hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-03-17 04:56:58 +01:00
Code Issues Packages Projects Releases Wiki Activity

Address review comments

Browse Source
This commit is contained in:
Tom Hvitved
2021-10-19 15:33:25 +02:00
parent ec5d8ab2db
commit dd138b0429
37 changed files with 767 additions and 727 deletions
Download Patch File Download Diff File Expand all files Collapse all files

57
python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl.qll
View File

@@ -244,6 +244,8 @@ private class ParamNodeEx extends NodeEx {
}
int getPosition() { this.isParameterOf(_, result) }
predicate allowParameterReturnInSelf() { allowParameterReturnInSelfCached(this.asNode()) }
}
private class RetNodeEx extends NodeEx {
@@ -252,8 +254,6 @@ private class RetNodeEx extends NodeEx {
ReturnPosition getReturnPosition() { result = getReturnPosition(this.asNode()) }
ReturnKindExt getKind() { result = this.asNode().(ReturnNodeExt).getKind() }
predicate allowFlowThroughParameter() { allowFlowThroughParameterCached(this.asNode()) }
}
private predicate inBarrier(NodeEx node, Configuration config) {
@@ -727,16 +727,12 @@ private module Stage1 {
/** Holds if flow may return from `callable`. */
pragma[nomagic]
private predicate returnFlowCallableNodeCand(
DataFlowCallable callable, ReturnKindExt kind, boolean allowFlowThroughParameter,
Configuration config
DataFlowCallable callable, ReturnKindExt kind, Configuration config
) {
exists(RetNodeEx ret |
throughFlowNodeCand(ret, config) and
callable = ret.getEnclosingCallable() and
kind = ret.getKind() and
if ret.allowFlowThroughParameter()
then allowFlowThroughParameter = true
else allowFlowThroughParameter = false
kind = ret.getKind()
)
}
@@ -745,16 +741,17 @@ private module Stage1 {
* candidate for the origin of a summary.
*/
predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
exists(ReturnKindExt kind, boolean allowFlowThroughParameter |
exists(ReturnKindExt kind |
throughFlowNodeCand(p, config) and
returnFlowCallableNodeCand(c, kind, allowFlowThroughParameter, config) and
returnFlowCallableNodeCand(c, kind, config) and
p.getEnclosingCallable() = c and
exists(ap) and
// we don't expect a parameter to return stored in itself, unless explicitly allowed
(
if kind.(ParamUpdateReturnKind).getPosition() = p.getPosition()
then allowFlowThroughParameter = true
else any()
) and
exists(ap)
not kind.(ParamUpdateReturnKind).getPosition() = p.getPosition()
or
p.allowParameterReturnInSelf()
)
)
}
@@ -1403,10 +1400,11 @@ private module Stage2 {
fwdFlow(ret, any(CcCall ccc), apSome(ap), ap0, config) and
kind = ret.getKind() and
p.getPosition() = pos and
// we don't expect a parameter to return stored in itself, unless explicitly allowed
(
if kind.(ParamUpdateReturnKind).getPosition() = p.getPosition()
then ret.allowFlowThroughParameter()
else any()
not kind.(ParamUpdateReturnKind).getPosition() = pos
or
p.allowParameterReturnInSelf()
)
)
}
@@ -2095,10 +2093,11 @@ private module Stage3 {
fwdFlow(ret, any(CcCall ccc), apSome(ap), ap0, config) and
kind = ret.getKind() and
p.getPosition() = pos and
// we don't expect a parameter to return stored in itself, unless explicitly allowed
(
if kind.(ParamUpdateReturnKind).getPosition() = p.getPosition()
then ret.allowFlowThroughParameter()
else any()
not kind.(ParamUpdateReturnKind).getPosition() = pos
or
p.allowParameterReturnInSelf()
)
)
}
@@ -2858,10 +2857,11 @@ private module Stage4 {
fwdFlow(ret, any(CcCall ccc), apSome(ap), ap0, config) and
kind = ret.getKind() and
p.getPosition() = pos and
// we don't expect a parameter to return stored in itself, unless explicitly allowed
(
if kind.(ParamUpdateReturnKind).getPosition() = p.getPosition()
then ret.allowFlowThroughParameter()
else any()
not kind.(ParamUpdateReturnKind).getPosition() = pos
or
p.allowParameterReturnInSelf()
)
)
}
@@ -2935,7 +2935,7 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
int getParameterPos() { p.isParameterOf(_, result) }
ParameterNode getParameterNode() { result = p.asNode() }
ParamNodeEx getParamNode() { result = p }
override string toString() { result = p + ": " + ap }
@@ -3637,10 +3637,11 @@ private predicate paramFlowsThrough(
ap = mid.getAp() and
apa = ap.getApprox() and
pos = sc.getParameterPos() and
// we don't expect a parameter to return stored in itself, unless explicitly allowed
(
if kind.(ParamUpdateReturnKind).getPosition() = pos
then ret.allowFlowThroughParameter()
else any()
not kind.(ParamUpdateReturnKind).getPosition() = pos
or
sc.getParamNode().allowParameterReturnInSelf()
)
)
}

