Add tests for Format String Specifier

Summary: # Facebook Followup to the improvements yangdanny97 made here D56836356 Reviewed By: arthaud Differential Revision: D57415547 fbshipit-source-id: 97db082069aecd487a578ed072eb51de33f68c37
facebook · May 17, 2024 · e235132 · e235132
1 parent 0768845
commit e235132
Show file tree

Hide file tree

Showing 3 changed files with 155 additions and 0 deletions.
diff --git a/source/interprocedural_analyses/taint/test/integration/format.py b/source/interprocedural_analyses/taint/test/integration/format.py
@@ -30,3 +30,17 @@ def sink_in_format(arg):
 def issue_in_format():
  taint = _test_source()
  return f"{_test_sink(taint)} is bad"
+
+
+def source_in_format_specifier():
+ value = ""
+ return f"{value:{_test_source()}}"
+
+
+def sink_in_format_specifier(value, argument):
+ f"{value:{_test_sink(argument)}}"
+
+
+def issue_in_format_specifier():
+ value = ""
+ f"{value:{_test_sink(_test_source())}}"
diff --git a/source/interprocedural_analyses/taint/test/integration/format.py.cg b/source/interprocedural_analyses/taint/test/integration/format.py.cg
@@ -2,8 +2,11 @@
 Call dependencies
 format.$toplevel (fun) -> []
 format.issue_in_format (fun) -> [<format-string> (object) _test_sink (fun) _test_source (fun) object.__repr__ (method)]
+format.issue_in_format_specifier (fun) -> [<format-string> (object) _test_sink (fun) _test_source (fun) object.__repr__ (method) str.__str__ (method)]
 format.sink_in_format (fun) -> [<format-string> (object) _test_sink (fun) object.__repr__ (method)]
+format.sink_in_format_specifier (fun) -> [<format-string> (object) _test_sink (fun) object.__repr__ (method) str.__str__ (method)]
 format.sink_via_format (fun) -> [<format-string> (object) _test_sink (fun)]
 format.source_in_format (fun) -> [<format-string> (object) _test_source (fun)]
+format.source_in_format_specifier (fun) -> [<format-string> (object) _test_source (fun) str.__str__ (method)]
 format.source_via_format (fun) -> [<format-string> (object) _test_source (fun)]
 format.tito_via_format (fun) -> [<format-string> (object)]
diff --git a/source/interprocedural_analyses/taint/test/integration/format.py.models b/source/interprocedural_analyses/taint/test/integration/format.py.models
@@ -1,4 +1,71 @@
 @generated
+{
+ "kind": "issue",
+ "data": {
+ "callable": "format.issue_in_format_specifier",
+ "callable_line": 44,
+ "code": 5002,
+ "line": 46,
+ "start": 25,
+ "end": 39,
+ "filename": "format.py",
+ "message": "Data from [Test] source(s) may reach [Test] sink(s)",
+ "traces": [
+ {
+ "name": "forward",
+ "roots": [
+ {
+ "kinds": [
+ {
+ "features": [ { "always-via": "special_source" } ],
+ "leaves": [
+ { "name": "_test_source", "port": "leaf:return" }
+ ],
+ "kind": "Test"
+ }
+ ],
+ "origin": {
+ "filename": "format.py",
+ "line": 46,
+ "start": 25,
+ "end": 39
+ }
+ }
+ ]
+ },
+ {
+ "name": "backward",
+ "roots": [
+ {
+ "kinds": [
+ {
+ "features": [ { "always-via": "special_sink" } ],
+ "leaves": [ { "name": "_test_sink", "port": "leaf:arg" } ],
+ "kind": "Test"
+ }
+ ],
+ "origin": {
+ "filename": "format.py",
+ "line": 46,
+ "start": 25,
+ "end": 39
+ }
+ }
+ ]
+ }
+ ],
+ "features": [
+ { "always-via": "special_source" }, { "always-via": "special_sink" }
+ ],
+ "sink_handle": {
+ "kind": "Call",
+ "callee": "_test_sink",
+ "index": 0,
+ "parameter": "formal(arg)"
+ },
+ "master_handle": "format.issue_in_format_specifier:5002:0:Call|_test_sink|0|formal(arg):539f62facb86a7b839eb74cb3d169c7a"
+ }
+}
 {
  "kind": "model",
  "data": {
@@ -337,6 +404,36 @@
  ]
  }
 }
+{
+ "kind": "model",
+ "data": {
+ "callable": "format.sink_in_format_specifier",
+ "filename": "format.py",
+ "callable_line": 40,
+ "sinks": [
+ {
+ "port": "formal(argument, position=1)",
+ "taint": [
+ {
+ "kinds": [
+ {
+ "features": [ { "always-via": "special_sink" } ],
+ "leaves": [ { "name": "_test_sink", "port": "leaf:arg" } ],
+ "kind": "Test"
+ }
+ ],
+ "origin": {
+ "filename": "format.py",
+ "line": 41,
+ "start": 25,
+ "end": 33
+ }
+ }
+ ]
+ }
+ ]
+ }
+}
 {
  "kind": "model",
  "data": {
@@ -407,6 +504,47 @@
  ]
  }
 }
+{
+ "kind": "model",
+ "data": {
+ "callable": "format.source_in_format_specifier",
+ "filename": "format.py",
+ "callable_line": 35,
+ "sources": [
+ {
+ "port": "result",
+ "taint": [
+ {
+ "kinds": [
+ {
+ "features": [ { "always-via": "special_source" } ],
+ "leaves": [
+ { "name": "_test_source", "port": "leaf:return" }
+ ],
+ "kind": "Test"
+ }
+ ],
+ "local_features": [
+ { "always-via": "obscure:model" },
+ { "always-via": "format-string" },
+ { "always-via": "tito" }
+ ],
+ "tito_positions": [
+ { "line": 37, "start": 11, "end": 38 },
+ { "line": 37, "start": 21, "end": 35 }
+ ],
+ "origin": {
+ "filename": "format.py",
+ "line": 37,
+ "start": 21,
+ "end": 35
+ }
+ }
+ ]
+ }
+ ]
+ }
+}
 {
  "kind": "model",
  "data": {