Python: Use dataflow instead of taint-tracking

RasmusWL · RasmusWL · commit 69c8ef9898fd · 2024-02-14T14:52:37.000+01:00
diff --git a/python/ql/src/experimental/semmle/python/security/DecompressionBomb.qll b/python/ql/src/experimental/semmle/python/security/DecompressionBomb.qll
@@ -73,8 +73,8 @@ module ZipFile {
    * ```
    */
   predicate zipFileDecompressionBombSanitizer(API::Node n) {
-    TaintTracking::localExprTaint(n.getReturn().getMember("read").getParameter(0).asSink().asExpr(),
-      any(Compare i).getASubExpression*())
+    DataFlow::localFlow(n.getReturn().getMember("read").getParameter(0).asSink(),
+      DataFlow::exprNode(any(Compare i).getASubExpression*()))
   }
 
   /**
diff --git a/python/ql/src/experimental/semmle/python/security/FileAndFormRemoteFlowSource.qll b/python/ql/src/experimental/semmle/python/security/FileAndFormRemoteFlowSource.qll
@@ -37,7 +37,7 @@ module FileAndFormRemoteFlowSource {
         exists(For f, Attribute attr |
           fastApiParam.getAValueReachableFromSource().asExpr() = f.getIter().getASubExpression*()
         |
-          TaintTracking::localExprTaint(f.getIter(), attr.getObject()) and
+          DataFlow::localFlow(DataFlow::exprNode(f.getIter()), DataFlow::exprNode(attr.getObject())) and
           attr.getName() = ["filename", "content_type", "headers", "file", "read"] and
           this.asExpr() = attr
         )

Original file line number	Diff line number	Diff line change
`@@ -37,7 +37,7 @@ module FileAndFormRemoteFlowSource {`
`37`	`37`	`exists(For f, Attribute attr \|`
`38`	`38`	`fastApiParam.getAValueReachableFromSource().asExpr() = f.getIter().getASubExpression*()`
`39`	`39`	`\|`
`40`		`- TaintTracking::localExprTaint(f.getIter(), attr.getObject()) and`
	`40`	`+ DataFlow::localFlow(DataFlow::exprNode(f.getIter()), DataFlow::exprNode(attr.getObject())) and`
`41`	`41`	`attr.getName() = ["filename", "content_type", "headers", "file", "read"] and`
`42`	`42`	`this.asExpr() = attr`
`43`	`43`	`)`