Python: Fixup modeling of os.open

2026-04-26 09:15:12 +02:00 · 2024-08-13 14:57:24 +02:00
parent d245db54a1
commit 7483075b7e
3 changed files with 11 additions and 6 deletions
--- a/python/ql/lib/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/lib/semmle/python/frameworks/Stdlib.qll
@@ -338,7 +338,7 @@ module StdlibPrivate {
   * Modeling of path related functions in the `os` module.
   * Wrapped in QL module to make it easy to fold/unfold.
   */
-  private module OsFileSystemAccessModeling {
+  module OsFileSystemAccessModeling {
    /**
     * A call to the `os.fsencode` function.
     *
@@ -395,7 +395,7 @@ module StdlibPrivate {
     *
     * See https://docs.python.org/3/library/os.html#os.open
     */
-    private class OsOpenCall extends FileSystemAccess::Range, DataFlow::CallCfgNode {
+    class OsOpenCall extends FileSystemAccess::Range, DataFlow::CallCfgNode {
      OsOpenCall() { this = os().getMember("open").getACall() }

      override DataFlow::Node getAPathArgument() {
@@ -1501,7 +1501,12 @@ module StdlibPrivate {
  private class OpenCall extends FileSystemAccess::Range, Stdlib::FileLikeObject::InstanceSource,
    ThreatModelSource::Range, DataFlow::CallCfgNode
  {
-    OpenCall() { this = getOpenFunctionRef().getACall() }
+    OpenCall() {
+      this = getOpenFunctionRef().getACall() and
+      // when analyzing stdlib code for os.py we wrongly assume that `os.open` is an
+      // alias of the builtins `open` function
+      not this instanceof OsFileSystemAccessModeling::OsOpenCall
+    }

    override DataFlow::Node getAPathArgument() {
      result in [this.getArg(0), this.getArgByName("file")]
--- a/python/ql/test/library-tests/frameworks/stdlib/FileSystemAccess.py
+++ b/python/ql/test/library-tests/frameworks/stdlib/FileSystemAccess.py
@@ -87,8 +87,8 @@ def test_fspath():
        os.fspath(path=TAINTED_STRING), # $ tainted
    )

-os.open("path", os.O_RDONLY) # $ getAPathArgument="path" SPURIOUS: threatModelSource[file]=os.open(..)
-os.open(path="path", flags=os.O_RDONLY) # $ getAPathArgument="path" SPURIOUS: threatModelSource[file]=os.open(..)
+os.open("path", os.O_RDONLY) # $ getAPathArgument="path"
+os.open(path="path", flags=os.O_RDONLY) # $ getAPathArgument="path"

 os.access("path", os.R_OK) # $ getAPathArgument="path"
 os.access(path="path", mode=os.R_OK) # $ getAPathArgument="path"
--- a/python/ql/test/library-tests/frameworks/stdlib/threat_models.py
+++ b/python/ql/test/library-tests/frameworks/stdlib/threat_models.py
@@ -58,7 +58,7 @@ ensure_tainted(
    open("foo").readline(), # $ tainted threatModelSource[file]=open(..) getAPathArgument="foo"
    open("foo").readlines(), # $ tainted threatModelSource[file]=open(..) getAPathArgument="foo"

-    os.read(os.open("foo"), 1024), # $ tainted threatModelSource[file]=os.read(..) SPURIOUS: threatModelSource[file]=os.open(..) getAPathArgument="foo"
+    os.read(os.open("foo"), 1024), # $ tainted threatModelSource[file]=os.read(..) getAPathArgument="foo"
 )

 ########################################