Improve check for containment in with statement

2025-12-16 16:53:25 +01:00 · 2025-09-09 11:26:17 +01:00
parent 0b293eaba5
commit e382f7cd43
2 changed files with 8 additions and 2 deletions
--- a/python/ql/src/Resources/FileNotAlwaysClosedQuery.qll
+++ b/python/ql/src/Resources/FileNotAlwaysClosedQuery.qll
@@ -88,6 +88,12 @@ class WithStatement extends FileClose {
  With w;

  WithStatement() { this.asExpr() = w.getContextExpr() }
+
+  override predicate guardsExceptions(DataFlow::CfgNode fileRaises) {
+    super.guardsExceptions(fileRaises)
+    or
+    w.getBody().contains(fileRaises.asExpr())
+  }
 }

 /** Holds if an exception may be raised at `raises` if `file` is a file object. */
--- a/python/ql/test/query-tests/Resources/FileNotAlwaysClosed/resources_test.py
+++ b/python/ql/test/query-tests/Resources/FileNotAlwaysClosed/resources_test.py
@@ -151,7 +151,7 @@ def not_closed17():
 #With statement will close the fp
 def closed18(path):
    try:
-        f18 = open(path) # $SPURIOUS: Alert # Dataflow appears to not detect this with statement as guarding the exceptions produced by the `read()` call.
+        f18 = open(path) # $Alert 
    except IOError as ex:
        print(ex)
        raise ex
@@ -301,7 +301,7 @@ def closed30(path):
    # - NotWrapper is treated as a wrapper class as a file handle is passed to it 
    # - thing.do_something() is treated as a call that can raise an exception while a file is open
    # - this call is treated as occurring after the open but not as being guarded by the with statement, as it is in the same basic block
-    # - - this behaviour has been changed fixing the FP
+    # - - this behavior has been changed fixing the FP

    with open(path) as fp: # No longer spurious alert here.
        thing = NotWrapper(fp)