python: Add reverse flow in some patterns

Particularly in value and literal patterns. This is getting a little bit into the guards aspect of matching. We could similarly add reverse flow in terms of sub-patterns storing to a sequence pattern, a flow step from alternatives to an-or-pattern, etc.. It does not seem too likely that sources are embedded in patterns to begin with, but for secrets perhaps? It is illustrated by the literal test. The value test still fails. I believe we miss flow in general from the static attribute.
2025-12-17 17:23:36 +01:00 · 2022-01-27 15:20:23 +01:00
parent cb52ab669e
commit b93c04bb79
2 changed files with 41 additions and 9 deletions
--- a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPrivate.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPrivate.qll
@@ -1595,10 +1595,10 @@ import IterableUnpacking
 *
 * - as pattern: subject flows to alias as well as to the interior pattern
 * - or pattern: subject flows to each alternative
- * - literal pattern: no flow
+ * - literal pattern: flow from the literal to the pattern, to add information
 * - capture pattern: subject flows to the variable
 * - wildcard pattern: no flow
- * - value pattern: no flow
+ * - value pattern: flow from the value to the pattern, to add information
 * - sequence pattern: each element reads from subject at the associated index
 * - star pattern: subject flows to the variable, possibly via a conversion
 * - mapping pattern: each value reads from subject at the associated key
@@ -1636,14 +1636,16 @@ module MatchUnpacking {
   */
  predicate matchAsFlowStep(Node nodeFrom, Node nodeTo) {
    exists(MatchAsPattern subject, Name alias | alias = subject.getAlias() |
+      // We make the subject flow to the interior pattern via the alis.
+      // That way, information can propagate from the interior pattern to the alias.
+      //
+      // the subject flows to the interior pattern
      nodeFrom.asCfgNode().getNode() = subject and
-      (
-        // the subject flows to the alias
-        nodeTo.asVar().getDefinition().(PatternAliasDefinition).getDefiningNode().getNode() = alias
-        or
-        // the subject flows to the interior pattern
-        nodeTo.asCfgNode().getNode() = subject.getPattern()
-      )
+      nodeTo.asCfgNode().getNode() = subject.getPattern()
+      or
+      // the interior pattern flows to the alias
+      nodeFrom.asCfgNode().getNode() = subject.getPattern() and
+      nodeTo.asVar().getDefinition().(PatternAliasDefinition).getDefiningNode().getNode() = alias
    )
  }

@@ -1658,6 +1660,17 @@ module MatchUnpacking {
    )
  }

+  /**
+   * literal pattern: flow from the literal to the pattern, to add information
+   * syntax (toplevel): `case literal:`
+   */
+  predicate matchLiteralFlowStep(Node nodeFrom, Node nodeTo) {
+    exists(MatchLiteralPattern pattern, Expr literal | literal = pattern.getLiteral() |
+      nodeFrom.asExpr() = literal and
+      nodeTo.asCfgNode().getNode() = pattern
+    )
+  }
+
  /**
   * capture pattern: subject flows to the variable
   * syntax (toplevel): `case var:`
@@ -1669,6 +1682,17 @@ module MatchUnpacking {
    )
  }

+  /**
+   * value pattern: flow from the value to the pattern, to add information
+   * syntax (toplevel): `case Dotted.value:`
+   */
+  predicate matchValueFlowStep(Node nodeFrom, Node nodeTo) {
+    exists(MatchValuePattern pattern, Expr value | value = pattern.getValue() |
+      nodeFrom.asExpr() = value and
+      nodeTo.asCfgNode().getNode() = pattern
+    )
+  }
+
  /**
   * sequence pattern: each element reads from subject at the associated index
   * syntax (toplevel): `case [a, b]:`
@@ -1814,8 +1838,12 @@ module MatchUnpacking {
    or
    matchOrFlowStep(nodeFrom, nodeTo)
    or
+    matchLiteralFlowStep(nodeFrom, nodeTo)
+    or
    matchCaptureFlowStep(nodeFrom, nodeTo)
    or
+    matchValueFlowStep(nodeFrom, nodeTo)
+    or
    matchMappingFlowStep(nodeFrom, nodeTo)
  }