Python: Add iterable unpacking tests

Author: RasmusWL

python/ql/test/library-tests/taint/unpacking/Taint.qll

@@ -0,0 +1,27 @@
+import python
+import semmle.python.security.TaintTracking
+import semmle.python.security.strings.Untrusted
+
+class SimpleSource extends TaintSource {
+    SimpleSource() { this.(NameNode).getId() = "TAINTED_STRING" }
+
+    override predicate isSourceOf(TaintKind kind) { kind instanceof ExternalStringKind }
+
+    override string toString() { result = "taint source" }
+}
+
+class ListSource extends TaintSource {
+    ListSource() { this.(NameNode).getId() = "TAINTED_LIST" }
+
+    override predicate isSourceOf(TaintKind kind) { kind instanceof ExternalStringSequenceKind }
+
+    override string toString() { result = "list taint source" }
+}
+
+class DictSource extends TaintSource {
+    DictSource() { this.(NameNode).getId() = "TAINTED_DICT" }
+
+    override predicate isSourceOf(TaintKind kind) { kind instanceof ExternalStringDictKind }
+
+    override string toString() { result = "dict taint source" }
+}

python/ql/test/library-tests/taint/unpacking/TestStep.expected

@@ -0,0 +1,14 @@
+| Taint [[externally controlled string]] | test.py:19 | test.py:19:10:19:18 | List |  |  -->  | Taint [[externally controlled string]] | test.py:22 | test.py:22:28:22:29 | ll |  |
+| Taint [[externally controlled string]] | test.py:19 | test.py:19:10:19:18 | List |  |  -->  | Taint [[externally controlled string]] | test.py:26 | test.py:26:28:26:29 | ll |  |
+| Taint [[externally controlled string]] | test.py:19 | test.py:19:10:19:18 | List |  |  -->  | Taint [[externally controlled string]] | test.py:30 | test.py:30:28:30:29 | ll |  |
+| Taint [externally controlled string] | test.py:6 | test.py:6:9:6:20 | TAINTED_LIST |  |  -->  | Taint [externally controlled string] | test.py:7 | test.py:7:15:7:15 | l |  |
+| Taint [externally controlled string] | test.py:12 | test.py:12:9:12:20 | TAINTED_LIST |  |  -->  | Taint [externally controlled string] | test.py:13 | test.py:13:17:13:17 | l |  |
+| Taint [externally controlled string] | test.py:18 | test.py:18:9:18:20 | TAINTED_LIST |  |  -->  | Taint [externally controlled string] | test.py:19 | test.py:19:11:19:11 | l |  |
+| Taint [externally controlled string] | test.py:18 | test.py:18:9:18:20 | TAINTED_LIST |  |  -->  | Taint [externally controlled string] | test.py:19 | test.py:19:14:19:14 | l |  |
+| Taint [externally controlled string] | test.py:18 | test.py:18:9:18:20 | TAINTED_LIST |  |  -->  | Taint [externally controlled string] | test.py:19 | test.py:19:17:19:17 | l |  |
+| Taint [externally controlled string] | test.py:19 | test.py:19:11:19:11 | l |  |  -->  | Taint [[externally controlled string]] | test.py:19 | test.py:19:10:19:18 | List |  |
+| Taint [externally controlled string] | test.py:19 | test.py:19:14:19:14 | l |  |  -->  | Taint [[externally controlled string]] | test.py:19 | test.py:19:10:19:18 | List |  |
+| Taint [externally controlled string] | test.py:19 | test.py:19:17:19:17 | l |  |  -->  | Taint [[externally controlled string]] | test.py:19 | test.py:19:10:19:18 | List |  |
+| Taint [externally controlled string] | test.py:43 | test.py:43:20:43:31 | TAINTED_LIST |  |  -->  | Taint [externally controlled string] | test.py:47 | test.py:47:28:47:39 | tainted_list |  |
+| Taint [externally controlled string] | test.py:47 | test.py:47:28:47:39 | tainted_list |  |  -->  | Taint [[externally controlled string]] | test.py:47 | test.py:47:28:47:54 | Tuple |  |
+| Taint [externally controlled string] | test.py:55 | test.py:55:27:55:38 | TAINTED_LIST |  |  -->  | Taint [[externally controlled string]] | test.py:55 | test.py:55:25:55:40 | List |  |

python/ql/test/library-tests/taint/unpacking/TestStep.ql

@@ -0,0 +1,11 @@
+import python
+import semmle.python.security.TaintTracking
+import Taint
+
+from TaintedNode n, TaintedNode s
+where
+    n.getLocation().getFile().getShortName() = "test.py" and
+    s.getLocation().getFile().getShortName() = "test.py" and
+    s = n.getASuccessor()
+select "Taint " + n.getTaintKind(), n.getLocation().toString(), n.getAstNode(), n.getContext(),
+    " --> ", "Taint " + s.getTaintKind(), s.getLocation().toString(), s.getAstNode(), s.getContext()

