Python: Recognize taint for iterable unpacking

RasmusWL · RasmusWL · commit 781024d67955 · 2020-01-27T14:43:07.000+01:00
diff --git a/python/ql/src/semmle/python/dataflow/Implementation.qll b/python/ql/src/semmle/python/dataflow/Implementation.qll
@@ -658,6 +658,8 @@ private class EssaTaintTracking extends string {
         or
         this.taintedAssignment(src, defn, context, path, kind)
         or
+        this.taintedMultiAssignment(src, defn, context, path, kind)
+        or
         this.taintedAttributeAssignment(src, defn, context, path, kind)
         or
         this.taintedParameterDefinition(src, defn, context, path, kind)
@@ -705,6 +707,32 @@ private class EssaTaintTracking extends string {
         )
     }
 
+    pragma[noinline]
+    private predicate taintedMultiAssignment(
+        TaintTrackingNode src, MultiAssignmentDefinition defn, TaintTrackingContext context,
+        AttributePath path, TaintKind kind
+    ) {
+        exists(DataFlow::Node srcnode, TaintKind srckind, Assign assign |
+            src = TTaintTrackingNode_(srcnode, context, path, srckind, this) and
+            path.noAttribute()
+        |
+            assign.getValue().getAFlowNode() = srcnode.asCfgNode() and
+            kind = iterable_unpacking_decent(assign.getATarget().getAFlowNode(), defn.getDefiningNode(),
+                    srckind)
+        )
+    }
+
+    /** `((x,y), ...) = value` with any nesting on LHS */
+    private TaintKind iterable_unpacking_decent(
+        SequenceNode left_parent, ControlFlowNode left_defn, CollectionKind parent_kind
+    ) {
+        left_parent.getAnElement() = left_defn and
+        result = parent_kind.getMember()
+        or
+        result = iterable_unpacking_decent(left_parent.getAnElement(), left_defn,
+                parent_kind.getMember())
+    }
+
     pragma[noinline]
     private predicate taintedAttributeAssignment(
         TaintTrackingNode src, AttributeAssignment defn, TaintTrackingContext context,
diff --git a/python/ql/test/library-tests/taint/collections/TestStep.expected b/python/ql/test/library-tests/taint/collections/TestStep.expected
@@ -26,6 +26,9 @@
 | Taint [externally controlled string] | test.py:29 | test.py:29:9:29:25 | Subscript |  |  -->  | Taint [externally controlled string] | test.py:32 | test.py:32:16:32:16 | c |  |
 | Taint [externally controlled string] | test.py:30 | test.py:30:9:30:20 | tainted_list |  |  -->  | Taint [externally controlled string] | test.py:30 | test.py:30:9:30:27 | Attribute() |  |
 | Taint [externally controlled string] | test.py:30 | test.py:30:9:30:27 | Attribute() |  |  -->  | Taint [externally controlled string] | test.py:32 | test.py:32:19:32:19 | d |  |
+| Taint [externally controlled string] | test.py:31 | test.py:31:15:31:26 | tainted_list |  |  -->  | Taint externally controlled string | test.py:32 | test.py:32:22:32:22 | e |  |
+| Taint [externally controlled string] | test.py:31 | test.py:31:15:31:26 | tainted_list |  |  -->  | Taint externally controlled string | test.py:32 | test.py:32:25:32:25 | f |  |
+| Taint [externally controlled string] | test.py:31 | test.py:31:15:31:26 | tainted_list |  |  -->  | Taint externally controlled string | test.py:32 | test.py:32:28:32:28 | g |  |
 | Taint [externally controlled string] | test.py:33 | test.py:33:14:33:25 | tainted_list |  |  -->  | Taint externally controlled string | test.py:33 | test.py:33:5:33:26 | For |  |
 | Taint [externally controlled string] | test.py:35 | test.py:35:14:35:35 | reversed() |  |  -->  | Taint externally controlled string | test.py:35 | test.py:35:5:35:36 | For |  |
