Merge branch 'main' of https://github.com/github/codeql into python/test-constructor-MaD-path

2026-04-29 10:45:15 +02:00 · 2024-05-14 14:30:18 +02:00
parent 862942f3d8 027e5e7291
commit 49ffa8bf07
630 changed files with 16548 additions and 13440 deletions
--- a/python/ql/test/library-tests/dataflow/model-summaries/InlineTaintTest.ext.yml
+++ b/python/ql/test/library-tests/dataflow/model-summaries/InlineTaintTest.ext.yml
@@ -20,4 +20,7 @@ extensions:
      - ["foo", "Member[MS_spread_all]", "Argument[0]", "ReturnValue.TupleElement[0,1]", "value"]
      - ["foo", "Member[MS_Class].Call", "Argument[0, x:]", "ReturnValue.Attribute[config]", "value"]
      - ["foo", "Member[MS_Class_transitive].Subclass.Call", "Argument[0, x:]", "ReturnValue.Attribute[config]", "value"]
+      - ["foo", "Member[MS_Class].Instance.Member[instance_method]", "Argument[self]", "ReturnValue.TupleElement[0]", "value"]
+      - ["foo", "Member[MS_Class].Instance.Member[instance_method]", "Argument[0]", "ReturnValue.TupleElement[1]", "value"]
+      - ["foo", "Member[MS_Class].Instance.Member[explicit_self]", "Argument[self:]", "ReturnValue", "value"]
      - ["json", "Member[MS_loads]", "Argument[0]", "ReturnValue", "taint"]
--- a/python/ql/test/library-tests/dataflow/model-summaries/NormalDataflowTest.ext.yml
+++ b/python/ql/test/library-tests/dataflow/model-summaries/NormalDataflowTest.ext.yml
@@ -20,4 +20,7 @@ extensions:
      - ["foo", "Member[MS_spread_all]", "Argument[0]", "ReturnValue.TupleElement[0,1]", "value"]
      - ["foo", "Member[MS_Class].Call", "Argument[0, x:]", "ReturnValue.Attribute[config]", "value"]
      - ["foo", "Member[MS_Class_transitive].Subclass.Call", "Argument[0, x:]", "ReturnValue.Attribute[config]", "value"]
+      - ["foo", "Member[MS_Class].Instance.Member[instance_method]", "Argument[self]", "ReturnValue.TupleElement[0]", "value"]
+      - ["foo", "Member[MS_Class].Instance.Member[instance_method]", "Argument[0]", "ReturnValue.TupleElement[1]", "value"]
+      - ["foo", "Member[MS_Class].Instance.Member[explicit_self]", "Argument[self:]", "ReturnValue", "value"]
      - ["json", "Member[MS_loads]", "Argument[0]", "ReturnValue", "taint"]
--- a/python/ql/test/library-tests/dataflow/model-summaries/model_summaries.py
+++ b/python/ql/test/library-tests/dataflow/model-summaries/model_summaries.py
@@ -157,6 +157,21 @@ class E(MS_Class_transitive):
 SINK(E(NONSOURCE, SOURCE).config)  # $ MISSING: flow="SOURCE -> E(..).config"
 SINK(E(x = SOURCE, y = NONSOURCE).config)  # $ flow="SOURCE -> E(..).config"

+c = MS_Class()
+a, b = c.instance_method(SOURCE)
+SINK_F(a)
+SINK(b)  # $ flow="SOURCE, l:-2 -> b"
+
+# Call the instance method on the class to expose the self argument
+x, y = MS_Class.instance_method(SOURCE, NONSOURCE)
+SINK(x)  # $ MISSING: flow="SOURCE, l:-1 -> x"
+SINK_F(y)
+
+# Call the instance method on the class to expose the self argument
+# That self argument is not referenced by `Argument[self:]`
+SINK_F(MS_Class.explicit_self(SOURCE))
+# Instead, `Argument[self:]` refers to a keyword argument named `self` (which you are allowed to do in Python)
+SINK(c.explicit_self(self = SOURCE))  # $ flow="SOURCE -> c.explicit_self(..)"

 # Modeled flow-summary is not value preserving
 from json import MS_loads as json_loads