Python: Remove imprecise container steps #2

python/ql/consistency-queries/DataFlowConsistency.ql

@@ -36,6 +36,8 @@ private module Input implements InputSig<Location, PythonDataFlow> {
     // parameter, but dataflow-consistency queries should _not_ complain about there not
     // being a post-update node for the synthetic `**kwargs` parameter.
     n instanceof SynthDictSplatParameterNode
+    or
+    Private::Conversions::readStep(n, _, _)
   }
 
   predicate uniqueParameterNodePositionExclude(DataFlowCallable c, ParameterPosition pos, Node p) {

python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPrivate.qll

@@ -1009,6 +1009,8 @@ predicate readStep(Node nodeFrom, ContentSet c, Node nodeTo) {
   synthDictSplatParameterNodeReadStep(nodeFrom, c, nodeTo)
   or
   VariableCapture::readStep(nodeFrom, c, nodeTo)
+  or
+  Conversions::readStep(nodeFrom, c, nodeTo)
 }
 
 /** Data flows from a sequence to a subscript of the sequence. */
@@ -1064,6 +1066,57 @@ predicate attributeReadStep(Node nodeFrom, AttributeContent c, AttrRead nodeTo)
   nodeTo.accesses(nodeFrom, c.getAttribute())
 }
 
+module Conversions {
+  private import semmle.python.Concepts
+
+  predicate decoderReadStep(Node nodeFrom, ContentSet c, Node nodeTo) {
+    exists(Decoding decoding |
+      nodeFrom = decoding.getAnInput() and
+      nodeTo = decoding.getOutput()
+    ) and
+    (
+      c instanceof TupleElementContent
+      or
+      c instanceof DictionaryElementContent
+    )
+  }
+
+  predicate encoderReadStep(Node nodeFrom, ContentSet c, Node nodeTo) {
+    exists(Encoding encoding |
+      nodeFrom = encoding.getAnInput() and
+      nodeTo = encoding.getOutput()
+    ) and
+    (
+      c instanceof TupleElementContent
+      or
+      c instanceof DictionaryElementContent
+    )
+  }
+
+  predicate formatReadStep(Node nodeFrom, ContentSet c, Node nodeTo) {
+    // % formatting
+    exists(BinaryExprNode fmt | fmt = nodeTo.asCfgNode() |
+      fmt.getOp() instanceof Mod and
+      fmt.getRight() = nodeFrom.asCfgNode()
+    ) and
+    c instanceof TupleElementContent
+    or
+    // format_map
+    // see https://docs.python.org/3/library/stdtypes.html#str.format_map
+    nodeTo.(MethodCallNode).calls(_, "format_map") and
+    nodeTo.(MethodCallNode).getArg(0) = nodeFrom and
+    c instanceof DictionaryElementContent
+  }
+
+  predicate readStep(Node nodeFrom, ContentSet c, Node nodeTo) {
+    decoderReadStep(nodeFrom, c, nodeTo)
+    or
+    encoderReadStep(nodeFrom, c, nodeTo)
+    or
+    formatReadStep(nodeFrom, c, nodeTo)
+  }
+}
+
 /**
  * Holds if values stored inside content `c` are cleared at node `n`. For example,
  * any value stored inside `f` is cleared at the pre-update node associated with `x`

python/ql/lib/semmle/python/dataflow/new/internal/TaintTrackingPrivate.qll

@@ -16,7 +16,16 @@ predicate defaultTaintSanitizer(DataFlow::Node node) { none() }
  * of `c` at sinks and inputs to additional taint steps.
  */
 bindingset[node]
-predicate defaultImplicitTaintRead(DataFlow::Node node, DataFlow::ContentSet c) { none() }
+predicate defaultImplicitTaintRead(DataFlow::Node node, DataFlow::ContentSet c) {
+  // We allow implicit reads of precise content
+  // imprecise content has already bubled up.
+  exists(node) and
+  (
+    c instanceof DataFlow::TupleElementContent
+    or
+    c instanceof DataFlow::DictionaryElementContent
+  )
+}
 
 private module Cached {
   /**
@@ -176,10 +185,6 @@ predicate containerStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
   or
   DataFlowPrivate::setStoreStep(nodeFrom, _, nodeTo)
   or
-  DataFlowPrivate::tupleStoreStep(nodeFrom, _, nodeTo)
-  or
-  DataFlowPrivate::dictStoreStep(nodeFrom, _, nodeTo)
-  or
   // comprehension, so there is taint-flow from `x` in `[x for x in xs]` to the
   // resulting list of the list-comprehension.
   //

