Merge pull request #4149 from RasmusWL/python-more-additional-taint-steps

Python: more additional taint steps

Author: yoff

python/ql/src/experimental/dataflow/internal/TaintTrackingPrivate.qll

@@ -30,6 +30,16 @@ predicate localAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeT
   subscriptStep(nodeFrom, nodeTo)
   or
   stringManipulation(nodeFrom, nodeTo)
+  or
+  jsonStep(nodeFrom, nodeTo)
+  or
+  containerStep(nodeFrom, nodeTo)
+  or
+  copyStep(nodeFrom, nodeTo)
+  or
+  forStep(nodeFrom, nodeTo)
+  or
+  unpackingAssignmentStep(nodeFrom, nodeTo)
 }
 
 /**
@@ -118,8 +128,101 @@ predicate stringManipulation(DataFlow::CfgNode nodeFrom, DataFlow::CfgNode nodeT
   )
   or
   // f-strings
-  nodeTo.getNode().getNode().(Fstring).getAValue() = nodeFrom.getNode().getNode()
+  nodeTo.asExpr().(Fstring).getAValue() = nodeFrom.asExpr()
   // TODO: Handle encode/decode from base64/quopri
   // TODO: Handle os.path.join
   // TODO: Handle functions in https://docs.python.org/3/library/binascii.html
 }
+
+/**
+ * Holds if taint can flow from `nodeFrom` to `nodeTo` with a step related to JSON encoding/decoding.
+ */
+predicate jsonStep(DataFlow::CfgNode nodeFrom, DataFlow::CfgNode nodeTo) {
+  exists(CallNode call | call = nodeTo.getNode() |
+    call.getFunction().(AttrNode).getObject(["load", "loads", "dumps"]).(NameNode).getId() = "json" and
+    call.getArg(0) = nodeFrom.getNode()
+  )
+}
+
+/**
+ * Holds if taint can flow from `nodeFrom` to `nodeTo` with a step related to containers
+ * (lists/sets/dictionaries): literals, constructor invocation, methods. Note that this
+ * is currently very imprecise, as an example, since we model `dict.get`, we treat any
+ * `<tainted object>.get(<arg>)` will be tainted, whether it's true or not.
+ */
+predicate containerStep(DataFlow::CfgNode nodeFrom, DataFlow::Node nodeTo) {
+  // construction by literal
+  // TODO: Not limiting the content argument here feels like a BIG hack, but we currently get nothing for free :|
+  storeStep(nodeFrom, _, nodeTo)
+  or
+  // constructor call
+  exists(CallNode call | call = nodeTo.asCfgNode() |
+    call.getFunction().(NameNode).getId() in ["list", "set", "frozenset", "dict", "defaultdict",
+          "tuple"] and
+    call.getArg(0) = nodeFrom.getNode()
+  )
+  or
+  // functions operating on collections
+  exists(CallNode call | call = nodeTo.asCfgNode() |
+    call.getFunction().(NameNode).getId() in ["sorted", "reversed", "iter", "next"] and
+    call.getArg(0) = nodeFrom.getNode()
+  )
+  or
+  // methods
+  exists(CallNode call, string name | call = nodeTo.asCfgNode() |
+    name in ["copy",
+          // general
+          "pop",
+          // dict
+          "values", "items", "get", "popitem"] and
+    call.getFunction().(AttrNode).getObject(name) = nodeFrom.asCfgNode()
+  )
+  or
+  // list.append, set.add
+  exists(CallNode call, string name |
+    name in ["append", "add"] and
+    call.getFunction().(AttrNode).getObject(name) =
+      nodeTo.(PostUpdateNode).getPreUpdateNode().asCfgNode() and
+    call.getArg(0) = nodeFrom.getNode()
+  )
+}
+
+/**
+ * Holds if taint can flow from `nodeFrom` to `nodeTo` with a step related to copying.
+ */
+predicate copyStep(DataFlow::CfgNode nodeFrom, DataFlow::CfgNode nodeTo) {
+  exists(CallNode call | call = nodeTo.getNode() |
+    // Fully qualified: copy.copy, copy.deepcopy
+    (
+      call.getFunction().(NameNode).getId() in ["copy", "deepcopy"]
+      or
+      call.getFunction().(AttrNode).getObject(["copy", "deepcopy"]).(NameNode).getId() = "copy"
+    ) and
+    call.getArg(0) = nodeFrom.getNode()
+  )
+}
+
+/**
+ * Holds if taint can flow from `nodeFrom` to `nodeTo` with a step related to `for`-iteration,
+ * for example `for x in xs`, or `for x,y in points`.
+ */
+predicate forStep(DataFlow::CfgNode nodeFrom, DataFlow::EssaNode nodeTo) {
+  exists(EssaNodeDefinition defn, For for |
+    for.getTarget().getAChildNode*() = defn.getDefiningNode().getNode() and
+    nodeTo.getVar() = defn and
+    nodeFrom.asExpr() = for.getIter()
+  )
+}
+
+/**
+ * Holds if taint can flow from `nodeFrom` to `nodeTo` with a step related to iterable unpacking.
+ * Only handles normal assignment (`x,y = calc_point()`), since `for x,y in points` is handled by `forStep`.
+ */
+predicate unpackingAssignmentStep(DataFlow::CfgNode nodeFrom, DataFlow::EssaNode nodeTo) {
+  // `a, b = myiterable` or `head, *tail = myiterable` (only Python 3)
+  exists(MultiAssignmentDefinition defn, Assign assign |
+    assign.getATarget().contains(defn.getDefiningNode().getNode()) and
+    nodeTo.getVar() = defn and
+    nodeFrom.asExpr() = assign.getValue()
+  )
+}

