Merge branch 'main' of https://github.com/github/codeql into python/remove-ssa-nodes-from-dataflow-graph

python/ql/test/experimental/dataflow/TestUtil/DataFlowConsistency.qll

@@ -1,6 +0,0 @@
-// TODO: this should be promoted to be a REAL consistency query by being placed in
-// `python/ql/consistency-queries`. For for now it resides here.
-import python
-import semmle.python.dataflow.new.DataFlow::DataFlow
-import semmle.python.dataflow.new.internal.DataFlowPrivate
-import semmle.python.dataflow.new.internal.DataFlowImplConsistency::Consistency

python/ql/test/experimental/dataflow/basic/dataflow-consistency.expected

@@ -1,27 +0,0 @@
-uniqueEnclosingCallable
-uniqueCallEnclosingCallable
-uniqueType
-uniqueNodeLocation
-missingLocation
-uniqueNodeToString
-parameterCallable
-localFlowIsLocal
-readStepIsLocal
-storeStepIsLocal
-compatibleTypesReflexive
-unreachableNodeCCtx
-localCallNodes
-postIsNotPre
-postHasUniquePre
-uniquePostUpdate
-postIsInSameCallable
-reverseRead
-argHasPostUpdate
-postWithInFlow
-viableImplInCallContextTooLarge
-uniqueParameterNodeAtPosition
-uniqueParameterNodePosition
-uniqueContentApprox
-identityLocalStep
-missingArgumentCall
-multipleArgumentCall

python/ql/test/experimental/dataflow/basic/dataflow-consistency.ql

@@ -1,2 +0,0 @@
-import python
-import experimental.dataflow.TestUtil.DataFlowConsistency

python/ql/test/experimental/dataflow/callgraph_crosstalk/dataflow-consistency.expected

@@ -1,27 +0,0 @@
-uniqueEnclosingCallable
-uniqueCallEnclosingCallable
-uniqueType
-uniqueNodeLocation
-missingLocation
-uniqueNodeToString
-parameterCallable
-localFlowIsLocal
-readStepIsLocal
-storeStepIsLocal
-compatibleTypesReflexive
-unreachableNodeCCtx
-localCallNodes
-postIsNotPre
-postHasUniquePre
-uniquePostUpdate
-postIsInSameCallable
-reverseRead
-argHasPostUpdate
-postWithInFlow
-viableImplInCallContextTooLarge
-uniqueParameterNodeAtPosition
-uniqueParameterNodePosition
-uniqueContentApprox
-identityLocalStep
-missingArgumentCall
-multipleArgumentCall

python/ql/test/experimental/dataflow/callgraph_crosstalk/dataflow-consistency.ql

@@ -1,2 +0,0 @@
-import python
-import experimental.dataflow.TestUtil.DataFlowConsistency

python/ql/test/experimental/dataflow/calls/dataflow-consistency.expected

@@ -1,27 +0,0 @@
-uniqueEnclosingCallable
-uniqueCallEnclosingCallable
-uniqueType
-uniqueNodeLocation
-missingLocation
-uniqueNodeToString
-parameterCallable
-localFlowIsLocal
-readStepIsLocal
-storeStepIsLocal
-compatibleTypesReflexive
-unreachableNodeCCtx
-localCallNodes
-postIsNotPre
-postHasUniquePre
-uniquePostUpdate
-postIsInSameCallable
-reverseRead
-argHasPostUpdate
-postWithInFlow
-viableImplInCallContextTooLarge
-uniqueParameterNodeAtPosition
-uniqueParameterNodePosition
-uniqueContentApprox
-identityLocalStep
-missingArgumentCall
-multipleArgumentCall

python/ql/test/experimental/dataflow/calls/dataflow-consistency.ql

@@ -1,2 +0,0 @@
-import python
-import experimental.dataflow.TestUtil.DataFlowConsistency

python/ql/test/experimental/dataflow/consistency/dataflow-consistency.expected

@@ -1,27 +0,0 @@
-uniqueEnclosingCallable
-uniqueCallEnclosingCallable
-uniqueType
-uniqueNodeLocation
-missingLocation
-uniqueNodeToString
-parameterCallable
-localFlowIsLocal
-readStepIsLocal
-storeStepIsLocal
-compatibleTypesReflexive
-unreachableNodeCCtx
-localCallNodes
-postIsNotPre
-postHasUniquePre
-uniquePostUpdate
-postIsInSameCallable
-reverseRead
-argHasPostUpdate
-postWithInFlow
-viableImplInCallContextTooLarge
-uniqueParameterNodeAtPosition
-uniqueParameterNodePosition
-uniqueContentApprox
-identityLocalStep
-missingArgumentCall
-multipleArgumentCall

python/ql/test/experimental/dataflow/consistency/dataflow-consistency.ql

@@ -1,2 +0,0 @@
-import python
-import experimental.dataflow.TestUtil.DataFlowConsistency

python/ql/test/experimental/dataflow/coverage/argumentPassing.py

@@ -5,6 +5,7 @@ import functools
 sys.path.append(os.path.dirname(os.path.dirname((__file__))))
 from testlib import expects
 
+SOURCE = "source"
 arg = "source"
 arg1 = "source1"
 arg2 = "source2"
@@ -269,3 +270,68 @@ def test_stararg_mixed():
     starargs_mixed(arg1, *args, *empty_args) # $ arg1
     args = (arg2, "safe")
     starargs_mixed(arg1, *empty_args, *args) # $ arg1 MISSING: arg2
+
+# ------------------------------------------------------------------------------
+# Test updating field of argument
+# ------------------------------------------------------------------------------
+
+class MyClass: pass
+
+def kwargsSideEffect(**kwargs):
+    kwargs["a"].foo = kwargs["b"]
+
+@expects(2)
+def test_kwargsSideEffect():
+    a = MyClass()
+    kwargs = {"a": a, "b": SOURCE}
+    kwargsSideEffect(**kwargs)
+    SINK(a.foo) # $ MISSING: flow
+
+    a = MyClass()
+    kwargsSideEffect(a=a, b=SOURCE)
+    SINK(a.foo) # $ MISSING: flow
+
+
+def keywordArgSideEffect(a, b):
+    a.foo = b
+
+@expects(2)
+def test_keywordArgSideEffect():
+    a = MyClass()
+    kwargs = {"a": a, "b": SOURCE}
+    keywordArgSideEffect(**kwargs)
+    SINK(a.foo) # $ MISSING: flow
+
+    a = MyClass()
+    keywordArgSideEffect(a=a, b=SOURCE)
+    SINK(a.foo) # $ flow="SOURCE, l:-1 -> a.foo"
+
+
+def starargsSideEffect(*args):
+    args[0].foo = args[1]
+
+@expects(2)
+def test_starargsSideEffect():
+    a = MyClass()
+    args = (a, SOURCE)
+    starargsSideEffect(*args)
+    SINK(a.foo) # $ MISSING: flow
+
+    a = MyClass()
+    starargsSideEffect(a, SOURCE)
+    SINK(a.foo) # $ MISSING: flow
+
+
+def positionalArgSideEffect(a, b):
+    a.foo = b
+
+@expects(2)
+def test_positionalArgSideEffect():
+    a = MyClass()
+    args = (a, SOURCE)
+    positionalArgSideEffect(*args)
+    SINK(a.foo) # $ MISSING: flow
+
+    a = MyClass()
+    positionalArgSideEffect(a, SOURCE)
+    SINK(a.foo) # $ flow="SOURCE, l:-1 -> a.foo"

