Python: Add modeling of jmespath

RasmusWL · RasmusWL · commit fa6abea465bc · 2021-06-09T12:14:35.000+02:00
diff --git a/docs/codeql/support/reusables/frameworks.rst b/docs/codeql/support/reusables/frameworks.rst
@@ -162,6 +162,7 @@ Python built-in support
    fabric, Utility library
    invoke, Utility library
    idna, Utility library
+   jmespath, Utility library
    mysql-connector-python, Database
    MySQLdb, Database
    psycopg2, Database
diff --git a/python/change-notes/2021-06-09-add-jmespath-modeling.md b/python/change-notes/2021-06-09-add-jmespath-modeling.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Added modeling of the PyPI package `jmespath`.
diff --git a/python/ql/src/semmle/python/Frameworks.qll b/python/ql/src/semmle/python/Frameworks.qll
@@ -12,6 +12,7 @@ private import semmle.python.frameworks.Fabric
 private import semmle.python.frameworks.Flask
 private import semmle.python.frameworks.Idna
 private import semmle.python.frameworks.Invoke
+private import semmle.python.frameworks.Jmespath
 private import semmle.python.frameworks.MysqlConnectorPython
 private import semmle.python.frameworks.MySQLdb
 private import semmle.python.frameworks.Psycopg2
diff --git a/python/ql/src/semmle/python/frameworks/Jmespath.qll b/python/ql/src/semmle/python/frameworks/Jmespath.qll
@@ -0,0 +1,35 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `jmespath` PyPI package.
+ * See https://pypi.org/project/jmespath/.
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.dataflow.new.TaintTracking
+private import semmle.python.Concepts
+private import semmle.python.ApiGraphs
+
+/**
+ * Provides models for the `jmespath` PyPI package.
+ * See https://pypi.org/project/jmespath/.
+ */
+private module Jmespath {
+  class JmespathAdditionalTaintSteps extends TaintTracking::AdditionalTaintStep {
+    override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+      exists(DataFlow::CallCfgNode call |
+        call = API::moduleImport("jmespath").getMember("search").getACall() and
+        nodeFrom in [call.getArg(1), call.getArgByName("data")] and
+        nodeTo = call
+        or
+        call =
+          API::moduleImport("jmespath")
+              .getMember("compile")
+              .getReturn()
+              .getMember("search")
+              .getACall() and
+        nodeFrom in [call.getArg(0), call.getArgByName("value")] and
+        nodeTo = call
+      )
+    }
+  }
+}
diff --git a/python/ql/test/library-tests/frameworks/jmespath/taint_test.py b/python/ql/test/library-tests/frameworks/jmespath/taint_test.py
@@ -6,11 +6,11 @@ def test_idna():
     expression = jmespath.compile("foo.bar")
 
     ensure_tainted(
-        jmespath.search("foo.bar", data), # $ MISSING: tainted
-        jmespath.search("foo.bar", data=data), # $ MISSING: tainted
+        jmespath.search("foo.bar", data), # $ tainted
+        jmespath.search("foo.bar", data=data), # $ tainted
 
-        expression.search(data), # $ MISSING: tainted
-        expression.search(value=data) # $ MISSING: tainted
+        expression.search(data), # $ tainted
+        expression.search(value=data) # $ tainted
     )
 
     # since ```jmespath.search("{wat: `foo`}", {})``` works (and outputs a dictionary),

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+lgtm,codescanning`
	`2`	+* Added modeling of the PyPI package `jmespath`.