Python: Adjust shared taint tracking skeleton

So it fits the setup from Java/Go, with AdditionalTaintStep class.

Author: RasmusWL

python/ql/src/experimental/dataflow/internal/TaintTrackingPrivate.qll

@@ -1,7 +1,14 @@
 private import python
-private import TaintTrackingPublic
 private import experimental.dataflow.DataFlow
 private import experimental.dataflow.internal.DataFlowPrivate
+private import experimental.dataflow.internal.TaintTrackingPublic
+
+/**
+ * Holds if taint can flow in one local step from `nodeFrom` to `nodeTo` excluding
+ * local data flow steps. That is, `nodeFrom` and `nodeTo` are likely to represent
+ * different objects.
+ */
+predicate localAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) { none() }
 
 /**
  * Holds if `node` should be a barrier in all global taint flow configurations
@@ -10,12 +17,11 @@ private import experimental.dataflow.internal.DataFlowPrivate
 predicate defaultTaintBarrier(DataFlow::Node node) { none() }
 
 /**
- * Holds if the additional step from `pred` to `succ` should be included in all
+ * Holds if the additional step from `nodeFrom` to `nodeTo` should be included in all
  * global taint flow configurations.
  */
-predicate defaultAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
-  none()
-  // localAdditionalTaintStep(pred, succ)
-  // or
-  // succ = pred.(DataFlow::NonLocalJumpNode).getAJumpSuccessor(false)
+predicate defaultAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+  localAdditionalTaintStep(nodeFrom, nodeTo)
+  or
+  any(AdditionalTaintStep a).step(nodeFrom, nodeTo)
 }

python/ql/src/experimental/dataflow/internal/TaintTrackingPublic.qll

@@ -6,27 +6,52 @@
 private import python
 private import TaintTrackingPrivate
 private import experimental.dataflow.DataFlow
-// /**
-//  * Holds if taint propagates from `source` to `sink` in zero or more local
-//  * (intra-procedural) steps.
-//  */
-// predicate localTaint(DataFlow::Node source, DataFlow::Node sink) { localTaintStep*(source, sink) }
-// // /**
-// //  * Holds if taint can flow from `e1` to `e2` in zero or more
-// //  * local (intra-procedural) steps.
-// //  */
-// // predicate localExprTaint(Expr e1, Expr e2) {
-// //   localTaint(DataFlow::exprNode(e1), DataFlow::exprNode(e2))
-// // }
-// // /** A member (property or field) that is tainted if its containing object is tainted. */
-// // abstract class TaintedMember extends AssignableMember { }
-// /**
-//  * Holds if taint propagates from `nodeFrom` to `nodeTo` in exactly one local
-//  * (intra-procedural) step.
-//  */
-// predicate localTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
-//   // Ordinary data flow
-//   DataFlow::localFlowStep(nodeFrom, nodeTo)
-//   or
-//   localAdditionalTaintStep(nodeFrom, nodeTo)
-// }
+
+// Local taint flow and helpers
+/**
+ * Holds if taint propagates from `source` to `sink` in zero or more local
+ * (intra-procedural) steps.
+ */
+predicate localTaint(DataFlow::Node source, DataFlow::Node sink) { localTaintStep*(source, sink) }
+
+/**
+ * Holds if taint can flow from `e1` to `e2` in zero or more local (intra-procedural)
+ * steps.
+ */
+predicate localExprTaint(Expr e1, Expr e2) {
+  localTaint(DataFlow::exprNode(e1), DataFlow::exprNode(e2))
+}
+
+/**
+ * Holds if taint propagates from `nodeFrom` to `nodeTo` in exactly one local
+ * (intra-procedural) step.
+ */
+predicate localTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+  // Ordinary data flow
+  DataFlow::localFlowStep(nodeFrom, nodeTo)
+  or
+  localAdditionalTaintStep(nodeFrom, nodeTo)
+}
+
+// AdditionalTaintStep for global taint flow
+private newtype TUnit = TMkUnit()
+
+/** A singleton class containing a single dummy "unit" value. */
+private class Unit extends TUnit {
+  /** Gets a textual representation of this element. */
+  string toString() { result = "unit" }
+}
+
+/**
+ * A unit class for adding additional taint steps.
+ *
+ * Extend this class to add additional taint steps that should apply to all
+ * taint configurations.
+ */
+class AdditionalTaintStep extends Unit {
+  /**
+   * Holds if the step from `nodeFrom` to `nodeTo` should be considered a taint
+   * step for all configurations.
+   */
+  abstract predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo);
+}