Python: Add basic taint support for urlsplit/urlparse

2026-05-02 04:05:14 +02:00 · 2020-02-19 16:22:09 +01:00
parent 74345b1c05
commit fd270cc02c
8 changed files with 206 additions and 0 deletions
--- a/python/ql/test/library-tests/taint/namedtuple/Taint.qll
+++ b/python/ql/test/library-tests/taint/namedtuple/Taint.qll
@@ -0,0 +1,27 @@
+import python
+import semmle.python.security.TaintTracking
+import semmle.python.security.strings.Untrusted
+
+class SimpleSource extends TaintSource {
+    SimpleSource() { this.(NameNode).getId() = "TAINTED_STRING" }
+
+    override predicate isSourceOf(TaintKind kind) { kind instanceof ExternalStringKind }
+
+    override string toString() { result = "taint source" }
+}
+
+class ListSource extends TaintSource {
+    ListSource() { this.(NameNode).getId() = "TAINTED_LIST" }
+
+    override predicate isSourceOf(TaintKind kind) { kind instanceof ExternalStringSequenceKind }
+
+    override string toString() { result = "list taint source" }
+}
+
+class DictSource extends TaintSource {
+    DictSource() { this.(NameNode).getId() = "TAINTED_DICT" }
+
+    override predicate isSourceOf(TaintKind kind) { kind instanceof ExternalStringDictKind }
+
+    override string toString() { result = "dict taint source" }
+}
--- a/python/ql/test/library-tests/taint/namedtuple/TestTaint.expected
+++ b/python/ql/test/library-tests/taint/namedtuple/TestTaint.expected
@@ -0,0 +1,11 @@
+| test.py:13 | test_basic | a | externally controlled string |
+| test.py:13 | test_basic | b | externally controlled string |
+| test.py:13 | test_basic | c | externally controlled string |
+| test.py:13 | test_basic | d | externally controlled string |
+| test.py:13 | test_basic | urlsplit_res | [externally controlled string] |
+| test.py:20 | test_sanitizer | Attribute | externally controlled string |
+| test.py:23 | test_sanitizer | Subscript | externally controlled string |
+| test.py:33 | test_namedtuple | a | NO TAINT |
+| test.py:33 | test_namedtuple | b | NO TAINT |
+| test.py:33 | test_namedtuple | c | NO TAINT |
+| test.py:33 | test_namedtuple | d | NO TAINT |
--- a/python/ql/test/library-tests/taint/namedtuple/TestTaint.ql
+++ b/python/ql/test/library-tests/taint/namedtuple/TestTaint.ql
@@ -0,0 +1,18 @@
+import python
+import semmle.python.security.TaintTracking
+import Taint
+
+from Call call, Expr arg, string taint_string
+where
+    call.getLocation().getFile().getShortName() = "test.py" and
+    call.getFunc().(Name).getId() = "test" and
+    arg = call.getAnArg() and
+    (
+        not exists(TaintedNode tainted | tainted.getAstNode() = arg) and
+        taint_string = "NO TAINT"
+        or
+        exists(TaintedNode tainted | tainted.getAstNode() = arg |
+            taint_string = tainted.getTaintKind().toString()
+        )
+    )
+select arg.getLocation().toString(), call.getScope().(Function).getName(), arg.toString(), taint_string
--- a/python/ql/test/library-tests/taint/namedtuple/test.py
+++ b/python/ql/test/library-tests/taint/namedtuple/test.py
@@ -0,0 +1,33 @@
+from six.moves.urllib.parse import urlsplit
+
+# Currently we don't have support for namedtuples in general, but do have special support
+# for `urlsplit` (and `urlparse`)
+
+def test_basic():
+    tainted_string = TAINTED_STRING
+    urlsplit_res = urlsplit(tainted_string)
+    a = urlsplit_res.netloc # field access
+    b = urlsplit_res.hostname # property
+    c = urlsplit_res[3] # indexing
+    _, _, d, _, _ = urlsplit(tainted_string) # unpacking
+    test(a, b, c, d, urlsplit_res)
+
+def test_sanitizer():
+    tainted_string = TAINTED_STRING
+    urlsplit_res = urlsplit(tainted_string)
+
+    if urlsplit_res.netloc == "OK":
+        test(urlsplit_res.netloc) # TODO: FP, should not be tainted here
+
+    if urlsplit_res[2] == "OK":
+        test(urlsplit_res[0]) # TODO: FP, should not be tainted here
+
+def test_namedtuple():
+    tainted_string = TAINTED_STRING
+    Point = namedtuple('Point', ['x', 'y'])
+    p = Point('safe', tainted_string)
+    a = p.x
+    b = p.y
+    c = p[0]
+    d = p[1]
