Python: Track taint through 'yield' expressions.

2025-12-17 17:23:36 +01:00 · 2019-06-18 16:11:02 +01:00
parent 97c98f29e4
commit e8190d9a7b
8 changed files with 60 additions and 0 deletions
--- a/python/ql/src/semmle/python/security/TaintTracking.qll
+++ b/python/ql/src/semmle/python/security/TaintTracking.qll
@@ -875,6 +875,8 @@ library module TaintFlowImplementation {
        or
        iteration_step(fromnode, totaint, tocontext, tonode)
        or
+        yield_step(fromnode, totaint, tocontext, tonode)
+        or
        exists(DataFlowNode fromnodenode |
            fromnodenode = fromnode.getNode() and
            (
@@ -1065,6 +1067,26 @@ library module TaintFlowImplementation {
        )
    }

+    predicate yield_step(TaintedNode fromnode, TrackedValue totaint, CallContext tocontext, CallNode call) {
+        exists(PyFunctionObject func |
+            func.getFunction().isGenerator() and
+            func.getACall() = call and
+            (
+                fromnode.getContext() = tocontext.getCallee(call)
+                or
+                fromnode.getContext() = tocontext and tocontext = TTop()
+            ) and
+            exists(Yield yield |
+                yield.getScope() = func.getFunction() and
+                yield.getValue() = fromnode.getNode().getNode()
+            ) and
+            exists(SequenceKind seq |
+                seq.getItem() = fromnode.getTaintKind() and
+                totaint = fromnode.getTrackedValue().toKind(seq)
+            )
+        )
+    }
+
    predicate call_taint_step(TaintedNode fromnode, TrackedValue totaint, CallContext tocontext, CallNode call) {
        exists(string name |
            call.getFunction().(AttrNode).getObject(name) = fromnode.getNode() and