python/ql/test/experimental/dataflow/coverage/dataflow-consistency.expected

@@ -1,27 +0,0 @@
-uniqueEnclosingCallable
-uniqueCallEnclosingCallable
-uniqueType
-uniqueNodeLocation
-missingLocation
-uniqueNodeToString
-parameterCallable
-localFlowIsLocal
-readStepIsLocal
-storeStepIsLocal
-compatibleTypesReflexive
-unreachableNodeCCtx
-localCallNodes
-postIsNotPre
-postHasUniquePre
-uniquePostUpdate
-postIsInSameCallable
-reverseRead
-argHasPostUpdate
-postWithInFlow
-viableImplInCallContextTooLarge
-uniqueParameterNodeAtPosition
-uniqueParameterNodePosition
-uniqueContentApprox
-identityLocalStep
-missingArgumentCall
-multipleArgumentCall

python/ql/test/experimental/dataflow/coverage/dataflow-consistency.ql

@@ -1,2 +0,0 @@
-import python
-import experimental.dataflow.TestUtil.DataFlowConsistency

python/ql/test/experimental/dataflow/def-use-flow/def_use_counts.expected

@@ -0,0 +1,31 @@
+def_count
+| 4 |
+def
+| def_use_flow.py:10:5:10:5 | Essa node definition |
+| def_use_flow.py:17:11:17:11 | Essa node definition |
+| def_use_flow.py:19:9:19:9 | Essa node definition |
+| def_use_flow.py:21:7:21:7 | Essa node definition |
+implicit_use_count
+| 0 |
+implicit_use
+source_use_count
+| 3 |
+source_use
+| def_use_flow.py:28:15:28:15 | ControlFlowNode for x |
+| def_use_flow.py:30:13:30:13 | ControlFlowNode for x |
+| def_use_flow.py:32:11:32:11 | ControlFlowNode for x |
+def_use_edge_count
+| 12 |
+def_use_edge
+| def_use_flow.py:10:5:10:5 | SSA variable x | def_use_flow.py:28:15:28:15 | ControlFlowNode for x |
+| def_use_flow.py:10:5:10:5 | SSA variable x | def_use_flow.py:30:13:30:13 | ControlFlowNode for x |
+| def_use_flow.py:10:5:10:5 | SSA variable x | def_use_flow.py:32:11:32:11 | ControlFlowNode for x |
+| def_use_flow.py:17:11:17:11 | SSA variable x | def_use_flow.py:28:15:28:15 | ControlFlowNode for x |
+| def_use_flow.py:17:11:17:11 | SSA variable x | def_use_flow.py:30:13:30:13 | ControlFlowNode for x |
+| def_use_flow.py:17:11:17:11 | SSA variable x | def_use_flow.py:32:11:32:11 | ControlFlowNode for x |
+| def_use_flow.py:19:9:19:9 | SSA variable x | def_use_flow.py:28:15:28:15 | ControlFlowNode for x |
+| def_use_flow.py:19:9:19:9 | SSA variable x | def_use_flow.py:30:13:30:13 | ControlFlowNode for x |
+| def_use_flow.py:19:9:19:9 | SSA variable x | def_use_flow.py:32:11:32:11 | ControlFlowNode for x |
+| def_use_flow.py:21:7:21:7 | SSA variable x | def_use_flow.py:28:15:28:15 | ControlFlowNode for x |
+| def_use_flow.py:21:7:21:7 | SSA variable x | def_use_flow.py:30:13:30:13 | ControlFlowNode for x |
+| def_use_flow.py:21:7:21:7 | SSA variable x | def_use_flow.py:32:11:32:11 | ControlFlowNode for x |

python/ql/test/experimental/dataflow/def-use-flow/def_use_counts.ql

@@ -0,0 +1,47 @@
+import python
+private import semmle.python.dataflow.new.internal.DataFlowPrivate
+
+query int def_count() {
+  exists(SsaSourceVariable x | x.getName() = "x" |
+    result = count(EssaNodeDefinition def | def.getSourceVariable() = x)
+  )
+}
+
+query EssaNodeDefinition def() {
+  exists(SsaSourceVariable x | x.getName() = "x" | result.getSourceVariable() = x)
+}
+
+query int implicit_use_count() {
+  exists(SsaSourceVariable x | x.getName() = "x" | result = count(x.getAnImplicitUse()))
+}
+
+query ControlFlowNode implicit_use() {
+  exists(SsaSourceVariable x | x.getName() = "x" | result = x.getAnImplicitUse())
+}
+
+query int source_use_count() {
+  exists(SsaSourceVariable x | x.getName() = "x" | result = count(x.getASourceUse()))
+}
+
+query ControlFlowNode source_use() {
+  exists(SsaSourceVariable x | x.getName() = "x" | result = x.getASourceUse())
+}
+
+query int def_use_edge_count() {
+  exists(SsaSourceVariable x | x.getName() = "x" |
+    result =
+      count(EssaVariable v, NameNode use |
+        v.getSourceVariable() = x and
+        use = x.getAUse() and
+        LocalFlow::defToFirstUse(v, use)
+      )
+  )
+}
+
+query predicate def_use_edge(EssaVariable v, NameNode use) {
+  exists(SsaSourceVariable x | x.getName() = "x" |
+    v.getSourceVariable() = x and
+    use = x.getAUse() and
+    LocalFlow::defToFirstUse(v, use)
+  )
+}

python/ql/test/experimental/dataflow/def-use-flow/def_use_flow.py

@@ -0,0 +1,36 @@
+# This test file is inspired by
+# `csharp/ql/test/library-tests/dataflow/local/UseUseExplosion.cs`
+# but with `n=3` kept small, since we do have the explosion.
+
+cond = ...
+
+# global variables are slightly special,
+# so we go into a function scope
+def scope():
+    x = 0
+
+    if(cond > 3):
+      if(cond > 2):
+        if(cond > 1):
+           pass
+        else:
+          x = 1
+      else:
+        x = 2
+    else:
+      x = 3
+
+    if(cond > 3):
+      if(cond > 2):
+        if(cond > 1):
+           pass
+        else:
+          use(x)
+      else:
+        use(x)
+    else:
+      use(x)
+
+    def use(v):
+        # this could just be `pass` but we do not want it optimized away.
+        y = v+2

python/ql/test/experimental/dataflow/exceptions/dataflow-consistency.expected

@@ -1,27 +0,0 @@
-uniqueEnclosingCallable
-uniqueCallEnclosingCallable
-uniqueType
-uniqueNodeLocation
-missingLocation
-uniqueNodeToString
-parameterCallable
-localFlowIsLocal
-readStepIsLocal
-storeStepIsLocal
-compatibleTypesReflexive
-unreachableNodeCCtx
-localCallNodes
-postIsNotPre
-postHasUniquePre
-uniquePostUpdate
-postIsInSameCallable
-reverseRead
-argHasPostUpdate
-postWithInFlow
-viableImplInCallContextTooLarge
-uniqueParameterNodeAtPosition
-uniqueParameterNodePosition
-uniqueContentApprox
-identityLocalStep
-missingArgumentCall
-multipleArgumentCall

python/ql/test/experimental/dataflow/exceptions/dataflow-consistency.ql

@@ -1,2 +0,0 @@
-import python
-import experimental.dataflow.TestUtil.DataFlowConsistency

