diff --git a/python/ql/src/semmle/python/dataflow/Configuration.qll b/python/ql/src/semmle/python/dataflow/Configuration.qll index 3b5565dc781..3e1cab4764e 100644 --- a/python/ql/src/semmle/python/dataflow/Configuration.qll +++ b/python/ql/src/semmle/python/dataflow/Configuration.qll @@ -37,13 +37,24 @@ module TaintTracking { * Holds if `source` is a source of taint of `kind` that is relevant * for this configuration. */ - predicate isSource(DataFlow::Node source, TaintKind kind) { none() } + predicate isSource(DataFlow::Node node, TaintKind kind) { + exists(TaintSource source | + this.isSource(source) and + node.asCfgNode() = source and + source.isSourceOf(kind) + ) + } /** * Holds if `sink` is a sink of taint of `kind` that is relevant * for this configuration. */ - predicate isSink(DataFlow::Node sink, TaintKind kind) { none() } + predicate isSink(DataFlow::Node node, TaintKind kind) { + exists(TaintSink sink | + node.asCfgNode() = sink and + sink.sinks(kind) + ) + } /** * Holds if `src -> dest` should be considered as a flow edge @@ -60,12 +71,30 @@ module TaintTracking { predicate isBarrier(DataFlow::Node node) { none() } - predicate isBarrier(DataFlow::Node node, TaintKind kind) { none() } + predicate isBarrier(DataFlow::Node node, TaintKind kind) { + exists(Sanitizer sanitizer | + this.isSanitizer(sanitizer) + | + sanitizer.sanitizingNode(kind, node.asCfgNode()) + or + sanitizer.sanitizingEdge(kind, node.asVariable()) + or + sanitizer.sanitizingSingleEdge(kind, node.asVariable()) + or + sanitizer.sanitizingDefinition(kind, node.asVariable()) + or + exists(MethodCallsiteRefinement call, FunctionObject callee | + call = node.asVariable().getDefinition() and + callee.getACall() = call.getCall() and + sanitizer.sanitizingCall(kind, callee) + ) + ) + } /** * Holds if flow from `src` to `dest` is prohibited. */ - predicate isBarrierEdge(DataFlow::Node src, DataFlow::Node trg) { none() } + predicate isBarrierEdge(DataFlow::Node src, DataFlow::Node dest) { none() } /** * Holds if control flow from `test` along the `isTrue` edge is prohibited. diff --git a/python/ql/src/semmle/python/dataflow/Implementation.qll b/python/ql/src/semmle/python/dataflow/Implementation.qll index b9b8a287804..82adacfe5fe 100644 --- a/python/ql/src/semmle/python/dataflow/Implementation.qll +++ b/python/ql/src/semmle/python/dataflow/Implementation.qll @@ -238,29 +238,13 @@ class TaintTrackingImplementation extends string { predicate flowSource(DataFlow::Node node, TaintTrackingContext context, AttributePath path, TaintKind kind) { context = TNoParam() and path = TNoAttribute() and - ( - this.(TaintTracking::Configuration).isSource(node, kind) - or - exists(TaintSource source | - this.(TaintTracking::Configuration).isSource(source) and - node.asCfgNode() = source and - source.isSourceOf(kind) - ) - ) + this.(TaintTracking::Configuration).isSource(node, kind) } predicate flowSink(DataFlow::Node node, AttributePath path, TaintKind kind) { path = TNoAttribute() and - ( - this.(TaintTracking::Configuration).isSink(node, kind) - or - exists(TaintSink sink | - this.(TaintTracking::Configuration).isSink(sink) and - node.asCfgNode() = sink and - sink.sinks(kind) - ) - ) + this.(TaintTracking::Configuration).isSink(node, kind) } predicate isPathSource(TaintTrackingNode source) { @@ -293,28 +277,6 @@ class TaintTrackingImplementation extends string { ) } - predicate flowBarrier(DataFlow::Node node, TaintKind kind) { - this.(TaintTracking::Configuration).isBarrier(node, kind) - or - exists(Sanitizer sanitizer | - this.(TaintTracking::Configuration).isSanitizer(sanitizer) - | - sanitizer.sanitizingNode(kind, node.asCfgNode()) - or - sanitizer.sanitizingDefinition(kind, node.asVariable().getDefinition()) - or - exists(MethodCallsiteRefinement call, FunctionObject callee | - call = node.asVariable().getDefinition() and - callee.getACall() = call.getCall() and - sanitizer.sanitizingCall(kind, callee) - ) - or - sanitizer.sanitizingEdge(kind, node.asVariable().getDefinition()) - or - sanitizer.sanitizingSingleEdge(kind, node.asVariable().getDefinition()) - ) - } - /** Gets the boolean value that `test` evaluates to when `use` is tainted with `kind` * and `test` and `use` are part of a test in a branch. */ @@ -334,9 +296,14 @@ class TaintTrackingImplementation extends string { Filters::isinstance(test, c, use) and c.pointsTo(cls) | - kind.getType().getASuperType() = cls and result = true + exists(ClassValue scls | + scls = kind.getType() | + scls.getASuperType() = cls and result = true + or + not scls.getASuperType() = cls and result = false + ) or - not kind.getType().getASuperType() = cls and result = false + not exists(kind.getType()) and result = maybe() ) } @@ -379,7 +346,7 @@ class TaintTrackingImplementation extends string { ( not path = TNoAttribute() or - not this.flowBarrier(node, kind) and + not this.(TaintTracking::Configuration).isBarrier(node, kind) and exists(DataFlow::Node srcnode, TaintKind srckind | src = TTaintTrackingNode_(srcnode, _, _, srckind, this) and not this.prunedEdge(srcnode, node, srckind, kind) @@ -687,15 +654,18 @@ class TaintTrackingImplementation extends string { this.taintedExceptionCapture(src, defn, context, path, kind) or this.taintedScopeEntryDefinition(src, defn, context, path, kind) + or + this.taintedWith(src, defn, context, path, kind) } pragma [noinline] predicate taintedPhi(TaintTrackingNode src, PhiFunction defn, TaintTrackingContext context, AttributePath path, TaintKind kind) { - exists(DataFlow::Node srcnode, BasicBlock pred, EssaVariable predvar | + exists(DataFlow::Node srcnode, BasicBlock pred, EssaVariable predvar, DataFlow::Node phi | src = TTaintTrackingNode_(srcnode, context, path, kind, this) and + defn = phi.asVariable().getDefinition() and predvar = defn.getInput(pred) and not pred.unlikelySuccessor(defn.getBasicBlock()) and - not predvar.(DataFlowExtension::DataFlowVariable).prunedSuccessor(defn.getVariable()) and + not this.(TaintTracking::Configuration).isBarrierEdge(srcnode, phi) and srcnode.asVariable() = predvar ) } @@ -791,6 +761,14 @@ class TaintTrackingImplementation extends string { ) } + pragma [noinline] + predicate taintedWith(TaintTrackingNode src, WithDefinition defn, TaintTrackingContext context, AttributePath path, TaintKind kind) { + exists(DataFlow::Node srcnode | + src = TTaintTrackingNode_(srcnode, context, path, kind, this) and + with_flow(_, srcnode.asCfgNode(), defn.getDefiningNode()) + ) + } + predicate moduleAttributeTainted(ModuleValue m, string name, TaintTrackingNode taint) { exists(DataFlow::Node srcnode, EssaVariable var | taint = TTaintTrackingNode_(srcnode, TNoParam(), _, _, this) and @@ -803,6 +781,13 @@ class TaintTrackingImplementation extends string { } +/* Helper predicate for tainted_with */ +private predicate with_flow(With with, ControlFlowNode contextManager, ControlFlowNode var) { + with.getContextExpr() = contextManager.getNode() and + with.getOptionalVars() = var.getNode() and + contextManager.strictlyDominates(var) +} + /* Backwards compatibility with config-less taint-tracking */ private class LegacyConfiguration extends TaintTracking::Configuration { @@ -811,20 +796,14 @@ private class LegacyConfiguration extends TaintTracking::Configuration { this = "Semmle: Internal legacy configuration" } - override predicate isSource(DataFlow::Node source, TaintKind kind) { + override predicate isSource(TaintSource src) { isValid() and - exists(TaintSource src | - source.asCfgNode() = src and - src.isSourceOf(kind) - ) + src = src } - override predicate isSink(DataFlow::Node sink, TaintKind kind) { + override predicate isSink(TaintSink sink) { isValid() and - exists(TaintSink snk | - sink.asCfgNode() = snk and - snk.sinks(kind) - ) + sink = sink } override predicate isSanitizer(Sanitizer sanitizer) { @@ -836,6 +815,45 @@ private class LegacyConfiguration extends TaintTracking::Configuration { not exists(TaintTracking::Configuration config | config != this) } + override predicate isAdditionalFlowStep(DataFlow::Node src, DataFlow::Node dest) { + isValid() and + exists(DataFlowExtension::DataFlowNode legacyExtension | + src.asCfgNode() = legacyExtension + | + dest.asCfgNode() = legacyExtension.getASuccessorNode() + or + dest.asVariable() = legacyExtension.getASuccessorVariable() + or + dest.asCfgNode() = legacyExtension.getAReturnSuccessorNode(_) + or + dest.asCfgNode() = legacyExtension.getACalleeSuccessorNode(_) + ) + } + + override predicate isAdditionalFlowStep(DataFlow::Node src, DataFlow::Node dest, TaintKind srckind, TaintKind destkind) { + isValid() and + exists(DataFlowExtension::DataFlowNode legacyExtension | + src.asCfgNode() = legacyExtension + | + dest.asCfgNode() = legacyExtension.getASuccessorNode(srckind, destkind) + ) + } + + override predicate isBarrierEdge(DataFlow::Node src, DataFlow::Node dest) { + isValid() and + ( + exists(DataFlowExtension::DataFlowVariable