Python: Deprecate StringDictKind

RasmusWL · RasmusWL · commit b083c015208a · 2020-05-29T12:06:57.000+02:00
This QL

```codeql
import python
import semmle.python.dataflow.TaintTracking
import semmle.python.security.strings.Untrusted

from CollectionKind ck
where
    ck.(DictKind).getMember() instanceof StringKind
    or
    ck.getMember().(DictKind).getMember() instanceof StringKind
select ck, ck.getAQlClass(), ck.getMember().getAQlClass()
```

generates these 6 results.

```
1	{externally controlled string}          ExternalStringDictKind	UntrustedStringKind
2	{externally controlled string}	        StringDictKind	        UntrustedStringKind
3	[{externally controlled string}]	SequenceKind	        ExternalStringDictKind
4	[{externally controlled string}]	SequenceKind	        StringDictKind
5	{{externally controlled string}}	DictKind	        ExternalStringDictKind
6	{{externally controlled string}}	DictKind	        StringDictKind
```

StringDictKind was only used in *one* place in our library code. As illustrated
above, it pollutes our set of TaintKinds. Effectively, every time we make a
flow-step for dictionaries with tainted strings as values, we do it TWICE --
once for ExternalStringDictKind, and once for StringDictKind... that is just a
waste.
diff --git a/python/ql/src/semmle/python/security/strings/Basic.qll b/python/ql/src/semmle/python/security/strings/Basic.qll
@@ -107,7 +107,11 @@ private predicate os_path_join(ControlFlowNode fromnode, CallNode tonode) {
     tonode.getAnArg() = fromnode
 }
 
-/** A kind of "taint", representing a dictionary mapping str->"taint" */
-class StringDictKind extends DictKind {
+/**
+ * A kind of "taint", representing a dictionary mapping str->"taint"
+ *
+ * DEPRECATED: Use `ExternalStringKind` instead.
+ */
+deprecated class StringDictKind extends DictKind {
     StringDictKind() { this.getValue() instanceof StringKind }
 }
diff --git a/python/ql/src/semmle/python/web/turbogears/Response.qll b/python/ql/src/semmle/python/web/turbogears/Response.qll
@@ -27,5 +27,5 @@ class ControllerMethodTemplatedReturnValue extends HttpResponseTaintSink {
         )
     }
 
-    override predicate sinks(TaintKind kind) { kind instanceof StringDictKind }
+    override predicate sinks(TaintKind kind) { kind instanceof ExternalStringDictKind }
 }

Original file line number	Diff line number	Diff line change
`@@ -107,7 +107,11 @@ private predicate os_path_join(ControlFlowNode fromnode, CallNode tonode) {`
`107`	`107`	`tonode.getAnArg() = fromnode`
`108`	`108`	`}`
`109`	`109`
`110`		`-/** A kind of "taint", representing a dictionary mapping str->"taint" */`
`111`		`-class StringDictKind extends DictKind {`
	`110`	`+/**`
	`111`	`+ * A kind of "taint", representing a dictionary mapping str->"taint"`
	`112`	`+ *`
	`113`	+ * DEPRECATED: Use `ExternalStringKind` instead.
	`114`	`+ */`
	`115`	`+deprecated class StringDictKind extends DictKind {`
`112`	`116`	`StringDictKind() { this.getValue() instanceof StringKind }`
`113`	`117`	`}`
Original file line number	Diff line number	Diff line change
`@@ -27,5 +27,5 @@ class ControllerMethodTemplatedReturnValue extends HttpResponseTaintSink {`
`27`	`27`	`)`
`28`	`28`	`}`
`29`	`29`
`30`		`- override predicate sinks(TaintKind kind) { kind instanceof StringDictKind }`
	`30`	`+ override predicate sinks(TaintKind kind) { kind instanceof ExternalStringDictKind }`
`31`	`31`	`}`