Merge from main to resolve conflicts

python/ql/lib/semmle/python/ApiGraphs.qll

@@ -328,6 +328,9 @@ module API {
      */
     DataFlow::Node getInducingNode() { this = Impl::MkUse(result) or this = Impl::MkDef(result) }
 
+    /** Gets the location of this node */
+    PY::Location getLocation() { result = this.getInducingNode().getLocation() }
+
     /**
      * Holds if this element is at the specified location.
      * The location spans column `startcolumn` of line `startline` to
@@ -335,7 +338,7 @@ module API {
      * For more information, see
      * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
      */
-    predicate hasLocationInfo(
+    deprecated predicate hasLocationInfo(
       string filepath, int startline, int startcolumn, int endline, int endcolumn
     ) {
       this.getInducingNode().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)

python/ql/lib/semmle/python/dataflow/new/DataFlow.qll

@@ -24,6 +24,6 @@ private import python
 module DataFlow {
   private import internal.DataFlowImplSpecific
   private import codeql.dataflow.DataFlow
-  import DataFlowMake<PythonDataFlow>
+  import DataFlowMake<Location, PythonDataFlow>
   import internal.DataFlowImpl1
 }

python/ql/lib/semmle/python/dataflow/new/FlowSummary.qll

@@ -2,7 +2,6 @@
 
 private import python
 private import semmle.python.dataflow.new.DataFlow
-private import semmle.python.frameworks.data.ModelsAsData
 private import semmle.python.ApiGraphs
 private import internal.FlowSummaryImpl as Impl
 private import internal.DataFlowUtil
@@ -11,6 +10,7 @@ private import internal.DataFlowPrivate
 // import all instances below
 private module Summaries {
   private import semmle.python.Frameworks
+  private import semmle.python.frameworks.data.ModelsAsData
 }
 
 deprecated class SummaryComponent = Impl::Private::SummaryComponent;
@@ -36,32 +36,3 @@ abstract class SummarizedCallable extends LibraryCallable, Impl::Public::Summari
 }
 
 deprecated class RequiredSummaryComponentStack = Impl::Private::RequiredSummaryComponentStack;
-
-private class SummarizedCallableFromModel extends SummarizedCallable {
-  string type;
-  string path;
-
-  SummarizedCallableFromModel() {
-    ModelOutput::relevantSummaryModel(type, path, _, _, _) and
-    this = type + ";" + path
-  }
-
-  override CallCfgNode getACall() { ModelOutput::resolvedSummaryBase(type, path, result) }
-
-  override ArgumentNode getACallback() {
-    exists(API::Node base |
-      ModelOutput::resolvedSummaryRefBase(type, path, base) and
-      result = base.getAValueReachableFromSource()
-    )
-  }
-
-  override predicate propagatesFlow(string input, string output, boolean preservesValue) {
-    exists(string kind | ModelOutput::relevantSummaryModel(type, path, input, output, kind) |
-      kind = "value" and
-      preservesValue = true
-      or
-      kind = "taint" and
-      preservesValue = false
-    )
-  }
-}

python/ql/lib/semmle/python/dataflow/new/TaintTracking.qll

@@ -19,6 +19,6 @@ module TaintTracking {
   private import semmle.python.dataflow.new.internal.DataFlowImplSpecific
   private import semmle.python.dataflow.new.internal.TaintTrackingImplSpecific
   private import codeql.dataflow.TaintTracking
-  import TaintFlowMake<PythonDataFlow, PythonTaintTracking>
+  import TaintFlowMake<Location, PythonDataFlow, PythonTaintTracking>
   import internal.tainttracking1.TaintTrackingImpl
 }

python/ql/lib/semmle/python/dataflow/new/internal/DataFlowDispatch.qll

@@ -57,6 +57,9 @@ newtype TParameterPosition =
     // parameter positions available.
     FlowSummaryImpl::ParsePositions::isParsedPositionalArgumentPosition(_, index)
   } or
+  TPositionalParameterLowerBoundPosition(int pos) {
+    FlowSummaryImpl::ParsePositions::isParsedArgumentLowerBoundPosition(_, pos)
+  } or
   TKeywordParameterPosition(string name) {
     name = any(Parameter p).getName()
     or
@@ -91,6 +94,9 @@ class ParameterPosition extends TParameterPosition {
   /** Holds if this position represents a positional parameter at (0-based) `index`. */
   predicate isPositional(int index) { this = TPositionalParameterPosition(index) }
 
+  /** Holds if this position represents any positional parameter starting from position `pos`. */
+  predicate isPositionalLowerBound(int pos) { this = TPositionalParameterLowerBoundPosition(pos) }
+
   /** Holds if this position represents a keyword parameter named `name`. */
   predicate isKeyword(string name) { this = TKeywordParameterPosition(name) }
 
