mirror of
https://github.com/github/codeql.git
synced 2026-04-25 08:45:14 +02:00
Docs: Update Python
This commit is contained in:
Shati Patel
@@ -1,12 +1,12 @@
|
||||
Tutorial: Control flow analysis
|
||||
===============================
|
||||
|
||||
In order to analyze the `Control-flow graph <http://en.wikipedia.org/wiki/Control_flow_graph>`__ of a ``Scope`` we can use the two QL classes ``ControlFlowNode`` and ``BasicBlock``. These classes allow you to ask such questions as "can you reach point A from point B?" or "Is it possible to reach point B *without* going through point A?". To report results we use the class ``AstNode``, which represents a syntactic element and corresponds to the source code - allowing the results of the query to be more easily understood.
|
||||
To analyze the `Control-flow graph <http://en.wikipedia.org/wiki/Control_flow_graph>`__ of a ``Scope`` we can use the two CodeQL classes ``ControlFlowNode`` and ``BasicBlock``. These classes allow you to ask such questions as "can you reach point A from point B?" or "Is it possible to reach point B *without* going through point A?". To report results we use the class ``AstNode``, which represents a syntactic element and corresponds to the source code - allowing the results of the query to be more easily understood.
|
||||
|
||||
The ``ControlFlowNode`` class
|
||||
-----------------------------
|
||||
|
||||
The ``ControlFlowNode`` class represents nodes in the control flow graph. There is a one-to-many relation between AST nodes and control flow nodes. Each syntactic element, the ``AstNode,`` maps to zero, one or many ``ControlFlowNode`` classes, but each ControlFlowNode maps to exactly one ``AstNode``.
|
||||
The ``ControlFlowNode`` class represents nodes in the control flow graph. There is a one-to-many relation between AST nodes and control flow nodes. Each syntactic element, the ``AstNode,`` maps to zero, one, or many ``ControlFlowNode`` classes, but each ``ControlFlowNode`` maps to exactly one ``AstNode``.
|
||||
|
||||
To show why this complex relation is required consider the following Python code:
|
||||
|
||||
@@ -21,7 +21,7 @@ To show why this complex relation is required consider the following Python code
|
||||
|
||||
There are many paths through the above code. There are three different paths through the call to ``close_resource();`` one normal path, one path that breaks out of the loop, and one path where an exception is raised by ``might_raise()``. (An annotated flow graph can be seen :doc:`here <control-flow-graph>`.)
|
||||
|
||||
The simplest use of the ``ControlFlowNode`` and ``AstNode`` classes is to find unreachable code. There is one ``ControlFlowNode`` per path through any ``AstNode`` and any ``AstNode`` that is unreachable has no paths flowing through it; therefore any ``AstNode`` without a corresponding ``ControlFlowNode`` is unreachable.
|
||||
The simplest use of the ``ControlFlowNode`` and ``AstNode`` classes is to find unreachable code. There is one ``ControlFlowNode`` per path through any ``AstNode`` and any ``AstNode`` that is unreachable has no paths flowing through it. Therefore, any ``AstNode`` without a corresponding ``ControlFlowNode`` is unreachable.
|
||||
|
||||
**Unreachable AST nodes**
|
||||
|
||||
@@ -103,5 +103,5 @@ Combining these conditions we get:
|
||||
What next?
|
||||
----------
|
||||
|
||||
- Experiment with the worked examples in the QL for Python tutorial topic: :doc:`Taint tracking and data flow analysis in Python <taint-tracking>`.
|
||||
- Experiment with the worked examples in the tutorial topic :doc:`Taint tracking and data flow analysis in Python <taint-tracking>`.
|
||||
- Find out more about QL in the `QL language handbook <https://help.semmle.com/QL/ql-handbook/index.html>`__ and `QL language specification <https://help.semmle.com/QL/ql-spec/language.html>`__.
|
||||
|
||||
@@ -1,14 +1,14 @@
|
||||
Tutorial: Functions
|
||||
===================
|
||||
|
||||
This example uses the standard QL class ``Function`` (see :doc:`Introducing the Python libraries <introduce-libraries-python>`).
|
||||
This example uses the standard CodeQL class ``Function`` (see :doc:`Introducing the Python libraries <introduce-libraries-python>`).
