Python: Model sensitive data from subscripts

RasmusWL · RasmusWL · commit 925e67d734dc · 2021-06-04T11:28:07.000+02:00
diff --git a/python/ql/src/semmle/python/dataflow/new/SensitiveDataSources.qll b/python/ql/src/semmle/python/dataflow/new/SensitiveDataSources.qll
@@ -126,6 +126,18 @@ private module SensitiveDataModeling {
     override SensitiveDataClassification getClassification() { result = classification }
   }
 
+  /** A subscript, where the key indicates the result will be sensitive data. */
+  class SensitiveSubscript extends SensitiveDataSource::Range {
+    SensitiveDataClassification classification;
+
+    SensitiveSubscript() {
+      this.asCfgNode().(SubscriptNode).getIndex() =
+        sensitiveLookupStringConst(classification).asCfgNode()
+    }
+
+    override SensitiveDataClassification getClassification() { result = classification }
+  }
+
   /** A call to `get` on an object, where the key indicates the result will be sensitive data. */
   class SensitiveGetCall extends SensitiveDataSource::Range, DataFlow::CallCfgNode {
     SensitiveDataClassification classification;
diff --git a/python/ql/test/experimental/dataflow/sensitive-data/test.py b/python/ql/test/experimental/dataflow/sensitive-data/test.py
@@ -34,7 +34,7 @@ def encrypt_password(pwd):
 print(password) # $ MISSING: SensitiveUse=password
 
 # Special handling of lookups of sensitive properties
-request.args["password"], # $ MISSING: SensitiveDataSource=password
+request.args["password"], # $ SensitiveDataSource=password
 request.args.get("password") # $ SensitiveDataSource=password
 
 x = "password"
