Python: Only comparison with constant will clear taint

RasmusWL · RasmusWL · commit bbe93f43d3d4 · 2020-01-21T15:25:57.000+01:00
tainted = SOURCE
    if tainted == tainted:
        SINK(tainted) # unsafe

before, in the body of the if statement, `tainted` was not tainted
diff --git a/python/ql/src/semmle/python/dataflow/Implementation.qll b/python/ql/src/semmle/python/dataflow/Implementation.qll
@@ -806,7 +806,10 @@ private predicate testEvaluatesMaybe(ControlFlowNode test, ControlFlowNode use)
     any(PyEdgeRefinement ref).getTest().getAChild*() = test and
     test.getAChild*() = use and
     not test.(UnaryExprNode).getNode().getOp() instanceof Not and
-    not Filters::equality_test(test, use, _, _) and
+    not exists(ControlFlowNode const |
+        Filters::equality_test(test, use, _, const) and
+        const.getNode() instanceof ImmutableLiteral
+    ) and
     not Filters::isinstance(test, _, use) and
     not test = use
     or
diff --git a/python/ql/test/library-tests/taint/general/TestSink.expected b/python/ql/test/library-tests/taint/general/TestSink.expected
@@ -39,3 +39,5 @@
 | simple.test | test.py:195 | 199 | t | simple.test |
 | simple.test | test.py:208 | 214 | x | simple.test |
 | simple.test | test.py:217 | 220 | tainted | simple.test |
+| simple.test | test.py:229 | 231 | tainted | simple.test |
+| simple.test | test.py:229 | 233 | tainted | simple.test |
diff --git a/python/ql/test/library-tests/taint/general/TestStep.expected b/python/ql/test/library-tests/taint/general/TestStep.expected
@@ -203,3 +203,6 @@
 | simple.test | test.py:217 | SOURCE |  | --> | simple.test | test.py:220 | tainted |  |
 | simple.test | test.py:223 | SOURCE |  | --> | simple.test | test.py:224 | tainted |  |
 | simple.test | test.py:229 | SOURCE |  | --> | simple.test | test.py:230 | tainted |  |
+| simple.test | test.py:229 | SOURCE |  | --> | simple.test | test.py:231 | tainted |  |
+| simple.test | test.py:229 | SOURCE |  | --> | simple.test | test.py:232 | tainted |  |
+| simple.test | test.py:229 | SOURCE |  | --> | simple.test | test.py:233 | tainted |  |
diff --git a/python/ql/test/library-tests/taint/general/TestVar.expected b/python/ql/test/library-tests/taint/general/TestVar.expected
@@ -199,4 +199,12 @@
 | test.py:220 | tainted_5 | test.py:220 | Taint simple.test |
 | test.py:223 | tainted_0 | test.py:223 | Taint simple.test |
 | test.py:225 | tainted_1 | test.py:225 | Taint simple.test |
+| test.py:228 | tainted_7 | test.py:228 | Taint simple.test |
+| test.py:228 | tainted_8 | test.py:228 | Taint simple.test |
 | test.py:229 | tainted_0 | test.py:229 | Taint simple.test |
+| test.py:231 | tainted_1 | test.py:231 | Taint simple.test |
+| test.py:231 | tainted_2 | test.py:231 | Taint simple.test |
+| test.py:232 | tainted_3 | test.py:232 | Taint simple.test |
+| test.py:232 | tainted_4 | test.py:232 | Taint simple.test |
+| test.py:233 | tainted_5 | test.py:233 | Taint simple.test |
+| test.py:233 | tainted_6 | test.py:233 | Taint simple.test |
