Python: Limit SensitiveDataSources to prevent _some_ cross-talk

RasmusWL · RasmusWL · commit b0309dd3212e · 2021-07-01T12:08:12.000+02:00
diff --git a/python/ql/src/semmle/python/dataflow/new/SensitiveDataSources.qll b/python/ql/src/semmle/python/dataflow/new/SensitiveDataSources.qll
@@ -76,26 +76,16 @@ private module SensitiveDataModeling {
   }
 
   /**
-   * Gets a reference to a string constant that, if used as the key in a lookup,
-   * indicates the presence of sensitive data with `classification`.
-   */
-  private DataFlow::LocalSourceNode sensitiveLookupStringConst(
-    DataFlow::TypeTracker t, SensitiveDataClassification classification
-  ) {
-    t.start() and
-    nameIndicatesSensitiveData(result.asExpr().(StrConst).getText(), classification)
-    or
-    exists(DataFlow::TypeTracker t2 |
-      result = sensitiveLookupStringConst(t2, classification).track(t2, t)
-    )
-  }
-
-  /**
-   * Gets a reference to a string constant that, if used as the key in a lookup,
-   * indicates the presence of sensitive data with `classification`.
+   * Gets a reference (in local scope) to a string constant that, if used as the key in
+   * a lookup, indicates the presence of sensitive data with `classification`.
    */
   DataFlow::Node sensitiveLookupStringConst(SensitiveDataClassification classification) {
-    sensitiveLookupStringConst(DataFlow::TypeTracker::end(), classification).flowsTo(result)
+    // Note: If this is implemented with type-tracking, we will get cross-talk as
+    // illustrated in python/ql/test/experimental/dataflow/sensitive-data/test.py
+    exists(DataFlow::LocalSourceNode source |
+      nameIndicatesSensitiveData(source.asExpr().(StrConst).getText(), classification) and
+      source.flowsTo(result)
+    )
   }
 
   /** A function call that is considered a source of sensitive data. */
diff --git a/python/ql/test/experimental/dataflow/sensitive-data/test.py b/python/ql/test/experimental/dataflow/sensitive-data/test.py
@@ -90,13 +90,13 @@ def my_func(password): # $ SensitiveDataSource=password
 def get_config(key):
     # Treating this as a SensitiveDataSource is questionable, since that will result in
     # _all_ calls to `get_config` being treated as giving sensitive data
-    return _configuration[key] # $ SensitiveDataSource=password
+    return _configuration[key]
 
 foo = get_config("mysql_password")
-print(foo) # $ SensitiveUse=password
+print(foo) # $ MISSING: SensitiveUse=password
 
 bar = get_config("sleep_timer")
-print(bar) # $ SPURIOUS: SensitiveUse=password
+print(bar)
 
 # Case 2: Providing function as argument
 
