hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-03 12:45:27 +02:00
Code Issues Packages Projects Releases Wiki Activity

Python taint-tracking. Fix bug in legacy API.

Browse Source
This commit is contained in:
Mark Shannon
2019-08-13 15:01:22 +01:00
parent 7c4a18eee3
commit fe9c9d479d
5 changed files with 59 additions and 177 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
python/ql/src/semmle/python/security/TaintTracking.qll
View File

@@ -318,7 +318,7 @@ class DictKind extends CollectionKind {
Implementation::copyCall(fromnode, tonode) and this = fromkind
or
tonode.(CallNode).getFunction().pointsTo(ObjectInternal::builtin("dict")) and
tonode.(CallNode).getArg(0) = fromnode
tonode.(CallNode).getArg(0) = fromnode and this = fromkind
or
dict_construct(fromnode, tonode) and this.getValue() = fromkind
}
@@ -430,11 +430,13 @@ abstract class TaintSource extends @py_flow_node {
final predicate flowsToSink(TaintKind srckind, TaintSink sink) {
exists(TaintedNode src, TaintedNode tsink |
src = this.getATaintNode() and
src.getTaintKind() = srckind and
src.getASuccessor*() = tsink and
this.isSourceOf(srckind, _) and
sink = tsink.getCfgNode() and
sink.sinks(tsink.getTaintKind()) and
tsink.getPath().noAttribute()
tsink.getPath().noAttribute() and
tsink.isSink()
)
}

3
python/ql/test/library-tests/taint/general/ModuleAttribute.expected
View File

@@ -1,4 +1,3 @@
| Module deep | x | Taint simple.test | | deep.py:20 |
| Module module | dangerous | Taint simple.test | | module.py:3 |
| Module test | module | Attribute 'dangerous' taint simple.test | | test.py:85 |
| Module test | unsafe | Taint simple.test | | test.py:155 |
| Module test | unsafe | Taint simple.test | | test.py:156 |

217
python/ql/test/library-tests/taint/general/TestDefn.expected
View File

@@ -1,191 +1,72 @@
| carrier.py:4 | ParameterDefinition | carrier.py:4 | Taint explicit.carrier | arg |
| carrier.py:4 | ParameterDefinition | carrier.py:4 | Taint simple.test | arg |
| carrier.py:5 | AttributeAssignment 'attr'(self_0) | carrier.py:5 | Attribute 'attr' taint explicit.carrier | self |
| carrier.py:5 | AttributeAssignment 'attr'(self_0) | carrier.py:5 | Attribute 'attr' taint simple.test | self |
| carrier.py:13 | ParameterDefinition | carrier.py:13 | Attribute 'attr' taint simple.test | arg |
| carrier.py:13 | ParameterDefinition | carrier.py:13 | Taint explicit.carrier | arg |
| carrier.py:17 | ImplicitCarrier() | carrier.py:17 | Attribute 'attr' taint simple.test | ImplicitCarrier() |
| carrier.py:21 | TAINT_CARRIER_SOURCE | carrier.py:21 | Taint explicit.carrier | TAINT_CARRIER_SOURCE |
| carrier.py:22 | MethodCallsiteRefinement(c_0) | carrier.py:21 | Taint explicit.carrier | TAINT_CARRIER_SOURCE |
| carrier.py:25 | hub() | carrier.py:25 | Attribute 'attr' taint simple.test | hub() |
| carrier.py:29 | hub() | carrier.py:29 | Taint explicit.carrier | hub() |
| carrier.py:30 | MethodCallsiteRefinement(c_0) | carrier.py:29 | Taint explicit.carrier | hub() |
| carrier.py:33 | ImplicitCarrier() | carrier.py:33 | Attribute 'attr' taint explicit.carrier | ImplicitCarrier() |
| carrier.py:34 | Attribute | carrier.py:34 | Taint explicit.carrier | Attribute |
| carrier.py:35 | MethodCallsiteRefinement(x_0) | carrier.py:34 | Taint explicit.carrier | Attribute |
