Python: Taint for string multiplication

2026-04-29 02:35:15 +02:00 · 2020-08-24 14:50:46 +02:00
parent b688fe68d6
commit cb4b4e91ab
3 changed files with 64 additions and 56 deletions
--- a/python/ql/src/experimental/dataflow/internal/TaintTrackingPrivate.qll
+++ b/python/ql/src/experimental/dataflow/internal/TaintTrackingPrivate.qll
@@ -119,6 +119,12 @@ predicate stringMethods(DataFlow::CfgNode nodeFrom, DataFlow::CfgNode nodeTo) {
      fmt.getRight() = nodeFrom.getNode()
    )
  )
+  or
+  // string multiplication -- `"foo" * 10`
+  exists(BinaryExprNode mult | mult = nodeTo.getNode() |
+    mult.getOp() instanceof Mult and
+    mult.getLeft() = nodeFrom.getNode()
+  )
  // TODO: Handle encode/decode from base64/quopri
  // TODO: Handle os.path.join
  // TODO: Handle functions in https://docs.python.org/3/library/binascii.html