hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-24 04:36:35 +01:00
Code Issues Packages Projects Releases Wiki Activity

python: split tests into taint and value

Browse Source 
and add summaries
This commit is contained in:
Rasmus Lerchedahl Petersen
2023-06-19 11:41:41 +02:00
parent eb3c33dfe2
commit e111a19524
9 changed files with 123 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
python/ql/test/experimental/dataflow/model-summaries/TestSummaries.qll
View File

@@ -1,8 +0,0 @@
private import python
private import semmle.python.dataflow.new.FlowSummary
private import semmle.python.frameworks.data.ModelsAsData
private import semmle.python.ApiGraphs
private class StepsFromModel extends ModelInput::SummaryModelCsv {
override predicate row(string row) { none() }
}

0
python/ql/test/experimental/dataflow/model-summaries/NormalTaintTrackingTest.expected → python/ql/test/experimental/dataflow/model-summaries/dataflow/NormalDataflowTest.expected
View File

3
python/ql/test/experimental/dataflow/model-summaries/dataflow/NormalDataflowTest.ql Normal file
View File

@@ -0,0 +1,3 @@
import python
private import TestSummaries
import experimental.dataflow.TestUtil.NormalDataflowTest

20
python/ql/test/experimental/dataflow/model-summaries/dataflow/TestSummaries.qll Normal file
View File

@@ -0,0 +1,20 @@
private import python
private import semmle.python.dataflow.new.FlowSummary
private import semmle.python.frameworks.data.ModelsAsData
private import semmle.python.ApiGraphs
private class StepsFromModel extends ModelInput::SummaryModelCsv {
override predicate row(string row) {
row =
[
"Foo;Member[MS_identity];Argument[0];ReturnValue;value",
"Foo;Member[MS_apply_lambda];Argument[1];Argument[0].Parameter[0];value",
"Foo;Member[MS_apply_lambda];Argument[0].ReturnValue;ReturnValue;value",
"Foo;Member[MS_reversed];Argument[0].ListElement;ReturnValue.ListElement;value",
"Foo;Member[MS_list_map];Argument[1].ListElement;Argument[0].Parameter[0];value",
"Foo;Member[MS_list_map];Argument[0].ReturnValue;ReturnValue.ListElement;value",
"Foo;Member[MS_append_to_list];Argument[0].ListElement;ReturnValue.ListElement;value",
"Foo;Member[MS_append_to_list];Argument[1];ReturnValue.ListElement;value"
]
}
}

69
python/ql/test/experimental/dataflow/model-summaries/dataflow/model_summaries.py Normal file
View File

@@ -0,0 +1,69 @@
import sys
import os
sys.path.append(os.path.dirname(os.path.dirname((__file__))))
from testlib import expects
# These are defined so that we can evaluate the test code.
NONSOURCE = "not a source"
SOURCE = "source"
def is_source(x):
return x == "source" or x == b"source" or x == 42 or x == 42.0 or x == 42j
def SINK(x):
if is_source(x):
print("OK")
else:
print("Unexpected flow", x)
def SINK_F(x):
if is_source(x):
print("Unexpected flow", x)
else:
print("OK")
from Foo import MS_identity, MS_apply_lambda, MS_reversed, MS_list_map, MS_append_to_list
# Simple summary
tainted = MS_identity(SOURCE)
SINK(tainted) # $ flow="SOURCE, l:-1 -> tainted"
# Lambda summary
tainted_lambda = MS_apply_lambda(lambda x: [x], SOURCE)
SINK(tainted_lambda[0]) # $ flow="SOURCE, l:-1 -> tainted_lambda[0]"
# A lambda that breaks the flow
untainted_lambda = MS_apply_lambda(lambda x: 1, SOURCE)
SINK_F(untainted_lambda)
# Collection summaries
tainted_list = MS_reversed([SOURCE])
SINK(tainted_list[0]) # $ flow="SOURCE, l:-1 -> tainted_list[0]"
# Complex summaries
def box(x):
return [x]
tainted_mapped = MS_list_map(box, [SOURCE])
SINK(tainted_mapped[0][0]) # $ flow="SOURCE, l:-1 -> tainted_mapped[0][0]"
def explicit_identity(x):
return x
tainted_mapped_explicit = MS_list_map(explicit_identity, [SOURCE])
SINK(tainted_mapped_explicit[0]) # $ flow="SOURCE, l:-1 -> tainted_mapped_explicit[0]"
tainted_mapped_summary = MS_list_map(MS_identity, [SOURCE])
SINK(tainted_mapped_summary[0]) # $ flow="SOURCE, l:-1 -> tainted_mapped_summary[0]"
tainted_list = MS_append_to_list([], SOURCE)
SINK(tainted_list[0]) # $ flow="SOURCE, l:-1 -> tainted_list[0]"
tainted_list = MS_append_to_list([SOURCE], NONSOURCE)
SINK(tainted_list[0]) # $ flow="SOURCE, l:-1 -> tainted_list[0]"

