And this sample testcase:
\ndef get_input_from_stdin():\n return sys.argv[1]\n\ndef get_hardcoded_filename():\n return \"output.txt\"\n\ndef combine_input_and_hardcoded():\n user_input = get_input_from_stdin()\n return f\"{user_input}_log.txt\"\n\ndef intermediate_variable():\n part1 = get_input_from_stdin()\n part2 = \"_data\"\n filename = part1 + part2 + \".txt\"\n return filename\n\ndef filename_from_multiple_functions():\n prefix = get_input_from_stdin()\n suffix = get_hardcoded_filename()\n return prefix + \"_\" + suffix\n\ndef nested_function_call():\n def inner():\n return get_input_from_stdin()\n filename = inner() + \"_nested.txt\"\n return filename\n\n\ndef custom_open(filepath):\n with open(filepath, 'w') as f:\n f.write(\"This is a test file.\\n\")\n\ndef main():\n custom_open(get_hardcoded_filename())\n custom_open(combine_input_and_hardcoded())\n custom_open(intermediate_variable())\n custom_open(filename_from_multiple_functions())\n custom_open(nested_function_call())\n\nif __name__ == \"__main__\":\n main()As expected CodeQL returns me one path for each source Expr . However, I would like to keep only the most updated one. For instance, for the function intermediate_variable() , the result will report that all the expressions flow into the open() API, namely, part1, part2, get_input_from_stdin(), part1 + part2 and the literals . However, I would like to keep only the most updated source, which is filename .
Obviously I could solve this by checking the line number but that's no going to fly for slightly more complex scenarios. Another solution I was thinking is to have an other DataFlow tracking to check intra-procedural flows among local expressions but before doing that I'm curious if there's a more \"CodeQL\"-like way to do this. Thanks.
","upvoteCount":1,"answerCount":2,"acceptedAnswer":{"@type":"Answer","text":"Another option is to use DataFlow::Global instead of TaintTracking::Global. Then you will only get expressions that actually flow to the sink, without being modified in some way first.
-
|
Hi Everyone, Probably a silly question, but I couldn't find much around. I need to track data flow in Python scripts. The goal is to track the expressions that flow into an open() call. For now I'm using this sample query: And this sample testcase: def get_input_from_stdin():
return sys.argv[1]
def get_hardcoded_filename():
return "output.txt"
def combine_input_and_hardcoded():
user_input = get_input_from_stdin()
return f"{user_input}_log.txt"
def intermediate_variable():
part1 = get_input_from_stdin()
part2 = "_data"
filename = part1 + part2 + ".txt"
return filename
def filename_from_multiple_functions():
prefix = get_input_from_stdin()
suffix = get_hardcoded_filename()
return prefix + "_" + suffix
def nested_function_call():
def inner():
return get_input_from_stdin()
filename = inner() + "_nested.txt"
return filename
def custom_open(filepath):
with open(filepath, 'w') as f:
f.write("This is a test file.\n")
def main():
custom_open(get_hardcoded_filename())
custom_open(combine_input_and_hardcoded())
custom_open(intermediate_variable())
custom_open(filename_from_multiple_functions())
custom_open(nested_function_call())
if __name__ == "__main__":
main()As expected CodeQL returns me one path for each source Expr . However, I would like to keep only the most updated one. For instance, for the function Obviously I could solve this by checking the line number but that's no going to fly for slightly more complex scenarios. Another solution I was thinking is to have an other DataFlow tracking to check intra-procedural flows among local expressions but before doing that I'm curious if there's a more "CodeQL"-like way to do this. Thanks. |
Beta Was this translation helpful? Give feedback.
Replies: 2 comments 3 replies
-
|
👋 @elManto As far as I can tell, what you are seeing is a result of how you defined Once you restrict For example, if you restrict |
Beta Was this translation helpful? Give feedback.
-
|
Hi @redsun82 thanks for your input I understand what you say, but the problem is that I don't only want to track the user input coming from sys.argv . In your example I would end up having Second, the input flowing into |
Beta Was this translation helpful? Give feedback.
-
|
Try adding this to What this means is that source nodes also block any taint from flowing into them. So if you used to have a path "source1 -> source2 -> source3 -> sink", with this change it will only give you "source3 -> sink". |
Beta Was this translation helpful? Give feedback.
-
|
Another option is to use |
Beta Was this translation helpful? Give feedback.
-
|
Thanks moving to DataFlow::Global did most of the job :) |
Beta Was this translation helpful? Give feedback.
Another option is to use
DataFlow::Globalinstead ofTaintTracking::Global. Then you will only get expressions that actually flow to the sink, without being modified in some way first.