github
/
codeql
зеркало из https://github.com/github/codeql.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Python taint-tracking: make sure all features of legacy extensions are supported.

This commit is contained in:
Mark Shannon 2019-08-15 12:57:24 +01:00
Родитель 64c160b75c
Коммит c7ec5690a5
19 изменённых файлов: 390 добавлений и 299 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

37
python/ql/src/semmle/python/dataflow/Configuration.qll
Просмотреть файл

@ -37,13 +37,24 @@ module TaintTracking {
* Holds if `source` is a source of taint of `kind` that is relevant
* for this configuration.
*/
predicate isSource(DataFlow::Node source, TaintKind kind) { none() }
predicate isSource(DataFlow::Node node, TaintKind kind) {
exists(TaintSource source |
this.isSource(source) and
node.asCfgNode() = source and
source.isSourceOf(kind)
)
}
/**
* Holds if `sink` is a sink of taint of `kind` that is relevant
* for this configuration.
*/
predicate isSink(DataFlow::Node sink, TaintKind kind) { none() }
predicate isSink(DataFlow::Node node, TaintKind kind) {
exists(TaintSink sink |
node.asCfgNode() = sink and
sink.sinks(kind)
)
}
/**
* Holds if `src -> dest` should be considered as a flow edge
@ -60,12 +71,30 @@ module TaintTracking {
predicate isBarrier(DataFlow::Node node) { none() }
predicate isBarrier(DataFlow::Node node, TaintKind kind) { none() }
predicate isBarrier(DataFlow::Node node, TaintKind kind) {
exists(Sanitizer sanitizer |
this.isSanitizer(sanitizer)
|
sanitizer.sanitizingNode(kind, node.asCfgNode())
or
sanitizer.sanitizingEdge(kind, node.asVariable())
or
sanitizer.sanitizingSingleEdge(kind, node.asVariable())
or
sanitizer.sanitizingDefinition(kind, node.asVariable())
or
exists(MethodCallsiteRefinement call, FunctionObject callee |
call = node.asVariable().getDefinition() and
callee.getACall() = call.getCall() and
sanitizer.sanitizingCall(kind, callee)
)
)
}
/**
* Holds if flow from `src` to `dest` is prohibited.
*/
predicate isBarrierEdge(DataFlow::Node src, DataFlow::Node trg) { none() }
predicate isBarrierEdge(DataFlow::Node src, DataFlow::Node dest) { none() }
/**
* Holds if control flow from `test` along the `isTrue` edge is prohibited.

128
python/ql/src/semmle/python/dataflow/Implementation.qll
Просмотреть файл

@ -238,29 +238,13 @@ class TaintTrackingImplementation extends string {
predicate flowSource(DataFlow::Node node, TaintTrackingContext context, AttributePath path, TaintKind kind) {
context = TNoParam() and path = TNoAttribute() and
(
this.(TaintTracking::Configuration).isSource(node, kind)
or
exists(TaintSource source |
this.(TaintTracking::Configuration).isSource(source) and
node.asCfgNode() = source and
source.isSourceOf(kind)
)
)
this.(TaintTracking::Configuration).isSource(node, kind)
}
predicate flowSink(DataFlow::Node node, AttributePath path, TaintKind kind) {
path = TNoAttribute() and
(
this.(TaintTracking::Configuration).isSink(node, kind)
or
exists(TaintSink sink |
this.(TaintTracking::Configuration).isSink(sink) and
node.asCfgNode() = sink and
sink.sinks(kind)
)
)
this.(TaintTracking::Configuration).isSink(node, kind)
}
predicate isPathSource(TaintTrackingNode source) {
@ -293,28 +277,6 @@ class TaintTrackingImplementation extends string {
)
}
predicate flowBarrier(DataFlow::Node node, TaintKind kind) {
this.(TaintTracking::Configuration).isBarrier(node, kind)
or
exists(Sanitizer sanitizer |
this.(TaintTracking::Configuration).isSanitizer(sanitizer)
|
sanitizer.sanitizingNode(kind, node.asCfgNode())
or
sanitizer.sanitizingDefinition(kind, node.asVariable().getDefinition())
or
exists(MethodCallsiteRefinement call, FunctionObject callee |
call = node.asVariable().getDefinition() and
callee.getACall() = call.getCall() and
sanitizer.sanitizingCall(kind, callee)
)
or
sanitizer.sanitizingEdge(kind, node.asVariable().getDefinition())
or
sanitizer.sanitizingSingleEdge(kind, node.asVariable().getDefinition())
)
}
/** Gets the boolean value that `test` evaluates to when `use` is tainted with `kind`
* and `test` and `use` are part of a test in a branch.
*/
@ -334,9 +296,14 @@ class TaintTrackingImplementation extends string {
Filters::isinstance(test, c, use) and
c.pointsTo(cls)
|
kind.getType().getASuperType() = cls and result = true
exists(ClassValue scls |
scls = kind.getType() |
scls.getASuperType() = cls and result = true
or
not scls.getASuperType() = cls and result = false
)
or
not kind.getType().getASuperType() = cls and result = false
not exists(kind.getType()) and result = maybe()
)
}
@ -379,7 +346,7 @@ class TaintTrackingImplementation extends string {
(
not path = TNoAttribute()
or
not this.flowBarrier(node, kind) and
not this.(TaintTracking::Configuration).isBarrier(node, kind) and
exists(DataFlow::Node srcnode, TaintKind srckind |
src = TTaintTrackingNode_(srcnode, _, _, srckind, this) and
not this.prunedEdge(srcnode, node, srckind, kind)
@ -687,15 +654,18 @@ class TaintTrackingImplementation extends string {
this.taintedExceptionCapture(src, defn, context, path, kind)
or
this.taintedScopeEntryDefinition(src, defn, context, path, kind)
or
this.taintedWith(src, defn, context, path, kind)
}
pragma [noinline]
predicate taintedPhi(TaintTrackingNode src, PhiFunction defn, TaintTrackingContext context, AttributePath path, TaintKind kind) {
exists(DataFlow::Node srcnode, BasicBlock pred, EssaVariable predvar |
exists(DataFlow::Node srcnode, BasicBlock pred, EssaVariable predvar, DataFlow::Node phi |
src = TTaintTrackingNode_(srcnode, context, path, kind, this) and
defn = phi.asVariable().getDefinition() and
predvar = defn.getInput(pred) and
not pred.unlikelySuccessor(defn.getBasicBlock()) and
not predvar.(DataFlowExtension::DataFlowVariable).prunedSuccessor(defn.getVariable()) and
not this.(TaintTracking::Configuration).isBarrierEdge(srcnode, phi) and
srcnode.asVariable() = predvar
)
}
@ -791,6 +761,14 @@ class TaintTrackingImplementation extends string {
)
}
pragma [noinline]
predicate taintedWith(TaintTrackingNode src, WithDefinition defn, TaintTrackingContext context, AttributePath path, TaintKind kind) {
exists(DataFlow::Node srcnode |
src = TTaintTrackingNode_(srcnode, context, path, kind, this) and
with_flow(_, srcnode.asCfgNode(), defn.getDefiningNode())
)
}
predicate moduleAttributeTainted(ModuleValue m, string name, TaintTrackingNode taint) {
exists(DataFlow::Node srcnode, EssaVariable var |
taint = TTaintTrackingNode_(srcnode, TNoParam(), _, _, this) and
@ -803,6 +781,13 @@ class TaintTrackingImplementation extends string {
}
/* Helper predicate for tainted_with */
private predicate with_flow(With with, ControlFlowNode contextManager, ControlFlowNode var) {
with.getContextExpr() = contextManager.getNode() and
with.getOptionalVars() = var.getNode() and
contextManager.strictlyDominates(var)
}
/* Backwards compatibility with config-less taint-tracking */
private class LegacyConfiguration extends TaintTracking::Configuration {
@ -811,20 +796,14 @@ private class LegacyConfiguration extends TaintTracking::Configuration {
this = "Semmle: Internal legacy configuration"
}
override predicate isSource(DataFlow::Node source, TaintKind kind) {
override predicate isSource(TaintSource src) {
isValid() and
exists(TaintSource src |
source.asCfgNode() = src and
src.isSourceOf(kind)
)
src = src
}
override predicate isSink(DataFlow::Node sink, TaintKind kind) {
override predicate isSink(TaintSink sink) {
isValid() and
exists(TaintSink snk |
sink.asCfgNode() = snk and
snk.sinks(kind)
)
sink = sink
}
override predicate isSanitizer(Sanitizer sanitizer) {
@ -836,6 +815,45 @@ private class LegacyConfiguration extends TaintTracking::Configuration {
not exists(TaintTracking::Configuration config | config != this)
}
override predicate isAdditionalFlowStep(DataFlow::Node src, DataFlow::Node dest) {
isValid() and
exists(DataFlowExtension::DataFlowNode legacyExtension |
src.asCfgNode() = legacyExtension
|
dest.asCfgNode() = legacyExtension.getASuccessorNode()
or
dest.asVariable() = legacyExtension.getASuccessorVariable()
or
dest.asCfgNode() = legacyExtension.getAReturnSuccessorNode(_)
or
dest.asCfgNode() = legacyExtension.getACalleeSuccessorNode(_)
)
}
override predicate isAdditionalFlowStep(DataFlow::Node src, DataFlow::Node dest, TaintKind srckind, TaintKind destkind) {
isValid() and
exists(DataFlowExtension::DataFlowNode legacyExtension |
src.asCfgNode() = legacyExtension
|
dest.asCfgNode() = legacyExtension.getASuccessorNode(srckind, destkind)
)
}
override predicate isBarrierEdge(DataFlow::Node src, DataFlow::Node dest) {
isValid() and
(
exists(DataFlowExtension::DataFlowVariable legacyExtension |
src.asVariable() = legacyExtension and
legacyExtension.prunedSuccessor(dest.asVariable())
)
or
exists(DataFlowExtension::DataFlowNode legacyExtension |
src.asCfgNode() = legacyExtension and
legacyExtension.prunedSuccessor(dest.asCfgNode())
)
)
}
}
module Implementation {

2
python/ql/test/library-tests/taint/config/RockPaperScissors.expected
Просмотреть файл

