Merge pull request #2639 from RasmusWL/python-improve-dict-taint

Python: Improve tests for tainted collections

Author: tausbn

python/ql/test/library-tests/taint/collections/Taint.qll

@@ -0,0 +1,46 @@
+import python
+import semmle.python.security.TaintTracking
+import semmle.python.security.strings.Untrusted
+
+
+class SimpleSource extends TaintSource {
+
+    SimpleSource() { this.(NameNode).getId() = "TAINTED_STRING" }
+
+    override predicate isSourceOf(TaintKind kind) {
+        kind instanceof ExternalStringKind
+    }
+
+    override string toString() {
+        result = "taint source"
+    }
+
+}
+
+class ListSource extends TaintSource {
+
+    ListSource() { this.(NameNode).getId() = "TAINTED_LIST" }
+
+    override predicate isSourceOf(TaintKind kind) {
+        kind instanceof ExternalStringSequenceKind
+    }
+
+    override string toString() {
+        result = "list taint source"
+    }
+
+}
+
+class DictSource extends TaintSource {
+
+    DictSource() { this.(NameNode).getId() = "TAINTED_DICT" }
+
+    override predicate isSourceOf(TaintKind kind) {
+        kind instanceof ExternalStringDictKind
+    }
+
+    override string toString() {
+        result = "dict taint source"
+    }
+
+}

