Merge pull request #4 from yoff/RasmusWL-python-more-complete-dataflow-tests

Python: Annotate test file

Author: RasmusWL

python/ql/test/experimental/dataflow/regression/custom_dataflow.expected

@@ -0,0 +1 @@
+| test.py:126:13:126:25 | ControlFlowNode for CUSTOM_SOURCE | test.py:130:21:130:21 | ControlFlowNode for t |

python/ql/test/experimental/dataflow/regression/custom_dataflow.ql

@@ -0,0 +1,29 @@
+/**
+ * This query is meant to catch the flows from `CUSTOM_SOURCE` to `CUSTOM_SINK`.
+ *
+ * This should be compared to
+ * python/ql/test/library-tests/taint/dataflow/Dataflow.ql
+ * A first goal is to have identical results; after that we
+ * hope to remove the false positive.
+ */
+
+import experimental.dataflow.DataFlow
+
+class CustomTestConfiguration extends DataFlow::Configuration {
+  CustomTestConfiguration() { this = "CustomTestConfiguration" }
+
+  override predicate isSource(DataFlow::Node node) {
+    node.(DataFlow::CfgNode).getNode().(NameNode).getId() = "CUSTOM_SOURCE"
+  }
+
+  override predicate isSink(DataFlow::Node node) {
+    exists(CallNode call |
+      call.getFunction().(NameNode).getId() in ["CUSTOM_SINK", "CUSTOM_SINK_F"] and
+      node.(DataFlow::CfgNode).getNode() = call.getAnArg()
+    )
+  }
+}
+
+from DataFlow::Node source, DataFlow::Node sink
+where exists(CustomTestConfiguration cfg | cfg.hasFlow(source, sink))
+select source, sink

python/ql/test/experimental/dataflow/regression/dataflow.expected

@@ -10,15 +10,10 @@
 | test.py:76:9:76:14 | ControlFlowNode for SOURCE | test.py:78:10:78:10 | ControlFlowNode for t |
 | test.py:128:13:128:18 | ControlFlowNode for SOURCE | test.py:132:14:132:14 | ControlFlowNode for t |
 | test.py:159:10:159:15 | ControlFlowNode for SOURCE | test.py:160:14:160:14 | ControlFlowNode for t |
-| test.py:163:9:163:14 | ControlFlowNode for SOURCE | test.py:165:10:165:10 | ControlFlowNode for s |
+| test.py:163:9:163:14 | ControlFlowNode for SOURCE | test.py:165:12:165:12 | ControlFlowNode for s |
 | test.py:178:9:178:14 | ControlFlowNode for SOURCE | test.py:180:14:180:14 | ControlFlowNode for t |
-| test.py:178:9:178:14 | ControlFlowNode for SOURCE | test.py:182:14:182:14 | ControlFlowNode for t |
-| test.py:178:9:178:14 | ControlFlowNode for SOURCE | test.py:184:14:184:14 | ControlFlowNode for t |
+| test.py:178:9:178:14 | ControlFlowNode for SOURCE | test.py:182:16:182:16 | ControlFlowNode for t |
+| test.py:178:9:178:14 | ControlFlowNode for SOURCE | test.py:184:16:184:16 | ControlFlowNode for t |
 | test.py:178:9:178:14 | ControlFlowNode for SOURCE | test.py:186:14:186:14 | ControlFlowNode for t |
 | test.py:195:9:195:14 | ControlFlowNode for SOURCE | test.py:197:14:197:14 | ControlFlowNode for t |
 | test.py:195:9:195:14 | ControlFlowNode for SOURCE | test.py:199:14:199:14 | ControlFlowNode for t |
-| test.py:217:15:217:20 | ControlFlowNode for SOURCE | test.py:219:14:219:20 | ControlFlowNode for tainted |
-| test.py:217:15:217:20 | ControlFlowNode for SOURCE | test.py:220:10:220:16 | ControlFlowNode for tainted |
-| test.py:223:15:223:20 | ControlFlowNode for SOURCE | test.py:226:10:226:16 | ControlFlowNode for tainted |
-| test.py:229:15:229:20 | ControlFlowNode for SOURCE | test.py:231:14:231:20 | ControlFlowNode for tainted |
-| test.py:229:15:229:20 | ControlFlowNode for SOURCE | test.py:233:14:233:20 | ControlFlowNode for tainted |

python/ql/test/experimental/dataflow/regression/test.py

@@ -30,7 +30,7 @@ def test6(cond):
     else:
         t = SOURCE
     if cond:
-        SINK(t)
+        SINK_F(t)
 
 def test7(cond):
     if cond:
@@ -40,8 +40,8 @@ def test7(cond):
     if cond:
         SINK(t)
 