@ -72,9 +72,11 @@ edges
| test.py:126:13:126:25 | simple.test | test.py:130:21:130:21 | simple.test |
| test.py:128:13:128:18 | simple.test | test.py:132:14:132:14 | simple.test |
| test.py:155:20:155:38 | simple.test | test.py:156:6:156:11 | simple.test |
| test.py:159:10:159:15 | simple.test | test.py:160:14:160:14 | simple.test |
| test.py:163:9:163:14 | simple.test | test.py:165:10:165:10 | simple.test |
| test.py:178:9:178:14 | simple.test | test.py:180:14:180:14 | simple.test |
| test.py:178:9:178:14 | simple.test | test.py:186:14:186:14 | simple.test |
| test.py:195:9:195:14 | simple.test | test.py:197:14:197:14 | simple.test |
| test.py:195:9:195:14 | simple.test | test.py:199:14:199:14 | simple.test |
| test.py:208:11:208:18 | sequence of simple.test | test.py:209:14:209:16 | sequence of simple.test |
| test.py:208:12:208:17 | simple.test | test.py:208:11:208:18 | sequence of simple.test |

4
python/ql/test/library-tests/taint/config/Simple.expected
Просмотреть файл

@ -72,9 +72,11 @@ edges
| test.py:126:13:126:25 | simple.test | test.py:130:21:130:21 | simple.test |
| test.py:128:13:128:18 | simple.test | test.py:132:14:132:14 | simple.test |
| test.py:155:20:155:38 | simple.test | test.py:156:6:156:11 | simple.test |
| test.py:159:10:159:15 | simple.test | test.py:160:14:160:14 | simple.test |
| test.py:163:9:163:14 | simple.test | test.py:165:10:165:10 | simple.test |
| test.py:178:9:178:14 | simple.test | test.py:180:14:180:14 | simple.test |
| test.py:178:9:178:14 | simple.test | test.py:186:14:186:14 | simple.test |
| test.py:195:9:195:14 | simple.test | test.py:197:14:197:14 | simple.test |
| test.py:195:9:195:14 | simple.test | test.py:199:14:199:14 | simple.test |
| test.py:208:11:208:18 | sequence of simple.test | test.py:209:14:209:16 | sequence of simple.test |
| test.py:208:12:208:17 | simple.test | test.py:208:11:208:18 | sequence of simple.test |
@ -104,8 +106,10 @@ edges
| test.py:111:10:111:12 | Attribute | module.py:3:13:3:18 | simple.test | test.py:111:10:111:12 | simple.test | $@ flows to $@. | module.py:3:13:3:18 | SOURCE | simple.test | test.py:111:10:111:12 | Attribute | simple.test |
| test.py:132:14:132:14 | t | test.py:128:13:128:18 | simple.test | test.py:132:14:132:14 | simple.test | $@ flows to $@. | test.py:128:13:128:18 | SOURCE | simple.test | test.py:132:14:132:14 | t | simple.test |
| test.py:156:6:156:11 | unsafe | module.py:3:13:3:18 | simple.test | test.py:156:6:156:11 | simple.test | $@ flows to $@. | module.py:3:13:3:18 | SOURCE | simple.test | test.py:156:6:156:11 | unsafe | simple.test |
| test.py:160:14:160:14 | t | test.py:159:10:159:15 | simple.test | test.py:160:14:160:14 | simple.test | $@ flows to $@. | test.py:159:10:159:15 | SOURCE | simple.test | test.py:160:14:160:14 | t | simple.test |
| test.py:165:10:165:10 | s | test.py:163:9:163:14 | simple.test | test.py:165:10:165:10 | simple.test | $@ flows to $@. | test.py:163:9:163:14 | SOURCE | simple.test | test.py:165:10:165:10 | s | simple.test |
| test.py:180:14:180:14 | t | test.py:178:9:178:14 | simple.test | test.py:180:14:180:14 | simple.test | $@ flows to $@. | test.py:178:9:178:14 | SOURCE | simple.test | test.py:180:14:180:14 | t | simple.test |
| test.py:186:14:186:14 | t | test.py:178:9:178:14 | simple.test | test.py:186:14:186:14 | simple.test | $@ flows to $@. | test.py:178:9:178:14 | SOURCE | simple.test | test.py:186:14:186:14 | t | simple.test |
| test.py:197:14:197:14 | t | test.py:195:9:195:14 | simple.test | test.py:197:14:197:14 | simple.test | $@ flows to $@. | test.py:195:9:195:14 | SOURCE | simple.test | test.py:197:14:197:14 | t | simple.test |
| test.py:199:14:199:14 | t | test.py:195:9:195:14 | simple.test | test.py:199:14:199:14 | simple.test | $@ flows to $@. | test.py:195:9:195:14 | SOURCE | simple.test | test.py:199:14:199:14 | t | simple.test |
| test.py:214:14:214:14 | x | test.py:208:12:208:17 | simple.test | test.py:214:14:214:14 | simple.test | $@ flows to $@. | test.py:208:12:208:17 | SOURCE | simple.test | test.py:214:14:214:14 | x | simple.test |

5
python/ql/test/library-tests/taint/config/TestNode.expected
Просмотреть файл

@ -268,6 +268,9 @@
| simple.test | test.py:156 | GSSA Variable unsafe | no attribute | |
| simple.test | test.py:156 | unsafe | no attribute | |
| simple.test | test.py:159 | SOURCE | no attribute | |
| simple.test | test.py:159 | SSA variable t | no attribute | |
| simple.test | test.py:160 | SSA variable t | no attribute | |
| simple.test | test.py:160 | t | no attribute | |
| simple.test | test.py:163 | SOURCE | no attribute | |
| simple.test | test.py:163 | SSA variable s | no attribute | |
| simple.test | test.py:164 | SSA variable s | no attribute | |
@ -289,6 +292,8 @@
| simple.test | test.py:195 | SOURCE | no attribute | |
| simple.test | test.py:195 | SSA variable t | no attribute | |
| simple.test | test.py:196 | t | no attribute | |
| simple.test | test.py:197 | SSA variable t | no attribute | |
| simple.test | test.py:197 | t | no attribute | |
| simple.test | test.py:199 | SSA variable t | no attribute | |
| simple.test | test.py:199 | t | no attribute | |
| simple.test | test.py:208 | SOURCE | no attribute | |

2
python/ql/test/library-tests/taint/config/TestStep.expected
Просмотреть файл

@ -122,6 +122,7 @@
| Simple config: | simple.test | test.py:138 | SOURCE | | --> | simple.test | test.py:140 | t | |
| Simple config: | simple.test | test.py:148 | SOURCE | | --> | simple.test | test.py:149 | t | |
| Simple config: | simple.test | test.py:155 | ImportMember | | --> | simple.test | test.py:156 | unsafe | |
| Simple config: | simple.test | test.py:159 | SOURCE | | --> | simple.test | test.py:160 | t | |
| Simple config: | simple.test | test.py:163 | SOURCE | | --> | simple.test | test.py:164 | s | |
| Simple config: | simple.test | test.py:163 | SOURCE | | --> | simple.test | test.py:165 | s | |
| Simple config: | simple.test | test.py:168 | SOURCE | | --> | [simple.test] | test.py:168 | List | |
@ -131,6 +132,7 @@
| Simple config: | simple.test | test.py:178 | SOURCE | | --> | simple.test | test.py:183 | t | |
| Simple config: | simple.test | test.py:178 | SOURCE | | --> | simple.test | test.py:186 | t | |
| Simple config: | simple.test | test.py:195 | SOURCE | | --> | simple.test | test.py:196 | t | |
| Simple config: | simple.test | test.py:195 | SOURCE | | --> | simple.test | test.py:197 | t | |
| Simple config: | simple.test | test.py:195 | SOURCE | | --> | simple.test | test.py:199 | t | |
| Simple config: | simple.test | test.py:208 | SOURCE | | --> | [simple.test] | test.py:208 | List | |
| Simple config: | simple.test | test.py:209 | For | | --> | simple.test | test.py:210 | i | |

11
python/ql/test/library-tests/taint/extensions/TestNode.expected
Просмотреть файл

@ -1,8 +1,9 @@
| Taint simple.test | visitor.py:10 | arg | visitor.py:26 |
| Taint simple.test | visitor.py:13 | arg | visitor.py:26 |
| Taint simple.test | visitor.py:18 | arg | visitor.py:26 |
| Taint simple.test | visitor.py:19 | arg | visitor.py:26 |
| Taint simple.test | visitor.py:21 | arg | visitor.py:26 |
WARNING: Predicate getNode has been deprecated and may be removed in future (TestNode.ql:7,77-84)
| Taint simple.test | visitor.py:10 | arg | p2 = simple.test |
| Taint simple.test | visitor.py:13 | arg | p2 = simple.test |
| Taint simple.test | visitor.py:18 | arg | |
| Taint simple.test | visitor.py:19 | arg | |
| Taint simple.test | visitor.py:21 | arg | |
| Taint simple.test | visitor.py:26 | Attribute() | |
| Taint simple.test | visitor.py:26 | SOURCE | |
| Taint simple.test | visitor.py:27 | x | |

2
python/ql/test/library-tests/taint/extensions/TestNode.ql
Просмотреть файл

@ -4,5 +4,5 @@ import ExtensionsLib
from TaintedNode n
select n.getTrackedValue(), n.getLocation().toString(), n.getNode().getNode().toString(), n.getContext()
select "Taint " + n.getTaintKind(), n.getLocation().toString(), n.getNode().getNode().toString(), n.getContext()

14
python/ql/test/library-tests/taint/extensions/TestStep.expected
Просмотреть файл