python/ql/test/experimental/dataflow/tainttracking/TestTaintLib.qll

@@ -6,7 +6,8 @@ class TestTaintTrackingConfiguration extends TaintTracking::Configuration {
   TestTaintTrackingConfiguration() { this = "TestTaintTrackingConfiguration" }
 
   override predicate isSource(DataFlow::Node source) {
-    source.(DataFlow::CfgNode).getNode().(NameNode).getId() in ["TAINTED_STRING", "TAINTED_BYTES"]
+    source.(DataFlow::CfgNode).getNode().(NameNode).getId() in ["TAINTED_STRING", "TAINTED_BYTES",
+          "TAINTED_LIST", "TAINTED_DICT"]
   }
 
   override predicate isSink(DataFlow::Node sink) {
@@ -44,7 +45,8 @@ private string repr(Expr e) {
 
 query predicate test_taint(string arg_location, string test_res, string function_name, string repr) {
   exists(Call call, Expr arg, boolean expected_taint, boolean has_taint |
-    call.getLocation().getFile().getShortName() = "test.py" and
+    // only consider files that are extracted as part of the test
+    exists(call.getLocation().getFile().getRelativePath()) and
     (
       call.getFunc().(Name).getId() = "ensure_tainted" and
       expected_taint = true

python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep-py3/TestTaint.expected

@@ -0,0 +1,22 @@
+| test_collections.py:16 | ok   | test_access | tainted_list.copy() |
+| test_collections.py:24 | ok   | list_clear | tainted_list |
+| test_collections.py:27 | fail | list_clear | tainted_list |
+| test_string.py:17 | ok   | str_methods | ts.casefold() |
+| test_string.py:19 | ok   | str_methods | ts.format_map(..) |
+| test_string.py:20 | ok   | str_methods | "{unsafe}".format_map(..) |
+| test_string.py:31 | fail | binary_decode_encode | base64.a85encode(..) |
+| test_string.py:32 | fail | binary_decode_encode | base64.a85decode(..) |
+| test_string.py:35 | fail | binary_decode_encode | base64.b85encode(..) |
+| test_string.py:36 | fail | binary_decode_encode | base64.b85decode(..) |
+| test_string.py:39 | fail | binary_decode_encode | base64.encodebytes(..) |
+| test_string.py:40 | fail | binary_decode_encode | base64.decodebytes(..) |
+| test_string.py:48 | ok   | f_strings | Fstring |
+| test_unpacking.py:18 | ok   | extended_unpacking | first |
+| test_unpacking.py:18 | ok   | extended_unpacking | last |
+| test_unpacking.py:18 | ok   | extended_unpacking | rest |
+| test_unpacking.py:23 | ok   | also_allowed | a |
+| test_unpacking.py:31 | ok   | also_allowed | b |
+| test_unpacking.py:31 | ok   | also_allowed | c |
+| test_unpacking.py:39 | ok   | nested | x |
+| test_unpacking.py:39 | ok   | nested | xs |
+| test_unpacking.py:39 | ok   | nested | ys |