| carrier.py:21 | TAINT_CARRIER_SOURCE | carrier.py:21 | Taint explicit.carrier | c |
| carrier.py:29 | hub() | carrier.py:29 | Taint explicit.carrier | c |
| deep.py:2 | ParameterDefinition | deep.py:2 | Taint simple.test | arg |
| deep.py:5 | ParameterDefinition | deep.py:5 | Taint simple.test | arg |
| deep.py:6 | ArgumentRefinement(arg_0) | deep.py:5 | Taint simple.test | arg |
| deep.py:8 | ParameterDefinition | deep.py:8 | Taint simple.test | arg |
| deep.py:9 | ArgumentRefinement(arg_0) | deep.py:8 | Taint simple.test | arg |
| deep.py:11 | ParameterDefinition | deep.py:11 | Taint simple.test | arg |
| deep.py:12 | ArgumentRefinement(arg_0) | deep.py:11 | Taint simple.test | arg |
| deep.py:14 | ParameterDefinition | deep.py:14 | Taint simple.test | arg |
| deep.py:15 | ArgumentRefinement(arg_0) | deep.py:14 | Taint simple.test | arg |
| deep.py:17 | ParameterDefinition | deep.py:17 | Taint simple.test | arg |
| deep.py:18 | ArgumentRefinement(arg_0) | deep.py:17 | Taint simple.test | arg |
| deep.py:20 | f6() | deep.py:20 | Taint simple.test | f6() |
| module.py:3 | SOURCE | module.py:3 | Taint simple.test | SOURCE |
| deep.py:20 | f6() | deep.py:20 | Taint simple.test | x |
| module.py:3 | SOURCE | module.py:3 | Taint simple.test | dangerous |
| rockpaperscissors.py:3 | ParameterDefinition | rockpaperscissors.py:3 | Taint scissors | arg |
| rockpaperscissors.py:6 | ParameterDefinition | rockpaperscissors.py:6 | Taint paper | arg |
| rockpaperscissors.py:6 | ParameterDefinition | rockpaperscissors.py:6 | Taint rock | arg |
| rockpaperscissors.py:6 | ParameterDefinition | rockpaperscissors.py:6 | Taint scissors | arg |
| rockpaperscissors.py:9 | ParameterDefinition | rockpaperscissors.py:9 | Taint paper | arg |
| rockpaperscissors.py:9 | ParameterDefinition | rockpaperscissors.py:9 | Taint scissors | arg |
| rockpaperscissors.py:19 | ROCK | rockpaperscissors.py:19 | Taint rock | ROCK |
| rockpaperscissors.py:20 | Attribute() | rockpaperscissors.py:20 | Taint scissors | Attribute() |
| rockpaperscissors.py:20 | MethodCallsiteRefinement(x_0) | rockpaperscissors.py:19 | Taint rock | ROCK |
| rockpaperscissors.py:21 | ArgumentRefinement(y_0) | rockpaperscissors.py:20 | Taint scissors | Attribute() |
| rockpaperscissors.py:24 | ROCK | rockpaperscissors.py:24 | Taint rock | ROCK |
| rockpaperscissors.py:25 | Attribute() | rockpaperscissors.py:25 | Taint paper | Attribute() |
| rockpaperscissors.py:25 | MethodCallsiteRefinement(x_0) | rockpaperscissors.py:24 | Taint rock | ROCK |
| rockpaperscissors.py:26 | ArgumentRefinement(y_0) | rockpaperscissors.py:25 | Taint paper | Attribute() |
| rockpaperscissors.py:29 | SCISSORS | rockpaperscissors.py:29 | Taint scissors | SCISSORS |
| rockpaperscissors.py:30 | Attribute() | rockpaperscissors.py:30 | Taint paper | Attribute() |
| rockpaperscissors.py:30 | MethodCallsiteRefinement(x_0) | rockpaperscissors.py:29 | Taint scissors | SCISSORS |
| rockpaperscissors.py:31 | ArgumentRefinement(x_1) | rockpaperscissors.py:29 | Taint scissors | SCISSORS |
| rockpaperscissors.py:32 | ArgumentRefinement(y_0) | rockpaperscissors.py:30 | Taint paper | Attribute() |
| rockpaperscissors.py:19 | ROCK | rockpaperscissors.py:19 | Taint rock | x |