python/ql/test/experimental/dataflow/fieldflow/dataflow-consistency.expected

@@ -1,27 +0,0 @@
-uniqueEnclosingCallable
-uniqueCallEnclosingCallable
-uniqueType
-uniqueNodeLocation
-missingLocation
-uniqueNodeToString
-parameterCallable
-localFlowIsLocal
-readStepIsLocal
-storeStepIsLocal
-compatibleTypesReflexive
-unreachableNodeCCtx
-localCallNodes
-postIsNotPre
-postHasUniquePre
-uniquePostUpdate
-postIsInSameCallable
-reverseRead
-argHasPostUpdate
-postWithInFlow
-viableImplInCallContextTooLarge
-uniqueParameterNodeAtPosition
-uniqueParameterNodePosition
-uniqueContentApprox
-identityLocalStep
-missingArgumentCall
-multipleArgumentCall

python/ql/test/experimental/dataflow/fieldflow/dataflow-consistency.ql

@@ -1,2 +0,0 @@
-import python
-import experimental.dataflow.TestUtil.DataFlowConsistency

python/ql/test/experimental/dataflow/global-flow/dataflow-consistency.expected

@@ -1,27 +0,0 @@
-uniqueEnclosingCallable
-uniqueCallEnclosingCallable
-uniqueType
-uniqueNodeLocation
-missingLocation
-uniqueNodeToString
-parameterCallable
-localFlowIsLocal
-readStepIsLocal
-storeStepIsLocal
-compatibleTypesReflexive
-unreachableNodeCCtx
-localCallNodes
-postIsNotPre
-postHasUniquePre
-uniquePostUpdate
-postIsInSameCallable
-reverseRead
-argHasPostUpdate
-postWithInFlow
-viableImplInCallContextTooLarge
-uniqueParameterNodeAtPosition
-uniqueParameterNodePosition
-uniqueContentApprox
-identityLocalStep
-missingArgumentCall
-multipleArgumentCall

python/ql/test/experimental/dataflow/global-flow/dataflow-consistency.ql

@@ -1,2 +0,0 @@
-import python
-import experimental.dataflow.TestUtil.DataFlowConsistency

python/ql/test/experimental/dataflow/match/dataflow-consistency.expected

@@ -1,27 +0,0 @@
-uniqueEnclosingCallable
-uniqueCallEnclosingCallable
-uniqueType
-uniqueNodeLocation
-missingLocation
-uniqueNodeToString
-parameterCallable
-localFlowIsLocal
-readStepIsLocal
-storeStepIsLocal
-compatibleTypesReflexive
-unreachableNodeCCtx
-localCallNodes
-postIsNotPre
-postHasUniquePre
-uniquePostUpdate
-postIsInSameCallable
-reverseRead
-argHasPostUpdate
-postWithInFlow
-viableImplInCallContextTooLarge
-uniqueParameterNodeAtPosition
-uniqueParameterNodePosition
-uniqueContentApprox
-identityLocalStep
-missingArgumentCall
-multipleArgumentCall

python/ql/test/experimental/dataflow/match/dataflow-consistency.ql

@@ -1,2 +0,0 @@
-import python
-import experimental.dataflow.TestUtil.DataFlowConsistency

python/ql/test/experimental/dataflow/pep_328/dataflow-consistency.expected

@@ -1,27 +0,0 @@
-uniqueEnclosingCallable
-uniqueCallEnclosingCallable
-uniqueType
-uniqueNodeLocation
-missingLocation
-uniqueNodeToString
-parameterCallable
-localFlowIsLocal
-readStepIsLocal
-storeStepIsLocal
-compatibleTypesReflexive
-unreachableNodeCCtx
-localCallNodes
-postIsNotPre
-postHasUniquePre
-uniquePostUpdate
-postIsInSameCallable
-reverseRead
-argHasPostUpdate
-postWithInFlow
-viableImplInCallContextTooLarge
-uniqueParameterNodeAtPosition
-uniqueParameterNodePosition
-uniqueContentApprox
-identityLocalStep
-missingArgumentCall
-multipleArgumentCall

python/ql/test/experimental/dataflow/pep_328/dataflow-consistency.ql

@@ -1,2 +0,0 @@
-import python
-import experimental.dataflow.TestUtil.DataFlowConsistency

python/ql/test/experimental/dataflow/regression/dataflow-consistency.expected

@@ -1,27 +0,0 @@
-uniqueEnclosingCallable
-uniqueCallEnclosingCallable
-uniqueType
-uniqueNodeLocation
-missingLocation
-uniqueNodeToString
-parameterCallable
-localFlowIsLocal
-readStepIsLocal
-storeStepIsLocal
-compatibleTypesReflexive
-unreachableNodeCCtx
-localCallNodes
-postIsNotPre
-postHasUniquePre
-uniquePostUpdate
-postIsInSameCallable
-reverseRead
-argHasPostUpdate
-postWithInFlow
-viableImplInCallContextTooLarge
-uniqueParameterNodeAtPosition
-uniqueParameterNodePosition
-uniqueContentApprox
-identityLocalStep
-missingArgumentCall
-multipleArgumentCall

python/ql/test/experimental/dataflow/regression/dataflow-consistency.ql

@@ -1,2 +0,0 @@
-import python
-import experimental.dataflow.TestUtil.DataFlowConsistency

python/ql/test/experimental/dataflow/strange-essaflow/dataflow-consistency.expected

@@ -1,27 +0,0 @@
-uniqueEnclosingCallable
-uniqueCallEnclosingCallable
-uniqueType
-uniqueNodeLocation
-missingLocation
-uniqueNodeToString
-parameterCallable
-localFlowIsLocal
-readStepIsLocal
-storeStepIsLocal
-compatibleTypesReflexive
-unreachableNodeCCtx
-localCallNodes
-postIsNotPre
-postHasUniquePre
-uniquePostUpdate
-postIsInSameCallable
-reverseRead
-argHasPostUpdate
-postWithInFlow
-viableImplInCallContextTooLarge
-uniqueParameterNodeAtPosition
-uniqueParameterNodePosition
-uniqueContentApprox
-identityLocalStep
-missingArgumentCall
-multipleArgumentCall

python/ql/test/experimental/dataflow/strange-essaflow/dataflow-consistency.ql

@@ -1,2 +0,0 @@
-import python
-import experimental.dataflow.TestUtil.DataFlowConsistency

python/ql/test/experimental/dataflow/summaries-checks/dummy.py

@@ -0,0 +1 @@
+# an empty file, since we want the test to run on an empty db

python/ql/test/experimental/dataflow/summaries-checks/invalid-spec.ql

@@ -0,0 +1,8 @@
+import python
+import semmle.python.dataflow.new.FlowSummary
+import semmle.python.dataflow.new.internal.FlowSummaryImpl
+
+query predicate invalidSpecComponent(SummarizedCallable sc, string s, string c) {
+  (sc.propagatesFlowExt(s, _, _) or sc.propagatesFlowExt(_, s, _)) and
+  Private::External::invalidSpecComponent(s, c)
+}

python/ql/test/experimental/dataflow/summaries-checks/missing-attribute-content.ql

@@ -0,0 +1,11 @@
+import python
+import semmle.python.dataflow.new.FlowSummary
+import semmle.python.dataflow.new.internal.FlowSummaryImpl
+
+from SummarizedCallable sc, string s, string c, string attr
+where
+  (sc.propagatesFlowExt(s, _, _) or sc.propagatesFlowExt(_, s, _)) and
+  Private::External::invalidSpecComponent(s, c) and
+  c = "Attribute[" + attr + "]"
+select "The attribute \"" + attr +
+    "\" is not a valid TAttributeContent, please add it to the hardcoded list of TAttributeContent in the dataflow library."

python/ql/test/experimental/dataflow/tainttracking/basic/dataflow-consistency.expected

