python: remove explicit steps

copy, pop, get, popitem

Author: yoff

python/ql/lib/semmle/python/dataflow/new/internal/TaintTrackingPrivate.qll

@@ -190,14 +190,9 @@ predicate containerStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
     call.getArg(0) = nodeFrom
   )
   or
-  // methods
+  // dict methods
   exists(DataFlow::MethodCallNode call, string methodName | call = nodeTo |
-    methodName in [
-        // general
-        "copy", "pop",
-        // dict
-        "values", "items", "get", "popitem"
-      ] and
+    methodName in ["values", "items"] and
     call.calls(nodeFrom, methodName)
   )
   or

python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep-py3/test_collections.py

@@ -13,7 +13,7 @@ def test_access():
     tainted_list = TAINTED_LIST
 
     ensure_tainted(
-        tainted_list.copy(), # $ tainted
+        tainted_list.copy(), # $ MISSING: tainted
     )
 
     for ((x, y, *z), a, b) in tainted_list:

python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/test_collections.py

@@ -103,9 +103,9 @@ def test_dict_access(x):
 
     ensure_tainted(
         tainted_dict["name"], # $ tainted
-        tainted_dict.get("name"), # $ tainted
+        tainted_dict.get("name"), # $ MISSING: tainted
         tainted_dict[x], # $ tainted
-        tainted_dict.copy(), # $ tainted
+        tainted_dict.copy(), # $ MISSING: tainted
     )
 
     for v in tainted_dict.values():

python/ql/test/library-tests/frameworks/aiohttp/taint_test.py

@@ -23,7 +23,7 @@ async def test_taint(request: web.Request): # $ requestHandler
         # dict-like for captured parts of the URL
         request.match_info, # $ tainted
         request.match_info["key"], # $ tainted
-        request.match_info.get("key"), # $ tainted
+        request.match_info.get("key"), # $ MISSING: tainted
 
         # multidict.MultiDictProxy[str] (see `multidict` framework tests)
         request.query, # $ tainted
@@ -38,7 +38,7 @@ async def test_taint(request: web.Request): # $ requestHandler
         # dict-like (readonly)
         request.cookies, # $ tainted
         request.cookies["key"], # $ tainted
-        request.cookies.get("key"), # $ tainted
+        request.cookies.get("key"), # $ MISSING: tainted
         request.cookies.keys(), # $ MISSING: tainted
         request.cookies.values(), # $ tainted
         request.cookies.items(), # $ tainted

python/ql/test/library-tests/frameworks/django-v2-v3/taint_forms.py

@@ -32,13 +32,13 @@ def clean(self):
         ensure_tainted(
             cleaned_data, # $ tainted
             cleaned_data["key"], # $ tainted
-            cleaned_data.get("key"), # $ tainted
+            cleaned_data.get("key"), # $ MISSING: tainted
         )
 
         ensure_tainted(
             self.cleaned_data, # $ tainted
             self.cleaned_data["key"], # $ tainted
-            self.cleaned_data.get("key"), # $ tainted
+            self.cleaned_data.get("key"), # $ MISSING: tainted
         )
 
     def clean_foo(self):

python/ql/test/library-tests/frameworks/django-v2-v3/taint_test.py

@@ -31,17 +31,17 @@ def test_taint(request: HttpRequest, foo, bar, baz=None):  # $requestHandler rou
         # Dict[str, str]
         request.content_params, # $ tainted
         request.content_params["key"], # $ tainted
-        request.content_params.get("key"), # $ tainted
+        request.content_params.get("key"), # $ MISSING: tainted
 
         # django.http.QueryDict
         # see https://docs.djangoproject.com/en/3.0/ref/request-response/#querydict-objects
         request.GET, # $ tainted
         request.GET["key"], # $ tainted
-        request.GET.get("key"), # $ tainted
+        request.GET.get("key"), # $ MISSING: tainted
         request.GET.getlist("key"), # $ tainted
         request.GET.getlist("key")[0], # $ tainted
-        request.GET.pop("key"), # $ tainted
-        request.GET.pop("key")[0], # $ tainted
+        request.GET.pop("key"), # $ MISSING: tainted
+        request.GET.pop("key")[0], # $ MISSING: tainted
         # key
         request.GET.popitem()[0], # $ tainted
         # values
@@ -59,7 +59,7 @@ def test_taint(request: HttpRequest, foo, bar, baz=None):  # $requestHandler rou
         # Dict[str, str]
         request.COOKIES, # $ tainted
         request.COOKIES["key"], # $ tainted
-        request.COOKIES.get("key"), # $ tainted
+        request.COOKIES.get("key"), # $ MISSING: tainted
 
