Python: Handle all methods in StringKind.getTaintOfMethodResult

RasmusWL · RasmusWL · commit b7145af44739 · 2020-04-20T16:07:30.000+02:00
diff --git a/python/ql/src/semmle/python/security/strings/Basic.qll b/python/ql/src/semmle/python/security/strings/Basic.qll
@@ -8,8 +8,38 @@ abstract class StringKind extends TaintKind {
     StringKind() { this = this }
 
     override TaintKind getTaintOfMethodResult(string name) {
-        name in ["strip", "format", "lstrip", "rstrip", "ljust", "rjust", "title", "capitalize"] and
+        name in [
+            "capitalize",
+            "casefold",
+            "center",
+            "expandtabs",
+            "format",
+            "format_map",
+            "ljust",
+            "lstrip",
+            "lower",
+            "replace",
+            "rjust",
+            "rstrip",
+            "strip",
+            "swapcase",
+            "title",
+            "upper",
+            "zfill",
+            /* encode/decode is technically not correct, but close enough */
+            "encode",
+            "decode"
+        ] and
         result = this
+        or
+        name in [
+            "partition",
+            "rpartition",
+            "rsplit",
+            "split",
+            "splitlines"
+        ] and
+        result.(SequenceKind).getItem() = this
     }
 
     override TaintKind getTaintForFlowStep(ControlFlowNode fromnode, ControlFlowNode tonode) {
diff --git a/python/ql/test/library-tests/taint/strings/TestStep.expected b/python/ql/test/library-tests/taint/strings/TestStep.expected
@@ -1,5 +1,10 @@
 | Taint [externally controlled string] | test.py:67 | test.py:67:20:67:43 | urlsplit() |  |  -->  | Taint [externally controlled string] | test.py:69 | test.py:69:10:69:21 | urlsplit_res |  |
 | Taint [externally controlled string] | test.py:68 | test.py:68:20:68:43 | urlparse() |  |  -->  | Taint [externally controlled string] | test.py:69 | test.py:69:24:69:35 | urlparse_res |  |
+| Taint [externally controlled string] | test.py:98 | test.py:98:9:98:37 | Attribute() |  |  -->  | Taint externally controlled string | test.py:98 | test.py:98:9:98:40 | Subscript |  |
+| Taint [externally controlled string] | test.py:102 | test.py:102:9:102:38 | Attribute() |  |  -->  | Taint externally controlled string | test.py:102 | test.py:102:9:102:41 | Subscript |  |
+| Taint [externally controlled string] | test.py:104 | test.py:104:9:104:37 | Attribute() |  |  -->  | Taint externally controlled string | test.py:104 | test.py:104:9:104:41 | Subscript |  |
+| Taint [externally controlled string] | test.py:107 | test.py:107:9:107:30 | Attribute() |  |  -->  | Taint externally controlled string | test.py:107 | test.py:107:9:107:33 | Subscript |  |
+| Taint [externally controlled string] | test.py:109 | test.py:109:9:109:35 | Attribute() |  |  -->  | Taint externally controlled string | test.py:109 | test.py:109:9:109:38 | Subscript |  |
 | Taint exception.info | test.py:44 | test.py:44:22:44:26 | taint | p1 = exception.info |  -->  | Taint exception.info | test.py:45 | test.py:45:17:45:21 | taint | p1 = exception.info |
 | Taint exception.info | test.py:45 | test.py:45:17:45:21 | taint | p1 = exception.info |  -->  | Taint exception.info | test.py:45 | test.py:45:12:45:22 | func() | p1 = exception.info |
 | Taint exception.info | test.py:45 | test.py:45:17:45:21 | taint | p1 = exception.info |  -->  | Taint exception.info | test.py:52 | test.py:52:19:52:21 | arg | p0 = exception.info |
@@ -66,6 +71,67 @@
 | Taint externally controlled string | test.py:72 | test.py:72:22:72:35 | TAINTED_STRING |  |  -->  | Taint externally controlled string | test.py:76 | test.py:76:12:76:25 | tainted_string |  |
 | Taint externally controlled string | test.py:74 | test.py:74:9:74:22 | tainted_string |  |  -->  | Taint externally controlled string | test.py:74 | test.py:74:9:74:30 | Attribute() |  |
 | Taint externally controlled string | test.py:74 | test.py:74:9:74:30 | Attribute() |  |  -->  | Taint externally controlled string | test.py:79 | test.py:79:10:79:10 | a |  |
+| Taint externally controlled string | test.py:82 | test.py:82:22:82:35 | TAINTED_STRING |  |  -->  | Taint externally controlled string | test.py:85 | test.py:85:9:85:22 | tainted_string |  |