-def source2(arg):
-    return source(arg)
+def source2():
+    return source()
 
 def sink2(arg):
     sink(arg)
@@ -50,7 +50,7 @@ def sink3(cond, arg):
     if cond:
         sink(arg)
 
-def test8(cond):
+def test8(cond):  # This test currently adds nothing, as we only track SOURCE -> SINK, and previous tests already add flow from line 10 to line 13
     t = source2()
     sink2(t)
 
@@ -80,21 +80,21 @@ def test11():
 def test12():
     t = "safe"
     t = hub(t)
-    SINK(t)
+    SINK_F(t)
 
 import module
 
 def test13():
     t = module.dangerous
-    SINK(t)
+    SINK(t)  # Flow not found
 
 def test14():
     t = module.safe
-    SINK(t)
+    SINK_F(t)
 
 def test15():
     t = module.safe2
-    SINK(t)
+    SINK_F(t)
 
 def test16():
     t = module.dangerous_func()
@@ -108,13 +108,13 @@ def x_sink(arg):
 def test17():
     t = C()
     t.x = module.dangerous
-    SINK(t.x)
+    SINK(t.x)  # Flow not found
 
 def test18():
     t = C()
     t.x = module.dangerous
     t = hub(t)
-    x_sink(t)
+    x_sink(t)  # Flow not found
 
 def test19():
     t = CUSTOM_SOURCE
@@ -137,40 +137,40 @@ def test21(cond):
     else:
         t = SOURCE
     if not cond:
-        CUSTOM_SINK(t)
+        CUSTOM_SINK_F(t)
     else:
-        SINK(t)
+        SINK_F(t)
 
 def test22(cond):
     if cond:
         t = CUSTOM_SOURCE
     else:
         t = SOURCE
-    t = TAINT_FROM_ARG(t)
+    t = TAINT_FROM_ARG(t)  # Blocks data flow
     if cond:
         CUSTOM_SINK(t)
     else:
         SINK(t)
 
 from module import dangerous as unsafe
-SINK(unsafe)
+SINK(unsafe)  # Flow not found
 
 def test23():
     with SOURCE as t:
         SINK(t)
 
 def test24():
     s = SOURCE
-    SANITIZE(s)
-    SINK(s)
+    SANITIZE(s)  # Does not block data flow
+    SINK_F(s)
 
 def test_update_extend(x, y):
     l = [SOURCE]
     d = {"key" : SOURCE}
     x.extend(l)
     y.update(d)
-    SINK(x[0])
-    SINK(y["key"])
+    SINK(x[0])  # Flow not found
+    SINK(y["key"])  # Flow not found
     l2 = list(l)
     d2 = dict(d)
 
@@ -179,9 +179,9 @@ def test_truth():
     if t:
         SINK(t)
     else:
-        SINK(t)
+        SINK_F(t)  # False positive
     if not t:
-        SINK(t)
+        SINK_F(t)  # False positive
     else:
         SINK(t)
 
@@ -194,15 +194,15 @@ def test_early_exit():
 def flow_through_type_test_if_no_class():
     t = SOURCE
     if isinstance(t, str):
-        SINK(t)
+        SINK(t)  # Flows's both here..
     else:
-        SINK(t)
+        SINK(t)  # ..and here
 
 def flow_in_iteration():
-    t = ITERABLE_SOURCE
+    t = [SOURCE]
     for i in t:
-        i
-    return i
+        SINK(i)  # Flow not found
+    SINK(i)  # Flow not found
 
 def flow_in_generator():
     seq = [SOURCE]
@@ -211,23 +211,4 @@ def flow_in_generator():
 
 def flow_from_generator():
     for x in flow_in_generator():
-        SINK(x)
-
-def const_eq_clears_taint():
-    tainted = SOURCE
-    if tainted == "safe":
-        SINK(tainted) # safe
-    SINK(tainted) # unsafe
-
-def const_eq_clears_taint2():
-    tainted = SOURCE
-    if tainted != "safe":
-        return
-    SINK(tainted) # safe
-
-def non_const_eq_preserves_taint(x):
-    tainted = SOURCE
-    if tainted == tainted:
-        SINK(tainted) # unsafe
-    if tainted == x:
-        SINK(tainted) # unsafe
+        SINK(x)  # Flow not found