Python: Sync in changes to SummaryTypeTracker.qll

2026-04-25 08:45:14 +02:00 · 2023-10-30 10:52:07 +01:00
parent 14cfb82a8c
commit bf3fb685ad
2 changed files with 36 additions and 25 deletions
--- a/python/ql/lib/semmle/python/dataflow/new/internal/SummaryTypeTracker.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/internal/SummaryTypeTracker.qll
@@ -74,7 +74,7 @@ signature module Input {

  // Relating nodes to summaries
  /** Gets a dataflow node respresenting the argument of `call` indicated by `arg`. */
-  Node argumentOf(Node call, SummaryComponent arg);
+  Node argumentOf(Node call, SummaryComponent arg, boolean isOutput);

  /** Gets a dataflow node respresenting the parameter of `callable` indicated by `param`. */
  Node parameterOf(Node callable, SummaryComponent param);
@@ -224,11 +224,14 @@ module SummaryFlow<Input I> implements Output<I> {
   * as specified by `component`.
   */
  bindingset[call, component]
-  private I::Node evaluateSummaryComponentLocal(I::Node call, I::SummaryComponent component) {
-    result = I::argumentOf(call, component)
+  private I::Node evaluateSummaryComponentLocal(
+    I::Node call, I::SummaryComponent component, boolean isOutput
+  ) {
+    result = I::argumentOf(call, component, isOutput)
    or
    component = I::return() and
-    result = call
+    result = call and
+    isOutput = true
  }

  /**
@@ -280,27 +283,34 @@ module SummaryFlow<Input I> implements Output<I> {
   */
  pragma[nomagic]
  private I::Node evaluateSummaryComponentStackLocal(
-    I::SummarizedCallable callable, I::Node call, I::SummaryComponentStack stack
+    I::SummarizedCallable callable, I::Node call, I::SummaryComponentStack stack, boolean isOutput
  ) {
    exists(I::SummaryComponent component |
      dependsOnSummaryComponentStackLeaf(callable, component) and
      stack = I::singleton(component) and
      call = I::callTo(callable) and
-      result = evaluateSummaryComponentLocal(call, component)
+      result = evaluateSummaryComponentLocal(call, component, isOutput)
    )
    or
-    exists(I::Node prev, I::SummaryComponent head, I::SummaryComponentStack tail |
-      prev = evaluateSummaryComponentStackLocal(callable, call, tail) and
+    exists(
+      I::Node prev, I::SummaryComponent head, I::SummaryComponentStack tail, boolean isOutput0
+    |
+      prev = evaluateSummaryComponentStackLocal(callable, call, tail, isOutput0) and
      dependsOnSummaryComponentStackConsLocal(callable, pragma[only_bind_into](head),
        pragma[only_bind_out](tail)) and
      stack = I::push(pragma[only_bind_out](head), pragma[only_bind_out](tail))
    |
-      result = I::parameterOf(prev, head)
+      result = I::parameterOf(prev, head) and
+      isOutput0 = false and
+      isOutput = true
      or
-      result = I::returnOf(prev, head)
+      result = I::returnOf(prev, head) and
+      isOutput0 = false and
+      isOutput = false
      or
      componentLevelStep(head) and
-      result = prev
+      result = prev and
+      isOutput = isOutput0
    )
  }

@@ -312,8 +322,8 @@ module SummaryFlow<Input I> implements Output<I> {
    |
      callable.propagatesFlow(input, output, true) and
      call = I::callTo(callable) and
-      nodeFrom = evaluateSummaryComponentStackLocal(callable, call, input) and
-      nodeTo = evaluateSummaryComponentStackLocal(callable, call, output)
+      nodeFrom = evaluateSummaryComponentStackLocal(callable, call, input, false) and
+      nodeTo = evaluateSummaryComponentStackLocal(callable, call, output, true)
    )
  }

