Add additional constant checks to constant barrier gaurd

2026-05-04 05:05:12 +02:00 · 2024-09-20 12:46:10 +01:00
parent f2e943f9ba
commit 164cf27e67
1 changed files with 24 additions and 13 deletions
--- a/python/ql/lib/semmle/python/dataflow/new/BarrierGuards.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/BarrierGuards.qll
@@ -3,34 +3,45 @@
 private import python
 private import semmle.python.dataflow.new.DataFlow

-private predicate stringConstCompare(DataFlow::GuardNode g, ControlFlowNode node, boolean branch) {
+private predicate constCompare(DataFlow::GuardNode g, ControlFlowNode node, boolean branch) {
  exists(CompareNode cn | cn = g |
-    exists(StringLiteral str_const, Cmpop op |
+    exists(ImmutableLiteral const, Cmpop op |
      op = any(Eq eq) and branch = true
      or
      op = any(NotEq ne) and branch = false
    |
-      cn.operands(str_const.getAFlowNode(), op, node)
+      cn.operands(const.getAFlowNode(), op, node)
      or
-      cn.operands(node, op, str_const.getAFlowNode())
+      cn.operands(node, op, const.getAFlowNode())
    )
    or
-    exists(IterableNode str_const_iterable, Cmpop op |
+    exists(NameConstant const, Cmpop op |
+      op = any(Is is_) and branch = true
+      or
+      op = any(IsNot isn) and branch = false
+    |
+      cn.operands(const.getAFlowNode(), op, node)
+      or
+      cn.operands(node, op, const.getAFlowNode())
+    )
+    or
+    exists(IterableNode const_iterable, Cmpop op |
      op = any(In in_) and branch = true
      or
      op = any(NotIn ni) and branch = false
    |
-      forall(ControlFlowNode elem | elem = str_const_iterable.getAnElement() |
-        elem.getNode() instanceof StringLiteral
+      forall(ControlFlowNode elem | elem = const_iterable.getAnElement() |
+        elem.getNode() instanceof ImmutableLiteral
      ) and
-      cn.operands(node, op, str_const_iterable)
+      cn.operands(node, op, const_iterable)
    )
  )
 }

-/** A validation of unknown node by comparing with a constant string value. */
-class StringConstCompareBarrier extends DataFlow::Node {
-  StringConstCompareBarrier() {
-    this = DataFlow::BarrierGuard<stringConstCompare/3>::getABarrierNode()
-  }
+/** A validation of unknown node by comparing with a constant value. */
+class ConstCompareBarrier extends DataFlow::Node {
+  ConstCompareBarrier() { this = DataFlow::BarrierGuard<constCompare/3>::getABarrierNode() }
 }
+
+/** DEPRECATED: Use ConstCompareBarrier instead. */
+deprecated class StringConstCompareBarrier = ConstCompareBarrier;