Merge pull request #3132 from RasmusWL/python-fix-iterable-unpacking-taint-CP

Python: Fix iterable-unpacking taint CP

python/ql/src/semmle/python/dataflow/Implementation.qll

@@ -712,32 +712,16 @@ private class EssaTaintTracking extends string {
         TaintTrackingNode src, MultiAssignmentDefinition defn, TaintTrackingContext context,
         AttributePath path, TaintKind kind
     ) {
-        exists(DataFlow::Node srcnode, TaintKind srckind, Assign assign |
+        exists(DataFlow::Node srcnode, TaintKind srckind, Assign assign, int depth |
             src = TTaintTrackingNode_(srcnode, context, path, srckind, this) and
             path.noAttribute()
         |
             assign.getValue().getAFlowNode() = srcnode.asCfgNode() and
-            kind = iterable_unpacking_descent(assign.getATarget().getAFlowNode(), defn.getDefiningNode(),
-                    srckind)
+            depth = iterable_unpacking_descent(assign.getATarget().getAFlowNode(), defn.getDefiningNode()) and
+            kind = taint_at_depth(srckind, depth)
         )
     }
 
-    /** `((x,y), ...) = value` with any nesting on LHS */
-    private TaintKind iterable_unpacking_descent(
-        SequenceNode left_parent, ControlFlowNode left_defn, CollectionKind parent_kind
-    ) {
-        //TODO: Fix the cartesian product in this predicate
-        none() and
-        left_parent.getAnElement() = left_defn and
-        // Handle `a, *b = some_iterable`
-        if left_defn instanceof StarredNode
-        then result = parent_kind
-        else result = parent_kind.getMember()
-        or
-        result = iterable_unpacking_descent(left_parent.getAnElement(), left_defn,
-                parent_kind.getMember())
-    }
-
     pragma[noinline]
     private predicate taintedAttributeAssignment(
         TaintTrackingNode src, AttributeAssignment defn, TaintTrackingContext context,
@@ -967,6 +951,46 @@ private predicate piNodeTestAndUse(PyEdgeRefinement defn, ControlFlowNode test,
     test = defn.getTest() and use = defn.getInput().getASourceUse() and test.getAChild*() = use
 }
 
+/** Helper predicate for taintedMultiAssignment */
+private TaintKind taint_at_depth(SequenceKind parent_kind, int depth) {
+    depth >= 0 and
+    (
+        // base-case #0
+        depth = 0 and
+        result = parent_kind
+        or
+        // base-case #1
+        depth = 1 and
+        result = parent_kind.getMember()
+        or
+        // recursive case
+        depth > 1 and
+        result = taint_at_depth(parent_kind.getMember(), depth-1)
+    )
+}
+
+/** Helper predicate for taintedMultiAssignment
+ *
+ * Returns the `depth` the elements that are assigned to `left_defn` with iterable unpacking has,
+ * compared to `left_parent`. Special care is taken for `StarredNode` that is assigned a sequence of items.
+ *
+ * For example, `((x, *y), ...) = value` with any nesting on LHS
+ * - with `left_defn` = `x`, `left_parent` = `(x, *y)`, result = 1
+ * - with `left_defn` = `x`, `left_parent` = `((x, *y), ...)`, result = 2
+ * - with `left_defn` = `*y`, `left_parent` = `(x, *y)`, result = 0
+ * - with `left_defn` = `*y`, `left_parent` = `((x, *y), ...)`, result = 1
+ */
+int iterable_unpacking_descent(SequenceNode left_parent, ControlFlowNode left_defn) {
+    exists(Assign a | a.getATarget().getASubExpression*().getAFlowNode() = left_parent) and
+    left_parent.getAnElement() = left_defn and
+    // Handle `a, *b = some_iterable`
+    if left_defn instanceof StarredNode
+    then result = 0
+    else result = 1
+    or
+    result = 1 + iterable_unpacking_descent(left_parent.getAnElement(), left_defn)
+}
+
 module Implementation {
     /* A call that returns a copy (or similar) of the argument */
     predicate copyCall(ControlFlowNode fromnode, CallNode tonode) {