|
||||
|
||||
Finding all functions called "get..."
|
||||
-------------------------------------
|
||||
|
||||
In this example we look for all the "getters" in a program. Programmers moving to Python from Java are often tempted to write lots of getter and setter methods, rather than use properties. We might want to find those methods.
|
||||
|
||||
Using the member predicate ``Function.getName()``, we can list all of the getter functions in a snapshot:
|
||||
Using the member predicate ``Function.getName()``, we can list all of the getter functions in a database:
|
||||
|
||||
Tip
|
||||
|
||||
@@ -77,5 +77,5 @@ In a later tutorial we will see how to use the type-inference library to find ca
|
||||
What next?
|
||||
----------
|
||||
|
||||
- Experiment with the worked examples in the QL for Python tutorial topics: :doc:`Statements and expressions <statements-expressions>`, :doc:`Control flow <control-flow>`, :doc:`Points-to analysis and type inference <pointsto-type-infer>`.
|
||||
- Experiment with the worked examples in the following tutorial topics: :doc:`Statements and expressions <statements-expressions>`, :doc:`Control flow <control-flow>`, and :doc:`Points-to analysis and type inference <pointsto-type-infer>`.
|
||||
- Find out more about QL in the `QL language handbook <https://help.semmle.com/QL/ql-handbook/index.html>`__ and `QL language specification <https://help.semmle.com/QL/ql-spec/language.html>`__.
|
||||
|
||||
@@ -1,39 +1,35 @@
|
||||
Introducing the QL libraries for Python
|
||||
=======================================
|
||||
Introducing the CodeQL libraries for Python
|
||||
===========================================
|
||||
|
||||
These libraries have been created to help you analyze Python code, providing an object-oriented layer on top of the raw data in the snapshot database. They are written in standard QL.
|
||||
|
||||
The QL libraries all have a ``.qll`` extension, to signify that they contain QL library code but no actual queries. Each file contains a QL class or hierarchy of classes.
|
||||
|
||||
You can include all of the standard libraries by beginning each query with this statement:
|
||||
There is an extensive library for analyzing CodeQL databases extracted from Python projects. The classes in this library present the data from a database in an object-oriented form and provide abstractions and predicates to help you with common analysis tasks. The library is implemented as a set of QL modules, that is, files with the extension ``.qll``. The module ``python.qll`` imports all the core Python library modules, so you can include the complete library by beginning your query with:
|
||||
|
||||
.. code-block:: ql
|
||||
|
||||
import python
|
||||
|
||||
The rest of this tutorial summarizes the contents of the standard QL libraries. We recommend that you read this and then work through the practical examples in the Python tutorials shown at the end of the page.
|
||||
The rest of this tutorial summarizes the contents of the standard libraries for Python. We recommend that you read this and then work through the practical examples in the tutorials shown at the end of the page.
|
||||
|
||||
Overview of the library
|
||||
-----------------------
|
||||
|
||||
The QL Python library incorporates a large number of classes, each class corresponding either to one kind of entity in Python source code or to an entity that can be derived form the source code using static analysis. These classes can be divided into four categories:
|
||||
The CodeQL library for Python incorporates a large number of classes. Each class corresponds either to one kind of entity in Python source code or to an entity that can be derived form the source code using static analysis. These classes can be divided into four categories:
|
||||
|
||||
- **Syntactic** - classes that represent entities in the Python source code.
|
||||
- **Control flow** - classes that represent entities from the control flow graphs.
|
||||
- **Type inference** - classes that represent the inferred values and types of entities in the Python source code.
|
||||
- **Taint tracking** - classes that represent the source, sinks and kinds of taint used to implement taint-tracking queries.
|
||||
- **Taint tracking** - classes that represent the source, sinks and kinds of taint used to implement taint-tracking queries.
|
||||
|
||||
Syntactic classes
|
||||
~~~~~~~~~~~~~~~~~
|
||||
|
||||
This part of the library represents the Python source code. The ``Module``, ``Class`` and ``Function`` classes correspond to Python modules, classes and functions respectively, collectively these are known as ``Scope`` classes. Each ``Scope`` contains a list of statements each of which is represented by a subclass of the class ``Stmt``. Statements themselves can contain other statements or expressions which are represented by subclasses of ``Expr``. Finally, there are a few additional classes for the parts of more complex expressions such as list comprehensions. Collectively these classes are subclasses of ``AstNode`` and form an `Abstract syntax tree <http://en.wikipedia.org/wiki/Abstract_syntax_tree>`__ (AST). The root of each AST is a ``Module``.