@ -1,7 +1,9 @@
| Taint simple.test | visitor.py:10 | arg | visitor.py:26 | --> | Taint simple.test | visitor.py:13 | arg | visitor.py:26 |
| Taint simple.test | visitor.py:18 | arg | visitor.py:26 | --> | Taint simple.test | visitor.py:19 | arg | visitor.py:26 |
| Taint simple.test | visitor.py:19 | arg | visitor.py:26 | --> | Taint simple.test | visitor.py:26 | Attribute() | |
WARNING: Predicate getNode has been deprecated and may be removed in future (TestStep.ql:9,74-81)
WARNING: Predicate getNode has been deprecated and may be removed in future (TestStep.ql:11,74-81)
| Taint simple.test | visitor.py:10 | arg | p2 = simple.test | --> | Taint simple.test | visitor.py:13 | arg | p2 = simple.test |
| Taint simple.test | visitor.py:18 | arg | | --> | Taint simple.test | visitor.py:19 | arg | |
| Taint simple.test | visitor.py:19 | arg | | --> | Taint simple.test | visitor.py:26 | Attribute() | |
| Taint simple.test | visitor.py:26 | Attribute() | | --> | Taint simple.test | visitor.py:27 | x | |
| Taint simple.test | visitor.py:26 | SOURCE | | --> | Taint simple.test | visitor.py:10 | arg | visitor.py:26 |
| Taint simple.test | visitor.py:26 | SOURCE | | --> | Taint simple.test | visitor.py:18 | arg | visitor.py:26 |
| Taint simple.test | visitor.py:26 | SOURCE | | --> | Taint simple.test | visitor.py:21 | arg | visitor.py:26 |
| Taint simple.test | visitor.py:26 | SOURCE | | --> | Taint simple.test | visitor.py:10 | arg | p2 = simple.test |
| Taint simple.test | visitor.py:26 | SOURCE | | --> | Taint simple.test | visitor.py:18 | arg | |
| Taint simple.test | visitor.py:26 | SOURCE | | --> | Taint simple.test | visitor.py:21 | arg | |

4
python/ql/test/library-tests/taint/extensions/TestStep.ql
Просмотреть файл

@ -6,6 +6,6 @@ import ExtensionsLib
from TaintedNode n, TaintedNode s
where s = n.getASuccessor()
select
n.getTrackedValue(), n.getLocation().toString(), n.getNode().getNode().toString(), n.getContext(),
"Taint " + n.getTaintKind(), n.getLocation().toString(), n.getNode().getNode().toString(), n.getContext(),
" --> ",
s.getTrackedValue(), s.getLocation().toString(), s.getNode().getNode().toString(), s.getContext()
"Taint " + s.getTaintKind(), s.getLocation().toString(), s.getNode().getNode().toString(), s.getContext()

2
python/ql/test/library-tests/taint/general/ParamSource.expected
Просмотреть файл

@ -1,5 +1,3 @@
| test | carrier.py:4 | 18 | Attribute | test |
| test | carrier.py:4 | 26 | Attribute() | test |
| test | test.py:12 | 13 | arg | test |
| test | test.py:46 | 13 | arg | test |
| test | test.py:49 | 13 | arg | test |

7
python/ql/test/library-tests/taint/general/TaintLib.qll
Просмотреть файл

@ -50,6 +50,13 @@ class SimpleSanitizer extends Sanitizer {
taint instanceof SimpleTest
}
override predicate sanitizingDefinition(TaintKind taint, EssaDefinition def) {
exists(CallNode call |
def.(ArgumentRefinement).getInput().getAUse() = call.getAnArg() and
call.getFunction().(NameNode).getId() = "SANITIZE"
) and
taint instanceof SimpleTest
}
}
class BasicCustomTaint extends TaintKind {

24
python/ql/test/library-tests/taint/general/TaintSanity.ql
Просмотреть файл

@ -1,26 +1,26 @@
import python
import semmle.python.security.TaintTest
import semmle.python.dataflow.TaintTracking
import semmle.python.dataflow.Implementation
import TaintLib
from TaintFlowTest::TrackedValue taint, CallContext c, ControlFlowNode n, string what
from TaintKind taint, TaintTrackingContext c, DataFlow::Node n, string what, TaintTrackingImplementation impl
where
not exists(TaintedNode t | t.getTrackedValue() = taint and t.getNode() = n and t.getContext() = c) and
not exists(TaintedNode t | t.getTaintKind() = taint and t.getNode() = n and t.getContext() = c) and
(
TaintFlowTest::step(_, taint, c, n) and what = "missing node at end of step"
impl.flowStep(_, n, c, _, taint, _) and what = "missing node at end of step"
or
n.(TaintSource).isSourceOf(taint.(TaintFlowTest::TrackedTaint).getKind(), c) and what = "missing node for source"
impl.flowSource(n, c, _, taint) and what = "missing node for source"
)
or
exists(TaintedNode t | t.getTrackedValue() = taint and t.getNode() = n and t.getContext() = c
exists(TaintedNode t | t.getTaintKind() = taint and t.getNode() = n and t.getContext() = c
|
not TaintFlowTest::step(_, taint, c, n) and
not n.(TaintSource).isSourceOf(taint.(TaintFlowTest::TrackedTaint).getKind(), c) and what = "TaintedNode with no reason"
not impl.flowStep(_, n, c, _, taint, _) and
not impl.flowSource(n, c, _, taint) and what = "TaintedNode with no reason"
or
TaintFlowTest::step(t, taint, c, n) and what = "step ends where it starts"
impl.flowStep(t, n, c, _, taint, _) and what = "step ends where it starts"
or
TaintFlowTest::step(t, _, _, _) and not TaintFlowTest::step(_, taint, c, n) and
not n.(TaintSource).isSourceOf(taint.(TaintFlowTest::TrackedTaint).getKind(), c) and what = "No predecessor and not a source"
impl.flowStep(t, _, _, _, _, _) and not impl.flowStep(_, n, c, _, taint, _) and
not impl.flowSource(n, c, _, taint) and what = "No predecessor and not a source"
)
select n.getLocation(), taint, c, n.toString(), what

7
python/ql/test/library-tests/taint/general/TestDefn.expected
Просмотреть файл

@ -59,9 +59,15 @@
| test.py:76 | SOURCE | test.py:76 | Taint simple.test | t |
| test.py:77 | hub() | test.py:77 | Taint simple.test | t |
| test.py:85 | ImportExpr | test.py:85 | Taint .dangerous = simple.test | module |
| test.py:87 | ScopeEntryDefinition | test.py:87 | Taint .dangerous = simple.test | Function test13 |
| test.py:88 | Attribute | test.py:88 | Taint simple.test | t |
| test.py:91 | ScopeEntryDefinition | test.py:91 | Taint .dangerous = simple.test | Function test14 |
| test.py:95 | ScopeEntryDefinition | test.py:95 | Taint .dangerous = simple.test | Function test15 |
| test.py:99 | ScopeEntryDefinition | test.py:99 | Taint .dangerous = simple.test | Function test16 |
| test.py:100 | Attribute() | test.py:100 | Taint simple.test | t |
| test.py:105 | ParameterDefinition | test.py:105 | Taint .x = simple.test | arg |
| test.py:108 | ScopeEntryDefinition | test.py:108 | Taint .dangerous = simple.test | Function test17 |
| test.py:113 | ScopeEntryDefinition | test.py:113 | Taint .dangerous = simple.test | Function test18 |
| test.py:116 | hub() | test.py:116 | Taint .x = simple.test | t |
| test.py:120 | CUSTOM_SOURCE | test.py:120 | Taint basic.custom | t |
| test.py:121 | hub() | test.py:121 | Taint basic.custom | t |
@ -73,6 +79,7 @@
| test.py:148 | SOURCE | test.py:148 | Taint simple.test | t |
| test.py:149 | TAINT_FROM_ARG() | test.py:149 | Taint basic.custom | t |
| test.py:155 | ImportMember | test.py:155 | Taint simple.test | unsafe |
| test.py:159 | with | test.py:159 | Taint simple.test | t |
| test.py:163 | SOURCE | test.py:163 | Taint simple.test | s |
| test.py:168 | List | test.py:168 | Taint sequence of simple.test | l |
| test.py:169 | Dict | test.py:169 | Taint dict of simple.test | d |

1
python/ql/test/library-tests/taint/general/TestSink.expected
Просмотреть файл

@ -14,6 +14,7 @@
| rock | rockpaperscissors.py:24 | 26 | y | paper |
| scissors | rockpaperscissors.py:13 | 13 | SCISSORS | scissors |
| simple.test | carrier.py:17 | 18 | Attribute | simple.test |
| simple.test | carrier.py:25 | 26 | Attribute() | simple.test |
| simple.test | module.py:3 | 89 | t | simple.test |
| simple.test | module.py:3 | 106 | Attribute | simple.test |
| simple.test | module.py:3 | 111 | Attribute | simple.test |