| rockpaperscissors.py:20 | Attribute() | rockpaperscissors.py:20 | Taint scissors | y |
| rockpaperscissors.py:24 | ROCK | rockpaperscissors.py:24 | Taint rock | x |
| rockpaperscissors.py:25 | Attribute() | rockpaperscissors.py:25 | Taint paper | y |
| rockpaperscissors.py:29 | SCISSORS | rockpaperscissors.py:29 | Taint scissors | x |
| rockpaperscissors.py:30 | Attribute() | rockpaperscissors.py:30 | Taint paper | y |
| sanitizer.py:3 | ParameterDefinition | sanitizer.py:3 | Taint Command injection | arg |
| sanitizer.py:3 | ParameterDefinition | sanitizer.py:3 | Taint SQL injection | arg |
| sanitizer.py:5 | ParameterDefinition | sanitizer.py:5 | Taint Command injection | arg |
| sanitizer.py:5 | ParameterDefinition | sanitizer.py:5 | Taint SQL injection | arg |
| sanitizer.py:8 | phi(x_2, x_4) | sanitizer.py:9 | Taint Command injection | user_input() |
| sanitizer.py:8 | phi(x_2, x_4) | sanitizer.py:9 | Taint SQL injection | user_input() |
| sanitizer.py:9 | user_input() | sanitizer.py:9 | Taint Command injection | user_input() |
| sanitizer.py:9 | user_input() | sanitizer.py:9 | Taint SQL injection | user_input() |
| sanitizer.py:11 | ArgumentRefinement(x_1) | sanitizer.py:9 | Taint Command injection | user_input() |
| sanitizer.py:11 | Pi(x_0) [true] | sanitizer.py:9 | Taint Command injection | user_input() |
| sanitizer.py:13 | ArgumentRefinement(x_3) | sanitizer.py:9 | Taint Command injection | user_input() |
| sanitizer.py:13 | ArgumentRefinement(x_3) | sanitizer.py:9 | Taint SQL injection | user_input() |
| sanitizer.py:13 | Pi(x_0) [false] | sanitizer.py:9 | Taint Command injection | user_input() |
| sanitizer.py:13 | Pi(x_0) [false] | sanitizer.py:9 | Taint SQL injection | user_input() |
| sanitizer.py:15 | phi(x_2, x_4) | sanitizer.py:16 | Taint Command injection | user_input() |
| sanitizer.py:15 | phi(x_2, x_4) | sanitizer.py:16 | Taint SQL injection | user_input() |
| sanitizer.py:16 | user_input() | sanitizer.py:16 | Taint Command injection | user_input() |
| sanitizer.py:16 | user_input() | sanitizer.py:16 | Taint SQL injection | user_input() |
| sanitizer.py:18 | ArgumentRefinement(x_1) | sanitizer.py:16 | Taint SQL injection | user_input() |
| sanitizer.py:18 | Pi(x_0) [true] | sanitizer.py:16 | Taint SQL injection | user_input() |
| sanitizer.py:20 | ArgumentRefinement(x_3) | sanitizer.py:16 | Taint Command injection | user_input() |
| sanitizer.py:20 | ArgumentRefinement(x_3) | sanitizer.py:16 | Taint SQL injection | user_input() |
| sanitizer.py:20 | Pi(x_0) [false] | sanitizer.py:16 | Taint Command injection | user_input() |
| sanitizer.py:20 | Pi(x_0) [false] | sanitizer.py:16 | Taint SQL injection | user_input() |
| sanitizer.py:23 | phi(x_2, x_4) | sanitizer.py:24 | Taint Command injection | user_input() |
| sanitizer.py:23 | phi(x_2, x_4) | sanitizer.py:24 | Taint SQL injection | user_input() |
| sanitizer.py:24 | user_input() | sanitizer.py:24 | Taint Command injection | user_input() |
| sanitizer.py:24 | user_input() | sanitizer.py:24 | Taint SQL injection | user_input() |
| sanitizer.py:26 | ArgumentRefinement(x_1) | sanitizer.py:24 | Taint Command injection | user_input() |
| sanitizer.py:26 | ArgumentRefinement(x_1) | sanitizer.py:24 | Taint SQL injection | user_input() |
