Python: Add modeling of jmespath

2026-04-30 03:05:15 +02:00 · 2021-06-09 12:13:29 +02:00
parent 5cdd60d0d6
commit fa6abea465
5 changed files with 43 additions and 4 deletions
--- a/python/change-notes/2021-06-09-add-jmespath-modeling.md
+++ b/python/change-notes/2021-06-09-add-jmespath-modeling.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Added modeling of the PyPI package `jmespath`.
--- a/python/ql/src/semmle/python/Frameworks.qll
+++ b/python/ql/src/semmle/python/Frameworks.qll
@@ -12,6 +12,7 @@ private import semmle.python.frameworks.Fabric
 private import semmle.python.frameworks.Flask
 private import semmle.python.frameworks.Idna
 private import semmle.python.frameworks.Invoke
+private import semmle.python.frameworks.Jmespath
 private import semmle.python.frameworks.MysqlConnectorPython
 private import semmle.python.frameworks.MySQLdb
 private import semmle.python.frameworks.Psycopg2
--- a/python/ql/src/semmle/python/frameworks/Jmespath.qll
+++ b/python/ql/src/semmle/python/frameworks/Jmespath.qll
@@ -0,0 +1,35 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `jmespath` PyPI package.
+ * See https://pypi.org/project/jmespath/.
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.dataflow.new.TaintTracking
+private import semmle.python.Concepts
+private import semmle.python.ApiGraphs
+
+/**
+ * Provides models for the `jmespath` PyPI package.
+ * See https://pypi.org/project/jmespath/.
+ */
+private module Jmespath {
+  class JmespathAdditionalTaintSteps extends TaintTracking::AdditionalTaintStep {
+    override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+      exists(DataFlow::CallCfgNode call |
+        call = API::moduleImport("jmespath").getMember("search").getACall() and
+        nodeFrom in [call.getArg(1), call.getArgByName("data")] and
+        nodeTo = call
+        or
+        call =
+          API::moduleImport("jmespath")
+              .getMember("compile")
+              .getReturn()
+              .getMember("search")
+              .getACall() and
+        nodeFrom in [call.getArg(0), call.getArgByName("value")] and
+        nodeTo = call
+      )
+    }
+  }
+}
--- a/python/ql/test/library-tests/frameworks/jmespath/taint_test.py
+++ b/python/ql/test/library-tests/frameworks/jmespath/taint_test.py
@@ -6,11 +6,11 @@ def test_idna():
    expression = jmespath.compile("foo.bar")

    ensure_tainted(
-        jmespath.search("foo.bar", data), # $ MISSING: tainted
-        jmespath.search("foo.bar", data=data), # $ MISSING: tainted
+        jmespath.search("foo.bar", data), # $ tainted
+        jmespath.search("foo.bar", data=data), # $ tainted

-        expression.search(data), # $ MISSING: tainted
-        expression.search(value=data) # $ MISSING: tainted
+        expression.search(data), # $ tainted
+        expression.search(value=data) # $ tainted
    )

    # since ```jmespath.search("{wat: `foo`}", {})``` works (and outputs a dictionary),