Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Python: Model additional flow steps for the lxml framework #18185

Open
wants to merge 9 commits into
base: main
Choose a base branch
from
Open

Python: Model additional flow steps for the lxml framework #18185

wants to merge 9 commits into from

Conversation

joefarebrother
Copy link
Contributor

Models additional flow steps for Element and ElementTree objects from the lxml.etree module, to track taint through parsed XML elements.

@github-actions github-actions bot added the Python label Dec 2, 2024
@joefarebrother joefarebrother force-pushed the python-lxml branch 2 times, most recently from 652a9ca to b523be2 Compare December 11, 2024 12:03
@joefarebrother joefarebrother marked this pull request as ready for review December 11, 2024 14:29
@Copilot Copilot bot review requested due to automatic review settings December 11, 2024 14:29
@joefarebrother joefarebrother requested a review from a team as a code owner December 11, 2024 14:29
@joefarebrother joefarebrother changed the title [Draft] Python: Model additional flow steps for the lxml framework Python: Model additional flow steps for the lxml framework Dec 11, 2024
Copilot
Copilot AI reviewed Dec 11, 2024
View reviewed changes

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot reviewed 2 out of 5 changed files in this pull request and generated no suggestions.

Files not reviewed (3)
  • python/ql/lib/semmle/python/frameworks/Lxml.qll: Language not supported
  • python/ql/test/library-tests/frameworks/lxml/InlineTaintTest.expected: Language not supported
  • python/ql/test/library-tests/frameworks/lxml/InlineTaintTest.ql: Language not supported
Comments skipped due to low confidence (16)

python/ql/test/library-tests/frameworks/lxml/taint_test.py:50

  • The taint tracking is missing through the call to list. Ensure the test case covers this scenario to verify taint propagation.
list(elem.findall("b"))[0].text,  # $ MISSING:tainted # Type tracking is not followed through call to `list`

python/ql/test/library-tests/frameworks/lxml/taint_test.py:54

  • The taint tracking is missing through the call to next on elem.getiterator(). Ensure the test case covers this scenario to verify taint propagation.
next(elem.getiterator()).text,  # $ MISSING:tainted

python/ql/test/library-tests/frameworks/lxml/taint_test.py:62

  • The taint tracking is missing through the call to next on elem.iter(). Ensure the test case covers this scenario to verify taint propagation.
next(elem.iter()).text,  # $ MISSING:tainted

python/ql/test/library-tests/frameworks/lxml/taint_test.py:64

  • The taint tracking is missing through the call to next on elem[0].iterancestors(). Ensure the test case covers this scenario to verify taint propagation.
next(elem[0].iterancestors()).text,  # $ MISSING:tainted

python/ql/test/library-tests/frameworks/lxml/taint_test.py:66

  • The taint tracking is missing through the call to next on elem.iterchildren(). Ensure the test case covers this scenario to verify taint propagation.
next(elem.iterchildren()).text, # $ MISSING:tainted

python/ql/test/library-tests/frameworks/lxml/taint_test.py:68

  • The taint tracking is missing through the call to next on elem.iterdescendants(). Ensure the test case covers this scenario to verify taint propagation.
next(elem.iterdescendants()).text,  # $ MISSING:tainted

python/ql/test/library-tests/frameworks/lxml/taint_test.py:70

  • The taint tracking is missing through the call to next on elem.iterfind("b"). Ensure the test case covers this scenario to verify taint propagation.
next(elem.iterfind("b")).text,  # $ MISSING:tainted

python/ql/test/library-tests/frameworks/lxml/taint_test.py:72

  • The taint tracking is missing through the call to next on elem[0].itersiblings(). Ensure the test case covers this scenario to verify taint propagation.
next(elem[0].itersiblings()).text,  # $ MISSING:tainted

python/ql/test/library-tests/frameworks/lxml/taint_test.py:82

  • The taint tracking is missing for ch.text in the for loop. Ensure the test case covers this scenario to verify taint propagation.
ch.text  # $ MISSING: tainted # API node getASubscript() appears to not consider things like for loops

python/ql/test/library-tests/frameworks/lxml/taint_test.py:93

  • The taint tracking is missing through the call to next on tree.getiterator(). Ensure the test case covers this scenario to verify taint propagation.
next(tree.getiterator()).text,  # $ MISSING:tainted

python/ql/test/library-tests/frameworks/lxml/taint_test.py:95

  • The taint tracking is missing through the call to next on tree.iter(). Ensure the test case covers this scenario to verify taint propagation.
next(tree.iter()).text,  # $ MISSING:tainted

python/ql/test/library-tests/frameworks/lxml/taint_test.py:97

  • The taint tracking is missing through the call to next on tree.iterfind("b"). Ensure the test case covers this scenario to verify taint propagation.
next(tree.iterfind("b")).text,  # $ MISSING:tainted

python/ql/test/library-tests/frameworks/lxml/taint_test.py:109

  • The taint tracking is missing for elem2.text from the tuple return value. Ensure the test case covers this scenario to verify taint propagation.
elem2.text,  # $ MISSING:tainted # Type is not tracked to the tuple return value

python/ql/test/library-tests/frameworks/lxml/taint_test.py:110

  • The taint tracking is missing for elem3.text from the tuple return value. Ensure the test case covers this scenario to verify taint propagation.
elem3.text,  # $ MISSING:tainted

python/ql/test/library-tests/frameworks/lxml/taint_test.py:119

  • The taint tracking is missing for tree2.getroot(). Ensure the test case covers this scenario to verify taint propagation.
tree2.getroot() # $ MISSING:tainted

python/ql/test/library-tests/frameworks/lxml/taint_test.py:126

  • The taint tracking is missing for el.text in the iterparse loop. Ensure the test case covers this scenario to verify taint propagation.
el.text, # $ MISSING:tainted

Tip: Copilot only keeps its highest confidence comments to reduce noise and keep you focused. Learn more
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
documentation Python
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@joefarebrother