Python: Recognize path arguments to pathlib methods

python/ql/lib/semmle/python/frameworks/Stdlib.qll

@@ -2539,6 +2539,56 @@ private module StdlibPrivate {
     PathLibOpenCall() { attrbuteName = "open" }
   }
 
+  /**
+   * A call to the `link_to`, `hardlink_to`, or `symlink_to` method on a `pathlib.Path` instance.
+   *
+   * See
+   * - https://docs.python.org/3/library/pathlib.html#pathlib.Path.link_to
+   * - https://docs.python.org/3/library/pathlib.html#pathlib.Path.hardlink_to
+   * - https://docs.python.org/3/library/pathlib.html#pathlib.Path.symlink_to
+   */
+  private class PathLibLinkToCall extends PathlibFileAccess, API::CallNode {
+    PathLibLinkToCall() { attrbuteName in ["link_to", "hardlink_to", "symlink_to"] }
+
+    override DataFlow::Node getAPathArgument() {
+      result = super.getAPathArgument()
+      or
+      result = this.getParameter(0, "target").getARhs()
+    }
+  }
+
+  /**
+   * A call to the `replace` or `rename` method on a `pathlib.Path` instance.
+   *
+   * See
+   * - https://docs.python.org/3/library/pathlib.html#pathlib.Path.replace
+   * - https://docs.python.org/3/library/pathlib.html#pathlib.Path.rename
+   */
+  private class PathLibReplaceCall extends PathlibFileAccess, API::CallNode {
+    PathLibReplaceCall() { attrbuteName in ["replace", "rename"] }
+
+    override DataFlow::Node getAPathArgument() {
+      result = super.getAPathArgument()
+      or
+      result = this.getParameter(0, "target").getARhs()
+    }
+  }
+
+  /**
+   * A call to the `samefile` method on a `pathlib.Path` instance.
+   *
+   * See https://docs.python.org/3/library/pathlib.html#pathlib.Path.samefile
+   */
+  private class PathLibSameFileCall extends PathlibFileAccess, API::CallNode {
+    PathLibSameFileCall() { attrbuteName = "samefile" }
+
+    override DataFlow::Node getAPathArgument() {
+      result = super.getAPathArgument()
+      or
+      result = this.getParameter(0, "other_path").getARhs()
+    }
+  }
+
   /** An additional taint steps for objects of type `pathlib.Path` */
   private class PathlibPathTaintStep extends TaintTracking::AdditionalTaintStep {
     override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {

python/ql/test/library-tests/frameworks/stdlib-py3/FileSystemAccess.py

@@ -22,14 +22,14 @@ o(name)  # $ getAPathArgument=name
 wb = p.write_bytes
 wb(b"hello")  # $ getAPathArgument=p fileWriteData=b"hello"
 
-p.link_to("target") # $ getAPathArgument=p MISSING: getAPathArgument="target"
-p.link_to(target="target") # $ getAPathArgument=p MISSING: getAPathArgument="target"
+p.link_to("target") # $ getAPathArgument=p getAPathArgument="target"
+p.link_to(target="target") # $ getAPathArgument=p getAPathArgument="target"
 
-p.samefile("other_path") # $ getAPathArgument=p MISSING: getAPathArgument="other_path"
-p.samefile(other_path="other_path") # $ getAPathArgument=p MISSING: getAPathArgument="other_path"
+p.samefile("other_path") # $ getAPathArgument=p getAPathArgument="other_path"
+p.samefile(other_path="other_path") # $ getAPathArgument=p getAPathArgument="other_path"
 
-p.rename("target") # $ getAPathArgument=p MISSING: getAPathArgument="target"
-p.rename(target="target") # $ getAPathArgument=p MISSING: getAPathArgument="target"
+p.rename("target") # $ getAPathArgument=p getAPathArgument="target"
+p.rename(target="target") # $ getAPathArgument=p getAPathArgument="target"
 
-p.replace("target") # $ getAPathArgument=p MISSING: getAPathArgument="target"
-p.replace(target="target") # $ getAPathArgument=p MISSING: getAPathArgument="target"
+p.replace("target") # $ getAPathArgument=p getAPathArgument="target"
+p.replace(target="target") # $ getAPathArgument=p getAPathArgument="target"