Python: Handle taint for f-strings

Which we seem to not handle in the current taint tracking :O

f-strings needs to be Python 3 only, so enabled that test setup. I really liked
the idea for having the version specific tests right next to the normal tests,
so you don't have to look in
test/experimental/3/dataflow/i/will/forget/to/look/here.

Author: RasmusWL

python/ql/src/experimental/dataflow/internal/TaintTrackingPrivate.qll

@@ -125,6 +125,9 @@ predicate stringMethods(DataFlow::CfgNode nodeFrom, DataFlow::CfgNode nodeTo) {
     mult.getOp() instanceof Mult and
     mult.getLeft() = nodeFrom.getNode()
   )
+  or
+  // f-strings
+  nodeTo.getNode().getNode().(Fstring).getAValue() = nodeFrom.getNode().getNode()
   // TODO: Handle encode/decode from base64/quopri
   // TODO: Handle os.path.join
   // TODO: Handle functions in https://docs.python.org/3/library/binascii.html

…taflow/tainttracking/string/TestTaint.ql …ntal/dataflow/tainttracking/TestTaint.qlpython/ql/test/experimental/dataflow/tainttracking/string/TestTaint.ql renamed to python/ql/test/experimental/dataflow/tainttracking/TestTaint.ql python/ql/test/experimental/dataflow/tainttracking/string/TestTaint.ql renamed to python/ql/test/experimental/dataflow/tainttracking/TestTaint.ql

@@ -0,0 +1,7 @@
+| test.py:28 | fail | binary_decode_encode | base64.a85encode(..) |
+| test.py:29 | fail | binary_decode_encode | base64.a85decode(..) |
+| test.py:32 | fail | binary_decode_encode | base64.b85encode(..) |
+| test.py:33 | fail | binary_decode_encode | base64.b85decode(..) |
+| test.py:36 | fail | binary_decode_encode | base64.encodebytes(..) |
+| test.py:37 | fail | binary_decode_encode | base64.decodebytes(..) |
+| test.py:45 | ok   | f_strings | Fstring |

python/ql/test/experimental/dataflow/tainttracking/string-py3/TestTaint.expected

@@ -0,0 +1 @@
+../TestTaint.ql

python/ql/test/experimental/dataflow/tainttracking/string-py3/TestTaint.qlref

@@ -0,0 +1 @@
+semmle-extractor-options: --max-import-depth=1 --lang=3

python/ql/test/experimental/dataflow/tainttracking/string-py3/options

@@ -0,0 +1,51 @@
+# Python 3 specific taint tracking for string
+
+TAINTED_STRING = "TAINTED_STRING"
+TAINTED_BYTES = b"TAINTED_BYTES"
+
+
+def ensure_tainted(*args):
+    print("- ensure_tainted")
+    for i, arg in enumerate(args):
+        print("arg {}: {!r}".format(i, arg))
+
+
+def ensure_not_tainted(*args):
+    print("- ensure_not_tainted")
+    for i, arg in enumerate(args):
+        print("arg {}: {!r}".format(i, arg))
+
+
+# Actual tests
+
+def binary_decode_encode():
+    print("\n#percent_fmt")
+    tb = TAINTED_BYTES
+    import base64
+
+    ensure_tainted(
+        # New in Python 3.4
+        base64.a85encode(tb),
+        base64.a85decode(base64.a85encode(tb)),
+
+        # New in Python 3.4
+        base64.b85encode(tb),
+        base64.b85decode(base64.b85encode(tb)),
+
+        # New in Python 3.1
+        base64.encodebytes(tb),
+        base64.decodebytes(base64.encodebytes(tb)),
+    )
+
+
+def f_strings():
+    print("\n#f_strings")
+    ts = TAINTED_STRING
+
+    ensure_tainted(f"foo {ts} bar")
+
+
+# Make tests runable
+
+binary_decode_encode()
+f_strings()

python/ql/test/experimental/dataflow/tainttracking/string-py3/test.py

@@ -0,0 +1 @@
+../TestTaint.ql