python/ql/test/library-tests/taint/collections/TestStep.expected

@@ -0,0 +1,60 @@
+| Taint [externally controlled string] | test.py:9 | test.py:9:20:9:35 | List |  |  -->  | Taint [externally controlled string] | test.py:14 | test.py:14:14:14:25 | tainted_list |  |
+| Taint [externally controlled string] | test.py:9 | test.py:9:20:9:35 | List |  |  -->  | Taint [externally controlled string] | test.py:20 | test.py:20:15:20:26 | tainted_list |  |
+| Taint [externally controlled string] | test.py:9 | test.py:9:20:9:35 | List |  |  -->  | Taint [externally controlled string] | test.py:21 | test.py:21:13:21:24 | tainted_list |  |
+| Taint [externally controlled string] | test.py:9 | test.py:9:20:9:35 | List |  |  -->  | Taint [externally controlled string] | test.py:22 | test.py:22:19:22:30 | tainted_list |  |
+| Taint [externally controlled string] | test.py:10 | test.py:10:22:10:36 | Tuple |  |  -->  | Taint [externally controlled string] | test.py:15 | test.py:15:14:15:26 | tainted_tuple |  |
+| Taint [externally controlled string] | test.py:14 | test.py:14:9:14:26 | list() |  |  -->  | Taint [externally controlled string] | test.py:23 | test.py:23:10:23:10 | a |  |
+| Taint [externally controlled string] | test.py:14 | test.py:14:14:14:25 | tainted_list |  |  -->  | Taint [externally controlled string] | test.py:14 | test.py:14:9:14:26 | list() |  |
+| Taint [externally controlled string] | test.py:15 | test.py:15:9:15:27 | list() |  |  -->  | Taint [externally controlled string] | test.py:23 | test.py:23:13:23:13 | b |  |
+| Taint [externally controlled string] | test.py:15 | test.py:15:14:15:26 | tainted_tuple |  |  -->  | Taint [externally controlled string] | test.py:15 | test.py:15:9:15:27 | list() |  |
+| Taint [externally controlled string] | test.py:17 | test.py:17:9:17:35 | list() |  |  -->  | Taint [externally controlled string] | test.py:23 | test.py:23:19:23:19 | d |  |
+| Taint [externally controlled string] | test.py:17 | test.py:17:14:17:34 | Attribute() |  |  -->  | Taint [externally controlled string] | test.py:17 | test.py:17:9:17:35 | list() |  |
+| Taint [externally controlled string] | test.py:20 | test.py:20:9:20:27 | tuple() |  |  -->  | Taint [externally controlled string] | test.py:23 | test.py:23:25:23:25 | f |  |
+| Taint [externally controlled string] | test.py:20 | test.py:20:15:20:26 | tainted_list |  |  -->  | Taint [externally controlled string] | test.py:20 | test.py:20:9:20:27 | tuple() |  |
+| Taint [externally controlled string] | test.py:21 | test.py:21:9:21:25 | set() |  |  -->  | Taint [externally controlled string] | test.py:23 | test.py:23:28:23:28 | g |  |
+| Taint [externally controlled string] | test.py:21 | test.py:21:13:21:24 | tainted_list |  |  -->  | Taint [externally controlled string] | test.py:21 | test.py:21:9:21:25 | set() |  |
+| Taint [externally controlled string] | test.py:26 | test.py:26:20:26:31 | TAINTED_LIST |  |  -->  | Taint [externally controlled string] | test.py:27 | test.py:27:9:27:20 | tainted_list |  |
+| Taint [externally controlled string] | test.py:26 | test.py:26:20:26:31 | TAINTED_LIST |  |  -->  | Taint [externally controlled string] | test.py:28 | test.py:28:9:28:20 | tainted_list |  |
+| Taint [externally controlled string] | test.py:26 | test.py:26:20:26:31 | TAINTED_LIST |  |  -->  | Taint [externally controlled string] | test.py:29 | test.py:29:9:29:20 | tainted_list |  |
+| Taint [externally controlled string] | test.py:26 | test.py:26:20:26:31 | TAINTED_LIST |  |  -->  | Taint [externally controlled string] | test.py:30 | test.py:30:9:30:20 | tainted_list |  |
+| Taint [externally controlled string] | test.py:26 | test.py:26:20:26:31 | TAINTED_LIST |  |  -->  | Taint [externally controlled string] | test.py:31 | test.py:31:15:31:26 | tainted_list |  |
+| Taint [externally controlled string] | test.py:26 | test.py:26:20:26:31 | TAINTED_LIST |  |  -->  | Taint [externally controlled string] | test.py:33 | test.py:33:14:33:25 | tainted_list |  |
+| Taint [externally controlled string] | test.py:26 | test.py:26:20:26:31 | TAINTED_LIST |  |  -->  | Taint [externally controlled string] | test.py:35 | test.py:35:23:35:34 | tainted_list |  |
+| Taint [externally controlled string] | test.py:27 | test.py:27:9:27:20 | tainted_list |  |  -->  | Taint externally controlled string | test.py:27 | test.py:27:9:27:23 | Subscript |  |
+| Taint [externally controlled string] | test.py:28 | test.py:28:9:28:20 | tainted_list |  |  -->  | Taint externally controlled string | test.py:28 | test.py:28:9:28:23 | Subscript |  |
+| Taint [externally controlled string] | test.py:29 | test.py:29:9:29:20 | tainted_list |  |  -->  | Taint [externally controlled string] | test.py:29 | test.py:29:9:29:25 | Subscript |  |
+| Taint [externally controlled string] | test.py:29 | test.py:29:9:29:25 | Subscript |  |  -->  | Taint [externally controlled string] | test.py:32 | test.py:32:16:32:16 | c |  |
+| Taint [externally controlled string] | test.py:30 | test.py:30:9:30:20 | tainted_list |  |  -->  | Taint [externally controlled string] | test.py:30 | test.py:30:9:30:27 | Attribute() |  |
+| Taint [externally controlled string] | test.py:30 | test.py:30:9:30:27 | Attribute() |  |  -->  | Taint [externally controlled string] | test.py:32 | test.py:32:19:32:19 | d |  |
+| Taint [externally controlled string] | test.py:33 | test.py:33:14:33:25 | tainted_list |  |  -->  | Taint externally controlled string | test.py:33 | test.py:33:5:33:26 | For |  |
+| Taint [externally controlled string] | test.py:35 | test.py:35:14:35:35 | reversed() |  |  -->  | Taint externally controlled string | test.py:35 | test.py:35:5:35:36 | For |  |
