Python: Handle taint from bytes(obj)

RasmusWL · RasmusWL · commit 31b398937a6f · 2020-08-24T14:17:59.000+02:00
diff --git a/python/ql/src/experimental/dataflow/internal/TaintTrackingPrivate.qll b/python/ql/src/experimental/dataflow/internal/TaintTrackingPrivate.qll
@@ -67,7 +67,11 @@ predicate subscriptStep(DataFlow::CfgNode nodeFrom, DataFlow::CfgNode nodeTo) {
 predicate stringMethods(DataFlow::CfgNode nodeFrom, DataFlow::CfgNode nodeTo) {
   // transforming something tainted into a string will make the string tainted
   exists(CallNode call | call = nodeTo.getNode() |
-    call.getFunction().(NameNode).getId() = "str" and
+    (
+      call.getFunction().(NameNode).getId() = "str"
+      or
+      call.getFunction().(NameNode).getId() = "bytes"
+    ) and
     (
       nodeFrom.getNode() = call.getArg(0)
       or
diff --git a/python/ql/test/experimental/dataflow/tainttracking/string/TestTaint.expected b/python/ql/test/experimental/dataflow/tainttracking/string/TestTaint.expected
@@ -6,43 +6,44 @@
 | test.py:29 | ok   | str_operations | ts[Slice] |
 | test.py:30 | ok   | str_operations | ts[0] |
 | test.py:31 | ok   | str_operations | str(..) |
-| test.py:40 | ok   | str_methods | ts.capitalize() |
-| test.py:41 | ok   | str_methods | ts.casefold() |
-| test.py:42 | ok   | str_methods | ts.center(..) |
-| test.py:43 | ok   | str_methods | ts.expandtabs() |
-| test.py:45 | ok   | str_methods | ts.format() |
-| test.py:46 | ok   | str_methods | "{}".format(..) |
-| test.py:47 | ok   | str_methods | "{unsafe}".format(..) |
-| test.py:49 | ok   | str_methods | ts.format_map(..) |
-| test.py:50 | fail | str_methods | "{unsafe}".format_map(..) |
-| test.py:52 | ok   | str_methods | ts.join(..) |
-| test.py:53 | fail | str_methods | "".join(..) |
-| test.py:55 | ok   | str_methods | ts.ljust(..) |
-| test.py:56 | ok   | str_methods | ts.lstrip() |
-| test.py:57 | ok   | str_methods | ts.lower() |
-| test.py:59 | ok   | str_methods | ts.replace(..) |
-| test.py:60 | ok   | str_methods | "safe".replace(..) |
-| test.py:62 | ok   | str_methods | ts.rjust(..) |
-| test.py:63 | ok   | str_methods | ts.rstrip() |
-| test.py:64 | ok   | str_methods | ts.strip() |
-| test.py:65 | ok   | str_methods | ts.swapcase() |
-| test.py:66 | ok   | str_methods | ts.title() |
-| test.py:67 | ok   | str_methods | ts.upper() |
-| test.py:68 | ok   | str_methods | ts.zfill(..) |
-| test.py:70 | ok   | str_methods | ts.encode(..) |
-| test.py:71 | ok   | str_methods | ts.encode(..).decode(..) |
-| test.py:73 | ok   | str_methods | tb.decode(..) |
-| test.py:74 | ok   | str_methods | tb.decode(..).encode(..) |
-| test.py:77 | ok   | str_methods | ts.partition(..) |
-| test.py:78 | ok   | str_methods | ts.rpartition(..) |
-| test.py:79 | ok   | str_methods | ts.rsplit(..) |
-| test.py:80 | ok   | str_methods | ts.split(..) |
-| test.py:81 | ok   | str_methods | ts.splitlines() |
-| test.py:86 | ok   | str_methods | "safe".replace(..) |
-| test.py:88 | fail | str_methods | ts.join(..) |
+| test.py:32 | ok   | str_operations | bytes(..) |
+| test.py:41 | ok   | str_methods | ts.capitalize() |
+| test.py:42 | ok   | str_methods | ts.casefold() |
+| test.py:43 | ok   | str_methods | ts.center(..) |
+| test.py:44 | ok   | str_methods | ts.expandtabs() |
+| test.py:46 | ok   | str_methods | ts.format() |
+| test.py:47 | ok   | str_methods | "{}".format(..) |
+| test.py:48 | ok   | str_methods | "{unsafe}".format(..) |
+| test.py:50 | ok   | str_methods | ts.format_map(..) |
+| test.py:51 | fail | str_methods | "{unsafe}".format_map(..) |
+| test.py:53 | ok   | str_methods | ts.join(..) |
+| test.py:54 | fail | str_methods | "".join(..) |
+| test.py:56 | ok   | str_methods | ts.ljust(..) |
+| test.py:57 | ok   | str_methods | ts.lstrip() |
+| test.py:58 | ok   | str_methods | ts.lower() |
+| test.py:60 | ok   | str_methods | ts.replace(..) |
+| test.py:61 | ok   | str_methods | "safe".replace(..) |
+| test.py:63 | ok   | str_methods | ts.rjust(..) |
+| test.py:64 | ok   | str_methods | ts.rstrip() |
+| test.py:65 | ok   | str_methods | ts.strip() |
+| test.py:66 | ok   | str_methods | ts.swapcase() |
+| test.py:67 | ok   | str_methods | ts.title() |
+| test.py:68 | ok   | str_methods | ts.upper() |
+| test.py:69 | ok   | str_methods | ts.zfill(..) |
+| test.py:71 | ok   | str_methods | ts.encode(..) |
+| test.py:72 | ok   | str_methods | ts.encode(..).decode(..) |
+| test.py:74 | ok   | str_methods | tb.decode(..) |
+| test.py:75 | ok   | str_methods | tb.decode(..).encode(..) |
+| test.py:78 | ok   | str_methods | ts.partition(..) |
+| test.py:79 | ok   | str_methods | ts.rpartition(..) |
+| test.py:80 | ok   | str_methods | ts.rsplit(..) |
+| test.py:81 | ok   | str_methods | ts.split(..) |
+| test.py:82 | ok   | str_methods | ts.splitlines() |
+| test.py:87 | ok   | str_methods | "safe".replace(..) |
 | test.py:89 | fail | str_methods | ts.join(..) |
-| test.py:99 | fail | non_syntactic | meth() |
-| test.py:100 | fail | non_syntactic | _str(..) |
-| test.py:109 | ok   | percent_fmt | BinaryExpr |
+| test.py:90 | fail | str_methods | ts.join(..) |
+| test.py:100 | fail | non_syntactic | meth() |
+| test.py:101 | fail | non_syntactic | _str(..) |
 | test.py:110 | ok   | percent_fmt | BinaryExpr |
-| test.py:111 | fail | percent_fmt | BinaryExpr |
+| test.py:111 | ok   | percent_fmt | BinaryExpr |
+| test.py:112 | fail | percent_fmt | BinaryExpr |
diff --git a/python/ql/test/experimental/dataflow/tainttracking/string/test.py b/python/ql/test/experimental/dataflow/tainttracking/string/test.py
@@ -29,6 +29,7 @@ def str_operations():
         ts[0:1000],
         ts[0],
         str(ts),
+        bytes(ts),
     )
 
 

Original file line number	Diff line number	Diff line change
`@@ -29,6 +29,7 @@ def str_operations():`
`29`	`29`	`ts[0:1000],`
`30`	`30`	`ts[0],`
`31`	`31`	`str(ts),`
	`32`	`+ bytes(ts),`
`32`	`33`	`)`
`33`	`34`
`34`	`35`