

Commit cf2eacd

committed
Python: Adjust additional taint after PostUpdateNode addition
Still no results though :(
1 parent 4e73abc commit cf2eacd

1 file changed

Lines changed: 6 additions & 7 deletions


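--- a/python/ql/src/experimental/dataflow/internal/TaintTrackingPrivate.qll
+++ b/python/ql/src/experimental/dataflow/internal/TaintTrackingPrivate.qll
@@ -150,40 +150,39 @@ predicate jsonStep(DataFlow::CfgNode nodeFrom, DataFlow::CfgNode nodeTo) {
 * is currently very imprecise, as an example, since we model `dict.get`, we treat any
 * `<tainted object>.get(<arg>)` will be tainted, whether it's true or not.
 */
-predicate containerStep(DataFlow::CfgNode nodeFrom, DataFlow::CfgNode nodeTo) {
+predicate containerStep(DataFlow::CfgNode nodeFrom, DataFlow::Node nodeTo) {
 // construction by literal
 // TODO: Not limiting the content argument here feels like a BIG hack, but we currently get nothing for free :|
 storeStep(nodeFrom, _, nodeTo)
 or
 // constructor call
-exists(CallNode call | call = nodeTo.getNode() |
+exists(CallNode call | call = nodeTo.asCfgNode() |
 call.getFunction().(NameNode).getId() in ["list", "set", "frozenset", "dict", "defaultdict",
 "tuple"] and
 call.getArg(0) = nodeFrom.getNode()
 )
 or
 // functions operating on collections
-exists(CallNode call | call = nodeTo.getNode() |
+exists(CallNode call | call = nodeTo.asCfgNode() |
 call.getFunction().(NameNode).getId() in ["sorted", "reversed", "iter", "next"] and
 call.getArg(0) = nodeFrom.getNode()
 )
 or
 // methods
-exists(CallNode call, string name | call = nodeTo.getNode() |
+exists(CallNode call, string name | call = nodeTo.asCfgNode() |
 name in ["copy",
 // general
 "pop",
 // dict
 "values", "items", "get", "popitem"] and
-call.getFunction().(AttrNode).getObject(name) = nodeFrom.getNode()
+call.getFunction().(AttrNode).getObject(name) = nodeFrom.asCfgNode()
 )
 or
 // list.append, set.add
-// NOTE: this currently doesn't work, since there are no PostUpdateNodes
 exists(CallNode call, string name |
 name in ["append", "add"] and
 call.getFunction().(AttrNode).getObject(name) =
-nodeTo.(PostUpdateNode).getPreUpdateNode().(DataFlow::CfgNode).getNode() and
+nodeTo.(PostUpdateNode).getPreUpdateNode().asCfgNode() and
 call.getArg(0) = nodeFrom.getNode()
 )
 }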
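Review bot: The new `containerStep` body mixes two spellings for the same node: the methods branch now compares against `nodeFrom.asCfgNode()` while the constructor, collection-function and append branches keep `nodeFrom.getNode()`; since `nodeFrom` is still declared `DataFlow::CfgNode` both should resolve to the same ControlFlowNode, but the inconsistency reads as if a different node kind were intended. Either keep one spelling throughout, e.g. `call.getFunction().(AttrNode).getObject(name) = nodeFrom.getNode()`, or widen `nodeFrom` to `DataFlow::Node` as the signature change does for `nodeTo`. The doc comment above the predicate (hunk lines 150–152) still describes `nodeTo` as the call result; with `nodeTo` now a `DataFlow::Node`, a line such as ` * For `append`/`add`, `nodeTo` is the PostUpdateNode of the receiver, not the call itself.` would spare the next reader a trip into the last disjunct. The removed NOTE recorded why this step produced no results, and the commit message still reports none, so it may be worth keeping a short TODO there pointing at where a PostUpdateNode for the receiver of an attribute call is expected to come from — I cannot tell from this hunk whether one is generated.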
