Python: Propagate taint through parse_qsl

Author: RasmusWL

python/ql/src/semmle/python/security/strings/External.qll

@@ -24,6 +24,8 @@ abstract class ExternalStringKind extends StringKind {
         urlparse(fromnode, tonode) and result.(ExternalUrlParseResult).getItem() = this
         or
         parse_qs(fromnode, tonode) and result.(ExternalStringDictKind).getValue() = this
+        or
+        parse_qsl(fromnode, tonode) and result.(SequenceKind).getItem().(SequenceKind).getItem() = this
     }
 }
 
@@ -209,6 +211,32 @@ private predicate parse_qs(ControlFlowNode fromnode, CallNode tonode) {
     )
 }
 
+private predicate parse_qsl(ControlFlowNode fromnode, CallNode tonode) {
+    // This could be implemented as `exists(FunctionValue` without the explicit six part,
+    // but then our tests will need to import +100 modules, so for now this slightly
+    // altered version gets to live on.
+    exists(Value parse_qsl |
+        (
+            parse_qsl = Value::named("six.moves.urllib.parse.parse_qsl")
+            or
+            // Python 2
+            parse_qsl = Value::named("urlparse.parse_qsl")
+            or
+            // Python 2 deprecated version of `urlparse.parse_qsl`
+            parse_qsl = Value::named("cgi.parse_qsl")
+            or
+            // Python 3
+            parse_qsl = Value::named("urllib.parse.parse_qsl")
+        ) and
+        tonode = parse_qsl.getACall() and
+        (
+            tonode.getArg(0) = fromnode
+            or
+            tonode.getArgByName("qs") = fromnode
+        )
+    )
+}
+
 /** A kind of "taint", representing an open file-like object from an external source. */
 class ExternalFileObject extends TaintKind {
     ExternalFileObject() { this = "file[" + any(ExternalStringKind key) + "]" }