|
||||
This part of the library represents the Python source code. The ``Module``, ``Class``, and ``Function`` classes correspond to Python modules, classes, and functions respectively, collectively these are known as ``Scope`` classes. Each ``Scope`` contains a list of statements each of which is represented by a subclass of the class ``Stmt``. Statements themselves can contain other statements or expressions which are represented by subclasses of ``Expr``. Finally, there are a few additional classes for the parts of more complex expressions such as list comprehensions. Collectively these classes are subclasses of ``AstNode`` and form an `Abstract syntax tree <http://en.wikipedia.org/wiki/Abstract_syntax_tree>`__ (AST). The root of each AST is a ``Module``.
|
||||
|
||||
`Symbolic information <http://en.wikipedia.org/wiki/Symbol_table>`__ is attached to the AST in the form of variables (represented by the class ``Variable``).
|
||||
|
||||
Scope
|
||||
^^^^^
|
||||
|
||||
A Python program is a group of modules. Technically a module is just a list of statements, but we often think of it as composed of classes and functions. These top-level entities, the module, class and function are represented by the three classes (`Module <https://help.semmle.com/qldoc/python/semmle/python/Module.qll/type.Module$Module.html>`__, `Class <https://help.semmle.com/qldoc/python/semmle/python/Class.qll/type.Class$Class.html>`__ and `Function <https://help.semmle.com/qldoc/python/semmle/python/Function.qll/type.Function$Function.html>`__ which are all subclasses of ``Scope``.
|
||||
A Python program is a group of modules. Technically a module is just a list of statements, but we often think of it as composed of classes and functions. These top-level entities, the module, class, and function are represented by the three CodeQL classes (`Module <https://help.semmle.com/qldoc/python/semmle/python/Module.qll/type.Module$Module.html>`__, `Class <https://help.semmle.com/qldoc/python/semmle/python/Class.qll/type.Class$Class.html>`__ and `Function <https://help.semmle.com/qldoc/python/semmle/python/Function.qll/type.Function$Function.html>`__ which are all subclasses of ``Scope``.
|
||||
|
||||
- ``Scope``
|
||||
|
||||
@@ -65,7 +61,7 @@ A statement is represented by the `Stmt <https://help.semmle.com/qldoc/python/se
|
||||
else:
|
||||
return 0
|
||||
|
||||
The QL `For <https://help.semmle.com/qldoc/python/semmle/python/Stmts.qll/type.Stmts$For.html>`__ class representing the ``for`` statement has a number of member predicates to access its parts:
|
||||
The `For <https://help.semmle.com/qldoc/python/semmle/python/Stmts.qll/type.Stmts$For.html>`__ class representing the ``for`` statement has a number of member predicates to access its parts:
|
||||
|
||||
- ``getTarget()`` returns the ``Expr`` representing the variable ``var``.
|
||||
- ``getIter()`` returns the ``Expr`` resenting the variable ``seq``.
|
||||
@@ -98,7 +94,7 @@ As an example, to find expressions of the form ``a+2`` where the left is a simpl
|
||||
Variable
|
||||
^^^^^^^^
|
||||
|
||||
Variables are represented by the `Variable <https://help.semmle.com/qldoc/python/semmle/python/Variables.qll/type.Variables$Variable.html>`__ class in the Python QL library. There are two subclasses, ``LocalVariable`` for function-level and class-level variables and ``GlobalVariable`` for module-level variables.
|
||||
Variables are represented by the `Variable <https://help.semmle.com/qldoc/python/semmle/python/Variables.qll/type.Variables$Variable.html>`__ class in the CodeQL library. There are two subclasses, ``LocalVariable`` for function-level and class-level variables and ``GlobalVariable`` for module-level variables.
|
||||
|
||||
Other source code elements
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
@@ -108,7 +104,7 @@ Although the meaning of the program is encoded by the syntactic elements, ``Scop
|
||||
Examples
|
||||
^^^^^^^^
|
||||
|
||||
Each syntactic element in Python source is recorded in the snapshot. These can be queried via the corresponding class. Let us start with a couple of simple examples.
