Python: Handle taint for f-strings

Which we seem to not handle in the current taint tracking :O f-strings needs to be Python 3 only, so enabled that test setup. I really liked the idea for having the version specific tests right next to the normal tests, so you don't have to look in test/experimental/3/dataflow/i/will/forget/to/look/here.
2026-04-29 18:55:14 +02:00 · 2020-08-24 16:29:30 +02:00
parent cb4b4e91ab
commit d96ef73033
7 changed files with 64 additions and 0 deletions
--- a/python/ql/test/experimental/dataflow/tainttracking/string-py3/TestTaint.expected
+++ b/python/ql/test/experimental/dataflow/tainttracking/string-py3/TestTaint.expected
@@ -0,0 +1,7 @@
+| test.py:28 | fail | binary_decode_encode | base64.a85encode(..) |
+| test.py:29 | fail | binary_decode_encode | base64.a85decode(..) |
+| test.py:32 | fail | binary_decode_encode | base64.b85encode(..) |
+| test.py:33 | fail | binary_decode_encode | base64.b85decode(..) |
+| test.py:36 | fail | binary_decode_encode | base64.encodebytes(..) |
+| test.py:37 | fail | binary_decode_encode | base64.decodebytes(..) |
+| test.py:45 | ok   | f_strings | Fstring |
--- a/python/ql/test/experimental/dataflow/tainttracking/string-py3/TestTaint.qlref
+++ b/python/ql/test/experimental/dataflow/tainttracking/string-py3/TestTaint.qlref
@@ -0,0 +1 @@
+../TestTaint.ql
--- a/python/ql/test/experimental/dataflow/tainttracking/string-py3/options
+++ b/python/ql/test/experimental/dataflow/tainttracking/string-py3/options
@@ -0,0 +1 @@
+semmle-extractor-options: --max-import-depth=1 --lang=3
--- a/python/ql/test/experimental/dataflow/tainttracking/string-py3/test.py
+++ b/python/ql/test/experimental/dataflow/tainttracking/string-py3/test.py
@@ -0,0 +1,51 @@
+# Python 3 specific taint tracking for string
+
+TAINTED_STRING = "TAINTED_STRING"
+TAINTED_BYTES = b"TAINTED_BYTES"
+
+
+def ensure_tainted(*args):
+    print("- ensure_tainted")
+    for i, arg in enumerate(args):
+        print("arg {}: {!r}".format(i, arg))
+
+
+def ensure_not_tainted(*args):
+    print("- ensure_not_tainted")
+    for i, arg in enumerate(args):
+        print("arg {}: {!r}".format(i, arg))
+
+
+# Actual tests
+
+def binary_decode_encode():
+    print("\n#percent_fmt")
+    tb = TAINTED_BYTES
+    import base64
+
+    ensure_tainted(
+        # New in Python 3.4
+        base64.a85encode(tb),
+        base64.a85decode(base64.a85encode(tb)),
+
+        # New in Python 3.4
+        base64.b85encode(tb),
+        base64.b85decode(base64.b85encode(tb)),
+
+        # New in Python 3.1
+        base64.encodebytes(tb),
+        base64.decodebytes(base64.encodebytes(tb)),
+    )
+
+
+def f_strings():
+    print("\n#f_strings")
+    ts = TAINTED_STRING
+
+    ensure_tainted(f"foo {ts} bar")
+
+
+# Make tests runable
+
+binary_decode_encode()
+f_strings()
				`@@ -0,0 +1 @@`
				`semmle-extractor-options: --max-import-depth=1 --lang=3`