@@ -325,8 +335,8 @@ module SummaryFlow<Input I> implements Output<I> {
      hasLoadSummary(callable, content, pragma[only_bind_into](input),
        pragma[only_bind_into](output)) and
      call = I::callTo(callable) and
-      nodeFrom = evaluateSummaryComponentStackLocal(callable, call, input) and
-      nodeTo = evaluateSummaryComponentStackLocal(callable, call, output)
+      nodeFrom = evaluateSummaryComponentStackLocal(callable, call, input, false) and
+      nodeTo = evaluateSummaryComponentStackLocal(callable, call, output, true)
    )
  }

@@ -338,8 +348,8 @@ module SummaryFlow<Input I> implements Output<I> {
      hasStoreSummary(callable, content, pragma[only_bind_into](input),
        pragma[only_bind_into](output)) and
      call = I::callTo(callable) and
-      nodeFrom = evaluateSummaryComponentStackLocal(callable, call, input) and
-      nodeTo = evaluateSummaryComponentStackLocal(callable, call, output)
+      nodeFrom = evaluateSummaryComponentStackLocal(callable, call, input, false) and
+      nodeTo = evaluateSummaryComponentStackLocal(callable, call, output, true)
    )
  }

@@ -354,8 +364,8 @@ module SummaryFlow<Input I> implements Output<I> {
      hasLoadStoreSummary(callable, loadContent, storeContent, pragma[only_bind_into](input),
        pragma[only_bind_into](output)) and
      call = I::callTo(callable) and
-      nodeFrom = evaluateSummaryComponentStackLocal(callable, call, input) and
-      nodeTo = evaluateSummaryComponentStackLocal(callable, call, output)
+      nodeFrom = evaluateSummaryComponentStackLocal(callable, call, input, false) and
+      nodeTo = evaluateSummaryComponentStackLocal(callable, call, output, true)
    )
  }

@@ -369,8 +379,8 @@ module SummaryFlow<Input I> implements Output<I> {
      hasWithoutContentSummary(callable, filter, pragma[only_bind_into](input),
        pragma[only_bind_into](output)) and
      call = I::callTo(callable) and
-      nodeFrom = evaluateSummaryComponentStackLocal(callable, call, input) and
-      nodeTo = evaluateSummaryComponentStackLocal(callable, call, output)
+      nodeFrom = evaluateSummaryComponentStackLocal(callable, call, input, false) and
+      nodeTo = evaluateSummaryComponentStackLocal(callable, call, output, true)
    )
  }

@@ -384,8 +394,8 @@ module SummaryFlow<Input I> implements Output<I> {
      hasWithContentSummary(callable, filter, pragma[only_bind_into](input),
        pragma[only_bind_into](output)) and
      call = I::callTo(callable) and
-      nodeFrom = evaluateSummaryComponentStackLocal(callable, call, input) and
-      nodeTo = evaluateSummaryComponentStackLocal(callable, call, output)
+      nodeFrom = evaluateSummaryComponentStackLocal(callable, call, input, false) and
+      nodeTo = evaluateSummaryComponentStackLocal(callable, call, output, true)
    )
  }
 }
--- a/python/ql/lib/semmle/python/dataflow/new/internal/TypeTrackerSpecific.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/internal/TypeTrackerSpecific.qll
@@ -214,10 +214,11 @@ private module SummaryTypeTrackerInput implements SummaryTypeTracker::Input {
  predicate return = FlowSummary::SummaryComponent::return/0;

  // Relating nodes to summaries
-  Node argumentOf(Node call, SummaryComponent arg) {
+  Node argumentOf(Node call, SummaryComponent arg, boolean isPostUpdate) {
    exists(DataFlowDispatch::ParameterPosition pos |
      arg = FlowSummary::SummaryComponent::argument(pos) and
-      argumentPositionMatch(call, result, pos)
+      argumentPositionMatch(call, result, pos) and
+      isPostUpdate = [false, true] // todo: implement when/if Python uses post-update nodes in type tracking
    )
  }