[python] SRC -> SINK1 -> SINK2 problem

[Sim4n6]

Hi,

I have the following simple case I cannot implement using QL syntax, please.

source1 flows to sink1. The sink1 in turn flows to sink2. 

Can I combine two TaintTracking configurations? I mean something like

import semmle.python.dataflow.new.TaintTracking


class Config1 extends TaintTracking::Configuration 

  override predicate isSource(DataFlow::Node source) { source instanceof source1 }

  override predicate isSink(DataFlow::Node sink) { sink instanceof sink1 }
}

class Config2 extends TaintTracking::Configuration 

  override predicate isSource(DataFlow::Node source) { exists(config1 cfg, DataFlow::Node src | cfg.hasFlow(src, source)) }

  override predicate isSink(DataFlow::Node sink) { sink instanceof sink2 }
}

from Config2 config, DataFlow::PathNode source, DataFlow::PathNode sink
where config.hasFlowPath(source, sink)
select sink, source, sink, "Str"

But the problem with such implementation is Non-monotonic recursion error at hasFlow()

Please, how do you suggest that I proceed ?

[Sim4n6]

The idea of using isAdditionalTaintStep() may be plausible but I need it to be a required additional step not an optional one.

[Sim4n6]

A simpler solution would be to use two separate configurations and restraint in the where to link the config1 sink to config2 source.

[jketema]

It's not possible to extend TaintTracking::Configuration twice in the same query. If you need two configurations then you'll need to import TaintTracking2 and use TaintTracking2::Configuration:

import semmle.python.dataflow.new.TaintTracking
import semmle.python.dataflow.new.TaintTracking2

class Config1 extends TaintTracking::Configuration 

  override predicate isSource(DataFlow::Node source) { source instanceof Source1 }

  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink1 }
}

class Config2 extends TaintTracking2::Configuration 

  override predicate isSource(DataFlow::Node source) { any(Config1 cfg).hasFlow(_, source) }

  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink2 }
}

from Config2 config, DataFlow::PathNode source, DataFlow::PathNode sink
where config.hasFlowPath(source, sink)
select sink, source, sink, "Str"

Alternatively, your isAdditionalTaintStep idea can be achieved using flow states:

class State1 extends DataFlow::FlowState {
  State1() { this = "State1" }
}

class State2 extends DataFlow::FlowState {
  State2() { this = "State2" }
}

class Config extends TaintTracking::Configuration 

  override predicate isSource(DataFlow::Node source, DataFlow::FlowState state) {
    source instanceof Source1 and
    state instanceof State1
  }

  override predicate isSink(DataFlow::Node sink, DataFlow::FlowState state) {
    sink instanceof Sink2 and
    state instanceof State2
  }

  override predicate isAdditionalTaintStep(
    DataFlow::Node node1, DataFlow::FlowState state1, DataFlow::Node node2, DataFlow::FlowState state2
  ) {
    node1 instanceof Sink1 and
    state1 instanceof State1 and
    node2 instanceof Source2 and
    state2 instanceof State2 and
  }
}

[Sim4n6]

• I will try the two configurations with TaintTracking2 use.
• I don't really understand the state use. Could you please elaborate a bit?

[jketema]

I don't really understand the state use. Could you please elaborate a bit?

Basically you combine the two configurations into one by assigning a state to dataflow node. The source here comes from your original Config1 and is assigned State1. The sink here comes from your original Config2 and can only be reached when you are in State2. This leaves to define the point where we switch from State1 to State2 along a dataflow path. This we do using isAdditionalTaintStep when we detect we reached a sink of your original Config1.

[Sim4n6]

Thank you very much for the explanation

[Sim4n6]

The flowState is really an elegeant way to handle this, thank you