@@ -1,27 +0,0 @@
-uniqueEnclosingCallable
-uniqueCallEnclosingCallable
-uniqueType
-uniqueNodeLocation
-missingLocation
-uniqueNodeToString
-parameterCallable
-localFlowIsLocal
-readStepIsLocal
-storeStepIsLocal
-compatibleTypesReflexive
-unreachableNodeCCtx
-localCallNodes
-postIsNotPre
-postHasUniquePre
-uniquePostUpdate
-postIsInSameCallable
-reverseRead
-argHasPostUpdate
-postWithInFlow
-viableImplInCallContextTooLarge
-uniqueParameterNodeAtPosition
-uniqueParameterNodePosition
-uniqueContentApprox
-identityLocalStep
-missingArgumentCall
-multipleArgumentCall

python/ql/test/experimental/dataflow/tainttracking/basic/dataflow-consistency.ql

@@ -1,2 +0,0 @@
-import python
-import experimental.dataflow.TestUtil.DataFlowConsistency

python/ql/test/experimental/dataflow/tainttracking/commonSanitizer/dataflow-consistency.expected

@@ -1,27 +0,0 @@
-uniqueEnclosingCallable
-uniqueCallEnclosingCallable
-uniqueType
-uniqueNodeLocation
-missingLocation
-uniqueNodeToString
-parameterCallable
-localFlowIsLocal
-readStepIsLocal
-storeStepIsLocal
-compatibleTypesReflexive
-unreachableNodeCCtx
-localCallNodes
-postIsNotPre
-postHasUniquePre
-uniquePostUpdate
-postIsInSameCallable
-reverseRead
-argHasPostUpdate
-postWithInFlow
-viableImplInCallContextTooLarge
-uniqueParameterNodeAtPosition
-uniqueParameterNodePosition
-uniqueContentApprox
-identityLocalStep
-missingArgumentCall
-multipleArgumentCall

python/ql/test/experimental/dataflow/tainttracking/commonSanitizer/dataflow-consistency.ql

@@ -1,2 +0,0 @@
-import python
-import experimental.dataflow.TestUtil.DataFlowConsistency

python/ql/test/experimental/dataflow/tainttracking/customSanitizer/dataflow-consistency.expected

@@ -1,27 +0,0 @@
-uniqueEnclosingCallable
-uniqueCallEnclosingCallable
-uniqueType
-uniqueNodeLocation
-missingLocation
-uniqueNodeToString
-parameterCallable
-localFlowIsLocal
-readStepIsLocal
-storeStepIsLocal
-compatibleTypesReflexive
-unreachableNodeCCtx
-localCallNodes
-postIsNotPre
-postHasUniquePre
-uniquePostUpdate
-postIsInSameCallable
-reverseRead
-argHasPostUpdate
-postWithInFlow
-viableImplInCallContextTooLarge
-uniqueParameterNodeAtPosition
-uniqueParameterNodePosition
-uniqueContentApprox
-identityLocalStep
-missingArgumentCall
-multipleArgumentCall

python/ql/test/experimental/dataflow/tainttracking/customSanitizer/dataflow-consistency.ql

@@ -1,2 +0,0 @@
-import python
-import experimental.dataflow.TestUtil.DataFlowConsistency

python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep-py3/dataflow-consistency.expected

@@ -1,27 +0,0 @@
-uniqueEnclosingCallable
-uniqueCallEnclosingCallable
-uniqueType
-uniqueNodeLocation
-missingLocation
-uniqueNodeToString
-parameterCallable
-localFlowIsLocal
-readStepIsLocal
-storeStepIsLocal
-compatibleTypesReflexive
-unreachableNodeCCtx
-localCallNodes
-postIsNotPre
-postHasUniquePre
-uniquePostUpdate
-postIsInSameCallable
-reverseRead
-argHasPostUpdate
-postWithInFlow
-viableImplInCallContextTooLarge
-uniqueParameterNodeAtPosition
-uniqueParameterNodePosition
-uniqueContentApprox
-identityLocalStep
-missingArgumentCall
-multipleArgumentCall

python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep-py3/dataflow-consistency.ql

@@ -1,2 +0,0 @@
-import python
-import experimental.dataflow.TestUtil.DataFlowConsistency

python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/dataflow-consistency.expected

@@ -1,27 +0,0 @@
-uniqueEnclosingCallable
-uniqueCallEnclosingCallable
-uniqueType
-uniqueNodeLocation
-missingLocation
-uniqueNodeToString
-parameterCallable
-localFlowIsLocal
-readStepIsLocal
-storeStepIsLocal
-compatibleTypesReflexive
-unreachableNodeCCtx
-localCallNodes
-postIsNotPre
-postHasUniquePre
-uniquePostUpdate
-postIsInSameCallable
-reverseRead
-argHasPostUpdate
-postWithInFlow
-viableImplInCallContextTooLarge
-uniqueParameterNodeAtPosition
-uniqueParameterNodePosition
-uniqueContentApprox
-identityLocalStep
-missingArgumentCall
-multipleArgumentCall

python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/dataflow-consistency.ql

@@ -1,2 +0,0 @@
-import python
-import experimental.dataflow.TestUtil.DataFlowConsistency

python/ql/test/experimental/dataflow/tainttracking/generator-flow/dataflow-consistency.expected

@@ -1,27 +0,0 @@
-uniqueEnclosingCallable
-uniqueCallEnclosingCallable
-uniqueType
-uniqueNodeLocation
-missingLocation
-uniqueNodeToString
-parameterCallable
-localFlowIsLocal
-readStepIsLocal
-storeStepIsLocal
-compatibleTypesReflexive
-unreachableNodeCCtx
-localCallNodes
-postIsNotPre
-postHasUniquePre
-uniquePostUpdate
-postIsInSameCallable
-reverseRead
-argHasPostUpdate
-postWithInFlow
-viableImplInCallContextTooLarge
-uniqueParameterNodeAtPosition
-uniqueParameterNodePosition
-uniqueContentApprox
-identityLocalStep
-missingArgumentCall
-multipleArgumentCall

python/ql/test/experimental/dataflow/tainttracking/generator-flow/dataflow-consistency.ql

@@ -1,2 +0,0 @@
-import python
-import experimental.dataflow.TestUtil.DataFlowConsistency

python/ql/test/experimental/dataflow/tainttracking/unwanted-global-flow/dataflow-consistency.expected

@@ -1,27 +0,0 @@
-uniqueEnclosingCallable
-uniqueCallEnclosingCallable
-uniqueType
-uniqueNodeLocation
-missingLocation
-uniqueNodeToString
-parameterCallable
-localFlowIsLocal
-readStepIsLocal
-storeStepIsLocal
-compatibleTypesReflexive
-unreachableNodeCCtx
-localCallNodes
-postIsNotPre
-postHasUniquePre
-uniquePostUpdate
-postIsInSameCallable
-reverseRead
-argHasPostUpdate
-postWithInFlow
-viableImplInCallContextTooLarge
-uniqueParameterNodeAtPosition
-uniqueParameterNodePosition
-uniqueContentApprox
-identityLocalStep
-missingArgumentCall
-multipleArgumentCall

python/ql/test/experimental/dataflow/tainttracking/unwanted-global-flow/dataflow-consistency.ql

