Python: Add taint-tracking configuration.#1052
…ss-talk between flows and brings the interface closer to that of the other languages.
taus-semmle left a comment:
A few points that need to be clarified, but otherwise LGTM.
| * there are no `TaintTracking::Configuration`s. | ||
| */ | ||
| private predicate valid_sanitizer(Sanitizer sanitizer) { | ||
| forall (TaintTracking::Configuration c | c.isSanitizer(sanitizer)) |
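Review bot: The qldoc fragment above only documents the case where there are no `TaintTracking::Configuration`s, but the `forall` body also fixes the semantics for several configurations: a sanitizer is valid only when every configuration present calls `isSanitizer` on it. If that is the intended reading, say so in the qldoc (for example: "Holds if `sanitizer` is accepted by all configurations, or vacuously if there are none"); if a single configuration is the only supported case, state that assumption instead so readers do not have to infer it from the quantifier.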
Isn't this much too strong, requiring the sanitizer to be part of every configuration present (or are we only allowed to have a single configuration at a time)?
I would expect the body of the predicate to be something like
not exists(TaintTracking::Configuration c)
or
exists(TaintTracking::Configuration c | c.isSanitizer(sanitizer))
With multiple configurations, either form is wrong unless we track which configuration a taint originates from. For the case of one configuration, both forms are equivalent.
Having said that, I agree that your formulation would be less surprising should multiple configurations be present and that is what the qldoc comment suggests.
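The two candidate bodies discussed above differ only when more than one configuration exists. The following query is an added illustration written for this page, not code from the pull request or from the Semmle Python library; it assumes the `semmle.python.security.TaintTracking` import path and the `Sanitizer` class name used in the snippet under review, and the predicate names `validSanitizerAll` and `validSanitizerAny` are hypothetical.

```ql
/**
 * Added illustration (not from the PR): compare the `forall` formulation of
 * valid_sanitizer with the `not exists ... or exists ...` formulation.
 * Assumes the import path and `Sanitizer` class of the Python taint library.
 */
import python
import semmle.python.security.TaintTracking

/**
 * Holds if every configuration marks `s` as a sanitizer.
 * With no configurations at all, `forall` is vacuously true, so every
 * sanitizer is accepted.
 */
predicate validSanitizerAll(Sanitizer s) {
  forall(TaintTracking::Configuration c | c.isSanitizer(s))
}

/**
 * Holds if there is no configuration, or some configuration marks `s`
 * as a sanitizer. Identical to `validSanitizerAll` for zero or one
 * configuration; weaker when several are present.
 */
predicate validSanitizerAny(Sanitizer s) {
  not exists(TaintTracking::Configuration c)
  or
  exists(TaintTracking::Configuration c | c.isSanitizer(s))
}

/* Report the sanitizers on which the two formulations disagree:
 * accepted by at least one configuration, but not by all of them. */
from Sanitizer s
where validSanitizerAny(s) and not validSanitizerAll(s)
select s, "Sanitizer accepted by some but not all taint-tracking configurations"
```

Running this over a query set with a single configuration yields no results, which is the equivalence the reply above points out; any result indicates that the choice between the two bodies changes which sanitizers apply.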
| fromnode.getContext().getCallee(call) = tocontext and | ||
| exists(DataFlowNode fromnodenode | | ||
| fromnodenode = fromnode.getNode() and | ||
| forall(TaintTracking::Configuration c | c.isExtension(fromnodenode)) |
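Review bot: Whichever semantics is settled for `valid_sanitizer` should be applied here as well, since this `forall(TaintTracking::Configuration c | c.isExtension(fromnodenode))` has the same vacuous-truth behaviour with zero configurations and the same all-must-agree behaviour with several; consider factoring the shared quantifier into one helper predicate so the two cannot drift apart. As a minor style point, the bound variable `fromnodenode` is hard to read next to `fromnode`; a name such as `fromDataFlowNode` would make the `exists` clearer.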
Same comment as for valid_sanitizer.
…ss surprising for the unlikely case of multiple configurations.
f28d8e0 to 0866f4d
…uration to match API of other languages.
0866f4d to ab23a15
taus-semmle left a comment:
Changes look good to me. Merging.
New configuration-based interface for 1.20.
Should help avoid accidentally using extra sources and sinks via import, and brings the interface closer to that of the other languages.
It is unused for 1.20, to avoid risk of breakage.
However, it will be available for customers, will allow documentation to match code on master, and means that the documentation for writing taint-tracking queries will not need to change from 1.20 to 1.21.
This PR on master demonstrates its use:
#1051