Python: use yield step also for taint

Using the comprehension store step meant that all comprehensions would receive taint. This because comprehension flow now goes via a callable, meaning they share the return node.
2026-04-27 09:45:15 +02:00 · 2024-09-30 13:49:01 +02:00
parent fb07a56de6
commit 7392d186bc
2 changed files with 2 additions and 27 deletions
--- a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPrivate.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPrivate.qll
@@ -168,7 +168,7 @@ private predicate synthDictSplatArgumentNodeStoreStep(
  )
 }

-private predicate yieldStoreStep(Node nodeFrom, Content c, Node nodeTo) {
+predicate yieldStoreStep(Node nodeFrom, Content c, Node nodeTo) {
  exists(Yield yield, Function func |
    nodeTo.asCfgNode() = yield.getAFlowNode() and
    nodeFrom.asCfgNode() = yield.getValue().getAFlowNode() and
@@ -885,31 +885,6 @@ predicate dictClearStep(Node node, DictionaryElementContent c) {
  )
 }

-/** Data flows from an element expression in a comprehension to the comprehension. */
-predicate comprehensionStoreStep(CfgNode nodeFrom, Content c, CfgNode nodeTo) {
-  // Comprehension
-  //   `[x+1 for x in l]`
-  //   nodeFrom is `x+1`, cfg node
-  //   nodeTo is `[x+1 for x in l]`, cfg node
-  //   c denotes list or set or dictionary without index
-  //
-  // List
-  nodeTo.getNode().getNode().(ListComp).getElt() = nodeFrom.getNode().getNode() and
-  c instanceof ListElementContent
-  or
-  // Set
-  nodeTo.getNode().getNode().(SetComp).getElt() = nodeFrom.getNode().getNode() and
-  c instanceof SetElementContent
-  or
-  // Dictionary
-  nodeTo.getNode().getNode().(DictComp).getElt() = nodeFrom.getNode().getNode() and
-  c instanceof DictionaryElementAnyContent
-  or
-  // Generator
-  nodeTo.getNode().getNode().(GeneratorExp).getElt() = nodeFrom.getNode().getNode() and
-  c instanceof ListElementContent
-}
-
 /**
 * Holds if `nodeFrom` flows into the attribute `c` of `nodeTo` via an attribute assignment.
 *
--- a/python/ql/lib/semmle/python/dataflow/new/internal/TaintTrackingPrivate.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/internal/TaintTrackingPrivate.qll
@@ -188,7 +188,7 @@ predicate containerStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
  // TODO: once we have proper flow-summary modeling, we might not need this step any
  // longer -- but there needs to be a matching read-step for the store-step, and we
  // don't provide that right now.
-  DataFlowPrivate::comprehensionStoreStep(nodeFrom, _, nodeTo)
+  DataFlowPrivate::yieldStoreStep(nodeFrom, _, nodeTo)
 }

 /**