 | Taint [externally controlled string] | test.py:35 | test.py:35:23:35:34 | tainted_list |  |  -->  | Taint [externally controlled string] | test.py:35 | test.py:35:14:35:35 | reversed() |  |
diff --git a/python/ql/test/library-tests/taint/collections/TestTaint.expected b/python/ql/test/library-tests/taint/collections/TestTaint.expected
@@ -10,9 +10,9 @@
 | test.py:32 | test_access | b | externally controlled string |
 | test.py:32 | test_access | c | [externally controlled string] |
 | test.py:32 | test_access | d | [externally controlled string] |
-| test.py:32 | test_access | e | NO TAINT |
-| test.py:32 | test_access | f | NO TAINT |
-| test.py:32 | test_access | g | NO TAINT |
+| test.py:32 | test_access | e | externally controlled string |
+| test.py:32 | test_access | f | externally controlled string |
+| test.py:32 | test_access | g | externally controlled string |
 | test.py:34 | test_access | h | externally controlled string |
 | test.py:36 | test_access | i | externally controlled string |
 | test.py:43 | test_dict_access | a | externally controlled string |
diff --git a/python/ql/test/library-tests/taint/collections/test.py b/python/ql/test/library-tests/taint/collections/test.py
@@ -28,7 +28,7 @@ def test_access():
     b = tainted_list[x]
     c = tainted_list[y:z]
     d = tainted_list.copy()
-    e, f, g = tainted_list # TODO: currently not handled
+    e, f, g = tainted_list
     test(a, b, c, d, e, f, g)
     for h in tainted_list:
         test(h)
diff --git a/python/ql/test/library-tests/taint/unpacking/TestStep.expected b/python/ql/test/library-tests/taint/unpacking/TestStep.expected
@@ -1,8 +1,35 @@
 | Taint [[externally controlled string]] | test.py:19 | test.py:19:10:19:18 | List |  |  -->  | Taint [[externally controlled string]] | test.py:22 | test.py:22:28:22:29 | ll |  |
 | Taint [[externally controlled string]] | test.py:19 | test.py:19:10:19:18 | List |  |  -->  | Taint [[externally controlled string]] | test.py:26 | test.py:26:28:26:29 | ll |  |
 | Taint [[externally controlled string]] | test.py:19 | test.py:19:10:19:18 | List |  |  -->  | Taint [[externally controlled string]] | test.py:30 | test.py:30:28:30:29 | ll |  |
+| Taint [[externally controlled string]] | test.py:22 | test.py:22:28:22:29 | ll |  |  -->  | Taint [externally controlled string] | test.py:23 | test.py:23:22:23:22 | b |  |
+| Taint [[externally controlled string]] | test.py:22 | test.py:22:28:22:29 | ll |  |  -->  | Taint [externally controlled string] | test.py:23 | test.py:23:25:23:25 | c |  |
+| Taint [[externally controlled string]] | test.py:22 | test.py:22:28:22:29 | ll |  |  -->  | Taint externally controlled string | test.py:23 | test.py:23:10:23:11 | a1 |  |
+| Taint [[externally controlled string]] | test.py:22 | test.py:22:28:22:29 | ll |  |  -->  | Taint externally controlled string | test.py:23 | test.py:23:14:23:15 | a2 |  |
+| Taint [[externally controlled string]] | test.py:22 | test.py:22:28:22:29 | ll |  |  -->  | Taint externally controlled string | test.py:23 | test.py:23:18:23:19 | a3 |  |
+| Taint [[externally controlled string]] | test.py:26 | test.py:26:28:26:29 | ll |  |  -->  | Taint [externally controlled string] | test.py:27 | test.py:27:22:27:22 | b |  |
+| Taint [[externally controlled string]] | test.py:26 | test.py:26:28:26:29 | ll |  |  -->  | Taint [externally controlled string] | test.py:27 | test.py:27:25:27:25 | c |  |
+| Taint [[externally controlled string]] | test.py:26 | test.py:26:28:26:29 | ll |  |  -->  | Taint externally controlled string | test.py:27 | test.py:27:10:27:11 | a1 |  |
+| Taint [[externally controlled string]] | test.py:26 | test.py:26:28:26:29 | ll |  |  -->  | Taint externally controlled string | test.py:27 | test.py:27:14:27:15 | a2 |  |
