The meat of this PR is described in the new python/ql/test/experimental/meta/InlineTaintTest.qll file: > Defines an InlineExpectationsTest for checking whether any arguments in > `ensure_tainted` and `ensure_not_tainted` calls are tainted. > > Also defines query predicates to ensure that: > - if any arguments to `ensure_not_tainted` are tainted, their annotation is marked with `SPURIOUS`. > - if any arguments to `ensure_tainted` are not tainted, their annotation is marked with `MISSING`. > > The functionality of this module is tested in `ql/test/experimental/meta/inline-taint-test-demo`.
import experimental.meta.InlineTaintTest
/**
 * A sanitizer guard used by the inline taint tests: a call to `is_safe` or
 * `emulated_is_safe`. Every argument of such a call is treated as clean on
 * the control-flow branch where the call evaluated to `true`.
 */
class IsSafeCheck extends DataFlow::BarrierGuard {
  IsSafeCheck() {
    exists(Name callee |
      callee = this.(CallNode).getNode().getFunc() and
      callee.getId() = ["is_safe", "emulated_is_safe"]
    )
  }

  /**
   * Holds if `node` is an argument of this call; the guard only sanitizes on
   * the `true` branch, so `branch` is always `true`.
   */
  override predicate checks(ControlFlowNode node, boolean branch) {
    branch = true and
    node = this.(CallNode).getAnArg()
  }
}
/**
 * Extends the test taint-tracking configuration with the sanitizers and
 * sanitizer guards that the inline-taint-test demo expects to be recognised.
 */
class CustomSanitizerOverrides extends TestTaintTrackingConfiguration {
  /**
   * Holds if `node` is sanitized. Two shapes are recognised: the first
   * argument of a call to `emulated_authentication_check`, and the result of
   * a call to `emulated_escaping`. Both are only name-based matches on the
   * callee, which is all the test scaffolding needs.
   */
  override predicate isSanitizer(DataFlow::Node node) {
    exists(Call call, string callee | callee = call.getFunc().(Name).getId() |
      callee = "emulated_authentication_check" and node.asExpr() = call.getArg(0)
      or
      callee = "emulated_escaping" and node.asExpr() = call
    )
  }

  /** Holds if `guard` is an `IsSafeCheck`, the only guard these tests sanitize through. */
  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
    guard instanceof IsSafeCheck
  }
}
/**
 * Exposes the sanitizer nodes of `conf` as query results so the inline test
 * can check them. Only nodes in files with a relative path are reported,
 * which keeps library code (outside the source root) out of the expected
 * output.
 */
query predicate isSanitizer(TestTaintTrackingConfiguration conf, DataFlow::Node node) {
  conf.isSanitizer(node) and
  exists(string path | path = node.getLocation().getFile().getRelativePath())
}
/**
 * Exposes the sanitizer guards of `conf` as query results, mirroring
 * `isSanitizer`. As there, only guards located in files with a relative path
 * (inside the source root) are reported, so library code is excluded.
 */
query predicate isSanitizerGuard(TestTaintTrackingConfiguration conf, DataFlow::BarrierGuard guard) {
  conf.isSanitizerGuard(guard) and
  exists(string path | path = guard.getLocation().getFile().getRelativePath())
}