…ow/tainttracking/string-py3/TestTaint.ql …aultAdditionalTaintStep-py3/TestTaint.qlpython/ql/test/experimental/dataflow/tainttracking/string-py3/TestTaint.ql renamed to python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep-py3/TestTaint.ql python/ql/test/experimental/dataflow/tainttracking/string-py3/TestTaint.ql renamed to python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep-py3/TestTaint.ql

@@ -0,0 +1,32 @@
+# Add taintlib to PATH so it can be imported during runtime without any hassle
+import sys; import os; sys.path.append(os.path.dirname(os.path.dirname((__file__))))
+from taintlib import *
+
+# This has no runtime impact, but allows autocomplete to work
+from typing import TYPE_CHECKING
+if TYPE_CHECKING:
+    from ..taintlib import *
+
+# Actual tests
+
+def test_access():
+    tainted_list = TAINTED_LIST
+
+    ensure_tainted(
+        tainted_list.copy(),
+    )
+
+
+def list_clear():
+    tainted_string = TAINTED_STRING
+    tainted_list = [tainted_string]
+
+    ensure_tainted(tainted_list)
+
+    tainted_list.clear()
+    ensure_not_tainted(tainted_list)
+
+# Make tests runable
+
+test_access()
+list_clear()

…ataflow/tainttracking/string-py3/options …g/defaultAdditionalTaintStep-py3/optionspython/ql/test/experimental/dataflow/tainttracking/string-py3/options renamed to python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep-py3/options python/ql/test/experimental/dataflow/tainttracking/string-py3/options renamed to python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep-py3/options

@@ -1,20 +1,11 @@
-# Python 3 specific taint tracking for string
-
-TAINTED_STRING = "TAINTED_STRING"
-TAINTED_BYTES = b"TAINTED_BYTES"
-
-
-def ensure_tainted(*args):
-    print("- ensure_tainted")
-    for i, arg in enumerate(args):
-        print("arg {}: {!r}".format(i, arg))
-
-
-def ensure_not_tainted(*args):
-    print("- ensure_not_tainted")
-    for i, arg in enumerate(args):
-        print("arg {}: {!r}".format(i, arg))
-
+# Add taintlib to PATH so it can be imported during runtime without any hassle
+import sys; import os; sys.path.append(os.path.dirname(os.path.dirname((__file__))))
+from taintlib import *
+
+# This has no runtime impact, but allows autocomplete to work
+from typing import TYPE_CHECKING
+if TYPE_CHECKING:
+    from ..taintlib import *
 
 # Actual tests
 

python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep-py3/test_collections.py

@@ -0,0 +1,46 @@
+# Add taintlib to PATH so it can be imported during runtime without any hassle
+import sys; import os; sys.path.append(os.path.dirname(os.path.dirname((__file__))))
+from taintlib import *
+
+# This has no runtime impact, but allows autocomplete to work
+from typing import TYPE_CHECKING
+if TYPE_CHECKING:
+    from ..taintlib import *
+
+# Actual tests
+
+# Extended Iterable Unpacking -- PEP 3132
+# https://www.python.org/dev/peps/pep-3132/
+
+
+def extended_unpacking():
+    first, *rest, last = TAINTED_LIST
+    ensure_tainted(first, rest, last)
+
+
+def also_allowed():
+    *a, = TAINTED_LIST
+    ensure_tainted(a)
+
+    # for b, *c in [(1, 2, 3), (4, 5, 6, 7)]:
+        # print(c)
+        # i=0; c=[2,3]
+        # i=1; c=[5,6,7]
+
+    for b, *c in [TAINTED_LIST, TAINTED_LIST]:
+        ensure_tainted(b, c)
+
+
+def nested():
+    l = TAINTED_LIST
+    ll = [l,l]
+
+    [[x, *xs], ys] = ll
+    ensure_tainted(x, xs, ys)
+
+
+# Make tests runable
+
+extended_unpacking()
+also_allowed()
+nested()