+    test(a, b, c, d) # TODO: FN, at least p.y and p[1] should be tainted
--- a/python/ql/test/library-tests/taint/strings/TestStep.expected
+++ b/python/ql/test/library-tests/taint/strings/TestStep.expected
@@ -1,3 +1,5 @@
+| Taint [externally controlled string] | test.py:67 | test.py:67:20:67:43 | urlsplit() |  |  -->  | Taint [externally controlled string] | test.py:69 | test.py:69:10:69:21 | urlsplit_res |  |
+| Taint [externally controlled string] | test.py:68 | test.py:68:20:68:43 | urlparse() |  |  -->  | Taint [externally controlled string] | test.py:69 | test.py:69:24:69:35 | urlparse_res |  |
 | Taint exception.info | test.py:44 | test.py:44:22:44:26 | taint | p1 = exception.info |  -->  | Taint exception.info | test.py:45 | test.py:45:17:45:21 | taint | p1 = exception.info |
 | Taint exception.info | test.py:45 | test.py:45:17:45:21 | taint | p1 = exception.info |  -->  | Taint exception.info | test.py:45 | test.py:45:12:45:22 | func() | p1 = exception.info |
 | Taint exception.info | test.py:45 | test.py:45:17:45:21 | taint | p1 = exception.info |  -->  | Taint exception.info | test.py:52 | test.py:52:19:52:21 | arg | p0 = exception.info |
@@ -56,6 +58,10 @@
 | Taint externally controlled string | test.py:57 | test.py:57:11:57:41 | cross_over() |  |  -->  | Taint externally controlled string | test.py:58 | test.py:58:10:58:12 | res |  |
 | Taint externally controlled string | test.py:57 | test.py:57:38:57:40 | ext |  |  -->  | Taint externally controlled string | test.py:44 | test.py:44:22:44:26 | taint | p1 = externally controlled string |
 | Taint externally controlled string | test.py:57 | test.py:57:38:57:40 | ext |  |  -->  | Taint externally controlled string | test.py:57 | test.py:57:11:57:41 | cross_over() |  |
+| Taint externally controlled string | test.py:66 | test.py:66:22:66:35 | TAINTED_STRING |  |  -->  | Taint externally controlled string | test.py:67 | test.py:67:29:67:42 | tainted_string |  |
+| Taint externally controlled string | test.py:66 | test.py:66:22:66:35 | TAINTED_STRING |  |  -->  | Taint externally controlled string | test.py:68 | test.py:68:29:68:42 | tainted_string |  |
+| Taint externally controlled string | test.py:67 | test.py:67:29:67:42 | tainted_string |  |  -->  | Taint [externally controlled string] | test.py:67 | test.py:67:20:67:43 | urlsplit() |  |
+| Taint externally controlled string | test.py:68 | test.py:68:29:68:42 | tainted_string |  |  -->  | Taint [externally controlled string] | test.py:68 | test.py:68:20:68:43 | urlparse() |  |
 | Taint json[externally controlled string] | test.py:6 | test.py:6:20:6:45 | Attribute() |  |  -->  | Taint json[externally controlled string] | test.py:7 | test.py:7:9:7:20 | tainted_json |  |
 | Taint json[externally controlled string] | test.py:7 | test.py:7:9:7:20 | tainted_json |  |  -->  | Taint externally controlled string | test.py:7 | test.py:7:9:7:25 | Subscript |  |
 | Taint json[externally controlled string] | test.py:7 | test.py:7:9:7:20 | tainted_json |  |  -->  | Taint json[externally controlled string] | test.py:7 | test.py:7:9:7:25 | Subscript |  |
--- a/python/ql/test/library-tests/taint/strings/TestTaint.expected
+++ b/python/ql/test/library-tests/taint/strings/TestTaint.expected
@@ -20,3 +20,5 @@
 | test.py:42 | test_str2 | c | externally controlled string |
 | test.py:50 | test_exc_info | res | exception.info |
 | test.py:58 | test_untrusted | res | externally controlled string |
+| test.py:69 | test_urlsplit_urlparse | urlparse_res | [externally controlled string] |
+| test.py:69 | test_urlsplit_urlparse | urlsplit_res | [externally controlled string] |
--- a/python/ql/test/library-tests/taint/strings/test.py
+++ b/python/ql/test/library-tests/taint/strings/test.py
@@ -59,3 +59,11 @@ def test_untrusted():

 def exc_untrusted_call(arg):
    return arg
+
+from six.moves.urllib.parse import urlsplit, urlparse
+
+def test_urlsplit_urlparse():
+    tainted_string = TAINTED_STRING
+    urlsplit_res = urlsplit(tainted_string)
+    urlparse_res = urlparse(tainted_string)
+    test(urlsplit_res, urlparse_res)