Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit 5f3eda0

Browse files
yoffyoff
committed
Python: Annotate test file
Also add test of custom flow
1 parent 654c4f3 commit 5f3eda0

3 files changed

Lines changed: 54 additions & 24 deletions

File tree

python/ql/test/experimental/dataflow/regression/custom_dataflow.expected

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1 @@
1+
| test.py:126:13:126:25 | ControlFlowNode for CUSTOM_SOURCE | test.py:130:21:130:21 | ControlFlowNode for t |

python/ql/test/experimental/dataflow/regression/custom_dataflow.ql

Lines changed: 29 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,29 @@
1+
/**
2+
* This query is meant to catch the flows from `CUSTOM_SOURCE` to `CUSTOM_SINK`.
3+
*
4+
* This should be compared to
5+
* python/ql/test/library-tests/taint/dataflow/Dataflow.ql
6+
* A first goal is to have identical results; after that we
7+
* hope to remove the false positive.
8+
*/
9+
10+
import experimental.dataflow.DataFlow
11+
12+
class CustomTestConfiguration extends DataFlow::Configuration {
13+
CustomTestConfiguration() { this = "CustomTestConfiguration" }
14+
15+
override predicate isSource(DataFlow::Node node) {
16+
node.(DataFlow::CfgNode).getNode().(NameNode).getId() = "CUSTOM_SOURCE"
17+
}
18+
19+
override predicate isSink(DataFlow::Node node) {
20+
exists(CallNode call |
21+
call.getFunction().(NameNode).getId() in ["CUSTOM_SINK", "CUSTOM_SINK_F"] and
22+
node.(DataFlow::CfgNode).getNode() = call.getAnArg()
23+
)
24+
}
25+
}
26+
27+
from DataFlow::Node source, DataFlow::Node sink
28+
where exists(CustomTestConfiguration cfg | cfg.hasFlow(source, sink))
29+
select source, sink

python/ql/test/experimental/dataflow/regression/test.py

Lines changed: 24 additions & 24 deletions
Original file line numberDiff line numberDiff line change
@@ -30,7 +30,7 @@ def test6(cond):
3030
else:
3131
t = SOURCE
3232
if cond:
33-
SINK(t)
33+
SINK_F(t)
3434

3535
def test7(cond):
3636
if cond:
@@ -50,7 +50,7 @@ def sink3(cond, arg):
5050
if cond:
5151
sink(arg)
5252

53-
def test8(cond):
53+
def test8(cond): # This flow is shadowed by previous tests, perhaps do a path query
5454
t = source2()
5555
sink2(t)
5656

@@ -80,21 +80,21 @@ def test11():
8080
def test12():
8181
t = "safe"
8282
t = hub(t)
83-
SINK(t)
83+
SINK_F(t)
8484

8585
import module
8686

8787
def test13():
8888
t = module.dangerous
89-
SINK(t)
89+
SINK(t) # Flow not found
9090

9191
def test14():
9292
t = module.safe
93-
SINK(t)
93+
SINK_F(t)
9494

9595
def test15():
9696
t = module.safe2
97-
SINK(t)
97+
SINK_F(t)
9898

9999
def test16():
100100
t = module.dangerous_func()
@@ -108,13 +108,13 @@ def x_sink(arg):
108108
def test17():
109109
t = C()
110110
t.x = module.dangerous
111-
SINK(t.x)
111+
SINK(t.x) # Flow not found
112112

113113
def test18():
114114
t = C()
115115
t.x = module.dangerous
116116
t = hub(t)
117-
x_sink(t)
117+
x_sink(t) # Flow not found
118118

119119
def test19():
120120
t = CUSTOM_SOURCE
@@ -137,40 +137,40 @@ def test21(cond):
137137
else:
138138
t = SOURCE
139139
if not cond:
140-
CUSTOM_SINK(t)
140+
CUSTOM_SINK_F(t)
141141
else:
142-
SINK(t)
142+
SINK_F(t)
143143

144144
def test22(cond):
145145
if cond:
146146
t = CUSTOM_SOURCE
147147
else:
148148
t = SOURCE
149-
t = TAINT_FROM_ARG(t)
149+
t = TAINT_FROM_ARG(t) # Blocks data flow
150150
if cond:
151151
CUSTOM_SINK(t)
152152
else:
153153
SINK(t)
154154

155155
from module import dangerous as unsafe
156-
SINK(unsafe)
156+
SINK(unsafe) # Flow not found
157157

158158
def test23():
159159
with SOURCE as t:
160160
SINK(t)
161161

162162
def test24():
163163
s = SOURCE
164-
SANITIZE(s)
165-
SINK(s)
164+
SANITIZE(s) # Does not block data flow
165+
SINK_F(s)
166166

167167
def test_update_extend(x, y):
168168
l = [SOURCE]
169169
d = {"key" : SOURCE}
170170
x.extend(l)
171171
y.update(d)
172-
SINK(x[0])
173-
SINK(y["key"])
172+
SINK(x[0]) # Flow not found
173+
SINK(y["key"]) # Flow not found
174174
l2 = list(l)
175175
d2 = dict(d)
176176

@@ -179,9 +179,9 @@ def test_truth():
179179
if t:
180180
SINK(t)
181181
else:
182-
SINK(t)
182+
SINK_F(t) # False positive
183183
if not t:
184-
SINK(t)
184+
SINK_F(t) # False positive
185185
else:
186186
SINK(t)
187187

@@ -194,12 +194,12 @@ def test_early_exit():
194194
def flow_through_type_test_if_no_class():
195195
t = SOURCE
196196
if isinstance(t, str):
197-
SINK(t)
197+
SINK(t) # Flows's both here..
198198
else:
199-
SINK(t)
199+
SINK(t) # ..and here
200200

201201
def flow_in_iteration():
202-
t = ITERABLE_SOURCE
202+
t = ITERABLE_SOURCE # Seems to not be sunk anywhere
203203
for i in t:
204204
i
205205
return i
@@ -211,19 +211,19 @@ def flow_in_generator():
211211

212212
def flow_from_generator():
213213
for x in flow_in_generator():
214-
SINK(x)
214+
SINK(x) # Flow not found
215215

216216
def const_eq_clears_taint():
217217
tainted = SOURCE
218218
if tainted == "safe":
219-
SINK(tainted) # safe
219+
SINK(tainted) # safe # FP
220220
SINK(tainted) # unsafe
221221

222222
def const_eq_clears_taint2():
223223
tainted = SOURCE
224224
if tainted != "safe":
225225
return
226-
SINK(tainted) # safe
226+
SINK(tainted) # safe # FP
227227

228228
def non_const_eq_preserves_taint(x):
229229
tainted = SOURCE

0 commit comments

Comments
 (0)