python: add read steps for some specific functions

Author: yoff

python/ql/lib/semmle/python/frameworks/Stdlib.qll

@@ -4260,6 +4260,15 @@ module StdlibPrivate {
       output = "ReturnValue.ListElement" and
       preservesValue = true
       or
+      // in case we create a list from a container with precise elementt,
+      // we need to taint the list.
+      exists(DataFlow::TupleElementContent tc, int i | i = tc.getIndex() |
+        input = "Argument[0].TupleElement[" + i.toString() + "]"
+      ) and
+      // TODO: Once we have DictKeyContent, we need to transform that into taint
+      output = "ReturnValue" and
+      preservesValue = false
+      or
       input = "Argument[0]" and
       output = "ReturnValue" and
       preservesValue = false
@@ -4708,8 +4717,13 @@ module StdlibPrivate {
     override predicate propagatesFlow(string input, string output, boolean preservesValue) {
       exists(DataFlow::DictionaryElementContent dc, string key | key = dc.getKey() |
         input = "Argument[self].DictionaryElement[" + key + "]" and
-        output = "ReturnValue.ListElement" and
-        preservesValue = true
+        (
+          output = "ReturnValue.ListElement" and
+          preservesValue = true
+          or
+          output = "ReturnValue" and
+          preservesValue = false
+        )
       )
       or
       input = "Argument[self]" and
@@ -4759,8 +4773,13 @@ module StdlibPrivate {
     override predicate propagatesFlow(string input, string output, boolean preservesValue) {
       exists(DataFlow::DictionaryElementContent dc, string key | key = dc.getKey() |
         input = "Argument[self].DictionaryElement[" + key + "]" and
-        output = "ReturnValue.ListElement.TupleElement[1]" and
-        preservesValue = true
+        (
+          output = "ReturnValue.ListElement.TupleElement[1]" and
+          preservesValue = true
+          or
+          output = "ReturnValue" and
+          preservesValue = false
+        )
       )
       or
       // TODO: Add the keys to output list
@@ -4826,6 +4845,50 @@ module StdlibPrivate {
     }
   }
 
+  // ---------------------------------------------------------------------------
+  // Flow summaries for string methods
+  // ---------------------------------------------------------------------------
+  class StringManipulation extends SummarizedCallable {
+    string method_name;
+
+    StringManipulation() {
+      this = "string." + method_name and
+      method_name in [
+          "capitalize", "casefold", "center", "expandtabs", "format", "format_map", "join", "ljust",
+          "lstrip", "lower", "replace", "rjust", "rstrip", "strip", "swapcase", "title", "upper",
+          "zfill", "encode", "decode"
+        ]
+    }
+
+    override DataFlow::CallCfgNode getACall() {
+      result.(DataFlow::MethodCallNode).calls(_, method_name)
+    }
+
+    override DataFlow::ArgumentNode getACallback() {
+      result.(DataFlow::AttrRead).getAttributeName() = method_name
+    }
+
+    override predicate propagatesFlow(string input, string output, boolean preservesValue) {
+      input = "Argument[self]" and
+      output = "ReturnValue" and
+      preservesValue = false
+      or
+      method_name = "join" and
+      exists(DataFlow::TupleElementContent tc, int i | i = tc.getIndex() |
+        input = "Argument[0].TupleElement[" + i + "]"
+      ) and
+      output = "ReturnValue" and
+      preservesValue = false
+      or
+      method_name = "format_map" and
+      exists(DataFlow::DictionaryElementContent dc, string key | key = dc.getKey() |
+        input = "Argument[0].DictionaryElement[" + key + "]"
+      ) and
+      output = "ReturnValue" and
+      preservesValue = false
+    }
+  }
+
   /**
    * A flow summary for `os.getenv` / `os.getenvb`
    *

python/ql/test/library-tests/dataflow/sensitive-data/test.py

@@ -133,4 +133,4 @@ def call_wrapper(func):
 
 # since we have taint-step from store of `password`, we will consider any item in the
 # dictionary to be a password :(
-print(_config["sleep_timer"]) # $ SPURIOUS: SensitiveUse=password
+print(_config["sleep_timer"])

python/ql/test/library-tests/dataflow/tainttracking/defaultAdditionalTaintStep/test_collections.py

@@ -22,9 +22,9 @@ def test_construction():
     ensure_tainted(
         tainted_string, # $ tainted
         tainted_list, # $ tainted
-        tainted_tuple, # $ tainted
+        tainted_tuple[0], # $ tainted
         tainted_set, # $ tainted
-        tainted_dict, # $ tainted
+        tainted_dict["key"], # $ tainted
     )
 
     ensure_tainted(
@@ -37,13 +37,22 @@ def test_construction():
         tuple(tainted_list), # $ tainted
         set(tainted_list), # $ tainted
         frozenset(tainted_list), # $ tainted
-        dict(tainted_dict), # $ tainted
+        dict(tainted_dict)["key"], # $ tainted
         dict(k = tainted_string)["k"], # $ tainted
         dict(dict(k = tainted_string))["k"], # $ tainted
         dict(["k", tainted_string]), # $ tainted
     )
 
     ensure_not_tainted(
+        tainted_tuple,
+        tainted_tuple[1],
+
+        tainted_dict,
+        tainted_dict["different_key"],
+        
+        dict(tainted_dict),
+        dict(tainted_dict)["different_key"],
+        
         dict(k = tainted_string)["k1"]
     )
 

python/ql/test/library-tests/dataflow/tainttracking/defaultAdditionalTaintStep/test_string.py

@@ -115,7 +115,7 @@ def percent_fmt():
     ensure_tainted(
         tainted_fmt % (1, 2), # $ tainted
         "%s foo bar" % ts, # $ tainted
-        "%s %s %s" % (1, 2, ts), # $ tainted
+        "%s %s %s" % (1, 2, ts), # $ MISSING: tainted
     )
 
 

python/ql/test/library-tests/dataflow/tainttracking/defaultAdditionalTaintStep/test_unpacking.py

@@ -53,7 +53,7 @@ def contrived_1():
 
     (a, b, c), (d, e, f) = tainted_list, no_taint_list
     ensure_tainted(a, b, c) # $ tainted
-    ensure_not_tainted(d, e, f) # $ SPURIOUS: tainted
+    ensure_not_tainted(d, e, f)
 
 
 def contrived_2():