Merge pull request #4109 from RasmusWL/python-basic-taint-tracking

Python: Basic taint tracking with shared library

Author: yoff

python/ql/src/experimental/dataflow/internal/TaintTrackingPrivate.qll

@@ -1,7 +1,14 @@
 private import python
-private import TaintTrackingPublic
 private import experimental.dataflow.DataFlow
 private import experimental.dataflow.internal.DataFlowPrivate
+private import experimental.dataflow.internal.TaintTrackingPublic
+
+/**
+ * Holds if taint can flow in one local step from `nodeFrom` to `nodeTo` excluding
+ * local data flow steps. That is, `nodeFrom` and `nodeTo` are likely to represent
+ * different objects.
+ */
+predicate localAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) { none() }
 
 /**
  * Holds if `node` should be a barrier in all global taint flow configurations
@@ -10,12 +17,11 @@ private import experimental.dataflow.internal.DataFlowPrivate
 predicate defaultTaintBarrier(DataFlow::Node node) { none() }
 
 /**
- * Holds if the additional step from `pred` to `succ` should be included in all
+ * Holds if the additional step from `nodeFrom` to `nodeTo` should be included in all
  * global taint flow configurations.
  */
-predicate defaultAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
-  none()
-  // localAdditionalTaintStep(pred, succ)
-  // or
-  // succ = pred.(DataFlow::NonLocalJumpNode).getAJumpSuccessor(false)
+predicate defaultAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+  localAdditionalTaintStep(nodeFrom, nodeTo)
+  or
+  any(AdditionalTaintStep a).step(nodeFrom, nodeTo)
 }

python/ql/src/experimental/dataflow/internal/TaintTrackingPublic.qll

@@ -6,27 +6,52 @@
 private import python
 private import TaintTrackingPrivate
 private import experimental.dataflow.DataFlow
-// /**
-//  * Holds if taint propagates from `source` to `sink` in zero or more local
-//  * (intra-procedural) steps.
-//  */
-// predicate localTaint(DataFlow::Node source, DataFlow::Node sink) { localTaintStep*(source, sink) }
-// // /**
-// //  * Holds if taint can flow from `e1` to `e2` in zero or more
-// //  * local (intra-procedural) steps.
-// //  */
-// // predicate localExprTaint(Expr e1, Expr e2) {
-// //   localTaint(DataFlow::exprNode(e1), DataFlow::exprNode(e2))
-// // }
-// // /** A member (property or field) that is tainted if its containing object is tainted. */
-// // abstract class TaintedMember extends AssignableMember { }
-// /**
-//  * Holds if taint propagates from `nodeFrom` to `nodeTo` in exactly one local
-//  * (intra-procedural) step.
-//  */
-// predicate localTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
-//   // Ordinary data flow
-//   DataFlow::localFlowStep(nodeFrom, nodeTo)
-//   or
-//   localAdditionalTaintStep(nodeFrom, nodeTo)
-// }
+
+// Local taint flow and helpers
+/**
+ * Holds if taint propagates from `source` to `sink` in zero or more local
+ * (intra-procedural) steps.
+ */
+predicate localTaint(DataFlow::Node source, DataFlow::Node sink) { localTaintStep*(source, sink) }
+
+/**
+ * Holds if taint can flow from `e1` to `e2` in zero or more local (intra-procedural)
+ * steps.
+ */
+predicate localExprTaint(Expr e1, Expr e2) {
+  localTaint(DataFlow::exprNode(e1), DataFlow::exprNode(e2))
+}
+
+/**
+ * Holds if taint propagates from `nodeFrom` to `nodeTo` in exactly one local
+ * (intra-procedural) step.
+ */
+predicate localTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+  // Ordinary data flow
+  DataFlow::localFlowStep(nodeFrom, nodeTo)
+  or
+  localAdditionalTaintStep(nodeFrom, nodeTo)
+}
+
+// AdditionalTaintStep for global taint flow
+private newtype TUnit = TMkUnit()
+
+/** A singleton class containing a single dummy "unit" value. */
+private class Unit extends TUnit {
+  /** Gets a textual representation of this element. */
+  string toString() { result = "unit" }
+}
+
+/**
+ * A unit class for adding additional taint steps.
+ *
+ * Extend this class to add additional taint steps that should apply to all
+ * taint configurations.
+ */
+class AdditionalTaintStep extends Unit {
+  /**
+   * Holds if the step from `nodeFrom` to `nodeTo` should be considered a taint
+   * step for all configurations.
+   */
+  abstract predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo);
+}

python/ql/test/experimental/dataflow/tainttracking/basic/GlobalTaintTracking.expected

@@ -0,0 +1,2 @@
+| test.py:3:11:3:16 | ControlFlowNode for SOURCE | test.py:4:6:4:12 | ControlFlowNode for tainted |
+| test.py:7:20:7:25 | ControlFlowNode for SOURCE | test.py:8:10:8:21 | ControlFlowNode for also_tainted |

python/ql/test/experimental/dataflow/tainttracking/basic/GlobalTaintTracking.ql

@@ -0,0 +1,22 @@
+import python
+import experimental.dataflow.TaintTracking
+import experimental.dataflow.DataFlow
+
+class TestTaintTrackingConfiguration extends TaintTracking::Configuration {
+  TestTaintTrackingConfiguration() { this = "TestTaintTrackingConfiguration" }
+
+  override predicate isSource(DataFlow::Node source) {
+    source.(DataFlow::CfgNode).getNode().(NameNode).getId() = "SOURCE"
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(CallNode call |
+      call.getFunction().(NameNode).getId() = "SINK" and
+      sink.(DataFlow::CfgNode).getNode() = call.getAnArg()
+    )
+  }
+}
+
+from TestTaintTrackingConfiguration config, DataFlow::Node source, DataFlow::Node sink
+where config.hasFlow(source, sink)
+select source, sink

python/ql/test/experimental/dataflow/tainttracking/basic/LocalTaintStep.expected

@@ -0,0 +1,5 @@
+| test.py:0:0:0:0 | SSA variable $ | test.py:0:0:0:0 | Exit node for Module test |
+| test.py:7:5:7:16 | SSA variable also_tainted | test.py:8:5:8:22 | SSA variable also_tainted |
+| test.py:7:5:7:16 | SSA variable also_tainted | test.py:8:10:8:21 | ControlFlowNode for also_tainted |
+| test.py:7:20:7:25 | ControlFlowNode for SOURCE | test.py:7:5:7:16 | SSA variable also_tainted |
+| test.py:8:5:8:22 | SSA variable also_tainted | test.py:6:1:6:11 | Exit node for Function func |

python/ql/test/experimental/dataflow/tainttracking/basic/LocalTaintStep.ql

@@ -0,0 +1,7 @@
+import python
+import experimental.dataflow.TaintTracking
+import experimental.dataflow.DataFlow
+
+from DataFlow::Node nodeFrom, DataFlow::Node nodeTo
+where TaintTracking::localTaintStep(nodeFrom, nodeTo)
+select nodeFrom, nodeTo

python/ql/test/experimental/dataflow/tainttracking/basic/test.py

@@ -0,0 +1,8 @@
+# Module level taint is different from inside functions, since shared dataflow library
+# relies on `getEnclosingCallable`
+tainted = SOURCE
+SINK(tainted)
+
+def func():
+    also_tainted = SOURCE
+    SINK(also_tainted)