         # MultiValueDict[str, UploadedFile]
         request.FILES, # $ tainted
@@ -73,20 +73,20 @@ def test_taint(request: HttpRequest, foo, bar, baz=None):  # $requestHandler rou
         request.FILES["key"].file.read(), # $ tainted
         request.FILES["key"].read(), # $ tainted
 
-        request.FILES.get("key"), # $ tainted
-        request.FILES.get("key").name, # $ tainted
+        request.FILES.get("key"), # $ MISSING: tainted
+        request.FILES.get("key").name, # $ MISSING:tainted
         request.FILES.getlist("key"), # $ tainted
         request.FILES.getlist("key")[0], # $ tainted
         request.FILES.getlist("key")[0].name, # $ tainted
         request.FILES.dict(), # $ tainted
         request.FILES.dict()["key"], # $ tainted
         request.FILES.dict()["key"].name, # $ tainted
-        request.FILES.dict().get("key").name, # $ tainted
+        request.FILES.dict().get("key").name, # $ MISSING: tainted
 
         # Dict[str, Any]
         request.META, # $ tainted
         request.META["HTTP_USER_AGENT"], # $ tainted
-        request.META.get("HTTP_USER_AGENT"), # $ tainted
+        request.META.get("HTTP_USER_AGENT"), # $ MISSING: tainted
 
         # HttpHeaders (case insensitive dict-like)
         request.headers, # $ tainted

python/ql/test/library-tests/frameworks/flask/taint_test.py

@@ -12,7 +12,7 @@ def test_taint(name = "World!", number="0", foo="foo"):  # $requestHandler route
     ensure_tainted(
 
         request.environ, # $ tainted
-        request.environ.get('HTTP_AUTHORIZATION'), # $ tainted
+        request.environ.get('HTTP_AUTHORIZATION'), # $ MISSING: tainted
 
         request.path, # $ tainted
         request.full_path, # $ tainted
@@ -38,7 +38,7 @@ def test_taint(name = "World!", number="0", foo="foo"):  # $requestHandler route
         # By default werkzeug.datastructures.ImmutableMultiDict -- although can be changed :\
         request.args, # $ tainted
         request.args['key'], # $ tainted
-        request.args.get('key'), # $ tainted
+        request.args.get('key'), # $ MISSING: tainted
         request.args.getlist('key'), # $ tainted
 
         # werkzeug.datastructures.Authorization (a dict, with some properties)
@@ -81,17 +81,17 @@ def test_taint(name = "World!", number="0", foo="foo"):  # $requestHandler route
         request.files['key'].stream, # $ tainted
         request.files['key'].read(), # $ tainted
         request.files['key'].stream.read(), # $ tainted
-        request.files.get('key'), # $ tainted
-        request.files.get('key').filename, # $ tainted
-        request.files.get('key').stream, # $ tainted
+        request.files.get('key'), # $ MISSING: tainted
+        request.files.get('key').filename, # $ MISSING: tainted
+        request.files.get('key').stream, # $ MISSING: tainted
         request.files.getlist('key'), # $ tainted
         request.files.getlist('key')[0].filename, # $ tainted
         request.files.getlist('key')[0].stream, # $ tainted
 
         # By default werkzeug.datastructures.ImmutableMultiDict -- although can be changed :\
         request.form, # $ tainted
         request.form['key'], # $ tainted
-        request.form.get('key'), # $ tainted
+        request.form.get('key'), # $ MISSING: tainted
         request.form.getlist('key'), # $ tainted
 
         request.get_data(), # $ tainted
@@ -104,7 +104,7 @@ def test_taint(name = "World!", number="0", foo="foo"):  # $requestHandler route
         # which has same interface as werkzeug.datastructures.Headers
         request.headers, # $ tainted
         request.headers['key'], # $ tainted
-        request.headers.get('key'), # $ tainted
+        request.headers.get('key'), # $ MISSING: tainted
         request.headers.get_all('key'), # $ tainted
         request.headers.getlist('key'), # $ tainted
         # popitem returns `(key, value)`
@@ -149,13 +149,13 @@ def test_taint(name = "World!", number="0", foo="foo"):  # $requestHandler route
         # werkzeug.datastructures.CombinedMultiDict, which is basically just a werkzeug.datastructures.MultiDict
         request.values, # $ tainted
         request.values['key'], # $ tainted
-        request.values.get('key'), # $ tainted
+        request.values.get('key'), # $ MISSING: tainted
         request.values.getlist('key'), # $ tainted
 
