Python: Model exec and eval calls as CodeExecution

2026-05-03 20:58:03 +02:00 · 2020-10-07 20:37:43 +02:00
parent 73971cff76
commit c69a61bac5
7 changed files with 102 additions and 9 deletions
--- a/python/ql/test/experimental/library-tests/frameworks/stdlib-py3/ConceptsTest.expected
+++ b/python/ql/test/experimental/library-tests/frameworks/stdlib-py3/ConceptsTest.expected
@@ -1 +0,0 @@
-| CodeExecution.py:4:29:4:50 | Comment # $getCode="print(42)" | Missing result:getCode="print(42)" |
--- a/python/ql/test/experimental/library-tests/frameworks/stdlib/CodeExecutionPossibleFP1.py
+++ b/python/ql/test/experimental/library-tests/frameworks/stdlib/CodeExecutionPossibleFP1.py
@@ -8,4 +8,4 @@ def eval(*args, **kwargs):


 # This function call might be marked as a code execution, but it actually isn't.
-eval("print(42)")
+eval("print(42)")  # $f+:getCode="print(42)"
--- a/python/ql/test/experimental/library-tests/frameworks/stdlib/CodeExecutionPossibleFP2.py
+++ b/python/ql/test/experimental/library-tests/frameworks/stdlib/CodeExecutionPossibleFP2.py
@@ -10,4 +10,4 @@ def foo(*args, **kwargs):
 eval = foo

 # This function call might be marked as a code execution, but it actually isn't.
-eval("print(42)")
+eval("print(42)")  # $f+:getCode="print(42)"
--- a/python/ql/test/experimental/library-tests/frameworks/stdlib/CodeExecutionPossibleFP3.py
+++ b/python/ql/test/experimental/library-tests/frameworks/stdlib/CodeExecutionPossibleFP3.py
@@ -16,4 +16,4 @@ def foo(*args, **kwargs):
 builtins.eval = foo

 # This function call might be marked as a code execution, but it actually isn't.
-eval("print(42)")
+eval("print(42)")  # $f+:getCode="print(42)"
--- a/python/ql/test/experimental/library-tests/frameworks/stdlib/ConceptsTest.expected
+++ b/python/ql/test/experimental/library-tests/frameworks/stdlib/ConceptsTest.expected
@@ -1,5 +0,0 @@
-| CodeExecution.py:12:20:12:41 | Comment # $getCode="print(42)" | Missing result:getCode="print(42)" |
-| CodeExecution.py:13:20:13:41 | Comment # $getCode="print(42)" | Missing result:getCode="print(42)" |
-| CodeExecution.py:15:29:15:50 | Comment # $getCode="print(42)" | Missing result:getCode="print(42)" |
-| CodeExecution.py:18:12:18:25 | Comment # $getCode=cmd | Missing result:getCode=cmd |
-| CodeExecution.py:21:12:21:25 | Comment # $getCode=cmd | Missing result:getCode=cmd |
--- a/python/ql/test/experimental/query-tests/Security-new-dataflow/CWE-094/CodeInjection.expected
+++ b/python/ql/test/experimental/query-tests/Security-new-dataflow/CWE-094/CodeInjection.expected
@@ -1,3 +1,10 @@
 edges
+| code_injection.py:6:12:6:23 | ControlFlowNode for Attribute | code_injection.py:7:10:7:13 | ControlFlowNode for code |
+| code_injection.py:6:12:6:23 | ControlFlowNode for Attribute | code_injection.py:8:10:8:13 | ControlFlowNode for code |
 nodes
+| code_injection.py:6:12:6:23 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| code_injection.py:7:10:7:13 | ControlFlowNode for code | semmle.label | ControlFlowNode for code |
+| code_injection.py:8:10:8:13 | ControlFlowNode for code | semmle.label | ControlFlowNode for code |
 #select
+| code_injection.py:7:10:7:13 | ControlFlowNode for code | code_injection.py:6:12:6:23 | ControlFlowNode for Attribute | code_injection.py:7:10:7:13 | ControlFlowNode for code | $@ flows to here and is interpreted as code. | code_injection.py:6:12:6:23 | ControlFlowNode for Attribute | A user-provided value |
+| code_injection.py:8:10:8:13 | ControlFlowNode for code | code_injection.py:6:12:6:23 | ControlFlowNode for Attribute | code_injection.py:8:10:8:13 | ControlFlowNode for code | $@ flows to here and is interpreted as code. | code_injection.py:6:12:6:23 | ControlFlowNode for Attribute | A user-provided value |
				`@@ -1 +0,0 @@`
				`\| CodeExecution.py:4:29:4:50 \| Comment # $getCode="print(42)" \| Missing result:getCode="print(42)" \|`