Merge pull request #4056 from yoff/SharedDataflow_ParameterTests

Python: Shared dataflow, parameter routing tests

python/ql/test/experimental/dataflow/coverage/argumentRouting1.ql

@@ -0,0 +1,30 @@
+import experimental.dataflow.DataFlow
+
+/**
+ * A configuration to check routing of arguments through magic methods.
+ */
+class ArgumentRoutingConfig extends DataFlow::Configuration {
+  ArgumentRoutingConfig() { this = "ArgumentRoutingConfig" }
+
+  override predicate isSource(DataFlow::Node node) {
+    exists(AssignmentDefinition def |
+      def.getVariable() = node.(DataFlow::EssaNode).getVar() and
+      def.getValue().(DataFlow::DataFlowCall).getCallable().getName().matches("With\\_%")
+    ) and
+    node.(DataFlow::EssaNode).getVar().getName().matches("with\\_%")
+  }
+
+  override predicate isSink(DataFlow::Node node) {
+    exists(CallNode call |
+      call.getFunction().(NameNode).getId() = "SINK1" and
+      node.(DataFlow::CfgNode).getNode() = call.getAnArg()
+    )
+  }
+}
+
+from DataFlow::Node source, DataFlow::Node sink
+where
+  source.getLocation().getFile().getBaseName() = "classes.py" and
+  sink.getLocation().getFile().getBaseName() = "classes.py" and
+  exists(ArgumentRoutingConfig cfg | cfg.hasFlow(source, sink))
+select source, sink

python/ql/test/experimental/dataflow/coverage/argumentRouting2.ql

@@ -0,0 +1,26 @@
+import experimental.dataflow.DataFlow
+
+/**
+ * A configuration to check routing of arguments through magic methods.
+ */
+class ArgumentRoutingConfig extends DataFlow::Configuration {
+  ArgumentRoutingConfig() { this = "ArgumentRoutingConfig" }
+
+  override predicate isSource(DataFlow::Node node) {
+    node.(DataFlow::CfgNode).getNode().(NameNode).getId() = "arg2"
+  }
+
+  override predicate isSink(DataFlow::Node node) {
+    exists(CallNode call |
+      call.getFunction().(NameNode).getId() = "SINK2" and
+      node.(DataFlow::CfgNode).getNode() = call.getAnArg()
+    )
+  }
+}
+
+from DataFlow::Node source, DataFlow::Node sink
+where
+  source.getLocation().getFile().getBaseName() = "classes.py" and
+  sink.getLocation().getFile().getBaseName() = "classes.py" and
+  exists(ArgumentRoutingConfig cfg | cfg.hasFlow(source, sink))
+select source, sink

python/ql/test/experimental/dataflow/coverage/argumentRouting3.ql

@@ -0,0 +1,26 @@
+import experimental.dataflow.DataFlow
+
+/**
+ * A configuration to check routing of arguments through magic methods.
+ */
+class ArgumentRoutingConfig extends DataFlow::Configuration {
+  ArgumentRoutingConfig() { this = "ArgumentRoutingConfig" }
+
+  override predicate isSource(DataFlow::Node node) {
+    node.(DataFlow::CfgNode).getNode().(NameNode).getId() = "arg3"
+  }
+
+  override predicate isSink(DataFlow::Node node) {
+    exists(CallNode call |
+      call.getFunction().(NameNode).getId() = "SINK3" and
+      node.(DataFlow::CfgNode).getNode() = call.getAnArg()
+    )
+  }
+}
+
+from DataFlow::Node source, DataFlow::Node sink
+where
+  source.getLocation().getFile().getBaseName() = "classes.py" and
+  sink.getLocation().getFile().getBaseName() = "classes.py" and
+  exists(ArgumentRoutingConfig cfg | cfg.hasFlow(source, sink))
+select source, sink

