def alternate_fields():
d = {"a": _test_source(), "b": _test_source()}
if 1 > 2:
x = d["a"]
else:
x = d["b"]
_test_sink(x)
return x
def widen_collapse_source(c):
d = {}
if c:
d["a"]["a"]["a"]["a"]["1"] = _test_source()
else:
d["a"]["a"]["a"]["a"]["2"] = _test_source()
# collapsed into a source for `d["a"]["a"]["a"]["a"]` during widening.
return d
def a_or_b():
if 1 > 2:
f = barA
else:
f = barB
f(_test_source(), 0)
f(0, _test_source())
def test_class_attr_model_tainted_directly() -> None:
# not an issue
DataClassWithClassAttributeTaintedDirectly(bad=1, benign=_test_source())
# TODO(T106922147): should be an issue but not raised
DataClassWithClassAttributeTaintedDirectly(bad=_test_source(), benign="1")
# not an issue
data_object_no_issue = DataClassWithClassAttributeTaintedDirectly(
bad=1, benign="1")
data_object_no_issue.benign = _test_source()
# is an issue and raised
data_object_issue = DataClassWithClassAttributeTaintedDirectly(bad=1,
benign="1")
data_object_issue.bad = _test_source()
def test_items():
key_is_tainted = {_test_source(): ""}
value_is_tainted = {"a": _test_source()}
for k, v in key_is_tainted.items():
# Should be an issue.
_test_sink(k)
# Should not be an issue.
_test_sink(v)
for k, v in value_is_tainted.items():
# Should not be an issue.
_test_sink(k)
# Should be an issue.
_test_sink(v)
def test_keys_and_values():
tainted_values = {"benign": ("benign", _test_source())}
# Should be an issue.
_test_sink(tainted_values.values())
# Shouldn't be an issue.
_test_sink(tainted_values.keys())
for item in tainted_values.values():
_test_sink(item[0])
tainted_keys = {_test_source(): ""}
# Should be an issue.
_test_sink(tainted_keys.keys())
# Shouldn't be an issue.
_test_sink(tainted_keys.values())
def dict_update_multiple():
x = {
"a": _test_source(),
"b": "safe",
"c": _test_source(),
"d": "safe",
"e": _test_source(),
}
x.update({
"a": "safe",
"b": _test_source(),
"c": _test_source(),
"d": "safe",
})
return x
def test_class_attr_model_tainted_in_constructor() -> None:
# not an issue
DataClassWithClassAttributeTaintedInConstructor(bad=1,
benign=_test_source())
# is an issue and raised
DataClassWithClassAttributeTaintedInConstructor(bad=_test_source(),
benign="1")
# not an issue
data_object_no_issue = DataClassWithClassAttributeTaintedInConstructor(
bad=1, benign="1")
data_object_no_issue.benign = _test_source()
# should be an issue but not raised
data_object_issue = DataClassWithClassAttributeTaintedInConstructor(
bad=1, benign="1")
data_object_issue.bad = _test_source()
def setters_are_simulated() -> None:
x = SetterMutatesValue()
# Expect no issue
_test_sink(x.p)
x.p = _test_source()
# x.p should now have an issue
_test_sink(x.p)
def test_union_property_attribute_source():
obj: Union[TaintedGetterAndSetter, RegularAttribute]
if 1 > 2:
obj = TaintedGetterAndSetter()
else:
obj = RegularAttribute(_test_source())
return obj.my_property
def test_return_overrides_finally():
try:
# TODO(T106611060): We should discard the source here,
# since the return in `finally` overrides it.
return _test_source()
finally:
return "hello"
def lists_of_dictionary_iteration_is_precise():
list_of_dicts = [{
"with_feature": _test_source(),
"without_feature": 0
} for x in []]
for dict in list_of_dicts:
_test_sink(dict["with_feature"])
_test_sink(dict["without_feature"])
def no_issue_fixpoint_sanitize_sources():
if 1 > 2:
x = a_source()
return sanitize_a_sink_tito(x)
else:
x = _test_source()
y = sanitize_a_sink_tito(x)
return sanitize_b_sink_tito(y)
def test_within_try_to_finally():
x = None
try:
x = _test_source()
return none_throws(x)
finally:
# TODO(T106611060): We do not find the issue here.
_test_sink(x)
def test_except_to_finally():
x = None
try:
return none_throws(x)
except:
x = _test_source()
finally:
_test_sink(x)
def sanitize_test_all_sources_attribute():
if 1 > 2:
x = a_source()
elif 2 > 3:
x = b_source()
else:
x = _test_source()
c = C_sanitized_all_sources(x)
_test_sink(c.attribute)
def sanitize_test_all_sources_instance():
if 1 > 2:
x = a_source()
elif 2 > 3:
x = b_source()
else:
x = _test_source()
c = C_sanitized_all_sources(x)
_test_sink(c.instance)
def test1_alarm4(foo):
# via-type:int, via-type:str, via-type:typing.Annotated[str]
c = Test1_C(_test_source())
foo = c.x
if 1:
foo = c.y
elif 2:
foo = c.z
_test_sink(foo)
def test2_alarm4(foo):
# via-type:Dict[str, int], via-type:List[str], via-type:float
c = Test2_C(_test_source())
foo = c.x
if 1:
foo = c.y
elif 2:
foo = c.z
_test_sink(foo)
def locals_to_sink():
# No issue before assigning.
_test_sink(locals()["x"])
x = _test_source()
_test_sink(locals()["x"])
_test_sink(locals()["y"])
# We properly handle named parameters through `**`.
named_sink(**locals())
def format_source():
x = _test_source()
return "a {}".format(x)
def through_iadd():
a = _test_source()
b = ""
b += a
_test_sink(b)
def maybe_rhs(b: bool):
if b:
a = _test_source()
else:
a = concatenate_rhs(_test_source())
_test_sink(a)
def either(b: bool):
if b:
a = concatenate_lhs(_test_source())
else:
a = concatenate_rhs(_test_source())
_test_sink(a)
def bad_2():
a = concatenate_rhs(_test_source())
_test_sink(a)
def bad_1():
a = concatenate_lhs(_test_source())
_test_sink(a)
def test_to_subkind_sink():
x = _test_source()
inferred_sink(x)
async def async_tuple_of_bools() -> Tuple[bool, bool]:
return _test_source(), _test_source()
def returns_tainted_object() -> object:
return _test_source()
def issue_via_bool():
o = _test_source()
x = bool(o)
_test_sink(x)