Python: Handle readline, readlines for ExternalFileObject

RasmusWL · RasmusWL · commit 86630f1d6c39 · 2020-04-23T10:40:16.000+02:00
diff --git a/python/ql/src/semmle/python/security/strings/External.qll b/python/ql/src/semmle/python/security/strings/External.qll
@@ -191,7 +191,9 @@ class ExternalFileObject extends TaintKind {
     TaintKind getValue() { result = valueKind }
 
     override TaintKind getTaintOfMethodResult(string name) {
-        name = "read" and result = this.getValue()
+        name in ["read", "readline"] and result = this.getValue()
+        or
+        name = "readlines" and result.(SequenceKind).getItem() = this.getValue()
     }
 }
 
diff --git a/python/ql/test/library-tests/taint/strings/TestStep.expected b/python/ql/test/library-tests/taint/strings/TestStep.expected
@@ -68,6 +68,8 @@
 | Taint file[externally controlled string] | test.py:72 | test.py:72:20:72:31 | TAINTED_FILE |  |  -->  | Taint file[externally controlled string] | test.py:77 | test.py:77:9:77:20 | tainted_file |  |
 | Taint file[externally controlled string] | test.py:72 | test.py:72:20:72:31 | TAINTED_FILE |  |  -->  | Taint file[externally controlled string] | test.py:78 | test.py:78:27:78:38 | tainted_file |  |
 | Taint file[externally controlled string] | test.py:75 | test.py:75:9:75:20 | tainted_file |  |  -->  | Taint externally controlled string | test.py:75 | test.py:75:9:75:27 | Attribute() |  |
+| Taint file[externally controlled string] | test.py:76 | test.py:76:9:76:20 | tainted_file |  |  -->  | Taint externally controlled string | test.py:76 | test.py:76:9:76:31 | Attribute() |  |
+| Taint file[externally controlled string] | test.py:77 | test.py:77:9:77:20 | tainted_file |  |  -->  | Taint [externally controlled string] | test.py:77 | test.py:77:9:77:32 | Attribute() |  |
 | Taint json[externally controlled string] | test.py:6 | test.py:6:20:6:45 | Attribute() |  |  -->  | Taint json[externally controlled string] | test.py:7 | test.py:7:9:7:20 | tainted_json |  |
 | Taint json[externally controlled string] | test.py:7 | test.py:7:9:7:20 | tainted_json |  |  -->  | Taint externally controlled string | test.py:7 | test.py:7:9:7:25 | Subscript |  |
 | Taint json[externally controlled string] | test.py:7 | test.py:7:9:7:20 | tainted_json |  |  -->  | Taint json[externally controlled string] | test.py:7 | test.py:7:9:7:25 | Subscript |  |
diff --git a/python/ql/test/library-tests/taint/strings/TestTaint.expected b/python/ql/test/library-tests/taint/strings/TestTaint.expected
@@ -24,6 +24,6 @@
 | test.py:69 | test_urlsplit_urlparse | urlsplit_res | [externally controlled string] |
 | test.py:74 | test_tainted_file | tainted_file | file[externally controlled string] |
 | test.py:75 | test_tainted_file | Attribute() | externally controlled string |
-| test.py:76 | test_tainted_file | Attribute() | NO TAINT |
-| test.py:77 | test_tainted_file | Attribute() | NO TAINT |
+| test.py:76 | test_tainted_file | Attribute() | externally controlled string |
+| test.py:77 | test_tainted_file | Attribute() | [externally controlled string] |
 | test.py:78 | test_tainted_file | ListComp | NO TAINT |

Original file line number	Diff line number	Diff line change
`@@ -191,7 +191,9 @@ class ExternalFileObject extends TaintKind {`
`191`	`191`	`TaintKind getValue() { result = valueKind }`
`192`	`192`
`193`	`193`	`override TaintKind getTaintOfMethodResult(string name) {`
`194`		`- name = "read" and result = this.getValue()`
	`194`	`+ name in ["read", "readline"] and result = this.getValue()`
	`195`	`+ or`
	`196`	`+ name = "readlines" and result.(SequenceKind).getItem() = this.getValue()`
`195`	`197`	`}`
`196`	`198`	`}`
`197`	`199`