github
diff --git a/‎python/ql/src/semmle/python/dataflow/Implementation.qll‎
Lines changed: 56 additions & 42 deletions b/‎python/ql/src/semmle/python/dataflow/Implementation.qll‎
Lines changed: 56 additions & 42 deletions
diff --git a/‎python/ql/test/library-tests/taint/config/RockPaperScissors.expected‎
Lines changed: 37 additions & 0 deletions b/‎python/ql/test/library-tests/taint/config/RockPaperScissors.expected‎
Lines changed: 37 additions & 0 deletions
diff --git a/‎python/ql/test/library-tests/taint/config/RockPaperScissors.ql‎
Lines changed: 13 additions & 0 deletions b/‎python/ql/test/library-tests/taint/config/RockPaperScissors.ql‎
Lines changed: 13 additions & 0 deletions
@@ -5,32 +5,34 @@ private import semmle.python.objects.ObjectInternal
 newtype TTaintTrackingContext =
     TNoParam()
     or
-    TParamContext(TaintKind param, int n) {
-        exists(CallNode call |
-            param.taints(call.getArg(n))
-        )
+    TParamContext(TaintKind param, AttributePath path, int n) {
+        any(TaintTrackingImplementation impl).callWithTaintedArgument(_, _, _, _, n, path, param)
     }
 
 class TaintTrackingContext extends TTaintTrackingContext {
 
     string toString()  { 
         this = TNoParam() and result = "No context"
         or
-        exists(TaintKind param, int n |
-            this = TParamContext(param, n) and
-            result = "Parameter " + n.toString() + " is " + param
+        exists(TaintKind param, AttributePath path, int n |
+            this = TParamContext(param, path, n) and
+            result = "Parameter " + n.toString() + "(" + path.toString() + ") is " + param
         )
     }
 
     TaintKind getParameterTaint(int n) {
-        this = TParamContext(result, n)
+        this = TParamContext(result, _, n)
+    }
+
+    AttributePath getAttributePath() {
+        this = TParamContext(_, result, _)
     }
 
     TaintTrackingContext getCaller() {
-        exists(TaintKind param, int n |
-            this = TParamContext(param, n) and
+        exists(TaintKind param, AttributePath path, int n |
+            this = TParamContext(param, path, n) and
             exists(TaintTrackingImplementation impl |
-                impl.callWithTaintedArgument(_, _, result, _, n, TNoAttribute(), param)
+                impl.callWithTaintedArgument(_, _, result, _, n, path, param)
             )
         )
     }
@@ -158,7 +160,7 @@ class TaintTrackingImplementation extends string {
 
     predicate isPathSink(TaintTrackingNode sink) {
         exists(DataFlow::Node sinknode, TaintKind kind |
-            sink = TTaintTrackingNode_(sinknode, TNoParam(), TNoAttribute(), kind, this) and
+            sink = TTaintTrackingNode_(sinknode, _, TNoAttribute(), kind, this) and
             this.(TaintTracking::Configuration).isSink(sinknode, kind)
         )
     }
@@ -181,20 +183,26 @@ class TaintTrackingImplementation extends string {
         this.importStep(src, node, context, path, kind)
         or
         this.fromImportStep(src, node, context, path, kind)
-        or
-        this.attributeLoadStep(src, node, context, path, kind)
-        or
-        this.getattrStep(src, node, context, path, kind)
+        //or
+        //this.attributeLoadStep(src, node, context, path, kind)
+        //or
+        //this.getattrStep(src, node, context, path, kind)
         or
         this.useStep(src, node, context, path, kind)
         or
         this.callTaintStep(src, node, context, path, kind)
         or
-        this.callFlowStep(src, node, context, path, kind)
+        this.returnFlowStep(src, node, context, path, kind)
+        //or
+        //this.iterationStep(src, node, context, path, kind)
+        //or
+        //this.yieldStep(src, node, context, path, kind)
+        //or
+        //this.subscriptStep(src, node, context, path, kind)
+        //or
+        //this.ifExprStep(src, node, context, path, kind)
         or
-        this.iterationStep(src, node, context, path, kind)
-        or
-        this.yieldStep(src, node, context, path, kind)
+        this.essaFlowStep(src, node, context, path, kind)
         or
         exists(DataFlow::Node srcnode, TaintKind srckind |
             this.(TaintTracking::Configuration).isAdditionalFlowStep(srcnode, node, srckind, kind) and
@@ -259,35 +267,40 @@ class TaintTrackingImplementation extends string {
         )
     }
 
