Python: Add modeling of ujson PyPI package

The problem with `tainted_filelike` not having taint, is that in the call `ujson.dump(tainted_obj, tainted_filelike)` there is no PostUpdateNote for `tainted_filelike` :( The reason is that points-to is not able to resolve the call, so none of the clauses in `argumentPreUpdateNode` matches See 08731fc6cf/python/ql/src/semmle/python/dataflow/new/internal/DataFlowPrivate.qll (L101-L111) Let's deal with that issue in an other PR though
2026-05-01 03:35:13 +02:00 · 2021-05-10 15:07:55 +02:00
parent 72d08f4d6e
commit c2a6b811fc
9 changed files with 130 additions and 0 deletions
--- a/python/ql/test/library-tests/frameworks/ujson/ConceptsTest.expected
+++ b/python/ql/test/library-tests/frameworks/ujson/ConceptsTest.expected
--- a/python/ql/test/library-tests/frameworks/ujson/ConceptsTest.ql
+++ b/python/ql/test/library-tests/frameworks/ujson/ConceptsTest.ql
@@ -0,0 +1,2 @@
+import python
+import experimental.meta.ConceptsTest
--- a/python/ql/test/library-tests/frameworks/ujson/InlineTaintTest.expected
+++ b/python/ql/test/library-tests/frameworks/ujson/InlineTaintTest.expected
@@ -0,0 +1,3 @@
+argumentToEnsureNotTaintedNotMarkedAsSpurious
+untaintedArgumentToEnsureTaintedNotMarkedAsMissing
+failures
--- a/python/ql/test/library-tests/frameworks/ujson/InlineTaintTest.ql
+++ b/python/ql/test/library-tests/frameworks/ujson/InlineTaintTest.ql
@@ -0,0 +1 @@
+import experimental.meta.InlineTaintTest
--- a/python/ql/test/library-tests/frameworks/ujson/taint_test.py
+++ b/python/ql/test/library-tests/frameworks/ujson/taint_test.py
@@ -0,0 +1,44 @@
+import ujson
+from io import StringIO
+
+def test():
+    ts = TAINTED_STRING
+    tainted_obj = {"foo": ts}
+
+    encoded = ujson.dumps(tainted_obj) # $ encodeOutput=Attribute() encodeFormat=JSON encodeInput=tainted_obj
+
+    ensure_tainted(
+        encoded, # $ tainted
+        ujson.dumps(tainted_obj), # $ tainted encodeOutput=Attribute() encodeFormat=JSON encodeInput=tainted_obj
+        ujson.dumps(obj=tainted_obj), # $ tainted encodeOutput=Attribute() encodeFormat=JSON encodeInput=tainted_obj
+        ujson.loads(encoded), # $ tainted decodeOutput=Attribute() decodeFormat=JSON decodeInput=encoded
+        ujson.loads(obj=encoded), # $ tainted decodeOutput=Attribute() decodeFormat=JSON decodeInput=encoded
+
+        ujson.encode(tainted_obj), # $ tainted encodeOutput=Attribute() encodeFormat=JSON encodeInput=tainted_obj
+        ujson.encode(obj=tainted_obj), # $ tainted encodeOutput=Attribute() encodeFormat=JSON encodeInput=tainted_obj
+        ujson.decode(encoded), # $ tainted decodeOutput=Attribute() decodeFormat=JSON decodeInput=encoded
+        ujson.decode(obj=encoded), # $ tainted decodeOutput=Attribute() decodeFormat=JSON decodeInput=encoded
+    )
+
+    # load/dump with file-like
+    tainted_filelike = StringIO()
+    ujson.dump(tainted_obj, tainted_filelike) # $ encodeFormat=JSON encodeInput=tainted_obj
+
+    tainted_filelike.seek(0)
+    ensure_tainted(
+        tainted_filelike, # $ MISSING: tainted
+        ujson.load(tainted_filelike), # $ decodeOutput=Attribute() decodeFormat=JSON decodeInput=tainted_filelike MISSING: tainted
+    )
+
+    # load/dump with file-like using keyword-args does not work in `ujson`
+
+
+# To make things runable
+
+TAINTED_STRING = "TAINTED_STRING"
+def ensure_tainted(*args):
+    print("- ensure_tainted")
+    for i, arg in enumerate(args):
+        print("arg {}: {!r}".format(i, arg))
+
+test()