57
python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl2.qll
View File

@@ -244,6 +244,8 @@ private class ParamNodeEx extends NodeEx {
}
int getPosition() { this.isParameterOf(_, result) }
predicate allowParameterReturnInSelf() { allowParameterReturnInSelfCached(this.asNode()) }
}
private class RetNodeEx extends NodeEx {
@@ -252,8 +254,6 @@ private class RetNodeEx extends NodeEx {
ReturnPosition getReturnPosition() { result = getReturnPosition(this.asNode()) }
ReturnKindExt getKind() { result = this.asNode().(ReturnNodeExt).getKind() }
predicate allowFlowThroughParameter() { allowFlowThroughParameterCached(this.asNode()) }
}
private predicate inBarrier(NodeEx node, Configuration config) {
@@ -727,16 +727,12 @@ private module Stage1 {
/** Holds if flow may return from `callable`. */
pragma[nomagic]
private predicate returnFlowCallableNodeCand(
DataFlowCallable callable, ReturnKindExt kind, boolean allowFlowThroughParameter,
Configuration config
DataFlowCallable callable, ReturnKindExt kind, Configuration config
) {
exists(RetNodeEx ret |
throughFlowNodeCand(ret, config) and
callable = ret.getEnclosingCallable() and
kind = ret.getKind() and
if ret.allowFlowThroughParameter()
then allowFlowThroughParameter = true
else allowFlowThroughParameter = false
kind = ret.getKind()
)
}
@@ -745,16 +741,17 @@ private module Stage1 {
* candidate for the origin of a summary.
*/
predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
exists(ReturnKindExt kind, boolean allowFlowThroughParameter |
exists(ReturnKindExt kind |
throughFlowNodeCand(p, config) and
returnFlowCallableNodeCand(c, kind, allowFlowThroughParameter, config) and
returnFlowCallableNodeCand(c, kind, config) and
p.getEnclosingCallable() = c and
exists(ap) and
// we don't expect a parameter to return stored in itself, unless explicitly allowed
(
if kind.(ParamUpdateReturnKind).getPosition() = p.getPosition()
then allowFlowThroughParameter = true
else any()
) and
exists(ap)
not kind.(ParamUpdateReturnKind).getPosition() = p.getPosition()
or
p.allowParameterReturnInSelf()
)
)
}
@@ -1403,10 +1400,11 @@ private module Stage2 {
fwdFlow(ret, any(CcCall ccc), apSome(ap), ap0, config) and
kind = ret.getKind() and
p.getPosition() = pos and
// we don't expect a parameter to return stored in itself, unless explicitly allowed
(
if kind.(ParamUpdateReturnKind).getPosition() = p.getPosition()
then ret.allowFlowThroughParameter()
else any()
not kind.(ParamUpdateReturnKind).getPosition() = pos
or
p.allowParameterReturnInSelf()
)
)
}
@@ -2095,10 +2093,11 @@ private module Stage3 {
fwdFlow(ret, any(CcCall ccc), apSome(ap), ap0, config) and
kind = ret.getKind() and
p.getPosition() = pos and
// we don't expect a parameter to return stored in itself, unless explicitly allowed
(
if kind.(ParamUpdateReturnKind).getPosition() = p.getPosition()
then ret.allowFlowThroughParameter()
else any()
not kind.(ParamUpdateReturnKind).getPosition() = pos
or
p.allowParameterReturnInSelf()
)
)
}
@@ -2858,10 +2857,11 @@ private module Stage4 {
fwdFlow(ret, any(CcCall ccc), apSome(ap), ap0, config) and
kind = ret.getKind() and
p.getPosition() = pos and
// we don't expect a parameter to return stored in itself, unless explicitly allowed
(
if kind.(ParamUpdateReturnKind).getPosition() = p.getPosition()
then ret.allowFlowThroughParameter()
else any()
not kind.(ParamUpdateReturnKind).getPosition() = pos
or
p.allowParameterReturnInSelf()
)
)
}
@@ -2935,7 +2935,7 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
int getParameterPos() { p.isParameterOf(_, result) }
ParameterNode getParameterNode() { result = p.asNode() }
ParamNodeEx getParamNode() { result = p }
override string toString() { result = p + ": " + ap }
@@ -3637,10 +3637,11 @@ private predicate paramFlowsThrough(
ap = mid.getAp() and
apa = ap.getApprox() and
pos = sc.getParameterPos() and
// we don't expect a parameter to return stored in itself, unless explicitly allowed
(
if kind.(ParamUpdateReturnKind).getPosition() = pos
then ret.allowFlowThroughParameter()
else any()
not kind.(ParamUpdateReturnKind).getPosition() = pos
or
sc.getParamNode().allowParameterReturnInSelf()
)
)
}