python/ql/test/3/library-tests/taint/unpacking/TestTaint.expected

@@ -1,9 +1,9 @@
-| test.py:11 | extended_unpacking | first | NO TAINT |
-| test.py:11 | extended_unpacking | last | NO TAINT |
-| test.py:11 | extended_unpacking | rest | NO TAINT |
-| test.py:16 | also_allowed | a | NO TAINT |
+| test.py:11 | extended_unpacking | first | externally controlled string |
+| test.py:11 | extended_unpacking | last | externally controlled string |
+| test.py:11 | extended_unpacking | rest | [externally controlled string] |
+| test.py:16 | also_allowed | a | [externally controlled string] |
 | test.py:24 | also_allowed | b | NO TAINT |
 | test.py:24 | also_allowed | c | NO TAINT |
-| test.py:31 | nested | x | NO TAINT |
-| test.py:31 | nested | xs | NO TAINT |
-| test.py:31 | nested | ys | NO TAINT |
+| test.py:31 | nested | x | externally controlled string |
+| test.py:31 | nested | xs | [externally controlled string] |
+| test.py:31 | nested | ys | [externally controlled string] |

python/ql/test/library-tests/taint/collections/TestStep.expected

@@ -26,6 +26,9 @@
 | Taint [externally controlled string] | test.py:29 | test.py:29:9:29:25 | Subscript |  |  -->  | Taint [externally controlled string] | test.py:32 | test.py:32:16:32:16 | c |  |
 | Taint [externally controlled string] | test.py:30 | test.py:30:9:30:20 | tainted_list |  |  -->  | Taint [externally controlled string] | test.py:30 | test.py:30:9:30:27 | Attribute() |  |
 | Taint [externally controlled string] | test.py:30 | test.py:30:9:30:27 | Attribute() |  |  -->  | Taint [externally controlled string] | test.py:32 | test.py:32:19:32:19 | d |  |
+| Taint [externally controlled string] | test.py:31 | test.py:31:15:31:26 | tainted_list |  |  -->  | Taint externally controlled string | test.py:32 | test.py:32:22:32:22 | e |  |
+| Taint [externally controlled string] | test.py:31 | test.py:31:15:31:26 | tainted_list |  |  -->  | Taint externally controlled string | test.py:32 | test.py:32:25:32:25 | f |  |
+| Taint [externally controlled string] | test.py:31 | test.py:31:15:31:26 | tainted_list |  |  -->  | Taint externally controlled string | test.py:32 | test.py:32:28:32:28 | g |  |
 | Taint [externally controlled string] | test.py:33 | test.py:33:14:33:25 | tainted_list |  |  -->  | Taint externally controlled string | test.py:33 | test.py:33:5:33:26 | For |  |
 | Taint [externally controlled string] | test.py:35 | test.py:35:14:35:35 | reversed() |  |  -->  | Taint externally controlled string | test.py:35 | test.py:35:5:35:36 | For |  |
 | Taint [externally controlled string] | test.py:35 | test.py:35:23:35:34 | tainted_list |  |  -->  | Taint [externally controlled string] | test.py:35 | test.py:35:14:35:35 | reversed() |  |

python/ql/test/library-tests/taint/collections/TestTaint.expected

@@ -10,9 +10,9 @@
 | test.py:32 | test_access | b | externally controlled string |
 | test.py:32 | test_access | c | [externally controlled string] |
 | test.py:32 | test_access | d | [externally controlled string] |
-| test.py:32 | test_access | e | NO TAINT |
-| test.py:32 | test_access | f | NO TAINT |
-| test.py:32 | test_access | g | NO TAINT |
+| test.py:32 | test_access | e | externally controlled string |
+| test.py:32 | test_access | f | externally controlled string |
+| test.py:32 | test_access | g | externally controlled string |
 | test.py:34 | test_access | h | externally controlled string |
 | test.py:36 | test_access | i | externally controlled string |
 | test.py:43 | test_dict_access | a | externally controlled string |