@@ -1,2 +0,0 @@
-import python
-import experimental.dataflow.TestUtil.DataFlowConsistency

python/ql/test/experimental/dataflow/typetracking/dataflow-consistency.expected

@@ -1,27 +0,0 @@
-uniqueEnclosingCallable
-uniqueCallEnclosingCallable
-uniqueType
-uniqueNodeLocation
-missingLocation
-uniqueNodeToString
-parameterCallable
-localFlowIsLocal
-readStepIsLocal
-storeStepIsLocal
-compatibleTypesReflexive
-unreachableNodeCCtx
-localCallNodes
-postIsNotPre
-postHasUniquePre
-uniquePostUpdate
-postIsInSameCallable
-reverseRead
-argHasPostUpdate
-postWithInFlow
-viableImplInCallContextTooLarge
-uniqueParameterNodeAtPosition
-uniqueParameterNodePosition
-uniqueContentApprox
-identityLocalStep
-missingArgumentCall
-multipleArgumentCall

python/ql/test/experimental/dataflow/typetracking/dataflow-consistency.ql

@@ -1,2 +0,0 @@
-import python
-import experimental.dataflow.TestUtil.DataFlowConsistency

python/ql/test/experimental/dataflow/use-use-flow/read_explosion.py

@@ -0,0 +1,36 @@
+# This test file is inspired by
+# `csharp/ql/test/library-tests/dataflow/local/UseUseExplosion.cs`
+# but with `n=3` kept small, since we do have the explosion.
+
+cond = ...
+
+# global variables are slightly special,
+# so we go into a function scope
+def scope():
+    x = 0
+
+    if(cond > 3):
+      if(cond > 2):
+        if(cond > 1):
+           pass
+        else:
+          use(x)
+      else:
+        use(x)
+    else:
+      use(x)
+
+    if(cond > 3):
+      if(cond > 2):
+        if(cond > 1):
+           pass
+        else:
+          use(x)
+      else:
+        use(x)
+    else:
+      use(x)
+
+    def use(v):
+        # this could just be `pass` but we do not want it optimized away.
+        y = v+2

python/ql/test/experimental/dataflow/use-use-flow/use-use-counts.expected

@@ -0,0 +1,24 @@
+implicit_use_count
+| 0 |
+implicit_use
+source_use_count
+| 6 |
+source_use
+| read_explosion.py:17:15:17:15 | ControlFlowNode for x |
+| read_explosion.py:19:13:19:13 | ControlFlowNode for x |
+| read_explosion.py:21:11:21:11 | ControlFlowNode for x |
+| read_explosion.py:28:15:28:15 | ControlFlowNode for x |
+| read_explosion.py:30:13:30:13 | ControlFlowNode for x |
+| read_explosion.py:32:11:32:11 | ControlFlowNode for x |
+use_use_edge_count
+| 9 |
+use_use_edge
+| read_explosion.py:17:15:17:15 | ControlFlowNode for x | read_explosion.py:28:15:28:15 | ControlFlowNode for x |
+| read_explosion.py:17:15:17:15 | ControlFlowNode for x | read_explosion.py:30:13:30:13 | ControlFlowNode for x |
+| read_explosion.py:17:15:17:15 | ControlFlowNode for x | read_explosion.py:32:11:32:11 | ControlFlowNode for x |
+| read_explosion.py:19:13:19:13 | ControlFlowNode for x | read_explosion.py:28:15:28:15 | ControlFlowNode for x |
+| read_explosion.py:19:13:19:13 | ControlFlowNode for x | read_explosion.py:30:13:30:13 | ControlFlowNode for x |
+| read_explosion.py:19:13:19:13 | ControlFlowNode for x | read_explosion.py:32:11:32:11 | ControlFlowNode for x |
+| read_explosion.py:21:11:21:11 | ControlFlowNode for x | read_explosion.py:28:15:28:15 | ControlFlowNode for x |
+| read_explosion.py:21:11:21:11 | ControlFlowNode for x | read_explosion.py:30:13:30:13 | ControlFlowNode for x |
+| read_explosion.py:21:11:21:11 | ControlFlowNode for x | read_explosion.py:32:11:32:11 | ControlFlowNode for x |

python/ql/test/experimental/dataflow/use-use-flow/use-use-counts.ql

@@ -0,0 +1,37 @@
+import python
+private import semmle.python.dataflow.new.internal.DataFlowPrivate
+
+query int implicit_use_count() {
+  exists(SsaSourceVariable x | x.getName() = "x" | result = count(x.getAnImplicitUse()))
+}
+
+query ControlFlowNode implicit_use() {
+  exists(SsaSourceVariable x | x.getName() = "x" | result = x.getAnImplicitUse())
+}
+
+query int source_use_count() {
+  exists(SsaSourceVariable x | x.getName() = "x" | result = count(x.getASourceUse()))
+}
+
+query ControlFlowNode source_use() {
+  exists(SsaSourceVariable x | x.getName() = "x" | result = x.getASourceUse())
+}
+
+query int use_use_edge_count() {
+  exists(SsaSourceVariable x | x.getName() = "x" |
+    result =
+      count(NameNode use1, NameNode use2 |
+        use1 = x.getAUse() and
+        use2 = x.getAUse() and
+        LocalFlow::useToNextUse(use1, use2)
+      )
+  )
+}
+
+query predicate use_use_edge(NameNode use1, NameNode use2) {
+  exists(SsaSourceVariable x | x.getName() = "x" |
+    use1 = x.getAUse() and
+    use2 = x.getAUse() and
+    LocalFlow::useToNextUse(use1, use2)
+  )
+}

python/ql/test/experimental/dataflow/variable-capture/dataflow-consistency.expected

@@ -1,27 +0,0 @@
-uniqueEnclosingCallable
-uniqueCallEnclosingCallable
-uniqueType
-uniqueNodeLocation
-missingLocation
-uniqueNodeToString
-parameterCallable
-localFlowIsLocal
-readStepIsLocal
-storeStepIsLocal
-compatibleTypesReflexive
-unreachableNodeCCtx
-localCallNodes
-postIsNotPre
-postHasUniquePre
-uniquePostUpdate
-postIsInSameCallable
-reverseRead
-argHasPostUpdate
-postWithInFlow
-viableImplInCallContextTooLarge
-uniqueParameterNodeAtPosition
-uniqueParameterNodePosition
-uniqueContentApprox
-identityLocalStep
-missingArgumentCall
-multipleArgumentCall

python/ql/test/experimental/dataflow/variable-capture/dataflow-consistency.ql

@@ -1,2 +0,0 @@
-import python
-import experimental.dataflow.TestUtil.DataFlowConsistency

python/ql/test/experimental/library-tests/CallGraph/dataflow-consistency.expected

@@ -1,27 +0,0 @@
-uniqueEnclosingCallable
-uniqueCallEnclosingCallable
-uniqueType
-uniqueNodeLocation
-missingLocation
-uniqueNodeToString
-parameterCallable
-localFlowIsLocal
-readStepIsLocal
-storeStepIsLocal
-compatibleTypesReflexive
-unreachableNodeCCtx
-localCallNodes
-postIsNotPre
-postHasUniquePre
-uniquePostUpdate
-postIsInSameCallable
-reverseRead
-argHasPostUpdate
-postWithInFlow
-viableImplInCallContextTooLarge
-uniqueParameterNodeAtPosition
-uniqueParameterNodePosition
-uniqueContentApprox
-identityLocalStep
-missingArgumentCall
-multipleArgumentCall

python/ql/test/experimental/library-tests/CallGraph/dataflow-consistency.ql

@@ -1,2 +0,0 @@
-import python
-import experimental.dataflow.TestUtil.DataFlowConsistency

python/ql/test/library-tests/ApiGraphs/py3/dataflow-consistency.expected

@@ -1,27 +0,0 @@
-uniqueEnclosingCallable
-uniqueCallEnclosingCallable
-uniqueType
-uniqueNodeLocation
-missingLocation
-uniqueNodeToString
-parameterCallable
-localFlowIsLocal
-readStepIsLocal
-storeStepIsLocal
-compatibleTypesReflexive
-unreachableNodeCCtx
-localCallNodes
-postIsNotPre
-postHasUniquePre
-uniquePostUpdate
-postIsInSameCallable
-reverseRead
-argHasPostUpdate
-postWithInFlow
-viableImplInCallContextTooLarge
-uniqueParameterNodeAtPosition
-uniqueParameterNodePosition
-uniqueContentApprox
-identityLocalStep
-missingArgumentCall
-multipleArgumentCall

python/ql/test/library-tests/ApiGraphs/py3/dataflow-consistency.ql

@@ -1,2 +0,0 @@
-import python
-import experimental.dataflow.TestUtil.DataFlowConsistency

python/ql/test/library-tests/frameworks/django-orm/CONSISTENCY/DataFlowConsistency.expected

