatesMaybe(ControlFlowNode test, ControlFlowNode use)
any(PyEdgeRefinement ref).getTest().getAChild*() = test and
test.getAChild*() = use and
not test.(UnaryExprNode).getNode().getOp() instanceof Not and
not Filters::equality_test(test, use, _, _) and
not exists(ControlFlowNode const |
Filters::equality_test(test, use, _, const) and
const.getNode() instanceof ImmutableLiteral
) and
not Filters::isinstance(test, _, use) and
not test = use
or

2
python/ql/test/library-tests/taint/general/TestSink.expected
View File

@@ -39,3 +39,5 @@
| simple.test | test.py:195 | 199 | t | simple.test |
| simple.test | test.py:208 | 214 | x | simple.test |
| simple.test | test.py:217 | 220 | tainted | simple.test |
| simple.test | test.py:229 | 231 | tainted | simple.test |
| simple.test | test.py:229 | 233 | tainted | simple.test |

3
python/ql/test/library-tests/taint/general/TestStep.expected
View File

@@ -203,3 +203,6 @@
| simple.test | test.py:217 | SOURCE | | --> | simple.test | test.py:220 | tainted | |
| simple.test | test.py:223 | SOURCE | | --> | simple.test | test.py:224 | tainted | |
| simple.test | test.py:229 | SOURCE | | --> | simple.test | test.py:230 | tainted | |
| simple.test | test.py:229 | SOURCE | | --> | simple.test | test.py:231 | tainted | |
| simple.test | test.py:229 | SOURCE | | --> | simple.test | test.py:232 | tainted | |
| simple.test | test.py:229 | SOURCE | | --> | simple.test | test.py:233 | tainted | |

8
python/ql/test/library-tests/taint/general/TestVar.expected
View File

@@ -199,4 +199,12 @@
| test.py:220 | tainted_5 | test.py:220 | Taint simple.test |
| test.py:223 | tainted_0 | test.py:223 | Taint simple.test |
| test.py:225 | tainted_1 | test.py:225 | Taint simple.test |
| test.py:228 | tainted_7 | test.py:228 | Taint simple.test |
| test.py:228 | tainted_8 | test.py:228 | Taint simple.test |
| test.py:229 | tainted_0 | test.py:229 | Taint simple.test |
| test.py:231 | tainted_1 | test.py:231 | Taint simple.test |
| test.py:231 | tainted_2 | test.py:231 | Taint simple.test |
| test.py:232 | tainted_3 | test.py:232 | Taint simple.test |
| test.py:232 | tainted_4 | test.py:232 | Taint simple.test |
| test.py:233 | tainted_5 | test.py:233 | Taint simple.test |
| test.py:233 | tainted_6 | test.py:233 | Taint simple.test |