+| Taint externally controlled string | test.py:82 | test.py:82:22:82:35 | TAINTED_STRING |  |  -->  | Taint externally controlled string | test.py:86 | test.py:86:9:86:22 | tainted_string |  |
+| Taint externally controlled string | test.py:82 | test.py:82:22:82:35 | TAINTED_STRING |  |  -->  | Taint externally controlled string | test.py:87 | test.py:87:9:87:22 | tainted_string |  |
+| Taint externally controlled string | test.py:82 | test.py:82:22:82:35 | TAINTED_STRING |  |  -->  | Taint externally controlled string | test.py:88 | test.py:88:9:88:22 | tainted_string |  |
+| Taint externally controlled string | test.py:82 | test.py:82:22:82:35 | TAINTED_STRING |  |  -->  | Taint externally controlled string | test.py:89 | test.py:89:9:89:22 | tainted_string |  |
+| Taint externally controlled string | test.py:82 | test.py:82:22:82:35 | TAINTED_STRING |  |  -->  | Taint externally controlled string | test.py:90 | test.py:90:9:90:22 | tainted_string |  |
+| Taint externally controlled string | test.py:82 | test.py:82:22:82:35 | TAINTED_STRING |  |  -->  | Taint externally controlled string | test.py:91 | test.py:91:9:91:22 | tainted_string |  |
+| Taint externally controlled string | test.py:82 | test.py:82:22:82:35 | TAINTED_STRING |  |  -->  | Taint externally controlled string | test.py:92 | test.py:92:9:92:22 | tainted_string |  |
+| Taint externally controlled string | test.py:82 | test.py:82:22:82:35 | TAINTED_STRING |  |  -->  | Taint externally controlled string | test.py:93 | test.py:93:9:93:22 | tainted_string |  |
+| Taint externally controlled string | test.py:82 | test.py:82:22:82:35 | TAINTED_STRING |  |  -->  | Taint externally controlled string | test.py:94 | test.py:94:9:94:22 | tainted_string |  |
+| Taint externally controlled string | test.py:82 | test.py:82:22:82:35 | TAINTED_STRING |  |  -->  | Taint externally controlled string | test.py:95 | test.py:95:9:95:22 | tainted_string |  |
+| Taint externally controlled string | test.py:82 | test.py:82:22:82:35 | TAINTED_STRING |  |  -->  | Taint externally controlled string | test.py:96 | test.py:96:9:96:22 | tainted_string |  |
+| Taint externally controlled string | test.py:82 | test.py:82:22:82:35 | TAINTED_STRING |  |  -->  | Taint externally controlled string | test.py:97 | test.py:97:9:97:22 | tainted_string |  |
+| Taint externally controlled string | test.py:82 | test.py:82:22:82:35 | TAINTED_STRING |  |  -->  | Taint externally controlled string | test.py:98 | test.py:98:9:98:22 | tainted_string |  |
+| Taint externally controlled string | test.py:82 | test.py:82:22:82:35 | TAINTED_STRING |  |  -->  | Taint externally controlled string | test.py:99 | test.py:99:9:99:22 | tainted_string |  |
+| Taint externally controlled string | test.py:82 | test.py:82:22:82:35 | TAINTED_STRING |  |  -->  | Taint externally controlled string | test.py:100 | test.py:100:9:100:22 | tainted_string |  |
+| Taint externally controlled string | test.py:82 | test.py:82:22:82:35 | TAINTED_STRING |  |  -->  | Taint externally controlled string | test.py:101 | test.py:101:9:101:22 | tainted_string |  |
+| Taint externally controlled string | test.py:82 | test.py:82:22:82:35 | TAINTED_STRING |  |  -->  | Taint externally controlled string | test.py:102 | test.py:102:9:102:22 | tainted_string |  |
+| Taint externally controlled string | test.py:82 | test.py:82:22:82:35 | TAINTED_STRING |  |  -->  | Taint externally controlled string | test.py:103 | test.py:103:9:103:22 | tainted_string |  |
+| Taint externally controlled string | test.py:82 | test.py:82:22:82:35 | TAINTED_STRING |  |  -->  | Taint externally controlled string | test.py:104 | test.py:104:9:104:22 | tainted_string |  |
+| Taint externally controlled string | test.py:82 | test.py:82:22:82:35 | TAINTED_STRING |  |  -->  | Taint externally controlled string | test.py:105 | test.py:105:9:105:22 | tainted_string |  |
+| Taint externally controlled string | test.py:82 | test.py:82:22:82:35 | TAINTED_STRING |  |  -->  | Taint externally controlled string | test.py:106 | test.py:106:9:106:22 | tainted_string |  |