57
python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl3.qll
View File

@@ -244,6 +244,8 @@ private class ParamNodeEx extends NodeEx {
}
int getPosition() { this.isParameterOf(_, result) }
predicate allowParameterReturnInSelf() { allowParameterReturnInSelfCached(this.asNode()) }
}
private class RetNodeEx extends NodeEx {
@@ -252,8 +254,6 @@ private class RetNodeEx extends NodeEx {
ReturnPosition getReturnPosition() { result = getReturnPosition(this.asNode()) }
ReturnKindExt getKind() { result = this.asNode().(ReturnNodeExt).getKind() }
predicate allowFlowThroughParameter() { allowFlowThroughParameterCached(this.asNode()) }
}
private predicate inBarrier(NodeEx node, Configuration config) {
@@ -727,16 +727,12 @@ private module Stage1 {
/** Holds if flow may return from `callable`. */
pragma[nomagic]
private predicate returnFlowCallableNodeCand(
DataFlowCallable callable, ReturnKindExt kind, boolean allowFlowThroughParameter,
Configuration config
DataFlowCallable callable, ReturnKindExt kind, Configuration config
) {
exists(RetNodeEx ret |
throughFlowNodeCand(ret, config) and
callable = ret.getEnclosingCallable() and
kind = ret.getKind() and
if ret.allowFlowThroughParameter()
then allowFlowThroughParameter = true
else allowFlowThroughParameter = false
kind = ret.getKind()
)
}
@@ -745,16 +741,17 @@ private module Stage1 {
* candidate for the origin of a summary.
*/
predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
exists(ReturnKindExt kind, boolean allowFlowThroughParameter |
exists(ReturnKindExt kind |
throughFlowNodeCand(p, config) and
returnFlowCallableNodeCand(c, kind, allowFlowThroughParameter, config) and
returnFlowCallableNodeCand(c, kind, config) and
p.getEnclosingCallable() = c and
exists(ap) and
// we don't expect a parameter to return stored in itself, unless explicitly allowed
(
if kind.(ParamUpdateReturnKind).getPosition() = p.getPosition()
then allowFlowThroughParameter = true
else any()
) and
exists(ap)
not kind.(ParamUpdateReturnKind).getPosition() = p.getPosition()
or
p.allowParameterReturnInSelf()
)
)
}
@@ -1403,10 +1400,11 @@ private module Stage2 {
fwdFlow(ret, any(CcCall ccc), apSome(ap), ap0, config) and
kind = ret.getKind() and
p.getPosition() = pos and
// we don't expect a parameter to return stored in itself, unless explicitly allowed
(
if kind.(ParamUpdateReturnKind).getPosition() = p.getPosition()
then ret.allowFlowThroughParameter()
else any()
not kind.(ParamUpdateReturnKind).getPosition() = pos
or
p.allowParameterReturnInSelf()
)
)
}
@@ -2095,10 +2093,11 @@ private module Stage3 {
fwdFlow(ret, any(CcCall ccc), apSome(ap), ap0, config) and
kind = ret.getKind() and
p.getPosition() = pos and
// we don't expect a parameter to return stored in itself, unless explicitly allowed
(
if kind.(ParamUpdateReturnKind).getPosition() = p.getPosition()
then ret.allowFlowThroughParameter()
else any()
not kind.(ParamUpdateReturnKind).getPosition() = pos
or
p.allowParameterReturnInSelf()
)
)
}
@@ -2858,10 +2857,11 @@ private module Stage4 {
fwdFlow(ret, any(CcCall ccc), apSome(ap), ap0, config) and
kind = ret.getKind() and
p.getPosition() = pos and
// we don't expect a parameter to return stored in itself, unless explicitly allowed
(
if kind.(ParamUpdateReturnKind).getPosition() = p.getPosition()
then ret.allowFlowThroughParameter()
else any()
not kind.(ParamUpdateReturnKind).getPosition() = pos
or
p.allowParameterReturnInSelf()
)
)
}
@@ -2935,7 +2935,7 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
int getParameterPos() { p.isParameterOf(_, result) }
ParameterNode getParameterNode() { result = p.asNode() }
ParamNodeEx getParamNode() { result = p }
override string toString() { result = p + ": " + ap }
@@ -3637,10 +3637,11 @@ private predicate paramFlowsThrough(
ap = mid.getAp() and
apa = ap.getApprox() and
pos = sc.getParameterPos() and
// we don't expect a parameter to return stored in itself, unless explicitly allowed
(
if kind.(ParamUpdateReturnKind).getPosition() = pos
then ret.allowFlowThroughParameter()
else any()
not kind.(ParamUpdateReturnKind).getPosition() = pos
or
sc.getParamNode().allowParameterReturnInSelf()
)
)
}