| sanitizer.py:26 | Pi(x_0) [true] | sanitizer.py:24 | Taint Command injection | user_input() |
| sanitizer.py:26 | Pi(x_0) [true] | sanitizer.py:24 | Taint SQL injection | user_input() |
| sanitizer.py:28 | ArgumentRefinement(x_3) | sanitizer.py:24 | Taint Command injection | user_input() |
| sanitizer.py:28 | ArgumentRefinement(x_3) | sanitizer.py:24 | Taint SQL injection | user_input() |
| sanitizer.py:28 | Pi(x_0) [false] | sanitizer.py:24 | Taint Command injection | user_input() |
| sanitizer.py:28 | Pi(x_0) [false] | sanitizer.py:24 | Taint SQL injection | user_input() |
| sanitizer.py:30 | phi(x_2, x_4) | sanitizer.py:31 | Taint Command injection | user_input() |
| sanitizer.py:30 | phi(x_2, x_4) | sanitizer.py:31 | Taint SQL injection | user_input() |
| sanitizer.py:31 | user_input() | sanitizer.py:31 | Taint Command injection | user_input() |
| sanitizer.py:31 | user_input() | sanitizer.py:31 | Taint SQL injection | user_input() |
| sanitizer.py:33 | ArgumentRefinement(x_1) | sanitizer.py:31 | Taint Command injection | user_input() |
| sanitizer.py:33 | ArgumentRefinement(x_1) | sanitizer.py:31 | Taint SQL injection | user_input() |
| sanitizer.py:33 | Pi(x_0) [true] | sanitizer.py:31 | Taint Command injection | user_input() |
| sanitizer.py:33 | Pi(x_0) [true] | sanitizer.py:31 | Taint SQL injection | user_input() |
| sanitizer.py:35 | ArgumentRefinement(x_3) | sanitizer.py:31 | Taint Command injection | user_input() |
| sanitizer.py:35 | ArgumentRefinement(x_3) | sanitizer.py:31 | Taint SQL injection | user_input() |
| sanitizer.py:35 | Pi(x_0) [false] | sanitizer.py:31 | Taint Command injection | user_input() |
| sanitizer.py:35 | Pi(x_0) [false] | sanitizer.py:31 | Taint SQL injection | user_input() |
| test.py:6 | SOURCE | test.py:6 | Taint simple.test | SOURCE |
| test.py:7 | ArgumentRefinement(s_0) | test.py:6 | Taint simple.test | SOURCE |
| sanitizer.py:9 | user_input() | sanitizer.py:9 | Taint Command injection | x |
| sanitizer.py:9 | user_input() | sanitizer.py:9 | Taint SQL injection | x |
| sanitizer.py:16 | user_input() | sanitizer.py:16 | Taint Command injection | x |
| sanitizer.py:16 | user_input() | sanitizer.py:16 | Taint SQL injection | x |
| sanitizer.py:24 | user_input() | sanitizer.py:24 | Taint Command injection | x |
| sanitizer.py:24 | user_input() | sanitizer.py:24 | Taint SQL injection | x |
| sanitizer.py:31 | user_input() | sanitizer.py:31 | Taint Command injection | x |
| sanitizer.py:31 | user_input() | sanitizer.py:31 | Taint SQL injection | x |
| test.py:6 | SOURCE | test.py:6 | Taint simple.test | s |
| test.py:12 | ParameterDefinition | test.py:12 | Taint simple.test | arg |
| test.py:13 | ArgumentRefinement(arg_0) | test.py:12 | Taint simple.test | arg |
| test.py:16 | source() | test.py:16 | Taint simple.test | source() |
| test.py:17 | ArgumentRefinement(t_0) | test.py:16 | Taint simple.test | source() |
| test.py:20 | SOURCE | test.py:20 | Taint simple.test | SOURCE |
| test.py:21 | ArgumentRefinement(t_0) | test.py:20 | Taint simple.test | SOURCE |
| test.py:24 | source() | test.py:24 | Taint simple.test | source() |
| test.py:25 | ArgumentRefinement(t_0) | test.py:24 | Taint simple.test | source() |
| test.py:31 | SOURCE | test.py:31 | Taint simple.test | SOURCE |
| test.py:37 | SOURCE | test.py:37 | Taint simple.test | SOURCE |
