Python: Improve taint tracking to account for truthiness of the taint kind.

2019-03-01 10:54:05 +00:00 · 2019-03-01 10:54:05 +00:00 · ebd9bc3cb5
--- a/python/ql/src/semmle/python/security/TaintTracking.qll
+++ b/python/ql/src/semmle/python/security/TaintTracking.qll
@ -148,6 +148,16 @@ abstract class TaintKind extends string {
        none()
    }

+    /** Gets the boolean values (may be one, neither, or both) that
+     * may result from the Python expression `bool(this)`
+     */
+    boolean booleanValue() {
+        /* Default to true as the vast majority of taint is strings and 
+         * the empty string is almost always benign.
+         */
+        result = true
+    }
+
    string repr() { result = this }

 }
@ -1190,7 +1200,8 @@ library module TaintFlowImplementation {
                sanitizer.sanitizingEdge(kind, test)
            )
            |
-            not Filters::isinstance(test.getTest(), _, var.getSourceVariable().getAUse())
+            not Filters::isinstance(test.getTest(), _, var.getSourceVariable().getAUse()) and
+            not test.getTest() = var.getSourceVariable().getAUse()
            or
            exists(ControlFlowNode c, ClassObject cls |
                Filters::isinstance(test.getTest(), c, var.getSourceVariable().getAUse())
@ -1200,6 +1211,8 @@ library module TaintFlowImplementation {
                or
                test.getSense() = false and not kind.getClass().getAnImproperSuperType() = cls
            )
+            or
+            test.getTest() = var.getSourceVariable().getAUse() and kind.booleanValue() = test.getSense()
        )
    }

--- a/python/ql/test/library-tests/taint/general/TestNode.expected
+++ b/python/ql/test/library-tests/taint/general/TestNode.expected
@ -215,6 +215,11 @@
 | Taint simple.test | test.py:169 | SOURCE |  |
 | Taint simple.test | test.py:172 | Subscript |  |
 | Taint simple.test | test.py:173 | Subscript |  |
+| Taint simple.test | test.py:178 | SOURCE |  |
+| Taint simple.test | test.py:179 | t |  |
+| Taint simple.test | test.py:180 | t |  |
+| Taint simple.test | test.py:183 | t |  |
+| Taint simple.test | test.py:186 | t |  |
 | Taint {simple.test} | test.py:169 | Dict |  |
 | Taint {simple.test} | test.py:171 | d |  |
 | Taint {simple.test} | test.py:173 | y |  |
--- a/python/ql/test/library-tests/taint/general/TestSink.expected
+++ b/python/ql/test/library-tests/taint/general/TestSink.expected
@ -32,3 +32,5 @@
 | simple.test | test.py:159 | 160 | t | simple.test |
 | simple.test | test.py:168 | 172 | Subscript | simple.test |
 | simple.test | test.py:169 | 173 | Subscript | simple.test |
+| simple.test | test.py:178 | 180 | t | simple.test |
+| simple.test | test.py:178 | 186 | t | simple.test |
--- a/python/ql/test/library-tests/taint/general/TestSource.expected
+++ b/python/ql/test/library-tests/taint/general/TestSource.expected
@ -40,3 +40,4 @@
 | test.py:163 | SOURCE | simple.test |
 | test.py:168 | SOURCE | simple.test |
 | test.py:169 | SOURCE | simple.test |
+| test.py:178 | SOURCE | simple.test |
--- a/python/ql/test/library-tests/taint/general/TestStep.expected
+++ b/python/ql/test/library-tests/taint/general/TestStep.expected
@ -173,6 +173,10 @@
 | Taint simple.test | test.py:163 | SOURCE |  |  -->  | Taint simple.test | test.py:164 | s |  |
 | Taint simple.test | test.py:168 | SOURCE |  |  -->  | Taint [simple.test] | test.py:168 | List |  |
 | Taint simple.test | test.py:169 | SOURCE |  |  -->  | Taint {simple.test} | test.py:169 | Dict |  |
+| Taint simple.test | test.py:178 | SOURCE |  |  -->  | Taint simple.test | test.py:179 | t |  |
+| Taint simple.test | test.py:178 | SOURCE |  |  -->  | Taint simple.test | test.py:180 | t |  |
+| Taint simple.test | test.py:178 | SOURCE |  |  -->  | Taint simple.test | test.py:183 | t |  |
+| Taint simple.test | test.py:178 | SOURCE |  |  -->  | Taint simple.test | test.py:186 | t |  |
 | Taint {simple.test} | test.py:169 | Dict |  |  -->  | Taint {simple.test} | test.py:171 | d |  |
 | Taint {simple.test} | test.py:169 | Dict |  |  -->  | Taint {simple.test} | test.py:175 | d |  |
 | Taint {simple.test} | test.py:171 | d |  |  -->  | Taint {simple.test} | test.py:173 | y |  |
--- a/python/ql/test/library-tests/taint/general/TestVar.expected
+++ b/python/ql/test/library-tests/taint/general/TestVar.expected
@ -177,3 +177,8 @@
 | test.py:174 | l_2 | test.py:168 | Taint [simple.test] | List |
 | test.py:175 | d2_0 | test.py:175 | Taint {simple.test} | dict() |
 | test.py:175 | d_2 | test.py:169 | Taint {simple.test} | Dict |
+| test.py:178 | t_0 | test.py:178 | Taint simple.test | SOURCE |
+| test.py:180 | t_1 | test.py:178 | Taint simple.test | SOURCE |
+| test.py:180 | t_2 | test.py:178 | Taint simple.test | SOURCE |
+| test.py:183 | t_3 | test.py:178 | Taint simple.test | SOURCE |
+| test.py:186 | t_4 | test.py:178 | Taint simple.test | SOURCE |
--- a/python/ql/test/library-tests/taint/general/test.py
+++ b/python/ql/test/library-tests/taint/general/test.py
@ -173,3 +173,14 @@ def test_update_extend(x, y):
    SINK(y["key"])
    l2 = list(l)
    d2 = dict(d)
+
+def test_truth():
+    t = SOURCE
+    if t:
+        SINK(t)
+    else:
+        SINK(t)
+    if not t:
+        SINK(t)
+    else:
+        SINK(t)