python/ql/lib/semmle/python/frameworks/Stdlib.qll

@@ -4244,8 +4244,15 @@ module StdlibPrivate {
         )
         // TODO: Once we have DictKeyContent, we need to transform that into ListElementContent
       ) and
-      output = "ReturnValue.ListElement" and
-      preservesValue = true
+      (
+        // Element content is mutated into list element content
+        output = "ReturnValue.ListElement" and
+        preservesValue = true
+        or
+        // Since list content is imprecise, we also taint the list.
+        output = "ReturnValue" and
+        preservesValue = false
+      )
       or
       input = "Argument[0]" and
       output = "ReturnValue" and

python/ql/test/experimental/query-tests/Security/CWE-074-RemoteCommandExecution/RemoteCommandExecution.expected

@@ -21,9 +21,31 @@ edges
 | Scrapli.py:40:10:40:12 | ControlFlowNode for cmd | Scrapli.py:84:36:84:38 | ControlFlowNode for cmd | provenance |  |
 | Twisted.py:13:16:13:18 | ControlFlowNode for cmd | Twisted.py:16:5:16:7 | ControlFlowNode for cmd | provenance |  |
 | Twisted.py:13:16:13:18 | ControlFlowNode for cmd | Twisted.py:24:9:24:11 | ControlFlowNode for cmd | provenance |  |
+| asyncssh.py:15:16:15:18 | ControlFlowNode for cmd | asyncssh.py:17:33:17:35 | ControlFlowNode for cmd | provenance |  |
+| netmiko.py:18:16:18:18 | ControlFlowNode for cmd | netmiko.py:20:45:20:47 | ControlFlowNode for cmd | provenance |  |
+| netmiko.py:18:16:18:18 | ControlFlowNode for cmd | netmiko.py:21:52:21:54 | ControlFlowNode for cmd | provenance |  |
+| netmiko.py:18:16:18:18 | ControlFlowNode for cmd | netmiko.py:22:52:22:54 | ControlFlowNode for cmd | provenance |  |
+| netmiko.py:18:16:18:18 | ControlFlowNode for cmd | netmiko.py:23:41:23:57 | ControlFlowNode for List | provenance |  |
+| netmiko.py:18:16:18:18 | ControlFlowNode for cmd | netmiko.py:24:48:24:50 | ControlFlowNode for cmd | provenance |  |
 | paramiko.py:15:16:15:18 | ControlFlowNode for cmd | paramiko.py:16:62:16:64 | ControlFlowNode for cmd | provenance |  |
 | paramiko.py:20:16:20:18 | ControlFlowNode for cmd | paramiko.py:21:70:21:72 | ControlFlowNode for cmd | provenance |  |
+| pexpect.py:15:16:15:18 | ControlFlowNode for cmd | pexpect.py:16:14:16:16 | ControlFlowNode for cmd | provenance |  |
+| pexpect.py:15:16:15:18 | ControlFlowNode for cmd | pexpect.py:18:18:18:20 | ControlFlowNode for cmd | provenance |  |
+| scrapli.py:13:16:13:18 | ControlFlowNode for cmd | scrapli.py:24:42:24:44 | ControlFlowNode for cmd | provenance |  |
+| scrapli.py:13:16:13:18 | ControlFlowNode for cmd | scrapli.py:27:42:27:44 | ControlFlowNode for cmd | provenance |  |
+| scrapli.py:13:16:13:18 | ControlFlowNode for cmd | scrapli.py:30:42:30:44 | ControlFlowNode for cmd | provenance |  |
+| scrapli.py:13:16:13:18 | ControlFlowNode for cmd | scrapli.py:33:42:33:44 | ControlFlowNode for cmd | provenance |  |
+| scrapli.py:13:16:13:18 | ControlFlowNode for cmd | scrapli.py:36:42:36:44 | ControlFlowNode for cmd | provenance |  |
+| scrapli.py:40:10:40:12 | ControlFlowNode for cmd | scrapli.py:51:36:51:38 | ControlFlowNode for cmd | provenance |  |
+| scrapli.py:40:10:40:12 | ControlFlowNode for cmd | scrapli.py:54:36:54:38 | ControlFlowNode for cmd | provenance |  |
+| scrapli.py:40:10:40:12 | ControlFlowNode for cmd | scrapli.py:57:36:57:38 | ControlFlowNode for cmd | provenance |  |
+| scrapli.py:40:10:40:12 | ControlFlowNode for cmd | scrapli.py:60:36:60:38 | ControlFlowNode for cmd | provenance |  |
+| scrapli.py:40:10:40:12 | ControlFlowNode for cmd | scrapli.py:63:36:63:38 | ControlFlowNode for cmd | provenance |  |
+| scrapli.py:40:10:40:12 | ControlFlowNode for cmd | scrapli.py:74:36:74:38 | ControlFlowNode for cmd | provenance |  |
+| scrapli.py:40:10:40:12 | ControlFlowNode for cmd | scrapli.py:84:36:84:38 | ControlFlowNode for cmd | provenance |  |