legacyExtension | + src.asVariable() = legacyExtension and + legacyExtension.prunedSuccessor(dest.asVariable()) + ) + or + exists(DataFlowExtension::DataFlowNode legacyExtension | + src.asCfgNode() = legacyExtension and + legacyExtension.prunedSuccessor(dest.asCfgNode()) + ) + ) + } + } module Implementation { diff --git a/python/ql/test/library-tests/taint/config/RockPaperScissors.expected b/python/ql/test/library-tests/taint/config/RockPaperScissors.expected index f57d68cdcd2..80bae394e50 100644 --- a/python/ql/test/library-tests/taint/config/RockPaperScissors.expected +++ b/python/ql/test/library-tests/taint/config/RockPaperScissors.expected @@ -72,9 +72,11 @@ edges | test.py:126:13:126:25 | simple.test | test.py:130:21:130:21 | simple.test | | test.py:128:13:128:18 | simple.test | test.py:132:14:132:14 | simple.test | | test.py:155:20:155:38 | simple.test | test.py:156:6:156:11 | simple.test | +| test.py:159:10:159:15 | simple.test | test.py:160:14:160:14 | simple.test | | test.py:163:9:163:14 | simple.test | test.py:165:10:165:10 | simple.test | | test.py:178:9:178:14 | simple.test | test.py:180:14:180:14 | simple.test | | test.py:178:9:178:14 | simple.test | test.py:186:14:186:14 | simple.test | +| test.py:195:9:195:14 | simple.test | test.py:197:14:197:14 | simple.test | | test.py:195:9:195:14 | simple.test | test.py:199:14:199:14 | simple.test | | test.py:208:11:208:18 | sequence of simple.test | test.py:209:14:209:16 | sequence of simple.test | | test.py:208:12:208:17 | simple.test | test.py:208:11:208:18 | sequence of simple.test | diff --git a/python/ql/test/library-tests/taint/config/Simple.expected b/python/ql/test/library-tests/taint/config/Simple.expected index 01248cd330e..6c2b87aa31e 100644 --- a/python/ql/test/library-tests/taint/config/Simple.expected +++ b/python/ql/test/library-tests/taint/config/Simple.expected @@ -72,9 +72,11 @@ edges | test.py:126:13:126:25 | simple.test | test.py:130:21:130:21 | simple.test | | test.py:128:13:128:18 | simple.test | test.py:132:14:132:14 | simple.test | | test.py:155:20:155:38 | simple.test | test.py:156:6:156:11 | simple.test | +| test.py:159:10:159:15 | simple.test | test.py:160:14:160:14 | simple.test | | test.py:163:9:163:14 | simple.test | test.py:165:10:165:10 | simple.test | | test.py:178:9:178:14 | simple.test | test.py:180:14:180:14 | simple.test | | test.py:178:9:178:14 | simple.test | test.py:186:14:186:14 | simple.test | +| test.py:195:9:195:14 | simple.test | test.py:197:14:197:14 | simple.test | | test.py:195:9:195:14 | simple.test | test.py:199:14:199:14 | simple.test | | test.py:208:11:208:18 | sequence of simple.test | test.py:209:14:209:16 | sequence of simple.test | | test.py:208:12:208:17 | simple.test | test.py:208:11:208:18 | sequence of simple.test | @@ -104,8 +106,10 @@ edges | test.py:111:10:111:12 | Attribute | module.py:3:13:3:18 | simple.test | test.py:111:10:111:12 | simple.test | $@ flows to $@. | module.py:3:13:3:18 | SOURCE | simple.test | test.py:111:10:111:12 | Attribute | simple.test | | test.py:132:14:132:14 | t | test.py:128:13:128:18 | simple.test | test.py:132:14:132:14 | simple.test | $@ flows to $@. | test.py:128:13:128:18 | SOURCE | simple.test | test.py:132:14:132:14 | t | simple.test | | test.py:156:6:156:11 | unsafe | module.py:3:13:3:18 | simple.test | test.py:156:6:156:11 | simple.test | $@ flows to $@. | module.py:3:13:3:18 | SOURCE | simple.test | test.py:156:6:156:11 | unsafe | simple.test | +| test.py:160:14:160:14 | t | test.py:159:10:159:15 | simple.test | test.py:160:14:160:14 | simple.test | $@ flows to $@. | test.py:159:10:159:15 | SOURCE | simple.test | test.py:160:14:160:14 | t | simple.test | | test.py:165:10:165:10 | s | test.py:163:9:163:14 | simple.test | test.py:165:10:165:10 | simple.test | $@ flows to $@. | test.py:163:9:163:14 | SOURCE | simple.test | test.py:165:10:165:10 | s | simple.test | | test.py:180:14:180:14 | t | test.py:178:9:178:14 | simple.test | test.py:180:14:180:14 | simple.test | $@ flows to $@. | test.py:178:9:178:14 | SOURCE | simple.test | test.py:180:14:180:14 | t | simple.test | | test.py:186:14:186:14 | t | test.py:178:9:178:14 | simple.test | test.py:186:14:186:14 | simple.test | $@ flows to $@. | test.py:178:9:178:14 | SOURCE | simple.test | test.py:186:14:186:14 | t | simple.test | +| test.py:197:14:197:14 | t | test.py:195:9:195:14 | simple.test | test.py:197:14:197:14 | simple.test | $@ flows to $@. | test.py:195:9:195:14 | SOURCE | simple.test | test.py:197:14:197:14 | t | simple.test | | test.py:199:14:199:14 | t | test.py:195:9:195:14 | simple.test | test.py:199:14:199:14 | simple.test | $@ flows to $@. | test.py:195:9:195:14 | SOURCE | simple.test | test.py:199:14:199:14 | t | simple.test | | test.py:214:14:214:14 | x | test.py:208:12:208:17 | simple.test | test.py:214:14:214:14 | simple.test | $@ flows to $@. | test.py:208:12:208:17 | SOURCE | simple.test | test.py:214:14:214:14 | x | simple.test | diff --git a/python/ql/test/library-tests/taint/config/TestNode.expected b/python/ql/test/library-tests/taint/config/TestNode.expected index cca29b17af2..0ced3ffb426 100644 --- a/python/ql/test/library-tests/taint/config/TestNode.expected +++ b/python/ql/test/library-tests/taint/config/TestNode.expected @@ -268,6 +268,9 @@ | simple.test | test.py:156 | GSSA Variable unsafe | no attribute | | | simple.test | test.py:156 | unsafe | no attribute | | | simple.test | test.py:159 | SOURCE | no attribute | | +| simple.test | test.py:159 | SSA variable t | no attribute | | +| simple.test | test.py:160 | SSA variable t | no attribute | | +| simple.test | test.py:160 | t | no attribute | | | simple.test | test.py:163 | SOURCE | no attribute | | | simple.test | test.py:163 | SSA variable s | no attribute | | | simple.test | test.py:164 | SSA variable s | no attribute | | @@ -289,6 +292,8 @@ | simple.test | test.py:195 | SOURCE | no attribute | | | simple.test | test.py:195 | SSA variable t | no attribute | | | simple.test | test.py:196 | t | no attribute | | +| simple.test | test.py:197 | SSA variable t | no attribute | | +| simple.test | test.py:197 | t | no attribute | | | simple.test | test.py:199 | SSA variable t | no attribute | | | simple.test | test.py:199 | t | no attribute | | | simple.test | test.py:208 | SOURCE | no attribute | | diff --git a/python/ql/test/library-tests/taint/config/TestStep.expected b/python/ql/test/library-tests/taint/config/TestStep.expected index 0579d9bd6ae..1ad4426ca97 100644 --- a/python/ql/test/library-tests/taint/config/TestStep.expected +++ b/python/ql/test/library-tests/taint/config/TestStep.expected @@ -122,6 +122,7 @@ | Simple config: | simple.test | test.py:138 | SOURCE | | --> | simple.test | test.py:140 | t | | | Simple config: | simple.test | test.py:148 | SOURCE | | --> | simple.test | test.py:149 | t | | | Simple config: | simple.test | test.py:155 | ImportMember | | --> | simple.test | test.py:156 | unsafe | | +| Simple config: | simple.test | test.py:159 | SOURCE | | --> | simple.test | test.py:160 | t | | | Simple config: | simple.test | test.py:163 | SOURCE | | --> | simple.test | test.py:164 | s | | | Simple config: | simple.test | test.py:163 | SOURCE | | --> | simple.test | test.py:165 | s | | | Simple config: | simple.test | test.py:168 | SOURCE | | --> | [simple.test] | test.py:168 | List | | @@ -131,6 +132,7 @@ | Simple config: | simple.test | test.py:178 | SOURCE | | --> | simple.test | test.py:183 | t | | | Simple config: | simple.test | test.py:178 | SOURCE | | --> | simple.test | test.py:186 | t | | | Simple config: | simple.test | test.py:195 | SOURCE | | --> | simple.test | test.py:196 | t | | +| Simple config: | simple.test | test.py:195 | SOURCE | | --> | simple.test | test.py:197 | t | | | Simple config: | simple.test | test.py:195 | SOURCE | | --> | simple.test | test.py:199 | t | | | Simple config: | simple.test | test.py:208 | SOURCE | | --> | [simple.test] | test.py:208 | List | | | Simple config: | simple.test | test.py:209 | For | | --> | simple.test | test.py:210 | i | | diff --git a/python/ql/test/library-tests/taint/extensions/TestNode.expected b/python/ql/test/library-tests/taint/extensions/TestNode.expected index 3c0912519d2..71a89d1792c 100644 --- a/python/ql/test/library-tests/taint/extensions/TestNode.expected +++ b/python/ql/test/library-tests/taint/extensions/TestNode.expected @@ -1,8 +1,9 @@ -| Taint simple.test | visitor.py:10 | arg | visitor.py:26 | -| Taint simple.test | visitor.py:13 | arg | visitor.py:26 | -| Taint simple.test | visitor.py:18 | arg | visitor.py:26 | -| Taint simple.test | visitor.py:19 | arg | visitor.py:26 | -| Taint simple.test | visitor.py:21 | arg | visitor.py:26 | +WARNING: Predicate getNode has been deprecated and may be removed in future (TestNode.ql:7,77-84) +| Taint simple.test | visitor.py:10 | arg | p2 = simple.test | +| Taint simple.test | visitor.py:13 | arg | p2 = simple.test | +| Taint simple.test | visitor.py:18 | arg | | +| Taint simple.test | visitor.py:19 | arg | | +| Taint simple.test | visitor.py:21 | arg | | | Taint simple.test | visitor.py:26 | Attribute() | | | Taint simple.test | visitor.py:26 | SOURCE | | | Taint simple.test | visitor.py:27 | x | | diff --git a/python/ql/test/library-tests/taint/extensions/TestNode.ql b/python/ql/test/library-tests/taint/extensions/TestNode.ql index 11f697a8bfe..842c63186ba 100644 --- a/python/ql/test/library-tests/taint/extensions/TestNode.ql +++ b/python/ql/test/library-tests/taint/extensions/TestNode.ql @@ -4,5 +4,5 @@ import ExtensionsLib from TaintedNode n -select n.getTrackedValue(), n.getLocation().toString(), n.getNode().getNode().toString(), n.getContext() +select "Taint " + n.getTaintKind(), n.getLocation().toString(), n.getNode().getNode().toString(), n.getContext() diff --git a/python/ql/test/library-tests/taint/extensions/TestStep.expected b/python/ql/test/library-tests/taint/extensions/TestStep.expected index 382aabc3ae7..da27b3caf9e 100644 --- a/python/ql/test/library-tests/taint/extensions/TestStep.expected +++ b/python/ql/test/library-tests/taint/extensions/TestStep.expected @@ -1,7 +1,9 @@ -| Taint simple.test | visitor.py:10 | arg | visitor.py:26 | --> | Taint simple.test | visitor.py:13 | arg | visitor.py:26 | -| Taint simple.test | visitor.py:18 | arg | visitor.py:26 | --> | Taint simple.test | visitor.py:19 | arg | visitor.py:26 | -| Taint simple.test | visitor.py:19 | arg | visitor.py:26 | --> | Taint simple.test | visitor.py:26 | Attribute() | | +WARNING: Predicate getNode has been deprecated and may be removed in future (TestStep.ql:9,74-81) +WARNING: Predicate getNode has been deprecated and may be removed in future (TestStep.ql:11,74-81) +| Taint simple.test | visitor.py:10 | arg | p2 = simple.test | --> | Taint simple.test | visitor.py:13 | arg | p2 = simple.test | +| Taint simple.test | visitor.py:18 | arg | | --> | Taint simple.test | visitor.py:19 | arg | | +| Taint simple.test | visitor.py:19 | arg | | --> | Taint simple.test | visitor.py:26 | Attribute() | | | Taint simple.test | visitor.py:26 | Attribute() | | --> | Taint simple.test | visitor.py:27 | x | | -| Taint simple.test | visitor.py:26 | SOURCE | | --> | Taint simple.test | visitor.py:10 | arg | visitor.py:26 | -| Taint simple.test | visitor.py:26 | SOURCE | | --> | Taint simple.test | visitor.py:18 | arg | visitor.py:26 | -| Taint simple.test | visitor.py:26 | SOURCE | | --> | Taint simple.test | visitor.py:21 | arg | visitor.py:26 | +| Taint simple.test | visitor.py:26 | SOURCE | | --> | Taint simple.test | visitor.py:10 | arg | p2 = simple.test | +| Taint simple.test | visitor.py:26 | SOURCE | | --> | Taint simple.test | visitor.py:18 | arg | | +| Taint simple.test | visitor.py:26 | SOURCE | | --> | Taint simple.test | visitor.py:21 | arg | | diff --git a/python/ql/test/library-tests/taint/extensions/TestStep.ql b/python/ql/test/library-tests/taint/extensions/TestStep.ql index 4623101a957..95003b44270 100644 --- a/python/ql/test/library-tests/taint/extensions/TestStep.ql +++ b/python/ql/test/library-tests/taint/extensions/TestStep.ql @@ -6,6 +6,6 @@ import ExtensionsLib from TaintedNode n, TaintedNode s where s = n.getASuccessor() select - n.getTrackedValue(), n.getLocation().toString(), n.getNode().getNode().toString(), n.getContext(), + "Taint " + n.getTaintKind(), n.getLocation().toString(), n.getNode().getNode().toString(), n.getContext(), " --> ", - s.getTrackedValue(), s.getLocation().toString(), s.getNode().getNode().toString(), s.getContext() + "Taint " + s.getTaintKind(), s.getLocation().toString(), s.getNode().getNode().toString(), s.getContext() diff --git a/python/ql/test/library-tests/taint/general/ParamSource.expected b/python/ql/test/library-tests/taint/general/ParamSource.expected index 63154e3dce6..4a480090358 100644 --- a/python/ql/test/library-tests/taint/general/ParamSource.expected +++ b/python/ql/test/library-tests/taint/general/ParamSource.expected @@ -1,5 +1,3 @@ -| test | carrier.py:4 | 18 | Attribute | test | -| test | carrier.py:4 | 26 | Attribute() | test | | test | test.py:12 | 13 | arg | test | | test | test.py:46 | 13 | arg | test | | test | test.py:49 | 13 | arg | test | diff --git a/python/ql/test/library-tests/taint/general/TaintLib.qll b/python/ql/test/library-tests/taint/general/TaintLib.qll index 7cb7788b07b..b3984b32976 100644 --- a/python/ql/test/library-tests/taint/general/TaintLib.qll +++ b/python/ql/test/library-tests/taint/general/TaintLib.qll @@ -50,6 +50,13 @@ class SimpleSanitizer extends Sanitizer { taint instanceof SimpleTest } + override predicate sanitizingDefinition(TaintKind taint, EssaDefinition def) { + exists(CallNode call | + def.(ArgumentRefinement).getInput().getAUse() = call.getAnArg() and + call.getFunction().(NameNode).getId() = "SANITIZE" + ) and + taint instanceof SimpleTest + } } class BasicCustomTaint extends TaintKind { diff --git a/python/ql/test/library-tests/taint/general/TaintSanity.ql b/python/ql/test/library-tests/taint/general/TaintSanity.ql index 394c39ce491..ddfa5a3af32 100644 --- a/python/ql/test/library-tests/taint/general/TaintSanity.ql +++ b/python/ql/test/library-tests/taint/general/TaintSanity.ql @@ -1,26 +1,26 @@ import python -import semmle.python.security.TaintTest +import semmle.python.dataflow.TaintTracking +import semmle.python.dataflow.Implementation import TaintLib -from TaintFlowTest::TrackedValue taint, CallContext c, ControlFlowNode n, string what +from TaintKind taint, TaintTrackingContext c, DataFlow::Node n, string what, TaintTrackingImplementation impl where -not exists(TaintedNode t | t.getTrackedValue() = taint and t.getNode() = n and t.getContext() = c) and +not exists(TaintedNode t | t.getTaintKind() = taint and t.getNode() = n and t.getContext() = c) and ( - TaintFlowTest::step(_, taint, c, n) and what = "missing node at end of step" + impl.flowStep(_, n, c, _, taint, _) and what = "missing node at end of step" or - n.(TaintSource).isSourceOf(taint.(TaintFlowTest::TrackedTaint).getKind(), c) and what = "missing node for source" - + impl.flowSource(n, c, _, taint) and what = "missing node for source" ) or -exists(TaintedNode t | t.getTrackedValue() = taint and t.getNode() = n and t.getContext() = c +exists(TaintedNode t | t.getTaintKind() = taint and t.getNode() = n and t.getContext() = c | - not TaintFlowTest::step(_, taint, c, n) and - not n.(TaintSource).isSourceOf(taint.(TaintFlowTest::TrackedTaint).getKind(), c) and what = "TaintedNode with no reason" + not impl.flowStep(_, n, c, _, taint, _) and + not impl.flowSource(n, c, _, taint) and what = "TaintedNode with no reason" or - TaintFlowTest::step(t, taint, c, n) and what = "step ends where it starts" + impl.flowStep(t, n, c, _, taint, _) and what = "step ends where it starts" or - TaintFlowTest::step(t, _, _, _) and not TaintFlowTest::step(_, taint, c, n) and - not n.(TaintSource).isSourceOf(taint.(TaintFlowTest::TrackedTaint).getKind(), c) and what = "No predecessor and not a source" + impl.flowStep(t, _, _, _, _, _) and not impl.flowStep(_, n, c, _, taint, _) and + not impl.flowSource(n, c, _, taint) and what = "No predecessor and not a source" ) select n.getLocation(), taint, c, n.toString(), what diff --git a/python/ql/test/library-tests/taint/general/TestDefn.expected b/python/ql/test/library-tests/taint/general/TestDefn.expected index 6f2d60df012..d043238382c 100644 --- a/python/ql/test/library-tests/taint/general/TestDefn.expected +++ b/python/ql/test/library-tests/taint/general/TestDefn.expected @@ -59,9 +59,15 @@ | test.py:76 | SOURCE | test.py:76 | Taint simple.test | t | | test.py:77 | hub() | test.py:77 | Taint simple.test | t | | test.py:85 | ImportExpr | test.py:85 | Taint .dangerous = simple.test | module | +| test.py:87 | ScopeEntryDefinition | test.py:87 | Taint .dangerous = simple.test | Function test13 | | test.py:88 | Attribute | test.py:88 | Taint simple.test | t | +| test.py:91 | ScopeEntryDefinition | test.py:91 | Taint .dangerous = simple.test | Function test14 | +| test.py:95 | ScopeEntryDefinition | test.py:95 | Taint .dangerous = simple.test | Function test15 | +| test.py:99 | ScopeEntryDefinition | test.py:99 | Taint .dangerous = simple.test | Function test16 | | test.py:100 | Attribute() | test.py:100 | Taint simple.test | t | | test.py:105 | ParameterDefinition | test.py:105 | Taint .x = simple.test | arg | +| test.py:108 | ScopeEntryDefinition | test.py:108 | Taint .dangerous = simple.test | Function test17 | +| test.py:113 | ScopeEntryDefinition | test.py:113 | Taint .dangerous = simple.test | Function test18 | | test.py:116 | hub() | test.py:116 | Taint .x = simple.test | t | | test.py:120 | CUSTOM_SOURCE | test.py:120 | Taint basic.custom | t | | test.py:121 | hub() | test.py:121 | Taint basic.custom | t | @@ -73,6 +79,7 @@ | test.py:148 | SOURCE | test.py:148 | Taint simple.test | t | | test.py:149 | TAINT_FROM_ARG() | test.py:149 | Taint basic.custom | t | | test.py:155 | ImportMember | test.py:155 | Taint simple.test | unsafe | +| test.py:159 | with | test.py:159 | Taint simple.test | t | | test.py:163 | SOURCE | test.py:163 | Taint simple.test | s | | test.py:168 | List | test.py:168 | Taint sequence of simple.test | l | | test.py:169 | Dict | test.py:169 | Taint dict of simple.test | d | diff --git a/python/ql/test/library-tests/taint/general/TestSink.expected b/python/ql/test/library-tests/taint/general/TestSink.expected index 4ae2eb46b36..d9b4c3679fe 100644 --- a/python/ql/test/library-tests/taint/general/TestSink.expected +++ b/python/ql/test/library-tests/taint/general/TestSink.expected @@ -14,6 +14,7 @@ | rock | rockpaperscissors.py:24 | 26 | y | paper | | scissors | rockpaperscissors.py:13 | 13 | SCISSORS | scissors | | simple.test | carrier.py:17 | 18 | Attribute | simple.test | +| simple.test | carrier.py:25 | 26 | Attribute() | simple.test | | simple.test | module.py:3 | 89 | t | simple.test | | simple.test | module.py:3 | 106 | Attribute | simple.test | | simple.test | module.py:3 | 111 | Attribute | simple.test | diff --git a/python/ql/test/library-tests/taint/general/TestStep.expected b/python/ql/test/library-tests/taint/general/TestStep.expected index 0f39dbac5a1..5c72b522a5c 100644 --- a/python/ql/test/library-tests/taint/general/TestStep.expected +++ b/python/ql/test/library-tests/taint/general/TestStep.expected @@ -3,22 +3,29 @@ | .attr = simple.test | carrier.py:10 | self | p0.attr = simple.test | --> | .attr = simple.test | carrier.py:11 | self | p0.attr = simple.test | | .attr = simple.test | carrier.py:11 | self | p0.attr = simple.test | --> | simple.test | carrier.py:11 | Attribute | p0.attr = simple.test | | .attr = simple.test | carrier.py:13 | arg | p0.attr = simple.test | --> | .attr = simple.test | carrier.py:14 | arg | p0.attr = simple.test | -| .attr = simple.test | carrier.py:14 | arg | p0.attr = simple.test | --> | .attr = simple.test | carrier.py:25 | hub() | | | .attr = simple.test | carrier.py:17 | ImplicitCarrier() | | --> | .attr = simple.test | carrier.py:18 | c | | | .attr = simple.test | carrier.py:18 | c | | --> | simple.test | carrier.py:18 | Attribute | | | .attr = simple.test | carrier.py:25 | ImplicitCarrier() | | --> | .attr = simple.test | carrier.py:13 | arg | p0.attr = simple.test | +| .attr = simple.test | carrier.py:25 | ImplicitCarrier() | | --> | .attr = simple.test | carrier.py:25 | hub() | | | .attr = simple.test | carrier.py:25 | hub() | | --> | .attr = simple.test | carrier.py:26 | c | | | .attr = simple.test | carrier.py:26 | c | | --> | .attr = simple.test | carrier.py:10 | self | p0.attr = simple.test | +| .attr = simple.test | carrier.py:26 | c | | --> | simple.test | carrier.py:26 | Attribute() | | +| .dangerous = simple.test | test.py:85 | ImportExpr | | --> | .dangerous = simple.test | test.py:88 | module | | +| .dangerous = simple.test | test.py:85 | ImportExpr | | --> | .dangerous = simple.test | test.py:92 | module | | +| .dangerous = simple.test | test.py:85 | ImportExpr | | --> | .dangerous = simple.test | test.py:96 | module | | +| .dangerous = simple.test | test.py:85 | ImportExpr | | --> | .dangerous = simple.test | test.py:100 | module | | +| .dangerous = simple.test | test.py:85 | ImportExpr | | --> | .dangerous = simple.test | test.py:110 | module | | +| .dangerous = simple.test | test.py:85 | ImportExpr | | --> | .dangerous = simple.test | test.py:115 | module | | | .dangerous = simple.test | test.py:88 | module | | --> | simple.test | test.py:88 | Attribute | | | .dangerous = simple.test | test.py:110 | module | | --> | simple.test | test.py:110 | Attribute | | | .dangerous = simple.test | test.py:115 | module | | --> | simple.test | test.py:115 | Attribute | | | .x = simple.test | test.py:72 | arg | p0.x = simple.test | --> | .x = simple.test | test.py:73 | arg | p0.x = simple.test | -| .x = simple.test | test.py:73 | arg | p0.x = simple.test | --> | .x = simple.test | test.py:116 | hub() | | | .x = simple.test | test.py:105 | arg | p0.x = simple.test | --> | .x = simple.test | test.py:106 | arg | p0.x = simple.test | | .x = simple.test | test.py:106 | arg | p0.x = simple.test | --> | simple.test | test.py:106 | Attribute | p0.x = simple.test | | .x = simple.test | test.py:111 | t | | --> | simple.test | test.py:111 | Attribute | | | .x = simple.test | test.py:116 | hub() | | --> | .x = simple.test | test.py:117 | t | | | .x = simple.test | test.py:116 | t | | --> | .x = simple.test | test.py:72 | arg | p0.x = simple.test | +| .x = simple.test | test.py:116 | t | | --> | .x = simple.test | test.py:116 | hub() | | | .x = simple.test | test.py:117 | t | | --> | .x = simple.test | test.py:105 | arg | p0.x = simple.test | | Command injection | sanitizer.py:9 | user_input() | | --> | Command injection | sanitizer.py:10 | x | | | Command injection | sanitizer.py:9 | user_input() | | --> | Command injection | sanitizer.py:11 | x | | @@ -47,9 +54,9 @@ | SQL injection | sanitizer.py:31 | user_input() | | --> | SQL injection | sanitizer.py:33 | x | | | SQL injection | sanitizer.py:31 | user_input() | | --> | SQL injection | sanitizer.py:35 | x | | | basic.custom | test.py:72 | arg | p0 = basic.custom | --> | basic.custom | test.py:73 | arg | p0 = basic.custom | -| basic.custom | test.py:73 | arg | p0 = basic.custom | --> | basic.custom | test.py:121 | hub() | | | basic.custom | test.py:120 | CUSTOM_SOURCE | | --> | basic.custom | test.py:121 | t | | | basic.custom | test.py:121 | TAINT_FROM_ARG() | | --> | basic.custom | test.py:72 | arg | p0 = basic.custom | +| basic.custom | test.py:121 | TAINT_FROM_ARG() | | --> | basic.custom | test.py:121 | hub() | | | basic.custom | test.py:121 | hub() | | --> | basic.custom | test.py:122 | t | | | basic.custom | test.py:121 | t | | --> | basic.custom | test.py:121 | TAINT_FROM_ARG() | | | basic.custom | test.py:126 | CUSTOM_SOURCE | | --> | basic.custom | test.py:130 | t | | @@ -59,16 +66,19 @@ | basic.custom | test.py:149 | t | | --> | basic.custom | test.py:149 | TAINT_FROM_ARG() | | | dict of simple.test | test.py:169 | Dict | | --> | dict of simple.test | test.py:171 | d | | | dict of simple.test | test.py:169 | Dict | | --> | dict of simple.test | test.py:175 | d | | +| dict of simple.test | test.py:171 | SSA variable y | | --> | dict of simple.test | test.py:173 | y | | +| dict of simple.test | test.py:171 | d | | --> | dict of simple.test | test.py:171 | SSA variable y | | +| dict of simple.test | test.py:173 | y | | --> | simple.test | test.py:173 | Subscript | | | dict of simple.test | test.py:175 | d | | --> | dict of simple.test | test.py:175 | dict() | | | explicit.carrier | carrier.py:4 | arg | p1 = explicit.carrier | --> | explicit.carrier | carrier.py:5 | arg | p1 = explicit.carrier | -| explicit.carrier | carrier.py:5 | arg | p1 = explicit.carrier | --> | .attr = explicit.carrier | carrier.py:33 | ImplicitCarrier() | | | explicit.carrier | carrier.py:13 | arg | p0 = explicit.carrier | --> | explicit.carrier | carrier.py:14 | arg | p0 = explicit.carrier | -| explicit.carrier | carrier.py:14 | arg | p0 = explicit.carrier | --> | explicit.carrier | carrier.py:29 | hub() | | | explicit.carrier | carrier.py:21 | TAINT_CARRIER_SOURCE | | --> | explicit.carrier | carrier.py:22 | c | | | explicit.carrier | carrier.py:22 | c | | --> | simple.test | carrier.py:22 | Attribute() | | | explicit.carrier | carrier.py:29 | TAINT_CARRIER_SOURCE | | --> | explicit.carrier | carrier.py:13 | arg | p0 = explicit.carrier | +| explicit.carrier | carrier.py:29 | TAINT_CARRIER_SOURCE | | --> | explicit.carrier | carrier.py:29 | hub() | | | explicit.carrier | carrier.py:29 | hub() | | --> | explicit.carrier | carrier.py:30 | c | | | explicit.carrier | carrier.py:30 | c | | --> | simple.test | carrier.py:30 | Attribute() | | +| explicit.carrier | carrier.py:33 | TAINT_CARRIER_SOURCE | | --> | .attr = explicit.carrier | carrier.py:33 | ImplicitCarrier() | | | explicit.carrier | carrier.py:33 | TAINT_CARRIER_SOURCE | | --> | explicit.carrier | carrier.py:4 | arg | p1 = explicit.carrier | | explicit.carrier | carrier.py:34 | Attribute | | --> | explicit.carrier | carrier.py:35 | x | | | explicit.carrier | carrier.py:35 | x | | --> | simple.test | carrier.py:35 | Attribute() | | @@ -95,34 +105,36 @@ | scissors | rockpaperscissors.py:31 | x | | --> | scissors | rockpaperscissors.py:6 | arg | p0 = scissors | | sequence of simple.test | test.py:168 | List | | --> | sequence of simple.test | test.py:170 | l | | | sequence of simple.test | test.py:168 | List | | --> | sequence of simple.test | test.py:174 | l | | +| sequence of simple.test | test.py:170 | SSA variable x | | --> | sequence of simple.test | test.py:172 | x | | +| sequence of simple.test | test.py:170 | l | | --> | sequence of simple.test | test.py:170 | SSA variable x | | +| sequence of simple.test | test.py:172 | x | | --> | simple.test | test.py:172 | Subscript | | | sequence of simple.test | test.py:174 | l | | --> | sequence of simple.test | test.py:174 | list() | | | sequence of simple.test | test.py:208 | List | | --> | sequence of simple.test | test.py:209 | seq | | | sequence of simple.test | test.py:209 | seq | | --> | simple.test | test.py:209 | For | | | sequence of simple.test | test.py:213 | flow_in_generator() | | --> | simple.test | test.py:213 | For | | | simple.test | carrier.py:4 | arg | p1 = simple.test | --> | simple.test | carrier.py:5 | arg | p1 = simple.test | -| simple.test | carrier.py:5 | arg | p1 = simple.test | --> | .attr = simple.test | carrier.py:17 | ImplicitCarrier() | | -| simple.test | carrier.py:5 | arg | p1 = simple.test | --> | .attr = simple.test | carrier.py:25 | ImplicitCarrier() | | -| simple.test | carrier.py:11 | Attribute | p0.attr = simple.test | --> | simple.test | carrier.py:26 | Attribute() | | +| simple.test | carrier.py:17 | SOURCE | | --> | .attr = simple.test | carrier.py:17 | ImplicitCarrier() | | | simple.test | carrier.py:17 | SOURCE | | --> | simple.test | carrier.py:4 | arg | p1 = simple.test | +| simple.test | carrier.py:25 | SOURCE | | --> | .attr = simple.test | carrier.py:25 | ImplicitCarrier() | | | simple.test | carrier.py:25 | SOURCE | | --> | simple.test | carrier.py:4 | arg | p1 = simple.test | | simple.test | deep.py:2 | arg | p0 = simple.test | --> | simple.test | deep.py:3 | arg | p0 = simple.test | -| simple.test | deep.py:3 | arg | p0 = simple.test | --> | simple.test | deep.py:6 | f1() | p0 = simple.test | | simple.test | deep.py:5 | arg | p0 = simple.test | --> | simple.test | deep.py:6 | arg | p0 = simple.test | | simple.test | deep.py:6 | arg | p0 = simple.test | --> | simple.test | deep.py:2 | arg | p0 = simple.test | -| simple.test | deep.py:6 | f1() | p0 = simple.test | --> | simple.test | deep.py:9 | f2() | p0 = simple.test | +| simple.test | deep.py:6 | arg | p0 = simple.test | --> | simple.test | deep.py:6 | f1() | p0 = simple.test | | simple.test | deep.py:8 | arg | p0 = simple.test | --> | simple.test | deep.py:9 | arg | p0 = simple.test | | simple.test | deep.py:9 | arg | p0 = simple.test | --> | simple.test | deep.py:5 | arg | p0 = simple.test | -| simple.test | deep.py:9 | f2() | p0 = simple.test | --> | simple.test | deep.py:12 | f3() | p0 = simple.test | +| simple.test | deep.py:9 | arg | p0 = simple.test | --> | simple.test | deep.py:9 | f2() | p0 = simple.test | | simple.test | deep.py:11 | arg | p0 = simple.test | --> | simple.test | deep.py:12 | arg | p0 = simple.test | | simple.test | deep.py:12 | arg | p0 = simple.test | --> | simple.test | deep.py:8 | arg | p0 = simple.test | -| simple.test | deep.py:12 | f3() | p0 = simple.test | --> | simple.test | deep.py:15 | f4() | p0 = simple.test | +| simple.test | deep.py:12 | arg | p0 = simple.test | --> | simple.test | deep.py:12 | f3() | p0 = simple.test | | simple.test | deep.py:14 | arg | p0 = simple.test | --> | simple.test | deep.py:15 | arg | p0 = simple.test | | simple.test | deep.py:15 | arg | p0 = simple.test | --> | simple.test | deep.py:11 | arg | p0 = simple.test | -| simple.test | deep.py:15 | f4() | p0 = simple.test | --> | simple.test | deep.py:18 | f5() | p0 = simple.test | +| simple.test | deep.py:15 | arg | p0 = simple.test | --> | simple.test | deep.py:15 | f4() | p0 = simple.test | | simple.test | deep.py:17 | arg | p0 = simple.test | --> | simple.test | deep.py:18 | arg | p0 = simple.test | | simple.test | deep.py:18 | arg | p0 = simple.test | --> | simple.test | deep.py:14 | arg | p0 = simple.test | -| simple.test | deep.py:18 | f5() | p0 = simple.test | --> | simple.test | deep.py:20 | f6() | | +| simple.test | deep.py:18 | arg | p0 = simple.test | --> | simple.test | deep.py:18 | f5() | p0 = simple.test | | simple.test | deep.py:20 | SOURCE | | --> | simple.test | deep.py:17 | arg | p0 = simple.test | +| simple.test | deep.py:20 | SOURCE | | --> | simple.test | deep.py:20 | f6() | | | simple.test | deep.py:20 | f6() | | --> | simple.test | deep.py:22 | x | | | simple.test | module.py:3 | SOURCE | | --> | .dangerous = simple.test | test.py:85 | ImportExpr | | | simple.test | module.py:3 | SOURCE | | --> | .dangerous = simple.test | test.py:88 | module | | @@ -157,10 +169,10 @@ | simple.test | test.py:67 | SOURCE | | --> | simple.test | test.py:70 | t | | | simple.test | test.py:70 | t | | --> | simple.test | test.py:49 | arg | p1 = simple.test | | simple.test | test.py:72 | arg | p0 = simple.test | --> | simple.test | test.py:73 | arg | p0 = simple.test | -| simple.test | test.py:73 | arg | p0 = simple.test | --> | simple.test | test.py:77 | hub() | | | simple.test | test.py:76 | SOURCE | | --> | simple.test | test.py:77 | t | | | simple.test | test.py:77 | hub() | | --> | simple.test | test.py:78 | t | | | simple.test | test.py:77 | t | | --> | simple.test | test.py:72 | arg | p0 = simple.test | +| simple.test | test.py:77 | t | | --> | simple.test | test.py:77 | hub() | | | simple.test | test.py:88 | Attribute | | --> | simple.test | test.py:89 | t | | | simple.test | test.py:100 | Attribute() | | --> | simple.test | test.py:101 | t | | | simple.test | test.py:110 | Attribute | | --> | .x = simple.test | test.py:111 | t | | @@ -169,8 +181,8 @@ | simple.test | test.py:138 | SOURCE | | --> | simple.test | test.py:140 | t | | | simple.test | test.py:148 | SOURCE | | --> | simple.test | test.py:149 | t | | | simple.test | test.py:155 | ImportMember | | --> | simple.test | test.py:156 | unsafe | | +| simple.test | test.py:159 | SOURCE | | --> | simple.test | test.py:160 | t | | | simple.test | test.py:163 | SOURCE | | --> | simple.test | test.py:164 | s | | -| simple.test | test.py:163 | SOURCE | | --> | simple.test | test.py:165 | s | | | simple.test | test.py:168 | SOURCE | | --> | sequence of simple.test | test.py:168 | List | | | simple.test | test.py:169 | SOURCE | | --> | dict of simple.test | test.py:169 | Dict | | | simple.test | test.py:178 | SOURCE | | --> | simple.test | test.py:179 | t | | @@ -178,6 +190,7 @@ | simple.test | test.py:178 | SOURCE | | --> | simple.test | test.py:183 | t | | | simple.test | test.py:178 | SOURCE | | --> | simple.test | test.py:186 | t | | | simple.test | test.py:195 | SOURCE | | --> | simple.test | test.py:196 | t | | +| simple.test | test.py:195 | SOURCE | | --> | simple.test | test.py:197 | t | | | simple.test | test.py:195 | SOURCE | | --> | simple.test | test.py:199 | t | | | simple.test | test.py:203 | For | | --> | simple.test | test.py:204 | i | | | simple.test | test.py:203 | For | | --> | simple.test | test.py:205 | i | | diff --git a/python/ql/test/library-tests/taint/general/TestVar.expected b/python/ql/test/library-tests/taint/general/TestVar.expected index 30f0f2759f3..db84a3cdf79 100644 --- a/python/ql/test/library-tests/taint/general/TestVar.expected +++ b/python/ql/test/library-tests/taint/general/TestVar.expected @@ -1,193 +1,195 @@ -| carrier.py:4 | arg_0 | carrier.py:4 | Taint explicit.carrier | arg | -| carrier.py:4 | arg_0 | carrier.py:4 | Taint simple.test | arg | -| carrier.py:5 | self_1 | carrier.py:5 | Attribute 'attr' taint explicit.carrier | self | -| carrier.py:5 | self_1 | carrier.py:5 | Attribute 'attr' taint simple.test | self | -| carrier.py:13 | arg_0 | carrier.py:13 | Attribute 'attr' taint simple.test | arg | -| carrier.py:13 | arg_0 | carrier.py:13 | Taint explicit.carrier | arg | -| carrier.py:17 | c_0 | carrier.py:17 | Attribute 'attr' taint simple.test | ImplicitCarrier() | -| carrier.py:21 | c_0 | carrier.py:21 | Taint explicit.carrier | TAINT_CARRIER_SOURCE | -| carrier.py:22 | c_1 | carrier.py:21 | Taint explicit.carrier | TAINT_CARRIER_SOURCE | -| carrier.py:25 | c_0 | carrier.py:25 | Attribute 'attr' taint simple.test | hub() | -| carrier.py:29 | c_0 | carrier.py:29 | Taint explicit.carrier | hub() | -| carrier.py:30 | c_1 | carrier.py:29 | Taint explicit.carrier | hub() | -| carrier.py:33 | c_0 | carrier.py:33 | Attribute 'attr' taint explicit.carrier | ImplicitCarrier() | -| carrier.py:34 | x_0 | carrier.py:34 | Taint explicit.carrier | Attribute | -| carrier.py:35 | x_1 | carrier.py:34 | Taint explicit.carrier | Attribute | -| deep.py:2 | arg_0 | deep.py:2 | Taint simple.test | arg | -| deep.py:5 | arg_0 | deep.py:5 | Taint simple.test | arg | -| deep.py:6 | arg_1 | deep.py:5 | Taint simple.test | arg | -| deep.py:8 | arg_0 | deep.py:8 | Taint simple.test | arg | -| deep.py:9 | arg_1 | deep.py:8 | Taint simple.test | arg | -| deep.py:11 | arg_0 | deep.py:11 | Taint simple.test | arg | -| deep.py:12 | arg_1 | deep.py:11 | Taint simple.test | arg | -| deep.py:14 | arg_0 | deep.py:14 | Taint simple.test | arg | -| deep.py:15 | arg_1 | deep.py:14 | Taint