Python: Don't report mutable parameters that are in fact immutable.

Fixes #1832. In the taint sink, we add an additional check that the given control-flow node can indeed point to a value that is mutable. This takes care of the guard on the type. If and when we get around to adding configurations for all of the taint analyses, we may want to implement this as a barrier instead, pruning any steps that go through a type test where the type is not mutable.
2025-12-18 01:33:15 +01:00 · 2019-11-18 16:18:44 +01:00
parent ed4657c201
commit cac261858c
3 changed files with 42 additions and 1 deletions
--- a/python/ql/src/Functions/ModificationOfParameterWithDefault.ql
+++ b/python/ql/src/Functions/ModificationOfParameterWithDefault.ql
@@ -73,6 +73,11 @@ class MutableDefaultValue extends TaintSource {
    }
 }

+private ClassValue mutable_class() {
+    result = Value::named("list") or
+    result = Value::named("dict")
+}
+
 class Mutation extends TaintSink {
    Mutation() {
        exists(AugAssign a | a.getTarget().getAFlowNode() = this)
@@ -80,7 +85,8 @@ class Mutation extends TaintSink {
        exists(Call c, Attribute a |
            c.getFunc() = a |
            a.getObject().getAFlowNode() = this and
-            not safe_method(a.getName())
+            not safe_method(a.getName()) and
+            this.(ControlFlowNode).pointsTo().getClass() = mutable_class()
        )
    }