Python: Taint for string multiplication

RasmusWL · RasmusWL · commit cb4b4e91abc6 · 2020-08-24T14:54:06.000+02:00
diff --git a/python/ql/src/experimental/dataflow/internal/TaintTrackingPrivate.qll b/python/ql/src/experimental/dataflow/internal/TaintTrackingPrivate.qll
@@ -119,6 +119,12 @@ predicate stringMethods(DataFlow::CfgNode nodeFrom, DataFlow::CfgNode nodeTo) {
       fmt.getRight() = nodeFrom.getNode()
     )
   )
+  or
+  // string multiplication -- `"foo" * 10`
+  exists(BinaryExprNode mult | mult = nodeTo.getNode() |
+    mult.getOp() instanceof Mult and
+    mult.getLeft() = nodeFrom.getNode()
+  )
   // TODO: Handle encode/decode from base64/quopri
   // TODO: Handle os.path.join
   // TODO: Handle functions in https://docs.python.org/3/library/binascii.html
diff --git a/python/ql/test/experimental/dataflow/tainttracking/string/TestTaint.expected b/python/ql/test/experimental/dataflow/tainttracking/string/TestTaint.expected
@@ -1,63 +1,64 @@
 | test.py:24 | ok   | str_operations | ts |
 | test.py:25 | ok   | str_operations | BinaryExpr |
 | test.py:26 | ok   | str_operations | BinaryExpr |
-| test.py:27 | ok   | str_operations | ts[Slice] |
+| test.py:27 | ok   | str_operations | BinaryExpr |
 | test.py:28 | ok   | str_operations | ts[Slice] |
 | test.py:29 | ok   | str_operations | ts[Slice] |
-| test.py:30 | ok   | str_operations | ts[0] |
-| test.py:31 | ok   | str_operations | str(..) |
-| test.py:32 | ok   | str_operations | bytes(..) |
-| test.py:41 | ok   | str_methods | ts.capitalize() |
-| test.py:42 | ok   | str_methods | ts.casefold() |
-| test.py:43 | ok   | str_methods | ts.center(..) |
-| test.py:44 | ok   | str_methods | ts.expandtabs() |
-| test.py:46 | ok   | str_methods | ts.format() |
-| test.py:47 | ok   | str_methods | "{}".format(..) |
-| test.py:48 | ok   | str_methods | "{unsafe}".format(..) |
-| test.py:50 | ok   | str_methods | ts.format_map(..) |
-| test.py:51 | fail | str_methods | "{unsafe}".format_map(..) |
-| test.py:53 | ok   | str_methods | ts.join(..) |
-| test.py:54 | fail | str_methods | "".join(..) |
-| test.py:56 | ok   | str_methods | ts.ljust(..) |
-| test.py:57 | ok   | str_methods | ts.lstrip() |
-| test.py:58 | ok   | str_methods | ts.lower() |
-| test.py:60 | ok   | str_methods | ts.replace(..) |
-| test.py:61 | ok   | str_methods | "safe".replace(..) |
-| test.py:63 | ok   | str_methods | ts.rjust(..) |
-| test.py:64 | ok   | str_methods | ts.rstrip() |
-| test.py:65 | ok   | str_methods | ts.strip() |
-| test.py:66 | ok   | str_methods | ts.swapcase() |
-| test.py:67 | ok   | str_methods | ts.title() |
-| test.py:68 | ok   | str_methods | ts.upper() |
-| test.py:69 | ok   | str_methods | ts.zfill(..) |
-| test.py:71 | ok   | str_methods | ts.encode(..) |
-| test.py:72 | ok   | str_methods | ts.encode(..).decode(..) |
-| test.py:74 | ok   | str_methods | tb.decode(..) |
-| test.py:75 | ok   | str_methods | tb.decode(..).encode(..) |
-| test.py:78 | ok   | str_methods | ts.partition(..) |
-| test.py:79 | ok   | str_methods | ts.rpartition(..) |
-| test.py:80 | ok   | str_methods | ts.rsplit(..) |
-| test.py:81 | ok   | str_methods | ts.split(..) |
-| test.py:82 | ok   | str_methods | ts.splitlines() |
-| test.py:87 | ok   | str_methods | "safe".replace(..) |
-| test.py:89 | fail | str_methods | ts.join(..) |
+| test.py:30 | ok   | str_operations | ts[Slice] |
+| test.py:31 | ok   | str_operations | ts[0] |
+| test.py:32 | ok   | str_operations | str(..) |
+| test.py:33 | ok   | str_operations | bytes(..) |
+| test.py:42 | ok   | str_methods | ts.capitalize() |
+| test.py:43 | ok   | str_methods | ts.casefold() |
+| test.py:44 | ok   | str_methods | ts.center(..) |
+| test.py:45 | ok   | str_methods | ts.expandtabs() |
+| test.py:47 | ok   | str_methods | ts.format() |
+| test.py:48 | ok   | str_methods | "{}".format(..) |
+| test.py:49 | ok   | str_methods | "{unsafe}".format(..) |
+| test.py:51 | ok   | str_methods | ts.format_map(..) |
+| test.py:52 | fail | str_methods | "{unsafe}".format_map(..) |
+| test.py:54 | ok   | str_methods | ts.join(..) |
+| test.py:55 | fail | str_methods | "".join(..) |
+| test.py:57 | ok   | str_methods | ts.ljust(..) |
+| test.py:58 | ok   | str_methods | ts.lstrip() |
+| test.py:59 | ok   | str_methods | ts.lower() |
+| test.py:61 | ok   | str_methods | ts.replace(..) |
+| test.py:62 | ok   | str_methods | "safe".replace(..) |
+| test.py:64 | ok   | str_methods | ts.rjust(..) |
