Python points-to: track return values from builtin methods.

2026-04-30 11:15:13 +02:00 · 2019-04-09 16:51:00 +01:00
parent b8fb3e3e61
commit 9af7071131
1 changed files with 18 additions and 2 deletions
--- a/python/ql/src/semmle/python/objects/Callables.qll
+++ b/python/ql/src/semmle/python/objects/Callables.qll
@@ -274,9 +274,25 @@ class BuiltinMethodObjectInternal extends CallableObjectInternal, TBuiltinMethod

    override predicate callResult(PointsToContext callee, ObjectInternal obj, CfgOrigin origin) { none() }

+    pragma [noinline]
    override predicate callResult(ObjectInternal obj, CfgOrigin origin) {
-        // TO DO .. Result should be be a unknown value of a known class if the return type is known or just an unknown.
-        none()
+        exists(Builtin func, BuiltinClassObjectInternal cls |
+            func = this.getBuiltin() and
+            cls = ObjectInternal::fromBuiltin(this.getReturnType()) |
+            obj = TUnknownInstance(cls)
+            or
+            cls = ObjectInternal::noneType() and obj = ObjectInternal::none_()
+            or
+            cls = ObjectInternal::builtin("bool") and obj = ObjectInternal::bool(_)
+        ) and
+        origin = CfgOrigin::unknown()
+    }
+
+    Builtin getReturnType() {
+        exists(Builtin func |
+            func = this.getBuiltin() |
+            ext_rettype(func, result)
+        )
    }

    override ControlFlowNode getOrigin() {