|
||||
Each syntactic element in Python source is recorded in the CodeQL database. These can be queried via the corresponding class. Let us start with a couple of simple examples.
|
||||
|
||||
1. Finding all finally blocks
|
||||
'''''''''''''''''''''''''''''
|
||||
@@ -137,13 +133,13 @@ A block that does nothing is one that contains no statements except ``pass`` sta
|
||||
|
||||
not exists(Stmt s | s = ex.getAStmt() | not s instanceof Pass)
|
||||
|
||||
where ``ex`` is an ``ExceptStmt`` and ``Pass`` is the class representing ``pass`` statements. Instead of using the double negative, **"no**\ *statements that are*\ **not**\ *pass statements"*, this can also be expressed positively, "all statements must be pass statements." The positive form is expressed in QL using the ``forall`` quantifier:
|
||||
where ``ex`` is an ``ExceptStmt`` and ``Pass`` is the class representing ``pass`` statements. Instead of using the double negative, "**no** \ *statements that are* \ **not** \ *pass statements"*, this can also be expressed positively, *"all statements must be pass statements."* The positive form is expressed using the ``forall`` quantifier:
|
||||
|
||||
.. code-block:: ql
|
||||
|
||||
forall(Stmt s | s = ex.getAStmt() | s instanceof Pass)
|
||||
|
||||
Both forms are equivalent. Using the positive QL expression, the whole query looks like this:
|
||||
Both forms are equivalent. Using the positive expression, the whole query looks like this:
|
||||
|
||||
**Find pass-only ``except`` blocks**
|
||||
|
||||
@@ -160,9 +156,9 @@ Both forms are equivalent. Using the positive QL expression, the whole query loo
|
||||
Summary
|
||||
^^^^^^^
|
||||
|
||||
The most commonly used standard QL library classes in the syntactic part of the library are organized as follows:
|
||||
The most commonly used standard classes in the syntactic part of the library are organized as follows:
|
||||
|
||||
``Module``, ``Class``, ``Function``, ``Stmt`` and ``Expr`` - they are all subclasses of `AstNode <https://help.semmle.com/qldoc/python/semmle/python/AST.qll/type.AST$AstNode.html>`__.
|
||||
``Module``, ``Class``, ``Function``, ``Stmt``, and ``Expr`` - they are all subclasses of `AstNode <https://help.semmle.com/qldoc/python/semmle/python/AST.qll/type.AST$AstNode.html>`__.
|
||||
|
||||
Abstract syntax tree
|
||||
''''''''''''''''''''
|
||||
@@ -293,7 +289,7 @@ The classes in the control-flow part of the library are:
|
||||
Type-inference classes
|
||||
----------------------
|
||||
|
||||
The QL library for Python also supplies some classes for accessing the inferred types of values. The classes ``Value`` and ``ClassValue`` allow you to query the possible classes that an expression may have at runtime. For example, which ``ClassValue``\ s are iterable can be determined using the query:
|
||||
The CodeQL library for Python also supplies some classes for accessing the inferred types of values. The classes ``Value`` and ``ClassValue`` allow you to query the possible classes that an expression may have at runtime. For example, which ``ClassValue``\ s are iterable can be determined using the query:
|
||||
|
||||
**Find iterable "ClassValue"s**
|
||||
|
||||
@@ -321,7 +317,7 @@ These classes are explained in more detail in :doc:`Tutorial: Points-to analysis
|
||||
Taint-tracking classes
|
||||
----------------------
|
||||
|
||||
The QL library for Python also supplies classes to specify taint-tracking analyses. The ``Configuration`` class can be overrridden to specify a taint-tracking analysis, by specifying source, sinks, sanitizers and additional flow steps. For those analyses that require additional types of taint to be tracked the ``TaintKind`` class can be overridden.
|
||||
The CodeQL library for Python also supplies classes to specify taint-tracking analyses. The ``Configuration`` class can be overridden to specify a taint-tracking analysis, by specifying source, sinks, sanitizers and additional flow steps. For those analyses that require additional types of taint to be tracked the ``TaintKind`` class can be overridden.