python/ql/test/library-tests/taint/namedtuple/TestTaint.expected

@@ -1,7 +1,7 @@
 | test.py:13 | test_basic | a | externally controlled string |
 | test.py:13 | test_basic | b | externally controlled string |
 | test.py:13 | test_basic | c | externally controlled string |
-| test.py:13 | test_basic | d | NO TAINT |
+| test.py:13 | test_basic | d | externally controlled string |
 | test.py:13 | test_basic | urlsplit_res | [externally controlled string] |
 | test.py:19 | test_sanitizer | Attribute | externally controlled string |
 | test.py:22 | test_sanitizer | Attribute | NO TAINT |

python/ql/test/library-tests/taint/unpacking/TestStep.expected

@@ -1,8 +1,35 @@
 | Taint [[externally controlled string]] | test.py:19 | test.py:19:10:19:18 | List |  |  -->  | Taint [[externally controlled string]] | test.py:22 | test.py:22:28:22:29 | ll |  |
 | Taint [[externally controlled string]] | test.py:19 | test.py:19:10:19:18 | List |  |  -->  | Taint [[externally controlled string]] | test.py:26 | test.py:26:28:26:29 | ll |  |
 | Taint [[externally controlled string]] | test.py:19 | test.py:19:10:19:18 | List |  |  -->  | Taint [[externally controlled string]] | test.py:30 | test.py:30:28:30:29 | ll |  |
+| Taint [[externally controlled string]] | test.py:22 | test.py:22:28:22:29 | ll |  |  -->  | Taint [externally controlled string] | test.py:23 | test.py:23:22:23:22 | b |  |
+| Taint [[externally controlled string]] | test.py:22 | test.py:22:28:22:29 | ll |  |  -->  | Taint [externally controlled string] | test.py:23 | test.py:23:25:23:25 | c |  |
+| Taint [[externally controlled string]] | test.py:22 | test.py:22:28:22:29 | ll |  |  -->  | Taint externally controlled string | test.py:23 | test.py:23:10:23:11 | a1 |  |
+| Taint [[externally controlled string]] | test.py:22 | test.py:22:28:22:29 | ll |  |  -->  | Taint externally controlled string | test.py:23 | test.py:23:14:23:15 | a2 |  |
+| Taint [[externally controlled string]] | test.py:22 | test.py:22:28:22:29 | ll |  |  -->  | Taint externally controlled string | test.py:23 | test.py:23:18:23:19 | a3 |  |
+| Taint [[externally controlled string]] | test.py:26 | test.py:26:28:26:29 | ll |  |  -->  | Taint [externally controlled string] | test.py:27 | test.py:27:22:27:22 | b |  |
+| Taint [[externally controlled string]] | test.py:26 | test.py:26:28:26:29 | ll |  |  -->  | Taint [externally controlled string] | test.py:27 | test.py:27:25:27:25 | c |  |
+| Taint [[externally controlled string]] | test.py:26 | test.py:26:28:26:29 | ll |  |  -->  | Taint externally controlled string | test.py:27 | test.py:27:10:27:11 | a1 |  |
+| Taint [[externally controlled string]] | test.py:26 | test.py:26:28:26:29 | ll |  |  -->  | Taint externally controlled string | test.py:27 | test.py:27:14:27:15 | a2 |  |
+| Taint [[externally controlled string]] | test.py:26 | test.py:26:28:26:29 | ll |  |  -->  | Taint externally controlled string | test.py:27 | test.py:27:18:27:19 | a3 |  |
+| Taint [[externally controlled string]] | test.py:30 | test.py:30:28:30:29 | ll |  |  -->  | Taint [externally controlled string] | test.py:31 | test.py:31:22:31:22 | b |  |
+| Taint [[externally controlled string]] | test.py:30 | test.py:30:28:30:29 | ll |  |  -->  | Taint [externally controlled string] | test.py:31 | test.py:31:25:31:25 | c |  |
+| Taint [[externally controlled string]] | test.py:30 | test.py:30:28:30:29 | ll |  |  -->  | Taint externally controlled string | test.py:31 | test.py:31:10:31:11 | a1 |  |