| test.py:41 | ArgumentRefinement(t_0) | test.py:37 | Taint simple.test | SOURCE |
| test.py:46 | ParameterDefinition | test.py:46 | Taint simple.test | arg |
| test.py:47 | ArgumentRefinement(arg_0) | test.py:46 | Taint simple.test | arg |
| test.py:20 | SOURCE | test.py:20 | Taint simple.test | t |
| test.py:31 | SOURCE | test.py:31 | Taint simple.test | t |
| test.py:37 | SOURCE | test.py:37 | Taint simple.test | t |
| test.py:49 | ParameterDefinition | test.py:49 | Taint simple.test | arg |
| test.py:49 | phi(arg_0, arg_1) | test.py:49 | Taint simple.test | arg |
| test.py:51 | ArgumentRefinement(arg_0) | test.py:49 | Taint simple.test | arg |
| test.py:54 | source2() | test.py:54 | Taint simple.test | source2() |
| test.py:55 | ArgumentRefinement(t_0) | test.py:54 | Taint simple.test | source2() |
| test.py:62 | SOURCE | test.py:62 | Taint simple.test | SOURCE |
| test.py:63 | phi(t_0, t_1) | test.py:62 | Taint simple.test | SOURCE |
| test.py:67 | SOURCE | test.py:67 | Taint simple.test | SOURCE |
| test.py:70 | phi(t_0, t_1) | test.py:67 | Taint simple.test | SOURCE |
| test.py:72 | ParameterDefinition | test.py:72 | Attribute 'x' taint simple.test | arg |
| test.py:62 | SOURCE | test.py:62 | Taint simple.test | t |
| test.py:67 | SOURCE | test.py:67 | Taint simple.test | t |
| test.py:72 | ParameterDefinition | test.py:72 | Taint basic.custom | arg |
| test.py:72 | ParameterDefinition | test.py:72 | Taint simple.test | arg |
| test.py:76 | SOURCE | test.py:76 | Taint simple.test | SOURCE |
| test.py:77 | hub() | test.py:77 | Taint simple.test | hub() |
| test.py:78 | ArgumentRefinement(t_1) | test.py:77 | Taint simple.test | hub() |
| test.py:85 | ImportExpr | test.py:85 | Attribute 'dangerous' taint simple.test | ImportExpr |
| test.py:87 | ScopeEntryDefinition | test.py:85 | Attribute 'dangerous' taint simple.test | ImportExpr |
| test.py:88 | Attribute | test.py:88 | Taint simple.test | Attribute |
| test.py:89 | ArgumentRefinement(t_0) | test.py:88 | Taint simple.test | Attribute |
| test.py:91 | ScopeEntryDefinition | test.py:85 | Attribute 'dangerous' taint simple.test | ImportExpr |
| test.py:95 | ScopeEntryDefinition | test.py:85 | Attribute 'dangerous' taint simple.test | ImportExpr |
| test.py:99 | ScopeEntryDefinition | test.py:85 | Attribute 'dangerous' taint simple.test | ImportExpr |
| test.py:100 | Attribute() | test.py:100 | Taint simple.test | Attribute() |
| test.py:101 | ArgumentRefinement(t_0) | test.py:100 | Taint simple.test | Attribute() |
| test.py:105 | ParameterDefinition | test.py:105 | Attribute 'x' taint simple.test | arg |
| test.py:108 | ScopeEntryDefinition | test.py:85 | Attribute 'dangerous' taint simple.test | ImportExpr |
| test.py:110 | AttributeAssignment 'x'(t_0) | test.py:110 | Attribute 'x' taint simple.test | t |
| test.py:113 | ScopeEntryDefinition | test.py:85 | Attribute 'dangerous' taint simple.test | ImportExpr |
| test.py:115 | AttributeAssignment 'x'(t_0) | test.py:115 | Attribute 'x' taint simple.test | t |
| test.py:116 | hub() | test.py:116 | Attribute 'x' taint simple.test | hub() |
| test.py:117 | ArgumentRefinement(t_2) | test.py:116 | Attribute 'x' taint simple.test | hub() |
| test.py:120 | CUSTOM_SOURCE | test.py:120 | Taint basic.custom | CUSTOM_SOURCE |