         # dict
         request.view_args, # $ tainted
         request.view_args['key'], # $ tainted
-        request.view_args.get('key'), # $ tainted
+        request.view_args.get('key'), # $ MISSING: tainted
     )
 
     ensure_not_tainted(
@@ -204,7 +204,7 @@ def test_taint(name = "World!", number="0", foo="foo"):  # $requestHandler route
         b.getlist('key'), # $ tainted
         gl('key'), # $ tainted
 
-        files.get('key').filename, # $ tainted
+        files.get('key').filename, # $ MISSING: tainted
     )
 
     # aliasing tests

python/ql/test/library-tests/frameworks/multidict/taint_test.py

@@ -9,13 +9,13 @@
 
     mdp, # $ tainted
     mdp["key"], # $ tainted
-    mdp.get("key"), # $ tainted
+    mdp.get("key"), # $ MISSING: tainted
     mdp.getone("key"), # $ tainted
     mdp.getall("key"), # $ tainted
     mdp.keys(), # $ MISSING: tainted
     mdp.values(), # $ tainted
     mdp.items(), # $ tainted
-    mdp.copy(), # $ tainted
+    mdp.copy(), # $ MISSING: tainted
     list(mdp), # $ tainted
     iter(mdp), # $ tainted
 )
@@ -29,13 +29,13 @@
 
     ci_mdp, # $ tainted
     ci_mdp["key"], # $ tainted
-    ci_mdp.get("key"), # $ tainted
+    ci_mdp.get("key"), # $ MISSING: tainted
     ci_mdp.getone("key"), # $ tainted
     ci_mdp.getall("key"), # $ tainted
     ci_mdp.keys(), # $ MISSING: tainted
     ci_mdp.values(), # $ tainted
     ci_mdp.items(), # $ tainted
-    ci_mdp.copy(), # $ tainted
+    ci_mdp.copy(), # $ MISSING: tainted
     list(ci_mdp), # $ tainted
     iter(ci_mdp), # $ tainted
 )

python/ql/test/library-tests/frameworks/requests/taint_test.py

@@ -30,15 +30,15 @@ def test_taint(): # $ requestHandler
 
         resp.links, # $ tainted
         resp.links['key'], # $ tainted
-        resp.links.get('key'), # $ tainted
+        resp.links.get('key'), # $ MISSING: tainted
 
         resp.cookies, # $ tainted
         resp.cookies['key'], # $ tainted
-        resp.cookies.get('key'), # $ tainted
+        resp.cookies.get('key'), # $ MISSING: tainted
 
         resp.headers, # $ tainted
         resp.headers['key'], # $ tainted
-        resp.headers.get('key'), # $ tainted
+        resp.headers.get('key'), # $ MISSING: tainted
     )
 
     for content_chunk in resp.iter_content():

python/ql/test/library-tests/frameworks/rest_framework/taint_test.py

@@ -31,11 +31,11 @@ def test_taint(request: Request, routed_param): # $ requestHandler routedParamet
         # alias for .GET
         request.query_params, # $ tainted
         request.query_params["key"], # $ tainted
-        request.query_params.get("key"), # $ tainted
+        request.query_params.get("key"), # $ MISSING: tainted
         request.query_params.getlist("key"), # $ tainted
         request.query_params.getlist("key")[0], # $ tainted
-        request.query_params.pop("key"), # $ tainted
-        request.query_params.pop("key")[0], # $ tainted
+        request.query_params.pop("key"), # $ MISSING: tainted
+        request.query_params.pop("key")[0], # $ MISSING: tainted
 
         # see more detailed tests of `request.user` below
         request.user, # $ tainted