codeql/python/ql/test/library-tests/frameworks/stdlib/CodeExecution.py at sauyon/java-spring-stringutils · ByteDecoder/codeql · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
# without this, `eval("print(42)")` becomes invalid syntax in Python 2, since print is a
# statement
from __future__ import print_function

import sys

if sys.version_info[0] == 3:
    import builtins
if sys.version_info[0] == 2:
    import __builtin__ as builtins

exec("print(42)")  # $getCode="print(42)"
eval("print(42)")  # $getCode="print(42)"

builtins.eval("print(42)")  # $getCode="print(42)"

cmd = compile("print(42)", "<filename>", "exec")
exec(cmd)  # $getCode=cmd

cmd = builtins.compile("print(42)", "<filename>", "exec")
exec(cmd)  # $getCode=cmd

# ------------------------------------------------------------------------------
# taint related


def test_additional_taint():
    src = TAINTED_STRING

    cmd1 = compile(src, "<filename>", "exec")
    cmd2 = compile(source=src, filename="<filename>", mode="exec")
    cmd3 = builtins.compile(src, "<filename>", "exec")

    ensure_tainted(
        src,
        cmd1,
        cmd2,
        cmd3,
    )