1+ import threading
2+ import time
3+
4+ # Test 1
5+ # TP - Flow is tracked through a global variable
6+ foo1 = None
7+
8+ def bar1 ():
9+ time .sleep (1 )
10+ ensure_tainted (foo1 ) # $tainted
11+
12+ # The intent of these tests is to test how dataflow is handled through shared state accessed by different threads;
13+ # but the presense or absense of the actual call to start a thread does not affect the results (there is no special modelling for Thread)
14+ # threading.Thread(target=bar).start()
15+
16+ foo1 = TAINTED_STRING
17+
18+ # Test 2
19+ # FN - Flow is *not* tracked through an access path on a global variable
20+ foo2 = []
21+
22+ def bar2 ():
23+ time .sleep (1 )
24+ ensure_tainted (foo2 [0 ]) # $MISSING:tainted
25+
26+ threading .Thread (target = bar2 ).start ()
27+
28+ foo2 .append (TAINTED_STRING )
29+
30+ # Test 3
31+ # FN - Flow is not found even when there is a direct call
32+ foo3 = []
33+
34+ def bar3 ():
35+ time .sleep (1 )
36+ ensure_tainted (foo2 [0 ]) # $MISSING:tainted
37+
38+ foo3 .append (TAINTED_STRING )
39+ bar3 ()
40+
41+ # Tast 4
42+ # TP - Sanity check: Flow is found through a ListElement directly without a call
43+ foo4 = []
44+ foo4 .append (TAINTED_STRING )
45+ ensure_tainted (foo4 [0 ]) # $tainted
46+
47+ # Test 5
48+ # FN - Flow is *not* tracked through a shared captured but non-global variable
49+ def test5 ():
50+ foo5 = None
51+
52+ def bar5 ():
53+ time .sleep (1 )
54+ ensure_tainted (foo5 ) # $MISSING:tainted
55+
56+ threading .Thread (target = bar5 ).start () # Only the presense of this thread call makes this an FN rather than a TN
57+
58+ foo5 = TAINTED_STRING
59+
60+ # Test 6
61+ # TP - Flow is tracked through a shared captured but non-global variable with a direct call
62+ def test6 ():
63+ foo6 = []
64+
65+ def bar6 ():
66+ time .sleep (1 )
67+ ensure_tainted (foo6 [0 ]) # $tainted
68+
69+ foo6 .append (TAINTED_STRING )
70+ bar6 ()
71+
72+
73+ # Test 7
74+ # FN - Flow is *not* found through an access path on a global variable that's also used as a parameter
75+ # We'd like to cover this case in order to be able to cover this CVE: https://github.com/github/codeql-python-CVE-coverage/issues/3176
76+
77+ foo7 = []
78+
79+ def bar7 ():
80+ time .sleep (1 )
81+ ensure_tainted (foo7 [0 ]) # $MISSING: tainted
82+
83+ def baz7 (loc_foo ):
84+ loc_foo .append (TAINTED_STRING )
85+
86+ threading .Thread (target = bar7 ).start ()
87+
88+ baz7 (foo7 )
89+
90+ # Test 8
91+ # FN - Flow is also *not* found in the above case through a direct call
92+
93+ foo8 = []
94+
95+ def bar8 ():
96+ time .sleep (1 )
97+ ensure_tainted (foo8 [0 ]) # $MISSING: tainted
98+
99+ def baz8 (loc_foo ):
100+ loc_foo .append (TAINTED_STRING )
101+
102+ baz8 (foo8 )
103+ bar8 ()
104+
105+ # Test 9
106+ # TP - Flow is found in the above case when the variable is captured rather than global
107+
108+ def test9 ():
109+ foo9 = []
110+ def bar9 ():
111+ time .sleep (1 )
112+ ensure_tainted (foo9 [0 ]) # $tainted
113+
114+ def baz9 (loc_foo ):
115+ loc_foo .append (TAINTED_STRING )
116+
117+ baz9 (foo9 )
118+ bar9 ()
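Review bot: Test 3's `bar3` passes `foo2[0]` to the sink instead of `foo3[0]`, so the list that Test 3 fills and then reaches through the direct `bar3()` call is never read. Its `$MISSING:tainted` annotation therefore records the Test 2 gap a second time rather than the direct-call case named in the header. The line should read `ensure_tainted(foo3[0]) # $MISSING:tainted`, and the expectation should be re-run afterwards, since the result for the corrected sink may differ from what is annotated now. The commented-out `threading.Thread(target=bar).start()` in Test 1 also names `bar` where the function defined is `bar1`. The comments have a few typos worth fixing in the same pass: "Tast 4", "presense" and "absense".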