Merge branch 'main' of github.com:github/codeql into SharedDataflow_FieldFlow

python/ql/src/experimental/dataflow/TypeTracker.qll

@@ -47,11 +47,11 @@ class StepSummary extends TStepSummary {
 module StepSummary {
   cached
   predicate step(Node nodeFrom, Node nodeTo, StepSummary summary) {
-    exists(Node mid | EssaFlow::essaFlowStep*(nodeFrom, mid) and smallstep(mid, nodeTo, summary))
+    exists(Node mid | typePreservingStep*(nodeFrom, mid) and smallstep(mid, nodeTo, summary))
   }
 
   predicate smallstep(Node nodeFrom, Node nodeTo, StepSummary summary) {
-    EssaFlow::essaFlowStep(nodeFrom, nodeTo) and
+    typePreservingStep(nodeFrom, nodeTo) and
     summary = LevelStep()
     or
     callStep(nodeFrom, nodeTo) and summary = CallStep()
@@ -68,6 +68,12 @@ module StepSummary {
   }
 }
 
+/** Holds if it's reasonable to expect the data flow step from `nodeFrom` to `nodeTo` to preserve types. */
+private predicate typePreservingStep(Node nodeFrom, Node nodeTo) {
+  EssaFlow::essaFlowStep(nodeFrom, nodeTo) or
+  jumpStep(nodeFrom, nodeTo)
+}
+
 /** Holds if `nodeFrom` steps to `nodeTo` by being passed as a parameter in a call. */
 predicate callStep(ArgumentNode nodeFrom, ParameterNode nodeTo) {
   // TODO: Support special methods?
@@ -111,7 +117,7 @@ predicate returnStep(ReturnNode nodeFrom, Node nodeTo) {
 predicate basicStoreStep(Node nodeFrom, Node nodeTo, string attr) {
   exists(AttributeAssignment a, Node var |
     a.getName() = attr and
-    EssaFlow::essaFlowStep*(nodeTo, var) and
+    simpleLocalFlowStep*(nodeTo, var) and
     var.asVar() = a.getInput() and
     nodeFrom.asCfgNode() = a.getValue()
   )
@@ -276,7 +282,7 @@ class TypeTracker extends TTypeTracker {
       result = this.append(summary)
     )
     or
-    EssaFlow::essaFlowStep(nodeFrom, nodeTo) and
+    typePreservingStep(nodeFrom, nodeTo) and
     result = this
   }
 }

python/ql/src/experimental/dataflow/internal/DataFlowPrivate.qll

@@ -74,23 +74,7 @@ class ReadPreUpdateNode extends NeedsSyntheticPostUpdateNode, CfgNode {
   override string label() { result = "read" }
 }
 
-/**
- * A node associated with an object after an operation that might have
- * changed its state.
- *
- * This can be either the argument to a callable after the callable returns
- * (which might have mutated the argument), or the qualifier of a field after
- * an update to the field.
- *
- * Nodes corresponding to AST elements, for example `ExprNode`s, usually refer
- * to the value before the update with the exception of `ObjectCreationNode`s,
- * which represents the value after the constructor has run.
- */
-abstract class PostUpdateNode extends Node {
-  /** Gets the node before the state update. */
-  abstract Node getPreUpdateNode();
-}
-
+/** A post-update node is synthesised for all nodes which satisfy `NeedsSyntheticPostUpdateNode`. */
 class SyntheticPostUpdateNode extends PostUpdateNode, TSyntheticPostUpdateNode {
   NeedsSyntheticPostUpdateNode pre;
 
@@ -105,6 +89,11 @@ class SyntheticPostUpdateNode extends PostUpdateNode, TSyntheticPostUpdateNode {
   override Location getLocation() { result = pre.getLocation() }
 }
 
+/**
+ * Calls to constructors are treated as post-update nodes for the synthesised argument
+ * that is mapped to the `self` parameter. That way, constructor calls represent the value of the
+ * object after the constructor (currently only `__init__`) has run.
+ */
 class ObjectCreationNode extends PostUpdateNode, NeedsSyntheticPreUpdateNode, CfgNode {
   ObjectCreationNode() { node.(CallNode) = any(ClassValue c).getACall() }
 
