Python: Add additional taint steps for copy

RasmusWL · RasmusWL · commit e2a89aa29604 · 2020-08-26T19:39:38.000+02:00
deepcopy was already handled somehow, don't really know how :D
diff --git a/python/ql/src/experimental/dataflow/internal/TaintTrackingPrivate.qll b/python/ql/src/experimental/dataflow/internal/TaintTrackingPrivate.qll
@@ -34,6 +34,8 @@ predicate localAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeT
   jsonStep(nodeFrom, nodeTo)
   or
   containerStep(nodeFrom, nodeTo)
+  or
+  copyStep(nodeFrom, nodeTo)
 }
 
 /**
@@ -172,3 +174,19 @@ predicate containerStep(DataFlow::CfgNode nodeFrom, DataFlow::CfgNode nodeTo) {
     call.getFunction().(AttrNode).getObject(name) = nodeFrom.getNode()
   )
 }
+
+
+/**
+ * Holds if taint can flow from `nodeFrom` to `nodeTo` with a step related to copying.
+ */
+predicate copyStep(DataFlow::CfgNode nodeFrom, DataFlow::CfgNode nodeTo) {
+  exists(CallNode call | call = nodeTo.getNode() |
+    // Fully qualified: copy.copy, copy.deepcopy
+    (
+      call.getFunction().(NameNode).getId() in ["copy", "deepcopy"]
+      or
+      call.getFunction().(AttrNode).getObject("copy").(NameNode).getId() in ["copy", "deepcopy"]
+    ) and
+    call.getArg(0) = nodeFrom.getNode()
+  )
+}
diff --git a/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/TestTaint.expected b/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/TestTaint.expected
@@ -18,7 +18,7 @@
 | collections.py:53 | ok   | test_access | reversed(..) |
 | collections.py:54 | ok   | test_access | iter(..) |
 | collections.py:55 | ok   | test_access | next(..) |
-| collections.py:56 | fail | test_access | copy(..) |
+| collections.py:56 | ok   | test_access | copy(..) |
 | collections.py:57 | ok   | test_access | deepcopy(..) |
 | collections.py:61 | fail | test_access | a |
 | collections.py:61 | fail | test_access | b |
