Python: Add test for strange generator taint flow

RasmusWL · RasmusWL · commit aa382ac04242 · 2022-11-22T14:46:33.000+01:00
I did check, and this was not a problem with the old call-graph on main!

I'm absolutely baffled!
diff --git a/python/ql/test/experimental/dataflow/tainttracking/generator-flow/InlineTaintTest.expected b/python/ql/test/experimental/dataflow/tainttracking/generator-flow/InlineTaintTest.expected
@@ -0,0 +1,3 @@
+argumentToEnsureNotTaintedNotMarkedAsSpurious
+untaintedArgumentToEnsureTaintedNotMarkedAsMissing
+failures
diff --git a/python/ql/test/experimental/dataflow/tainttracking/generator-flow/InlineTaintTest.ql b/python/ql/test/experimental/dataflow/tainttracking/generator-flow/InlineTaintTest.ql
@@ -0,0 +1 @@
+import experimental.meta.InlineTaintTest
diff --git a/python/ql/test/experimental/dataflow/tainttracking/generator-flow/NormalDataflowTest.expected b/python/ql/test/experimental/dataflow/tainttracking/generator-flow/NormalDataflowTest.expected
@@ -0,0 +1,2 @@
+missingAnnotationOnSink
+failures
diff --git a/python/ql/test/experimental/dataflow/tainttracking/generator-flow/NormalDataflowTest.ql b/python/ql/test/experimental/dataflow/tainttracking/generator-flow/NormalDataflowTest.ql
@@ -0,0 +1,2 @@
+import python
+import experimental.dataflow.TestUtil.NormalDataflowTest
diff --git a/python/ql/test/experimental/dataflow/tainttracking/generator-flow/test_dataflow.py b/python/ql/test/experimental/dataflow/tainttracking/generator-flow/test_dataflow.py
@@ -0,0 +1,34 @@
+def normal_helper(arg):
+    l = [arg]
+    return l[0]
+
+
+def generator_helper(arg):
+    l = [arg]
+    l = [x for x in l]
+    return l[0]
+
+
+def generator_helper_wo_source_use(arg):
+    l = [arg]
+    l = [x for x in l]
+    return l[0]
+
+
+def test_source():
+    x = normal_helper(SOURCE)
+    SINK(x) # $ flow="SOURCE, l:-1 -> x"
+
+    x = generator_helper(SOURCE)
+    SINK(x) # $ flow="SOURCE, l:-1 -> x"
+
+
+def test_non_source():
+    x = normal_helper(NONSOURCE)
+    SINK_F(x)
+
+    x = generator_helper(NONSOURCE)
+    SINK_F(x)
+
+    x = generator_helper_wo_source_use(NONSOURCE)
+    SINK_F(x)
diff --git a/python/ql/test/experimental/dataflow/tainttracking/generator-flow/test_taint.py b/python/ql/test/experimental/dataflow/tainttracking/generator-flow/test_taint.py
@@ -0,0 +1,37 @@
+def normal_helper(arg):
+    l = [arg]
+    return l[0]
+
+# we had a regression where flow from a source to the argument of this function would
+# cause _all_ returns from this function to be treated as tainted. That is, the
+# `generator_helper(NONSOURCE)` call in `test_non_source` would result in taint :| This
+# is specific to taint-tracking, and does NOT appear in pure data-flow (see the
+# test_dataflow file)
+def generator_helper(arg):
+    l = [arg]
+    l = [x for x in l]
+    return l[0]
+
+
+def generator_helper_wo_source_use(arg):
+    l = [arg]
+    l = [x for x in l]
+    return l[0]
+
+def test_source():
+    x = normal_helper(TAINTED_STRING)
+    ensure_tainted(x) # $ tainted
+
+    x = generator_helper(TAINTED_STRING)
+    ensure_tainted(x) # $ tainted
+
+
+def test_non_source():
+    x = normal_helper(NONSOURCE)
+    ensure_not_tainted(x)
+
+    x = generator_helper(NONSOURCE)
+    ensure_not_tainted(x) # $ SPURIOUS: tainted
+
+    x = generator_helper_wo_source_use(NONSOURCE)
+    ensure_not_tainted(x)

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+argumentToEnsureNotTaintedNotMarkedAsSpurious`
	`2`	`+untaintedArgumentToEnsureTaintedNotMarkedAsMissing`
	`3`	`+failures`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+import experimental.meta.InlineTaintTest`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+missingAnnotationOnSink`
	`2`	`+failures`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+import python`
	`2`	`+import experimental.dataflow.TestUtil.NormalDataflowTest`