Python: Proper threat-model handling for argparse

2026-04-25 16:55:19 +02:00 · 2024-08-09 16:20:41 +02:00
parent 56c85ffe54
commit e1801f3a29
3 changed files with 33 additions and 5 deletions
--- a/python/ql/test/library-tests/frameworks/stdlib/threat_models.py
+++ b/python/ql/test/library-tests/frameworks/stdlib/threat_models.py
@@ -30,14 +30,14 @@ import argparse
 parser = argparse.ArgumentParser()
 parser.add_argument("foo")

-args = parser.parse_args() # $ MISSING: threatModelSource[commandargs]=parser.parse_args()
-ensure_tainted(args.foo) # $ MISSING: tainted
+args = parser.parse_args() # $ threatModelSource[commandargs]=parser.parse_args()
+ensure_tainted(args.foo) # $ tainted

 explicit_argv_parsing = parser.parse_args(sys.argv) # $ threatModelSource[commandargs]=sys.argv
-ensure_tainted(explicit_argv_parsing.foo) # $ MISSING: tainted
+ensure_tainted(explicit_argv_parsing.foo) # $ tainted

 fake_args = parser.parse_args(["<foo>"])
-ensure_not_tainted(fake_args.foo)
+ensure_not_tainted(fake_args.foo) # $ SPURIOUS: tainted

 ########################################
 # reading input from stdin