Python: Model additional flow steps for the lxml framework #18185
Conversation
joefarebrother
force-pushed
the
python-lxml
branch
2 times, most recently
from
652a9ca to
b523be2
Compare
joefarebrother
force-pushed
the
python-lxml
branch
from
b523be2 to
5c8ef28
Compare
joefarebrother
changed the title
There was a problem hiding this comment.
Copilot reviewed 2 out of 5 changed files in this pull request and generated no suggestions.
Files not reviewed (3)
- python/ql/lib/semmle/python/frameworks/Lxml.qll: Language not supported
- python/ql/test/library-tests/frameworks/lxml/InlineTaintTest.expected: Language not supported
- python/ql/test/library-tests/frameworks/lxml/InlineTaintTest.ql: Language not supported
Comments skipped due to low confidence (16)
python/ql/test/library-tests/frameworks/lxml/taint_test.py:50
- The taint tracking is missing through the call to
list. Ensure the test case covers this scenario to verify taint propagation.
list(elem.findall("b"))[0].text, # $ MISSING:tainted # Type tracking is not followed through call to `list`
python/ql/test/library-tests/frameworks/lxml/taint_test.py:54
- The taint tracking is missing through the call to
nextonelem.getiterator(). Ensure the test case covers this scenario to verify taint propagation.
next(elem.getiterator()).text, # $ MISSING:tainted
python/ql/test/library-tests/frameworks/lxml/taint_test.py:62
- The taint tracking is missing through the call to
nextonelem.iter(). Ensure the test case covers this scenario to verify taint propagation.
next(elem.iter()).text, # $ MISSING:tainted
python/ql/test/library-tests/frameworks/lxml/taint_test.py:64
- The taint tracking is missing through the call to
nextonelem[0].iterancestors(). Ensure the test case covers this scenario to verify taint propagation.
next(elem[0].iterancestors()).text, # $ MISSING:tainted
python/ql/test/library-tests/frameworks/lxml/taint_test.py:66
- The taint tracking is missing through the call to
nextonelem.iterchildren(). Ensure the test case covers this scenario to verify taint propagation.
next(elem.iterchildren()).text, # $ MISSING:tainted
python/ql/test/library-tests/frameworks/lxml/taint_test.py:68
- The taint tracking is missing through the call to
nextonelem.iterdescendants(). Ensure the test case covers this scenario to verify taint propagation.
next(elem.iterdescendants()).text, # $ MISSING:tainted
python/ql/test/library-tests/frameworks/lxml/taint_test.py:70
- The taint tracking is missing through the call to
nextonelem.iterfind("b"). Ensure the test case covers this scenario to verify taint propagation.
next(elem.iterfind("b")).text, # $ MISSING:tainted
python/ql/test/library-tests/frameworks/lxml/taint_test.py:72
- The taint tracking is missing through the call to
nextonelem[0].itersiblings(). Ensure the test case covers this scenario to verify taint propagation.
next(elem[0].itersiblings()).text, # $ MISSING:tainted
python/ql/test/library-tests/frameworks/lxml/taint_test.py:82
- The taint tracking is missing for
ch.textin the for loop. Ensure the test case covers this scenario to verify taint propagation.
ch.text # $ MISSING: tainted # API node getASubscript() appears to not consider things like for loops
python/ql/test/library-tests/frameworks/lxml/taint_test.py:93
- The taint tracking is missing through the call to
nextontree.getiterator(). Ensure the test case covers this scenario to verify taint propagation.
next(tree.getiterator()).text, # $ MISSING:tainted
python/ql/test/library-tests/frameworks/lxml/taint_test.py:95
- The taint tracking is missing through the call to
nextontree.iter(). Ensure the test case covers this scenario to verify taint propagation.
next(tree.iter()).text, # $ MISSING:tainted
python/ql/test/library-tests/frameworks/lxml/taint_test.py:97
- The taint tracking is missing through the call to
nextontree.iterfind("b"). Ensure the test case covers this scenario to verify taint propagation.
next(tree.iterfind("b")).text, # $ MISSING:tainted
python/ql/test/library-tests/frameworks/lxml/taint_test.py:109
- The taint tracking is missing for
elem2.textfrom the tuple return value. Ensure the test case covers this scenario to verify taint propagation.
elem2.text, # $ MISSING:tainted # Type is not tracked to the tuple return value
python/ql/test/library-tests/frameworks/lxml/taint_test.py:110
- The taint tracking is missing for
elem3.textfrom the tuple return value. Ensure the test case covers this scenario to verify taint propagation.
elem3.text, # $ MISSING:tainted
python/ql/test/library-tests/frameworks/lxml/taint_test.py:119
- The taint tracking is missing for
tree2.getroot(). Ensure the test case covers this scenario to verify taint propagation.
tree2.getroot() # $ MISSING:tainted
python/ql/test/library-tests/frameworks/lxml/taint_test.py:126
- The taint tracking is missing for
el.textin the iterparse loop. Ensure the test case covers this scenario to verify taint propagation.
el.text, # $ MISSING:tainted
Tip: Copilot only keeps its highest confidence comments to reduce noise and keep you focused. Learn more
| override string getFormat() { result = "XML" } | ||
| } | ||
| // TODO: ElementTree.write can write to a file-like object; should that be a flow step? | ||
| // It also can accept a filepath which could be a path injection sink. |
There was a problem hiding this comment.
Perhaps we can add that as a sink directly by extending the right concept? (Probably out of scope for this PR)
| elem.get("at"), # $ tainted | ||
| elem.getchildren()[0].text, # $ tainted | ||
| elem.getiterator(), # $ tainted | ||
| next(elem.getiterator()).text, # $ MISSING:tainted |
There was a problem hiding this comment.
next is currently modeled as a flow summary, but not a "simple" one, so we cannot type track through it (it uses type tracking to identify the calls).
There was a problem hiding this comment.
Is there anything we could expect to be able to type track through these cases of methods returning iterators?
(list(X)[0] doesn't work; and neither do for loops as one of the other tests here shows)
There was a problem hiding this comment.
Hm, it looks like all uses of getACallSimple are in test summaries, so probably not..
|
|
||
| ensure_tainted( | ||
| func2(tree), # $ tainted | ||
| func2(tree).text, # $ MISSING:tainted - type tracking not tracked through flow preserving calls |
There was a problem hiding this comment.
This is surprising, should that be func2(tree).getroot().text?
There was a problem hiding this comment.
It should; fixed. However the flow is still missing.
There was a problem hiding this comment.
Interesting, we should probably look into that at some point..
| func2(tree).text, # $ MISSING:tainted - type tracking not tracked through flow preserving calls | ||
| func3(tree).text, # $ MISSING:tainted - this includes if there is a type hint annotation on the return | ||
| typing.cast(ET.ElementTree, tree), # $ tainted | ||
| typing.cast(ET.ElementTree, tree).text, # $ MISSING:tainted - this includes for flow summary models |
There was a problem hiding this comment.
It will only work for "simple" summaries; those that do not use type tracking to identify calls. (And, again, is .text the right test here? I do not see tree.text being tainted.)
Co-authored-by: yoff <[email protected]>
Models additional flow steps for
ElementandElementTreeobjects from thelxml.etreemodule, to track taint through parsed XML elements.