 | ssh2.py:15:16:15:18 | ControlFlowNode for cmd | ssh2.py:17:21:17:23 | ControlFlowNode for cmd | provenance |  |
+| twisted.py:13:16:13:18 | ControlFlowNode for cmd | twisted.py:16:5:16:7 | ControlFlowNode for cmd | provenance |  |
+| twisted.py:13:16:13:18 | ControlFlowNode for cmd | twisted.py:24:9:24:11 | ControlFlowNode for cmd | provenance |  |
 nodes
 | AsyncSsh.py:15:16:15:18 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd |
 | AsyncSsh.py:17:33:17:35 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd |
@@ -53,12 +75,40 @@ nodes
 | Twisted.py:13:16:13:18 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd |
 | Twisted.py:16:5:16:7 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd |
 | Twisted.py:24:9:24:11 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd |
+| asyncssh.py:15:16:15:18 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd |
+| asyncssh.py:17:33:17:35 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd |
+| netmiko.py:18:16:18:18 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd |
+| netmiko.py:20:45:20:47 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd |
+| netmiko.py:21:52:21:54 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd |
+| netmiko.py:22:52:22:54 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd |
+| netmiko.py:23:41:23:57 | ControlFlowNode for List | semmle.label | ControlFlowNode for List |
+| netmiko.py:24:48:24:50 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd |
 | paramiko.py:15:16:15:18 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd |
 | paramiko.py:16:62:16:64 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd |
 | paramiko.py:20:16:20:18 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd |
 | paramiko.py:21:70:21:72 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd |
+| pexpect.py:15:16:15:18 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd |
+| pexpect.py:16:14:16:16 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd |
+| pexpect.py:18:18:18:20 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd |
+| scrapli.py:13:16:13:18 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd |
+| scrapli.py:24:42:24:44 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd |
+| scrapli.py:27:42:27:44 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd |
+| scrapli.py:30:42:30:44 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd |
+| scrapli.py:33:42:33:44 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd |
+| scrapli.py:36:42:36:44 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd |
+| scrapli.py:40:10:40:12 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd |
+| scrapli.py:51:36:51:38 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd |
+| scrapli.py:54:36:54:38 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd |
+| scrapli.py:57:36:57:38 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd |
+| scrapli.py:60:36:60:38 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd |
+| scrapli.py:63:36:63:38 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd |
+| scrapli.py:74:36:74:38 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd |
+| scrapli.py:84:36:84:38 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd |
 | ssh2.py:15:16:15:18 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd |
 | ssh2.py:17:21:17:23 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd |
+| twisted.py:13:16:13:18 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd |
+| twisted.py:16:5:16:7 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd |
+| twisted.py:24:9:24:11 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd |
 subpaths
 #select
 | AsyncSsh.py:17:33:17:35 | ControlFlowNode for cmd | AsyncSsh.py:15:16:15:18 | ControlFlowNode for cmd | AsyncSsh.py:17:33:17:35 | ControlFlowNode for cmd | This code execution depends on a $@. | AsyncSsh.py:15:16:15:18 | ControlFlowNode for cmd | a user-provided value |