+    //pragma [noinline]
+    //predicate argumentFlowStep(TaintTrackingNode src, DataFlow::Node node, TaintTrackingContext context, AttributePath path, TaintKind kind) {
+    //    exists(CallNode call, PythonFunctionObjectInternal pyfunc, int arg |
+    //        this.callWithTaintedArgument(src, call, _, pyfunc, arg, path, kind) and
+    //        node.asCfgNode() = pyfunc.getParameter(arg) and
+    //        context = TParamContext(kind, arg)
+    //    )
+    //    // TO DO... named parameters
+    //}
+
     pragma [noinline]
-    predicate callFlowStep(TaintTrackingNode src, DataFlow::Node node, TaintTrackingContext context, AttributePath path, TaintKind kind) {
-        exists(CallNode call, PythonFunctionObjectInternal pyfunc, int arg |
-            this.callWithTaintedArgument(src, call, _, pyfunc, arg, path, kind) and
-            node.asCfgNode() = pyfunc.getParameter(arg) and
-            context = TParamContext(kind, arg)
+    predicate returnFlowStep(TaintTrackingNode src, DataFlow::Node node, TaintTrackingContext context, AttributePath path, TaintKind kind) {
+        exists(CallNode call, PythonFunctionObjectInternal pyfunc, int arg, TaintKind callerKind, DataFlow::Node srcNode, AttributePath callerPath, TaintTrackingContext srcContext |
+            src = TTaintTrackingNode_(srcNode, srcContext, path, kind, this) and
+            this.callWithTaintedArgument(_, call, context, pyfunc, arg, callerPath, callerKind) and
+            srcContext = TParamContext(callerKind, callerPath, arg) and
+            node.asCfgNode() = call and
+            srcNode.asCfgNode() = any(Return ret | ret.getScope() = pyfunc.getScope()).getValue().getAFlowNode()
         )
-        or
-        exists(CallNode call, PythonFunctionObjectInternal pyfunc, int arg |
-            this.callWithTaintedArgument(src, call, context, pyfunc, arg, path, kind) and
-            src.getContext() = TParamContext(kind, arg)
-        )
-        // TO DO... named parameters
     }
 
-   predicate callWithTaintedArgument(TaintTrackingNode src, CallNode call, TaintTrackingContext caller, PythonFunctionObjectInternal pyfunc, int arg, AttributePath path, TaintKind kind) {
+    predicate callWithTaintedArgument(TaintTrackingNode src, CallNode call, TaintTrackingContext caller, CallableValue pyfunc, int arg, AttributePath path, TaintKind kind) {
         exists(DataFlow::Node srcnode |
             src = TTaintTrackingNode_(srcnode, caller, path, kind, this) and
-            srcnode.asCfgNode() = call.getArg(arg) and
-            pyfunc.getACall() = call
+            srcnode.asCfgNode() = pyfunc.getArgumentForCall(call, arg)
         )
     }
 
     pragma [noinline]
     predicate callTaintStep(TaintTrackingNode src, DataFlow::Node node, TaintTrackingContext context, AttributePath path, TaintKind kind) {
-        exists(DataFlow::Node srcnode, CallNode call, string name |
-            src = TTaintTrackingNode_(srcnode, context, path, kind, this) and
+        exists(DataFlow::Node srcnode, CallNode call, TaintKind srckind, string name |
+            src = TTaintTrackingNode_(srcnode, context, path, srckind, this) and
             call.getFunction().(AttrNode).getObject(name) = src.getNode().asCfgNode() and
-            kind = src.getTaintKind().getTaintOfMethodResult(name) and
+            kind = srckind.getTaintOfMethodResult(name) and
             node.asCfgNode() = call
         )
     }
@@ -366,7 +379,8 @@ class TaintTrackingImplementation extends string {
             src = TTaintTrackingNode_(srcnode, context, path, kind, this) and
             predvar = defn.getInput(pred) and
             not pred.unlikelySuccessor(defn.getBasicBlock()) and
-            not predvar.(DataFlowExtension::DataFlowVariable).prunedSuccessor(defn.getVariable())
+            not predvar.(DataFlowExtension::DataFlowVariable).prunedSuccessor(defn.getVariable()) and
+            srcnode.asVariable() = predvar
         )
     }
 
