Python: Model sensitive data from subscripts

Author: RasmusWL

python/ql/src/semmle/python/dataflow/new/SensitiveDataSources.qll

@@ -126,6 +126,18 @@ private module SensitiveDataModeling {
     override SensitiveDataClassification getClassification() { result = classification }
   }
 
+  /** A subscript, where the key indicates the result will be sensitive data. */
+  class SensitiveSubscript extends SensitiveDataSource::Range {
+    SensitiveDataClassification classification;
+
+    SensitiveSubscript() {
+      this.asCfgNode().(SubscriptNode).getIndex() =
+        sensitiveLookupStringConst(classification).asCfgNode()
+    }
+
+    override SensitiveDataClassification getClassification() { result = classification }
+  }
+
   /** A call to `get` on an object, where the key indicates the result will be sensitive data. */
   class SensitiveGetCall extends SensitiveDataSource::Range, DataFlow::CallCfgNode {
     SensitiveDataClassification classification;

python/ql/test/experimental/dataflow/sensitive-data/test.py

@@ -34,7 +34,7 @@ def encrypt_password(pwd):
 print(password) # $ MISSING: SensitiveUse=password
 
 # Special handling of lookups of sensitive properties
-request.args["password"], # $ MISSING: SensitiveDataSource=password
+request.args["password"], # $ SensitiveDataSource=password
 request.args.get("password") # $ SensitiveDataSource=password
 
 x = "password"