+| Taint [[externally controlled string]] | test.py:30 | test.py:30:28:30:29 | ll |  |  -->  | Taint externally controlled string | test.py:31 | test.py:31:14:31:15 | a2 |  |
+| Taint [[externally controlled string]] | test.py:30 | test.py:30:28:30:29 | ll |  |  -->  | Taint externally controlled string | test.py:31 | test.py:31:18:31:19 | a3 |  |
+| Taint [[externally controlled string]] | test.py:47 | test.py:47:28:47:54 | Tuple |  |  -->  | Taint externally controlled string | test.py:48 | test.py:48:10:48:10 | a |  |
+| Taint [[externally controlled string]] | test.py:47 | test.py:47:28:47:54 | Tuple |  |  -->  | Taint externally controlled string | test.py:48 | test.py:48:13:48:13 | b |  |
+| Taint [[externally controlled string]] | test.py:47 | test.py:47:28:47:54 | Tuple |  |  -->  | Taint externally controlled string | test.py:48 | test.py:48:16:48:16 | c |  |
+| Taint [[externally controlled string]] | test.py:47 | test.py:47:28:47:54 | Tuple |  |  -->  | Taint externally controlled string | test.py:48 | test.py:48:19:48:19 | d |  |
+| Taint [[externally controlled string]] | test.py:47 | test.py:47:28:47:54 | Tuple |  |  -->  | Taint externally controlled string | test.py:48 | test.py:48:22:48:22 | e |  |
+| Taint [[externally controlled string]] | test.py:47 | test.py:47:28:47:54 | Tuple |  |  -->  | Taint externally controlled string | test.py:48 | test.py:48:25:48:25 | f |  |
 | Taint [externally controlled string] | test.py:6 | test.py:6:9:6:20 | TAINTED_LIST |  |  -->  | Taint [externally controlled string] | test.py:7 | test.py:7:15:7:15 | l |  |
+| Taint [externally controlled string] | test.py:7 | test.py:7:15:7:15 | l |  |  -->  | Taint externally controlled string | test.py:8 | test.py:8:10:8:10 | a |  |
+| Taint [externally controlled string] | test.py:7 | test.py:7:15:7:15 | l |  |  -->  | Taint externally controlled string | test.py:8 | test.py:8:13:8:13 | b |  |
+| Taint [externally controlled string] | test.py:7 | test.py:7:15:7:15 | l |  |  -->  | Taint externally controlled string | test.py:8 | test.py:8:16:8:16 | c |  |
 | Taint [externally controlled string] | test.py:12 | test.py:12:9:12:20 | TAINTED_LIST |  |  -->  | Taint [externally controlled string] | test.py:13 | test.py:13:17:13:17 | l |  |
+| Taint [externally controlled string] | test.py:13 | test.py:13:17:13:17 | l |  |  -->  | Taint externally controlled string | test.py:14 | test.py:14:10:14:10 | a |  |
+| Taint [externally controlled string] | test.py:13 | test.py:13:17:13:17 | l |  |  -->  | Taint externally controlled string | test.py:14 | test.py:14:13:14:13 | b |  |
+| Taint [externally controlled string] | test.py:13 | test.py:13:17:13:17 | l |  |  -->  | Taint externally controlled string | test.py:14 | test.py:14:16:14:16 | c |  |
 | Taint [externally controlled string] | test.py:18 | test.py:18:9:18:20 | TAINTED_LIST |  |  -->  | Taint [externally controlled string] | test.py:19 | test.py:19:11:19:11 | l |  |
 | Taint [externally controlled string] | test.py:18 | test.py:18:9:18:20 | TAINTED_LIST |  |  -->  | Taint [externally controlled string] | test.py:19 | test.py:19:14:19:14 | l |  |
 | Taint [externally controlled string] | test.py:18 | test.py:18:9:18:20 | TAINTED_LIST |  |  -->  | Taint [externally controlled string] | test.py:19 | test.py:19:17:19:17 | l |  |