@@ -195,10 +184,28 @@ predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo) {
   // If there is ESSA-flow out of a node `node`, we want flow
   // both out of `node` and any post-update node of `node`.
   exists(Node node |
-    not node.(EssaNode).getVar() instanceof GlobalSsaVariable and
-    not nodeTo.(EssaNode).getVar() instanceof GlobalSsaVariable and
     EssaFlow::essaFlowStep(node, nodeTo) and
-    nodeFrom = update(node)
+    nodeFrom = update(node) and
+    (
+      not node instanceof EssaNode or
+      not nodeTo instanceof EssaNode or
+      localEssaStep(node, nodeTo)
+    )
+  )
+}
+
+/**
+ * Holds if there is an Essa flow step from `nodeFrom` to `nodeTo` that does not switch between
+ * local and global SSA variables.
+ */
+private predicate localEssaStep(EssaNode nodeFrom, EssaNode nodeTo) {
+  EssaFlow::essaFlowStep(nodeFrom, nodeTo) and
+  (
+    nodeFrom.getVar() instanceof GlobalSsaVariable and
+    nodeTo.getVar() instanceof GlobalSsaVariable
+    or
+    not nodeFrom.getVar() instanceof GlobalSsaVariable and
+    not nodeTo.getVar() instanceof GlobalSsaVariable
   )
 }
 
@@ -221,7 +228,61 @@ private Node update(Node node) {
 /**
  * A DataFlowCallable is any callable value.
  */
-class DataFlowCallable = CallableValue;
+newtype TDataFlowCallable =
+  TCallableValue(CallableValue callable) or
+  TModule(Module m)
+
+/** Represents a callable. */
+abstract class DataFlowCallable extends TDataFlowCallable {
+  /** Gets a textual representation of this element. */
+  abstract string toString();
+
+  /** Gets a call to this callable. */
+  abstract CallNode getACall();
+
+  /** Gets the scope of this callable */
+  abstract Scope getScope();
+
+  /** Gets the specified parameter of this callable */
+  abstract NameNode getParameter(int n);
+
+  /** Gets the name of this callable. */
+  abstract string getName();
+}
+
+/** A class representing a callable value. */
+class DataFlowCallableValue extends DataFlowCallable, TCallableValue {
+  CallableValue callable;
+
+  DataFlowCallableValue() { this = TCallableValue(callable) }
+
+  override string toString() { result = callable.toString() }
+
+  override CallNode getACall() { result = callable.getACall() }
+
+  override Scope getScope() { result = callable.getScope() }
+
+  override NameNode getParameter(int n) { result = callable.getParameter(n) }
+
+  override string getName() { result = callable.getName() }
+}
+
+/** A class representing the scope in which a `ModuleVariableNode` appears. */
+class DataFlowModuleScope extends DataFlowCallable, TModule {
+  Module mod;
+
+  DataFlowModuleScope() { this = TModule(mod) }
+
+  override string toString() { result = mod.toString() }
+
+  override CallNode getACall() { none() }
+
+  override Scope getScope() { result = mod }
+
+  override NameNode getParameter(int n) { none() }
+
+  override string getName() { result = mod.getName() }
+}
 
 newtype TDataFlowCall =
   TCallNode(CallNode call) { call = any(CallableValue c).getACall() } or
@@ -288,7 +349,7 @@ class ClassCall extends DataFlowCall, TClassCall {
 
   override DataFlowCallable getCallable() {
     exists(CallableValue callable |
-      result = callable and
+      result = TCallableValue(callable) and
       c.getScope().getInitMethod() = callable.getScope()
     )
   }
@@ -308,7 +369,9 @@ class SpecialCall extends DataFlowCall, TSpecialCall {
 
   override ControlFlowNode getNode() { result = special }
 
-  override DataFlowCallable getCallable() { result = special.getResolvedSpecialMethod() }
+  override DataFlowCallable getCallable() {
+    result = TCallableValue(special.getResolvedSpecialMethod())
+  }
 
   override DataFlowCallable getEnclosingCallable() {
     result.getScope() = special.getNode().getScope()
@@ -417,21 +480,11 @@ string ppReprType(DataFlowType t) { none() }
  * taken into account.
  */
 predicate jumpStep(Node nodeFrom, Node nodeTo) {
-  // As we have ESSA variables for global variables,
-  // we include ESSA flow steps involving global variables.
-  (
-    nodeFrom.(EssaNode).getVar() instanceof GlobalSsaVariable
-    or
-    nodeTo.(EssaNode).getVar() instanceof GlobalSsaVariable
-  ) and
-  (
-    EssaFlow::essaFlowStep(nodeFrom, nodeTo)
-    or
-    // As jump steps do not respect chronology,
-    // we add jump steps for each def-use pair.
-    nodeFrom.asVar() instanceof GlobalSsaVariable and
-    nodeTo.asCfgNode() = nodeFrom.asVar().getASourceUse()
-  )
+  // Module variable read
+  nodeFrom.(ModuleVariableNode).getARead() = nodeTo
+  or
+  // Module variable write
+  nodeFrom = nodeTo.(ModuleVariableNode).getAWrite()
 }
 