+| Taint [externally controlled string] | test.py:35 | test.py:35:23:35:34 | tainted_list |  |  -->  | Taint [externally controlled string] | test.py:35 | test.py:35:14:35:35 | reversed() |  |
+| Taint [externally controlled string] | test.py:44 | test.py:44:14:44:34 | Attribute() |  |  -->  | Taint externally controlled string | test.py:44 | test.py:44:5:44:35 | For |  |
+| Taint externally controlled string | test.py:8 | test.py:8:22:8:35 | TAINTED_STRING |  |  -->  | Taint externally controlled string | test.py:9 | test.py:9:21:9:34 | tainted_string |  |
+| Taint externally controlled string | test.py:8 | test.py:8:22:8:35 | TAINTED_STRING |  |  -->  | Taint externally controlled string | test.py:10 | test.py:10:22:10:35 | tainted_string |  |
+| Taint externally controlled string | test.py:8 | test.py:8:22:8:35 | TAINTED_STRING |  |  -->  | Taint externally controlled string | test.py:11 | test.py:11:20:11:33 | tainted_string |  |
+| Taint externally controlled string | test.py:8 | test.py:8:22:8:35 | TAINTED_STRING |  |  -->  | Taint externally controlled string | test.py:12 | test.py:12:28:12:41 | tainted_string |  |
+| Taint externally controlled string | test.py:9 | test.py:9:21:9:34 | tainted_string |  |  -->  | Taint [externally controlled string] | test.py:9 | test.py:9:20:9:35 | List |  |
+| Taint externally controlled string | test.py:10 | test.py:10:22:10:35 | tainted_string |  |  -->  | Taint [externally controlled string] | test.py:10 | test.py:10:22:10:36 | Tuple |  |
+| Taint externally controlled string | test.py:12 | test.py:12:28:12:41 | tainted_string |  |  -->  | Taint {externally controlled string} | test.py:12 | test.py:12:20:12:42 | Dict |  |
+| Taint externally controlled string | test.py:27 | test.py:27:9:27:23 | Subscript |  |  -->  | Taint externally controlled string | test.py:32 | test.py:32:10:32:10 | a |  |
+| Taint externally controlled string | test.py:28 | test.py:28:9:28:23 | Subscript |  |  -->  | Taint externally controlled string | test.py:32 | test.py:32:13:32:13 | b |  |
+| Taint externally controlled string | test.py:33 | test.py:33:5:33:26 | For |  |  -->  | Taint externally controlled string | test.py:34 | test.py:34:14:34:14 | h |  |
+| Taint externally controlled string | test.py:35 | test.py:35:5:35:36 | For |  |  -->  | Taint externally controlled string | test.py:36 | test.py:36:14:36:14 | i |  |
+| Taint externally controlled string | test.py:40 | test.py:40:9:40:28 | Subscript |  |  -->  | Taint externally controlled string | test.py:43 | test.py:43:10:43:10 | a |  |
+| Taint externally controlled string | test.py:41 | test.py:41:9:41:23 | Subscript |  |  -->  | Taint externally controlled string | test.py:43 | test.py:43:13:43:13 | b |  |
+| Taint externally controlled string | test.py:44 | test.py:44:5:44:35 | For |  |  -->  | Taint externally controlled string | test.py:45 | test.py:45:14:45:14 | d |  |
+| Taint externally controlled string | test.py:62 | test.py:62:34:62:47 | TAINTED_STRING |  |  -->  | Taint externally controlled string | test.py:62 | test.py:62:5:62:47 | BinaryExpr |  |
+| Taint {externally controlled string} | test.py:12 | test.py:12:20:12:42 | Dict |  |  -->  | Taint {externally controlled string} | test.py:17 | test.py:17:14:17:25 | tainted_dict |  |
+| Taint {externally controlled string} | test.py:12 | test.py:12:20:12:42 | Dict |  |  -->  | Taint {externally controlled string} | test.py:18 | test.py:18:14:18:25 | tainted_dict |  |
+| Taint {externally controlled string} | test.py:17 | test.py:17:14:17:25 | tainted_dict |  |  -->  | Taint [externally controlled string] | test.py:17 | test.py:17:14:17:34 | Attribute() |  |
+| Taint {externally controlled string} | test.py:39 | test.py:39:20:39:31 | TAINTED_DICT |  |  -->  | Taint {externally controlled string} | test.py:40 | test.py:40:9:40:20 | tainted_dict |  |
+| Taint {externally controlled string} | test.py:39 | test.py:39:20:39:31 | TAINTED_DICT |  |  -->  | Taint {externally controlled string} | test.py:41 | test.py:41:9:41:20 | tainted_dict |  |
+| Taint {externally controlled string} | test.py:39 | test.py:39:20:39:31 | TAINTED_DICT |  |  -->  | Taint {externally controlled string} | test.py:42 | test.py:42:9:42:20 | tainted_dict |  |
+| Taint {externally controlled string} | test.py:39 | test.py:39:20:39:31 | TAINTED_DICT |  |  -->  | Taint {externally controlled string} | test.py:44 | test.py:44:14:44:25 | tainted_dict |  |
+| Taint {externally controlled string} | test.py:39 | test.py:39:20:39:31 | TAINTED_DICT |  |  -->  | Taint {externally controlled string} | test.py:46 | test.py:46:17:46:28 | tainted_dict |  |
+| Taint {externally controlled string} | test.py:40 | test.py:40:9:40:20 | tainted_dict |  |  -->  | Taint externally controlled string | test.py:40 | test.py:40:9:40:28 | Subscript |  |
+| Taint {externally controlled string} | test.py:41 | test.py:41:9:41:20 | tainted_dict |  |  -->  | Taint externally controlled string | test.py:41 | test.py:41:9:41:23 | Subscript |  |
+| Taint {externally controlled string} | test.py:42 | test.py:42:9:42:20 | tainted_dict |  |  -->  | Taint {externally controlled string} | test.py:42 | test.py:42:9:42:27 | Attribute() |  |
+| Taint {externally controlled string} | test.py:42 | test.py:42:9:42:27 | Attribute() |  |  -->  | Taint {externally controlled string} | test.py:43 | test.py:43:16:43:16 | c |  |
+| Taint {externally controlled string} | test.py:44 | test.py:44:14:44:25 | tainted_dict |  |  -->  | Taint [externally controlled string] | test.py:44 | test.py:44:14:44:34 | Attribute() |  |