@@ -123,6 +129,8 @@ class ParameterPosition extends TParameterPosition {
     or
     exists(int index | this.isPositional(index) and result = "position " + index)
     or
+    exists(int pos | this.isPositionalLowerBound(pos) and result = "position " + pos + "..")
+    or
     exists(string name | this.isKeyword(name) and result = "keyword " + name)
     or
     exists(int index | this.isStarArgs(index) and result = "*args at " + index)
@@ -211,6 +219,10 @@ predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) {
   or
   exists(int index | ppos.isPositional(index) and apos.isPositional(index))
   or
+  exists(int index1, int index2 |
+    ppos.isPositionalLowerBound(index1) and apos.isPositional(index2) and index2 >= index1
+  )
+  or
   exists(string name | ppos.isKeyword(name) and apos.isKeyword(name))
   or
   exists(int index | ppos.isStarArgs(index) and apos.isStarArgs(index))
@@ -360,6 +372,10 @@ abstract class DataFlowFunction extends DataFlowCallable, TFunction {
       result.getParameter() = func.getArg(index + this.positionalOffset())
     )
     or
+    exists(int index1, int index2 | ppos.isPositionalLowerBound(index1) and index2 >= index1 |
+      result.getParameter() = func.getArg(index2 + this.positionalOffset())
+    )
+    or
     exists(string name | ppos.isKeyword(name) | result.getParameter() = func.getArgByName(name))
     or
     // `*args`
@@ -1595,7 +1611,7 @@ class FlowSummaryNode extends Node, TFlowSummaryNode {
   override string toString() { result = this.getSummaryNode().toString() }
 
   // Hack to return "empty location"
-  override predicate hasLocationInfo(
+  deprecated override predicate hasLocationInfo(
     string file, int startline, int startcolumn, int endline, int endcolumn
   ) {
     file = "" and

python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl.qll

@@ -1,3 +1,4 @@
 private import DataFlowImplSpecific
 private import codeql.dataflow.internal.DataFlowImpl
-import MakeImpl<PythonDataFlow>
+private import semmle.python.Files
+import MakeImpl<Location, PythonDataFlow>

python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl1.qll

@@ -285,6 +285,8 @@ deprecated private module Config implements FullStateConfigSig {
 
   int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) }
 
+  int accessPathLimit() { result = 5 }
+
   FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
 
   predicate sourceGrouping(Node source, string sourceGroup) {

python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl2.qll

@@ -285,6 +285,8 @@ deprecated private module Config implements FullStateConfigSig {
 
   int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) }
 
+  int accessPathLimit() { result = 5 }
+
   FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
 
   predicate sourceGrouping(Node source, string sourceGroup) {

python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl3.qll

@@ -285,6 +285,8 @@ deprecated private module Config implements FullStateConfigSig {
 
   int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) }
 
+  int accessPathLimit() { result = 5 }
+
   FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
 
   predicate sourceGrouping(Node source, string sourceGroup) {

python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl4.qll

@@ -285,6 +285,8 @@ deprecated private module Config implements FullStateConfigSig {
 
   int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) }
 
+  int accessPathLimit() { result = 5 }
+
   FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
 
   predicate sourceGrouping(Node source, string sourceGroup) {

python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImplCommon.qll

@@ -1,3 +1,4 @@
 private import DataFlowImplSpecific
 private import codeql.dataflow.internal.DataFlowImplCommon
-import MakeImplCommon<PythonDataFlow>
+private import semmle.python.Files
+import MakeImplCommon<Location, PythonDataFlow>

python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImplSpecific.qll

@@ -15,7 +15,7 @@ module Public {
   import DataFlowUtil
 }
 
-module PythonDataFlow implements InputSig {
+module PythonDataFlow implements InputSig<Python::Location> {
   import Private
   import Public
 

python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPublic.qll

@@ -148,6 +148,7 @@ class Node extends TNode {
   DataFlowCallable getEnclosingCallable() { result = getCallableScope(this.getScope()) }
 
   /** Gets the location of this node */
+  cached
   Location getLocation() { none() }
 
   /**
@@ -157,8 +158,7 @@ class Node extends TNode {
    * For more information, see
    * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
    */
-  cached
-  predicate hasLocationInfo(
+  deprecated predicate hasLocationInfo(
     string filepath, int startline, int startcolumn, int endline, int endcolumn
   ) {
     Stages::DataFlow::ref() and

python/ql/lib/semmle/python/dataflow/new/internal/FlowSummaryImpl.qll

@@ -9,7 +9,7 @@ private import DataFlowImplSpecific as DataFlowImplSpecific
 private import DataFlowImplSpecific::Private
 private import DataFlowImplSpecific::Public
 
-module Input implements InputSig<DataFlowImplSpecific::PythonDataFlow> {
+module Input implements InputSig<Location, DataFlowImplSpecific::PythonDataFlow> {
   class SummarizedCallableBase = string;
 
