Skip to content

Python: Small Cleanups #5926

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
codeql-ci merged 16 commits into from
Jul 2, 2021
Merged

Python: Small Cleanups #5926

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
16 commits
Select commit Hold shift + click to select a range
9137f04
Python: Add getPostUpdateNode to DataFlow::Node
RasmusWL May 19, 2021
b02fb90
Python: Add getObject(string attrName) to AttrRef
RasmusWL May 19, 2021
3f5602c
Python: Refactoring of TaintTrackingPrivate
RasmusWL May 19, 2021
53f1d23
Python: Small refactor of TaintTrackingPrivate
RasmusWL May 19, 2021
a2e8417
Python: Use API graphs in TaintTrackingPrivate
RasmusWL May 19, 2021
aa8b730
Python: Use more API graphs in TaintTrackingPrivate
RasmusWL May 19, 2021
c4987e9
Python: Re-introduce syntactic handling of str/bytes/unicode
RasmusWL May 19, 2021
af13064
Merge branch 'main' into pr/RasmusWL/5926
RasmusWL Jun 14, 2021
870389a
Revert "Python: Re-introduce syntactic handling of str/bytes/unicode"
RasmusWL Jun 14, 2021
cc311ac
Python: Re-introduce syntactic handling of str/bytes/unicode (again)
RasmusWL Jun 14, 2021
0b767bb
Merge branch 'main' into small-cleanups
RasmusWL Jun 22, 2021
3b41c2f
Python: Use new `MethodCallNode` in TaintTrackingPrivate
RasmusWL Jun 22, 2021
e56dfe7
Python: AttrRef getOjbect/1 -> accesses/2
RasmusWL Jun 22, 2021
7a6eee5
Revert "Python: Add getPostUpdateNode to DataFlow::Node"
RasmusWL Jul 2, 2021
22c1556
Python: Fix code after removing `getPostUpdateNode`
RasmusWL Jul 2, 2021
81fab48
Python: Apply suggestions from code review
RasmusWL Jul 2, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 7 additions & 0 deletions python/ql/src/semmle/python/dataflow/new/internal/Attributes.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,13 @@ abstract class AttrRef extends Node {
*/
abstract Node getObject();

/**
* Holds if this data flow node accesses attribute named `attrName` on object `object`.
*/
predicate accesses(Node object, string attrName) {
this.getObject() = object and this.getAttributeName() = attrName
}

/**
* Gets the expression node that defines the attribute being accessed, if any. This is
* usually an identifier or literal.
Expand Down
56 changes: 25 additions & 31 deletions python/ql/src/semmle/python/dataflow/new/internal/TaintTrackingPrivate.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,8 @@
private import python
private import semmle.python.dataflow.new.DataFlow
private import semmle.python.dataflow.new.internal.DataFlowPrivate
private import semmle.python.dataflow.new.internal.DataFlowPrivate as DataFlowPrivate
private import semmle.python.dataflow.new.internal.TaintTrackingPublic
private import semmle.python.ApiGraphs

/**
* Holds if `node` should be a sanitizer in all global taint flow configurations
Expand Down Expand Up @@ -75,13 +76,13 @@ predicate subscriptStep(DataFlow::CfgNode nodeFrom, DataFlow::CfgNode nodeTo) {
*/
predicate stringManipulation(DataFlow::CfgNode nodeFrom, DataFlow::CfgNode nodeTo) {
// transforming something tainted into a string will make the string tainted
exists(CallNode call | call = nodeTo.getNode() |
call.getFunction().(NameNode).getId() in ["str", "bytes", "unicode"] and
exists(DataFlow::CallCfgNode call | call = nodeTo |
(
nodeFrom.getNode() = call.getArg(0)
call = API::builtin(["str", "bytes", "unicode"]).getACall()
or
nodeFrom.getNode() = call.getArgByName("object")
)
call.getFunction().asCfgNode().(NameNode).getId() in ["str", "bytes", "unicode"]
) and
nodeFrom in [call.getArg(0), call.getArgByName("object")]
)
or
// String methods. Note that this doesn't recognize `meth = "foo".upper; meth()`
Expand Down Expand Up @@ -148,54 +149,47 @@ predicate stringManipulation(DataFlow::CfgNode nodeFrom, DataFlow::CfgNode nodeT
predicate containerStep(DataFlow::CfgNode nodeFrom, DataFlow::Node nodeTo) {
// construction by literal
// TODO: Not limiting the content argument here feels like a BIG hack, but we currently get nothing for free :|
storeStep(nodeFrom, _, nodeTo)
DataFlowPrivate::storeStep(nodeFrom, _, nodeTo)
or
// constructor call
exists(CallNode call | call = nodeTo.asCfgNode() |
call.getFunction().(NameNode).getId() in [
"list", "set", "frozenset", "dict", "defaultdict", "tuple"
] and
call.getArg(0) = nodeFrom.getNode()
exists(DataFlow::CallCfgNode call | call = nodeTo |
call = API::builtin(["list", "set", "frozenset", "dict", "tuple"]).getACall() and
call.getArg(0) = nodeFrom
// TODO: Properly handle defaultdict/namedtuple
)
or
// functions operating on collections
exists(CallNode call | call = nodeTo.asCfgNode() |
call.getFunction().(NameNode).getId() in ["sorted", "reversed", "iter", "next"] and
call.getArg(0) = nodeFrom.getNode()
exists(DataFlow::CallCfgNode call | call = nodeTo |
call = API::builtin(["sorted", "reversed", "iter", "next"]).getACall() and
call.getArg(0) = nodeFrom
)
or
// methods
exists(CallNode call, string name | call = nodeTo.asCfgNode() |
name in [
exists(DataFlow::MethodCallNode call, string methodName | call = nodeTo |
methodName in [
// general
"copy", "pop",
// dict
"values", "items", "get", "popitem"
] and
call.getFunction().(AttrNode).getObject(name) = nodeFrom.asCfgNode()
call.calls(nodeFrom, methodName)
)
or
// list.append, set.add
exists(CallNode call, string name |
name in ["append", "add"] and
call.getFunction().(AttrNode).getObject(name) =
nodeTo.(DataFlow::PostUpdateNode).getPreUpdateNode().asCfgNode() and
call.getArg(0) = nodeFrom.getNode()
exists(DataFlow::MethodCallNode call, DataFlow::Node obj |
call.calls(obj, ["append", "add"]) and
obj = nodeTo.(DataFlow::PostUpdateNode).getPreUpdateNode() and
call.getArg(0) = nodeFrom
)
}

/**
* Holds if taint can flow from `nodeFrom` to `nodeTo` with a step related to copying.
*/
predicate copyStep(DataFlow::CfgNode nodeFrom, DataFlow::CfgNode nodeTo) {
exists(CallNode call | call = nodeTo.getNode() |
// Fully qualified: copy.copy, copy.deepcopy
(
call.getFunction().(NameNode).getId() in ["copy", "deepcopy"]
or
call.getFunction().(AttrNode).getObject(["copy", "deepcopy"]).(NameNode).getId() = "copy"
) and
call.getArg(0) = nodeFrom.getNode()
exists(DataFlow::CallCfgNode call | call = nodeTo |
call = API::moduleImport("copy").getMember(["copy", "deepcopy"]).getACall() and
call.getArg(0) = nodeFrom
)
}

Expand Down
2 changes: 1 addition & 1 deletion python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/test_string.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -104,7 +104,7 @@ def non_syntactic():
_str = str
ensure_tainted(
meth(), # $ MISSING: tainted
_str(ts), # $ MISSING: tainted
_str(ts), # $ tainted
)


Expand Down