simple.test | arg | -| deep.py:17 | arg_0 | deep.py:17 | Taint simple.test | arg | -| deep.py:18 | arg_1 | deep.py:17 | Taint simple.test | arg | -| deep.py:20 | x_1 | deep.py:20 | Taint simple.test | f6() | -| module.py:3 | dangerous_0 | module.py:3 | Taint simple.test | SOURCE | -| rockpaperscissors.py:3 | arg_0 | rockpaperscissors.py:3 | Taint scissors | arg | -| rockpaperscissors.py:6 | arg_0 | rockpaperscissors.py:6 | Taint paper | arg | -| rockpaperscissors.py:6 | arg_0 | rockpaperscissors.py:6 | Taint rock | arg | -| rockpaperscissors.py:6 | arg_0 | rockpaperscissors.py:6 | Taint scissors | arg | -| rockpaperscissors.py:9 | arg_0 | rockpaperscissors.py:9 | Taint paper | arg | -| rockpaperscissors.py:9 | arg_0 | rockpaperscissors.py:9 | Taint scissors | arg | -| rockpaperscissors.py:19 | x_0 | rockpaperscissors.py:19 | Taint rock | ROCK | -| rockpaperscissors.py:20 | x_1 | rockpaperscissors.py:19 | Taint rock | ROCK | -| rockpaperscissors.py:20 | y_0 | rockpaperscissors.py:20 | Taint scissors | Attribute() | -| rockpaperscissors.py:21 | y_1 | rockpaperscissors.py:20 | Taint scissors | Attribute() | -| rockpaperscissors.py:24 | x_0 | rockpaperscissors.py:24 | Taint rock | ROCK | -| rockpaperscissors.py:25 | x_1 | rockpaperscissors.py:24 | Taint rock | ROCK | -| rockpaperscissors.py:25 | y_0 | rockpaperscissors.py:25 | Taint paper | Attribute() | -| rockpaperscissors.py:26 | y_1 | rockpaperscissors.py:25 | Taint paper | Attribute() | -| rockpaperscissors.py:29 | x_0 | rockpaperscissors.py:29 | Taint scissors | SCISSORS | -| rockpaperscissors.py:30 | x_1 | rockpaperscissors.py:29 | Taint scissors | SCISSORS | -| rockpaperscissors.py:30 | y_0 | rockpaperscissors.py:30 | Taint paper | Attribute() | -| rockpaperscissors.py:31 | x_2 | rockpaperscissors.py:29 | Taint scissors | SCISSORS | -| rockpaperscissors.py:32 | y_1 | rockpaperscissors.py:30 | Taint paper | Attribute() | -| sanitizer.py:3 | arg_0 | sanitizer.py:3 | Taint Command injection | arg | -| sanitizer.py:3 | arg_0 | sanitizer.py:3 | Taint SQL injection | arg | -| sanitizer.py:5 | arg_0 | sanitizer.py:5 | Taint Command injection | arg | -| sanitizer.py:5 | arg_0 | sanitizer.py:5 | Taint SQL injection | arg | -| sanitizer.py:8 | x_5 | sanitizer.py:9 | Taint Command injection | user_input() | -| sanitizer.py:8 | x_5 | sanitizer.py:9 | Taint SQL injection | user_input() | -| sanitizer.py:9 | x_0 | sanitizer.py:9 | Taint Command injection | user_input() | -| sanitizer.py:9 | x_0 | sanitizer.py:9 | Taint SQL injection | user_input() | -| sanitizer.py:11 | x_1 | sanitizer.py:9 | Taint Command injection | user_input() | -| sanitizer.py:11 | x_2 | sanitizer.py:9 | Taint Command injection | user_input() | -| sanitizer.py:13 | x_3 | sanitizer.py:9 | Taint Command injection | user_input() | -| sanitizer.py:13 | x_3 | sanitizer.py:9 | Taint SQL injection | user_input() | -| sanitizer.py:13 | x_4 | sanitizer.py:9 | Taint Command injection | user_input() | -| sanitizer.py:13 | x_4 | sanitizer.py:9 | Taint SQL injection | user_input() | -| sanitizer.py:15 | x_5 | sanitizer.py:16 | Taint Command injection | user_input() | -| sanitizer.py:15 | x_5 | sanitizer.py:16 | Taint SQL injection | user_input() | -| sanitizer.py:16 | x_0 | sanitizer.py:16 | Taint Command injection | user_input() | -| sanitizer.py:16 | x_0 | sanitizer.py:16 | Taint SQL injection | user_input() | -| sanitizer.py:18 | x_1 | sanitizer.py:16 | Taint SQL injection | user_input() | -| sanitizer.py:18 | x_2 | sanitizer.py:16 | Taint SQL injection | user_input() | -| sanitizer.py:20 | x_3 | sanitizer.py:16 | Taint Command injection | user_input() | -| sanitizer.py:20 | x_3 | sanitizer.py:16 | Taint SQL injection | user_input() | -| sanitizer.py:20 | x_4 | sanitizer.py:16 | Taint Command injection | user_input() | -| sanitizer.py:20 | x_4 | sanitizer.py:16 | Taint SQL injection | user_input() | -| sanitizer.py:23 | x_5 | sanitizer.py:24 | Taint Command injection | user_input() | -| sanitizer.py:23 | x_5 | sanitizer.py:24 | Taint SQL injection | user_input() | -| sanitizer.py:24 | x_0 | sanitizer.py:24 | Taint Command injection | user_input() | -| sanitizer.py:24 | x_0 | sanitizer.py:24 | Taint SQL injection | user_input() | -| sanitizer.py:26 | x_1 | sanitizer.py:24 | Taint Command injection | user_input() | -| sanitizer.py:26 | x_1 | sanitizer.py:24 | Taint SQL injection | user_input() | -| sanitizer.py:26 | x_2 | sanitizer.py:24 | Taint Command injection | user_input() | -| sanitizer.py:26 | x_2 | sanitizer.py:24 | Taint SQL injection | user_input() | -| sanitizer.py:28 | x_3 | sanitizer.py:24 | Taint Command injection | user_input() | -| sanitizer.py:28 | x_3 | sanitizer.py:24 | Taint SQL injection | user_input() | -| sanitizer.py:28 | x_4 | sanitizer.py:24 | Taint Command injection | user_input() | -| sanitizer.py:28 | x_4 | sanitizer.py:24 | Taint SQL injection | user_input() | -| sanitizer.py:30 | x_5 | sanitizer.py:31 | Taint Command injection | user_input() | -| sanitizer.py:30 | x_5 | sanitizer.py:31 | Taint SQL injection | user_input() | -| sanitizer.py:31 | x_0 | sanitizer.py:31 | Taint Command injection | user_input() | -| sanitizer.py:31 | x_0 | sanitizer.py:31 | Taint SQL injection | user_input() | -| sanitizer.py:33 | x_1 | sanitizer.py:31 | Taint Command injection | user_input() | -| sanitizer.py:33 | x_1 | sanitizer.py:31 | Taint SQL injection | user_input() | -| sanitizer.py:33 | x_2 | sanitizer.py:31 | Taint Command injection | user_input() | -| sanitizer.py:33 | x_2 | sanitizer.py:31 | Taint SQL injection | user_input() | -| sanitizer.py:35 | x_3 | sanitizer.py:31 | Taint Command injection | user_input() | -| sanitizer.py:35 | x_3 | sanitizer.py:31 | Taint SQL injection | user_input() | -| sanitizer.py:35 | x_4 | sanitizer.py:31 | Taint Command injection | user_input() | -| sanitizer.py:35 | x_4 | sanitizer.py:31 | Taint SQL injection | user_input() | -| test.py:6 | s_0 | test.py:6 | Taint simple.test | SOURCE | -| test.py:7 | s_1 | test.py:6 | Taint simple.test | SOURCE | -| test.py:12 | arg_0 | test.py:12 | Taint simple.test | arg | -| test.py:13 | arg_1 | test.py:12 | Taint simple.test | arg | -| test.py:16 | t_0 | test.py:16 | Taint simple.test | source() | -| test.py:17 | t_1 | test.py:16 | Taint simple.test | source() | -| test.py:20 | t_0 | test.py:20 | Taint simple.test | SOURCE | -| test.py:21 | t_1 | test.py:20 | Taint simple.test | SOURCE | -| test.py:24 | t_0 | test.py:24 | Taint simple.test | source() | -| test.py:25 | t_1 | test.py:24 | Taint simple.test | source() | -| test.py:31 | t_2 | test.py:31 | Taint simple.test | SOURCE | -| test.py:37 | t_0 | test.py:37 | Taint simple.test | SOURCE | -| test.py:41 | t_1 | test.py:37 | Taint simple.test | SOURCE | -| test.py:46 | arg_0 | test.py:46 | Taint simple.test | arg | -| test.py:47 | arg_1 | test.py:46 | Taint simple.test | arg | -| test.py:49 | arg_0 | test.py:49 | Taint simple.test | arg | -| test.py:49 | arg_2 | test.py:49 | Taint simple.test | arg | -| test.py:51 | arg_1 | test.py:49 | Taint simple.test | arg | -| test.py:54 | t_0 | test.py:54 | Taint simple.test | source2() | -| test.py:55 | t_1 | test.py:54 | Taint simple.test | source2() | -| test.py:62 | t_1 | test.py:62 | Taint simple.test | SOURCE | -| test.py:63 | t_2 | test.py:62 | Taint simple.test | SOURCE | -| test.py:67 | t_0 | test.py:67 | Taint simple.test | SOURCE | -| test.py:70 | t_2 | test.py:67 | Taint simple.test | SOURCE | -| test.py:72 | arg_0 | test.py:72 | Attribute 'x' taint simple.test | arg | -| test.py:72 | arg_0 | test.py:72 | Taint basic.custom | arg | -| test.py:72 | arg_0 | test.py:72 | Taint simple.test | arg | -| test.py:76 | t_0 | test.py:76 | Taint simple.test | SOURCE | -| test.py:77 | t_1 | test.py:77 | Taint simple.test | hub() | -| test.py:78 | t_2 | test.py:77 | Taint simple.test | hub() | -| test.py:85 | module_0 | test.py:85 | Attribute 'dangerous' taint simple.test | ImportExpr | -| test.py:87 | module_1 | test.py:85 | Attribute 'dangerous' taint simple.test | ImportExpr | -| test.py:88 | t_0 | test.py:88 | Taint simple.test | Attribute | -| test.py:89 | t_1 | test.py:88 | Taint simple.test | Attribute | -| test.py:91 | module_2 | test.py:85 | Attribute 'dangerous' taint simple.test | ImportExpr | -| test.py:95 | module_3 | test.py:85 | Attribute 'dangerous' taint simple.test | ImportExpr | -| test.py:99 | module_4 | test.py:85 | Attribute 'dangerous' taint simple.test | ImportExpr | -| test.py:100 | t_0 | test.py:100 | Taint simple.test | Attribute() | -| test.py:101 | t_1 | test.py:100 | Taint simple.test | Attribute() | -| test.py:105 | arg_0 | test.py:105 | Attribute 'x' taint simple.test | arg | -| test.py:108 | module_5 | test.py:85 | Attribute 'dangerous' taint simple.test | ImportExpr | -| test.py:110 | t_1 | test.py:110 | Attribute 'x' taint simple.test | t | -| test.py:113 | module_6 | test.py:85 | Attribute 'dangerous' taint