Python: Make sure all imprecise taint bubbles up

yoff · yoff · commit ee96655d70ec · 2025-04-23T14:41:03.000+02:00
diff --git a/python/ql/lib/semmle/python/frameworks/Stdlib.qll b/python/ql/lib/semmle/python/frameworks/Stdlib.qll
@@ -4157,8 +4157,15 @@ module StdlibPrivate {
         )
         // TODO: Once we have DictKeyContent, we need to transform that into ListElementContent
       ) and
-      output = "ReturnValue.ListElement" and
-      preservesValue = true
+      (
+        //Element content is mutated into list element content
+        output = "ReturnValue.ListElement" and
+        preservesValue = true
+        or
+        // Since list content is imprecise, we also taint the list.
+        output = "ReturnValue" and
+        preservesValue = false
+      )
       or
       input = "Argument[0]" and
       output = "ReturnValue" and
diff --git a/python/ql/test/library-tests/dataflow/tainttracking/defaultAdditionalTaintStep/test_collections.py b/python/ql/test/library-tests/dataflow/tainttracking/defaultAdditionalTaintStep/test_collections.py
@@ -27,14 +27,11 @@ def test_construction():
         tainted_dict, # $ tainted
     )
 
-    # There are no implicit reads for list content as it is imprecise
-    # Therefore, list content stemming from precise content does not end up on the list itself. 
     ensure_tainted(
         list(tainted_list), # $ tainted
-        list(tainted_tuple)[0], # $ tainted
+        list(tainted_tuple), # $ tainted
         list(tainted_set), # $ tainted
-        list(tainted_dict.values())[0], # $ tainted
-        list(tainted_dict.items())[0], # $ tainted
+        list(tainted_dict.values()), # $ tainted
 
         tuple(tainted_list), # $ tainted
         set(tainted_list), # $ tainted
@@ -46,7 +43,8 @@ def test_construction():
     )
 
     ensure_not_tainted(
-        dict(k = tainted_string)["k1"]
+        dict(k = tainted_string)["k1"],
+        list(tainted_dict.items()),
     )
 
 
