Description
Hello, I am trying to write a few dataflow queries for Python, and I noticed that the DataFlow module is unable to do taint tracking through indirect calls.
def test1(arg : str):
print(f"test1 {arg}")
def test2(arg : str):
print(f"test2 {arg}")
# Two dispatch tables over the same two callees: one keyed by name,
# one keyed by position. Both make the eventual call site indirect.
funcmap = dict(test1=test1, test2=test2)
funclist = [test1, test2]
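def foo(arg1: str, arg2: int):
    """Forward ``arg1`` to ``test1`` or ``test2``, twice, through indirect calls.

    The callee is chosen by ``arg2`` and then invoked once through the
    name-keyed ``funcmap`` and once through the positional ``funclist``.

    Args:
        arg1: value passed unchanged to the selected callee.
        arg2: selector; ``1`` picks ``test1``, any other value picks ``test2``.
    """
    # No ``global`` declaration: funcmap and funclist are only read here, never
    # rebound. (The original had ``global funclist, funclist`` -- the same name
    # twice, which was clearly a typo for ``funcmap, funclist``.)
    if arg2 == 1:
        func_name, out = "test1", 0
    else:
        func_name, out = "test2", 1
    # Both lookups resolve the callee at runtime; this is the indirect-call
    # shape that a dataflow query has to see through.
    funcmap[func_name](arg1)
    funclist[out](arg1)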
# Exercise both dispatch branches once each.
for text, selector in (("hello", 1), ("world", 2)):
    foo(text, selector)
Here, when I try to track flows from `foo` to `test1` or `test2`, the dataflow module cannot find them.
Here is the query that I was using:
/**
 * Taint-tracking configuration whose source is the first parameter of the
 * function named `foo` and whose sink is the first parameter of the function
 * named `test2`.
 */
module MyConfiguration implements DataFlow::ConfigSig {
  /** Gets the parameter node for the first argument of the function named `foo`. */
  private DataFlow::ParameterNode funcSourceCall() {
    exists(Function func |
      func.getName() = "foo" and
      result.getParameter() = func.getArg(0)
    )
  }

  /** Gets the parameter node for the first argument of the function named `test2`. */
  private DataFlow::ParameterNode funcSinkCall() {
    exists(Function func |
      func.getName() = "test2" and
      result.getParameter() = func.getArg(0)
    )
  }

  predicate isSource(DataFlow::Node source) { source = funcSourceCall() }

  predicate isSink(DataFlow::Node sink) { sink = funcSinkCall() }
}
/** Global taint-tracking flow instantiated over `MyConfiguration` (the alias name does not describe this configuration's `foo` -> `test2` source/sink pair). */
module RemoteToFileFlow = TaintTracking::Global<MyConfiguration>;
// Report every (source, sink) pair joined by the configured taint flow.
from DataFlow::Node source, DataFlow::Node sink
where RemoteToFileFlow::flow(source, sink)
select sink.asExpr(), source, sink, "Src to Sink"
Is this not supported by CodeQL (or am I doing something wrong)? If it is not supported, is there a hackish way I can enable this tracking - maybe by modifying the control-flow graph?