+| Taint externally controlled string | test.py:82 | test.py:82:22:82:35 | TAINTED_STRING |  |  -->  | Taint externally controlled string | test.py:107 | test.py:107:9:107:22 | tainted_string |  |
+| Taint externally controlled string | test.py:82 | test.py:82:22:82:35 | TAINTED_STRING |  |  -->  | Taint externally controlled string | test.py:108 | test.py:108:9:108:22 | tainted_string |  |
+| Taint externally controlled string | test.py:82 | test.py:82:22:82:35 | TAINTED_STRING |  |  -->  | Taint externally controlled string | test.py:109 | test.py:109:9:109:22 | tainted_string |  |
+| Taint externally controlled string | test.py:82 | test.py:82:22:82:35 | TAINTED_STRING |  |  -->  | Taint externally controlled string | test.py:110 | test.py:110:9:110:22 | tainted_string |  |
+| Taint externally controlled string | test.py:82 | test.py:82:22:82:35 | TAINTED_STRING |  |  -->  | Taint externally controlled string | test.py:111 | test.py:111:9:111:22 | tainted_string |  |
+| Taint externally controlled string | test.py:82 | test.py:82:22:82:35 | TAINTED_STRING |  |  -->  | Taint externally controlled string | test.py:112 | test.py:112:9:112:22 | tainted_string |  |
+| Taint externally controlled string | test.py:82 | test.py:82:22:82:35 | TAINTED_STRING |  |  -->  | Taint externally controlled string | test.py:115 | test.py:115:9:115:22 | tainted_string |  |
+| Taint externally controlled string | test.py:82 | test.py:82:22:82:35 | TAINTED_STRING |  |  -->  | Taint externally controlled string | test.py:116 | test.py:116:9:116:22 | tainted_string |  |
+| Taint externally controlled string | test.py:85 | test.py:85:9:85:22 | tainted_string |  |  -->  | Taint externally controlled string | test.py:85 | test.py:85:9:85:35 | Attribute() |  |
+| Taint externally controlled string | test.py:86 | test.py:86:9:86:22 | tainted_string |  |  -->  | Taint externally controlled string | test.py:86 | test.py:86:9:86:33 | Attribute() |  |
+| Taint externally controlled string | test.py:87 | test.py:87:9:87:22 | tainted_string |  |  -->  | Taint externally controlled string | test.py:87 | test.py:87:9:87:31 | Attribute() |  |
+| Taint externally controlled string | test.py:88 | test.py:88:9:88:22 | tainted_string |  |  -->  | Taint externally controlled string | test.py:88 | test.py:88:9:88:38 | Attribute() |  |
+| Taint externally controlled string | test.py:89 | test.py:89:9:89:22 | tainted_string |  |  -->  | Taint externally controlled string | test.py:89 | test.py:89:9:89:38 | Attribute() |  |
+| Taint externally controlled string | test.py:89 | test.py:89:9:89:38 | Attribute() |  |  -->  | Taint externally controlled string | test.py:89 | test.py:89:9:89:54 | Attribute() |  |
+| Taint externally controlled string | test.py:90 | test.py:90:9:90:22 | tainted_string |  |  -->  | Taint externally controlled string | test.py:90 | test.py:90:9:90:35 | Attribute() |  |
+| Taint externally controlled string | test.py:91 | test.py:91:9:91:22 | tainted_string |  |  -->  | Taint externally controlled string | test.py:91 | test.py:91:9:91:37 | Attribute() |  |
+| Taint externally controlled string | test.py:92 | test.py:92:9:92:22 | tainted_string |  |  -->  | Taint externally controlled string | test.py:92 | test.py:92:9:92:46 | Attribute() |  |
+| Taint externally controlled string | test.py:93 | test.py:93:9:93:22 | tainted_string |  |  -->  | Taint externally controlled string | test.py:93 | test.py:93:9:93:33 | Attribute() |  |
+| Taint externally controlled string | test.py:94 | test.py:94:9:94:22 | tainted_string |  |  -->  | Taint externally controlled string | test.py:94 | test.py:94:9:94:30 | Attribute() |  |
+| Taint externally controlled string | test.py:95 | test.py:95:9:95:22 | tainted_string |  |  -->  | Taint externally controlled string | test.py:95 | test.py:95:9:95:31 | Attribute() |  |
+| Taint externally controlled string | test.py:96 | test.py:96:9:96:22 | tainted_string |  |  -->  | Taint externally controlled string | test.py:96 | test.py:96:9:96:35 | Attribute() |  |
+| Taint externally controlled string | test.py:97 | test.py:97:9:97:22 | tainted_string |  |  -->  | Taint [externally controlled string] | test.py:97 | test.py:97:9:97:37 | Attribute() |  |