2
python/ql/test/experimental/dataflow/model-summaries/taint/NormalTaintTrackingTest.expected Normal file
View File

@@ -0,0 +1,2 @@
missingAnnotationOnSink
failures

0
python/ql/test/experimental/dataflow/model-summaries/NormalTaintTrackingTest.ql → python/ql/test/experimental/dataflow/model-summaries/taint/NormalTaintTrackingTest.ql
View File

19
python/ql/test/experimental/dataflow/model-summaries/taint/TestSummaries.qll Normal file
View File

@@ -0,0 +1,19 @@
private import python
private import semmle.python.dataflow.new.FlowSummary
private import semmle.python.frameworks.data.ModelsAsData
private import semmle.python.ApiGraphs
private class StepsFromModel extends ModelInput::SummaryModelCsv {
override predicate row(string row) {
row =
[
"Foo;Member[MS_identity];Argument[0];ReturnValue;value",
"Foo;Member[MS_apply_lambda];Argument[1];Argument[0].Parameter[0];value",
"Foo;Member[MS_apply_lambda];Argument[0].ReturnValue;ReturnValue;value",
"Foo;Member[MS_reversed];Argument[0];ReturnValue;taint",
"Foo;Member[MS_list_map];Argument[1];ReturnValue;taint",
"Foo;Member[MS_append_to_list];Argument[0];ReturnValue;taint",
"json;Member[MS_loads];Argument[0];ReturnValue;taint"
]
}
}

20
python/ql/test/experimental/dataflow/model-summaries/model_summaries.py → python/ql/test/experimental/dataflow/model-summaries/taint/model_summaries_taint.py
View File

@@ -28,15 +28,15 @@ def SINK_F(x):
print("OK")
from Foo import MS_identity
from Foo import MS_identity, MS_apply_lambda, MS_reversed, MS_list_map, MS_append_to_list
# Simple summary
tainted = MS_identity(SOURCE)
SINK(tainted) # $ MISSING: flow="SOURCE, l:-1 -> tainted"
SINK(tainted) # $ flow="SOURCE, l:-1 -> tainted"
# Lambda summary
tainted_lambda = MS_apply_lambda(lambda x: x + 1, SOURCE)
SINK(tainted_lambda) # $ MISSING: flow="SOURCE, l:-1 -> tainted_lambda"
SINK(tainted_lambda) # $ flow="SOURCE, l:-1 -> tainted_lambda"
# A lambda that breaks the flow
untainted_lambda = MS_apply_lambda(lambda x: 1, SOURCE)
@@ -44,27 +44,27 @@ SINK_F(untainted_lambda)
# Collection summaries
tainted_list = MS_reversed([SOURCE])
SINK(tainted_list[0]) # $ MISSING: flow="SOURCE, l:-1 -> tainted_list[0]"
SINK(tainted_list[0]) # $ flow="SOURCE, l:-1 -> tainted_list[0]"
# Complex summaries
def add_colon(x):
return x + ":"
tainted_mapped = MS_list_map(add_colon, [SOURCE])
SINK(tainted_mapped[0]) # $ MISSING: flow="SOURCE, l:-1 -> tainted_mapped[0]"
SINK(tainted_mapped[0]) # $ flow="SOURCE, l:-1 -> tainted_mapped[0]"
def explicit_identity(x):
return x
tainted_mapped_explicit = MS_list_map(explicit_identity, [SOURCE])
SINK(tainted_mapped_explicit[0]) # $ MISSING: flow="SOURCE, l:-1 -> tainted_mapped_explicit[0]"
SINK(tainted_mapped_explicit[0]) # $ flow="SOURCE, l:-1 -> tainted_mapped_explicit[0]"
tainted_mapped_summary = MS_list_map(MS_identity, [SOURCE])
SINK(tainted_mapped_summary[0]) # $ MISSING: flow="SOURCE, l:-1 -> tainted_mapped_summary[0]"
SINK(tainted_mapped_summary[0]) # $ flow="SOURCE, l:-1 -> tainted_mapped_summary[0]"
tainted_list = MS_append_to_list([], SOURCE)
SINK(tainted_list[0]) # $ MISSING: flow="SOURCE, l:-1 -> tainted_list[0]"
tainted_list = MS_append_to_list([SOURCE], NONSOURCE)
SINK(tainted_list[0]) # $ flow="SOURCE, l:-1 -> tainted_list[0]"
from json import MS_loads as json_loads
tainted_resultlist = json_loads(SOURCE)
SINK(tainted_resultlist[0]) # $ MISSING: flow="SOURCE, l:-1 -> tainted_resultlist[0]"
SINK(tainted_resultlist[0]) # $ flow="SOURCE, l:-1 -> tainted_resultlist[0]"