45
python/ql/test/library-tests/taint/general/TestStep.expected
Просмотреть файл

@ -3,22 +3,29 @@
| .attr = simple.test | carrier.py:10 | self | p0.attr = simple.test | --> | .attr = simple.test | carrier.py:11 | self | p0.attr = simple.test |
| .attr = simple.test | carrier.py:11 | self | p0.attr = simple.test | --> | simple.test | carrier.py:11 | Attribute | p0.attr = simple.test |
| .attr = simple.test | carrier.py:13 | arg | p0.attr = simple.test | --> | .attr = simple.test | carrier.py:14 | arg | p0.attr = simple.test |
| .attr = simple.test | carrier.py:14 | arg | p0.attr = simple.test | --> | .attr = simple.test | carrier.py:25 | hub() | |
| .attr = simple.test | carrier.py:17 | ImplicitCarrier() | | --> | .attr = simple.test | carrier.py:18 | c | |
| .attr = simple.test | carrier.py:18 | c | | --> | simple.test | carrier.py:18 | Attribute | |
| .attr = simple.test | carrier.py:25 | ImplicitCarrier() | | --> | .attr = simple.test | carrier.py:13 | arg | p0.attr = simple.test |
| .attr = simple.test | carrier.py:25 | ImplicitCarrier() | | --> | .attr = simple.test | carrier.py:25 | hub() | |
| .attr = simple.test | carrier.py:25 | hub() | | --> | .attr = simple.test | carrier.py:26 | c | |
| .attr = simple.test | carrier.py:26 | c | | --> | .attr = simple.test | carrier.py:10 | self | p0.attr = simple.test |
| .attr = simple.test | carrier.py:26 | c | | --> | simple.test | carrier.py:26 | Attribute() | |
| .dangerous = simple.test | test.py:85 | ImportExpr | | --> | .dangerous = simple.test | test.py:88 | module | |
| .dangerous = simple.test | test.py:85 | ImportExpr | | --> | .dangerous = simple.test | test.py:92 | module | |
| .dangerous = simple.test | test.py:85 | ImportExpr | | --> | .dangerous = simple.test | test.py:96 | module | |
| .dangerous = simple.test | test.py:85 | ImportExpr | | --> | .dangerous = simple.test | test.py:100 | module | |
| .dangerous = simple.test | test.py:85 | ImportExpr | | --> | .dangerous = simple.test | test.py:110 | module | |
| .dangerous = simple.test | test.py:85 | ImportExpr | | --> | .dangerous = simple.test | test.py:115 | module | |
| .dangerous = simple.test | test.py:88 | module | | --> | simple.test | test.py:88 | Attribute | |
| .dangerous = simple.test | test.py:110 | module | | --> | simple.test | test.py:110 | Attribute | |
| .dangerous = simple.test | test.py:115 | module | | --> | simple.test | test.py:115 | Attribute | |
| .x = simple.test | test.py:72 | arg | p0.x = simple.test | --> | .x = simple.test | test.py:73 | arg | p0.x = simple.test |
| .x = simple.test | test.py:73 | arg | p0.x = simple.test | --> | .x = simple.test | test.py:116 | hub() | |
| .x = simple.test | test.py:105 | arg | p0.x = simple.test | --> | .x = simple.test | test.py:106 | arg | p0.x = simple.test |
| .x = simple.test | test.py:106 | arg | p0.x = simple.test | --> | simple.test | test.py:106 | Attribute | p0.x = simple.test |
| .x = simple.test | test.py:111 | t | | --> | simple.test | test.py:111 | Attribute | |
| .x = simple.test | test.py:116 | hub() | | --> | .x = simple.test | test.py:117 | t | |
| .x = simple.test | test.py:116 | t | | --> | .x = simple.test | test.py:72 | arg | p0.x = simple.test |
| .x = simple.test | test.py:116 | t | | --> | .x = simple.test | test.py:116 | hub() | |
| .x = simple.test | test.py:117 | t | | --> | .x = simple.test | test.py:105 | arg | p0.x = simple.test |
| Command injection | sanitizer.py:9 | user_input() | | --> | Command injection | sanitizer.py:10 | x | |
| Command injection | sanitizer.py:9 | user_input() | | --> | Command injection | sanitizer.py:11 | x | |
@ -47,9 +54,9 @@
| SQL injection | sanitizer.py:31 | user_input() | | --> | SQL injection | sanitizer.py:33 | x | |
| SQL injection | sanitizer.py:31 | user_input() | | --> | SQL injection | sanitizer.py:35 | x | |
| basic.custom | test.py:72 | arg | p0 = basic.custom | --> | basic.custom | test.py:73 | arg | p0 = basic.custom |
| basic.custom | test.py:73 | arg | p0 = basic.custom | --> | basic.custom | test.py:121 | hub() | |
| basic.custom | test.py:120 | CUSTOM_SOURCE | | --> | basic.custom | test.py:121 | t | |
| basic.custom | test.py:121 | TAINT_FROM_ARG() | | --> | basic.custom | test.py:72 | arg | p0 = basic.custom |
| basic.custom | test.py:121 | TAINT_FROM_ARG() | | --> | basic.custom | test.py:121 | hub() | |
| basic.custom | test.py:121 | hub() | | --> | basic.custom | test.py:122 | t | |
| basic.custom | test.py:121 | t | | --> | basic.custom | test.py:121 | TAINT_FROM_ARG() | |
| basic.custom | test.py:126 | CUSTOM_SOURCE | | --> | basic.custom | test.py:130 | t | |
@ -59,16 +66,19 @@
| basic.custom | test.py:149 | t | | --> | basic.custom | test.py:149 | TAINT_FROM_ARG() | |
| dict of simple.test | test.py:169 | Dict | | --> | dict of simple.test | test.py:171 | d | |
| dict of simple.test | test.py:169 | Dict | | --> | dict of simple.test | test.py:175 | d | |
| dict of simple.test | test.py:171 | SSA variable y | | --> | dict of simple.test | test.py:173 | y | |
| dict of simple.test | test.py:171 | d | | --> | dict of simple.test | test.py:171 | SSA variable y | |
| dict of simple.test | test.py:173 | y | | --> | simple.test | test.py:173 | Subscript | |
| dict of simple.test | test.py:175 | d | | --> | dict of simple.test | test.py:175 | dict() | |
| explicit.carrier | carrier.py:4 | arg | p1 = explicit.carrier | --> | explicit.carrier | carrier.py:5 | arg | p1 = explicit.carrier |
| explicit.carrier | carrier.py:5 | arg | p1 = explicit.carrier | --> | .attr = explicit.carrier | carrier.py:33 | ImplicitCarrier() | |
| explicit.carrier | carrier.py:13 | arg | p0 = explicit.carrier | --> | explicit.carrier | carrier.py:14 | arg | p0 = explicit.carrier |
| explicit.carrier | carrier.py:14 | arg | p0 = explicit.carrier | --> | explicit.carrier | carrier.py:29 | hub() | |
| explicit.carrier | carrier.py:21 | TAINT_CARRIER_SOURCE | | --> | explicit.carrier | carrier.py:22 | c | |
| explicit.carrier | carrier.py:22 | c | | --> | simple.test | carrier.py:22 | Attribute() | |
| explicit.carrier | carrier.py:29 | TAINT_CARRIER_SOURCE | | --> | explicit.carrier | carrier.py:13 | arg | p0 = explicit.carrier |
| explicit.carrier | carrier.py:29 | TAINT_CARRIER_SOURCE | | --> | explicit.carrier | carrier.py:29 | hub() | |
| explicit.carrier | carrier.py:29 | hub() | | --> | explicit.carrier | carrier.py:30 | c | |
| explicit.carrier | carrier.py:30 | c | | --> | simple.test | carrier.py:30 | Attribute() | |
| explicit.carrier | carrier.py:33 | TAINT_CARRIER_SOURCE | | --> | .attr = explicit.carrier | carrier.py:33 | ImplicitCarrier() | |
| explicit.carrier | carrier.py:33 | TAINT_CARRIER_SOURCE | | --> | explicit.carrier | carrier.py:4 | arg | p1 = explicit.carrier |
| explicit.carrier | carrier.py:34 | Attribute | | --> | explicit.carrier | carrier.py:35 | x | |
| explicit.carrier | carrier.py:35 | x | | --> | simple.test | carrier.py:35 | Attribute() | |
@ -95,34 +105,36 @@
| scissors | rockpaperscissors.py:31 | x | | --> | scissors | rockpaperscissors.py:6 | arg | p0 = scissors |