|
||||
|
||||
|
||||
Summary
|
||||
@@ -336,5 +332,5 @@ These classes are explained in more detail in :doc:`Tutorial: Taint tracking and
|
||||
What next?
|
||||
----------
|
||||
|
||||
- Experiment with the worked examples in the QL for Python tutorial topics: :doc:`Functions <functions>`, :doc:`Statements and expressions <statements-expressions>`, :doc:`Control flow <control-flow>`, :doc:`Points-to analysis and type inference <pointsto-type-infer>` and :doc:`Taint tracking and data flow analysis in Python <taint-tracking>`.
|
||||
- Experiment with the worked examples in the following tutorial topics: :doc:`Functions <functions>`, :doc:`Statements and expressions <statements-expressions>`, :doc:`Control flow <control-flow>`, :doc:`Points-to analysis and type inference <pointsto-type-infer>`, and :doc:`Taint tracking and data flow analysis in Python <taint-tracking>`.
|
||||
- Find out more about QL in the `QL language handbook <https://help.semmle.com/QL/ql-handbook/index.html>`__ and `QL language specification <https://help.semmle.com/QL/ql-spec/language.html>`__.
|
||||
|
||||
@@ -1,12 +1,12 @@
|
||||
Tutorial: Points-to analysis and type inference
|
||||
===============================================
|
||||
|
||||
This topic contains worked examples of how to write queries using the standard QL library classes for Python type inference.
|
||||
This topic contains worked examples of how to write queries using the standard CodeQL library classes for Python type inference.
|
||||
|
||||
The ``Value`` class
|
||||
--------------------
|
||||
|
||||
The ``Value`` class and its subclasses ``FunctionValue``, ``ClassValue`` and ``ModuleValue`` represent the values an expression may hold at runtime.
|
||||
The ``Value`` class and its subclasses ``FunctionValue``, ``ClassValue``, and ``ModuleValue`` represent the values an expression may hold at runtime.
|
||||
|
||||
Summary
|
||||
~~~~~~~
|
||||
@@ -201,7 +201,7 @@ There are two problems with this query:
|
||||
- It assumes that any call to something named "eval" is a call to the builtin ``eval`` function, which may result in some false positive results.
|
||||
- It assumes that ``eval`` cannot be referred to by any other name, which may result in some false negative results.
|
||||
|
||||
We can get much more accurate results using call-graph analysis. First, we can precisely identify the ``FunctionValue`` for the ``eval`` function, by using the ``Value::named`` QL predicate as follows:
|
||||
We can get much more accurate results using call-graph analysis. First, we can precisely identify the ``FunctionValue`` for the ``eval`` function, by using the ``Value::named`` predicate as follows:
|
||||
|
||||
.. code-block:: ql
|
||||
|
||||
@@ -227,9 +227,5 @@ Then we can use ``Value.getACall()`` to identify calls to the ``eval`` function,
|
||||
What next?
|
||||
----------
|
||||
|
||||
For more information on writing QL, see:
|
||||
|
||||
- `QL language handbook <https://help.semmle.com/QL/ql-handbook/index.html>`__ - an introduction to the concepts of QL.
|
||||
- :doc:`Learning QL <../../index>` - an overview of the resources for learning how to write your own QL queries.
|
||||
- `Database generation <https://lgtm.com/help/lgtm/generate-database>`__ - an overview of the process that creates a database from source code.
|
||||
- :doc:`What's in a CodeQL database? <../database>` - a description of the CodeQL database.
|
||||
- Find out more about QL in the `QL language handbook <https://help.semmle.com/QL/ql-handbook/index.html>`__ and `QL language specification <https://help.semmle.com/QL/ql-spec/language.html>`__.
|
||||
- Read a description of the CodeQL database in :doc:`What's in a CodeQL database? <../database>`
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
QL for Python
|
||||
=============
|
||||
CodeQL for Python
|
||||
=================
|
||||
|
||||
.. toctree::
|
||||
:glob:
|
||||
@@ -13,25 +13,25 @@ QL for Python
|
||||
taint-tracking
|
||||
pointsto-type-infer
|
||||
|
||||
The following tutorials and worked examples are designed to help you learn how to write effective and efficient QL queries for Python projects. You should work through these topics in the order displayed.
