Python: Add taint test for os.path.join

RasmusWL · RasmusWL · commit efa248471831 · 2020-09-30T11:35:21.000+02:00
Surprisingly the first two just worked, due to our very general handling of any
`join` methods :D
diff --git a/python/ql/src/experimental/dataflow/internal/TaintTrackingPrivate.qll b/python/ql/src/experimental/dataflow/internal/TaintTrackingPrivate.qll
@@ -101,7 +101,7 @@ predicate stringManipulation(DataFlow::CfgNode nodeFrom, DataFlow::CfgNode nodeT
     nodeFrom.getNode() = object and
     method_name in ["partition", "rpartition", "rsplit", "split", "splitlines"]
     or
-    // List[str] -> str
+    // Iterable[str] -> str
     // TODO: check if these should be handled differently in regards to content
     method_name = "join" and
     nodeFrom.getNode() = call.getArg(0)
diff --git a/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/TestTaint.expected b/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/TestTaint.expected
@@ -137,6 +137,9 @@
 | test_string.py:143 | fail | binary_decode_encode | base64.decodestring(..) |
 | test_string.py:148 | fail | binary_decode_encode | quopri.encodestring(..) |
 | test_string.py:149 | fail | binary_decode_encode | quopri.decodestring(..) |
+| test_string.py:158 | ok   | test_os_path_join | os.path.join(..) |
+| test_string.py:159 | ok   | test_os_path_join | os.path.join(..) |
+| test_string.py:160 | fail | test_os_path_join | os.path.join(..) |
 | test_unpacking.py:16 | ok   | unpacking | a |
 | test_unpacking.py:16 | ok   | unpacking | b |
 | test_unpacking.py:16 | ok   | unpacking | c |
diff --git a/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/test_string.py b/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/test_string.py
@@ -150,10 +150,22 @@ def binary_decode_encode():
     )
 
 
+def test_os_path_join():
+    import os
+    print("\n# test_os_path_join")
+    ts = TAINTED_STRING
+    ensure_tainted(
+        os.path.join(ts, "foo", "bar"),
+        os.path.join(ts),
+        os.path.join("foo", "bar", ts),
+    )
+
+
 # Make tests runable
 
 str_operations()
 str_methods()
 non_syntactic()
 percent_fmt()
 binary_decode_encode()
+test_os_path_join()
