Python: Use Value API for sensitive data analysis.

Author: markshannon

python/ql/src/semmle/python/objects/Modules.qll

@@ -398,8 +398,11 @@ class AbsentModuleAttributeObjectInternal extends ObjectInternal, TAbsentModuleA
 
     override predicate subscriptUnknown() { any() }
 
-    /* We know what this is called, but not its innate name */
-    override string getName() { none() }
+    /* We know what this is called, but not its innate name.
+     * However, if we are looking for things by name, this is a reasonable approximation */
+    override string getName() {
+        this = TAbsentModuleAttribute(_, result)
+    }
 
     override predicate contextSensitiveCallee() { none() }
 

python/ql/src/semmle/python/security/SensitiveData.qll

@@ -110,12 +110,12 @@ module SensitiveData {
         override string repr() { result = "a certificate or key" }
     }
 
-    private SensitiveData fromFunction(FunctionObject f) {
-        result = HeuristicNames::getSensitiveDataForName(f.getName())
+    private SensitiveData fromFunction(Value func) {
+        result = HeuristicNames::getSensitiveDataForName(func.getName())
         or
         // This is particularly to pick up methods with an argument like "password", which
         // may indicate a lookup.
-        exists(string name | name = f.getFunction().getAnArg().asName().getId() |
+        exists(string name | name = func.(PythonFunctionValue).getScope().getAnArg().asName().getId() |
             result = HeuristicNames::getSensitiveDataForName(name)
         )
     }
@@ -131,7 +131,7 @@ module SensitiveData {
         SensitiveData data;
 
         SensitiveCallSource() {
-            exists(FunctionObject callee |
+            exists(Value callee |
                 callee.getACall() = this |
                 data = fromFunction(callee)
             )

python/ql/test/library-tests/security/sensitive/Sources.expected

@@ -0,0 +1,5 @@
+| test.py:16:1:16:14 | test.py:16 | a call returning a password |
+| test.py:17:1:17:12 | test.py:17 | a call returning a password |
+| test.py:18:1:18:12 | test.py:18 | a call returning a secret |
+| test.py:19:1:19:19 | test.py:19 | a call returning a certificate or key |
+| test.py:20:1:20:12 | test.py:20 | a call returning an ID |

python/ql/test/library-tests/security/sensitive/Sources.ql

@@ -0,0 +1,7 @@
+
+import python
+
+import semmle.python.security.SensitiveData
+
+from SensitiveData::Source src
+select src.getLocation(), src.repr()

python/ql/test/library-tests/security/sensitive/test.py

@@ -0,0 +1,21 @@
+
+from not_found import get_passwd, account_id
+
+def get_password():
+    pass
+
+def get_secret():
+    pass
+
+def fetch_certificate():
+    pass
+
+def encrypt_password(pwd):
+    pass
+
+get_password()
+get_passwd()
+get_secret()
+fetch_certificate()
+account_id()
+safe_to_store = encrypt_password(pwd)