Python: Add SensitiveDataSource

Author: RasmusWL

python/ql/src/semmle/python/dataflow/new/SensitiveDataSources.qll

@@ -0,0 +1,66 @@
+/**
+ * Provides an extension point for for modeling sensitive data, such as secrets, certificates, or passwords.
+ * Sensitive data is can be interesting to use as data-flow sources in security queries.
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+// Need to import since frameworks can extend `RemoteFlowSource::Range`
+private import semmle.python.Frameworks
+private import semmle.python.Concepts
+private import semmle.python.security.SensitiveData as OldSensitiveData
+
+/**
+ * A data flow source of sensitive data, such as secrets, certificates, or passwords.
+ *
+ * Extend this class to refine existing API models. If you want to model new APIs,
+ * extend `SensitiveDataSource::Range` instead.
+ */
+class SensitiveDataSource extends DataFlow::Node {
+  SensitiveDataSource::Range range;
+
+  SensitiveDataSource() { this = range }
+
+  /**
+   * INTERNAL: Do not use.
+   *
+   * This will be rewritten to have better types soon, and therefore should only be used internally until then.
+   *
+   * Gets the classification of the sensitive data.
+   */
+  string getClassification() { result = range.getClassification() }
+}
+
+/** Provides a class for modeling new sources of sensitive data, such as secrets, certificates, or passwords. */
+module SensitiveDataSource {
+  /**
+   * A data flow source of sensitive data, such as secrets, certificates, or passwords.
+   *
+   * Extend this class to model new APIs. If you want to refine existing API models,
+   * extend `SensitiveDataSource` instead.
+   */
+  abstract class Range extends DataFlow::Node {
+    /**
+     * INTERNAL: Do not use.
+     *
+     * This will be rewritten to have better types soon, and therefore should only be used internally until then.
+     *
+     * Gets the classification of the sensitive data.
+     */
+    abstract string getClassification();
+  }
+}
+
+private class PortOfOldModeling extends SensitiveDataSource::Range {
+  OldSensitiveData::SensitiveData::Source oldSensitiveSource;
+
+  PortOfOldModeling() { this.asCfgNode() = oldSensitiveSource }
+
+  override string getClassification() {
+    exists(OldSensitiveData::SensitiveData classification |
+      oldSensitiveSource.isSourceOf(classification)
+    |
+      classification = "sensitive.data." + result
+    )
+  }
+}

python/ql/test/experimental/dataflow/sensitive-data/TestSensitiveDataSources.expected

@@ -0,0 +1,20 @@
+import python
+import semmle.python.dataflow.new.DataFlow
+import TestUtilities.InlineExpectationsTest
+import semmle.python.dataflow.new.SensitiveDataSources
+
+class SensitiveDataSourcesTest extends InlineExpectationsTest {
+  SensitiveDataSourcesTest() { this = "SensitiveDataSourcesTest" }
+
+  override string getARelevantTag() { result = "SensitiveDataSource" }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    exists(location.getFile().getRelativePath()) and
+    exists(SensitiveDataSource source |
+      location = source.getLocation() and
+      element = source.toString() and
+      value = source.getClassification() and
+      tag = "SensitiveDataSource"
+    )
+  }
+}

python/ql/test/experimental/dataflow/sensitive-data/TestSensitiveDataSources.ql

@@ -0,0 +1,21 @@
+
+from not_found import get_passwd, account_id
+
+def get_password():
+    pass
+
+def get_secret():
+    pass
+
+def fetch_certificate():
+    pass
+
+def encrypt_password(pwd):
+    pass
+
+get_password() # $ SensitiveDataSource=password
+get_passwd() # $ SensitiveDataSource=password
+get_secret() # $ SensitiveDataSource=secret
+fetch_certificate() # $ SensitiveDataSource=certificate
+account_id() # $ SensitiveDataSource=id
+safe_to_store = encrypt_password(pwd)