 //--------

python/ql/src/experimental/dataflow/internal/DataFlowPublic.qll

@@ -26,7 +26,9 @@ newtype TNode =
   /** A synthetic node representing the value of an object before a state change */
   TSyntheticPreUpdateNode(NeedsSyntheticPreUpdateNode post) or
   /** A synthetic node representing the value of an object after a state change */
-  TSyntheticPostUpdateNode(NeedsSyntheticPostUpdateNode pre)
+  TSyntheticPostUpdateNode(NeedsSyntheticPostUpdateNode pre) or
+  /** A node representing a global (module-level) variable in a specific module */
+  TModuleVariableNode(Module m, GlobalVariable v) { v.getScope() = m and v.escapes() }
 
 /**
  * An element, viewed as a node in a data flow graph. Either an SSA variable
@@ -151,6 +153,89 @@ class ParameterNode extends EssaNode {
   override DataFlowCallable getEnclosingCallable() { this.isParameterOf(result, _) }
 }
 
+/**
+ * A node associated with an object after an operation that might have
+ * changed its state.
+ *
+ * This can be either the argument to a callable after the callable returns
+ * (which might have mutated the argument), or the qualifier of a field after
+ * an update to the field.
+ *
+ * Nodes corresponding to AST elements, for example `ExprNode`s, usually refer
+ * to the value before the update with the exception of `ObjectCreationNode`s,
+ * which represents the value after the constructor has run.
+ */
+abstract class PostUpdateNode extends Node {
+  /** Gets the node before the state update. */
+  abstract Node getPreUpdateNode();
+}
+
+/**
+ * A data flow node corresponding to a module-level (global) variable that is accessed outside of the module scope.
+ *
+ * Global variables may appear twice in the data flow graph, as both `EssaNode`s and
+ * `ModuleVariableNode`s. The former is used to represent data flow between global variables as it
+ * occurs during module initialization, and the latter is used to represent data flow via global
+ * variable reads and writes during run-time.
+ *
+ * It is possible for data to flow from assignments made at module initialization time to reads made
+ * at run-time, but not vice versa. For example, there will be flow from `SOURCE` to `SINK` in the
+ * following snippet:
+ *
+ * ```python
+ * g = SOURCE
+ *
+ * def foo():
+ *     SINK(g)
+ * ```
+ * but not the other way round:
+ *
+ * ```python
+ * SINK(g)
+ *
+ * def bar()
+ *     global g
+ *     g = SOURCE
+ * ```
+ *
+ * Data flow through `ModuleVariableNode`s is represented as `jumpStep`s, and so any write of a
+ * global variable can flow to any read of the same variable.
+ */
+class ModuleVariableNode extends Node, TModuleVariableNode {
+  Module mod;
+  GlobalVariable var;
+
+  ModuleVariableNode() { this = TModuleVariableNode(mod, var) }
+
+  override Scope getScope() { result = mod }
+
+  override string toString() {
+    result = "ModuleVariableNode for " + var.toString() + " in " + mod.toString()
+  }
+
+  /** Gets the module in which this variable appears. */
+  Module getModule() { result = mod }
+
+  /** Gets the global variable corresponding to this node. */
+  GlobalVariable getVariable() { result = var }
+
+  /** Gets a node that reads this variable. */
+  Node getARead() {
+    result.asCfgNode() = var.getALoad().getAFlowNode() and
+    // Ignore reads that happen when the module is imported. These are only executed once.
+    not result.getScope() = mod
+  }
+
+  /** Gets an `EssaNode` that corresponds to an assignment of this global variable. */
+  EssaNode getAWrite() {
+    result.asVar().getDefinition().(EssaNodeDefinition).definedBy(var, any(DefinitionNode defn))
+  }
+
+  override DataFlowCallable getEnclosingCallable() { result.(DataFlowModuleScope).getScope() = mod }
+
+  override Location getLocation() { result = mod.getLocation() }
+}
+
 /**
  * A node that controls whether other nodes are evaluated.
  */

python/ql/src/experimental/dataflow/internal/DataFlowUtil.qll

@@ -2,7 +2,7 @@
  * Contains utility functions for writing data flow queries
  */
 
-import DataFlowPrivate
+private import DataFlowPrivate
 import DataFlowPublic
 
 /**