| test.py:121 | hub() | test.py:121 | Taint basic.custom | hub() |
| test.py:122 | ArgumentRefinement(t_1) | test.py:121 | Taint basic.custom | hub() |
| test.py:126 | CUSTOM_SOURCE | test.py:126 | Taint basic.custom | CUSTOM_SOURCE |
| test.py:128 | SOURCE | test.py:128 | Taint simple.test | SOURCE |
| test.py:130 | ArgumentRefinement(t_0) | test.py:126 | Taint basic.custom | CUSTOM_SOURCE |
| test.py:132 | ArgumentRefinement(t_2) | test.py:128 | Taint simple.test | SOURCE |
| test.py:136 | CUSTOM_SOURCE | test.py:136 | Taint basic.custom | CUSTOM_SOURCE |
| test.py:138 | SOURCE | test.py:138 | Taint simple.test | SOURCE |
| test.py:140 | ArgumentRefinement(t_2) | test.py:138 | Taint simple.test | SOURCE |
| test.py:142 | ArgumentRefinement(t_0) | test.py:136 | Taint basic.custom | CUSTOM_SOURCE |
| test.py:146 | CUSTOM_SOURCE | test.py:146 | Taint basic.custom | CUSTOM_SOURCE |
| test.py:148 | SOURCE | test.py:148 | Taint simple.test | SOURCE |
| test.py:149 | TAINT_FROM_ARG() | test.py:149 | Taint basic.custom | TAINT_FROM_ARG() |
| test.py:151 | ArgumentRefinement(t_1) | test.py:149 | Taint basic.custom | TAINT_FROM_ARG() |
| test.py:155 | ImportMember | test.py:155 | Taint simple.test | ImportMember |
| test.py:156 | ArgumentRefinement(unsafe_0) | test.py:155 | Taint simple.test | ImportMember |
| test.py:159 | with | test.py:159 | Taint simple.test | SOURCE |
| test.py:160 | ArgumentRefinement(t_0) | test.py:159 | Taint simple.test | SOURCE |
| test.py:163 | SOURCE | test.py:163 | Taint simple.test | SOURCE |
| test.py:168 | List | test.py:168 | Taint [simple.test] | List |
| test.py:169 | Dict | test.py:169 | Taint {simple.test} | Dict |
| test.py:170 | ArgumentRefinement(l_0) | test.py:168 | Taint [simple.test] | List |
| test.py:171 | ArgumentRefinement(d_0) | test.py:169 | Taint {simple.test} | Dict |
| test.py:174 | ArgumentRefinement(l_1) | test.py:168 | Taint [simple.test] | List |
| test.py:174 | list() | test.py:174 | Taint [simple.test] | list() |
| test.py:175 | ArgumentRefinement(d_1) | test.py:169 | Taint {simple.test} | Dict |
| test.py:175 | dict() | test.py:175 | Taint {simple.test} | dict() |
| test.py:178 | SOURCE | test.py:178 | Taint simple.test | SOURCE |
| test.py:180 | ArgumentRefinement(t_1) | test.py:178 | Taint simple.test | SOURCE |
| test.py:180 | Pi(t_0) [true] | test.py:178 | Taint simple.test | SOURCE |
| test.py:183 | SingleSuccessorGuard(t_2) [false] | test.py:178 | Taint simple.test | SOURCE |
| test.py:186 | ArgumentRefinement(t_3) | test.py:178 | Taint simple.test | SOURCE |
| test.py:189 | FALSEY | test.py:189 | Taint falsey | FALSEY |
| test.py:191 | Pi(t_0) [true] | test.py:189 | Taint falsey | FALSEY |
| test.py:194 | phi(t_2, t_4) | test.py:195 | Taint simple.test | SOURCE |
| test.py:195 | SOURCE | test.py:195 | Taint simple.test | SOURCE |
| test.py:197 | ArgumentRefinement(t_1) | test.py:195 | Taint simple.test | SOURCE |
| test.py:197 | Pi(t_0) [true] | test.py:195 | Taint simple.test | SOURCE |
| test.py:199 | ArgumentRefinement(t_3) | test.py:195 | Taint simple.test | SOURCE |
| test.py:199 | Pi(t_0) [false] | test.py:195 | Taint simple.test | SOURCE |
| test.py:202 | ITERABLE_SOURCE | test.py:202 | Taint iterable.simple | ITERABLE_SOURCE |
