-
Notifications
You must be signed in to change notification settings - Fork 1.6k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #18037 from joefarebrother/pythob-test-global-capture
Python: Add some test cases for flow involving global and captured variables
- Loading branch information
Showing
3 changed files
with
125 additions
and
0 deletions.
There are no files selected for viewing
4 changes: 4 additions & 0 deletions
4
python/ql/test/library-tests/dataflow/global-or-captured-vars/test.expected
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,4 @@ | ||
argumentToEnsureNotTaintedNotMarkedAsSpurious | ||
untaintedArgumentToEnsureTaintedNotMarkedAsMissing | ||
testFailures | ||
failures |
118 changes: 118 additions & 0 deletions
118
python/ql/test/library-tests/dataflow/global-or-captured-vars/test.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,118 @@ | ||
import threading | ||
import time | ||
|
||
# Test 1 | ||
# TP - Flow is tracked through a global variable | ||
foo1 = None | ||
|
||
def bar1(): | ||
time.sleep(1) | ||
ensure_tainted(foo1) # $tainted | ||
|
||
# The intent of these tests is to test how dataflow is handled through shared state accessed by different threads; | ||
# but the presense or absense of the actual call to start a thread does not affect the results (there is no special modelling for Thread) | ||
# threading.Thread(target=bar).start() | ||
|
||
foo1 = TAINTED_STRING | ||
|
||
# Test 2 | ||
# FN - Flow is *not* tracked through an access path on a global variable | ||
foo2 = [] | ||
|
||
def bar2(): | ||
time.sleep(1) | ||
ensure_tainted(foo2[0]) # $MISSING:tainted | ||
|
||
threading.Thread(target=bar2).start() | ||
|
||
foo2.append(TAINTED_STRING) | ||
|
||
# Test 3 | ||
# FN - Flow is not found even when there is a direct call | ||
foo3 = [] | ||
|
||
def bar3(): | ||
time.sleep(1) | ||
ensure_tainted(foo2[0]) # $MISSING:tainted | ||
|
||
foo3.append(TAINTED_STRING) | ||
bar3() | ||
|
||
# Tast 4 | ||
# TP - Sanity check: Flow is found through a ListElement directly without a call | ||
foo4 = [] | ||
foo4.append(TAINTED_STRING) | ||
ensure_tainted(foo4[0]) # $tainted | ||
|
||
# Test 5 | ||
# FN - Flow is *not* tracked through a shared captured but non-global variable | ||
def test5(): | ||
foo5 = None | ||
|
||
def bar5(): | ||
time.sleep(1) | ||
ensure_tainted(foo5) # $MISSING:tainted | ||
|
||
threading.Thread(target=bar5).start() # Only the presense of this thread call makes this an FN rather than a TN | ||
|
||
foo5 = TAINTED_STRING | ||
|
||
# Test 6 | ||
# TP - Flow is tracked through a shared captured but non-global variable with a direct call | ||
def test6(): | ||
foo6 = [] | ||
|
||
def bar6(): | ||
time.sleep(1) | ||
ensure_tainted(foo6[0]) # $tainted | ||
|
||
foo6.append(TAINTED_STRING) | ||
bar6() | ||
|
||
|
||
# Test 7 | ||
# FN - Flow is *not* found through an access path on a global variable that's also used as a parameter | ||
# We'd like to cover this case in order to be able to cover this CVE: https://github.com/github/codeql-python-CVE-coverage/issues/3176 | ||
|
||
foo7 = [] | ||
|
||
def bar7(): | ||
time.sleep(1) | ||
ensure_tainted(foo7[0]) # $MISSING: tainted | ||
|
||
def baz7(loc_foo): | ||
loc_foo.append(TAINTED_STRING) | ||
|
||
threading.Thread(target=bar7).start() | ||
|
||
baz7(foo7) | ||
|
||
# Test 8 | ||
# FN - Flow is also *not* found in the above case through a direct call | ||
|
||
foo8 = [] | ||
|
||
def bar8(): | ||
time.sleep(1) | ||
ensure_tainted(foo8[0]) # $MISSING: tainted | ||
|
||
def baz8(loc_foo): | ||
loc_foo.append(TAINTED_STRING) | ||
|
||
baz8(foo8) | ||
bar8() | ||
|
||
# Test 9 | ||
# TP - Flow is found in the above case when the variable is captured rather than global | ||
|
||
def test9(): | ||
foo9 = [] | ||
def bar9(): | ||
time.sleep(1) | ||
ensure_tainted(foo9[0]) # $tainted | ||
|
||
def baz9(loc_foo): | ||
loc_foo.append(TAINTED_STRING) | ||
|
||
baz9(foo9) | ||
bar9() |
3 changes: 3 additions & 0 deletions
3
python/ql/test/library-tests/dataflow/global-or-captured-vars/test.ql
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
import python | ||
import experimental.meta.InlineTaintTest | ||
import MakeInlineTaintTest<TestTaintTrackingConfig> |