57
python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl4.qll
View File

@@ -244,6 +244,8 @@ private class ParamNodeEx extends NodeEx {
}
int getPosition() { this.isParameterOf(_, result) }
predicate allowParameterReturnInSelf() { allowParameterReturnInSelfCached(this.asNode()) }
}
private class RetNodeEx extends NodeEx {
@@ -252,8 +254,6 @@ private class RetNodeEx extends NodeEx {
ReturnPosition getReturnPosition() { result = getReturnPosition(this.asNode()) }
ReturnKindExt getKind() { result = this.asNode().(ReturnNodeExt).getKind() }
predicate allowFlowThroughParameter() { allowFlowThroughParameterCached(this.asNode()) }
}
private predicate inBarrier(NodeEx node, Configuration config) {
@@ -727,16 +727,12 @@ private module Stage1 {
/** Holds if flow may return from `callable`. */
pragma[nomagic]
private predicate returnFlowCallableNodeCand(
DataFlowCallable callable, ReturnKindExt kind, boolean allowFlowThroughParameter,
Configuration config
DataFlowCallable callable, ReturnKindExt kind, Configuration config
) {
exists(RetNodeEx ret |
throughFlowNodeCand(ret, config) and
callable = ret.getEnclosingCallable() and
kind = ret.getKind() and
if ret.allowFlowThroughParameter()
then allowFlowThroughParameter = true
else allowFlowThroughParameter = false
kind = ret.getKind()
)
}
@@ -745,16 +741,17 @@ private module Stage1 {
* candidate for the origin of a summary.
*/
predicate parameterMayFlowThrough(ParamNodeEx p, DataFlowCallable c, Ap ap, Configuration config) {
exists(ReturnKindExt kind, boolean allowFlowThroughParameter |
exists(ReturnKindExt kind |
throughFlowNodeCand(p, config) and
returnFlowCallableNodeCand(c, kind, allowFlowThroughParameter, config) and
returnFlowCallableNodeCand(c, kind, config) and
p.getEnclosingCallable() = c and
exists(ap) and
// we don't expect a parameter to return stored in itself, unless explicitly allowed
(
if kind.(ParamUpdateReturnKind).getPosition() = p.getPosition()
then allowFlowThroughParameter = true
else any()
) and
exists(ap)
not kind.(ParamUpdateReturnKind).getPosition() = p.getPosition()
or
p.allowParameterReturnInSelf()
)
)
}
@@ -1403,10 +1400,11 @@ private module Stage2 {
fwdFlow(ret, any(CcCall ccc), apSome(ap), ap0, config) and
kind = ret.getKind() and
p.getPosition() = pos and
// we don't expect a parameter to return stored in itself, unless explicitly allowed
(
if kind.(ParamUpdateReturnKind).getPosition() = p.getPosition()
then ret.allowFlowThroughParameter()
else any()
not kind.(ParamUpdateReturnKind).getPosition() = pos
or
p.allowParameterReturnInSelf()
)
)
}