python/ql/test/library-tests/taint/unpacking/TestTaint.expected

@@ -1,33 +1,33 @@
-| test.py:8 | unpacking | a | NO TAINT |
-| test.py:8 | unpacking | b | NO TAINT |
-| test.py:8 | unpacking | c | NO TAINT |
-| test.py:14 | unpacking_to_list | a | NO TAINT |
-| test.py:14 | unpacking_to_list | b | NO TAINT |
-| test.py:14 | unpacking_to_list | c | NO TAINT |
-| test.py:23 | nested | a1 | NO TAINT |
-| test.py:23 | nested | a2 | NO TAINT |
-| test.py:23 | nested | a3 | NO TAINT |
-| test.py:23 | nested | b | NO TAINT |
-| test.py:23 | nested | c | NO TAINT |
-| test.py:27 | nested | a1 | NO TAINT |
-| test.py:27 | nested | a2 | NO TAINT |
-| test.py:27 | nested | a3 | NO TAINT |
-| test.py:27 | nested | b | NO TAINT |
-| test.py:27 | nested | c | NO TAINT |
-| test.py:31 | nested | a1 | NO TAINT |
-| test.py:31 | nested | a2 | NO TAINT |
-| test.py:31 | nested | a3 | NO TAINT |
-| test.py:31 | nested | b | NO TAINT |
-| test.py:31 | nested | c | NO TAINT |
+| test.py:8 | unpacking | a | externally controlled string |
+| test.py:8 | unpacking | b | externally controlled string |
+| test.py:8 | unpacking | c | externally controlled string |
+| test.py:14 | unpacking_to_list | a | externally controlled string |
+| test.py:14 | unpacking_to_list | b | externally controlled string |
+| test.py:14 | unpacking_to_list | c | externally controlled string |
+| test.py:23 | nested | a1 | externally controlled string |
+| test.py:23 | nested | a2 | externally controlled string |
+| test.py:23 | nested | a3 | externally controlled string |
+| test.py:23 | nested | b | [externally controlled string] |
+| test.py:23 | nested | c | [externally controlled string] |
+| test.py:27 | nested | a1 | externally controlled string |
+| test.py:27 | nested | a2 | externally controlled string |
+| test.py:27 | nested | a3 | externally controlled string |
+| test.py:27 | nested | b | [externally controlled string] |
+| test.py:27 | nested | c | [externally controlled string] |
+| test.py:31 | nested | a1 | externally controlled string |
+| test.py:31 | nested | a2 | externally controlled string |
+| test.py:31 | nested | a3 | externally controlled string |
+| test.py:31 | nested | b | [externally controlled string] |
+| test.py:31 | nested | c | [externally controlled string] |
 | test.py:38 | unpack_from_set | a | NO TAINT |
 | test.py:38 | unpack_from_set | b | NO TAINT |
 | test.py:38 | unpack_from_set | c | NO TAINT |
-| test.py:48 | contrived_1 | a | NO TAINT |
-| test.py:48 | contrived_1 | b | NO TAINT |
-| test.py:48 | contrived_1 | c | NO TAINT |
-| test.py:48 | contrived_1 | d | NO TAINT |
-| test.py:48 | contrived_1 | e | NO TAINT |
-| test.py:48 | contrived_1 | f | NO TAINT |
+| test.py:48 | contrived_1 | a | externally controlled string |
+| test.py:48 | contrived_1 | b | externally controlled string |
+| test.py:48 | contrived_1 | c | externally controlled string |
+| test.py:48 | contrived_1 | d | externally controlled string |
+| test.py:48 | contrived_1 | e | externally controlled string |
+| test.py:48 | contrived_1 | f | externally controlled string |
 | test.py:56 | contrived_2 | a | NO TAINT |
 | test.py:56 | contrived_2 | b | NO TAINT |
 | test.py:56 | contrived_2 | c | NO TAINT |