Python: target SSA variable rather than Cfg node

Also add "INTERNAL: Do not use." to the class doc comment, and give the test functions distinct names.
Rasmus Lerchedahl Petersen
2021-03-08 08:04:42 +01:00
parent 296297915c
commit b36e0d0be7
3 changed files with 14 additions and 5 deletions


@@ -5,6 +5,8 @@ import semmle.python.dataflow.new.DataFlow
private import semmle.python.ApiGraphs
/**
* INTERNAL: Do not use.
*
* A data-flow node that carries information about a raised exception.
* Such information should rarely be exposed directly to the user.
*/
@@ -25,7 +27,10 @@ private class TracebackFunctionCall extends ExceptionInfo, DataFlow::CallCfgNode
/** A caught exception. */
private class CaughtException extends ExceptionInfo {
CaughtException() { this.asExpr() = any(ExceptStmt s).getName() }
CaughtException() {
this.asVar().getDefinition().(EssaNodeDefinition).getDefiningNode().getNode() =
any(ExceptStmt s).getName()
}
}
/** A call to `sys.exc_info`. */
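Review bot: The new characteristic predicate `this.asVar().getDefinition().(EssaNodeDefinition).getDefiningNode().getNode() = any(ExceptStmt s).getName()` is hard to read back from the code alone, and the unchanged `/** A caught exception. */` doc does not say why the SSA variable is now targeted instead of the `e` expression node the previous version matched. The expected-output change in this commit (a new `SSA variable e` → `ControlFlowNode for e` edge) suggests the intent is that flow from the bound name reaches its later uses, so I would record that in the doc: `/** A caught exception: the SSA variable bound by `except ... as e`. The SSA variable, rather than the name expression, is used so that flow reaches later uses of `e`. */`. A short why-comment on the `.(EssaNodeDefinition)` cast, such as `// the `as e` binding is a node definition whose defining node is the name expression`, would also help; that reading of the ESSA API is my inference and worth confirming.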


@@ -1,11 +1,15 @@
edges
| test.py:23:25:23:25 | SSA variable e | test.py:24:16:24:16 | ControlFlowNode for e |
| test.py:49:15:49:36 | ControlFlowNode for Attribute() | test.py:50:29:50:31 | ControlFlowNode for err |
| test.py:50:29:50:31 | ControlFlowNode for err | test.py:50:16:50:32 | ControlFlowNode for format_error() |
nodes
| test.py:16:16:16:37 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
| test.py:23:25:23:25 | SSA variable e | semmle.label | SSA variable e |
| test.py:24:16:24:16 | ControlFlowNode for e | semmle.label | ControlFlowNode for e |
| test.py:49:15:49:36 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
| test.py:50:16:50:32 | ControlFlowNode for format_error() | semmle.label | ControlFlowNode for format_error() |
| test.py:50:29:50:31 | ControlFlowNode for err | semmle.label | ControlFlowNode for err |
#select
| test.py:16:16:16:37 | ControlFlowNode for Attribute() | test.py:16:16:16:37 | ControlFlowNode for Attribute() | test.py:16:16:16:37 | ControlFlowNode for Attribute() | $@ may be exposed to an external user | test.py:16:16:16:37 | ControlFlowNode for Attribute() | Error information |
| test.py:24:16:24:16 | ControlFlowNode for e | test.py:23:25:23:25 | SSA variable e | test.py:24:16:24:16 | ControlFlowNode for e | $@ may be exposed to an external user | test.py:23:25:23:25 | SSA variable e | Error information |
| test.py:50:16:50:32 | ControlFlowNode for format_error() | test.py:49:15:49:36 | ControlFlowNode for Attribute() | test.py:50:16:50:32 | ControlFlowNode for format_error() | $@ may be exposed to an external user | test.py:49:15:49:36 | ControlFlowNode for Attribute() | Error information |


@@ -16,16 +16,16 @@ def server_bad():
return traceback.format_exc() #$ exceptionInfo
# BAD
@app.route('/bad/clearly')
def server_bad():
@app.route('/bad/direct')
def server_bad_direct():
try:
do_computation()
except Exception as e: #$ exceptionInfo
return e
# BAD
@app.route('/bad/also')
def server_bad():
@app.route('/bad/traceback')
def server_bad_traceback():
try:
do_computation()
except Exception as e: #$ exceptionInfo