

Commit a77f118

Python: Shared taint tracking: Handle string concat + subcript
1 parent 61f89ca commit a77f118

2 files changed

Lines changed: 42 additions & 13 deletions


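--- a/python/ql/src/experimental/dataflow/internal/TaintTrackingPrivate.qll
+++ b/python/ql/src/experimental/dataflow/internal/TaintTrackingPrivate.qll
@@ -3,13 +3,6 @@ private import experimental.dataflow.DataFlow
 private import experimental.dataflow.internal.DataFlowPrivate
 private import experimental.dataflow.internal.TaintTrackingPublic
 
-/**
- * Holds if taint can flow in one local step from `nodeFrom` to `nodeTo` excluding
- * local data flow steps. That is, `nodeFrom` and `nodeTo` are likely to represent
- * different objects.
- */
-predicate localAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) { none() }
-
 /**
  * Holds if `node` should be a barrier in all global taint flow configurations
  * but not in local taint.
@@ -25,3 +18,39 @@ predicate defaultAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nod
   or
   any(AdditionalTaintStep a).step(nodeFrom, nodeTo)
 }
+
+/**
+ * Holds if taint can flow in one local step from `nodeFrom` to `nodeTo` excluding
+ * local data flow steps. That is, `nodeFrom` and `nodeTo` are likely to represent
+ * different objects.
+ */
+predicate localAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+  concatStep(nodeFrom, nodeTo)
+  or
+  subscriptStep(nodeFrom, nodeTo)
+}
+
+/**
+ * Holds if taint can flow from `nodeFrom` to `nodeTo` with a step related to concatenation.
+ *
+ * Note that since we cannot easily distinguish interesting types (like string, list, tuple), so
+ * we consider any `+` operation to propagate taint. After consulting with the JS team, this
+ * should doesn't sound like it is a big problem in practice.
+ */
+predicate concatStep(DataFlow::CfgNode nodeFrom, DataFlow::CfgNode nodeTo) {
+  exists(BinaryExprNode add | add = nodeTo.getNode() |
+    add.getOp() instanceof Add and
+    (
+      add.getLeft() = nodeFrom.getNode()
+      or
+      add.getRight() = nodeFrom.getNode()
+    )
+  )
+}
+
+/**
+ * Holds if taint can flow from `nodeFrom` to `nodeTo` with a step related to subscripting.
+ */
+predicate subscriptStep(DataFlow::CfgNode nodeFrom, DataFlow::CfgNode nodeTo) {
+  nodeTo.getNode().(SubscriptNode).getObject() = nodeFrom.getNode()
+}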
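Review bot: The docstring on the new `concatStep` (new lines 36–38) is garbled — "since we cannot … so we consider" and "this should doesn't sound like" — yet it is the one place recording a deliberate over-approximation that affects the precision of every taint query built on this library, so it should read cleanly, e.g. `Note that since we cannot easily distinguish the interesting types (string, list, tuple) from numeric ones, any + operation is treated as propagating taint. Per discussion with the JS team this is not expected to be a problem in practice.` `subscriptStep` carries the same kind of caveat but does not say so: its docstring should state that any subscript of a tainted object (index, slice or dict-key lookup) is considered tainted regardless of the index, so a container with a single tainted element taints every lookup — conservative for reaching sinks, but a known false-positive source. Both helpers are also one-directional; flow from a subscript store (`d[k] = tainted`) back into `d` is not modelled here, and a one-line comment saying so would stop readers assuming it is. If augmented assignment (`s += tainted`) is not surfaced as a `BinaryExprNode` in the Python CFG it is not covered by `concatStep` either; a case in test.py would settle that.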

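--- a/python/ql/test/experimental/dataflow/tainttracking/string/TestTaint.expected
+++ b/python/ql/test/experimental/dataflow/tainttracking/string/TestTaint.expected
@@ -1,10 +1,10 @@
 | test.py:24 | ok | str_operations | ts |
-| test.py:25 | fail | str_operations | BinaryExpr |
-| test.py:26 | fail | str_operations | BinaryExpr |
-| test.py:27 | fail | str_operations | ts[Slice] |
-| test.py:28 | fail | str_operations | ts[Slice] |
-| test.py:29 | fail | str_operations | ts[Slice] |
-| test.py:30 | fail | str_operations | ts[0] |
+| test.py:25 | ok | str_operations | BinaryExpr |
+| test.py:26 | ok | str_operations | BinaryExpr |
+| test.py:27 | ok | str_operations | ts[Slice] |
+| test.py:28 | ok | str_operations | ts[Slice] |
+| test.py:29 | ok | str_operations | ts[Slice] |
+| test.py:30 | ok | str_operations | ts[0] |
 | test.py:31 | fail | str_operations | str(..) |
 | test.py:40 | fail | str_methods | ts.capitalize() |
 | test.py:41 | fail | str_methods | ts.casefold() |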
