CodeQL library for Python
codeql/python-all 1.0.3-dev (changelog, source)

Predicate SensitiveDataModeling::extraStepForCalls

Holds if the step from nodeFrom to nodeTo should be considered a taint-flow step for sensitive-data, to ensure calls are handled correctly.

To handle calls properly, while preserving a good source for path explanations, you need to include this predicate as an additional taint step in your taint-tracking configurations.

The core problem can be illustrated by the example below. If we consider the print a sink, what path and what source do we want to show? My initial approach would be to use type-tracking to propagate from the not_found.get_passwd attribute lookup, to the use of non_sensitive_name, and then create a new SensitiveDataSource::Range like SensitiveFunctionCall. Although that seems likely to work, it will also end up with a non-optimal path, which starts at bad source, and therefore doesn’t show how we figured out that non_sensitive_name could be a function that returns a password (and in cases where there is many calls to my_func it will be annoying for someone to figure this out manually).

By including this additional taint-step in the taint-tracking configuration, it’s possible to get a path explanation going from good source to the sink.

def my_func(non_sensitive_name):
    x = non_sensitive_name() # <-- bad source
    print(x) # <-- sink

import not_found
f = not_found.get_passwd # <-- good source

Import path

predicate extraStepForCalls(Node nodeFrom, CallCfgNode nodeTo)