@@ -1,12 +1,3 @@
-uniqueEnclosingCallable
-uniqueCallEnclosingCallable
-uniqueType
-uniqueNodeLocation
-missingLocation
-uniqueNodeToString
-parameterCallable
-localFlowIsLocal
-readStepIsLocal
 storeStepIsLocal
 | testapp/orm_form_test.py:6:1:6:28 | [orm-model] Class MyModel | testapp/tests.py:83:16:83:36 | ControlFlowNode for Attribute() | Store step does not preserve enclosing callable. |
 | testapp/orm_form_test.py:6:1:6:28 | [orm-model] Class MyModel | testapp/tests.py:84:16:84:43 | ControlFlowNode for Attribute() | Store step does not preserve enclosing callable. |
@@ -56,20 +47,3 @@ storeStepIsLocal
 | testapp/orm_tests.py:294:1:294:29 | [orm-model] Class TestLoad | testapp/orm_tests.py:356:12:356:33 | ControlFlowNode for Attribute() | Store step does not preserve enclosing callable. |
 | testapp/orm_tests.py:294:1:294:29 | [orm-model] Class TestLoad | testapp/orm_tests.py:363:9:363:37 | ControlFlowNode for Attribute() | Store step does not preserve enclosing callable. |
 | testapp/tests.py:81:33:81:37 | ControlFlowNode for Str | testapp/orm_form_test.py:6:1:6:28 | [orm-model] Class MyModel | Store step does not preserve enclosing callable. |
-compatibleTypesReflexive
-unreachableNodeCCtx
-localCallNodes
-postIsNotPre
-postHasUniquePre
-uniquePostUpdate
-postIsInSameCallable
-reverseRead
-argHasPostUpdate
-postWithInFlow
-viableImplInCallContextTooLarge
-uniqueParameterNodeAtPosition
-uniqueParameterNodePosition
-uniqueContentApprox
-identityLocalStep
-missingArgumentCall
-multipleArgumentCall

python/ql/test/library-tests/frameworks/django-orm/dataflow-consistency.ql

@@ -1,2 +0,0 @@
-import python
-import experimental.dataflow.TestUtil.DataFlowConsistency

python/ql/test/library-tests/frameworks/django-v2-v3/routing_test.py

@@ -150,3 +150,40 @@ class UnknownViewSubclass(UnknownViewSuperclass):
 urlpatterns = [
     path("UnknownViewSubclass/", UnknownViewSubclass.as_view()),  # $ routeSetup="UnknownViewSubclass/"
 ]
+
+################################################################################
+# Routing to *args and **kwargs
+################################################################################
+
+def kwargs_param(request, **kwargs): # $ requestHandler routedParameter=kwargs
+    ensure_tainted(
+        kwargs, # $ tainted
+        kwargs["foo"], # $ tainted
+        kwargs["bar"]  # $ tainted
+    )
+
+    ensure_tainted(request) # $ tainted
+
+
+def star_args_param(request, *args): # $ requestHandler routedParameter=args
+    ensure_tainted(
+        args, # $ tainted
+        args[0], # $ tainted
+        args[1], # $ tainted
+    )
+    ensure_tainted(request) # $ tainted
+
+
+def star_args_param_check(request, foo, bar): # $ requestHandler routedParameter=foo routedParameter=bar
+    ensure_tainted(
+        foo, # $ tainted
+        bar, # $ tainted
+    )
+    ensure_tainted(request) # $ tainted
+
+
+urlpatterns = [
+    path("test-kwargs_param/<foo>/<bar>", kwargs_param),  # $ routeSetup="test-kwargs_param/<foo>/<bar>"
+    re_path("test-star_args_param/([^/]+)/(.+)", star_args_param),  # $ routeSetup="test-star_args_param/([^/]+)/(.+)"
+    re_path("test-star_args_param_check/([^/]+)/(.+)", star_args_param_check),  # $ routeSetup="test-star_args_param_check/([^/]+)/(.+)"
+]

python/ql/test/library-tests/frameworks/django/CONSISTENCY/DataFlowConsistency.expected

@@ -0,0 +1,13 @@
+storeStepIsLocal
+| SqlExecution.py:16:1:16:25 | [orm-model] Class User | SqlExecution.py:21:5:21:32 | ControlFlowNode for Attribute() | Store step does not preserve enclosing callable. |
+| SqlExecution.py:16:1:16:25 | [orm-model] Class User | SqlExecution.py:23:5:23:45 | ControlFlowNode for Attribute() | Store step does not preserve enclosing callable. |
+| SqlExecution.py:16:1:16:25 | [orm-model] Class User | SqlExecution.py:24:5:24:55 | ControlFlowNode for Attribute() | Store step does not preserve enclosing callable. |
+| SqlExecution.py:16:1:16:25 | [orm-model] Class User | SqlExecution.py:25:5:25:49 | ControlFlowNode for Attribute() | Store step does not preserve enclosing callable. |
+| SqlExecution.py:16:1:16:25 | [orm-model] Class User | SqlExecution.py:27:5:27:52 | ControlFlowNode for Attribute() | Store step does not preserve enclosing callable. |
+| SqlExecution.py:16:1:16:25 | [orm-model] Class User | SqlExecution.py:28:5:28:46 | ControlFlowNode for Attribute() | Store step does not preserve enclosing callable. |
+| SqlExecution.py:16:1:16:25 | [orm-model] Class User | SqlExecution.py:30:5:30:34 | ControlFlowNode for Attribute() | Store step does not preserve enclosing callable. |
+| SqlExecution.py:16:1:16:25 | [orm-model] Class User | SqlExecution.py:31:5:31:92 | ControlFlowNode for Attribute() | Store step does not preserve enclosing callable. |
+| SqlExecution.py:16:1:16:25 | [orm-model] Class User | SqlExecution.py:34:5:34:34 | ControlFlowNode for Attribute() | Store step does not preserve enclosing callable. |
+| SqlExecution.py:16:1:16:25 | [orm-model] Class User | SqlExecution.py:37:5:37:33 | ControlFlowNode for Attribute() | Store step does not preserve enclosing callable. |
+| SqlExecution.py:16:1:16:25 | [orm-model] Class User | SqlExecution.py:37:5:37:59 | ControlFlowNode for Attribute() | Store step does not preserve enclosing callable. |
+| SqlExecution.py:16:1:16:25 | [orm-model] Class User | SqlExecution.py:37:5:37:77 | ControlFlowNode for Attribute() | Store step does not preserve enclosing callable. |

python/ql/test/library-tests/frameworks/rest_framework/CONSISTENCY/DataFlowConsistency.expected

