Taint flow not tracked when assigning to class attribute and accessing via instance in Python
Description
I am testing taint analysis on a Python code snippet where a tainted value is assigned to a class attribute and then accessed via an instance of that class. Joern fails to track the taint flow from the source to the sink in this scenario.
Input Code
The file simple_object_003_T.py contains the following code:
```python
import os

def simple_object_003_T(taint_src):
    class Person:
        pass
    # Taint is assigned to a class attribute
    Person.name = taint_src
    # Create an instance of Person
    person = Person()
    # Access the class attribute via the instance
    # This should carry the taint to the sink
    taint_sink(person.name)

def taint_sink(o):
    os.system(o)
```
Steps to Reproduce
- Parse the Python file using joern-parse: `joern-parse simple_object_003_T.py`
- Run the following Joern script to check for taint flows:
```scala
import io.joern.dataflowengineoss.language._
import io.shiftleft.codepropertygraph.generated.nodes._

@main def main(): Unit = {
  val source = cpg.method.nameExact("simple_object_003_T").parameter.nameExact("taint_src").l
  val sink = cpg.call.nameExact("system").where(_.argument.code("os")).l
  println(s"Source count: ${source.size}")
  println(s"Sink count: ${sink.size}")
  val flows = sink.reachableByFlows(source).l
  if (flows.nonEmpty) {
    println(s"Found ${flows.size} flows.")
    flows.foreach(println)
  } else {
    println("No flows found.")
  }
}
```
Expected Behavior
Joern should detect a taint flow from taint_src (parameter) → Person.name (class attribute assignment) → person.name (instance attribute access) → taint_sink → os.system.
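As an added check that is not part of the original report: a small runtime oracle that replaces the os.system sink with an is-tainted test and confirms the expected verdict for this case, and also for two related attribute-lookup variants (an instance attribute shadowing the class attribute, and the class attribute assigned after the instance exists). The Tainted class, the case function names and the input string are constructed for this example.

```python
"""Runtime ground-truth oracle for the class-attribute taint case (constructed example)."""


class Tainted(str):
    """A str that marks itself as originating from a taint source; the value is unchanged."""


def is_tainted(value) -> bool:
    # Stands in for the os.system sink: report whether what reached the sink is tainted.
    return isinstance(value, Tainted)


def case_class_attr_via_instance(taint_src):
    # The reported scenario: attribute set on the class object, read through an instance.
    class Person:
        pass
    Person.name = taint_src
    person = Person()
    return is_tainted(person.name)  # lookup misses the instance dict, falls back to the class


def case_instance_shadows(taint_src):
    # Variant: an instance attribute with a clean value shadows the tainted class attribute.
    class Person:
        pass
    Person.name = taint_src
    person = Person()
    person.name = "clean"
    return is_tainted(person.name)


def case_class_attr_after_instantiation(taint_src):
    # Variant: the class attribute is assigned after the instance exists; lookup is dynamic.
    class Person:
        pass
    person = Person()
    Person.name = taint_src
    return is_tainted(person.name)


def oracle(taint_src):
    """Expected taint verdict per case, for comparison with a static engine's findings."""
    return {
        "class_attr_via_instance": case_class_attr_via_instance(taint_src),
        "instance_shadows": case_instance_shadows(taint_src),
        "class_attr_after_instantiation": case_class_attr_after_instantiation(taint_src),
    }


if __name__ == "__main__":
    print(oracle(Tainted("constructed-input")))  # no command is executed
```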
Actual Behavior
No taint flows are found. It seems the data-flow engine does not correctly model the propagation of values from class attributes to instances when the attribute is set on the class object itself.
Environment
- Joern version: 4.0.325
- OS: Linux