simple.test | ImportExpr | -| test.py:115 | t_1 | test.py:115 | Attribute 'x' taint simple.test | t | -| test.py:116 | t_2 | test.py:116 | Attribute 'x' taint simple.test | hub() | -| test.py:117 | t_3 | test.py:116 | Attribute 'x' taint simple.test | hub() | -| test.py:120 | t_0 | test.py:120 | Taint basic.custom | CUSTOM_SOURCE | -| test.py:121 | t_1 | test.py:121 | Taint basic.custom | hub() | -| test.py:122 | t_2 | test.py:121 | Taint basic.custom | hub() | -| test.py:126 | t_0 | test.py:126 | Taint basic.custom | CUSTOM_SOURCE | -| test.py:128 | t_2 | test.py:128 | Taint simple.test | SOURCE | -| test.py:130 | t_1 | test.py:126 | Taint basic.custom | CUSTOM_SOURCE | -| test.py:132 | t_3 | test.py:128 | Taint simple.test | SOURCE | -| test.py:136 | t_0 | test.py:136 | Taint basic.custom | CUSTOM_SOURCE | -| test.py:138 | t_2 | test.py:138 | Taint simple.test | SOURCE | -| test.py:140 | t_3 | test.py:138 | Taint simple.test | SOURCE | -| test.py:142 | t_1 | test.py:136 | Taint basic.custom | CUSTOM_SOURCE | -| test.py:146 | t_0 | test.py:146 | Taint basic.custom | CUSTOM_SOURCE | -| test.py:148 | t_3 | test.py:148 | Taint simple.test | SOURCE | -| test.py:149 | t_1 | test.py:149 | Taint basic.custom | TAINT_FROM_ARG() | -| test.py:151 | t_2 | test.py:149 | Taint basic.custom | TAINT_FROM_ARG() | -| test.py:155 | unsafe_0 | test.py:155 | Taint simple.test | ImportMember | -| test.py:156 | unsafe_1 | test.py:155 | Taint simple.test | ImportMember | -| test.py:159 | t_0 | test.py:159 | Taint simple.test | SOURCE | -| test.py:160 | t_1 | test.py:159 | Taint simple.test | SOURCE | -| test.py:163 | s_0 | test.py:163 | Taint simple.test | SOURCE | -| test.py:168 | l_0 | test.py:168 | Taint [simple.test] | List | -| test.py:169 | d_0 | test.py:169 | Taint {simple.test} | Dict | -| test.py:170 | l_1 | test.py:168 | Taint [simple.test] | List | -| test.py:170 | x_1 | test.py:170 | Taint [simple.test] | l | -| test.py:171 | d_1 | test.py:169 | Taint {simple.test} | Dict | -| test.py:171 | y_1 | test.py:171 | Taint {simple.test} | d | -| test.py:174 | l2_0 | test.py:174 | Taint [simple.test] | list() | -| test.py:174 | l_2 | test.py:168 | Taint [simple.test] | List | -| test.py:175 | d2_0 | test.py:175 | Taint {simple.test} | dict() | -| test.py:175 | d_2 | test.py:169 | Taint {simple.test} | Dict | -| test.py:178 | t_0 | test.py:178 | Taint simple.test | SOURCE | -| test.py:180 | t_1 | test.py:178 | Taint simple.test | SOURCE | -| test.py:180 | t_2 | test.py:178 | Taint simple.test | SOURCE | -| test.py:183 | t_3 | test.py:178 | Taint simple.test | SOURCE | -| test.py:186 | t_4 | test.py:178 | Taint simple.test | SOURCE | -| test.py:189 | t_0 | test.py:189 | Taint falsey | FALSEY | -| test.py:191 | t_1 | test.py:189 | Taint falsey | FALSEY | -| test.py:194 | t_5 | test.py:195 | Taint simple.test | SOURCE | -| test.py:195 | t_0 | test.py:195 | Taint simple.test | SOURCE | -| test.py:197 | t_1 | test.py:195 | Taint simple.test | SOURCE | -| test.py:197 | t_2 | test.py:195 | Taint simple.test | SOURCE | -| test.py:199 | t_3 | test.py:195 | Taint simple.test | SOURCE | -| test.py:199 | t_4 | test.py:195 | Taint simple.test | SOURCE | -| test.py:202 | t_0 | test.py:202 | Taint iterable.simple | ITERABLE_SOURCE | -| test.py:203 | i_1 | test.py:203 | Taint simple.test | For | -| test.py:203 | i_2 | test.py:203 | Taint simple.test | For | -| test.py:208 | seq_0 | test.py:208 | Taint [simple.test] | List | -| test.py:209 | i_1 | test.py:209 | Taint simple.test | For | -| test.py:209 | i_2 | test.py:209 | Taint simple.test | For | -| test.py:213 | x_0 | test.py:213 | Taint simple.test | For | -| test.py:213 | x_1 | test.py:213 | Taint simple.test | For | -| test.py:214 | x_2 | test.py:213 | Taint simple.test | For | +| carrier.py:4 | arg_0 | carrier.py:4 | Taint explicit.carrier | +| carrier.py:4 | arg_0 | carrier.py:4 | Taint simple.test | +| carrier.py:5 | self_1 | carrier.py:5 | Taint .attr = explicit.carrier | +| carrier.py:5 | self_1 | carrier.py:5 | Taint .attr = simple.test | +| carrier.py:10 | self_0 | carrier.py:10 | Taint .attr = simple.test | +| carrier.py:13 | arg_0 | carrier.py:13 | Taint .attr = simple.test | +| carrier.py:13 | arg_0 | carrier.py:13 | Taint explicit.carrier | +| carrier.py:17 | c_0 | carrier.py:17 | Taint .attr = simple.test | +| carrier.py:21 | c_0 | carrier.py:21 | Taint explicit.carrier | +| carrier.py:22 | c_1 | carrier.py:22 | Taint explicit.carrier | +| carrier.py:25 | c_0 | carrier.py:25 | Taint .attr = simple.test | +| carrier.py:26 | c_1 | carrier.py:26 | Taint .attr = simple.test | +| carrier.py:29 | c_0 | carrier.py:29 | Taint explicit.carrier | +| carrier.py:30 | c_1 | carrier.py:30 | Taint explicit.carrier | +| carrier.py:33 | c_0 | carrier.py:33 | Taint .attr = explicit.carrier | +| carrier.py:34 | x_0 | carrier.py:34 | Taint explicit.carrier | +| carrier.py:35 | x_1 | carrier.py:35 | Taint explicit.carrier | +| deep.py:2 | arg_0 | deep.py:2 | Taint simple.test | +| deep.py:5 | arg_0 | deep.py:5 | Taint simple.test | +| deep.py:6 | arg_1 | deep.py:6 | Taint simple.test | +| deep.py:8 | arg_0 | deep.py:8 | Taint simple.test | +| deep.py:9 | arg_1 | deep.py:9 | Taint simple.test | +| deep.py:11 | arg_0 | deep.py:11 | Taint simple.test | +| deep.py:12 | arg_1 | deep.py:12 | Taint simple.test | +| deep.py:14 | arg_0 | deep.py:14 | Taint simple.test | +| deep.py:15 | arg_1 | deep.py:15 | Taint simple.test | +| deep.py:17 | arg_0 | deep.py:17 | Taint simple.test | +| deep.py:18 | arg_1 | deep.py:18 | Taint simple.test | +| deep.py:20 | x_1 | deep.py:20 | Taint simple.test | +| module.py:3 | dangerous_0 | module.py:3 | Taint simple.test | +| rockpaperscissors.py:3 | arg_0 | rockpaperscissors.py:3 | Taint scissors | +| rockpaperscissors.py:6 | arg_0 | rockpaperscissors.py:6 | Taint paper | +| rockpaperscissors.py:6 | arg_0 | rockpaperscissors.py:6 | Taint rock | +| rockpaperscissors.py:6 | arg_0 | rockpaperscissors.py:6 | Taint scissors | +| rockpaperscissors.py:9 | arg_0 | rockpaperscissors.py:9 | Taint paper | +| rockpaperscissors.py:9 | arg_0 | rockpaperscissors.py:9 | Taint scissors | +| rockpaperscissors.py:19 | x_0 | rockpaperscissors.py:19 | Taint rock | +| rockpaperscissors.py:20 | x_1 | rockpaperscissors.py:20 | Taint rock | +| rockpaperscissors.py:20 | y_0 | rockpaperscissors.py:20 | Taint scissors | +| rockpaperscissors.py:21 | y_1 | rockpaperscissors.py:21 | Taint scissors | +| rockpaperscissors.py:24 | x_0 | rockpaperscissors.py:24 | Taint rock | +| rockpaperscissors.py:25 | x_1 | rockpaperscissors.py:25 | Taint rock | +| rockpaperscissors.py:25 | y_0 | rockpaperscissors.py:25 | Taint paper | +| rockpaperscissors.py:26 | y_1 | rockpaperscissors.py:26 | Taint paper | +| rockpaperscissors.py:29 | x_0 | rockpaperscissors.py:29 | Taint scissors | +| rockpaperscissors.py:30 | x_1 | rockpaperscissors.py:30 | Taint scissors | +| rockpaperscissors.py:30 | y_0 | rockpaperscissors.py:30 | Taint paper | +| rockpaperscissors.py:31 | x_2 | rockpaperscissors.py:31 | Taint scissors | +| rockpaperscissors.py:32 | y_1 | rockpaperscissors.py:32 | Taint paper | +| sanitizer.py:3 | arg_0 | sanitizer.py:3 | Taint Command injection | +| sanitizer.py:3 | arg_0 | sanitizer.py:3 | Taint SQL injection | +| sanitizer.py:5 | arg_0 | sanitizer.py:5 | Taint Command injection | +| sanitizer.py:5 | arg_0 | sanitizer.py:5 | Taint SQL injection | +| sanitizer.py:8 | x_5 | sanitizer.py:8 | Taint Command injection | +| sanitizer.py:8 | x_5 | sanitizer.py:8 | Taint SQL injection | +| sanitizer.py:9 | x_0 | sanitizer.py:9 | Taint Command injection | +| sanitizer.py:9 | x_0 | sanitizer.py:9 | Taint SQL injection | +| sanitizer.py:11 | x_1 | sanitizer.py:11 | Taint Command injection | +| sanitizer.py:11 | x_2 | sanitizer.py:11 | Taint Command injection | +| sanitizer.py:13 | x_3 | sanitizer.py:13 | Taint Command injection | +| sanitizer.py:13 | x_3 | sanitizer.py:13 | Taint SQL injection | +| sanitizer.py:13 | x_4 | sanitizer.py:13 | Taint Command injection | +| sanitizer.py:13 | x_4 | sanitizer.py:13 | Taint SQL injection | +| sanitizer.py:15 | x_5 | sanitizer.py:15 | Taint Command injection | +| sanitizer.py:15 | x_5 | sanitizer.py:15 | Taint SQL injection | +| sanitizer.py:16 | x_0 | sanitizer.py:16 | Taint Command injection | +| sanitizer.py:16 | x_0 | sanitizer.py:16 | Taint SQL injection | +| sanitizer.py:18 | x_1 | sanitizer.py:18 | Taint SQL injection | +| sanitizer.py:18 | x_2 | sanitizer.py:18 | Taint SQL injection | +| sanitizer.py:20 | x_3 | sanitizer.py:20 | Taint Command injection | +| sanitizer.py:20 | x_3 | sanitizer.py:20 | Taint SQL injection | +| sanitizer.py:20 | x_4 | sanitizer.py:20 | Taint Command injection | +| sanitizer.py:20 | x_4 | sanitizer.py:20 | Taint SQL injection | +| sanitizer.py:23 | x_5 | sanitizer.py:23 | Taint Command injection | +| sanitizer.py:23 | x_5 | sanitizer.py:23 | Taint