Python: Model stdin thread-model

RasmusWL · RasmusWL · commit 66f389a4b630 · 2024-09-10T14:32:36.000+02:00
diff --git a/python/ql/lib/semmle/python/frameworks/Stdlib.model.yml b/python/ql/lib/semmle/python/frameworks/Stdlib.model.yml
@@ -12,6 +12,9 @@ extensions:
       - ['sys', 'Member[argv]', 'commandargs']
       - ['sys', 'Member[orig_argv]', 'commandargs']
 
+      - ['sys', 'Member[stdin]', 'stdin']
+      - ['builtins', 'Member[input].ReturnValue', 'stdin']
+
       # if no argument is given, the default is to use sys.argv[1:]
       - ['argparse.ArgumentParser', 'Member[parse_args,parse_known_args].WithArity[0].ReturnValue', 'commandargs']
   - addsTo:
@@ -20,5 +23,3 @@ extensions:
     data:
       - ['argparse.ArgumentParser', 'Member[parse_args,parse_known_args]', 'Argument[0,args:]', 'ReturnValue', 'taint']
       # note: taint of attribute lookups is handled in QL
-
-      # TODO: input / read from stdin
diff --git a/python/ql/lib/semmle/python/frameworks/Stdlib.qll b/python/ql/lib/semmle/python/frameworks/Stdlib.qll
@@ -5009,6 +5009,19 @@ module StdlibPrivate {
       nodeTo.(DataFlow::AttrRead).getObject() = nodeFrom
     }
   }
+
+  // ---------------------------------------------------------------------------
+  // sys
+  // ---------------------------------------------------------------------------
+  /**
+   * An access of `sys.stdin`/`sys.stdout`/`sys.stderr`, to get additional FileLike
+   * modeling.
+   */
+  private class SysStandardStreams extends Stdlib::FileLikeObject::InstanceSource, DataFlow::Node {
+    SysStandardStreams() {
+      this = API::moduleImport("sys").getMember(["stdin", "stdout", "stderr"]).asSource()
+    }
+  }
 }
 
 // ---------------------------------------------------------------------------
diff --git a/python/ql/test/library-tests/frameworks/stdlib/threat_models.py b/python/ql/test/library-tests/frameworks/stdlib/threat_models.py
@@ -44,8 +44,8 @@
 ########################################
 
 ensure_tainted(
-    sys.stdin.readline(), # $ MISSING: tainted threatModelSource
-    input(), # $ MISSING: tainted threatModelSource
+    sys.stdin.readline(), # $ tainted threatModelSource[stdin]=sys.stdin
+    input(), # $ tainted threatModelSource[stdin]=input()
 )
 
 ########################################

Original file line number	Diff line number	Diff line change
`@@ -5009,6 +5009,19 @@ module StdlibPrivate {`
`5009`	`5009`	`nodeTo.(DataFlow::AttrRead).getObject() = nodeFrom`
`5010`	`5010`	`}`
`5011`	`5011`	`}`
	`5012`	`+`
	`5013`	`+ // ---------------------------------------------------------------------------`
	`5014`	`+ // sys`
	`5015`	`+ // ---------------------------------------------------------------------------`
	`5016`	`+ /**`
	`5017`	+ * An access of `sys.stdin`/`sys.stdout`/`sys.stderr`, to get additional FileLike
	`5018`	`+ * modeling.`
	`5019`	`+ */`
	`5020`	`+ private class SysStandardStreams extends Stdlib::FileLikeObject::InstanceSource, DataFlow::Node {`
	`5021`	`+ SysStandardStreams() {`
	`5022`	`+ this = API::moduleImport("sys").getMember(["stdin", "stdout", "stderr"]).asSource()`
	`5023`	`+ }`
	`5024`	`+ }`
`5012`	`5025`	`}`
`5013`	`5026`
`5014`	`5027`	`// ---------------------------------------------------------------------------`
Original file line number	Diff line number	Diff line change
`@@ -44,8 +44,8 @@`
`44`	`44`	`########################################`
`45`	`45`
`46`	`46`	`ensure_tainted(`
`47`		`- sys.stdin.readline(), # $ MISSING: tainted threatModelSource`
`48`		`- input(), # $ MISSING: tainted threatModelSource`
	`47`	`+ sys.stdin.readline(), # $ tainted threatModelSource[stdin]=sys.stdin`
	`48`	`+ input(), # $ tainted threatModelSource[stdin]=input()`
`49`	`49`	`)`
`50`	`50`
`51`	`51`	`########################################`