Skip to content

Commit a2e8417

Browse files
RasmusWLRasmusWL
committed
Python: Use API graphs in TaintTrackingPrivate
Some of this modeling could probably go to the standard lib modeling file, but this chain of commits is already pretty feature creep :|
1 parent 53f1d23 commit a2e8417

File tree

1 file changed

+7
-12
lines changed

1 file changed

+7
-12
lines changed

python/ql/src/semmle/python/dataflow/new/internal/TaintTrackingPrivate.qll

Lines changed: 7 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -2,6 +2,7 @@ private import python
22
private import semmle.python.dataflow.new.DataFlow
33
private import semmle.python.dataflow.new.internal.DataFlowPrivate as DataFlowPrivate
44
private import semmle.python.dataflow.new.internal.TaintTrackingPublic
5+
private import semmle.python.ApiGraphs
56

67
/**
78
* Holds if `node` should be a sanitizer in all global taint flow configurations
@@ -152,15 +153,14 @@ predicate containerStep(DataFlow::CfgNode nodeFrom, DataFlow::Node nodeTo) {
152153
or
153154
// constructor call
154155
exists(DataFlow::CallCfgNode call | call = nodeTo |
155-
call.getFunction().asCfgNode().(NameNode).getId() in [
156-
"list", "set", "frozenset", "dict", "defaultdict", "tuple"
157-
] and
156+
call = API::builtin(["list", "set", "frozenset", "dict", "tuple"]).getACall() and
158157
call.getArg(0) = nodeFrom
158+
// TODO: Properly handle defaultdict/namedtuple
159159
)
160160
or
161161
// functions operating on collections
162162
exists(DataFlow::CallCfgNode call | call = nodeTo |
163-
call.getFunction().asCfgNode().(NameNode).getId() in ["sorted", "reversed", "iter", "next"] and
163+
call = API::builtin(["sorted", "reversed", "iter", "next"]).getACall() and
164164
call.getArg(0) = nodeFrom
165165
)
166166
or
@@ -187,14 +187,9 @@ predicate containerStep(DataFlow::CfgNode nodeFrom, DataFlow::Node nodeTo) {
187187
* Holds if taint can flow from `nodeFrom` to `nodeTo` with a step related to copying.
188188
*/
189189
predicate copyStep(DataFlow::CfgNode nodeFrom, DataFlow::CfgNode nodeTo) {
190-
exists(CallNode call | call = nodeTo.getNode() |
191-
// Fully qualified: copy.copy, copy.deepcopy
192-
(
193-
call.getFunction().(NameNode).getId() in ["copy", "deepcopy"]
194-
or
195-
call.getFunction().(AttrNode).getObject(["copy", "deepcopy"]).(NameNode).getId() = "copy"
196-
) and
197-
call.getArg(0) = nodeFrom.getNode()
190+
exists(DataFlow::CallCfgNode call | call = nodeTo |
191+
call = API::moduleImport("copy").getMember(["copy", "deepcopy"]).getACall() and
192+
call.getArg(0) = nodeFrom
198193
)
199194
}
200195

0 commit comments

Comments
 (0)