Python: Propagate taint through parse_qs

Author: RasmusWL

python/ql/src/semmle/python/security/strings/External.qll

@@ -22,6 +22,8 @@ abstract class ExternalStringKind extends StringKind {
         urlsplit(fromnode, tonode) and result.(ExternalUrlSplitResult).getItem() = this
         or
         urlparse(fromnode, tonode) and result.(ExternalUrlParseResult).getItem() = this
+        or
+        parse_qs(fromnode, tonode) and result.(ExternalStringDictKind).getValue() = this
     }
 }
 
@@ -181,6 +183,32 @@ private predicate urlparse(ControlFlowNode fromnode, CallNode tonode) {
     )
 }
 
+private predicate parse_qs(ControlFlowNode fromnode, CallNode tonode) {
+    // This could be implemented as `exists(FunctionValue` without the explicit six part,
+    // but then our tests will need to import +100 modules, so for now this slightly
+    // altered version gets to live on.
+    exists(Value parse_qs |
+        (
+            parse_qs = Value::named("six.moves.urllib.parse.parse_qs")
+            or
+            // Python 2
+            parse_qs = Value::named("urlparse.parse_qs")
+            or
+            // Python 2 deprecated version of `urlparse.parse_qs`
+            parse_qs = Value::named("cgi.parse_qs")
+            or
+            // Python 3
+            parse_qs = Value::named("urllib.parse.parse_qs")
+        ) and
+        tonode = parse_qs.getACall() and
+        (
+            tonode.getArg(0) = fromnode
+            or
+            tonode.getArgByName("qs") = fromnode
+        )
+    )
+}
+
 /** A kind of "taint", representing an open file-like object from an external source. */
 class ExternalFileObject extends TaintKind {
     ExternalFileObject() { this = "file[" + any(ExternalStringKind key) + "]" }