@@ -390,11 +404,11 @@ class TaintTrackingImplementation extends string {
 
     pragma [noinline]
     predicate taintedParameterDefinition(TaintTrackingNode src, ParameterDefinition defn, TaintTrackingContext context, AttributePath path, TaintKind kind) {
-        exists(DataFlow::Node srcnode |
-            src = TTaintTrackingNode_(srcnode, context, path, kind, this) and
-            defn.getDefiningNode() = srcnode.asCfgNode()
+        exists(CallNode call, PythonFunctionObjectInternal pyfunc, int arg |
+            this.callWithTaintedArgument(src, call, _, pyfunc, arg, path, kind) and
+            defn.getDefiningNode() = pyfunc.getParameter(arg) and
+            context = TParamContext(kind, path, arg)
         )
-        // TO DO... class intializers
     }
 
     pragma [noinline]
 
@@ -0,0 +1,37 @@
+edges
+| carrier.py:21:5:21:5 | explicit.carrier at carrier.py:21 | carrier.py:22:10:22:10 | explicit.carrier at carrier.py:22 |
+| carrier.py:21:9:21:28 | explicit.carrier at carrier.py:21 | carrier.py:21:5:21:5 | explicit.carrier at carrier.py:21 |
+| carrier.py:22:10:22:10 | explicit.carrier at carrier.py:22 | carrier.py:22:10:22:22 | simple.test at carrier.py:22 |
+| rockpaperscissors.py:24:5:24:5 | rock at rockpaperscissors.py:24 | rockpaperscissors.py:25:9:25:9 | rock at rockpaperscissors.py:25 |
+| rockpaperscissors.py:24:9:24:12 | rock at rockpaperscissors.py:24 | rockpaperscissors.py:24:5:24:5 | rock at rockpaperscissors.py:24 |
+| rockpaperscissors.py:25:5:25:5 | paper at rockpaperscissors.py:25 | rockpaperscissors.py:26:14:26:14 | paper at rockpaperscissors.py:26 |
+| rockpaperscissors.py:25:9:25:9 | rock at rockpaperscissors.py:25 | rockpaperscissors.py:25:9:25:16 | scissors at rockpaperscissors.py:25 |
+| rockpaperscissors.py:25:9:25:16 | scissors at rockpaperscissors.py:25 | rockpaperscissors.py:25:9:25:23 | paper at rockpaperscissors.py:25 |
+| rockpaperscissors.py:25:9:25:23 | paper at rockpaperscissors.py:25 | rockpaperscissors.py:25:5:25:5 | paper at rockpaperscissors.py:25 |
+| test.py:6:5:6:5 | simple.test at test.py:6 | test.py:7:10:7:10 | simple.test at test.py:7 |
+| test.py:6:9:6:14 | simple.test at test.py:6 | test.py:6:5:6:5 | simple.test at test.py:6 |
+| test.py:12:10:12:12 | simple.test at test.py:12 | test.py:13:10:13:12 | simple.test at test.py:13 |
+| test.py:20:5:20:5 | simple.test at test.py:20 | test.py:21:10:21:10 | simple.test at test.py:21 |
+| test.py:20:9:20:14 | simple.test at test.py:20 | test.py:20:5:20:5 | simple.test at test.py:20 |
+| test.py:21:10:21:10 | simple.test at test.py:21 | test.py:12:10:12:12 | simple.test at test.py:12 |
+| test.py:37:9:37:9 | simple.test at test.py:37 | test.py:41:14:41:14 | simple.test at test.py:41 |
+| test.py:37:13:37:18 | simple.test at test.py:37 | test.py:37:9:37:9 | simple.test at test.py:37 |
+| test.py:49:17:49:19 | simple.test at test.py:49 | test.py:51:14:51:16 | simple.test at test.py:51 |
