177 support from import sinks #198
Conversation
* Allow trigger words to be fully qualified to reduce false positives
* This will give fully qualified names for blackboxes like flask * Improve readability by using keyword arguments
|
Please review this change carefully; It changes the contents of |
| package_name, | ||
| local_names, | ||
| import_alias_mapping, | ||
| module=(module[0], init_file_location), |
There was a problem hiding this comment.
Thank you for doing this 🙏 :) kwargs always improve readability
| uninspectable_modules.add(alias.name) # Don't repeatedly warn about this | ||
| return IgnoredNode() | ||
|
|
||
| def visit_ImportFrom(self, node): | ||
| # Is it relative? | ||
| if node.level > 0: | ||
| return self.handle_relative_import(node) | ||
| else: |
There was a problem hiding this comment.
You're definitely improving the readability of this code, thank you :) The less indentation the better
| Reassigned in: | ||
| File: examples/vulnerable_code/path_traversal_sanitised_2.py | ||
| > Line 8: image_name = ~call_1 | ||
| File: examples/vulnerable_code/path_traversal_sanitised_2.py | ||
| > Line 12: ~call_3 = ret_os.path.join(~call_4, image_name) | ||
| File: examples/vulnerable_code/path_traversal_sanitised_2.py | ||
| > reaches line 12, sink "send_file(": | ||
| ~call_2 = ret_send_file(~call_3) |
There was a problem hiding this comment.
This makes the output more readable as well, awesome job 🎉
| module, | ||
| None, |
There was a problem hiding this comment.
The main thing I'm unsure about is, why I was passing None for real_names, but it was probably wrong :)
I do remember I wrote a lot of tests in the import PRs, so I'm somewhat confident this code is well covered. (Granted it was when I was an even worse engineer than I am now 😁 ).
| @@ -482,6 +482,21 @@ def test_list_append_taints_list(self): | |||
| ) | |||
| self.assert_length(vulnerabilities, expected_length=1) | |||
|
|
|||
| def test_import_bb_or_bi_with_alias(self): | |||
Remember import aliases for built-in and black box functions.
os.systemand it will match even if the import us done usingfrom os import systemThis is an incompatible change. The labels for function calls changed (they are now fully qualified, regardless of how the function was imported).
This solves #177