Starred tuple assignment #150

Merged
KevinHock merged 4 commits into python-security:master from bcaller:starred-tuple-assign
Jul 24, 2018


@bcaller bcaller commented Jul 23, 2018

We can do slightly better than just assigning all of the RHS variables to all the LHS targets.

a, b = c, d should be easy to propagate taint to the correct variable for instance.

When we have starargs then we can still try to propagate taint to the variables which could potentially end up tainted.

@KevinHock KevinHock self-requested a review July 23, 2018 18:18

@KevinHock KevinHock left a comment


This is really great code, thanks for this! :)

new_ast_node = ast.Assign(target, value)
new_ast_node.lineno = node.lineno

ast.copy_location(new_ast_node, node)

@KevinHock KevinHock Jul 24, 2018


Nice, that's awesome.

for var in rhs_visitor.result:
remaining_variables.remove(var)

# Pair targets and values until a Starred node is reached
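Review bot: `remaining_variables.remove(var)` inside the `for var in rhs_visitor.result` loop raises when `var` is not, or is no longer, in `remaining_variables`, so the loop depends on both collections having been built with matching contents and multiplicities (for example when one variable is used twice within a single value). State that invariant in a comment next to the loop, or guard the call with a membership check so one unexpected name does not abort analysis of the whole assignment.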

@KevinHock KevinHock Jul 24, 2018


Woah nice 😮

[(n.left_hand_side, n.right_hand_side_variables) for n in middle_nodes],
[('a', ['f']), ('b', ['g', 'h']), ('c', ['g', 'h']), ('d', ['f', 'i']), ('e', ['j'])],
)


@KevinHock KevinHock Jul 24, 2018


Possible pep8 nit: w/r/t one line between methods of a class.

Try to match the targets with the values so we reduce the number of
false positives. Before, all right hand side variables were tainting all
of the left hand side variables.
a, *b = _, _, TAINT
a clean, b tainted
a, *b, c = _, _, TAINT, TAINT, _
a clean, b tainted, c clean
a, *b, c = _, *_, *TAINT, *_
a clean, b tainted, c tainted
@bcaller bcaller force-pushed the starred-tuple-assign branch from e08b8ab to 80113af Compare July 24, 2018 13:08

bcaller commented Jul 24, 2018

Fixed. I'll try and fix travis and tox configs later because I think flake8 should've caused the build to fail.


Collaborator

Awesome, thanks again :)

@KevinHock KevinHock merged commit 6d81d91 into python-security:master Jul 24, 2018
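
The target/value matching described in the pull request and its commit message, as an added sketch that is not the project's own code: it pairs targets with values from both ends until a Starred node is reached and treats whatever is left as ambiguous. The function names `names`, `flows` and `tainted_targets` are hypothetical, and the sample statements are constructed (with `x`, `y`, `z` standing in for the clean `_` values).

```python
import ast


def names(node):
    """Names referenced anywhere inside an AST node (ast.walk looks inside Starred)."""
    return {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}


def flows(stmt):
    """Map each target of one assignment statement to the RHS names that may reach it."""
    node = ast.parse(stmt).body[0]
    target, value = node.targets[0], node.value
    seq = (ast.Tuple, ast.List)
    if not (isinstance(target, seq) and isinstance(value, seq)):
        # No element-wise structure to exploit: every RHS name reaches every target
        return {t: sorted(names(value)) for t in names(target)}
    targets, values, result = list(target.elts), list(value.elts), {}

    def pair(index):
        # Consume (target, value) pairs from one end while neither side is Starred
        while targets and values and not any(
                isinstance(n, ast.Starred) for n in (targets[index], values[index])):
            t, v = targets.pop(index), values.pop(index)
            result.update({name: sorted(names(v)) for name in names(t)})

    pair(0)    # left to right, up to the first Starred node
    pair(-1)   # right to left, up to the last Starred node
    # Anything left is ambiguous: all remaining values may reach all remaining targets
    leftover = sorted(set().union(*map(names, values)))
    for t in targets:
        result.update({name: leftover for name in names(t)})
    return result


def tainted_targets(stmt, sources):
    """Targets that can receive at least one name from `sources`."""
    return sorted(t for t, rhs in flows(stmt).items() if set(rhs) & set(sources))


if __name__ == "__main__":
    # Constructed inputs modelled on the three cases in the commit message
    for s in ("a, *b = x, y, TAINT",
              "a, *b, c = x, y, TAINT, TAINT, z",
              "a, *b, c = x, *y, *TAINT, *z"):
        print(s, "->", tainted_targets(s, {"TAINT"}))
```
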
Reviewers

KevinHock approved these changes