python/ql/test/library-tests/taint/collections/TestStep.ql

@@ -0,0 +1,11 @@
+import python
+import semmle.python.security.TaintTracking
+import Taint
+
+from TaintedNode n, TaintedNode s
+where
+    n.getLocation().getFile().getShortName() = "test.py" and
+    s.getLocation().getFile().getShortName() = "test.py" and
+    s = n.getASuccessor()
+select "Taint " + n.getTaintKind(), n.getLocation().toString(), n.getAstNode(), n.getContext(),
+    " --> ", "Taint " + s.getTaintKind(), s.getLocation().toString(), s.getAstNode(), s.getContext()

python/ql/test/library-tests/taint/collections/TestTaint.expected

@@ -0,0 +1,33 @@
+| test.py:23 | test_construction | a | [externally controlled string] |
+| test.py:23 | test_construction | b | [externally controlled string] |
+| test.py:23 | test_construction | c | NO TAINT |
+| test.py:23 | test_construction | d | [externally controlled string] |
+| test.py:23 | test_construction | e | NO TAINT |
+| test.py:23 | test_construction | f | [externally controlled string] |
+| test.py:23 | test_construction | g | [externally controlled string] |
+| test.py:23 | test_construction | h | NO TAINT |
+| test.py:32 | test_access | a | externally controlled string |
+| test.py:32 | test_access | b | externally controlled string |
+| test.py:32 | test_access | c | [externally controlled string] |
+| test.py:32 | test_access | d | [externally controlled string] |
+| test.py:32 | test_access | e | NO TAINT |
+| test.py:32 | test_access | f | NO TAINT |
+| test.py:32 | test_access | g | NO TAINT |
+| test.py:34 | test_access | h | externally controlled string |
+| test.py:36 | test_access | i | externally controlled string |
+| test.py:43 | test_dict_access | a | externally controlled string |
+| test.py:43 | test_dict_access | b | externally controlled string |
+| test.py:43 | test_dict_access | c | {externally controlled string} |
+| test.py:45 | test_dict_access | d | externally controlled string |
+| test.py:47 | test_dict_access | e | NO TAINT |
+| test.py:58 | test_named_tuple | a | NO TAINT |
+| test.py:58 | test_named_tuple | b | NO TAINT |
+| test.py:58 | test_named_tuple | c | NO TAINT |
+| test.py:58 | test_named_tuple | d | NO TAINT |
+| test.py:58 | test_named_tuple | e | NO TAINT |
+| test.py:58 | test_named_tuple | f | NO TAINT |
+| test.py:67 | test_defaultdict | a | NO TAINT |
+| test.py:67 | test_defaultdict | b | NO TAINT |
+| test.py:67 | test_defaultdict | c | NO TAINT |
+| test.py:69 | test_defaultdict | d | NO TAINT |
+| test.py:71 | test_defaultdict | e | NO TAINT |