python/ql/test/experimental/dataflow/coverage/argumentRouting4.ql

@@ -0,0 +1,26 @@
+import experimental.dataflow.DataFlow
+
+/**
+ * A configuration to check routing of arguments through magic methods.
+ */
+class ArgumentRoutingConfig extends DataFlow::Configuration {
+  ArgumentRoutingConfig() { this = "ArgumentRoutingConfig" }
+
+  override predicate isSource(DataFlow::Node node) {
+    node.(DataFlow::CfgNode).getNode().(NameNode).getId() = "arg4"
+  }
+
+  override predicate isSink(DataFlow::Node node) {
+    exists(CallNode call |
+      call.getFunction().(NameNode).getId() = "SINK4" and
+      node.(DataFlow::CfgNode).getNode() = call.getAnArg()
+    )
+  }
+}
+
+from DataFlow::Node source, DataFlow::Node sink
+where
+  source.getLocation().getFile().getBaseName() = "classes.py" and
+  sink.getLocation().getFile().getBaseName() = "classes.py" and
+  exists(ArgumentRoutingConfig cfg | cfg.hasFlow(source, sink))
+select source, sink

python/ql/test/experimental/dataflow/coverage/classesCallGraph.expected

@@ -1,6 +1,6 @@
-| classes.py:19:12:19:31 | ControlFlowNode for Attribute() | classes.py:19:12:19:31 | ControlFlowNode for Attribute() |
-| classes.py:174:7:174:22 | ControlFlowNode for set() | classes.py:174:7:174:22 | ControlFlowNode for set() |
-| classes.py:178:7:178:28 | ControlFlowNode for frozenset() | classes.py:178:7:178:28 | ControlFlowNode for frozenset() |
-| classes.py:182:7:182:26 | ControlFlowNode for dict() | classes.py:182:7:182:26 | ControlFlowNode for dict() |
-| classes.py:303:28:303:51 | ControlFlowNode for dict() | classes.py:303:28:303:51 | ControlFlowNode for dict() |
-| classes.py:466:12:466:24 | ControlFlowNode for Attribute() | classes.py:466:12:466:24 | ControlFlowNode for Attribute() |
+| classes.py:32:12:32:31 | ControlFlowNode for Attribute() | classes.py:32:12:32:31 | ControlFlowNode for Attribute() |
+| classes.py:212:7:212:22 | ControlFlowNode for set() | classes.py:212:7:212:22 | ControlFlowNode for set() |
+| classes.py:216:7:216:28 | ControlFlowNode for frozenset() | classes.py:216:7:216:28 | ControlFlowNode for frozenset() |
+| classes.py:220:7:220:26 | ControlFlowNode for dict() | classes.py:220:7:220:26 | ControlFlowNode for dict() |
+| classes.py:369:27:369:50 | ControlFlowNode for dict() | classes.py:369:27:369:50 | ControlFlowNode for dict() |
+| classes.py:563:12:563:24 | ControlFlowNode for Attribute() | classes.py:563:12:563:24 | ControlFlowNode for Attribute() |

python/ql/test/experimental/dataflow/coverage/classesCallGraph.ql

@@ -1,4 +1,29 @@
-import experimental.dataflow.callGraphConfig
+import experimental.dataflow.DataFlow
+
+/**
+ * A configuration to find the call graph edges.
+ */
+class CallGraphConfig extends DataFlow::Configuration {
+  CallGraphConfig() { this = "CallGraphConfig" }
+
+  override predicate isSource(DataFlow::Node node) {
+    node instanceof DataFlow::ReturnNode
+    or
+    // These sources should allow for the non-standard call syntax
+    node instanceof DataFlow::ArgumentNode
+  }
+
+  override predicate isSink(DataFlow::Node node) {
+    node instanceof DataFlow::OutNode
+    or
+    node instanceof DataFlow::ParameterNode and
+    // exclude parameters to the SINK-functions
+    not exists(DataFlow::DataFlowCallable c |
+      node.(DataFlow::ParameterNode).isParameterOf(c, _) and
+      c.getName().matches("SINK_")
+    )
+  }
+}
 
 from DataFlow::Node source, DataFlow::Node sink
 where
@@ -8,3 +33,4 @@ where
 select source, sink
 // Ideally, we would just have 1-step paths either from argument to parameter
 // or from return to call. This gives a bit more, so should be rewritten.
+// We should also consider splitting this into two, one for each direction.