@@ -2095,10 +2093,11 @@ private module Stage3 {
fwdFlow(ret, any(CcCall ccc), apSome(ap), ap0, config) and
kind = ret.getKind() and
p.getPosition() = pos and
// we don't expect a parameter to return stored in itself, unless explicitly allowed
(
if kind.(ParamUpdateReturnKind).getPosition() = p.getPosition()
then ret.allowFlowThroughParameter()
else any()
not kind.(ParamUpdateReturnKind).getPosition() = pos
or
p.allowParameterReturnInSelf()
)
)
}
@@ -2858,10 +2857,11 @@ private module Stage4 {
fwdFlow(ret, any(CcCall ccc), apSome(ap), ap0, config) and
kind = ret.getKind() and
p.getPosition() = pos and
// we don't expect a parameter to return stored in itself, unless explicitly allowed
(
if kind.(ParamUpdateReturnKind).getPosition() = p.getPosition()
then ret.allowFlowThroughParameter()
else any()
not kind.(ParamUpdateReturnKind).getPosition() = pos
or
p.allowParameterReturnInSelf()
)
)
}
@@ -2935,7 +2935,7 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
int getParameterPos() { p.isParameterOf(_, result) }
ParameterNode getParameterNode() { result = p.asNode() }
ParamNodeEx getParamNode() { result = p }
override string toString() { result = p + ": " + ap }
@@ -3637,10 +3637,11 @@ private predicate paramFlowsThrough(
ap = mid.getAp() and
apa = ap.getApprox() and
pos = sc.getParameterPos() and
// we don't expect a parameter to return stored in itself, unless explicitly allowed
(
if kind.(ParamUpdateReturnKind).getPosition() = pos
then ret.allowFlowThroughParameter()
else any()
not kind.(ParamUpdateReturnKind).getPosition() = pos
or
sc.getParamNode().allowParameterReturnInSelf()
)
)
}

2
python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImplCommon.qll
View File

@@ -802,7 +802,7 @@ private module Cached {
}
cached
predicate allowFlowThroughParameterCached(Node ret) { allowFlowThroughParameter(ret) }
predicate allowParameterReturnInSelfCached(ParamNode p) { allowParameterReturnInSelf(p) }
cached
newtype TCallContext =

7
python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPrivate.qll
View File

@@ -1665,5 +1665,8 @@ predicate lambdaCall(DataFlowCall call, LambdaCallKind kind, Node receiver) { no
/** Extra data-flow steps needed for lambda flow analysis. */
predicate additionalLambdaFlowStep(Node nodeFrom, Node nodeTo, boolean preservesValue) { none() }
/** Holds if flow is allowed to pass into `p` and back out again. */
predicate allowFlowThroughParameter(ParameterNode p) { none() }
/**
* Holds if flow is allowed to pass from parameter `p`, to a return
* node, and back out to `p`.
*/
predicate allowParameterReturnInSelf(ParameterNode p) { none() }