SQL injection | +| sanitizer.py:24 | x_0 | sanitizer.py:24 | Taint Command injection | +| sanitizer.py:24 | x_0 | sanitizer.py:24 | Taint SQL injection | +| sanitizer.py:26 | x_1 | sanitizer.py:26 | Taint Command injection | +| sanitizer.py:26 | x_1 | sanitizer.py:26 | Taint SQL injection | +| sanitizer.py:26 | x_2 | sanitizer.py:26 | Taint Command injection | +| sanitizer.py:26 | x_2 | sanitizer.py:26 | Taint SQL injection | +| sanitizer.py:28 | x_3 | sanitizer.py:28 | Taint Command injection | +| sanitizer.py:28 | x_3 | sanitizer.py:28 | Taint SQL injection | +| sanitizer.py:28 | x_4 | sanitizer.py:28 | Taint Command injection | +| sanitizer.py:28 | x_4 | sanitizer.py:28 | Taint SQL injection | +| sanitizer.py:30 | x_5 | sanitizer.py:30 | Taint Command injection | +| sanitizer.py:30 | x_5 | sanitizer.py:30 | Taint SQL injection | +| sanitizer.py:31 | x_0 | sanitizer.py:31 | Taint Command injection | +| sanitizer.py:31 | x_0 | sanitizer.py:31 | Taint SQL injection | +| sanitizer.py:33 | x_1 | sanitizer.py:33 | Taint Command injection | +| sanitizer.py:33 | x_1 | sanitizer.py:33 | Taint SQL injection | +| sanitizer.py:33 | x_2 | sanitizer.py:33 | Taint Command injection | +| sanitizer.py:33 | x_2 | sanitizer.py:33 | Taint SQL injection | +| sanitizer.py:35 | x_3 | sanitizer.py:35 | Taint Command injection | +| sanitizer.py:35 | x_3 | sanitizer.py:35 | Taint SQL injection | +| sanitizer.py:35 | x_4 | sanitizer.py:35 | Taint Command injection | +| sanitizer.py:35 | x_4 | sanitizer.py:35 | Taint SQL injection | +| test.py:6 | s_0 | test.py:6 | Taint simple.test | +| test.py:7 | s_1 | test.py:7 | Taint simple.test | +| test.py:12 | arg_0 | test.py:12 | Taint simple.test | +| test.py:13 | arg_1 | test.py:13 | Taint simple.test | +| test.py:16 | t_0 | test.py:16 | Taint simple.test | +| test.py:17 | t_1 | test.py:17 | Taint simple.test | +| test.py:20 | t_0 | test.py:20 | Taint simple.test | +| test.py:21 | t_1 | test.py:21 | Taint simple.test | +| test.py:24 | t_0 | test.py:24 | Taint simple.test | +| test.py:25 | t_1 | test.py:25 | Taint simple.test | +| test.py:31 | t_2 | test.py:31 | Taint simple.test | +| test.py:37 | t_0 | test.py:37 | Taint simple.test | +| test.py:41 | t_1 | test.py:41 | Taint simple.test | +| test.py:46 | arg_0 | test.py:46 | Taint simple.test | +| test.py:47 | arg_1 | test.py:47 | Taint simple.test | +| test.py:49 | arg_0 | test.py:49 | Taint simple.test | +| test.py:49 | arg_2 | test.py:49 | Taint simple.test | +| test.py:51 | arg_1 | test.py:51 | Taint simple.test | +| test.py:54 | t_0 | test.py:54 | Taint simple.test | +| test.py:55 | t_1 | test.py:55 | Taint simple.test | +| test.py:62 | t_1 | test.py:62 | Taint simple.test | +| test.py:63 | t_2 | test.py:63 | Taint simple.test | +| test.py:67 | t_0 | test.py:67 | Taint simple.test | +| test.py:70 | t_2 | test.py:70 | Taint simple.test | +| test.py:72 | arg_0 | test.py:72 | Taint .x = simple.test | +| test.py:72 | arg_0 | test.py:72 | Taint basic.custom | +| test.py:72 | arg_0 | test.py:72 | Taint simple.test | +| test.py:76 | t_0 | test.py:76 | Taint simple.test | +| test.py:77 | t_1 | test.py:77 | Taint simple.test | +| test.py:78 | t_2 | test.py:78 | Taint simple.test | +| test.py:85 | module_0 | test.py:85 | Taint .dangerous = simple.test | +| test.py:87 | module_1 | test.py:87 | Taint .dangerous = simple.test | +| test.py:88 | t_0 | test.py:88 | Taint simple.test | +| test.py:89 | t_1 | test.py:89 | Taint simple.test | +| test.py:91 | module_2 | test.py:91 | Taint .dangerous = simple.test | +| test.py:95 | module_3 | test.py:95 | Taint .dangerous = simple.test | +| test.py:99 | module_4 | test.py:99 | Taint .dangerous = simple.test | +| test.py:100 | t_0 | test.py:100 | Taint simple.test | +| test.py:101 | t_1 | test.py:101 | Taint simple.test | +| test.py:105 | arg_0 | test.py:105 | Taint .x = simple.test | +| test.py:108 | module_5 | test.py:108 | Taint .dangerous = simple.test | +| test.py:110 | t_1 | test.py:110 | Taint .x = simple.test | +| test.py:113 | module_6 | test.py:113 | Taint .dangerous = simple.test | +| test.py:115 | t_1 | test.py:115 | Taint .x = simple.test | +| test.py:116 | t_2 | test.py:116 | Taint .x = simple.test | +| test.py:117 | t_3 | test.py:117 | Taint .x = simple.test | +| test.py:120 | t_0 | test.py:120 | Taint basic.custom | +| test.py:121 | t_1 | test.py:121 | Taint basic.custom | +| test.py:122 | t_2 | test.py:122 | Taint basic.custom | +| test.py:126 | t_0 | test.py:126 | Taint basic.custom | +| test.py:128 | t_2 | test.py:128 | Taint simple.test | +| test.py:130 | t_1 | test.py:130 | Taint basic.custom | +| test.py:132 | t_3 | test.py:132 | Taint simple.test | +| test.py:136 | t_0 | test.py:136 | Taint basic.custom | +| test.py:138 | t_2 | test.py:138 | Taint simple.test | +| test.py:140 | t_3 | test.py:140 | Taint simple.test | +| test.py:142 | t_1 | test.py:142 | Taint basic.custom | +| test.py:146 | t_0 | test.py:146 | Taint basic.custom | +| test.py:148 | t_3 | test.py:148 | Taint simple.test | +| test.py:149 | t_1 | test.py:149 | Taint basic.custom | +| test.py:151 | t_2 | test.py:151 | Taint basic.custom | +| test.py:155 | unsafe_0 | test.py:155 | Taint simple.test | +| test.py:156 | unsafe_1 | test.py:156 | Taint simple.test | +| test.py:159 | t_0 | test.py:159 | Taint simple.test | +| test.py:160 | t_1 | test.py:160 | Taint simple.test | +| test.py:163 | s_0 | test.py:163 | Taint simple.test | +| test.py:168 | l_0 | test.py:168 | Taint sequence of simple.test | +| test.py:169 | d_0 | test.py:169 | Taint dict of simple.test | +| test.py:170 | l_1 | test.py:170 | Taint sequence of simple.test | +| test.py:170 | x_1 | test.py:170 | Taint sequence of simple.test | +| test.py:171 | d_1 | test.py:171 | Taint dict of simple.test | +| test.py:171 | y_1 | test.py:171 | Taint dict of simple.test | +| test.py:174 | l2_0 | test.py:174 | Taint sequence of simple.test | +| test.py:174 | l_2 | test.py:174 | Taint sequence of simple.test | +| test.py:175 | d2_0 | test.py:175 | Taint dict of simple.test | +| test.py:175 | d_2 | test.py:175 | Taint dict of simple.test | +| test.py:178 | t_0 | test.py:178 | Taint simple.test | +| test.py:180 | t_1 | test.py:180 | Taint simple.test | +| test.py:180 | t_2 | test.py:180 | Taint simple.test | +| test.py:183 | t_3 | test.py:183 | Taint simple.test | +| test.py:186 | t_4 | test.py:186 | Taint simple.test | +| test.py:189 | t_0 | test.py:189 | Taint falsey | +| test.py:191 | t_1 | test.py:191 | Taint falsey | +| test.py:194 | t_5 | test.py:194 | Taint simple.test | +| test.py:195 | t_0 | test.py:195 | Taint simple.test | +| test.py:197 | t_1 | test.py:197 | Taint simple.test | +| test.py:197 | t_2 | test.py:197 | Taint simple.test | +| test.py:199 | t_3 | test.py:199 | Taint simple.test | +| test.py:199 | t_4 | test.py:199 | Taint simple.test | +| test.py:202 | t_0 | test.py:202 | Taint iterable.simple | +| test.py:203 | i_1 | test.py:203 | Taint simple.test | +| test.py:203 | i_2 | test.py:203 | Taint simple.test | +| test.py:208 | seq_0 | test.py:208 | Taint sequence of simple.test | +| test.py:209 | i_1 | test.py:209 | Taint simple.test | +| test.py:209 | i_2 | test.py:209 | Taint simple.test | +| test.py:213 | x_0 | test.py:213 | Taint simple.test | +| test.py:213 | x_1 | test.py:213 | Taint simple.test | +| test.py:214 | x_2 | test.py:214 | Taint simple.test | diff --git a/python/ql/test/library-tests/taint/general/TestVar.ql b/python/ql/test/library-tests/taint/general/TestVar.ql index 93a90e7bd76..37d4aad8bd7 100644 --- a/python/ql/test/library-tests/taint/general/TestVar.ql +++ b/python/ql/test/library-tests/taint/general/TestVar.ql @@ -4,6 +4,6 @@ import TaintLib from EssaVariable var, TaintedNode n -where TaintFlowTest::tainted_var(var, _, n) +where n.getNode().asVariable() = var select - var.getDefinition().getLocation().toString(), var.getRepresentation(), n.getLocation().toString(), n.getTrackedValue(), n.getNode().getNode().toString() + var.getDefinition().getLocation().toString(), var.getRepresentation(), n.getLocation().toString(), "Taint " + n.toString() diff --git a/python/ql/test/library-tests/web/bottle/Taint.expected b/python/ql/test/library-tests/web/bottle/Taint.expected index 2c373492c96..2f05e06613e 100644 --- a/python/ql/test/library-tests/web/bottle/Taint.expected +++ b/python/ql/test/library-tests/web/bottle/Taint.expected @@ -1,4 +1,4 @@ -WARNING: Predicate getNode has been deprecated and may be removed in future (/home/mark/repos/ql/python/ql/test/library-tests/web/turbogears/Taint.ql:12,54-61) +WARNING: Predicate getNode has been deprecated and may be removed in future (Taint.ql:12,54-61) | ../../../query-tests/Security/lib/bottle.py:64 | LocalRequest() | bottle.request | | ../../../query-tests/Security/lib/bottle.py:64 | request | bottle.request | | ../../../query-tests/Security/lib/bottle.py:68 | url | externally controlled string |