Python: Fix test issues

Fixes the test failures that arose from making `ExtractedArgumentNode` local. For the consistency checks, we now explicitly exclude the `ExtractedArgumentNode`s (now much more plentiful due to the overapproximation) that don't have a corresponding `getCallArg` tuple. For various queries/tests using `instanceof ArgumentNode`, we instead us `isArgumentNode`, which explicitly filters out the ones for which `isArgumentOf` doesn't hold (which, again, is the case for most of the nodes in the overapproximation).
2026-02-23 18:33:42 +01:00 · 2026-01-26 15:38:25 +00:00
parent 7fccc23dbe
commit 6113d4be9e
4 changed files with 14 additions and 3 deletions
--- a/python/ql/consistency-queries/DataFlowConsistency.ql
+++ b/python/ql/consistency-queries/DataFlowConsistency.ql
@@ -26,6 +26,8 @@ private module Input implements InputSig<Location, PythonDataFlow> {
    or
    // TODO: Implement post-updates for **kwargs, see tests added in https://github.com/github/codeql/pull/14936
    exists(ArgumentPosition apos | n.argumentOf(_, apos) and apos.isDictSplat())
+    or
+    missingArgumentCallExclude(n)
  }

  predicate reverseReadExclude(Node n) {
@@ -134,6 +136,14 @@ private module Input implements InputSig<Location, PythonDataFlow> {
      other.getNode().getScope() = f
    )
  }
+
+  predicate missingArgumentCallExclude(ArgumentNode arg) {
+    // We overapproximate the argument nodes in order to not rely on the global `getCallArg`
+    // predicate.
+    // Because of this, we must exclude the cases where we have an approximation but no actual
+    // argument node.
+    arg = getCallArgApproximation() and not getCallArg(_, _, _, arg, _)
+  }
 }

 import MakeConsistency<Location, PythonDataFlow, PythonTaintTracking, Input>
--- a/python/ql/lib/utils/test/dataflow/MaximalFlowTest.qll
+++ b/python/ql/lib/utils/test/dataflow/MaximalFlowTest.qll
@@ -35,7 +35,7 @@ module MaximalFlowsConfig implements DataFlow::ConfigSig {
  predicate isSink(DataFlow::Node node) {
    exists(node.getLocation().getFile().getRelativePath()) and
    not any(CallNode c).getArg(_) = node.asCfgNode() and
-    not node instanceof DataFlow::ArgumentNode and
+    not isArgumentNode(node, _, _) and
    not node.asCfgNode().(NameNode).getId().matches("SINK%") and
    not DataFlow::localFlowStep(node, _)
  }
--- a/python/ql/lib/utils/test/dataflow/callGraphConfig.qll
+++ b/python/ql/lib/utils/test/dataflow/callGraphConfig.qll
@@ -9,7 +9,7 @@ module CallGraphConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node node) {
    node instanceof DataFlowPrivate::ReturnNode
    or
-    node instanceof DataFlow::ArgumentNode
+    DataFlowPrivate::isArgumentNode(node, _, _)
  }

  predicate isSink(DataFlow::Node node) {
--- a/python/ql/src/Classes/InitCallsSubclass/InitCallsSubclassMethod.ql
+++ b/python/ql/src/Classes/InitCallsSubclass/InitCallsSubclassMethod.ql
@@ -15,6 +15,7 @@
 import python
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.internal.DataFlowDispatch
+import semmle.python.dataflow.new.internal.DataFlowPrivate

 predicate initSelfCallOverridden(
  Function init, DataFlow::Node self, DataFlow::MethodCallNode call, Function target,
@@ -39,7 +40,7 @@ predicate readsFromSelf(Function method) {
    self.getParameter() = method.getArg(0) and
    DataFlow::localFlow(self, sink)
  |
-    sink instanceof DataFlow::ArgumentNode
+    isArgumentNode(sink, _, _)
    or
    sink = any(DataFlow::AttrRead a).getObject()
  )