Merge pull request github#6049 from RasmusWL/jmespath

Python: Add modeling of `jmespath`

Author: RasmusWL

docs/codeql/support/reusables/frameworks.rst

@@ -164,6 +164,7 @@ Python built-in support
    fabric, Utility library
    idna, Utility library
    invoke, Utility library
+   jmespath, Utility library
    multidict, Utility library
    yarl, Utility library
    aioch, Database

python/change-notes/2021-06-09-add-jmespath-modeling.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Added modeling of the PyPI package `jmespath`.

python/ql/src/semmle/python/Frameworks.qll

@@ -15,6 +15,7 @@ private import semmle.python.frameworks.Fabric
 private import semmle.python.frameworks.Flask
 private import semmle.python.frameworks.Idna
 private import semmle.python.frameworks.Invoke
+private import semmle.python.frameworks.Jmespath
 private import semmle.python.frameworks.Multidict
 private import semmle.python.frameworks.Mysql
 private import semmle.python.frameworks.MySQLdb

python/ql/src/semmle/python/frameworks/Jmespath.qll

@@ -0,0 +1,35 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `jmespath` PyPI package.
+ * See https://pypi.org/project/jmespath/.
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.dataflow.new.TaintTracking
+private import semmle.python.Concepts
+private import semmle.python.ApiGraphs
+
+/**
+ * Provides models for the `jmespath` PyPI package.
+ * See https://pypi.org/project/jmespath/.
+ */
+private module Jmespath {
+  class JmespathAdditionalTaintSteps extends TaintTracking::AdditionalTaintStep {
+    override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+      exists(DataFlow::CallCfgNode call |
+        call = API::moduleImport("jmespath").getMember("search").getACall() and
+        nodeFrom in [call.getArg(1), call.getArgByName("data")] and
+        nodeTo = call
+        or
+        call =
+          API::moduleImport("jmespath")
+              .getMember("compile")
+              .getReturn()
+              .getMember("search")
+              .getACall() and
+        nodeFrom in [call.getArg(0), call.getArgByName("value")] and
+        nodeTo = call
+      )
+    }
+  }
+}

python/ql/test/library-tests/frameworks/jmespath/ConceptsTest.expected

@@ -0,0 +1,2 @@
+import python
+import experimental.meta.ConceptsTest

python/ql/test/library-tests/frameworks/jmespath/ConceptsTest.ql

@@ -0,0 +1,3 @@
+argumentToEnsureNotTaintedNotMarkedAsSpurious
+untaintedArgumentToEnsureTaintedNotMarkedAsMissing
+failures

python/ql/test/library-tests/frameworks/jmespath/InlineTaintTest.expected

@@ -0,0 +1 @@
+import experimental.meta.InlineTaintTest

python/ql/test/library-tests/frameworks/jmespath/InlineTaintTest.ql

@@ -0,0 +1,33 @@
+import jmespath
+
+def test_taint():
+    untrusted_data = TAINTED_DICT
+
+    safe_expression = jmespath.compile("foo.bar")
+
+    ensure_tainted(
+        jmespath.search("foo.bar", untrusted_data), # $ tainted
+        jmespath.search("foo.bar", data=untrusted_data), # $ tainted
+
+        safe_expression.search(untrusted_data), # $ tainted
+        safe_expression.search(value=untrusted_data) # $ tainted
+    )
+
+    # since ```jmespath.search("{wat: `foo`}", {})``` works (and outputs a dictionary),
+    # we _could_ add a taint-step from the search expression to the output. However, it
+    # seems more likely to lead to FPs than good results, so these have deliberately not
+    # been included.
+
+    ts = TAINTED_STRING
+    safe_data = {"foo": "bar"}
+
+    unsafe_expression = jmespath.compile(ts)
+
+    ensure_not_tainted(
+        jmespath.search(ts, safe_data),
+        jmespath.search(expression=ts, data=safe_data),
+
+        unsafe_expression,
+        unsafe_expression.search(safe_data),
+        unsafe_expression.search(value=safe_data),
+    )