Python: Improve multidict modeling

Author: RasmusWL

python/ql/src/semmle/python/frameworks/Multidict.qll

@@ -24,6 +24,11 @@ module Multidict {
    * See https://multidict.readthedocs.io/en/stable/multidict.html#multidictproxy
    */
   module MultiDictProxy {
+    /** Gets a reference to a `MultiDictProxy` class. */
+    API::Node classRef() {
+      result = API::moduleImport("multidict").getMember(["MultiDictProxy", "CIMultiDictProxy"])
+    }
+
     /**
      * A source of instances of `multidict.MultiDictProxy`, extend this class to model
      * new instances.
@@ -37,15 +42,20 @@ module Multidict {
      */
     abstract class InstanceSource extends DataFlow::LocalSourceNode { }
 
-    /** Gets a reference to an instance of `multidict.MultiDictProxy`. */
+    /** A direct instantiation of a `MultiDictProxy` class. */
+    private class ClassInstantiation extends InstanceSource, DataFlow::CallCfgNode {
+      ClassInstantiation() { this = classRef().getACall() }
+    }
+
+    /** Gets a reference to an instance of a `MultiDictProxy` class. */
     private DataFlow::LocalSourceNode instance(DataFlow::TypeTracker t) {
       t.start() and
       result instanceof InstanceSource
       or
       exists(DataFlow::TypeTracker t2 | result = instance(t2).track(t2, t))
     }
 
-    /** Gets a reference to an instance of `multidict.MultiDictProxy`. */
+    /** Gets a reference to an instance of a `MultiDictProxy` class. */
     DataFlow::Node instance() { instance(DataFlow::TypeTracker::end()).flowsTo(result) }
 
     /**
@@ -55,6 +65,12 @@ module Multidict {
      */
     class MultiDictProxyAdditionalTaintStep extends TaintTracking::AdditionalTaintStep {
       override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+        // class instantiation
+        exists(ClassInstantiation call |
+          nodeFrom = call.getArg(0) and
+          nodeTo = call
+        )
+        or
         // Methods
         //
         // TODO: When we have tools that make it easy, model these properly to handle

python/ql/test/library-tests/frameworks/aiohttp/taint_test.py

@@ -5,8 +5,7 @@ async def test_taint(request: web.Request): # $ requestHandler
     ensure_tainted(
         request, # $ tainted
 
-        # yarl.URL instances, see tests under `yarl` framework tests
-        # https://yarl.readthedocs.io/en/stable/api.html#yarl.URL
+        # yarl.URL (see `yarl` framework tests)
         request.url, # $ tainted
         request.url.human_repr(), # $ tainted
         request.rel_url, # $ tainted
@@ -25,28 +24,11 @@ async def test_taint(request: web.Request): # $ requestHandler
         request.match_info["key"], # $ tainted
         request.match_info.get("key"), # $ tainted
 
-        # multidict.MultiDictProxy[str]
-        # see https://multidict.readthedocs.io/en/stable/multidict.html#multidict.MultiDictProxy
-        # TODO: Should have a better way to capture that we in fact _do_ model this as a
-        # an instance of the right class, and have the actual taint_test for that in a
-        # different file!
+        # multidict.MultiDictProxy[str] (see `multidict` framework tests)
         request.query, # $ tainted
-        request.query["key"], # $ tainted
-        request.query.get("key"), # $ tainted
         request.query.getone("key"), # $ tainted
-        request.query.getall("key"), # $ tainted
-        request.query.keys(), # $ MISSING: tainted
-        request.query.values(), # $ tainted
-        request.query.items(), # $ tainted
-        request.query.copy(), # $ tainted
-        list(request.query), # $ tainted
-        iter(request.query), # $ tainted
-
-        # multidict.CIMultiDictProxy[str]
-        # see https://multidict.readthedocs.io/en/stable/multidict.html#multidict.CIMultiDictProxy
-        # TODO: Should have a better way to capture that we in fact _do_ model this as a
-        # an instance of the right class, and have the actual taint_test for that in a
-        # different file!
+
+        # multidict.CIMultiDictProxy[str] (see `multidict` framework tests)
         request.headers, # $ tainted
         request.headers.getone("key"), # $ tainted
 
@@ -99,7 +81,7 @@ async def test_taint(request: web.Request): # $ requestHandler
         # aiohttp.multipart.MultipartReader
         await request.multipart(), # $ tainted
 
-        # multidict.MultiDictProxy[str]
+        # multidict.MultiDictProxy[str] (see `multidict` framework tests)
         await request.post(), # $ tainted
         (await request.post()).getone("key"), # $ MISSING: tainted
     )

python/ql/test/library-tests/frameworks/multidict/ConceptsTest.expected

@@ -0,0 +1,2 @@
+import python
+import experimental.meta.ConceptsTest

python/ql/test/library-tests/frameworks/multidict/ConceptsTest.ql

@@ -0,0 +1,3 @@
+argumentToEnsureNotTaintedNotMarkedAsSpurious
+untaintedArgumentToEnsureTaintedNotMarkedAsMissing
+failures

python/ql/test/library-tests/frameworks/multidict/InlineTaintTest.expected

@@ -0,0 +1 @@
+import experimental.meta.InlineTaintTest

python/ql/test/library-tests/frameworks/multidict/InlineTaintTest.ql

@@ -0,0 +1 @@
+semmle-extractor-options: --max-import-depth=1 --lang=3

python/ql/test/library-tests/frameworks/multidict/options

@@ -0,0 +1,41 @@
+import multidict
+
+# TODO: This is an invalid MultiDictProxy construction... but for the purpose of
+# taint-test, this should be good enough.
+mdp = multidict.MultiDictProxy(TAINTED_STRING)
+
+ensure_tainted(
+    # see https://multidict.readthedocs.io/en/stable/multidict.html#multidict.MultiDictProxy
+
+    mdp, # $ tainted
+    mdp["key"], # $ tainted
+    mdp.get("key"), # $ tainted
+    mdp.getone("key"), # $ tainted
+    mdp.getall("key"), # $ tainted
+    mdp.keys(), # $ MISSING: tainted
+    mdp.values(), # $ tainted
+    mdp.items(), # $ tainted
+    mdp.copy(), # $ tainted
+    list(mdp), # $ tainted
+    iter(mdp), # $ tainted
+)
+
+# TODO: This is an invalid CIMultiDictProxy construction... but for the purpose of
+# taint-test, this should be good enough.
+ci_mdp = multidict.CIMultiDictProxy(TAINTED_STRING)
+
+ensure_tainted(
+    # see https://multidict.readthedocs.io/en/stable/multidict.html#multidict.CIMultiDictProxy
+
+    ci_mdp, # $ tainted
+    ci_mdp["key"], # $ tainted
+    ci_mdp.get("key"), # $ tainted
+    ci_mdp.getone("key"), # $ tainted
+    ci_mdp.getall("key"), # $ tainted
+    ci_mdp.keys(), # $ MISSING: tainted
+    ci_mdp.values(), # $ tainted
+    ci_mdp.items(), # $ tainted
+    ci_mdp.copy(), # $ tainted
+    list(ci_mdp), # $ tainted
+    iter(ci_mdp), # $ tainted
+)