python/ql/test/library-tests/taint/unpacking/TestTaint.expected

@@ -0,0 +1,33 @@
+| test.py:8 | unpacking | a | NO TAINT |
+| test.py:8 | unpacking | b | NO TAINT |
+| test.py:8 | unpacking | c | NO TAINT |
+| test.py:14 | unpacking_to_list | a | NO TAINT |
+| test.py:14 | unpacking_to_list | b | NO TAINT |
+| test.py:14 | unpacking_to_list | c | NO TAINT |
+| test.py:23 | nested | a1 | NO TAINT |
+| test.py:23 | nested | a2 | NO TAINT |
+| test.py:23 | nested | a3 | NO TAINT |
+| test.py:23 | nested | b | NO TAINT |
+| test.py:23 | nested | c | NO TAINT |
+| test.py:27 | nested | a1 | NO TAINT |
+| test.py:27 | nested | a2 | NO TAINT |
+| test.py:27 | nested | a3 | NO TAINT |
+| test.py:27 | nested | b | NO TAINT |
+| test.py:27 | nested | c | NO TAINT |
+| test.py:31 | nested | a1 | NO TAINT |
+| test.py:31 | nested | a2 | NO TAINT |
+| test.py:31 | nested | a3 | NO TAINT |
+| test.py:31 | nested | b | NO TAINT |
+| test.py:31 | nested | c | NO TAINT |
+| test.py:38 | unpack_from_set | a | NO TAINT |
+| test.py:38 | unpack_from_set | b | NO TAINT |
+| test.py:38 | unpack_from_set | c | NO TAINT |
+| test.py:48 | contrived_1 | a | NO TAINT |
+| test.py:48 | contrived_1 | b | NO TAINT |
+| test.py:48 | contrived_1 | c | NO TAINT |
+| test.py:48 | contrived_1 | d | NO TAINT |
+| test.py:48 | contrived_1 | e | NO TAINT |
+| test.py:48 | contrived_1 | f | NO TAINT |
+| test.py:56 | contrived_2 | a | NO TAINT |
+| test.py:56 | contrived_2 | b | NO TAINT |
+| test.py:56 | contrived_2 | c | NO TAINT |

python/ql/test/library-tests/taint/unpacking/TestTaint.ql

@@ -0,0 +1,18 @@
+import python
+import semmle.python.security.TaintTracking
+import Taint
+
+from Call call, Expr arg, string taint_string
+where
+    call.getLocation().getFile().getShortName() = "test.py" and
+    call.getFunc().(Name).getId() = "test" and
+    arg = call.getAnArg() and
+    (
+        not exists(TaintedNode tainted | tainted.getAstNode() = arg) and
+        taint_string = "NO TAINT"
+        or
+        exists(TaintedNode tainted | tainted.getAstNode() = arg |
+            taint_string = tainted.getTaintKind().toString()
+        )
+    )
+select arg.getLocation().toString(), call.getScope().(Function).getName(), arg.toString(), taint_string

python/ql/test/library-tests/taint/unpacking/test.py

@@ -0,0 +1,58 @@
+def test(*args):
+    pass
+
+
+def unpacking():
+    l = TAINTED_LIST
+    a, b, c = l
+    test(a, b, c)
+
+
+def unpacking_to_list():
+    l = TAINTED_LIST
+    [a, b, c] = l
+    test(a, b, c)
+
+
+def nested():
+    l = TAINTED_LIST
+    ll = [l, l, l]
+
+    # list
+    [[a1, a2, a3], b, c] = ll
+    test(a1, a2, a3, b, c)
+
+    # tuple
+    ((a1, a2, a3), b, c) = ll
+    test(a1, a2, a3, b, c)
+
+    # mixed
+    [(a1, a2, a3), b, c] = ll
+    test(a1, a2, a3, b, c)
+
+
+def unpack_from_set():
+    # no guarantee on ordering ... don't know why you would ever do this
+    a, b, c = {"foo", "bar", TAINTED_STRING}
+    # either all should be tainted, or none of them
+    test(a, b, c)
+
+
+def contrived_1():
+    # A contrived example. Don't know why anyone would ever actually do this.
+    tainted_list = TAINTED_LIST
+    no_taint_list = [1,2,3]
+
+    # We don't handle this case currently, since we mark `d`, `e` and `f` as tainted.
+    (a, b, c), (d, e, f) = tainted_list, no_taint_list
+    test(a, b, c, d, e, f)
+
+
+def contrived_2():
+    # A contrived example. Don't know why anyone would ever actually do this.
+
+    # We currently only handle taint nested 2 levels.
+    [[[ (a,b,c) ]]] = [[[ TAINTED_LIST ]]]
+    test(a, b, c)
+
+# For Python 3, see https://www.python.org/dev/peps/pep-3132/