| sequence of simple.test | test.py:168 | List | | --> | sequence of simple.test | test.py:170 | l | |
| sequence of simple.test | test.py:168 | List | | --> | sequence of simple.test | test.py:174 | l | |
| sequence of simple.test | test.py:170 | SSA variable x | | --> | sequence of simple.test | test.py:172 | x | |
| sequence of simple.test | test.py:170 | l | | --> | sequence of simple.test | test.py:170 | SSA variable x | |
| sequence of simple.test | test.py:172 | x | | --> | simple.test | test.py:172 | Subscript | |
| sequence of simple.test | test.py:174 | l | | --> | sequence of simple.test | test.py:174 | list() | |
| sequence of simple.test | test.py:208 | List | | --> | sequence of simple.test | test.py:209 | seq | |
| sequence of simple.test | test.py:209 | seq | | --> | simple.test | test.py:209 | For | |
| sequence of simple.test | test.py:213 | flow_in_generator() | | --> | simple.test | test.py:213 | For | |
| simple.test | carrier.py:4 | arg | p1 = simple.test | --> | simple.test | carrier.py:5 | arg | p1 = simple.test |
| simple.test | carrier.py:5 | arg | p1 = simple.test | --> | .attr = simple.test | carrier.py:17 | ImplicitCarrier() | |
| simple.test | carrier.py:5 | arg | p1 = simple.test | --> | .attr = simple.test | carrier.py:25 | ImplicitCarrier() | |
| simple.test | carrier.py:11 | Attribute | p0.attr = simple.test | --> | simple.test | carrier.py:26 | Attribute() | |
| simple.test | carrier.py:17 | SOURCE | | --> | .attr = simple.test | carrier.py:17 | ImplicitCarrier() | |
| simple.test | carrier.py:17 | SOURCE | | --> | simple.test | carrier.py:4 | arg | p1 = simple.test |
| simple.test | carrier.py:25 | SOURCE | | --> | .attr = simple.test | carrier.py:25 | ImplicitCarrier() | |
| simple.test | carrier.py:25 | SOURCE | | --> | simple.test | carrier.py:4 | arg | p1 = simple.test |
| simple.test | deep.py:2 | arg | p0 = simple.test | --> | simple.test | deep.py:3 | arg | p0 = simple.test |
| simple.test | deep.py:3 | arg | p0 = simple.test | --> | simple.test | deep.py:6 | f1() | p0 = simple.test |
| simple.test | deep.py:5 | arg | p0 = simple.test | --> | simple.test | deep.py:6 | arg | p0 = simple.test |
| simple.test | deep.py:6 | arg | p0 = simple.test | --> | simple.test | deep.py:2 | arg | p0 = simple.test |
| simple.test | deep.py:6 | f1() | p0 = simple.test | --> | simple.test | deep.py:9 | f2() | p0 = simple.test |
| simple.test | deep.py:6 | arg | p0 = simple.test | --> | simple.test | deep.py:6 | f1() | p0 = simple.test |
| simple.test | deep.py:8 | arg | p0 = simple.test | --> | simple.test | deep.py:9 | arg | p0 = simple.test |
| simple.test | deep.py:9 | arg | p0 = simple.test | --> | simple.test | deep.py:5 | arg | p0 = simple.test |
| simple.test | deep.py:9 | f2() | p0 = simple.test | --> | simple.test | deep.py:12 | f3() | p0 = simple.test |
| simple.test | deep.py:9 | arg | p0 = simple.test | --> | simple.test | deep.py:9 | f2() | p0 = simple.test |
| simple.test | deep.py:11 | arg | p0 = simple.test | --> | simple.test | deep.py:12 | arg | p0 = simple.test |
| simple.test | deep.py:12 | arg | p0 = simple.test | --> | simple.test | deep.py:8 | arg | p0 = simple.test |
| simple.test | deep.py:12 | f3() | p0 = simple.test | --> | simple.test | deep.py:15 | f4() | p0 = simple.test |
| simple.test | deep.py:12 | arg | p0 = simple.test | --> | simple.test | deep.py:12 | f3() | p0 = simple.test |
| simple.test | deep.py:14 | arg | p0 = simple.test | --> | simple.test | deep.py:15 | arg | p0 = simple.test |
| simple.test | deep.py:15 | arg | p0 = simple.test | --> | simple.test | deep.py:11 | arg | p0 = simple.test |
| simple.test | deep.py:15 | f4() | p0 = simple.test | --> | simple.test | deep.py:18 | f5() | p0 = simple.test |
| simple.test | deep.py:15 | arg | p0 = simple.test | --> | simple.test | deep.py:15 | f4() | p0 = simple.test |
| simple.test | deep.py:17 | arg | p0 = simple.test | --> | simple.test | deep.py:18 | arg | p0 = simple.test |
| simple.test | deep.py:18 | arg | p0 = simple.test | --> | simple.test | deep.py:14 | arg | p0 = simple.test |
| simple.test | deep.py:18 | f5() | p0 = simple.test | --> | simple.test | deep.py:20 | f6() | |
| simple.test | deep.py:18 | arg | p0 = simple.test | --> | simple.test | deep.py:18 | f5() | p0 = simple.test |
| simple.test | deep.py:20 | SOURCE | | --> | simple.test | deep.py:17 | arg | p0 = simple.test |
| simple.test | deep.py:20 | SOURCE | | --> | simple.test | deep.py:20 | f6() | |
| simple.test | deep.py:20 | f6() | | --> | simple.test | deep.py:22 | x | |
| simple.test | module.py:3 | SOURCE | | --> | .dangerous = simple.test | test.py:85 | ImportExpr | |
| simple.test | module.py:3 | SOURCE | | --> | .dangerous = simple.test | test.py:88 | module | |
@ -157,10 +169,10 @@
| simple.test | test.py:67 | SOURCE | | --> | simple.test | test.py:70 | t | |
| simple.test | test.py:70 | t | | --> | simple.test | test.py:49 | arg | p1 = simple.test |
| simple.test | test.py:72 | arg | p0 = simple.test | --> | simple.test | test.py:73 | arg | p0 = simple.test |
| simple.test | test.py:73 | arg | p0 = simple.test | --> | simple.test | test.py:77 | hub() | |
| simple.test | test.py:76 | SOURCE | | --> | simple.test | test.py:77 | t | |
| simple.test | test.py:77 | hub() | | --> | simple.test | test.py:78 | t | |
| simple.test | test.py:77 | t | | --> | simple.test | test.py:72 | arg | p0 = simple.test |
| simple.test | test.py:77 | t | | --> | simple.test | test.py:77 | hub() | |
| simple.test | test.py:88 | Attribute | | --> | simple.test | test.py:89 | t | |
| simple.test | test.py:100 | Attribute() | | --> | simple.test | test.py:101 | t | |
| simple.test | test.py:110 | Attribute | | --> | .x = simple.test | test.py:111 | t | |
@ -169,8 +181,8 @@
| simple.test | test.py:138 | SOURCE | | --> | simple.test | test.py:140 | t | |
| simple.test | test.py:148 | SOURCE | | --> | simple.test | test.py:149 | t | |
| simple.test | test.py:155 | ImportMember | | --> | simple.test | test.py:156 | unsafe | |
| simple.test | test.py:159 | SOURCE | | --> | simple.test | test.py:160 | t | |
| simple.test | test.py:163 | SOURCE | | --> | simple.test | test.py:164 | s | |
| simple.test | test.py:163 | SOURCE | | --> | simple.test | test.py:165 | s | |
| simple.test | test.py:168 | SOURCE | | --> | sequence of simple.test | test.py:168 | List | |
| simple.test | test.py:169 | SOURCE | | --> | dict of simple.test | test.py:169 | Dict | |
| simple.test | test.py:178 | SOURCE | | --> | simple.test | test.py:179 | t | |
@ -178,6 +190,7 @@
| simple.test | test.py:178 | SOURCE | | --> | simple.test | test.py:183 | t | |
| simple.test | test.py:178 | SOURCE | | --> | simple.test | test.py:186 | t | |
| simple.test | test.py:195 | SOURCE | | --> | simple.test | test.py:196 | t | |
| simple.test | test.py:195 | SOURCE | | --> | simple.test | test.py:197 | t | |
| simple.test | test.py:195 | SOURCE | | --> | simple.test | test.py:199 | t | |
| simple.test | test.py:203 | For | | --> | simple.test | test.py:204 | i | |
| simple.test | test.py:203 | For | | --> | simple.test | test.py:205 | i | |

