Python: Support %-style formatting for MarkupSafe

RasmusWL · RasmusWL · commit c2708176b140 · 2021-06-30T14:15:41.000+02:00
diff --git a/python/ql/src/semmle/python/frameworks/MarkupSafe.qll b/python/ql/src/semmle/python/frameworks/MarkupSafe.qll
@@ -71,6 +71,16 @@ private module MarkupSafeModel {
       StringFormat() { this.calls(instance(), "format") }
     }
 
+    /** A %-style string format with `markupsafe.Markup` as the format string. */
+    class PercentStringFormat extends Markup::InstanceSource, DataFlow::CfgNode {
+      override BinaryExprNode node;
+
+      PercentStringFormat() {
+        node.getOp() instanceof Mod and
+        instance().asCfgNode() = node.getLeft()
+      }
+    }
+
     /** Taint propagation for `markupsafe.Markup`. */
     class AddtionalTaintSteps extends TaintTracking::AdditionalTaintStep {
       override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
@@ -127,4 +137,15 @@ private module MarkupSafeModel {
 
     override DataFlow::Node getOutput() { result = this }
   }
+
+  /** A escape from %-style string format with `markupsafe.Markup` as the format string. */
+  private class MarkupEscapeFromPercentStringFormat extends MarkupSafeEscape,
+    Markup::PercentStringFormat {
+    override DataFlow::Node getAnInput() {
+      result.asCfgNode() = node.getRight() and
+      not result = Markup::instance()
+    }
+
+    override DataFlow::Node getOutput() { result = this }
+  }
 }
diff --git a/python/ql/test/library-tests/frameworks/markupsafe/taint_test.py b/python/ql/test/library-tests/frameworks/markupsafe/taint_test.py
@@ -36,7 +36,7 @@ def test():
         m_unsafe + SAFE, # $ escapeInput=SAFE escapeKind=html escapeOutput=BinaryExpr MISSING: tainted
         SAFE + m_unsafe, # $ escapeInput=SAFE escapeKind=html escapeOutput=BinaryExpr MISSING: tainted
         m_unsafe.format(SAFE), # $ escapeInput=SAFE escapeKind=html escapeOutput=m_unsafe.format(..) MISSING: tainted
-        m_unsafe % SAFE, # $ tainted MISSING: escapeInput=ts escapeKind=html escapeOutput=BinaryExpr
+        m_unsafe % SAFE, # $ escapeInput=SAFE escapeKind=html escapeOutput=BinaryExpr MISSING: tainted
         m_unsafe + ts, # $ escapeInput=ts escapeKind=html escapeOutput=BinaryExpr MISSING: tainted
 
         m_safe.format(m_unsafe), # $ tainted
@@ -56,7 +56,7 @@ def test():
         m_safe + ts, # $ escapeInput=ts escapeKind=html escapeOutput=BinaryExpr
         ts + m_safe, # $ escapeInput=ts escapeKind=html escapeOutput=BinaryExpr
         m_safe.format(ts), # $ escapeInput=ts escapeKind=html escapeOutput=m_safe.format(..)
-        m_safe % ts, # $ SPURIOUS: tainted MISSING: escapeInput=ts escapeKind=html escapeOutput=BinaryExpr
+        m_safe % ts, # $ escapeInput=ts escapeKind=html escapeOutput=BinaryExpr
 
         escape(ts) + ts, # $ escapeInput=ts escapeKind=html escapeOutput=BinaryExpr escapeOutput=escape(..)
         escape_silent(ts) + ts, # $ escapeInput=ts escapeKind=html escapeOutput=BinaryExpr escapeOutput=escape_silent(..)
