Python: Model Python 2 only os.popen2, popen3, popen4 functions

2026-04-30 19:26:02 +02:00 · 2020-10-06 18:59:01 +02:00
parent 6ec7ab2fd9
commit 8c2f55fbd0
3 changed files with 16 additions and 10 deletions
--- a/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
@@ -32,7 +32,7 @@ private module Stdlib {
   * For example, using `attr_name = "system"` will get all uses of `os.system`.
   */
  private DataFlow::Node os_attr(DataFlow::TypeTracker t, string attr_name) {
-    attr_name in ["system", "popen",
+    attr_name in ["system", "popen", "popen2", "popen3", "popen4",
          // exec
          "execl", "execle", "execlp", "execlpe", "execv", "execve", "execvp", "execvpe",
          // spawn
@@ -111,14 +111,26 @@ private module Stdlib {
  }

  /**
-   * A call to `os.popen`
+   * A call to any of the `os.popen*` functions
   * See https://docs.python.org/3/library/os.html#os.popen
+   *
+   * Note that in Python 2, there are also `popen2`, `popen3`, and `popen4` functions.
+   * Although deprecated since version 2.6, they still work in 2.7.
+   * See https://docs.python.org/2.7/library/os.html#os.popen2
   */
  private class OsPopenCall extends SystemCommandExecution::Range {
-    OsPopenCall() { this.asCfgNode().(CallNode).getFunction() = os_attr("popen").asCfgNode() }
+    string name;
+
+    OsPopenCall() {
+      name in ["popen", "popen2", "popen3", "popen4"] and
+      this.asCfgNode().(CallNode).getFunction() = os_attr(name).asCfgNode()
+    }

    override DataFlow::Node getCommand() {
      result.asCfgNode() = this.asCfgNode().(CallNode).getArg(0)
+      or
+      not name = "popen" and
+      result.asCfgNode() = this.asCfgNode().(CallNode).getArgByName("cmd")
    }
  }

--- a/python/ql/test/experimental/library-tests/frameworks/stdlib-py2/ConceptsTest.expected
+++ b/python/ql/test/experimental/library-tests/frameworks/stdlib-py2/ConceptsTest.expected
@@ -1,9 +1,3 @@
-| SystemCommandExecution.py:4:26:4:51 | Comment # $getCommand="cmd1; cmd2" | Missing result:getCommand="cmd1; cmd2" |
-| SystemCommandExecution.py:5:26:5:51 | Comment # $getCommand="cmd1; cmd2" | Missing result:getCommand="cmd1; cmd2" |
-| SystemCommandExecution.py:6:26:6:51 | Comment # $getCommand="cmd1; cmd2" | Missing result:getCommand="cmd1; cmd2" |
-| SystemCommandExecution.py:9:30:9:55 | Comment # $getCommand="cmd1; cmd2" | Missing result:getCommand="cmd1; cmd2" |
-| SystemCommandExecution.py:10:30:10:55 | Comment # $getCommand="cmd1; cmd2" | Missing result:getCommand="cmd1; cmd2" |
-| SystemCommandExecution.py:11:30:11:55 | Comment # $getCommand="cmd1; cmd2" | Missing result:getCommand="cmd1; cmd2" |
 | SystemCommandExecution.py:19:31:19:56 | Comment # $getCommand="cmd1; cmd2" | Missing result:getCommand="cmd1; cmd2" |
 | SystemCommandExecution.py:20:35:20:60 | Comment # $getCommand="cmd1; cmd2" | Missing result:getCommand="cmd1; cmd2" |
 | SystemCommandExecution.py:26:30:26:55 | Comment # $getCommand="cmd1; cmd2" | Missing result:getCommand="cmd1; cmd2" |
--- a/python/ql/test/experimental/library-tests/frameworks/stdlib-py2/SystemCommandExecution.py
+++ b/python/ql/test/experimental/library-tests/frameworks/stdlib-py2/SystemCommandExecution.py
@@ -10,7 +10,7 @@ os.popen2(cmd="cmd1; cmd2")  # $getCommand="cmd1; cmd2"
 os.popen3(cmd="cmd1; cmd2")  # $getCommand="cmd1; cmd2"
 os.popen4(cmd="cmd1; cmd2")  # $getCommand="cmd1; cmd2"

-# os.popen does not support keyword arguments
+# os.popen does not support keyword arguments, so this is a TypeError
 os.popen(cmd="cmd1; cmd2")

 ########################################