388
python/ql/test/library-tests/taint/general/TestVar.expected
Просмотреть файл

@ -1,193 +1,195 @@
| carrier.py:4 | arg_0 | carrier.py:4 | Taint explicit.carrier | arg |
| carrier.py:4 | arg_0 | carrier.py:4 | Taint simple.test | arg |
| carrier.py:5 | self_1 | carrier.py:5 | Attribute 'attr' taint explicit.carrier | self |
| carrier.py:5 | self_1 | carrier.py:5 | Attribute 'attr' taint simple.test | self |
| carrier.py:13 | arg_0 | carrier.py:13 | Attribute 'attr' taint simple.test | arg |
| carrier.py:13 | arg_0 | carrier.py:13 | Taint explicit.carrier | arg |
| carrier.py:17 | c_0 | carrier.py:17 | Attribute 'attr' taint simple.test | ImplicitCarrier() |
| carrier.py:21 | c_0 | carrier.py:21 | Taint explicit.carrier | TAINT_CARRIER_SOURCE |
| carrier.py:22 | c_1 | carrier.py:21 | Taint explicit.carrier | TAINT_CARRIER_SOURCE |
| carrier.py:25 | c_0 | carrier.py:25 | Attribute 'attr' taint simple.test | hub() |
| carrier.py:29 | c_0 | carrier.py:29 | Taint explicit.carrier | hub() |
| carrier.py:30 | c_1 | carrier.py:29 | Taint explicit.carrier | hub() |
| carrier.py:33 | c_0 | carrier.py:33 | Attribute 'attr' taint explicit.carrier | ImplicitCarrier() |
| carrier.py:34 | x_0 | carrier.py:34 | Taint explicit.carrier | Attribute |
| carrier.py:35 | x_1 | carrier.py:34 | Taint explicit.carrier | Attribute |
| deep.py:2 | arg_0 | deep.py:2 | Taint simple.test | arg |
| deep.py:5 | arg_0 | deep.py:5 | Taint simple.test | arg |
| deep.py:6 | arg_1 | deep.py:5 | Taint simple.test | arg |
| deep.py:8 | arg_0 | deep.py:8 | Taint simple.test | arg |
| deep.py:9 | arg_1 | deep.py:8 | Taint simple.test | arg |
| deep.py:11 | arg_0 | deep.py:11 | Taint simple.test | arg |
| deep.py:12 | arg_1 | deep.py:11 | Taint simple.test | arg |
| deep.py:14 | arg_0 | deep.py:14 | Taint simple.test | arg |
| deep.py:15 | arg_1 | deep.py:14 | Taint simple.test | arg |
| deep.py:17 | arg_0 | deep.py:17 | Taint simple.test | arg |
| deep.py:18 | arg_1 | deep.py:17 | Taint simple.test | arg |
| deep.py:20 | x_1 | deep.py:20 | Taint simple.test | f6() |
| module.py:3 | dangerous_0 | module.py:3 | Taint simple.test | SOURCE |
| rockpaperscissors.py:3 | arg_0 | rockpaperscissors.py:3 | Taint scissors | arg |
| rockpaperscissors.py:6 | arg_0 | rockpaperscissors.py:6 | Taint paper | arg |
| rockpaperscissors.py:6 | arg_0 | rockpaperscissors.py:6 | Taint rock | arg |
| rockpaperscissors.py:6 | arg_0 | rockpaperscissors.py:6 | Taint scissors | arg |
| rockpaperscissors.py:9 | arg_0 | rockpaperscissors.py:9 | Taint paper | arg |
| rockpaperscissors.py:9 | arg_0 | rockpaperscissors.py:9 | Taint scissors | arg |
| rockpaperscissors.py:19 | x_0 | rockpaperscissors.py:19 | Taint rock | ROCK |
| rockpaperscissors.py:20 | x_1 | rockpaperscissors.py:19 | Taint rock | ROCK |
| rockpaperscissors.py:20 | y_0 | rockpaperscissors.py:20 | Taint scissors | Attribute() |
| rockpaperscissors.py:21 | y_1 | rockpaperscissors.py:20 | Taint scissors | Attribute() |
| rockpaperscissors.py:24 | x_0 | rockpaperscissors.py:24 | Taint rock | ROCK |
| rockpaperscissors.py:25 | x_1 | rockpaperscissors.py:24 | Taint rock | ROCK |
| rockpaperscissors.py:25 | y_0 | rockpaperscissors.py:25 | Taint paper | Attribute() |
| rockpaperscissors.py:26 | y_1 | rockpaperscissors.py:25 | Taint paper | Attribute() |
| rockpaperscissors.py:29 | x_0 | rockpaperscissors.py:29 | Taint scissors | SCISSORS |
| rockpaperscissors.py:30 | x_1 | rockpaperscissors.py:29 | Taint scissors | SCISSORS |
| rockpaperscissors.py:30 | y_0 | rockpaperscissors.py:30 | Taint paper | Attribute() |
| rockpaperscissors.py:31 | x_2 | rockpaperscissors.py:29 | Taint scissors | SCISSORS |
| rockpaperscissors.py:32 | y_1 | rockpaperscissors.py:30 | Taint paper | Attribute() |
| sanitizer.py:3 | arg_0 | sanitizer.py:3 | Taint Command injection | arg |
| sanitizer.py:3 | arg_0 | sanitizer.py:3 | Taint SQL injection | arg |
| sanitizer.py:5 | arg_0 | sanitizer.py:5 | Taint Command injection | arg |
| sanitizer.py:5 | arg_0 | sanitizer.py:5 | Taint SQL injection | arg |
| sanitizer.py:8 | x_5 | sanitizer.py:9 | Taint Command injection | user_input() |
| sanitizer.py:8 | x_5 | sanitizer.py:9 | Taint SQL injection | user_input() |
| sanitizer.py:9 | x_0 | sanitizer.py:9 | Taint Command injection | user_input() |
| sanitizer.py:9 | x_0 | sanitizer.py:9 | Taint SQL injection | user_input() |
| sanitizer.py:11 | x_1 | sanitizer.py:9 | Taint Command injection | user_input() |
| sanitizer.py:11 | x_2 | sanitizer.py:9 | Taint Command injection | user_input() |
| sanitizer.py:13 | x_3 | sanitizer.py:9 | Taint Command injection | user_input() |
| sanitizer.py:13 | x_3 | sanitizer.py:9 | Taint SQL injection | user_input() |
| sanitizer.py:13 | x_4 | sanitizer.py:9 | Taint Command injection | user_input() |
| sanitizer.py:13 | x_4 | sanitizer.py:9 | Taint SQL injection | user_input() |
| sanitizer.py:15 | x_5 | sanitizer.py:16 | Taint Command injection | user_input() |
| sanitizer.py:15 | x_5 | sanitizer.py:16 | Taint SQL injection | user_input() |
| sanitizer.py:16 | x_0 | sanitizer.py:16 | Taint Command injection | user_input() |
| sanitizer.py:16 | x_0 | sanitizer.py:16 | Taint SQL injection | user_input() |
| sanitizer.py:18 | x_1 | sanitizer.py:16 | Taint SQL injection | user_input() |
| sanitizer.py:18 | x_2 | sanitizer.py:16 | Taint SQL injection | user_input() |
| sanitizer.py:20 | x_3 | sanitizer.py:16 | Taint Command injection | user_input() |
| sanitizer.py:20 | x_3 | sanitizer.py:16 | Taint SQL injection | user_input() |
| sanitizer.py:20 | x_4 | sanitizer.py:16 | Taint Command injection | user_input() |
| sanitizer.py:20 | x_4 | sanitizer.py:16 | Taint SQL injection | user_input() |
| sanitizer.py:23 | x_5 | sanitizer.py:24 | Taint Command injection | user_input() |
| sanitizer.py:23 | x_5 | sanitizer.py:24 | Taint SQL injection | user_input() |
| sanitizer.py:24 | x_0 | sanitizer.py:24 | Taint Command injection | user_input() |
| sanitizer.py:24 | x_0 | sanitizer.py:24 | Taint SQL injection | user_input() |
| sanitizer.py:26 | x_1 | sanitizer.py:24 | Taint Command injection | user_input() |
| sanitizer.py:26 | x_1 | sanitizer.py:24 | Taint SQL injection | user_input() |
| sanitizer.py:26 | x_2 | sanitizer.py:24 | Taint Command injection | user_input() |
| sanitizer.py:26 | x_2 | sanitizer.py:24 | Taint SQL injection | user_input() |
| sanitizer.py:28 | x_3 | sanitizer.py:24 | Taint Command injection | user_input() |
| sanitizer.py:28 | x_3 | sanitizer.py:24 | Taint SQL injection | user_input() |
| sanitizer.py:28 | x_4 | sanitizer.py:24 | Taint Command injection | user_input() |
| sanitizer.py:28 | x_4 | sanitizer.py:24 | Taint SQL injection | user_input() |
| sanitizer.py:30 | x_5 | sanitizer.py:31 | Taint Command injection | user_input() |
| sanitizer.py:30 | x_5 | sanitizer.py:31 | Taint SQL injection | user_input() |
| sanitizer.py:31 | x_0 | sanitizer.py:31 | Taint Command injection | user_input() |
| sanitizer.py:31 | x_0 | sanitizer.py:31 | Taint SQL injection | user_input() |
| sanitizer.py:33 | x_1 | sanitizer.py:31 | Taint Command injection | user_input() |
| sanitizer.py:33 | x_1 | sanitizer.py:31 | Taint SQL injection | user_input() |
| sanitizer.py:33 | x_2 | sanitizer.py:31 | Taint Command injection | user_input() |
| sanitizer.py:33 | x_2 | sanitizer.py:31 | Taint SQL injection | user_input() |
| sanitizer.py:35 | x_3 | sanitizer.py:31 | Taint Command injection | user_input() |
| sanitizer.py:35 | x_3 | sanitizer.py:31 | Taint SQL injection | user_input() |
| sanitizer.py:35 | x_4 | sanitizer.py:31 | Taint Command injection | user_input() |
| sanitizer.py:35 | x_4 | sanitizer.py:31 | Taint SQL injection | user_input() |
| test.py:6 | s_0 | test.py:6 | Taint simple.test | SOURCE |
| test.py:7 | s_1 | test.py:6 | Taint simple.test | SOURCE |
| test.py:12 | arg_0 | test.py:12 | Taint simple.test | arg |
| test.py:13 | arg_1 | test.py:12 | Taint simple.test | arg |
| test.py:16 | t_0 | test.py:16 | Taint simple.test | source() |
| test.py:17 | t_1 | test.py:16 | Taint simple.test | source() |
| test.py:20 | t_0 | test.py:20 | Taint simple.test | SOURCE |
| test.py:21 | t_1 | test.py:20 | Taint simple.test | SOURCE |
| test.py:24 | t_0 | test.py:24 | Taint simple.test | source() |
| test.py:25 | t_1 | test.py:24 | Taint simple.test | source() |
| test.py:31 | t_2 | test.py:31 | Taint simple.test | SOURCE |
| test.py:37 | t_0 | test.py:37 | Taint simple.test | SOURCE |
| test.py:41 | t_1 | test.py:37 | Taint simple.test | SOURCE |
| test.py:46 | arg_0 | test.py:46 | Taint simple.test | arg |
| test.py:47 | arg_1 | test.py:46 | Taint simple.test | arg |
| test.py:49 | arg_0 | test.py:49 | Taint simple.test | arg |
| test.py:49 | arg_2 | test.py:49 | Taint simple.test | arg |
| test.py:51 | arg_1 | test.py:49 | Taint simple.test | arg |
| test.py:54 | t_0 | test.py:54 | Taint simple.test | source2() |
| test.py:55 | t_1 | test.py:54 | Taint simple.test | source2() |
| test.py:62 | t_1 | test.py:62 | Taint simple.test | SOURCE |
| test.py:63 | t_2 | test.py:62 | Taint simple.test | SOURCE |
| test.py:67 | t_0 | test.py:67 | Taint simple.test | SOURCE |
| test.py:70 | t_2 | test.py:67 | Taint simple.test | SOURCE |
| test.py:72 | arg_0 | test.py:72 | Attribute 'x' taint simple.test | arg |
