Python: Fix additional taint-steps for cgi

So there isn't flow from *any* instance to *any* access of the methods, but only from the _actual_ instance where the method is accessed.
2025-12-20 10:46:30 +01:00 · 2020-12-15 11:41:00 +01:00
parent fabc6fb7d9
commit ed53742f03
1 changed files with 14 additions and 7 deletions
--- a/python/ql/src/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/src/semmle/python/frameworks/Stdlib.qll
@@ -1209,14 +1209,21 @@ private module Stdlib {
      private class AdditionalTaintStep extends TaintTracking::AdditionalTaintStep {
        override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
          // Methods
-          nodeFrom = instance() and
-          nodeTo in [getvalueRef(), getfirstRef(), getlistRef()]
+          exists(DataFlow::AttrRead read | read = nodeTo and read.getObject() = nodeFrom |
+            nodeFrom = instance() and
+            nodeTo in [getvalueRef(), getfirstRef(), getlistRef()]
+          )
          or
-          nodeFrom = getvalueRef() and nodeTo = getvalueResult()
-          or
-          nodeFrom = getfirstRef() and nodeTo = getfirstResult()
-          or
-          nodeFrom = getlistRef() and nodeTo = getlistResult()
+          exists(CallNode call |
+            nodeTo.asCfgNode() = call and
+            call.getFunction() = nodeFrom.asCfgNode()
+          |
+            nodeFrom = getvalueRef() and nodeTo = getvalueResult()
+            or
+            nodeFrom = getfirstRef() and nodeTo = getfirstResult()
+            or
+            nodeFrom = getlistRef() and nodeTo = getlistResult()
+          )
          or
          // Indexing
          nodeFrom in [instance(), fieldList()] and