Python: Update CWE-312 queries to use new taint-tracking configuration.

Author: markshannon

python/ql/src/Security/CWE-312/CleartextLogging.ql

@@ -24,12 +24,13 @@ class CleartextLoggingConfiguration extends TaintTracking::Configuration {
 
     CleartextLoggingConfiguration() {  this = "ClearTextLogging" }
 
-    override predicate isSource(TaintSource src) {
-        src instanceof SensitiveData::Source
+    override predicate isSource(DataFlow::Node src, TaintKind kind) {
+        src.asCfgNode().(SensitiveData::Source).isSourceOf(kind)
     }
 
-    override predicate isSink(TaintSink sink) {
-        sink instanceof ClearTextLogging::Sink
+    override predicate isSink(DataFlow::Node sink, TaintKind kind) {
+        sink.asCfgNode() instanceof ClearTextLogging::Sink and
+        kind instanceof SensitiveData
     }
 
 }

python/ql/src/Security/CWE-312/CleartextStorage.ql

@@ -23,12 +23,13 @@ class CleartextStorageConfiguration extends TaintTracking::Configuration {
 
     CleartextStorageConfiguration() {  this = "ClearTextStorage" }
 
-    override predicate isSource(TaintSource src) {
-        src instanceof SensitiveData::Source
+    override predicate isSource(DataFlow::Node src, TaintKind kind) {
+        src.asCfgNode().(SensitiveData::Source).isSourceOf(kind)
     }
 
-    override predicate isSink(TaintSink sink) {
-        sink instanceof ClearTextStorage::Sink
+    override predicate isSink(DataFlow::Node sink, TaintKind kind) {
+        sink.asCfgNode() instanceof ClearTextStorage::Sink and
+        kind instanceof SensitiveData
     }
 
 }

python/ql/src/semmle/python/dataflow/Files.qll

@@ -10,15 +10,17 @@ class OpenFile extends TaintKind {
 
 }
 
+class OpenFileConfiguration extends TaintTracking::Configuration {
 
-class OpenFileSource extends TaintSource {
+    OpenFileConfiguration() {  this = "Open file configuration" }
 
-    OpenFileSource() {
-        theOpenFunction().(FunctionObject).getACall() = this
+    override predicate isSource(DataFlow::Node src, TaintKind kind) {
+        theOpenFunction().(FunctionObject).getACall() = src.asCfgNode() and
+        kind instanceof OpenFile
     }
 
-    override predicate isSourceOf(TaintKind kind) {
-        kind instanceof OpenFile
+    override predicate isSink(DataFlow::Node sink, TaintKind kind) {
+        none()
     }
 
-}
+}

python/ql/test/query-tests/Security/CWE-312/CleartextLogging.expected

@@ -1,8 +1,6 @@
 edges
-| password_in_cookie.py:7:16:7:27 | dict of externally controlled string | password_in_cookie.py:7:16:7:43 | externally controlled string |
-| password_in_cookie.py:7:16:7:43 | a password | password_in_cookie.py:9:33:9:40 | a password |
-| password_in_cookie.py:7:16:7:43 | externally controlled string | password_in_cookie.py:9:33:9:40 | externally controlled string |
 | test.py:7:16:7:29 | a password | test.py:8:35:8:42 | a password |
 #select
-| test.py:8:35:8:42 | Taint sink | test.py:7:16:7:29 | a password | test.py:8:35:8:42 | a password | Sensitive data returned by $@ is logged here. | test.py:7:16:7:29 | Taint source | a call returning a password |
-| test.py:14:30:14:39 | Taint sink | test.py:14:30:14:39 | a certificate or key | test.py:14:30:14:39 | a certificate or key | Sensitive data returned by $@ is logged here. | test.py:14:30:14:39 | Taint source | a call returning a certificate or key |
+| test.py:8:35:8:42 | password | test.py:7:16:7:29 | a password | test.py:8:35:8:42 | a password | Sensitive data returned by $@ is logged here. | test.py:7:16:7:29 | get_password() | a call returning a password |
+| test.py:14:30:14:39 | get_cert() | test.py:14:30:14:39 | a certificate or key | test.py:14:30:14:39 | a certificate or key | Sensitive data returned by $@ is logged here. | test.py:14:30:14:39 | get_cert() | a call returning a certificate or key |
+| test.py:17:11:17:24 | get_password() | test.py:17:11:17:24 | a password | test.py:17:11:17:24 | a password | Sensitive data returned by $@ is logged here. | test.py:17:11:17:24 | get_password() | a call returning a password |

python/ql/test/query-tests/Security/CWE-312/CleartextStorage.expected

@@ -1,7 +1,6 @@
 edges
-| password_in_cookie.py:7:16:7:27 | dict of externally controlled string | password_in_cookie.py:7:16:7:43 | externally controlled string |
 | password_in_cookie.py:7:16:7:43 | a password | password_in_cookie.py:9:33:9:40 | a password |
-| password_in_cookie.py:7:16:7:43 | externally controlled string | password_in_cookie.py:9:33:9:40 | externally controlled string |
-| test.py:7:16:7:29 | a password | test.py:8:35:8:42 | a password |
+| test.py:20:12:20:21 | a certificate or key | test.py:22:20:22:23 | a certificate or key |
 #select
-| password_in_cookie.py:9:33:9:40 | Taint sink | password_in_cookie.py:7:16:7:43 | a password | password_in_cookie.py:9:33:9:40 | a password | Sensitive data from $@ is stored here. | password_in_cookie.py:7:16:7:43 | Taint source | a request parameter containing a password |
+| password_in_cookie.py:9:33:9:40 | password | password_in_cookie.py:7:16:7:43 | a password | password_in_cookie.py:9:33:9:40 | a password | Sensitive data from $@ is stored here. | password_in_cookie.py:7:16:7:43 | Attribute() | a request parameter containing a password |
+| test.py:22:20:22:23 | cert | test.py:20:12:20:21 | a certificate or key | test.py:22:20:22:23 | a certificate or key | Sensitive data from $@ is stored here. | test.py:20:12:20:21 | get_cert() | a call returning a certificate or key |

python/ql/test/query-tests/Security/CWE-312/test.py

@@ -13,3 +13,10 @@ def get_cert():
 def log_cert():
     logging.debug("Cert=%s", get_cert())
 
+def print_password():
+    print(get_password())
+
+def write_cert(filename):
+    cert = get_cert()
+    with open(filename, "w") as file:
+        file.write(cert)