| test.py:72 | arg_0 | test.py:72 | Taint basic.custom | arg |
| test.py:72 | arg_0 | test.py:72 | Taint simple.test | arg |
| test.py:76 | t_0 | test.py:76 | Taint simple.test | SOURCE |
| test.py:77 | t_1 | test.py:77 | Taint simple.test | hub() |
| test.py:78 | t_2 | test.py:77 | Taint simple.test | hub() |
| test.py:85 | module_0 | test.py:85 | Attribute 'dangerous' taint simple.test | ImportExpr |
| test.py:87 | module_1 | test.py:85 | Attribute 'dangerous' taint simple.test | ImportExpr |
| test.py:88 | t_0 | test.py:88 | Taint simple.test | Attribute |
| test.py:89 | t_1 | test.py:88 | Taint simple.test | Attribute |
| test.py:91 | module_2 | test.py:85 | Attribute 'dangerous' taint simple.test | ImportExpr |
| test.py:95 | module_3 | test.py:85 | Attribute 'dangerous' taint simple.test | ImportExpr |
| test.py:99 | module_4 | test.py:85 | Attribute 'dangerous' taint simple.test | ImportExpr |
| test.py:100 | t_0 | test.py:100 | Taint simple.test | Attribute() |
| test.py:101 | t_1 | test.py:100 | Taint simple.test | Attribute() |
| test.py:105 | arg_0 | test.py:105 | Attribute 'x' taint simple.test | arg |
| test.py:108 | module_5 | test.py:85 | Attribute 'dangerous' taint simple.test | ImportExpr |
| test.py:110 | t_1 | test.py:110 | Attribute 'x' taint simple.test | t |
| test.py:113 | module_6 | test.py:85 | Attribute 'dangerous' taint simple.test | ImportExpr |
| test.py:115 | t_1 | test.py:115 | Attribute 'x' taint simple.test | t |
| test.py:116 | t_2 | test.py:116 | Attribute 'x' taint simple.test | hub() |
| test.py:117 | t_3 | test.py:116 | Attribute 'x' taint simple.test | hub() |
| test.py:120 | t_0 | test.py:120 | Taint basic.custom | CUSTOM_SOURCE |
| test.py:121 | t_1 | test.py:121 | Taint basic.custom | hub() |
| test.py:122 | t_2 | test.py:121 | Taint basic.custom | hub() |
| test.py:126 | t_0 | test.py:126 | Taint basic.custom | CUSTOM_SOURCE |
| test.py:128 | t_2 | test.py:128 | Taint simple.test | SOURCE |
| test.py:130 | t_1 | test.py:126 | Taint basic.custom | CUSTOM_SOURCE |
| test.py:132 | t_3 | test.py:128 | Taint simple.test | SOURCE |
| test.py:136 | t_0 | test.py:136 | Taint basic.custom | CUSTOM_SOURCE |
| test.py:138 | t_2 | test.py:138 | Taint simple.test | SOURCE |
| test.py:140 | t_3 | test.py:138 | Taint simple.test | SOURCE |
| test.py:142 | t_1 | test.py:136 | Taint basic.custom | CUSTOM_SOURCE |
| test.py:146 | t_0 | test.py:146 | Taint basic.custom | CUSTOM_SOURCE |
| test.py:148 | t_3 | test.py:148 | Taint simple.test | SOURCE |
| test.py:149 | t_1 | test.py:149 | Taint basic.custom | TAINT_FROM_ARG() |
| test.py:151 | t_2 | test.py:149 | Taint basic.custom | TAINT_FROM_ARG() |
| test.py:155 | unsafe_0 | test.py:155 | Taint simple.test | ImportMember |
| test.py:156 | unsafe_1 | test.py:155 | Taint simple.test | ImportMember |
| test.py:159 | t_0 | test.py:159 | Taint simple.test | SOURCE |
| test.py:160 | t_1 | test.py:159 | Taint simple.test | SOURCE |
| test.py:163 | s_0 | test.py:163 | Taint simple.test | SOURCE |
| test.py:168 | l_0 | test.py:168 | Taint [simple.test] | List |
| test.py:169 | d_0 | test.py:169 | Taint {simple.test} | Dict |
| test.py:170 | l_1 | test.py:168 | Taint [simple.test] | List |
| test.py:170 | x_1 | test.py:170 | Taint [simple.test] | l |
| test.py:171 | d_1 | test.py:169 | Taint {simple.test} | Dict |
| test.py:171 | y_1 | test.py:171 | Taint {simple.test} | d |
| test.py:174 | l2_0 | test.py:174 | Taint [simple.test] | list() |
| test.py:174 | l_2 | test.py:168 | Taint [simple.test] | List |
| test.py:175 | d2_0 | test.py:175 | Taint {simple.test} | dict() |
| test.py:175 | d_2 | test.py:169 | Taint {simple.test} | Dict |
| test.py:178 | t_0 | test.py:178 | Taint simple.test | SOURCE |
| test.py:180 | t_1 | test.py:178 | Taint simple.test | SOURCE |
| test.py:180 | t_2 | test.py:178 | Taint simple.test | SOURCE |
| test.py:183 | t_3 | test.py:178 | Taint simple.test | SOURCE |
| test.py:186 | t_4 | test.py:178 | Taint simple.test | SOURCE |
| test.py:189 | t_0 | test.py:189 | Taint falsey | FALSEY |
| test.py:191 | t_1 | test.py:189 | Taint falsey | FALSEY |
| test.py:194 | t_5 | test.py:195 | Taint simple.test | SOURCE |
| test.py:195 | t_0 | test.py:195 | Taint simple.test | SOURCE |
| test.py:197 | t_1 | test.py:195 | Taint simple.test | SOURCE |
| test.py:197 | t_2 | test.py:195 | Taint simple.test | SOURCE |
| test.py:199 | t_3 | test.py:195 | Taint simple.test | SOURCE |
| test.py:199 | t_4 | test.py:195 | Taint simple.test | SOURCE |
| test.py:202 | t_0 | test.py:202 | Taint iterable.simple | ITERABLE_SOURCE |
| test.py:203 | i_1 | test.py:203 | Taint simple.test | For |
| test.py:203 | i_2 | test.py:203 | Taint simple.test | For |
| test.py:208 | seq_0 | test.py:208 | Taint [simple.test] | List |
| test.py:209 | i_1 | test.py:209 | Taint simple.test | For |
| test.py:209 | i_2 | test.py:209 | Taint simple.test | For |
| test.py:213 | x_0 | test.py:213 | Taint simple.test | For |
| test.py:213 | x_1 | test.py:213 | Taint simple.test | For |
| test.py:214 | x_2 | test.py:213 | Taint simple.test | For |
| carrier.py:4 | arg_0 | carrier.py:4 | Taint explicit.carrier |
| carrier.py:4 | arg_0 | carrier.py:4 | Taint simple.test |
| carrier.py:5 | self_1 | carrier.py:5 | Taint .attr = explicit.carrier |
| carrier.py:5 | self_1 | carrier.py:5 | Taint .attr = simple.test |
| carrier.py:10 | self_0 | carrier.py:10 | Taint .attr = simple.test |
| carrier.py:13 | arg_0 | carrier.py:13 | Taint .attr = simple.test |
| carrier.py:13 | arg_0 | carrier.py:13 | Taint explicit.carrier |
| carrier.py:17 | c_0 | carrier.py:17 | Taint .attr = simple.test |
| carrier.py:21 | c_0 | carrier.py:21 | Taint explicit.carrier |
| carrier.py:22 | c_1 | carrier.py:22 | Taint explicit.carrier |
| carrier.py:25 | c_0 | carrier.py:25 | Taint .attr = simple.test |
| carrier.py:26 | c_1 | carrier.py:26 | Taint .attr = simple.test |
| carrier.py:29 | c_0 | carrier.py:29 | Taint explicit.carrier |
| carrier.py:30 | c_1 | carrier.py:30 | Taint explicit.carrier |
| carrier.py:33 | c_0 | carrier.py:33 | Taint .attr = explicit.carrier |
| carrier.py:34 | x_0 | carrier.py:34 | Taint explicit.carrier |
| carrier.py:35 | x_1 | carrier.py:35 | Taint explicit.carrier |
| deep.py:2 | arg_0 | deep.py:2 | Taint simple.test |
| deep.py:5 | arg_0 | deep.py:5 | Taint simple.test |
| deep.py:6 | arg_1 | deep.py:6 | Taint simple.test |
| deep.py:8 | arg_0 | deep.py:8 | Taint simple.test |
| deep.py:9 | arg_1 | deep.py:9 | Taint simple.test |
| deep.py:11 | arg_0 | deep.py:11 | Taint simple.test |
| deep.py:12 | arg_1 | deep.py:12 | Taint simple.test |
| deep.py:14 | arg_0 | deep.py:14 | Taint simple.test |
| deep.py:15 | arg_1 | deep.py:15 | Taint simple.test |
| deep.py:17 | arg_0 | deep.py:17 | Taint simple.test |
| deep.py:18 | arg_1 | deep.py:18 | Taint simple.test |
| deep.py:20 | x_1 | deep.py:20 | Taint simple.test |
| module.py:3 | dangerous_0 | module.py:3 | Taint simple.test |
| rockpaperscissors.py:3 | arg_0 | rockpaperscissors.py:3 | Taint scissors |
| rockpaperscissors.py:6 | arg_0 | rockpaperscissors.py:6 | Taint paper |
| rockpaperscissors.py:6 | arg_0 | rockpaperscissors.py:6 | Taint rock |
| rockpaperscissors.py:6 | arg_0 | rockpaperscissors.py:6 | Taint scissors |
| rockpaperscissors.py:9 | arg_0 | rockpaperscissors.py:9 | Taint paper |
| rockpaperscissors.py:9 | arg_0 | rockpaperscissors.py:9 | Taint scissors |
| rockpaperscissors.py:19 | x_0 | rockpaperscissors.py:19 | Taint rock |
| rockpaperscissors.py:20 | x_1 | rockpaperscissors.py:20 | Taint rock |
| rockpaperscissors.py:20 | y_0 | rockpaperscissors.py:20 | Taint scissors |
| rockpaperscissors.py:21 | y_1 | rockpaperscissors.py:21 | Taint scissors |
| rockpaperscissors.py:24 | x_0 | rockpaperscissors.py:24 | Taint rock |
| rockpaperscissors.py:25 | x_1 | rockpaperscissors.py:25 | Taint rock |
| rockpaperscissors.py:25 | y_0 | rockpaperscissors.py:25 | Taint paper |
| rockpaperscissors.py:26 | y_1 | rockpaperscissors.py:26 | Taint paper |
| rockpaperscissors.py:29 | x_0 | rockpaperscissors.py:29 | Taint scissors |
| rockpaperscissors.py:30 | x_1 | rockpaperscissors.py:30 | Taint scissors |
| rockpaperscissors.py:30 | y_0 | rockpaperscissors.py:30 | Taint paper |
| rockpaperscissors.py:31 | x_2 | rockpaperscissors.py:31 | Taint scissors |
| rockpaperscissors.py:32 | y_1 | rockpaperscissors.py:32 | Taint paper |
| sanitizer.py:3 | arg_0 | sanitizer.py:3 | Taint Command injection |
| sanitizer.py:3 | arg_0 | sanitizer.py:3 | Taint SQL injection |
| sanitizer.py:5 | arg_0 | sanitizer.py:5 | Taint Command injection |
| sanitizer.py:5 | arg_0 | sanitizer.py:5 | Taint SQL injection |
| sanitizer.py:8 | x_5 | sanitizer.py:8 | Taint Command injection |
| sanitizer.py:8 | x_5 | sanitizer.py:8 | Taint SQL injection |
| sanitizer.py:9 | x_0 | sanitizer.py:9 | Taint Command injection |
| sanitizer.py:9 | x_0 | sanitizer.py:9 | Taint SQL injection |
| sanitizer.py:11 | x_1 | sanitizer.py:11 | Taint Command injection |
| sanitizer.py:11 | x_2 | sanitizer.py:11 | Taint Command injection |
| sanitizer.py:13 | x_3 | sanitizer.py:13 | Taint Command injection |
| sanitizer.py:13 | x_3 | sanitizer.py:13 | Taint SQL injection |