+| Taint externally controlled string | test.py:98 | test.py:98:9:98:22 | tainted_string |  |  -->  | Taint [externally controlled string] | test.py:98 | test.py:98:9:98:37 | Attribute() |  |
+| Taint externally controlled string | test.py:99 | test.py:99:9:99:22 | tainted_string |  |  -->  | Taint externally controlled string | test.py:99 | test.py:99:9:99:42 | Attribute() |  |
+| Taint externally controlled string | test.py:100 | test.py:100:9:100:22 | tainted_string |  |  -->  | Taint externally controlled string | test.py:100 | test.py:100:9:100:33 | Attribute() |  |
+| Taint externally controlled string | test.py:101 | test.py:101:9:101:22 | tainted_string |  |  -->  | Taint [externally controlled string] | test.py:101 | test.py:101:9:101:38 | Attribute() |  |
+| Taint externally controlled string | test.py:102 | test.py:102:9:102:22 | tainted_string |  |  -->  | Taint [externally controlled string] | test.py:102 | test.py:102:9:102:38 | Attribute() |  |
+| Taint externally controlled string | test.py:103 | test.py:103:9:103:22 | tainted_string |  |  -->  | Taint [externally controlled string] | test.py:103 | test.py:103:9:103:37 | Attribute() |  |
+| Taint externally controlled string | test.py:104 | test.py:104:9:104:22 | tainted_string |  |  -->  | Taint [externally controlled string] | test.py:104 | test.py:104:9:104:37 | Attribute() |  |
+| Taint externally controlled string | test.py:105 | test.py:105:9:105:22 | tainted_string |  |  -->  | Taint externally controlled string | test.py:105 | test.py:105:9:105:31 | Attribute() |  |
+| Taint externally controlled string | test.py:106 | test.py:106:9:106:22 | tainted_string |  |  -->  | Taint [externally controlled string] | test.py:106 | test.py:106:9:106:30 | Attribute() |  |
+| Taint externally controlled string | test.py:107 | test.py:107:9:107:22 | tainted_string |  |  -->  | Taint [externally controlled string] | test.py:107 | test.py:107:9:107:30 | Attribute() |  |
+| Taint externally controlled string | test.py:108 | test.py:108:9:108:22 | tainted_string |  |  -->  | Taint [externally controlled string] | test.py:108 | test.py:108:9:108:35 | Attribute() |  |
+| Taint externally controlled string | test.py:109 | test.py:109:9:109:22 | tainted_string |  |  -->  | Taint [externally controlled string] | test.py:109 | test.py:109:9:109:35 | Attribute() |  |
+| Taint externally controlled string | test.py:110 | test.py:110:9:110:22 | tainted_string |  |  -->  | Taint externally controlled string | test.py:110 | test.py:110:9:110:30 | Attribute() |  |
+| Taint externally controlled string | test.py:111 | test.py:111:9:111:22 | tainted_string |  |  -->  | Taint externally controlled string | test.py:111 | test.py:111:9:111:33 | Attribute() |  |
+| Taint externally controlled string | test.py:112 | test.py:112:9:112:22 | tainted_string |  |  -->  | Taint externally controlled string | test.py:112 | test.py:112:9:112:30 | Attribute() |  |
+| Taint externally controlled string | test.py:115 | test.py:115:9:115:22 | tainted_string |  |  -->  | Taint externally controlled string | test.py:115 | test.py:115:9:115:30 | Attribute() |  |
+| Taint externally controlled string | test.py:116 | test.py:116:9:116:22 | tainted_string |  |  -->  | Taint externally controlled string | test.py:116 | test.py:116:9:116:33 | Attribute() |  |
 | Taint json[externally controlled string] | test.py:6 | test.py:6:20:6:45 | Attribute() |  |  -->  | Taint json[externally controlled string] | test.py:7 | test.py:7:9:7:20 | tainted_json |  |
 | Taint json[externally controlled string] | test.py:7 | test.py:7:9:7:20 | tainted_json |  |  -->  | Taint externally controlled string | test.py:7 | test.py:7:9:7:25 | Subscript |  |
 | Taint json[externally controlled string] | test.py:7 | test.py:7:9:7:20 | tainted_json |  |  -->  | Taint json[externally controlled string] | test.py:7 | test.py:7:9:7:25 | Subscript |  |
diff --git a/python/ql/test/library-tests/taint/strings/TestTaint.expected b/python/ql/test/library-tests/taint/strings/TestTaint.expected
@@ -24,3 +24,33 @@