@@ -0,0 +1,4 @@
+storeStepIsLocal
+| testapp/models.py:6:1:6:24 | [orm-model] Class Foo | testapp/views.py:14:16:14:32 | ControlFlowNode for Attribute() | Store step does not preserve enclosing callable. |
+| testapp/models.py:11:1:11:24 | [orm-model] Class Bar | testapp/views.py:19:16:19:32 | ControlFlowNode for Attribute() | Store step does not preserve enclosing callable. |
+| testapp/models.py:11:1:11:24 | [orm-model] Class Bar | testapp/views.py:23:16:23:32 | ControlFlowNode for Attribute() | Store step does not preserve enclosing callable. |

python/ql/test/library-tests/frameworks/rest_framework/taint_test.py

@@ -1,5 +1,6 @@
 from rest_framework.decorators import api_view, parser_classes
 from rest_framework.views import APIView
+from rest_framework.viewsets import ModelViewSet
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.parsers import JSONParser
@@ -89,7 +90,7 @@ def test_taint(request: Request, routed_param): # $ requestHandler routedParamet
 
 
 class MyClass(APIView):
-    def initial(self, request, *args, **kwargs): # $ requestHandler
+    def initial(self, request, *args, **kwargs): # $ requestHandler routedParameter=kwargs
         # this method will be called before processing any request
         ensure_tainted(request) # $ tainted
 
@@ -107,12 +108,31 @@ class MyClass(APIView):
 
         return Response("ok") # $ HttpResponse
 
+# Viewsets
+# see https://www.django-rest-framework.org/api-guide/viewsets/
+
+class MyModelViewSet(ModelViewSet):
+    def retrieve(self, request, routed_param): # $ requestHandler routedParameter=routed_param
+        ensure_tainted(
+            request, # $ tainted
+            request.GET, # $ tainted
+            request.GET.get("pk"), # $ tainted
+            request.data # $ tainted
+        )
+
+        ensure_tainted(routed_param) # $ tainted
+
+        # same as for standard Django view
+        ensure_tainted(self.args, self.kwargs) # $ tainted
+
+        return Response("retrieve") # $ HttpResponse
 
 
 # fake setup, you can't actually run this
 urlpatterns = [
     path("test-taint/<routed_param>", test_taint),  # $ routeSetup="test-taint/<routed_param>"
     path("ClassView/<routed_param>", MyClass.as_view()), # $ routeSetup="ClassView/<routed_param>"
+    path("MyModelViewSet/<routed_param>", MyModelViewSet.as_view()) # $ routeSetup="MyModelViewSet/<routed_param>"
 ]
 
 # tests with no route-setup, but we can still tell that these are using Django REST

python/ql/test/library-tests/frameworks/stdlib/test_re.py

@@ -0,0 +1,82 @@
+import re
+
+ts = TAINTED_STRING
+
+pat = ... # some pattern
+compiled_pat = re.compile(pat)
+
+# see https://docs.python.org/3/library/re.html#functions
+ensure_not_tainted(
+    # returns Match object, which is tested properly below. (note: with the flow summary
+    # modeling, objects containing tainted values are not themselves tainted).
+    re.search(pat, ts),
+    re.match(pat, ts),
+    re.fullmatch(pat, ts),
+
+    compiled_pat.search(ts),
+    compiled_pat.match(ts),
+    compiled_pat.fullmatch(ts),
+)
+
+# Match object
+tainted_match = re.match(pat, ts)
+safe_match = re.match(pat, "safe")
+ensure_tainted(
+    tainted_match.expand("Hello \1"), # $ tainted
+    safe_match.expand(ts), # $ tainted
+    tainted_match.group(), # $ tainted
+    tainted_match.group(1, 2), # $ tainted
+    tainted_match.group(1, 2)[0], # $ tainted
+    tainted_match[0], # $ tainted
+    tainted_match["key"], # $ tainted
+
+    tainted_match.groups()[0], # $ tainted
+    tainted_match.groupdict()["key"], # $ tainted
+
+    re.match(pat, ts).string, # $ tainted
+    re.match(ts, "safe").re.pattern, # $ tainted
+
+    compiled_pat.match(ts).string, # $ tainted
+    re.compile(ts).match("safe").re.pattern, # $ tainted
+)
+ensure_not_tainted(
+    safe_match.expand("Hello \1"),
+    safe_match.group(),
+
+    re.match(pat, "safe").re,
+    re.match(pat, "safe").string,
+)
+
+ensure_tainted(
+    # other functions not returning Match objects
+    re.split(pat, ts), # $ tainted
+    re.split(pat, ts)[0], # $ tainted
+
+    re.findall(pat, ts), # $ tainted
+    re.findall(pat, ts)[0], # $ tainted
+
+    re.finditer(pat, ts), # $ tainted
+    [x for x in re.finditer(pat, ts)], # $ tainted
+
+    re.sub(pat, repl="safe", string=ts), # $ tainted
+    re.sub(pat, repl=lambda m: ..., string=ts), # $ tainted
+    re.sub(pat, repl=ts, string="safe"), # $ tainted
+    re.sub(pat, repl=lambda m: ts, string="safe"), # $ tainted
+
+    # same for compiled patterns
+    compiled_pat.split(ts), # $ tainted
+    compiled_pat.split(ts)[0], # $ tainted
+    # ...
+
+    # user-controlled compiled pattern
+    re.compile(ts), # $ tainted
+    re.compile(ts).pattern, # $ tainted
+)
+
+ensure_not_tainted(
+    re.subn(pat, repl="safe", string=ts),
+    re.subn(pat, repl="safe", string=ts)[1], # // the number of substitutions made
+)
+ensure_tainted(
+    re.subn(pat, repl="safe", string=ts)[0], # $ tainted // the string
+)