| sanitizer.py:13 | x_4 | sanitizer.py:13 | Taint Command injection |
| sanitizer.py:13 | x_4 | sanitizer.py:13 | Taint SQL injection |
| sanitizer.py:15 | x_5 | sanitizer.py:15 | Taint Command injection |
| sanitizer.py:15 | x_5 | sanitizer.py:15 | Taint SQL injection |
| sanitizer.py:16 | x_0 | sanitizer.py:16 | Taint Command injection |
| sanitizer.py:16 | x_0 | sanitizer.py:16 | Taint SQL injection |
| sanitizer.py:18 | x_1 | sanitizer.py:18 | Taint SQL injection |
| sanitizer.py:18 | x_2 | sanitizer.py:18 | Taint SQL injection |
| sanitizer.py:20 | x_3 | sanitizer.py:20 | Taint Command injection |
| sanitizer.py:20 | x_3 | sanitizer.py:20 | Taint SQL injection |
| sanitizer.py:20 | x_4 | sanitizer.py:20 | Taint Command injection |
| sanitizer.py:20 | x_4 | sanitizer.py:20 | Taint SQL injection |
| sanitizer.py:23 | x_5 | sanitizer.py:23 | Taint Command injection |
| sanitizer.py:23 | x_5 | sanitizer.py:23 | Taint SQL injection |
| sanitizer.py:24 | x_0 | sanitizer.py:24 | Taint Command injection |
| sanitizer.py:24 | x_0 | sanitizer.py:24 | Taint SQL injection |
| sanitizer.py:26 | x_1 | sanitizer.py:26 | Taint Command injection |
| sanitizer.py:26 | x_1 | sanitizer.py:26 | Taint SQL injection |
| sanitizer.py:26 | x_2 | sanitizer.py:26 | Taint Command injection |
| sanitizer.py:26 | x_2 | sanitizer.py:26 | Taint SQL injection |
| sanitizer.py:28 | x_3 | sanitizer.py:28 | Taint Command injection |
| sanitizer.py:28 | x_3 | sanitizer.py:28 | Taint SQL injection |
| sanitizer.py:28 | x_4 | sanitizer.py:28 | Taint Command injection |
| sanitizer.py:28 | x_4 | sanitizer.py:28 | Taint SQL injection |
| sanitizer.py:30 | x_5 | sanitizer.py:30 | Taint Command injection |
| sanitizer.py:30 | x_5 | sanitizer.py:30 | Taint SQL injection |
| sanitizer.py:31 | x_0 | sanitizer.py:31 | Taint Command injection |
| sanitizer.py:31 | x_0 | sanitizer.py:31 | Taint SQL injection |
| sanitizer.py:33 | x_1 | sanitizer.py:33 | Taint Command injection |
| sanitizer.py:33 | x_1 | sanitizer.py:33 | Taint SQL injection |
| sanitizer.py:33 | x_2 | sanitizer.py:33 | Taint Command injection |
| sanitizer.py:33 | x_2 | sanitizer.py:33 | Taint SQL injection |
| sanitizer.py:35 | x_3 | sanitizer.py:35 | Taint Command injection |
| sanitizer.py:35 | x_3 | sanitizer.py:35 | Taint SQL injection |
| sanitizer.py:35 | x_4 | sanitizer.py:35 | Taint Command injection |
| sanitizer.py:35 | x_4 | sanitizer.py:35 | Taint SQL injection |
| test.py:6 | s_0 | test.py:6 | Taint simple.test |
| test.py:7 | s_1 | test.py:7 | Taint simple.test |
| test.py:12 | arg_0 | test.py:12 | Taint simple.test |
| test.py:13 | arg_1 | test.py:13 | Taint simple.test |
| test.py:16 | t_0 | test.py:16 | Taint simple.test |
| test.py:17 | t_1 | test.py:17 | Taint simple.test |
| test.py:20 | t_0 | test.py:20 | Taint simple.test |
| test.py:21 | t_1 | test.py:21 | Taint simple.test |
| test.py:24 | t_0 | test.py:24 | Taint simple.test |
| test.py:25 | t_1 | test.py:25 | Taint simple.test |
| test.py:31 | t_2 | test.py:31 | Taint simple.test |
| test.py:37 | t_0 | test.py:37 | Taint simple.test |
| test.py:41 | t_1 | test.py:41 | Taint simple.test |
| test.py:46 | arg_0 | test.py:46 | Taint simple.test |
| test.py:47 | arg_1 | test.py:47 | Taint simple.test |
| test.py:49 | arg_0 | test.py:49 | Taint simple.test |
| test.py:49 | arg_2 | test.py:49 | Taint simple.test |
| test.py:51 | arg_1 | test.py:51 | Taint simple.test |
| test.py:54 | t_0 | test.py:54 | Taint simple.test |
| test.py:55 | t_1 | test.py:55 | Taint simple.test |
| test.py:62 | t_1 | test.py:62 | Taint simple.test |
| test.py:63 | t_2 | test.py:63 | Taint simple.test |
| test.py:67 | t_0 | test.py:67 | Taint simple.test |
| test.py:70 | t_2 | test.py:70 | Taint simple.test |
| test.py:72 | arg_0 | test.py:72 | Taint .x = simple.test |
| test.py:72 | arg_0 | test.py:72 | Taint basic.custom |
| test.py:72 | arg_0 | test.py:72 | Taint simple.test |
| test.py:76 | t_0 | test.py:76 | Taint simple.test |
| test.py:77 | t_1 | test.py:77 | Taint simple.test |
| test.py:78 | t_2 | test.py:78 | Taint simple.test |
| test.py:85 | module_0 | test.py:85 | Taint .dangerous = simple.test |
| test.py:87 | module_1 | test.py:87 | Taint .dangerous = simple.test |
| test.py:88 | t_0 | test.py:88 | Taint simple.test |
| test.py:89 | t_1 | test.py:89 | Taint simple.test |
| test.py:91 | module_2 | test.py:91 | Taint .dangerous = simple.test |
| test.py:95 | module_3 | test.py:95 | Taint .dangerous = simple.test |
| test.py:99 | module_4 | test.py:99 | Taint .dangerous = simple.test |
| test.py:100 | t_0 | test.py:100 | Taint simple.test |
| test.py:101 | t_1 | test.py:101 | Taint simple.test |
| test.py:105 | arg_0 | test.py:105 | Taint .x = simple.test |
| test.py:108 | module_5 | test.py:108 | Taint .dangerous = simple.test |
| test.py:110 | t_1 | test.py:110 | Taint .x = simple.test |
| test.py:113 | module_6 | test.py:113 | Taint .dangerous = simple.test |
| test.py:115 | t_1 | test.py:115 | Taint .x = simple.test |
| test.py:116 | t_2 | test.py:116 | Taint .x = simple.test |
| test.py:117 | t_3 | test.py:117 | Taint .x = simple.test |
| test.py:120 | t_0 | test.py:120 | Taint basic.custom |
| test.py:121 | t_1 | test.py:121 | Taint basic.custom |
| test.py:122 | t_2 | test.py:122 | Taint basic.custom |
| test.py:126 | t_0 | test.py:126 | Taint basic.custom |
| test.py:128 | t_2 | test.py:128 | Taint simple.test |
| test.py:130 | t_1 | test.py:130 | Taint basic.custom |
| test.py:132 | t_3 | test.py:132 | Taint simple.test |
| test.py:136 | t_0 | test.py:136 | Taint basic.custom |
| test.py:138 | t_2 | test.py:138 | Taint simple.test |
| test.py:140 | t_3 | test.py:140 | Taint simple.test |
| test.py:142 | t_1 | test.py:142 | Taint basic.custom |
| test.py:146 | t_0 | test.py:146 | Taint basic.custom |
| test.py:148 | t_3 | test.py:148 | Taint simple.test |
| test.py:149 | t_1 | test.py:149 | Taint basic.custom |
| test.py:151 | t_2 | test.py:151 | Taint basic.custom |
| test.py:155 | unsafe_0 | test.py:155 | Taint simple.test |
| test.py:156 | unsafe_1 | test.py:156 | Taint simple.test |
| test.py:159 | t_0 | test.py:159 | Taint simple.test |
| test.py:160 | t_1 | test.py:160 | Taint simple.test |
| test.py:163 | s_0 | test.py:163 | Taint simple.test |
| test.py:168 | l_0 | test.py:168 | Taint sequence of simple.test |
| test.py:169 | d_0 | test.py:169 | Taint dict of simple.test |
| test.py:170 | l_1 | test.py:170 | Taint sequence of simple.test |
| test.py:170 | x_1 | test.py:170 | Taint sequence of simple.test |
| test.py:171 | d_1 | test.py:171 | Taint dict of simple.test |
| test.py:171 | y_1 | test.py:171 | Taint dict of simple.test |
| test.py:174 | l2_0 | test.py:174 | Taint sequence of simple.test |
| test.py:174 | l_2 | test.py:174 | Taint sequence of simple.test |
| test.py:175 | d2_0 | test.py:175 | Taint dict of simple.test |
| test.py:175 | d_2 | test.py:175 | Taint dict of simple.test |
| test.py:178 | t_0 | test.py:178 | Taint simple.test |
| test.py:180 | t_1 | test.py:180 | Taint simple.test |
| test.py:180 | t_2 | test.py:180 | Taint simple.test |
| test.py:183 | t_3 | test.py:183 | Taint simple.test |
| test.py:186 | t_4 | test.py:186 | Taint simple.test |
| test.py:189 | t_0 | test.py:189 | Taint falsey |
| test.py:191 | t_1 | test.py:191 | Taint falsey |
| test.py:194 | t_5 | test.py:194 | Taint simple.test |
| test.py:195 | t_0 | test.py:195 | Taint simple.test |
| test.py:197 | t_1 | test.py:197 | Taint simple.test |
| test.py:197 | t_2 | test.py:197 | Taint simple.test |
| test.py:199 | t_3 | test.py:199 | Taint simple.test |
| test.py:199 | t_4 | test.py:199 | Taint simple.test |
| test.py:202 | t_0 | test.py:202 | Taint iterable.simple |
| test.py:203 | i_1 | test.py:203 | Taint simple.test |
| test.py:203 | i_2 | test.py:203 | Taint simple.test |
| test.py:208 | seq_0 | test.py:208 | Taint sequence of simple.test |
| test.py:209 | i_1 | test.py:209 | Taint simple.test |
| test.py:209 | i_2 | test.py:209 | Taint simple.test |
| test.py:213 | x_0 | test.py:213 | Taint simple.test |
| test.py:213 | x_1 | test.py:213 | Taint simple.test |
| test.py:214 | x_2 | test.py:214 | Taint simple.test |

4
python/ql/test/library-tests/taint/general/TestVar.ql
Просмотреть файл

@ -4,6 +4,6 @@ import TaintLib
from EssaVariable var, TaintedNode n
where TaintFlowTest::tainted_var(var, _, n)
where n.getNode().asVariable() = var
select
var.getDefinition().getLocation().toString(), var.getRepresentation(), n.getLocation().toString(), n.getTrackedValue(), n.getNode().getNode().toString()
var.getDefinition().getLocation().toString(), var.getRepresentation(), n.getLocation().toString(), "Taint " + n.toString()

2
python/ql/test/library-tests/web/bottle/Taint.expected
Просмотреть файл

@ -1,4 +1,4 @@
WARNING: Predicate getNode has been deprecated and may be removed in future (/home/mark/repos/ql/python/ql/test/library-tests/web/turbogears/Taint.ql:12,54-61)
WARNING: Predicate getNode has been deprecated and may be removed in future (Taint.ql:12,54-61)
| ../../../query-tests/Security/lib/bottle.py:64 | LocalRequest() | bottle.request |
| ../../../query-tests/Security/lib/bottle.py:64 | request | bottle.request |
| ../../../query-tests/Security/lib/bottle.py:68 | url | externally controlled string |