Python: recover taint for % format strings

Author: yoff

python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPrivate.qll

@@ -1012,10 +1012,21 @@ module Conversions {
     )
   }
 
+  predicate formatReadStep(Node nodeFrom, ContentSet c, Node nodeTo) {
+    // % formatting
+    exists(BinaryExprNode fmt | fmt = nodeTo.asCfgNode() |
+      fmt.getOp() instanceof Mod and
+      fmt.getRight() = nodeFrom.asCfgNode()
+    ) and
+    c instanceof TupleElementContent
+  }
+
   predicate readStep(Node nodeFrom, ContentSet c, Node nodeTo) {
     decoderReadStep(nodeFrom, c, nodeTo)
     or
     encoderReadStep(nodeFrom, c, nodeTo)
+    or
+    formatReadStep(nodeFrom, c, nodeTo)
   }
 }
 

python/ql/test/library-tests/dataflow/tainttracking/defaultAdditionalTaintStep/test_string.py

@@ -115,7 +115,7 @@ def percent_fmt():
     ensure_tainted(
         tainted_fmt % (1, 2), # $ tainted
         "%s foo bar" % ts, # $ tainted
-        "%s %s %s" % (1, 2, ts), # $ MISSING: tainted
+        "%s %s %s" % (1, 2, ts), # $ tainted
     )