|
||||
The following tutorials and worked examples are designed to help you learn how to write effective and efficient queries for Python projects. You should work through these topics in the order displayed.
|
||||
|
||||
- `Basic Python QL query <https://lgtm.com/help/lgtm/console/ql-python-basic-example>`__ describes how to write and run queries using LGTM.
|
||||
- `Basic Python query <https://lgtm.com/help/lgtm/console/ql-python-basic-example>`__ describes how to write and run queries using LGTM.
|
||||
|
||||
- :doc:`Introducing the QL libraries for Python <introduce-libraries-python>` an introduction to the standard QL libraries used to write queries for Python code.
|
||||
- :doc:`Introducing the CodeQL libraries for Python <introduce-libraries-python>` introduces the standard libraries used to write queries for Python code.
|
||||
|
||||
- :doc:`Tutorial: Functions <functions>` worked examples of how to write queries using the standard QL library classes for Python functions.
|
||||
- :doc:`Tutorial: Functions <functions>` demonstrates how to write queries using the standard CodeQL library classes for Python functions.
|
||||
|
||||
- :doc:`Tutorial: Statements and expressions <statements-expressions>` worked examples of how to write queries using the standard QL library classes for Python statements and expressions.
|
||||
- :doc:`Tutorial: Statements and expressions <statements-expressions>` demonstrates how to write queries using the standard CodeQL library classes for Python statements and expressions.
|
||||
|
||||
- :doc:`Tutorial: Control flow <control-flow>` worked examples of how to write queries using the standard QL library classes for Python control flow.
|
||||
- :doc:`Tutorial: Control flow <control-flow>` demonstrates how to write queries using the standard CodeQL library classes for Python control flow.
|
||||
|
||||
- :doc:`Tutorial: Points-to analysis and type inference <pointsto-type-infer>` worked examples of how to write queries using the standard QL library classes for Python type inference.
|
||||
- :doc:`Tutorial: Points-to analysis and type inference <pointsto-type-infer>` demonstrates how to write queries using the standard CodeQL library classes for Python type inference.
|
||||
|
||||
- :doc:`Taint tracking and data flow analysis in Python <taint-tracking>` worked examples of how to write queries using the standard taint tracking and data flow QL libraries for Python.
|
||||
- :doc:`Taint tracking and data flow analysis in Python <taint-tracking>` demonstrates how to write queries using the standard taint tracking and data flow libraries for Python.
|
||||
|
||||
Other resources
|
||||
---------------
|
||||
|
||||
- For examples of how to query common Python elements, see the `Python QL cookbook <https://help.semmle.com/wiki/display/CBPYTHON>`__
|
||||
- For the queries used in LGTM, display a `Python query <https://lgtm.com/search?q=language%3Apython&t=rules>`__ and click **Open in query console** to see the QL code used to find alerts
|
||||
- For more information about the Python QL library see the `QL library for Python <https://help.semmle.com/qldoc/python>`__.
|
||||
- For examples of how to query common Python elements, see the `Python cookbook <https://help.semmle.com/wiki/display/CBPYTHON>`__.
|
||||
- For the queries used in LGTM, display a `Python query <https://lgtm.com/search?q=language%3Apython&t=rules>`__ and click **Open in query console** to see the code used to find alerts.
|
||||
- For more information about the library for Python see the `CodeQL library for Python <https://help.semmle.com/qldoc/python>`__.
|
||||
|
||||
@@ -4,7 +4,7 @@ Tutorial: Statements and expressions
|
||||
Statements
|
||||
----------
|
||||
|
||||
The bulk of Python code takes the form of statements. Each different type of statement in Python is represented by a separate class in QL.
|
||||
The bulk of Python code takes the form of statements. Each different type of statement in Python is represented by a separate CodeQL class.
|
||||
|
||||
Here is the full class hierarchy:
|
||||
|
||||
@@ -165,7 +165,7 @@ The clause ``cmp.getOp(0) instanceof Is and cmp.getComparator(0) = literal`` che
|
||||
Example: Duplicates in dictionary literals
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
If there are duplicate keys in a Python dictionary, then the second key will overwrite the first, which is almost certainly a mistake. We can find these duplicates in QL, but the query is more complex than previous examples and will require us to write a ``predicate`` as a helper.