| test.py:203 | For | test.py:203 | Taint simple.test | For |
| test.py:203 | phi(i_0, i_2) | test.py:203 | Taint simple.test | For |
| test.py:208 | List | test.py:208 | Taint [simple.test] | List |
| test.py:209 | For | test.py:209 | Taint simple.test | For |
| test.py:209 | phi(i_0, i_2) | test.py:209 | Taint simple.test | For |
| test.py:213 | For | test.py:213 | Taint simple.test | For |
| test.py:213 | phi(x_2, x_3) | test.py:213 | Taint simple.test | For |
| test.py:214 | ArgumentRefinement(x_1) | test.py:213 | Taint simple.test | For |
| test.py:76 | SOURCE | test.py:76 | Taint simple.test | t |
| test.py:77 | hub() | test.py:77 | Taint simple.test | t |
| test.py:120 | CUSTOM_SOURCE | test.py:120 | Taint basic.custom | t |
| test.py:121 | hub() | test.py:121 | Taint basic.custom | t |
| test.py:126 | CUSTOM_SOURCE | test.py:126 | Taint basic.custom | t |
| test.py:128 | SOURCE | test.py:128 | Taint simple.test | t |
| test.py:136 | CUSTOM_SOURCE | test.py:136 | Taint basic.custom | t |
| test.py:138 | SOURCE | test.py:138 | Taint simple.test | t |
| test.py:146 | CUSTOM_SOURCE | test.py:146 | Taint basic.custom | t |
| test.py:148 | SOURCE | test.py:148 | Taint simple.test | t |
| test.py:149 | TAINT_FROM_ARG() | test.py:149 | Taint basic.custom | t |
| test.py:155 | ImportMember | test.py:155 | Taint simple.test | unsafe |
| test.py:163 | SOURCE | test.py:163 | Taint simple.test | s |
| test.py:168 | List | test.py:168 | Taint [simple.test] | l |
| test.py:169 | Dict | test.py:169 | Taint {simple.test} | d |
| test.py:174 | list() | test.py:174 | Taint [simple.test] | l2 |
| test.py:175 | dict() | test.py:175 | Taint {simple.test} | d2 |
| test.py:178 | SOURCE | test.py:178 | Taint simple.test | t |
| test.py:189 | FALSEY | test.py:189 | Taint falsey | t |
| test.py:195 | SOURCE | test.py:195 | Taint simple.test | t |
| test.py:202 | ITERABLE_SOURCE | test.py:202 | Taint iterable.simple | t |
| test.py:203 | For | test.py:203 | Taint simple.test | i |
| test.py:208 | List | test.py:208 | Taint [simple.test] | seq |
| test.py:209 | For | test.py:209 | Taint simple.test | i |
| test.py:213 | For | test.py:213 | Taint simple.test | x |

4
python/ql/test/library-tests/taint/general/TestDefn.ql
View File

@@ -3,7 +3,7 @@ import semmle.python.security.TaintTest
import TaintLib
from EssaDefinition defn, TaintedNode n
from EssaNodeDefinition defn, TaintedNode n
where n.getNode().asVariable() = defn.getVariable()
select
defn.getLocation().toString(), defn.getRepresentation(), n.getLocation().toString(), "Taint " + n.getTaintKind(), n.getCfgNode().getNode().toString()
defn.getLocation().toString(), defn.getRepresentation(), n.getLocation().toString(), "Taint " + n.getTaintKind(), defn.getDefiningNode().getNode().toString()

6
python/ql/test/library-tests/taint/general/TestStep.ql
View File

@@ -3,10 +3,10 @@ import semmle.python.security.TaintTracking
import TaintLib
from TaintedNode n, TaintedNode s, string label
from TaintedNode n, TaintedNode s
where
s = n.getASuccessor(label)
s = n.getASuccessor()
select
n.getTaintKind(), n.getLocation().toString(), n.getNode().toString(), n.getContext(),
"- " + label + " ->",
"-->",
s.getTaintKind(), s.getLocation().toString(), s.getNode().toString(), s.getContext()