Add taint analysis support

[ericwb]

Is your feature request related to a problem? Please describe. Need to add a taint feature to detect tainted input being passed to various functions.

Describe the solution you'd like Rather than showing results of various calls that indicate possible injection, the analysis needs to be smarter about the confidence in the injection by inspecting the potential taint from outsider input.

Describe alternatives you've considered Each call to a injection vulnerable function can be flagged as a result, but this can be very unreliable.

Additional context Example functions that could benefit from taint analysis:

• logging - Log injection
  • https://docs.python.org/3/library/logging.html
  • https://docs.aws.amazon.com/codeguru/detector-library/python/log-injection/
• eval
• exec
• shlex
• shutil
• subprocess
  • https://docs.python.org/3/library/subprocess.html
• module injection
  • https://docs.aws.amazon.com/codeguru/detector-library/python/module-injection/
• yaml.load, json.load, etc
• open redirect
  • https://www.pythonkitchen.com/how-prevent-open-redirect-vulnerab-flask/
  • https://cwe.mitre.org/data/definitions/601.html

Also, see "taint": Value obtained from user input. In SARIF 3.38.8

Love this idea? Give it a 👍. We prioritize fulfilling features with the most 👍.

[ericwb]

• A digest can be added to another string. In which case, need to use something like taint analysis

• Symbol table can store tainted variables

  • If taint, provide a source field
    • raw_input()
    • Hmac.digest()
  • The rule would predefine sources of taint
  • Targets or sinks might be
    • == operator for hmac.digest
    • Injection vulnerable functions

[ericwb]

• Insecure Random
  • Warning - The pseudo-random generators of this module should not be used for security purposes. For security or cryptographic uses, see the secrets module.
    • A form of taint source. Use as tainted input for security calls