|
||||
If there are duplicate keys in a Python dictionary, then the second key will overwrite the first, which is almost certainly a mistake. We can find these duplicates with CodeQL, but the query is more complex than previous examples and will require us to write a ``predicate`` as a helper.
|
||||
|
||||
Here is the query:
|
||||
|
||||
@@ -274,5 +274,5 @@ Here is the relevant part of the class hierarchy:
|
||||
What next?
|
||||
----------
|
||||
|
||||
- Experiment with the worked examples in the QL for Python tutorial topics: :doc:`Control flow <control-flow>`, :doc:`Points-to analysis and type inference <pointsto-type-infer>`.
|
||||
- Experiment with the worked examples in the following tutorial topics: :doc:`Control flow <control-flow>` and :doc:`Points-to analysis and type inference <pointsto-type-infer>`.
|
||||
- Find out more about QL in the `QL language handbook <https://help.semmle.com/QL/ql-handbook/index.html>`__ and `QL language specification <https://help.semmle.com/QL/ql-spec/language.html>`__.
|
||||
|
||||
@@ -13,10 +13,10 @@ Taint tracking differs from basic data flow in that it considers non-value-prese
|
||||
For example, in the assignment ``dir = path + "/"``, if ``path`` is tainted then ``dir`` is also tainted,
|
||||
even though there is no data flow from ``path`` to ``path + "/"``.
|
||||
|
||||
Separate QL libraries have been written to handle 'normal' data flow and taint tracking in :doc:`C/C++ <../cpp/dataflow>`, :doc:`C# <../csharp/dataflow>`, :doc:`Java <../java/dataflow>`, and :doc:`JavaScript <../javascript/dataflow>`. You can access the appropriate classes and predicates that reason about these different modes of data flow by importing the appropriate QL library in your query.
|
||||
Separate CodeQL libraries have been written to handle 'normal' data flow and taint tracking in :doc:`C/C++ <../cpp/dataflow>`, :doc:`C# <../csharp/dataflow>`, :doc:`Java <../java/dataflow>`, and :doc:`JavaScript <../javascript/dataflow>`. You can access the appropriate classes and predicates that reason about these different modes of data flow by importing the appropriate library in your query.
|
||||
In Python analysis, we can use the same taint tracking library to model both 'normal' data flow and taint flow, but we are still able make the distinction between steps that preserve value and those that don't by defining additional data flow properties.
|
||||
|
||||
For further information on data flow and taint tracking in QL, see :doc:`Introduction to data flow <../intro-to-data-flow>`.
|
||||
For further information on data flow and taint tracking with CodeQL, see :doc:`Introduction to data flow <../intro-to-data-flow>`.
|
||||
|
||||
Fundamentals of taint tracking and data flow analysis
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
@@ -222,7 +222,7 @@ The ``TaintTracking::Source`` and ``TaintTracking::Sink`` classes have predicate
|
||||
...
|
||||
}
|
||||
|
||||
The ``TaintKind`` itself is just a string (a QL string, not a QL entity representing a Python string),
|
||||
The ``TaintKind`` itself is just a string (a QL string, not a CodeQL entity representing a Python string),
|
||||
which provides methods to extend flow and allow the kind of taint to change along the path.
|
||||
The ``TaintKind`` class has many predicates allowing flow to be modified.
|
||||
This simplest ``TaintKind`` does not override any predicates, meaning that it only flows as opaque data.
|
||||
@@ -254,5 +254,5 @@ which defines the simplest possible taint kind class, ``HardcodedValue``, and cu
|
||||
What next?
|
||||
----------
|
||||
|
||||
- Experiment with the worked examples in the QL for Python tutorial topics: :doc:`Control flow <control-flow>`, and :doc:`Points-to analysis and type inference <pointsto-type-infer>`.
|
||||
- Experiment with the worked examples in the following tutorial topics: :doc:`Control flow <control-flow>` and :doc:`Points-to analysis and type inference <pointsto-type-infer>`.
|
||||
- Find out more about QL in the `QL language handbook <https://help.semmle.com/QL/ql-handbook/index.html>`__ and `QL language specification <https://help.semmle.com/QL/ql-spec/language.html>`__.
|
||||
|
||||
Reference in New Issue
Block a user