Merge pull request #2100 from RasmusWL/python-fix-hasFlowPath

Python: Fix hasFlowPath default implementation of isSink/2

Author: taus-semmle

python/ql/src/semmle/python/dataflow/Configuration.qll

@@ -51,6 +51,7 @@ module TaintTracking {
          */
         predicate isSink(DataFlow::Node node, TaintKind kind) {
             exists(TaintSink sink |
+                this.isSink(sink) and
                 node.asCfgNode() = sink and
                 sink.sinks(kind)
             )

python/ql/test/library-tests/taint/flowpath_regression/Config.qll

@@ -0,0 +1,45 @@
+import python
+import semmle.python.security.TaintTracking
+import semmle.python.security.strings.Untrusted
+
+class FooSource extends TaintSource {
+    FooSource() { this.(CallNode).getFunction().(NameNode).getId() = "foo_source" }
+
+    override predicate isSourceOf(TaintKind kind) { kind instanceof UntrustedStringKind }
+
+    override string toString() { result = "FooSource" }
+}
+
+class FooSink extends TaintSink {
+    FooSink() {
+        exists(CallNode call |
+            call.getFunction().(NameNode).getId() = "foo_sink" and
+            call.getAnArg() = this
+        )
+    }
+
+    override predicate sinks(TaintKind kind) { kind instanceof UntrustedStringKind }
+
+    override string toString() { result = "FooSink" }
+}
+
+class FooConfig extends TaintTracking::Configuration {
+    FooConfig() { this = "FooConfig" }
+
+    override predicate isSource(TaintTracking::Source source) { source instanceof FooSource }
+
+    override predicate isSink(TaintTracking::Sink sink) { sink instanceof FooSink }
+}
+
+class BarSink extends TaintSink {
+    BarSink() {
+        exists(CallNode call |
+            call.getFunction().(NameNode).getId() = "bar_sink" and
+            call.getAnArg() = this
+        )
+    }
+
+    override predicate sinks(TaintKind kind) { kind instanceof UntrustedStringKind }
+
+    override string toString() { result = "BarSink" }
+}

python/ql/test/library-tests/taint/flowpath_regression/Path.expected

@@ -0,0 +1 @@
+| test.py:16:9:16:20 | foo_source() | test.py:17:14:17:14 | x |

python/ql/test/library-tests/taint/flowpath_regression/Path.ql

@@ -0,0 +1,6 @@
+import python
+import Config
+
+from FooConfig config, TaintedPathSource src, TaintedPathSink sink
+where config.hasFlowPath(src, sink)
+select src.getSource(), sink.getSink()

python/ql/test/library-tests/taint/flowpath_regression/test.py

@@ -0,0 +1,22 @@
+def foo_source():
+    return 'foo'
+
+
+def foo_sink(x):
+    if x == 'foo':
+        print('fire the foo missiles')
+
+
+def bar_sink(x):
+    if x == 'bar':
+        print('fire the bar missiles')
+
+
+def should_report():
+    x = foo_source()
+    foo_sink(x)
+
+
+def should_not_report():
+    x = foo_source()
+    bar_sink(x)