+| test.py:51:14:51:16 | simple.test at test.py:51 | test.py:12:10:12:12 | simple.test at test.py:12 |
+| test.py:62:9:62:9 | simple.test at test.py:62 | test.py:63:5:63:9 | simple.test at test.py:63 |
+| test.py:62:13:62:18 | simple.test at test.py:62 | test.py:62:9:62:9 | simple.test at test.py:62 |
+| test.py:63:5:63:9 | simple.test at test.py:63 | test.py:63:17:63:17 | simple.test at test.py:63 |
+| test.py:63:17:63:17 | simple.test at test.py:63 | test.py:49:17:49:19 | simple.test at test.py:49 |
+| test.py:67:9:67:9 | simple.test at test.py:67 | test.py:70:5:70:9 | simple.test at test.py:70 |
+| test.py:67:13:67:18 | simple.test at test.py:67 | test.py:67:9:67:9 | simple.test at test.py:67 |
+| test.py:70:5:70:9 | simple.test at test.py:70 | test.py:70:17:70:17 | simple.test at test.py:70 |
+| test.py:70:17:70:17 | simple.test at test.py:70 | test.py:49:17:49:19 | simple.test at test.py:49 |
+| test.py:126:9:126:9 | simple.test at test.py:126 | test.py:130:21:130:21 | simple.test at test.py:130 |
+| test.py:126:13:126:25 | simple.test at test.py:126 | test.py:126:9:126:9 | simple.test at test.py:126 |
+| test.py:128:9:128:9 | simple.test at test.py:128 | test.py:132:14:132:14 | simple.test at test.py:132 |
+| test.py:128:13:128:18 | simple.test at test.py:128 | test.py:128:9:128:9 | simple.test at test.py:128 |
+parents
+#select
+| rockpaperscissors.py:13:10:13:17 | ControlFlowNode for SCISSORS | rockpaperscissors.py:13:10:13:17 | scissors at rockpaperscissors.py:13 | rockpaperscissors.py:13:10:13:17 | scissors at rockpaperscissors.py:13 | $@ looses to $@. | rockpaperscissors.py:13:10:13:17 | ControlFlowNode for SCISSORS | scissors | rockpaperscissors.py:13:10:13:17 | ControlFlowNode for SCISSORS | scissors |
+| rockpaperscissors.py:16:11:16:14 | ControlFlowNode for ROCK | rockpaperscissors.py:16:11:16:14 | rock at rockpaperscissors.py:16 | rockpaperscissors.py:16:11:16:14 | rock at rockpaperscissors.py:16 | $@ looses to $@. | rockpaperscissors.py:16:11:16:14 | ControlFlowNode for ROCK | rock | rockpaperscissors.py:16:11:16:14 | ControlFlowNode for ROCK | rock |
+| rockpaperscissors.py:26:14:26:14 | ControlFlowNode for y | rockpaperscissors.py:24:9:24:12 | rock at rockpaperscissors.py:24 | rockpaperscissors.py:26:14:26:14 | paper at rockpaperscissors.py:26 | $@ looses to $@. | rockpaperscissors.py:24:9:24:12 | ControlFlowNode for ROCK | rock | rockpaperscissors.py:26:14:26:14 | ControlFlowNode for y | paper |
@@ -0,0 +1,13 @@
+
+/**
+ * @kind path-problem
+ */
+
+import python
+import semmle.python.security.TaintTracking
+import TaintLib
+import semmle.python.security.Paths
+
+from RockPaperScissorConfig config, TaintedPathSource src, TaintedPathSink sink
+where config.hasFlowPath(src, sink)
+select sink.getSink(), src, sink, "$@ looses to $@.", src.getNode(), src.getTaintKind().toString(), sink.getNode(), sink.getTaintKind().toString()