Skip to content

Commit ea4761d

Browse files
committed
Python: Add tests of taint-flow for re module
1 parent 5442cdb commit ea4761d

File tree

1 file changed

+81
-0
lines changed
  • python/ql/test/library-tests/frameworks/stdlib

1 file changed

+81
-0
lines changed
Lines changed: 81 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,81 @@
1+
import re
2+
3+
ts = TAINTED_STRING
4+
5+
pat = ... # some pattern
6+
compiled_pat = re.compile(pat)
7+
8+
# see https://docs.python.org/3/library/re.html#functions
9+
ensure_tainted(
10+
# returns Match object, see below
11+
re.search(pat, ts), # $ MISSING: tainted
12+
re.match(pat, ts), # $ MISSING: tainted
13+
re.fullmatch(pat, ts), # $ MISSING: tainted
14+
15+
# other functions not returning Match objects
16+
re.split(pat, ts), # $ MISSING: tainted
17+
re.split(pat, ts)[0], # $ MISSING: tainted
18+
19+
re.findall(pat, ts), # $ MISSING: tainted
20+
21+
re.finditer(pat, ts), # $ MISSING: tainted
22+
[x for x in re.finditer(pat, ts)], # $ MISSING: tainted
23+
24+
re.sub(pat, repl="safe", string=ts), # $ MISSING: tainted
25+
re.sub(pat, repl=lambda m: ..., string=ts), # $ MISSING: tainted
26+
re.sub(pat, repl=ts, string="safe"), # $ MISSING: tainted
27+
re.sub(pat, repl=lambda m: ts, string="safe"), # $ MISSING: tainted
28+
29+
re.subn(pat, repl="safe", string=ts), # $ MISSING: tainted
30+
re.subn(pat, repl="safe", string=ts)[0], # $ MISSING: tainted // the string
31+
32+
# same for compiled patterns
33+
compiled_pat.search(ts), # $ MISSING: tainted
34+
compiled_pat.match(ts), # $ MISSING: tainted
35+
compiled_pat.fullmatch(ts), # $ MISSING: tainted
36+
37+
compiled_pat.split(ts), # $ MISSING: tainted
38+
compiled_pat.split(ts)[0], # $ MISSING: tainted
39+
40+
# ...
41+
42+
# user-controlled compiled pattern
43+
re.compile(ts), # $ tainted
44+
re.compile(ts).pattern, # $ MISSING: tainted
45+
)
46+
47+
ensure_not_tainted(
48+
re.subn(pat, repl="safe", string=ts)[1], # // the number of substitutions made
49+
)
50+
51+
# Match object
52+
tainted_match = re.match(pat, ts)
53+
safe_match = re.match(pat, "safe")
54+
ensure_tainted(
55+
tainted_match.expand("Hello \1"), # $ MISSING: tainted
56+
safe_match.expand(ts), # $ MISSING: tainted
57+
tainted_match.group(), # $ MISSING: tainted
58+
tainted_match.group(1, 2), # $ MISSING: tainted
59+
tainted_match.group(1, 2)[0], # $ MISSING: tainted
60+
tainted_match[0], # $ MISSING: tainted
61+
62+
tainted_match.groups(), # $ MISSING: tainted
63+
tainted_match.groups()[0], # $ MISSING: tainted
64+
tainted_match.groupdict(), # $ MISSING: tainted
65+
tainted_match.groupdict()["key"], # $ MISSING: tainted
66+
67+
re.match(pat, ts).string, # $ MISSING: tainted
68+
re.match(ts, "safe").re, # $ MISSING: tainted
69+
re.match(ts, "safe").re.pattern, # $ MISSING: tainted
70+
71+
compiled_pat.match(ts).string, # $ MISSING: tainted
72+
re.compile(ts).match("safe").re, # $ MISSING: tainted
73+
re.compile(ts).match("safe").re.pattern, # $ MISSING: tainted
74+
)
75+
ensure_not_tainted(
76+
safe_match.expand("Hello \1"),
77+
safe_match.group(),
78+
79+
re.match(pat, "safe").re,
80+
re.match(pat, "safe").string,
81+
)

0 commit comments

Comments
 (0)