33
44# Various instances where flow is undesirable
55
6- tainted = NOT_TAINTED
7- ensure_not_tainted (tainted )
6+
7+ # A global variable that starts out being not tainted, but gets tainted through a later assignment.
8+ # In this case, we do not want flow from the tainting assignment back to the place where the value
9+ # was used in a potentially unsafe manner.
10+
11+ tainted_later = NOT_TAINTED
12+ ensure_not_tainted (tainted_later )
813
914def write_global ():
10- global tainted
11- tainted = TAINTED_STRING
15+ global tainted_later
16+ tainted_later = TAINTED_STRING
17+
18+
19+ # A global variable that starts out tainted, and is subsequently reassigned to be untainted.
20+ # In this case we don't want flow from the first assignment to any of its uses.
21+
22+ initially_tainted = TAINTED_STRING
23+ len (initially_tainted ) # Some call that _could_ potentially modify `initially_tainted`
24+ initially_tainted = NOT_TAINTED
25+ ensure_not_tainted (initially_tainted )
26+
27+ def use_of_initially_tainted ():
28+ ensure_not_tainted (initially_tainted ) # FP
29+
30+
31+ # A very similar case to the above, but here we _do_ want taint flow, because the initially tainted
32+ # value is actually used before it gets reassigned to an untainted value.
33+
34+ def use_of_initially_tainted2 ():
35+ ensure_tainted (initially_tainted )
1236
13- tainted2 = TAINTED_STRING
14- len ( tainted2 )
15- tainted2 = NOT_TAINTED
16- ensure_not_tainted (tainted2 )
37+ initially_tainted2 = TAINTED_STRING
38+ use_of_initially_tainted2 ( )
39+ initially_tainted2 = NOT_TAINTED
40+ ensure_not_tainted (initially_tainted2 )
1741
18- def use_of_tainted2 ():
19- global tainted2
20- tainted2 = NOT_TAINTED
2142
2243# Flow via global assigment
2344
@@ -28,5 +49,6 @@ def write_tainted():
2849def sink_global ():
2950 ensure_tainted (g )
3051
52+ write_global ()
3153write_tainted ()
3254sink_global ()
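Review bot: `use_of_initially_tainted2` (new lines 34-35) checks `ensure_tainted(initially_tainted)`, but the global set to `TAINTED_STRING` just before the call on new line 38 is `initially_tainted2`. As far as the rendered lines show, `initially_tainted` was already reassigned to `NOT_TAINTED` on new line 24, so the assertion does not exercise the "used before it gets reassigned" case that the comment on new lines 31-32 describes. The body should probably read `ensure_tainted(initially_tainted2)`; otherwise this taint-tracking test can pass or fail for reasons unrelated to the flow it is meant to pin down. The `# FP` marker on new line 28 would also be clearer as a short comment saying which spurious flow is expected, e.g. `# FP: flow from the first (tainted) assignment still reaches this read`.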