 | test.py:69 | test_urlsplit_urlparse | urlsplit_res | [externally controlled string] |
 | test.py:79 | test_method_reference | a | externally controlled string |
 | test.py:79 | test_method_reference | b | NO TAINT |
+| test.py:85 | test_str_methods | Attribute() | externally controlled string |
+| test.py:86 | test_str_methods | Attribute() | externally controlled string |
+| test.py:87 | test_str_methods | Attribute() | externally controlled string |
+| test.py:88 | test_str_methods | Attribute() | externally controlled string |
+| test.py:89 | test_str_methods | Attribute() | externally controlled string |
+| test.py:90 | test_str_methods | Attribute() | externally controlled string |
+| test.py:91 | test_str_methods | Attribute() | externally controlled string |
+| test.py:92 | test_str_methods | Attribute() | externally controlled string |
+| test.py:93 | test_str_methods | Attribute() | externally controlled string |
+| test.py:94 | test_str_methods | Attribute() | externally controlled string |
+| test.py:95 | test_str_methods | Attribute() | externally controlled string |
+| test.py:96 | test_str_methods | Attribute() | externally controlled string |
+| test.py:97 | test_str_methods | Attribute() | [externally controlled string] |
+| test.py:98 | test_str_methods | Subscript | externally controlled string |
+| test.py:99 | test_str_methods | Attribute() | externally controlled string |
+| test.py:100 | test_str_methods | Attribute() | externally controlled string |
+| test.py:101 | test_str_methods | Attribute() | [externally controlled string] |
+| test.py:102 | test_str_methods | Subscript | externally controlled string |
+| test.py:103 | test_str_methods | Attribute() | [externally controlled string] |
+| test.py:104 | test_str_methods | Subscript | externally controlled string |
+| test.py:105 | test_str_methods | Attribute() | externally controlled string |
+| test.py:106 | test_str_methods | Attribute() | [externally controlled string] |
+| test.py:107 | test_str_methods | Subscript | externally controlled string |
+| test.py:108 | test_str_methods | Attribute() | [externally controlled string] |
+| test.py:109 | test_str_methods | Subscript | externally controlled string |
+| test.py:110 | test_str_methods | Attribute() | externally controlled string |
+| test.py:111 | test_str_methods | Attribute() | externally controlled string |
+| test.py:112 | test_str_methods | Attribute() | externally controlled string |
+| test.py:115 | test_str_methods | Attribute() | externally controlled string |
+| test.py:116 | test_str_methods | Attribute() | externally controlled string |
diff --git a/python/ql/test/library-tests/taint/strings/test.py b/python/ql/test/library-tests/taint/strings/test.py
@@ -77,3 +77,41 @@ def test_method_reference():
     b = func()
 
     test(a, b) # TODO: `b` not tainted
+
+def test_str_methods():
+    tainted_string = TAINTED_STRING
+
+    test(
+        tainted_string.capitalize(),
+        tainted_string.casefold(),
+        tainted_string.center(),
+        tainted_string.encode('utf-8'),
+        tainted_string.encode('utf-8').decode('utf-8'),
+        tainted_string.expandtabs(),
+        tainted_string.format(foo=42),
+        tainted_string.format_map({'foo': 42}),
+        tainted_string.ljust(100),
+        tainted_string.lower(),
+        tainted_string.lstrip(),
+        tainted_string.lstrip('w.'),
+        tainted_string.partition(';'),
+        tainted_string.partition(';')[0],
+        tainted_string.replace('/', '', 1),
+        tainted_string.rjust(100),
+        tainted_string.rpartition(';'),
+        tainted_string.rpartition(';')[2],
+        tainted_string.rsplit(';', 4),
+        tainted_string.rsplit(';', 4)[-1],
+        tainted_string.rstrip(),
+        tainted_string.split(),
+        tainted_string.split()[0],
+        tainted_string.splitlines(),
+        tainted_string.splitlines()[0],
+        tainted_string.strip(),
+        tainted_string.swapcase(),
+        tainted_string.title(),
+        # ignoring, as I have never seen this in practice
+        # tainted_string.translate(translation_table),
+        tainted_string.upper(),
+        tainted_string.zfill(100),
+    )