+| Taint [[externally controlled string]] | test.py:26 | test.py:26:28:26:29 | ll |  |  -->  | Taint externally controlled string | test.py:27 | test.py:27:18:27:19 | a3 |  |
+| Taint [[externally controlled string]] | test.py:30 | test.py:30:28:30:29 | ll |  |  -->  | Taint [externally controlled string] | test.py:31 | test.py:31:22:31:22 | b |  |
+| Taint [[externally controlled string]] | test.py:30 | test.py:30:28:30:29 | ll |  |  -->  | Taint [externally controlled string] | test.py:31 | test.py:31:25:31:25 | c |  |
+| Taint [[externally controlled string]] | test.py:30 | test.py:30:28:30:29 | ll |  |  -->  | Taint externally controlled string | test.py:31 | test.py:31:10:31:11 | a1 |  |
+| Taint [[externally controlled string]] | test.py:30 | test.py:30:28:30:29 | ll |  |  -->  | Taint externally controlled string | test.py:31 | test.py:31:14:31:15 | a2 |  |
+| Taint [[externally controlled string]] | test.py:30 | test.py:30:28:30:29 | ll |  |  -->  | Taint externally controlled string | test.py:31 | test.py:31:18:31:19 | a3 |  |
+| Taint [[externally controlled string]] | test.py:47 | test.py:47:28:47:54 | Tuple |  |  -->  | Taint externally controlled string | test.py:48 | test.py:48:10:48:10 | a |  |
+| Taint [[externally controlled string]] | test.py:47 | test.py:47:28:47:54 | Tuple |  |  -->  | Taint externally controlled string | test.py:48 | test.py:48:13:48:13 | b |  |
+| Taint [[externally controlled string]] | test.py:47 | test.py:47:28:47:54 | Tuple |  |  -->  | Taint externally controlled string | test.py:48 | test.py:48:16:48:16 | c |  |
+| Taint [[externally controlled string]] | test.py:47 | test.py:47:28:47:54 | Tuple |  |  -->  | Taint externally controlled string | test.py:48 | test.py:48:19:48:19 | d |  |
+| Taint [[externally controlled string]] | test.py:47 | test.py:47:28:47:54 | Tuple |  |  -->  | Taint externally controlled string | test.py:48 | test.py:48:22:48:22 | e |  |
+| Taint [[externally controlled string]] | test.py:47 | test.py:47:28:47:54 | Tuple |  |  -->  | Taint externally controlled string | test.py:48 | test.py:48:25:48:25 | f |  |
 | Taint [externally controlled string] | test.py:6 | test.py:6:9:6:20 | TAINTED_LIST |  |  -->  | Taint [externally controlled string] | test.py:7 | test.py:7:15:7:15 | l |  |
+| Taint [externally controlled string] | test.py:7 | test.py:7:15:7:15 | l |  |  -->  | Taint externally controlled string | test.py:8 | test.py:8:10:8:10 | a |  |
+| Taint [externally controlled string] | test.py:7 | test.py:7:15:7:15 | l |  |  -->  | Taint externally controlled string | test.py:8 | test.py:8:13:8:13 | b |  |
+| Taint [externally controlled string] | test.py:7 | test.py:7:15:7:15 | l |  |  -->  | Taint externally controlled string | test.py:8 | test.py:8:16:8:16 | c |  |
 | Taint [externally controlled string] | test.py:12 | test.py:12:9:12:20 | TAINTED_LIST |  |  -->  | Taint [externally controlled string] | test.py:13 | test.py:13:17:13:17 | l |  |
+| Taint [externally controlled string] | test.py:13 | test.py:13:17:13:17 | l |  |  -->  | Taint externally controlled string | test.py:14 | test.py:14:10:14:10 | a |  |
+| Taint [externally controlled string] | test.py:13 | test.py:13:17:13:17 | l |  |  -->  | Taint externally controlled string | test.py:14 | test.py:14:13:14:13 | b |  |
+| Taint [externally controlled string] | test.py:13 | test.py:13:17:13:17 | l |  |  -->  | Taint externally controlled string | test.py:14 | test.py:14:16:14:16 | c |  |
 | Taint [externally controlled string] | test.py:18 | test.py:18:9:18:20 | TAINTED_LIST |  |  -->  | Taint [externally controlled string] | test.py:19 | test.py:19:11:19:11 | l |  |
