Python: Handle taint for % formatting

RasmusWL · RasmusWL · commit 1e447c5ca2c2 · 2020-08-24T14:15:27.000+02:00
diff --git a/python/ql/src/experimental/dataflow/internal/TaintTrackingPrivate.qll b/python/ql/src/experimental/dataflow/internal/TaintTrackingPrivate.qll
@@ -105,4 +105,14 @@ predicate stringMethods(DataFlow::CfgNode nodeFrom, DataFlow::CfgNode nodeTo) {
     method_name = "format_map" and
     nodeFrom.getNode() = call.getArg(0)
   )
+  or
+  // % formatting
+  exists(BinaryExprNode fmt | fmt = nodeTo.getNode() |
+    fmt.getOp() instanceof Mod and
+    (
+      fmt.getLeft() = nodeFrom.getNode()
+      or
+      fmt.getRight() = nodeFrom.getNode()
+    )
+  )
 }
diff --git a/python/ql/test/experimental/dataflow/tainttracking/string/TestTaint.expected b/python/ql/test/experimental/dataflow/tainttracking/string/TestTaint.expected
@@ -43,3 +43,6 @@
 | test.py:89 | fail | str_methods | ts.join(..) |
 | test.py:99 | fail | non_syntactic | meth() |
 | test.py:100 | fail | non_syntactic | _str(..) |
+| test.py:109 | ok   | percent_fmt | BinaryExpr |
+| test.py:110 | ok   | percent_fmt | BinaryExpr |
+| test.py:111 | fail | percent_fmt | BinaryExpr |
diff --git a/python/ql/test/experimental/dataflow/tainttracking/string/test.py b/python/ql/test/experimental/dataflow/tainttracking/string/test.py
@@ -100,8 +100,21 @@ def non_syntactic():
         _str(ts),
     )
 
+
+def percent_fmt():
+    print("\n#percent_fmt")
+    ts = TAINTED_STRING
+    tainted_fmt = ts + " %s %s"
+    ensure_tainted(
+        tainted_fmt % (1, 2),
+        "%s foo bar" % ts,
+        "%s %s %s" % (1, 2, ts),
+    )
+
+
 # Make tests runable
 
 str_operations()
 str_methods()
 non_syntactic()
+percent_fmt()