python/ql/test/library-tests/taint/collections/TestTaint.ql

@@ -0,0 +1,18 @@
+import python
+import semmle.python.security.TaintTracking
+import Taint
+
+from Call call, Expr arg, string taint_string
+where
+    call.getLocation().getFile().getShortName() = "test.py" and
+    call.getFunc().(Name).getId() = "test" and
+    arg = call.getAnArg() and
+    (
+        not exists(TaintedNode tainted | tainted.getAstNode() = arg) and
+        taint_string = "NO TAINT"
+        or
+        exists(TaintedNode tainted | tainted.getAstNode() = arg |
+            taint_string = tainted.getTaintKind().toString()
+        )
+    )
+select arg.getLocation().toString(), call.getScope().(Function).getName(), arg.toString(), taint_string

python/ql/test/library-tests/taint/collections/test.py

@@ -0,0 +1,71 @@
+from collections import defaultdict, namedtuple
+
+# Use to show only interesting results in qltest output
+def test(*args):
+    pass
+
+def test_construction():
+    tainted_string = TAINTED_STRING
+    tainted_list = [tainted_string]
+    tainted_tuple = (tainted_string,)
+    tainted_set = {tainted_string} # TODO: set currently not handled
+    tainted_dict = {'key': tainted_string}
+
+    a = list(tainted_list)
+    b = list(tainted_tuple)
+    c = list(tainted_set) # TODO: set currently not handled
+    d = list(tainted_dict.values())
+    e = list(tainted_dict.items()) # TODO: dict.items() currently not handled
+
+    f = tuple(tainted_list)
+    g = set(tainted_list)
+    h = frozenset(tainted_list) # TODO: frozenset constructor currently not handled
+    test(a, b, c, d, e, f, g, h)
+
+def test_access():
+    tainted_list = TAINTED_LIST
+    a = tainted_list[0]
+    b = tainted_list[x]
+    c = tainted_list[y:z]
+    d = tainted_list.copy()
+    e, f, g = tainted_list # TODO: currently not handled
+    test(a, b, c, d, e, f, g)
+    for h in tainted_list:
+        test(h)
+    for i in reversed(tainted_list):
+        test(i)
+
+def test_dict_access(x):
+    tainted_dict = TAINTED_DICT
+    a = tainted_dict["name"]
+    b = tainted_dict[x]
+    c = tainted_dict.copy()
+    test(a, b, c)
+    for d in tainted_dict.values():
+        test(d)
+    for _, e in tainted_dict.items(): # TODO: dict.items() currently not handled
+        test(e)
+
+def test_named_tuple(): # TODO: namedtuple currently not handled
+    Point = namedtuple('Point', ['x', 'y'])
+    point = Point(TAINTED_STRING, 'const')
+
+    a = point[0]
+    b = point.x
+    c = point[1]
+    d = point.y
+    e, f = point
+    test(a, b, c, d, e, f)
+
+def test_defaultdict(key, x): # TODO: defaultdict currently not handled
+    tainted_default_dict = defaultdict(str)
+    tainted_default_dict[key] += TAINTED_STRING
+
+    a = tainted_dict["name"]
+    b = tainted_dict[x]
+    c = tainted_dict.copy()
+    test(a, b, c)
+    for d in tainted_dict.values():
+        test(d)
+    for _, e in tainted_dict.items():
+        test(e)