Skip to content

Commit ebd9bc3

Browse files
markshannonmarkshannon
committed
Python: Improve taint tracking to account for truthiness of the taint kind.
1 parent 8a16164 commit ebd9bc3

File tree

7 files changed

+42
-1
lines changed

7 files changed

+42
-1
lines changed

python/ql/src/semmle/python/security/TaintTracking.qll

Lines changed: 14 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -148,6 +148,16 @@ abstract class TaintKind extends string {
148148
none()
149149
}
150150

151+
/** Gets the boolean values (may be one, neither, or both) that
152+
* may result from the Python expression `bool(this)`
153+
*/
154+
boolean booleanValue() {
155+
/* Default to true as the vast majority of taint is strings and
156+
* the empty string is almost always benign.
157+
*/
158+
result = true
159+
}
160+
151161
string repr() { result = this }
152162

153163
}
@@ -1190,7 +1200,8 @@ library module TaintFlowImplementation {
11901200
sanitizer.sanitizingEdge(kind, test)
11911201
)
11921202
|
1193-
not Filters::isinstance(test.getTest(), _, var.getSourceVariable().getAUse())
1203+
not Filters::isinstance(test.getTest(), _, var.getSourceVariable().getAUse()) and
1204+
not test.getTest() = var.getSourceVariable().getAUse()
11941205
or
11951206
exists(ControlFlowNode c, ClassObject cls |
11961207
Filters::isinstance(test.getTest(), c, var.getSourceVariable().getAUse())
@@ -1200,6 +1211,8 @@ library module TaintFlowImplementation {
12001211
or
12011212
test.getSense() = false and not kind.getClass().getAnImproperSuperType() = cls
12021213
)
1214+
or
1215+
test.getTest() = var.getSourceVariable().getAUse() and kind.booleanValue() = test.getSense()
12031216
)
12041217
}
12051218

python/ql/test/library-tests/taint/general/TestNode.expected

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -215,6 +215,11 @@
215215
| Taint simple.test | test.py:169 | SOURCE | |
216216
| Taint simple.test | test.py:172 | Subscript | |
217217
| Taint simple.test | test.py:173 | Subscript | |
218+
| Taint simple.test | test.py:178 | SOURCE | |
219+
| Taint simple.test | test.py:179 | t | |
220+
| Taint simple.test | test.py:180 | t | |
221+
| Taint simple.test | test.py:183 | t | |
222+
| Taint simple.test | test.py:186 | t | |
218223
| Taint {simple.test} | test.py:169 | Dict | |
219224
| Taint {simple.test} | test.py:171 | d | |
220225
| Taint {simple.test} | test.py:173 | y | |

python/ql/test/library-tests/taint/general/TestSink.expected

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -32,3 +32,5 @@
3232
| simple.test | test.py:159 | 160 | t | simple.test |
3333
| simple.test | test.py:168 | 172 | Subscript | simple.test |
3434
| simple.test | test.py:169 | 173 | Subscript | simple.test |
35+
| simple.test | test.py:178 | 180 | t | simple.test |
36+
| simple.test | test.py:178 | 186 | t | simple.test |

python/ql/test/library-tests/taint/general/TestSource.expected

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -40,3 +40,4 @@
4040
| test.py:163 | SOURCE | simple.test |
4141
| test.py:168 | SOURCE | simple.test |
4242
| test.py:169 | SOURCE | simple.test |
43+
| test.py:178 | SOURCE | simple.test |

python/ql/test/library-tests/taint/general/TestStep.expected

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -173,6 +173,10 @@
173173
| Taint simple.test | test.py:163 | SOURCE | | --> | Taint simple.test | test.py:164 | s | |
174174
| Taint simple.test | test.py:168 | SOURCE | | --> | Taint [simple.test] | test.py:168 | List | |
175175
| Taint simple.test | test.py:169 | SOURCE | | --> | Taint {simple.test} | test.py:169 | Dict | |
176+
| Taint simple.test | test.py:178 | SOURCE | | --> | Taint simple.test | test.py:179 | t | |
177+
| Taint simple.test | test.py:178 | SOURCE | | --> | Taint simple.test | test.py:180 | t | |
178+
| Taint simple.test | test.py:178 | SOURCE | | --> | Taint simple.test | test.py:183 | t | |
179+
| Taint simple.test | test.py:178 | SOURCE | | --> | Taint simple.test | test.py:186 | t | |
176180
| Taint {simple.test} | test.py:169 | Dict | | --> | Taint {simple.test} | test.py:171 | d | |
177181
| Taint {simple.test} | test.py:169 | Dict | | --> | Taint {simple.test} | test.py:175 | d | |
178182
| Taint {simple.test} | test.py:171 | d | | --> | Taint {simple.test} | test.py:173 | y | |

python/ql/test/library-tests/taint/general/TestVar.expected

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -177,3 +177,8 @@
177177
| test.py:174 | l_2 | test.py:168 | Taint [simple.test] | List |
178178
| test.py:175 | d2_0 | test.py:175 | Taint {simple.test} | dict() |
179179
| test.py:175 | d_2 | test.py:169 | Taint {simple.test} | Dict |
180+
| test.py:178 | t_0 | test.py:178 | Taint simple.test | SOURCE |
181+
| test.py:180 | t_1 | test.py:178 | Taint simple.test | SOURCE |
182+
| test.py:180 | t_2 | test.py:178 | Taint simple.test | SOURCE |
183+
| test.py:183 | t_3 | test.py:178 | Taint simple.test | SOURCE |
184+
| test.py:186 | t_4 | test.py:178 | Taint simple.test | SOURCE |

python/ql/test/library-tests/taint/general/test.py

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -173,3 +173,14 @@ def test_update_extend(x, y):
173173
SINK(y["key"])
174174
l2 = list(l)
175175
d2 = dict(d)
176+
177+
def test_truth():
178+
t = SOURCE
179+
if t:
180+
SINK(t)
181+
else:
182+
SINK(t)
183+
if not t:
184+
SINK(t)
185+
else:
186+
SINK(t)

0 commit comments

Comments
 (0)