Python: Implement new data flow interface

2025-12-16 16:53:25 +01:00 · 2024-03-11 13:26:01 +01:00
parent 02ae2d1520
commit 6c0ed28e6b
12 changed files with 25 additions and 15 deletions
--- a/python/ql/consistency-queries/DataFlowConsistency.ql
+++ b/python/ql/consistency-queries/DataFlowConsistency.ql
@@ -10,12 +10,16 @@ private import semmle.python.dataflow.new.internal.DataFlowDispatch
 private import semmle.python.dataflow.new.internal.TaintTrackingImplSpecific
 private import codeql.dataflow.internal.DataFlowImplConsistency

-private module Input implements InputSig<PythonDataFlow> {
+private module Input implements InputSig<Location, PythonDataFlow> {
  private import Private
  private import Public

  predicate postWithInFlowExclude(Node n) { n instanceof FlowSummaryNode }

+  predicate uniqueNodeLocationExclude(Node n) { n instanceof FlowSummaryNode }
+
+  predicate missingLocationExclude(Node n) { n instanceof FlowSummaryNode }
+
  predicate argHasPostUpdateExclude(ArgumentNode n) {
    // TODO: Implement post-updates for *args, see tests added in https://github.com/github/codeql/pull/14936
    exists(ArgumentPosition apos | n.argumentOf(_, apos) and apos.isStarArgs(_))
@@ -132,4 +136,4 @@ private module Input implements InputSig<PythonDataFlow> {
  }
 }

-import MakeConsistency<PythonDataFlow, PythonTaintTracking, Input>
+import MakeConsistency<Location, PythonDataFlow, PythonTaintTracking, Input>
--- a/python/ql/lib/semmle/python/ApiGraphs.qll
+++ b/python/ql/lib/semmle/python/ApiGraphs.qll
@@ -328,6 +328,9 @@ module API {
     */
    DataFlow::Node getInducingNode() { this = Impl::MkUse(result) or this = Impl::MkDef(result) }

+    /** Gets the location of this node */
+    PY::Location getLocation() { result = this.getInducingNode().getLocation() }
+
    /**
     * Holds if this element is at the specified location.
     * The location spans column `startcolumn` of line `startline` to
@@ -335,7 +338,7 @@ module API {
     * For more information, see
     * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
     */
-    predicate hasLocationInfo(
+    deprecated predicate hasLocationInfo(
      string filepath, int startline, int startcolumn, int endline, int endcolumn
    ) {
      this.getInducingNode().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
--- a/python/ql/lib/semmle/python/dataflow/new/DataFlow.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/DataFlow.qll
@@ -24,6 +24,6 @@ private import python
 module DataFlow {
  private import internal.DataFlowImplSpecific
  private import codeql.dataflow.DataFlow
-  import DataFlowMake<PythonDataFlow>
+  import DataFlowMake<Location, PythonDataFlow>
  import internal.DataFlowImpl1
 }
--- a/python/ql/lib/semmle/python/dataflow/new/TaintTracking.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/TaintTracking.qll
@@ -19,6 +19,6 @@ module TaintTracking {
  private import semmle.python.dataflow.new.internal.DataFlowImplSpecific
  private import semmle.python.dataflow.new.internal.TaintTrackingImplSpecific
  private import codeql.dataflow.TaintTracking
-  import TaintFlowMake<PythonDataFlow, PythonTaintTracking>
+  import TaintFlowMake<Location, PythonDataFlow, PythonTaintTracking>
  import internal.tainttracking1.TaintTrackingImpl
 }
--- a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowDispatch.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowDispatch.qll
@@ -1595,7 +1595,7 @@ class FlowSummaryNode extends Node, TFlowSummaryNode {
  override string toString() { result = this.getSummaryNode().toString() }

  // Hack to return "empty location"
-  override predicate hasLocationInfo(
+  deprecated override predicate hasLocationInfo(
    string file, int startline, int startcolumn, int endline, int endcolumn
  ) {
    file = "" and
--- a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl.qll
@@ -1,3 +1,4 @@
 private import DataFlowImplSpecific
 private import codeql.dataflow.internal.DataFlowImpl
-import MakeImpl<PythonDataFlow>
+private import semmle.python.Files
+import MakeImpl<Location, PythonDataFlow>
--- a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImplCommon.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImplCommon.qll
@@ -1,3 +1,4 @@
 private import DataFlowImplSpecific
 private import codeql.dataflow.internal.DataFlowImplCommon
-import MakeImplCommon<PythonDataFlow>
+private import semmle.python.Files
+import MakeImplCommon<Location, PythonDataFlow>
--- a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImplSpecific.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImplSpecific.qll
@@ -15,7 +15,7 @@ module Public {
  import DataFlowUtil
 }

-module PythonDataFlow implements InputSig {
+module PythonDataFlow implements InputSig<Python::Location> {
  import Private
  import Public

--- a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPublic.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPublic.qll
@@ -148,6 +148,7 @@ class Node extends TNode {
  DataFlowCallable getEnclosingCallable() { result = getCallableScope(this.getScope()) }

  /** Gets the location of this node */
+  cached
  Location getLocation() { none() }

  /**
@@ -157,8 +158,7 @@ class Node extends TNode {
   * For more information, see
   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
   */
-  cached
-  predicate hasLocationInfo(
+  deprecated predicate hasLocationInfo(
    string filepath, int startline, int startcolumn, int endline, int endcolumn
  ) {
    Stages::DataFlow::ref() and
--- a/python/ql/lib/semmle/python/dataflow/new/internal/FlowSummaryImpl.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/internal/FlowSummaryImpl.qll
@@ -9,7 +9,7 @@ private import DataFlowImplSpecific as DataFlowImplSpecific
 private import DataFlowImplSpecific::Private
 private import DataFlowImplSpecific::Public

-module Input implements InputSig<DataFlowImplSpecific::PythonDataFlow> {
+module Input implements InputSig<Location, DataFlowImplSpecific::PythonDataFlow> {
  class SummarizedCallableBase = string;

  ArgumentPosition callbackSelfParameterPosition() { result.isLambdaSelf() }
@@ -83,7 +83,7 @@ module Input implements InputSig<DataFlowImplSpecific::PythonDataFlow> {
  }
 }

-private import Make<DataFlowImplSpecific::PythonDataFlow, Input> as Impl
+private import Make<Location, DataFlowImplSpecific::PythonDataFlow, Input> as Impl

 private module StepsInput implements Impl::Private::StepsInputSig {
  DataFlowCall getACall(Public::SummarizedCallable sc) {
--- a/python/ql/lib/semmle/python/dataflow/new/internal/TaintTrackingImplSpecific.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/internal/TaintTrackingImplSpecific.qll
@@ -4,7 +4,8 @@

 private import codeql.dataflow.TaintTracking
 private import DataFlowImplSpecific
+private import semmle.python.Files

-module PythonTaintTracking implements InputSig<PythonDataFlow> {
+module PythonTaintTracking implements InputSig<Location, PythonDataFlow> {
  import TaintTrackingPrivate
 }
--- a/python/ql/lib/semmle/python/internal/CachedStages.qll
+++ b/python/ql/lib/semmle/python/internal/CachedStages.qll
@@ -194,7 +194,7 @@ module Stages {
      or
      exists(any(DataFlowPublic::Node node).toString())
      or
-      any(DataFlowPublic::Node node).hasLocationInfo(_, _, _, _, _)
+      exists(any(DataFlowPublic::Node node).getLocation())
      or
      DataFlowDispatch::resolveCall(_, _, _)
      or