Python taint-tracking: Lengthen steps to better conform to old edge relation.

markshannon · markshannon · commit 133909d7feb3 · 2019-08-29T10:31:50.000+01:00
diff --git a/python/ql/src/semmle/python/dataflow/Implementation.qll b/python/ql/src/semmle/python/dataflow/Implementation.qll
@@ -120,11 +120,16 @@ class TaintTrackingNode extends TTaintTrackingNode {
     }
 
     TaintTrackingNode getASuccessor() {
-        exists(DataFlow::Node node, TaintTrackingContext ctx, AttributePath path, 
-               TaintKind kind, TaintTracking::Configuration config |
-            result = TTaintTrackingNode_(node, ctx, path, kind, config) and
-            config.(TaintTrackingImplementation).flowStep(this, node, ctx, path, kind)
-        )
+        result.isVisible() and
+        result = this.getAnInvisibleSuccessor*().getAShortStepSuccessor()
+    }
+
+    TaintTrackingNode getAnInvisibleSuccessor() {
+        result = this.getAShortStepSuccessor() and not result.isVisible()
+    }
+
+    private TaintTrackingNode getAShortStepSuccessor() {
+        this.getConfiguration().(TaintTrackingImplementation).flowStep(this, result)
     }
 
     predicate isSource() {
@@ -135,6 +140,11 @@ class TaintTrackingNode extends TTaintTrackingNode {
         this.getConfiguration().(TaintTrackingImplementation).isPathSink(this)
     }
 
+    /** Holds if this node should be presented to the user as part of a path */
+    predicate isVisible() {
+        exists(this.getNode().asCfgNode())
+    }
+
 }
 
 class TaintTrackingImplementation extends string {
@@ -274,8 +284,8 @@ class TaintTrackingImplementation extends string {
         this.fromImportStep(src, node, context, path, kind)
         or
         this.attributeLoadStep(src, node, context, path, kind)
-        //or
-        //this.getattrStep(src, node, context, path, kind)
+        or
+        this.getattrStep(src, node, context, path, kind)
         or
         this.useStep(src, node, context, path, kind)
         or
@@ -284,10 +294,12 @@ class TaintTrackingImplementation extends string {
         this.returnFlowStep(src, node, context, path, kind)
         or
         this.iterationStep(src, node, context, path, kind)
-        //or
-        //this.yieldStep(src, node, context, path, kind)
-        //or
-        //this.subscriptStep(src, node, context, path, kind)
+        or
+        this.yieldStep(src, node, context, path, kind)
+        or
+        this.subscriptStep(src, node, context, path, kind)
+        or
+        this.parameterStep(src, node, context, path, kind)
         or
         this.ifExpStep(src, node, context, path, kind)
         or
@@ -346,15 +358,20 @@ class TaintTrackingImplementation extends string {
 
     pragma [noinline]
     predicate getattrStep(TaintTrackingNode src, DataFlow::Node node, TaintTrackingContext context, AttributePath path, TaintKind kind) {
-        exists(DataFlow::Node srcnode, AttributePath srcpath, string attrname |
-            src = TTaintTrackingNode_(srcnode, context, srcpath, kind, this) and
+        exists(DataFlow::Node srcnode, AttributePath srcpath, TaintKind srckind, string attrname |
+            src = TTaintTrackingNode_(srcnode, context, srcpath, srckind, this) and
             exists(CallNode call, ControlFlowNode arg |
                 call = node.asCfgNode() and
                 call.getFunction().pointsTo(ObjectInternal::builtin("getattr")) and
                 arg = call.getArg(0) and
                 attrname = call.getArg(1).getNode().(StrConst).getText() and
-                arg = srcnode.asCfgNode() and
-                path = srcpath.fromAttribute(attrname)
+                arg = srcnode.asCfgNode()
+                |
+                path = srcpath.fromAttribute(attrname) and
+                kind = srckind
+                or
+                path = srcpath and
+                kind = srckind.getTaintOfAttribute(attrname)
             )
         )
     }
@@ -416,6 +433,15 @@ class TaintTrackingImplementation extends string {
         )
     }
 
+    pragma [noinline]
+    predicate parameterStep(TaintTrackingNode src, DataFlow::Node node, TaintTrackingContext context, AttributePath path, TaintKind kind) {
+        exists(CallNode call, PythonFunctionObjectInternal pyfunc, int arg |
+            this.callWithTaintedArgument(src, call, _, pyfunc, arg, path, kind) and
+            node.asCfgNode() = pyfunc.getParameter(arg) and
+            context = TParamContext(kind, path, arg)
+        )
+    }
+
     pragma [noinline]
     predicate yieldStep(TaintTrackingNode src, DataFlow::Node node, TaintTrackingContext context, AttributePath path, TaintKind kind) {
         exists(DataFlow::Node srcnode, TaintKind itemkind |
@@ -519,13 +545,6 @@ class TaintTrackingImplementation extends string {
 
     pragma [noinline]
     predicate taintedParameterDefinition(TaintTrackingNode src, ParameterDefinition defn, TaintTrackingContext context, AttributePath path, TaintKind kind) {
-        exists(CallNode call, PythonFunctionObjectInternal pyfunc, int arg |
-            this.callWithTaintedArgument(src, call, _, pyfunc, arg, path, kind) and
-            defn.getDefiningNode() = pyfunc.getParameter(arg) and
-            context = TParamContext(kind, path, arg)
-        )
-        or
-        /* Tainted parameter (usually user-defined) */
         exists(DataFlow::Node srcnode |
             src = TTaintTrackingNode_(srcnode, context, path, kind, this) and
             srcnode.asCfgNode() = defn.getDefiningNode()
diff --git a/python/ql/src/semmle/python/security/Paths.qll b/python/ql/src/semmle/python/security/Paths.qll
@@ -8,3 +8,5 @@ query predicate edges(TaintTrackingNode fromnode, TaintTrackingNode tonode) {
     /* Don't record flow past sinks */
     not fromnode.isSink()
 }
+
+

Original file line number	Diff line number	Diff line change
`@@ -8,3 +8,5 @@ query predicate edges(TaintTrackingNode fromnode, TaintTrackingNode tonode) {`
`8`	`8`	`/* Don't record flow past sinks */`
`9`	`9`	`not fromnode.isSink()`
`10`	`10`	`}`
	`11`	`+`
	`12`	`+`