@@ -83,6 +133,28 @@ subpaths
 | Scrapli.py:84:36:84:38 | ControlFlowNode for cmd | Scrapli.py:40:10:40:12 | ControlFlowNode for cmd | Scrapli.py:84:36:84:38 | ControlFlowNode for cmd | This code execution depends on a $@. | Scrapli.py:40:10:40:12 | ControlFlowNode for cmd | a user-provided value |
 | Twisted.py:16:5:16:7 | ControlFlowNode for cmd | Twisted.py:13:16:13:18 | ControlFlowNode for cmd | Twisted.py:16:5:16:7 | ControlFlowNode for cmd | This code execution depends on a $@. | Twisted.py:13:16:13:18 | ControlFlowNode for cmd | a user-provided value |
 | Twisted.py:24:9:24:11 | ControlFlowNode for cmd | Twisted.py:13:16:13:18 | ControlFlowNode for cmd | Twisted.py:24:9:24:11 | ControlFlowNode for cmd | This code execution depends on a $@. | Twisted.py:13:16:13:18 | ControlFlowNode for cmd | a user-provided value |
+| asyncssh.py:17:33:17:35 | ControlFlowNode for cmd | asyncssh.py:15:16:15:18 | ControlFlowNode for cmd | asyncssh.py:17:33:17:35 | ControlFlowNode for cmd | This code execution depends on a $@. | asyncssh.py:15:16:15:18 | ControlFlowNode for cmd | a user-provided value |
+| netmiko.py:20:45:20:47 | ControlFlowNode for cmd | netmiko.py:18:16:18:18 | ControlFlowNode for cmd | netmiko.py:20:45:20:47 | ControlFlowNode for cmd | This code execution depends on a $@. | netmiko.py:18:16:18:18 | ControlFlowNode for cmd | a user-provided value |
+| netmiko.py:21:52:21:54 | ControlFlowNode for cmd | netmiko.py:18:16:18:18 | ControlFlowNode for cmd | netmiko.py:21:52:21:54 | ControlFlowNode for cmd | This code execution depends on a $@. | netmiko.py:18:16:18:18 | ControlFlowNode for cmd | a user-provided value |
+| netmiko.py:22:52:22:54 | ControlFlowNode for cmd | netmiko.py:18:16:18:18 | ControlFlowNode for cmd | netmiko.py:22:52:22:54 | ControlFlowNode for cmd | This code execution depends on a $@. | netmiko.py:18:16:18:18 | ControlFlowNode for cmd | a user-provided value |
+| netmiko.py:23:41:23:57 | ControlFlowNode for List | netmiko.py:18:16:18:18 | ControlFlowNode for cmd | netmiko.py:23:41:23:57 | ControlFlowNode for List | This code execution depends on a $@. | netmiko.py:18:16:18:18 | ControlFlowNode for cmd | a user-provided value |
+| netmiko.py:24:48:24:50 | ControlFlowNode for cmd | netmiko.py:18:16:18:18 | ControlFlowNode for cmd | netmiko.py:24:48:24:50 | ControlFlowNode for cmd | This code execution depends on a $@. | netmiko.py:18:16:18:18 | ControlFlowNode for cmd | a user-provided value |
 | paramiko.py:16:62:16:64 | ControlFlowNode for cmd | paramiko.py:15:16:15:18 | ControlFlowNode for cmd | paramiko.py:16:62:16:64 | ControlFlowNode for cmd | This code execution depends on a $@. | paramiko.py:15:16:15:18 | ControlFlowNode for cmd | a user-provided value |
 | paramiko.py:21:70:21:72 | ControlFlowNode for cmd | paramiko.py:20:16:20:18 | ControlFlowNode for cmd | paramiko.py:21:70:21:72 | ControlFlowNode for cmd | This code execution depends on a $@. | paramiko.py:20:16:20:18 | ControlFlowNode for cmd | a user-provided value |
+| pexpect.py:16:14:16:16 | ControlFlowNode for cmd | pexpect.py:15:16:15:18 | ControlFlowNode for cmd | pexpect.py:16:14:16:16 | ControlFlowNode for cmd | This code execution depends on a $@. | pexpect.py:15:16:15:18 | ControlFlowNode for cmd | a user-provided value |
+| pexpect.py:18:18:18:20 | ControlFlowNode for cmd | pexpect.py:15:16:15:18 | ControlFlowNode for cmd | pexpect.py:18:18:18:20 | ControlFlowNode for cmd | This code execution depends on a $@. | pexpect.py:15:16:15:18 | ControlFlowNode for cmd | a user-provided value |
+| scrapli.py:24:42:24:44 | ControlFlowNode for cmd | scrapli.py:13:16:13:18 | ControlFlowNode for cmd | scrapli.py:24:42:24:44 | ControlFlowNode for cmd | This code execution depends on a $@. | scrapli.py:13:16:13:18 | ControlFlowNode for cmd | a user-provided value |