python/ql/test/query-tests/Security/CWE-022-TarSlip/TarSlip.expected

@@ -12,6 +12,15 @@ edges
 | tarslip.py:58:1:58:3 | ControlFlowNode for tar | tarslip.py:59:5:59:9 | ControlFlowNode for entry |
 | tarslip.py:58:7:58:39 | ControlFlowNode for Attribute() | tarslip.py:58:1:58:3 | ControlFlowNode for tar |
 | tarslip.py:59:5:59:9 | ControlFlowNode for entry | tarslip.py:61:21:61:25 | ControlFlowNode for entry |
+| tarslip.py:90:1:90:3 | ControlFlowNode for tar | tarslip.py:91:1:91:3 | ControlFlowNode for tar |
+| tarslip.py:90:7:90:39 | ControlFlowNode for Attribute() | tarslip.py:90:1:90:3 | ControlFlowNode for tar |
+| tarslip.py:94:1:94:3 | ControlFlowNode for tar | tarslip.py:95:5:95:9 | ControlFlowNode for entry |
+| tarslip.py:94:7:94:39 | ControlFlowNode for Attribute() | tarslip.py:94:1:94:3 | ControlFlowNode for tar |
+| tarslip.py:95:5:95:9 | ControlFlowNode for entry | tarslip.py:96:17:96:21 | ControlFlowNode for entry |
+| tarslip.py:109:1:109:3 | ControlFlowNode for tar | tarslip.py:110:1:110:3 | ControlFlowNode for tar |
+| tarslip.py:109:7:109:39 | ControlFlowNode for Attribute() | tarslip.py:109:1:109:3 | ControlFlowNode for tar |
+| tarslip.py:112:1:112:3 | ControlFlowNode for tar | tarslip.py:113:24:113:26 | ControlFlowNode for tar |
+| tarslip.py:112:7:112:39 | ControlFlowNode for Attribute() | tarslip.py:112:1:112:3 | ControlFlowNode for tar |
 nodes
 | tarslip.py:14:1:14:3 | ControlFlowNode for tar | semmle.label | ControlFlowNode for tar |
 | tarslip.py:14:7:14:39 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
@@ -31,6 +40,19 @@ nodes
 | tarslip.py:58:7:58:39 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
 | tarslip.py:59:5:59:9 | ControlFlowNode for entry | semmle.label | ControlFlowNode for entry |
 | tarslip.py:61:21:61:25 | ControlFlowNode for entry | semmle.label | ControlFlowNode for entry |
+| tarslip.py:90:1:90:3 | ControlFlowNode for tar | semmle.label | ControlFlowNode for tar |
+| tarslip.py:90:7:90:39 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| tarslip.py:91:1:91:3 | ControlFlowNode for tar | semmle.label | ControlFlowNode for tar |
+| tarslip.py:94:1:94:3 | ControlFlowNode for tar | semmle.label | ControlFlowNode for tar |
+| tarslip.py:94:7:94:39 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| tarslip.py:95:5:95:9 | ControlFlowNode for entry | semmle.label | ControlFlowNode for entry |
+| tarslip.py:96:17:96:21 | ControlFlowNode for entry | semmle.label | ControlFlowNode for entry |
+| tarslip.py:109:1:109:3 | ControlFlowNode for tar | semmle.label | ControlFlowNode for tar |
+| tarslip.py:109:7:109:39 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| tarslip.py:110:1:110:3 | ControlFlowNode for tar | semmle.label | ControlFlowNode for tar |
+| tarslip.py:112:1:112:3 | ControlFlowNode for tar | semmle.label | ControlFlowNode for tar |
+| tarslip.py:112:7:112:39 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| tarslip.py:113:24:113:26 | ControlFlowNode for tar | semmle.label | ControlFlowNode for tar |
 subpaths
 #select
 | tarslip.py:15:1:15:3 | ControlFlowNode for tar | tarslip.py:14:7:14:39 | ControlFlowNode for Attribute() | tarslip.py:15:1:15:3 | ControlFlowNode for tar | This file extraction depends on a $@. | tarslip.py:14:7:14:39 | ControlFlowNode for Attribute() | potentially untrusted source |
@@ -38,3 +60,7 @@ subpaths
 | tarslip.py:39:17:39:21 | ControlFlowNode for entry | tarslip.py:35:7:35:39 | ControlFlowNode for Attribute() | tarslip.py:39:17:39:21 | ControlFlowNode for entry | This file extraction depends on a $@. | tarslip.py:35:7:35:39 | ControlFlowNode for Attribute() | potentially untrusted source |
 | tarslip.py:43:24:43:26 | ControlFlowNode for tar | tarslip.py:42:7:42:39 | ControlFlowNode for Attribute() | tarslip.py:43:24:43:26 | ControlFlowNode for tar | This file extraction depends on a $@. | tarslip.py:42:7:42:39 | ControlFlowNode for Attribute() | potentially untrusted source |
 | tarslip.py:61:21:61:25 | ControlFlowNode for entry | tarslip.py:58:7:58:39 | ControlFlowNode for Attribute() | tarslip.py:61:21:61:25 | ControlFlowNode for entry | This file extraction depends on a $@. | tarslip.py:58:7:58:39 | ControlFlowNode for Attribute() | potentially untrusted source |
+| tarslip.py:91:1:91:3 | ControlFlowNode for tar | tarslip.py:90:7:90:39 | ControlFlowNode for Attribute() | tarslip.py:91:1:91:3 | ControlFlowNode for tar | This file extraction depends on a $@. | tarslip.py:90:7:90:39 | ControlFlowNode for Attribute() | potentially untrusted source |
+| tarslip.py:96:17:96:21 | ControlFlowNode for entry | tarslip.py:94:7:94:39 | ControlFlowNode for Attribute() | tarslip.py:96:17:96:21 | ControlFlowNode for entry | This file extraction depends on a $@. | tarslip.py:94:7:94:39 | ControlFlowNode for Attribute() | potentially untrusted source |
+| tarslip.py:110:1:110:3 | ControlFlowNode for tar | tarslip.py:109:7:109:39 | ControlFlowNode for Attribute() | tarslip.py:110:1:110:3 | ControlFlowNode for tar | This file extraction depends on a $@. | tarslip.py:109:7:109:39 | ControlFlowNode for Attribute() | potentially untrusted source |
+| tarslip.py:113:24:113:26 | ControlFlowNode for tar | tarslip.py:112:7:112:39 | ControlFlowNode for Attribute() | tarslip.py:113:24:113:26 | ControlFlowNode for tar | This file extraction depends on a $@. | tarslip.py:112:7:112:39 | ControlFlowNode for Attribute() | potentially untrusted source |

python/ql/test/query-tests/Security/CWE-022-TarSlip/tarslip.py

@@ -82,3 +82,35 @@ tar = tarfile.open(unsafe_filename_tar)
 for entry in tar:
     if not os.path.isabs(entry.name):
         tar.extract(entry, "/tmp/unpack/")
+
+# Extraction filters
+
+extraction_filter = "fully_trusted"
+
+tar = tarfile.open(unsafe_filename_tar)
+tar.extractall(filter=extraction_filter) # unsafe
+tar.close()
+
+tar = tarfile.open(unsafe_filename_tar)
+for entry in tar:
+    tar.extract(entry, filter=extraction_filter) # unsafe
+
+extraction_filter = "data"
+
+tar = tarfile.open(unsafe_filename_tar)
+tar.extractall(filter=extraction_filter) # safe
+tar.close()
+
+tar = tarfile.open(unsafe_filename_tar)
+for entry in tar:
+    tar.extract(entry, filter=extraction_filter) # safe
+
+extraction_filter = None
+tar = tarfile.open(unsafe_filename_tar)
+tar.extractall(filter=extraction_filter) # unsafe
+
+tar = tarfile.open(unsafe_filename_tar)
+tar.extractall(members=tar, filter=extraction_filter) # unsafe
+
+tar = tarfile.open(unsafe_filename_tar)
+tar.extractall(members=safemembers(tar), filter=extraction_filter) # safe -- we assume `safemembers` makes up for the unsafe filter

python/ql/test/query-tests/Security/CWE-089-SqlInjection/CONSISTENCY/DataFlowConsistency.expected

@@ -0,0 +1,6 @@
+storeStepIsLocal
+| sql_injection.py:10:1:10:25 | [orm-model] Class User | sql_injection.py:18:9:18:80 | ControlFlowNode for Attribute() | Store step does not preserve enclosing callable. |
+| sql_injection.py:10:1:10:25 | [orm-model] Class User | sql_injection.py:24:9:24:97 | ControlFlowNode for Attribute() | Store step does not preserve enclosing callable. |
+| sql_injection.py:10:1:10:25 | [orm-model] Class User | sql_injection.py:25:9:25:84 | ControlFlowNode for Attribute() | Store step does not preserve enclosing callable. |
+| sql_injection.py:10:1:10:25 | [orm-model] Class User | sql_injection.py:26:9:26:86 | ControlFlowNode for Attribute() | Store step does not preserve enclosing callable. |
+| sql_injection.py:10:1:10:25 | [orm-model] Class User | sql_injection.py:40:9:40:82 | ControlFlowNode for Attribute() | Store step does not preserve enclosing callable. |