Python: Include all assignments in data flow paths

Like Ruby did in https://github.com/github/codeql/pull/12566
2026-04-25 08:45:14 +02:00 · 2023-07-13 16:42:24 +02:00
parent 9bd5694c3f
commit 46af77c1af
2 changed files with 20 additions and 14 deletions
--- a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPrivate.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPrivate.qll
@@ -513,15 +513,21 @@ class CastNode extends Node {
 * explanations.
 */
 predicate neverSkipInPathGraph(Node n) {
-  // We include read- and store steps here to force them to be
-  // shown in path explanations.
-  // This hack is necessary, because we have included some of these
-  // steps as default taint steps, making them be suppressed in path
-  // explanations.
-  // We should revert this once, we can remove this steps from the
-  // default taint steps; this should be possible once we have
-  // implemented flow summaries and recursive content.
-  readStep(_, _, n) or storeStep(_, _, n)
+  // NOTE: We could use RHS of a definition, but since we have use-use flow, in an
+  // example like
+  // ```py
+  // x = SOURCE()
+  // if <cond>:
+  //     y = x
+  // SINK(x)
+  // ```
+  // we would end up saying that the path MUST not skip the x in `y = x`, which is just
+  // annoying and doesn't help the path explanation become clearer.
+  n.asVar() instanceof EssaDefinition and
+  // For a parameter we have flow from ControlFlowNode to SSA node, and then onwards
+  // with use-use flow, and since the CFN is already part of the path graph, we don't
+  // want to force showing the SSA node as well.
+  not n.asVar() instanceof ParameterDefinition
 }

 /**
--- a/python/ql/test/experimental/dataflow/path-graph/test.py
+++ b/python/ql/test/experimental/dataflow/path-graph/test.py
@@ -1,7 +1,7 @@
 def assign():
    x = SOURCE # $ path-node

-    y = x
+    y = x # $ path-node

    SINK(y) # $ path-node

@@ -10,7 +10,7 @@ def aug_assign():
    x = SOURCE # $ path-node
    z = ""

-    z += x
+    z += x # $ path-node

    SINK(z) # $ path-node

@@ -41,7 +41,7 @@ def attribute():
    x = X()
    x.attr = SOURCE # $ path-node

-    y = x
+    y = x # $ path-node

    SINK(y.attr) # $ path-node

@@ -81,7 +81,7 @@ def test_tuple():
 def test_with():
    x = SOURCE # $ path-node

-    with x as y:
+    with x as y: # $ path-node

        SINK(y) # $ path-node

@@ -91,6 +91,6 @@ def test_match():

    match x:

-        case y:
+        case y: # $ path-node

            SINK(y) # $ path-node