python/ql/test/library-tests/taint/strings/TestStep.expected

@@ -1,5 +1,5 @@
-| Taint [externally controlled string] | test.py:67 | test.py:67:20:67:43 | urlsplit() |  |  -->  | Taint [externally controlled string] | test.py:69 | test.py:69:10:69:21 | urlsplit_res |  |
-| Taint [externally controlled string] | test.py:68 | test.py:68:20:68:43 | urlparse() |  |  -->  | Taint [externally controlled string] | test.py:69 | test.py:69:24:69:35 | urlparse_res |  |
+| Taint [externally controlled string] | test.py:67 | test.py:67:9:67:32 | urlsplit() |  |  -->  | Taint [externally controlled string] | test.py:70 | test.py:70:10:70:10 | a |  |
+| Taint [externally controlled string] | test.py:68 | test.py:68:9:68:32 | urlparse() |  |  -->  | Taint [externally controlled string] | test.py:70 | test.py:70:13:70:13 | b |  |
 | Taint exception.info | test.py:44 | test.py:44:22:44:26 | taint | p1 = exception.info |  -->  | Taint exception.info | test.py:45 | test.py:45:17:45:21 | taint | p1 = exception.info |
 | Taint exception.info | test.py:45 | test.py:45:17:45:21 | taint | p1 = exception.info |  -->  | Taint exception.info | test.py:45 | test.py:45:12:45:22 | func() | p1 = exception.info |
 | Taint exception.info | test.py:45 | test.py:45:17:45:21 | taint | p1 = exception.info |  -->  | Taint exception.info | test.py:52 | test.py:52:19:52:21 | arg | p0 = exception.info |
@@ -58,10 +58,12 @@
 | Taint externally controlled string | test.py:57 | test.py:57:11:57:41 | cross_over() |  |  -->  | Taint externally controlled string | test.py:58 | test.py:58:10:58:12 | res |  |
 | Taint externally controlled string | test.py:57 | test.py:57:38:57:40 | ext |  |  -->  | Taint externally controlled string | test.py:44 | test.py:44:22:44:26 | taint | p1 = externally controlled string |
 | Taint externally controlled string | test.py:57 | test.py:57:38:57:40 | ext |  |  -->  | Taint externally controlled string | test.py:57 | test.py:57:11:57:41 | cross_over() |  |
-| Taint externally controlled string | test.py:66 | test.py:66:22:66:35 | TAINTED_STRING |  |  -->  | Taint externally controlled string | test.py:67 | test.py:67:29:67:42 | tainted_string |  |
-| Taint externally controlled string | test.py:66 | test.py:66:22:66:35 | TAINTED_STRING |  |  -->  | Taint externally controlled string | test.py:68 | test.py:68:29:68:42 | tainted_string |  |
-| Taint externally controlled string | test.py:67 | test.py:67:29:67:42 | tainted_string |  |  -->  | Taint [externally controlled string] | test.py:67 | test.py:67:20:67:43 | urlsplit() |  |
-| Taint externally controlled string | test.py:68 | test.py:68:29:68:42 | tainted_string |  |  -->  | Taint [externally controlled string] | test.py:68 | test.py:68:20:68:43 | urlparse() |  |
+| Taint externally controlled string | test.py:66 | test.py:66:22:66:35 | TAINTED_STRING |  |  -->  | Taint externally controlled string | test.py:67 | test.py:67:18:67:31 | tainted_string |  |
+| Taint externally controlled string | test.py:66 | test.py:66:22:66:35 | TAINTED_STRING |  |  -->  | Taint externally controlled string | test.py:68 | test.py:68:18:68:31 | tainted_string |  |
+| Taint externally controlled string | test.py:66 | test.py:66:22:66:35 | TAINTED_STRING |  |  -->  | Taint externally controlled string | test.py:69 | test.py:69:18:69:31 | tainted_string |  |
+| Taint externally controlled string | test.py:67 | test.py:67:18:67:31 | tainted_string |  |  -->  | Taint [externally controlled string] | test.py:67 | test.py:67:9:67:32 | urlsplit() |  |
+| Taint externally controlled string | test.py:68 | test.py:68:18:68:31 | tainted_string |  |  -->  | Taint [externally controlled string] | test.py:68 | test.py:68:9:68:32 | urlparse() |  |
+| Taint externally controlled string | test.py:69 | test.py:69:18:69:31 | tainted_string |  |  -->  | Taint {externally controlled string} | test.py:69 | test.py:69:9:69:32 | parse_qs() |  |
 | Taint json[externally controlled string] | test.py:6 | test.py:6:20:6:45 | Attribute() |  |  -->  | Taint json[externally controlled string] | test.py:7 | test.py:7:9:7:20 | tainted_json |  |
 | Taint json[externally controlled string] | test.py:7 | test.py:7:9:7:20 | tainted_json |  |  -->  | Taint externally controlled string | test.py:7 | test.py:7:9:7:25 | Subscript |  |
 | Taint json[externally controlled string] | test.py:7 | test.py:7:9:7:20 | tainted_json |  |  -->  | Taint json[externally controlled string] | test.py:7 | test.py:7:9:7:25 | Subscript |  |
@@ -74,3 +76,4 @@
 | Taint json[externally controlled string] | test.py:9 | test.py:9:9:9:9 | b |  |  -->  | Taint externally controlled string | test.py:9 | test.py:9:9:9:14 | Subscript |  |
 | Taint json[externally controlled string] | test.py:9 | test.py:9:9:9:9 | b |  |  -->  | Taint json[externally controlled string] | test.py:9 | test.py:9:9:9:14 | Subscript |  |
 | Taint json[externally controlled string] | test.py:9 | test.py:9:9:9:14 | Subscript |  |  -->  | Taint json[externally controlled string] | test.py:10 | test.py:10:16:10:16 | c |  |
+| Taint {externally controlled string} | test.py:69 | test.py:69:9:69:32 | parse_qs() |  |  -->  | Taint {externally controlled string} | test.py:70 | test.py:70:16:70:16 | c |  |

python/ql/test/library-tests/taint/strings/TestTaint.expected

@@ -20,5 +20,6 @@
 | test.py:42 | test_str2 | c | externally controlled string |
 | test.py:50 | test_exc_info | res | exception.info |
 | test.py:58 | test_untrusted | res | externally controlled string |
-| test.py:69 | test_urlsplit_urlparse | urlparse_res | [externally controlled string] |
-| test.py:69 | test_urlsplit_urlparse | urlsplit_res | [externally controlled string] |
+| test.py:70 | test_urlsplit_urlparse | a | [externally controlled string] |
+| test.py:70 | test_urlsplit_urlparse | b | [externally controlled string] |
+| test.py:70 | test_urlsplit_urlparse | c | {externally controlled string} |

python/ql/test/library-tests/taint/strings/test.py

@@ -60,10 +60,11 @@ def test_untrusted():
 def exc_untrusted_call(arg):
     return arg
 
-from six.moves.urllib.parse import urlsplit, urlparse
+from six.moves.urllib.parse import urlsplit, urlparse, parse_qs
 
 def test_urlsplit_urlparse():
     tainted_string = TAINTED_STRING
-    urlsplit_res = urlsplit(tainted_string)
-    urlparse_res = urlparse(tainted_string)
-    test(urlsplit_res, urlparse_res)
+    a = urlsplit(tainted_string)
+    b = urlparse(tainted_string)
+    c = parse_qs(tainted_string)
+    test(a, b, c)