python/ql/test/library-tests/taint/strings/TestStep.expected

@@ -1,5 +1,6 @@
-| Taint [externally controlled string] | test.py:67 | test.py:67:9:67:32 | urlsplit() |  |  -->  | Taint [externally controlled string] | test.py:70 | test.py:70:10:70:10 | a |  |
-| Taint [externally controlled string] | test.py:68 | test.py:68:9:68:32 | urlparse() |  |  -->  | Taint [externally controlled string] | test.py:70 | test.py:70:13:70:13 | b |  |
+| Taint [[externally controlled string]] | test.py:70 | test.py:70:9:70:33 | parse_qsl() |  |  -->  | Taint [[externally controlled string]] | test.py:71 | test.py:71:19:71:19 | d |  |
+| Taint [externally controlled string] | test.py:67 | test.py:67:9:67:32 | urlsplit() |  |  -->  | Taint [externally controlled string] | test.py:71 | test.py:71:10:71:10 | a |  |
+| Taint [externally controlled string] | test.py:68 | test.py:68:9:68:32 | urlparse() |  |  -->  | Taint [externally controlled string] | test.py:71 | test.py:71:13:71:13 | b |  |
 | Taint exception.info | test.py:44 | test.py:44:22:44:26 | taint | p1 = exception.info |  -->  | Taint exception.info | test.py:45 | test.py:45:17:45:21 | taint | p1 = exception.info |
 | Taint exception.info | test.py:45 | test.py:45:17:45:21 | taint | p1 = exception.info |  -->  | Taint exception.info | test.py:45 | test.py:45:12:45:22 | func() | p1 = exception.info |
 | Taint exception.info | test.py:45 | test.py:45:17:45:21 | taint | p1 = exception.info |  -->  | Taint exception.info | test.py:52 | test.py:52:19:52:21 | arg | p0 = exception.info |
@@ -61,9 +62,11 @@
 | Taint externally controlled string | test.py:66 | test.py:66:22:66:35 | TAINTED_STRING |  |  -->  | Taint externally controlled string | test.py:67 | test.py:67:18:67:31 | tainted_string |  |
 | Taint externally controlled string | test.py:66 | test.py:66:22:66:35 | TAINTED_STRING |  |  -->  | Taint externally controlled string | test.py:68 | test.py:68:18:68:31 | tainted_string |  |
 | Taint externally controlled string | test.py:66 | test.py:66:22:66:35 | TAINTED_STRING |  |  -->  | Taint externally controlled string | test.py:69 | test.py:69:18:69:31 | tainted_string |  |
+| Taint externally controlled string | test.py:66 | test.py:66:22:66:35 | TAINTED_STRING |  |  -->  | Taint externally controlled string | test.py:70 | test.py:70:19:70:32 | tainted_string |  |
 | Taint externally controlled string | test.py:67 | test.py:67:18:67:31 | tainted_string |  |  -->  | Taint [externally controlled string] | test.py:67 | test.py:67:9:67:32 | urlsplit() |  |
 | Taint externally controlled string | test.py:68 | test.py:68:18:68:31 | tainted_string |  |  -->  | Taint [externally controlled string] | test.py:68 | test.py:68:9:68:32 | urlparse() |  |
 | Taint externally controlled string | test.py:69 | test.py:69:18:69:31 | tainted_string |  |  -->  | Taint {externally controlled string} | test.py:69 | test.py:69:9:69:32 | parse_qs() |  |
+| Taint externally controlled string | test.py:70 | test.py:70:19:70:32 | tainted_string |  |  -->  | Taint [[externally controlled string]] | test.py:70 | test.py:70:9:70:33 | parse_qsl() |  |
 | Taint json[externally controlled string] | test.py:6 | test.py:6:20:6:45 | Attribute() |  |  -->  | Taint json[externally controlled string] | test.py:7 | test.py:7:9:7:20 | tainted_json |  |
 | Taint json[externally controlled string] | test.py:7 | test.py:7:9:7:20 | tainted_json |  |  -->  | Taint externally controlled string | test.py:7 | test.py:7:9:7:25 | Subscript |  |
 | Taint json[externally controlled string] | test.py:7 | test.py:7:9:7:20 | tainted_json |  |  -->  | Taint json[externally controlled string] | test.py:7 | test.py:7:9:7:25 | Subscript |  |
@@ -76,4 +79,4 @@
 | Taint json[externally controlled string] | test.py:9 | test.py:9:9:9:9 | b |  |  -->  | Taint externally controlled string | test.py:9 | test.py:9:9:9:14 | Subscript |  |
 | Taint json[externally controlled string] | test.py:9 | test.py:9:9:9:9 | b |  |  -->  | Taint json[externally controlled string] | test.py:9 | test.py:9:9:9:14 | Subscript |  |
 | Taint json[externally controlled string] | test.py:9 | test.py:9:9:9:14 | Subscript |  |  -->  | Taint json[externally controlled string] | test.py:10 | test.py:10:16:10:16 | c |  |
-| Taint {externally controlled string} | test.py:69 | test.py:69:9:69:32 | parse_qs() |  |  -->  | Taint {externally controlled string} | test.py:70 | test.py:70:16:70:16 | c |  |
+| Taint {externally controlled string} | test.py:69 | test.py:69:9:69:32 | parse_qs() |  |  -->  | Taint {externally controlled string} | test.py:71 | test.py:71:16:71:16 | c |  |

python/ql/test/library-tests/taint/strings/TestTaint.expected

@@ -20,6 +20,7 @@
 | test.py:42 | test_str2 | c | externally controlled string |
 | test.py:50 | test_exc_info | res | exception.info |
 | test.py:58 | test_untrusted | res | externally controlled string |
-| test.py:70 | test_urlsplit_urlparse | a | [externally controlled string] |
-| test.py:70 | test_urlsplit_urlparse | b | [externally controlled string] |
-| test.py:70 | test_urlsplit_urlparse | c | {externally controlled string} |
+| test.py:71 | test_urlsplit_urlparse | a | [externally controlled string] |
+| test.py:71 | test_urlsplit_urlparse | b | [externally controlled string] |
+| test.py:71 | test_urlsplit_urlparse | c | {externally controlled string} |
+| test.py:71 | test_urlsplit_urlparse | d | [[externally controlled string]] |

python/ql/test/library-tests/taint/strings/test.py

@@ -60,11 +60,12 @@ def test_untrusted():
 def exc_untrusted_call(arg):
     return arg
 
-from six.moves.urllib.parse import urlsplit, urlparse, parse_qs
+from six.moves.urllib.parse import urlsplit, urlparse, parse_qs, parse_qsl
 
 def test_urlsplit_urlparse():
     tainted_string = TAINTED_STRING
     a = urlsplit(tainted_string)
     b = urlparse(tainted_string)
     c = parse_qs(tainted_string)
-    test(a, b, c)
+    d = parse_qsl(tainted_string)
+    test(a, b, c, d)