Merge pull request #5535 from tausbn/python-prevent-bad-TCs

Approved by yoff

python/ql/src/semmle/python/dataflow/new/internal/DataFlowPrivate.qll

@@ -1517,10 +1517,13 @@ predicate forReadStep(CfgNode nodeFrom, Content c, Node nodeTo) {
     or
     c instanceof SetElementContent
     or
-    c instanceof TupleElementContent
+    c = small_tuple()
   )
 }
 
+pragma[noinline]
+TupleElementContent small_tuple() { result.getIndex() <= 7 }
+
 /**
  * Holds if `nodeTo` is a read of an attribute (corresponding to `c`) of the object in `nodeFrom`.
  *

python/ql/src/semmle/python/dataflow/new/internal/DataFlowPublic.qll

@@ -467,14 +467,22 @@ class BarrierGuard extends GuardNode {
   }
 }
 
+private predicate comes_from_cfgnode(Node node) {
+  exists(CfgNode first, Node second |
+    simpleLocalFlowStep(first, second) and
+    simpleLocalFlowStep*(second, node)
+  )
+}
+
 /**
  * A data flow node that is a source of local flow. This includes things like
  * - Expressions
  * - Function parameters
  */
 class LocalSourceNode extends Node {
+  cached
   LocalSourceNode() {
-    not simpleLocalFlowStep+(any(CfgNode n), this) and
+    not comes_from_cfgnode(this) and
     not this instanceof ModuleVariableNode
     or
     this = any(ModuleVariableNode mvn).getARead()
@@ -522,15 +530,12 @@ private module Cached {
    * The slightly backwards parametering ordering is to force correct indexing.
    */
   cached
-  predicate hasLocalSource(Node sink, Node source) {
-    // Declaring `source` to be a `SourceNode` currently causes a redundant check in the
-    // recursive case, so instead we check it explicitly here.
-    source = sink and
-    source instanceof LocalSourceNode
+  predicate hasLocalSource(Node sink, LocalSourceNode source) {
+    source = sink
     or
-    exists(Node mid |
-      hasLocalSource(mid, source) and
-      simpleLocalFlowStep(mid, sink)
+    exists(Node second |
+      simpleLocalFlowStep(source, second) and
+      simpleLocalFlowStep*(second, sink)
     )
   }