+| scrapli.py:27:42:27:44 | ControlFlowNode for cmd | scrapli.py:13:16:13:18 | ControlFlowNode for cmd | scrapli.py:27:42:27:44 | ControlFlowNode for cmd | This code execution depends on a $@. | scrapli.py:13:16:13:18 | ControlFlowNode for cmd | a user-provided value |
+| scrapli.py:30:42:30:44 | ControlFlowNode for cmd | scrapli.py:13:16:13:18 | ControlFlowNode for cmd | scrapli.py:30:42:30:44 | ControlFlowNode for cmd | This code execution depends on a $@. | scrapli.py:13:16:13:18 | ControlFlowNode for cmd | a user-provided value |
+| scrapli.py:33:42:33:44 | ControlFlowNode for cmd | scrapli.py:13:16:13:18 | ControlFlowNode for cmd | scrapli.py:33:42:33:44 | ControlFlowNode for cmd | This code execution depends on a $@. | scrapli.py:13:16:13:18 | ControlFlowNode for cmd | a user-provided value |
+| scrapli.py:36:42:36:44 | ControlFlowNode for cmd | scrapli.py:13:16:13:18 | ControlFlowNode for cmd | scrapli.py:36:42:36:44 | ControlFlowNode for cmd | This code execution depends on a $@. | scrapli.py:13:16:13:18 | ControlFlowNode for cmd | a user-provided value |
+| scrapli.py:51:36:51:38 | ControlFlowNode for cmd | scrapli.py:40:10:40:12 | ControlFlowNode for cmd | scrapli.py:51:36:51:38 | ControlFlowNode for cmd | This code execution depends on a $@. | scrapli.py:40:10:40:12 | ControlFlowNode for cmd | a user-provided value |
+| scrapli.py:54:36:54:38 | ControlFlowNode for cmd | scrapli.py:40:10:40:12 | ControlFlowNode for cmd | scrapli.py:54:36:54:38 | ControlFlowNode for cmd | This code execution depends on a $@. | scrapli.py:40:10:40:12 | ControlFlowNode for cmd | a user-provided value |
+| scrapli.py:57:36:57:38 | ControlFlowNode for cmd | scrapli.py:40:10:40:12 | ControlFlowNode for cmd | scrapli.py:57:36:57:38 | ControlFlowNode for cmd | This code execution depends on a $@. | scrapli.py:40:10:40:12 | ControlFlowNode for cmd | a user-provided value |
+| scrapli.py:60:36:60:38 | ControlFlowNode for cmd | scrapli.py:40:10:40:12 | ControlFlowNode for cmd | scrapli.py:60:36:60:38 | ControlFlowNode for cmd | This code execution depends on a $@. | scrapli.py:40:10:40:12 | ControlFlowNode for cmd | a user-provided value |
+| scrapli.py:63:36:63:38 | ControlFlowNode for cmd | scrapli.py:40:10:40:12 | ControlFlowNode for cmd | scrapli.py:63:36:63:38 | ControlFlowNode for cmd | This code execution depends on a $@. | scrapli.py:40:10:40:12 | ControlFlowNode for cmd | a user-provided value |
+| scrapli.py:74:36:74:38 | ControlFlowNode for cmd | scrapli.py:40:10:40:12 | ControlFlowNode for cmd | scrapli.py:74:36:74:38 | ControlFlowNode for cmd | This code execution depends on a $@. | scrapli.py:40:10:40:12 | ControlFlowNode for cmd | a user-provided value |
+| scrapli.py:84:36:84:38 | ControlFlowNode for cmd | scrapli.py:40:10:40:12 | ControlFlowNode for cmd | scrapli.py:84:36:84:38 | ControlFlowNode for cmd | This code execution depends on a $@. | scrapli.py:40:10:40:12 | ControlFlowNode for cmd | a user-provided value |
 | ssh2.py:17:21:17:23 | ControlFlowNode for cmd | ssh2.py:15:16:15:18 | ControlFlowNode for cmd | ssh2.py:17:21:17:23 | ControlFlowNode for cmd | This code execution depends on a $@. | ssh2.py:15:16:15:18 | ControlFlowNode for cmd | a user-provided value |
+| twisted.py:16:5:16:7 | ControlFlowNode for cmd | twisted.py:13:16:13:18 | ControlFlowNode for cmd | twisted.py:16:5:16:7 | ControlFlowNode for cmd | This code execution depends on a $@. | twisted.py:13:16:13:18 | ControlFlowNode for cmd | a user-provided value |
+| twisted.py:24:9:24:11 | ControlFlowNode for cmd | twisted.py:13:16:13:18 | ControlFlowNode for cmd | twisted.py:24:9:24:11 | ControlFlowNode for cmd | This code execution depends on a $@. | twisted.py:13:16:13:18 | ControlFlowNode for cmd | a user-provided value |