   ArgumentPosition callbackSelfParameterPosition() { result.isLambdaSelf() }
@@ -27,6 +27,11 @@ module Input implements InputSig<DataFlowImplSpecific::PythonDataFlow> {
       result = i.toString()
     )
     or
+    exists(int i |
+      pos.isPositionalLowerBound(i) and
+      result = i + ".."
+    )
+    or
     exists(string name |
       pos.isKeyword(name) and
       result = name + ":"
@@ -83,7 +88,7 @@ module Input implements InputSig<DataFlowImplSpecific::PythonDataFlow> {
   }
 }
 
-private import Make<DataFlowImplSpecific::PythonDataFlow, Input> as Impl
+private import Make<Location, DataFlowImplSpecific::PythonDataFlow, Input> as Impl
 
 private module StepsInput implements Impl::Private::StepsInputSig {
   DataFlowCall getACall(Public::SummarizedCallable sc) {
@@ -195,6 +200,11 @@ module ParsePositions {
     i = AccessPath::parseInt(c)
   }
 
+  predicate isParsedArgumentLowerBoundPosition(string c, int i) {
+    isArgBody(c) and
+    i = AccessPath::parseLowerBound(c)
+  }
+
   predicate isParsedKeywordArgumentPosition(string c, string argName) {
     isArgBody(c) and
     c = argName + ":"

python/ql/lib/semmle/python/dataflow/new/internal/TaintTrackingImplSpecific.qll

@@ -4,7 +4,8 @@
 
 private import codeql.dataflow.TaintTracking
 private import DataFlowImplSpecific
+private import semmle.python.Files
 
-module PythonTaintTracking implements InputSig<PythonDataFlow> {
+module PythonTaintTracking implements InputSig<Location, PythonDataFlow> {
   import TaintTrackingPrivate
 }

python/ql/lib/semmle/python/dataflow/new/internal/TaintTrackingPrivate.qll

@@ -195,6 +195,8 @@ predicate copyStep(DataFlow::CfgNode nodeFrom, DataFlow::CfgNode nodeTo) {
     call = API::moduleImport("copy").getMember(["copy", "deepcopy"]).getACall() and
     call.getArg(0) = nodeFrom
   )
+  or
+  nodeTo.(DataFlow::MethodCallNode).calls(nodeFrom, "copy")
 }
 
 /**

python/ql/lib/semmle/python/frameworks/data/ModelsAsData.qll

@@ -17,7 +17,7 @@ import Shared::ModelOutput as ModelOutput
 private import semmle.python.dataflow.new.RemoteFlowSources
 private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.ApiGraphs
-private import semmle.python.dataflow.new.TaintTracking
+private import semmle.python.dataflow.new.FlowSummary
 
 /**
  * A remote flow source originating from a CSV source row.
@@ -28,20 +28,31 @@ private class RemoteFlowSourceFromCsv extends RemoteFlowSource {
   override string getSourceType() { result = "Remote flow (from model)" }
 }
 
-/**
- * Like `ModelOutput::summaryStep` but with API nodes mapped to data-flow nodes.
- */
-private predicate summaryStepNodes(DataFlow::Node pred, DataFlow::Node succ, string kind) {
-  exists(API::Node predNode, API::Node succNode |
-    Specific::summaryStep(predNode, succNode, kind) and
-    pred = predNode.asSink() and
-    succ = succNode.asSource()
-  )
-}
+private class SummarizedCallableFromModel extends SummarizedCallable {
+  string type;
+  string path;
 
-/** Taint steps induced by summary models of kind `taint`. */
-private class TaintStepFromSummary extends TaintTracking::AdditionalTaintStep {
-  override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
-    summaryStepNodes(pred, succ, "taint")
+  SummarizedCallableFromModel() {
+    ModelOutput::relevantSummaryModel(type, path, _, _, _) and
+    this = type + ";" + path
+  }
+
+  override DataFlow::CallCfgNode getACall() { ModelOutput::resolvedSummaryBase(type, path, result) }
+
+  override DataFlow::ArgumentNode getACallback() {
+    exists(API::Node base |
+      ModelOutput::resolvedSummaryRefBase(type, path, base) and
+      result = base.getAValueReachableFromSource()
+    )
+  }
+
+  override predicate propagatesFlow(string input, string output, boolean preservesValue) {
+    exists(string kind | ModelOutput::relevantSummaryModel(type, path, input, output, kind) |
+      kind = "value" and
+      preservesValue = true
+      or
+      kind = "taint" and
+      preservesValue = false
+    )
   }
 }

python/ql/lib/semmle/python/internal/CachedStages.qll

@@ -194,7 +194,7 @@ module Stages {
       or
       exists(any(DataFlowPublic::Node node).toString())
       or
-      any(DataFlowPublic::Node node).hasLocationInfo(_, _, _, _, _)
+      exists(any(DataFlowPublic::Node node).getLocation())
       or
       DataFlowDispatch::resolveCall(_, _, _)
       or