+| test.py:65 | ok   | str_methods | ts.rstrip() |
+| test.py:66 | ok   | str_methods | ts.strip() |
+| test.py:67 | ok   | str_methods | ts.swapcase() |
+| test.py:68 | ok   | str_methods | ts.title() |
+| test.py:69 | ok   | str_methods | ts.upper() |
+| test.py:70 | ok   | str_methods | ts.zfill(..) |
+| test.py:72 | ok   | str_methods | ts.encode(..) |
+| test.py:73 | ok   | str_methods | ts.encode(..).decode(..) |
+| test.py:75 | ok   | str_methods | tb.decode(..) |
+| test.py:76 | ok   | str_methods | tb.decode(..).encode(..) |
+| test.py:79 | ok   | str_methods | ts.partition(..) |
+| test.py:80 | ok   | str_methods | ts.rpartition(..) |
+| test.py:81 | ok   | str_methods | ts.rsplit(..) |
+| test.py:82 | ok   | str_methods | ts.split(..) |
+| test.py:83 | ok   | str_methods | ts.splitlines() |
+| test.py:88 | ok   | str_methods | "safe".replace(..) |
 | test.py:90 | fail | str_methods | ts.join(..) |
-| test.py:100 | fail | non_syntactic | meth() |
-| test.py:101 | fail | non_syntactic | _str(..) |
-| test.py:110 | ok   | percent_fmt | BinaryExpr |
+| test.py:91 | fail | str_methods | ts.join(..) |
+| test.py:101 | fail | non_syntactic | meth() |
+| test.py:102 | fail | non_syntactic | _str(..) |
 | test.py:111 | ok   | percent_fmt | BinaryExpr |
-| test.py:112 | fail | percent_fmt | BinaryExpr |
-| test.py:122 | fail | binary_decode_encode | base64.b64encode(..) |
-| test.py:123 | fail | binary_decode_encode | base64.b64decode(..) |
-| test.py:125 | fail | binary_decode_encode | base64.standard_b64encode(..) |
-| test.py:126 | fail | binary_decode_encode | base64.standard_b64decode(..) |
-| test.py:128 | fail | binary_decode_encode | base64.urlsafe_b64encode(..) |
-| test.py:129 | fail | binary_decode_encode | base64.urlsafe_b64decode(..) |
-| test.py:131 | fail | binary_decode_encode | base64.b32encode(..) |
-| test.py:132 | fail | binary_decode_encode | base64.b32decode(..) |
-| test.py:134 | fail | binary_decode_encode | base64.b16encode(..) |
-| test.py:135 | fail | binary_decode_encode | base64.b16decode(..) |
-| test.py:150 | fail | binary_decode_encode | base64.encodestring(..) |
-| test.py:151 | fail | binary_decode_encode | base64.decodestring(..) |
-| test.py:156 | fail | binary_decode_encode | quopri.encodestring(..) |
-| test.py:157 | fail | binary_decode_encode | quopri.decodestring(..) |
+| test.py:112 | ok   | percent_fmt | BinaryExpr |
+| test.py:113 | fail | percent_fmt | BinaryExpr |
+| test.py:123 | fail | binary_decode_encode | base64.b64encode(..) |
+| test.py:124 | fail | binary_decode_encode | base64.b64decode(..) |
+| test.py:126 | fail | binary_decode_encode | base64.standard_b64encode(..) |
+| test.py:127 | fail | binary_decode_encode | base64.standard_b64decode(..) |
+| test.py:129 | fail | binary_decode_encode | base64.urlsafe_b64encode(..) |
+| test.py:130 | fail | binary_decode_encode | base64.urlsafe_b64decode(..) |
+| test.py:132 | fail | binary_decode_encode | base64.b32encode(..) |
+| test.py:133 | fail | binary_decode_encode | base64.b32decode(..) |
+| test.py:135 | fail | binary_decode_encode | base64.b16encode(..) |
+| test.py:136 | fail | binary_decode_encode | base64.b16decode(..) |
+| test.py:151 | fail | binary_decode_encode | base64.encodestring(..) |
+| test.py:152 | fail | binary_decode_encode | base64.decodestring(..) |
+| test.py:157 | fail | binary_decode_encode | quopri.encodestring(..) |
+| test.py:158 | fail | binary_decode_encode | quopri.decodestring(..) |
diff --git a/python/ql/test/experimental/dataflow/tainttracking/string/test.py b/python/ql/test/experimental/dataflow/tainttracking/string/test.py
@@ -24,6 +24,7 @@ def str_operations():
         ts,
         ts + "foo",
         "foo" + ts,
+        ts * 5,
         ts[0 : len(ts)],
         ts[:],
         ts[0:1000],

Original file line number	Diff line number	Diff line change
`@@ -119,6 +119,12 @@ predicate stringMethods(DataFlow::CfgNode nodeFrom, DataFlow::CfgNode nodeTo) {`
`119`	`119`	`fmt.getRight() = nodeFrom.getNode()`
`120`	`120`	`)`
`121`	`121`	`)`
	`122`	`+ or`
	`123`	+ // string multiplication -- `"foo" * 10`
	`124`	`+ exists(BinaryExprNode mult \| mult = nodeTo.getNode() \|`
	`125`	`+ mult.getOp() instanceof Mult and`
	`126`	`+ mult.getLeft() = nodeFrom.getNode()`
	`127`	`+ )`
`122`	`128`	`// TODO: Handle encode/decode from base64/quopri`
`123`	`129`	`// TODO: Handle os.path.join`
`124`	`130`	`// TODO: Handle functions in https://docs.python.org/3/library/binascii.html`