Python: Clarify SensitiveAttributeAccess

The comment about imports was placed wrong. I also realized we didn't
even have a single test-case for
`this.(DataFlow::AttrRead).getAttributeNameExpr() = sensitiveLookupStringConst(classification)`
so I added that (notice that this is only `getattr(foo, x)` and not
`getattr(foo, "password")`)

Author: RasmusWL

python/ql/src/semmle/python/dataflow/new/SensitiveDataSources.qll

@@ -153,10 +153,12 @@ private module SensitiveDataModeling {
     SensitiveDataClassification classification;
 
     SensitiveAttributeAccess() {
-      nameIndicatesSensitiveData(this.(DataFlow::AttrRead).getAttributeName(), classification)
-      or
+      // Things like `foo.<sensitive-name>` or `from <module> import <sensitive-name>`
       // I considered excluding any `from ... import something_sensitive`, but then realized that
       // we should flag up `form ... import password as ...` as a password
+      nameIndicatesSensitiveData(this.(DataFlow::AttrRead).getAttributeName(), classification)
+      or
+      // Things like `getattr(foo, <reference-to-string>)`
       this.(DataFlow::AttrRead).getAttributeNameExpr() = sensitiveLookupStringConst(classification)
     }
 

python/ql/test/experimental/dataflow/sensitive-data/test.py

@@ -29,6 +29,9 @@ def encrypt_password(pwd):
 foo.secret # $ SensitiveDataSource=secret
 foo.username # $ SensitiveDataSource=id
 
+getattr(foo, "password") # $ SensitiveDataSource=password
+x = "password"
+getattr(foo, x) # $ SensitiveDataSource=password
 
 # based on variable/parameter names
 def my_func(password): # $ SensitiveDataSource=password