Merge branch 'main' into python-model-django-sources

2025-12-20 02:44:30 +01:00 · 2020-10-20 15:38:20 +02:00
parent 80adbdfbc1 17155b64f5
commit c8441dc4fb
299 changed files with 35592 additions and 8575 deletions
--- a/python/ql/src/experimental/dataflow/internal/DataFlowImpl.qll
+++ b/python/ql/src/experimental/dataflow/internal/DataFlowImpl.qll
--- a/python/ql/src/experimental/dataflow/internal/DataFlowImpl2.qll
+++ b/python/ql/src/experimental/dataflow/internal/DataFlowImpl2.qll
--- a/python/ql/src/experimental/dataflow/internal/DataFlowImplCommon.qll
+++ b/python/ql/src/experimental/dataflow/internal/DataFlowImplCommon.qll
@@ -2,6 +2,30 @@ private import DataFlowImplSpecific::Private
 private import DataFlowImplSpecific::Public
 import Cached

+/**
+ * The cost limits for the `AccessPathFront` to `AccessPathApprox` expansion.
+ *
+ * `apLimit` bounds the acceptable fan-out, and `tupleLimit` bounds the
+ * estimated per-`AccessPathFront` tuple cost. Access paths exceeding both of
+ * these limits are represented with lower precision during pruning.
+ */
+predicate accessPathApproxCostLimits(int apLimit, int tupleLimit) {
+  apLimit = 10 and
+  tupleLimit = 10000
+}
+
+/**
+ * The cost limits for the `AccessPathApprox` to `AccessPath` expansion.
+ *
+ * `apLimit` bounds the acceptable fan-out, and `tupleLimit` bounds the
+ * estimated per-`AccessPathApprox` tuple cost. Access paths exceeding both of
+ * these limits are represented with lower precision.
+ */
+predicate accessPathCostLimits(int apLimit, int tupleLimit) {
+  apLimit = 5 and
+  tupleLimit = 1000
+}
+
 cached
 private module Cached {
  /**
--- a/python/ql/src/experimental/dataflow/internal/DataFlowPrivate.qll
+++ b/python/ql/src/experimental/dataflow/internal/DataFlowPrivate.qll
@@ -798,6 +798,29 @@ predicate jumpStep(Node nodeFrom, Node nodeTo) {
  or
  // Module variable write
  nodeFrom = nodeTo.(ModuleVariableNode).getAWrite()
+  or
+  // Read of module attribute:
+  exists(AttrRead r, ModuleValue mv |
+    r.getObject().asCfgNode().pointsTo(mv) and
+    module_export(mv.getScope(), r.getAttributeName(), nodeFrom) and
+    nodeTo = r
+  )
+}
+
+/**
+ * Holds if the module `m` defines a name `name` by assigning `defn` to it. This is an
+ * overapproximation, as `name` may not in fact be exported (e.g. by defining an `__all__` that does
+ * not include `name`).
+ */
+private predicate module_export(Module m, string name, CfgNode defn) {
+  exists(EssaVariable v |
+    v.getName() = name and
+    v.getAUse() = m.getANormalExit()
+  |
+    defn.getNode() = v.getDefinition().(AssignmentDefinition).getValue()
+    or
+    defn.getNode() = v.getDefinition().(ArgumentRefinement).getArgument()
+  )
 }

 //--------