Python: More easy-to-get content flow

There are some things that should be rewritten, though, but it may involve the extractor
2025-12-20 10:46:30 +01:00 · 2020-08-04 13:54:50 +02:00
parent 9d09b4c811
commit 9312b42e79
5 changed files with 85 additions and 9 deletions
--- a/python/ql/src/experimental/dataflow/internal/DataFlowPrivate.qll
+++ b/python/ql/src/experimental/dataflow/internal/DataFlowPrivate.qll
@@ -234,8 +234,8 @@ predicate storeStep(Node nodeFrom, Content c, Node nodeTo) {
  or
  // Comprehension
  //   `[x+1 for x in l]`
-  //   nodeFrom is `x+1`
-  //   nodeTo is `[x+1 for x in l]`
+  //   nodeFrom is `x+1`, cfg node
+  //   nodeTo is `[x+1 for x in l]`, cfg node
  nodeTo.(CfgNode).getNode().getNode().(Comp).getElt() = nodeFrom.(CfgNode).getNode().getNode()
 }

@@ -245,9 +245,42 @@ predicate storeStep(Node nodeFrom, Content c, Node nodeTo) {
 predicate readStep(Node nodeFrom, Content c, Node nodeTo) {
  // Subscription
  //   `l[3]`
-  //   nodeFrom is `l`
-  //   nodeTo is `l[3]`
+  //   nodeFrom is `l`, cfg node
+  //   nodeTo is `l[3]`, cfg node
  nodeFrom.(CfgNode).getNode() = nodeTo.(CfgNode).getNode().(SubscriptNode).getObject()
+  or
+  // set.pop
+  //   `s.pop()`
+  //   nodeFrom is `s`, cfg node
+  //   nodeTo is `s.pop()`, cfg node
+  exists(CallNode call, AttrNode a |
+    call.getFunction() = a and
+    a.getName() = "pop" and // TODO: Should be made more robust, like Value::named("set.pop").getACall()
+    nodeFrom.(CfgNode).getNode() = a.getObject() and
+    nodeTo.(CfgNode).getNode() = call
+  )
+  or
+  // Comprehension
+  //   `[x+1 for x in l]`
+  //   nodeFrom is `l`, cfg node
+  //   nodeTo is `x`, essa var
+  exists(For f, Comp comp |
+    // Seems to need extractor changes to write this part properly
+    nodeFrom.(CfgNode).getNode().(SequenceNode).getNode().getParentNode() = comp and
+    colocated(f.getIter(), comp) and
+    nodeTo.(EssaNode).getVar().getDefinition().(AssignmentDefinition).getDefiningNode().getNode() = f.getTarget()
+  )
+}
+
+
+
+/** This should not be necessary */
+predicate colocated(AstNode n1, AstNode n2) {
+  n1.getLocation().getFile() = n2.getLocation().getFile() and
+  n1.getLocation().getStartLine() = n2.getLocation().getStartLine() and
+  n1.getLocation().getEndLine() = n2.getLocation().getEndLine() and
+  n1.getLocation().getStartColumn() = n2.getLocation().getStartColumn() and
+  n1.getLocation().getEndColumn() = n2.getLocation().getEndColumn()
 }

 /**
--- a/python/ql/src/experimental/dataflow/internal/DataFlowPublic.qll
+++ b/python/ql/src/experimental/dataflow/internal/DataFlowPublic.qll
@@ -33,8 +33,15 @@ class Node extends TNode {
  /** Gets the scope of this node. */
  Scope getScope() { none() }

+  private DataFlowCallable getCallableScope(Scope s) {
+    result.getScope() = s
+    or
+    not exists(DataFlowCallable c | c.getScope() = s) and
+    result = getCallableScope(s.getEnclosingScope())
+  }
+
  /** Gets the enclosing callable of this node. */
-  DataFlowCallable getEnclosingCallable() { result.getScope() = this.getScope() }
+  DataFlowCallable getEnclosingCallable() { result = getCallableScope(this.getScope()) }

  /** Gets the location of this node */
  Location getLocation() { none() }