Python: model copy.deepcopy as a value step

2026-04-26 17:25:19 +02:00 · 2024-06-25 14:53:06 +02:00
parent 501cda4e8c
commit bc551174f9
2 changed files with 2 additions and 14 deletions
--- a/python/ql/lib/semmle/python/dataflow/new/internal/TaintTrackingPrivate.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/internal/TaintTrackingPrivate.qll
@@ -46,8 +46,6 @@ private module Cached {
      or
      containerStep(nodeFrom, nodeTo)
      or
-      copyStep(nodeFrom, nodeTo)
-      or
      DataFlowPrivate::forReadStep(nodeFrom, _, nodeTo)
      or
      DataFlowPrivate::iterableUnpackingReadStep(nodeFrom, _, nodeTo)
@@ -191,18 +189,6 @@ predicate containerStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
  DataFlowPrivate::comprehensionStoreStep(nodeFrom, _, nodeTo)
 }

-/**
- * Holds if taint can flow from `nodeFrom` to `nodeTo` with a step related to copying.
- */
-predicate copyStep(DataFlow::CfgNode nodeFrom, DataFlow::CfgNode nodeTo) {
-  exists(DataFlow::CallCfgNode call | call = nodeTo |
-    call = API::moduleImport("copy").getMember(["copy", "deepcopy"]).getACall() and
-    call.getArg(0) = nodeFrom
-  )
-  or
-  nodeTo.(DataFlow::MethodCallNode).calls(nodeFrom, "copy")
-}
-
 /**
 * Holds if taint can flow from `nodeFrom` to `nodeTo` with an `await`-step,
 * such that the whole expression `await x` is tainted if `x` is tainted.
--- a/python/ql/lib/semmle/python/frameworks/Stdlib/StdLib.model.yml
+++ b/python/ql/lib/semmle/python/frameworks/Stdlib/StdLib.model.yml
@@ -13,6 +13,8 @@ extensions:
      pack: codeql/python-all
      extensible: summaryModel
    data:
+      # See https://docs.python.org/3/library/copy.html#copy.deepcopy
+      - ["copy", "Member[copy,deepcopy]", "Argument[0,x:]", "ReturnValue", "value"]
      # See See https://docs.python.org/3/library/fnmatch.html#fnmatch.filter
      - ["fnmatch", "Member[filter]", "Argument[0,names:].ListElement", "ReturnValue.ListElement", "value"]
      - ["fnmatch", "Member[filter]", "Argument[0,names:]", "ReturnValue", "taint"]