Python: Port IllegalExceptionHandlerType.ql

A few relevant changes compared to the points-to version: - we've lost `origin`, so we can no longer point to where the illegal type lives. I opted to keep the output message the same, mirroring what we were already doing in IllegalRaise.ql. - We no longer track literal values flowing in from elsewhere, so we lost a single test result where the handled "type" is the result of calling a float-returning function. Apart from that, the only test changes are cosmetic.
2026-05-14 19:29:28 +02:00 · 2026-02-24 22:30:27 +00:00
parent c4ec331e96
commit e2eb69ce8d
2 changed files with 35 additions and 18 deletions
--- a/python/ql/src/Exceptions/IllegalExceptionHandlerType.ql
+++ b/python/ql/src/Exceptions/IllegalExceptionHandlerType.ql
@@ -12,20 +12,38 @@
 */

 import python
-private import LegacyPointsTo
+import semmle.python.dataflow.new.internal.DataFlowDispatch
+private import ExceptionTypes

-from ExceptFlowNodeWithPointsTo ex, Value t, ClassValue c, ControlFlowNode origin, string what
+/**
+ * Gets an expression used as a handler type in the `except` clause at `ex`,
+ * either directly or as an element of a tuple.
+ */
+Expr handlerExpr(ExceptStmt ex) {
+  result = ex.getType() or
+  result = ex.getType().(Tuple).getAnElt()
+}
+
+/**
+ * Gets an exception type used in the `except` clause at `ex`,
+ * where that type is not a legal exception type.
+ */
+ExceptType illegalHandlerType(ExceptStmt ex) {
+  result.getAUse().asExpr() = handlerExpr(ex) and
+  not result.isLegalExceptionType()
+}
+
+from ExceptStmt ex, string msg
 where
-  ex.handledException(t, c, origin) and
-  (
-    exists(ClassValue x | x = t |
-      not x.isLegalExceptionType() and
-      not x.failedInference(_) and
-      what = "class '" + x.getName() + "'"
-    )
-    or
-    not t instanceof ClassValue and
-    what = "instance of '" + c.getName() + "'"
+  exists(ExceptType t | t = illegalHandlerType(ex) |
+    msg =
+      "Non-exception class '" + t.getName() +
+        "' in exception handler which will never match raised exception."
  )
-select ex.getNode(),
-  "Non-exception $@ in exception handler which will never match raised exception.", origin, what
+  or
+  exists(ImmutableLiteral lit | lit = handlerExpr(ex) and not lit instanceof None |
+    msg =
+      "Non-exception class '" + DuckTyping::getClassName(lit) +
+        "' in exception handler which will never match raised exception."
+  )
+select ex, msg