Python: Add syntactic taint steps for json methods

RasmusWL · RasmusWL · commit 32f9d30136f7 · 2020-08-26T19:39:36.000+02:00
diff --git a/python/ql/src/experimental/dataflow/internal/TaintTrackingPrivate.qll b/python/ql/src/experimental/dataflow/internal/TaintTrackingPrivate.qll
@@ -30,6 +30,8 @@ predicate localAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeT
   subscriptStep(nodeFrom, nodeTo)
   or
   stringManipulation(nodeFrom, nodeTo)
+  or
+  jsonStep(nodeFrom, nodeTo)
 }
 
 /**
@@ -123,3 +125,13 @@ predicate stringManipulation(DataFlow::CfgNode nodeFrom, DataFlow::CfgNode nodeT
   // TODO: Handle os.path.join
   // TODO: Handle functions in https://docs.python.org/3/library/binascii.html
 }
+
+/**
+ * Holds if taint can flow from `nodeFrom` to `nodeTo` with a step related to JSON encoding/decoding.
+ */
+predicate jsonStep(DataFlow::CfgNode nodeFrom, DataFlow::CfgNode nodeTo) {
+  exists(CallNode call | call = nodeTo.getNode() |
+    call.getFunction().(AttrNode).getObject(["load", "loads", "dumps"]).(NameNode).getId() = "json" and
+    call.getArg(0) = nodeFrom.getNode()
+  )
+}
diff --git a/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/TestTaint.expected b/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/TestTaint.expected
@@ -35,8 +35,8 @@
 | collections.py:103 | fail | test_defaultdict | tainted_default_dict.copy() |
 | collections.py:106 | fail | test_defaultdict | v |
 | collections.py:108 | fail | test_defaultdict | v |
-| json.py:26 | fail | test | json.dumps(..) |
-| json.py:27 | fail | test | json.loads(..) |
+| json.py:26 | ok   | test | json.dumps(..) |
+| json.py:27 | ok   | test | json.loads(..) |
 | json.py:34 | fail | test | tainted_filelike |
 | json.py:35 | fail | test | json.load(..) |
 | json.py:48 | fail | non_syntacical | dumps(..) |