 | Taint [externally controlled string] | test.py:18 | test.py:18:9:18:20 | TAINTED_LIST |  |  -->  | Taint [externally controlled string] | test.py:19 | test.py:19:14:19:14 | l |  |
 | Taint [externally controlled string] | test.py:18 | test.py:18:9:18:20 | TAINTED_LIST |  |  -->  | Taint [externally controlled string] | test.py:19 | test.py:19:17:19:17 | l |  |
diff --git a/python/ql/test/library-tests/taint/unpacking/TestTaint.expected b/python/ql/test/library-tests/taint/unpacking/TestTaint.expected
@@ -1,33 +1,33 @@
-| test.py:8 | unpacking | a | NO TAINT |
-| test.py:8 | unpacking | b | NO TAINT |
-| test.py:8 | unpacking | c | NO TAINT |
-| test.py:14 | unpacking_to_list | a | NO TAINT |
-| test.py:14 | unpacking_to_list | b | NO TAINT |
-| test.py:14 | unpacking_to_list | c | NO TAINT |
-| test.py:23 | nested | a1 | NO TAINT |
-| test.py:23 | nested | a2 | NO TAINT |
-| test.py:23 | nested | a3 | NO TAINT |
-| test.py:23 | nested | b | NO TAINT |
-| test.py:23 | nested | c | NO TAINT |
-| test.py:27 | nested | a1 | NO TAINT |
-| test.py:27 | nested | a2 | NO TAINT |
-| test.py:27 | nested | a3 | NO TAINT |
-| test.py:27 | nested | b | NO TAINT |
-| test.py:27 | nested | c | NO TAINT |
-| test.py:31 | nested | a1 | NO TAINT |
-| test.py:31 | nested | a2 | NO TAINT |
-| test.py:31 | nested | a3 | NO TAINT |
-| test.py:31 | nested | b | NO TAINT |
-| test.py:31 | nested | c | NO TAINT |
+| test.py:8 | unpacking | a | externally controlled string |
+| test.py:8 | unpacking | b | externally controlled string |
+| test.py:8 | unpacking | c | externally controlled string |
+| test.py:14 | unpacking_to_list | a | externally controlled string |
+| test.py:14 | unpacking_to_list | b | externally controlled string |
+| test.py:14 | unpacking_to_list | c | externally controlled string |
+| test.py:23 | nested | a1 | externally controlled string |
+| test.py:23 | nested | a2 | externally controlled string |
+| test.py:23 | nested | a3 | externally controlled string |
+| test.py:23 | nested | b | [externally controlled string] |
+| test.py:23 | nested | c | [externally controlled string] |
+| test.py:27 | nested | a1 | externally controlled string |
+| test.py:27 | nested | a2 | externally controlled string |
+| test.py:27 | nested | a3 | externally controlled string |
+| test.py:27 | nested | b | [externally controlled string] |
+| test.py:27 | nested | c | [externally controlled string] |
+| test.py:31 | nested | a1 | externally controlled string |
+| test.py:31 | nested | a2 | externally controlled string |
+| test.py:31 | nested | a3 | externally controlled string |
+| test.py:31 | nested | b | [externally controlled string] |
+| test.py:31 | nested | c | [externally controlled string] |
 | test.py:38 | unpack_from_set | a | NO TAINT |
 | test.py:38 | unpack_from_set | b | NO TAINT |
 | test.py:38 | unpack_from_set | c | NO TAINT |
-| test.py:48 | contrived_1 | a | NO TAINT |
-| test.py:48 | contrived_1 | b | NO TAINT |
-| test.py:48 | contrived_1 | c | NO TAINT |
-| test.py:48 | contrived_1 | d | NO TAINT |
-| test.py:48 | contrived_1 | e | NO TAINT |
-| test.py:48 | contrived_1 | f | NO TAINT |
+| test.py:48 | contrived_1 | a | externally controlled string |
+| test.py:48 | contrived_1 | b | externally controlled string |
+| test.py:48 | contrived_1 | c | externally controlled string |
+| test.py:48 | contrived_1 | d | externally controlled string |
+| test.py:48 | contrived_1 | e | externally controlled string |
+| test.py:48 | contrived_1 | f | externally controlled string |
 | test.py:56 | contrived_2 | a | NO TAINT |
 | test.py:56 | contrived_2 | b | NO TAINT |
 | test.py:56 | contrived_2 | c | NO TAINT |
