hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-19 02:13:17 +01:00
Code Issues Packages Projects Releases Wiki Activity
35,614 Commits 1,671 Branches 157 Tags
c20ee76826e10318f8f39c6fae901b743c2e8254
Commit Graph

572 Commits

Author SHA1 Message Date
yoff
1d44694280 Merge pull request #8732 from RasmusWL/dataflow-imports 
Python: Don't re-export `python` under `DataFlow::`
 2022-05-02 12:08:28 +02:00
Taus
231def026f Merge pull request #8890 from tausbn/python-add-global-attribute-writes 
Python: Add support for global attribute writes
 2022-05-02 12:03:41 +02:00
yoff
c67b06b1fd Update python/ql/test/experimental/dataflow/typetracking/attribute_tests.py 
Co-authored-by: Taus <tausbn@github.com>
 2022-05-02 11:36:58 +02:00
Taus
b4a31e572f Python: Add global attribute writes 2022-04-27 16:45:00 +00:00
Taus
f71cf2e1fc Python: Add test 2022-04-27 15:48:11 +00:00
Rasmus Wriedt Larsen
084c8eb22e Python: Don't re-export python under DataFlow:: 2022-04-20 11:42:10 +02:00
Rasmus Wriedt Larsen
5dbbd17bb2 Python: Add test to ensure we keep DataFlow imports clean 
Currently we're not in a good state :(
 2022-04-20 11:41:01 +02:00
Erik Krogh Kristensen
50bfc8eaa0 refactor uses of API::Node::getAUse() that should have been something else 2022-04-07 13:52:13 +02:00
yoff
5efc19c39d Merge pull request #7806 from erik-krogh/pyDef 
Python: Add def nodes to API graphs
 2022-03-28 08:09:14 +02:00
Taus
5a8ba6a7af Python: Fix use of singleton set 2022-03-07 18:59:49 +00:00
yoff
d953382df9 Merge pull request #7807 from RasmusWL/dataflow-improvements 
Python: Dataflow improvements
 2022-02-28 16:24:00 +01:00
Rasmus Wriedt Larsen
0e0f159891 Python: Use Python 3 for investigation tests 
Apparently there are minor differences with `test-6-max-import-depth-2`
where under Python 2 `isfile_no_problem.py` still works as before
 2022-02-28 11:33:31 +01:00
Rasmus Wriedt Larsen
01d426dc58 Python: Replace rest of from testlib import * 
I think we should write our tests in a way that puts points-to in the
best condition to resolve calls. Although this specific change did not
change much, it should help set us up for success in the future 👍
 2022-02-28 10:58:44 +01:00
Rasmus Wriedt Larsen
ead0b658d2 Python: Fix fieldflow tests by increasing max-import-depth 2022-02-28 10:58:44 +01:00
Rasmus Wriedt Larsen
a0d1cea490 Python: Add investigation of field-flow problem 
TL;DR; we used a too low value for `--max-import-depth` :(
 2022-02-28 10:58:44 +01:00
Rasmus Wriedt Larsen
f988e1f0d8 Python: Improve field-flow by removing import * 
Since that apparently impacts call graph resolution with points-to :O

Also interesting that global flow was only not working for those cases
because of the tricky ifs... still need to 100% figure out how those ifs
are messing up the analysis :|
 2022-02-25 16:01:08 +01:00
Rasmus Wriedt Larsen
999af15bd5 Python: Show unresolved calls for field-flow tests 2022-02-25 15:58:07 +01:00
yoff
8b926f6859 Merge pull request #7873 from RasmusWL/fix-attribute-taint 
Python: Fix attribute taint
 2022-02-25 15:02:24 +01:00
Rasmus Wriedt Larsen
2d0034c40d Python: Replicate global field-flow failures 2022-02-25 14:14:00 +01:00
Rasmus Wriedt Larsen
faaa63a73c Python: Ensure no cross-talk in global tests 
By giving all variables unique names

I also added a comment with the function name from the normal tests, so
its' easily visible what these tests are testing
 2022-02-25 13:41:51 +01:00
Rasmus Wriedt Larsen
0642610ee9 Python: Global flow works when in own file??? 
This is very suspicious
 2022-02-25 13:36:00 +01:00
Rasmus Wriedt Larsen
d83a9ef8d3 Python: Fix global field-flow for validTest.py 2022-02-25 13:35:43 +01:00
Rasmus Wriedt Larsen
abe4d8da62 Python: Accept global field-flow inconsistencies 
Yikes
 2022-02-24 15:07:18 +01:00
Rasmus Wriedt Larsen
94d23f3817 Python: Also do all field-flow tests in global scope 
Notice that these tests don't pass, to show how they differ in the next
commit!
 2022-02-24 15:06:40 +01:00
Rasmus Wriedt Larsen
2da4b39844 Python: Add global field-flow tests 
I thought it was interesting that it did not propagate flow to the uses
inside the functions :O
 2022-02-24 13:15:48 +01:00
Rasmus Wriedt Larsen
d2cd77aefb Merge branch 'main' into dataflow-improvements 2022-02-21 14:49:40 +01:00
Rasmus Wriedt Larsen
9d81fd3b95 Python: Improve sanitizer/guards tests 
Based on review conversation
 2022-02-18 14:12:41 +01:00
Rasmus Wriedt Larsen
7aa559f4aa Python: Restore dataflow consistency queries 2022-02-18 13:47:29 +01:00
Rasmus Wriedt Larsen
c5b6fb37b7 Python: Clean up NormalDataflowTest.qll 2022-02-18 13:47:29 +01:00
Rasmus Wriedt Larsen
67ca14876a Python: Apply suggestions from code review 
Co-authored-by: yoff <lerchedahl@gmail.com>
 2022-02-18 13:47:07 +01:00
Rasmus Wriedt Larsen
a8edd44a3c Python: Update .expected 2022-02-08 11:12:34 +01:00
Rasmus Wriedt Larsen
b276b2d48c Python: Clean up taint steps for attributes 2022-02-07 13:12:31 +01:00
Rasmus Wriedt Larsen
59160eeb24 Python: Add test showing taint for attr store 
In `x.arg = TAINTED_STRING` there is a store step to the attribute `arg`
of `x`. In our taint modeling, we allow _any_ store step with the code
below. This means that we also say there is a taint-step directly from
`TAINTED_STRING` to `x` :|

```codeql
  // construction by literal
  // TODO: Not limiting the content argument here feels like a BIG hack, but we currently get nothing for free :|
  DataFlowPrivate::storeStep(nodeFrom, _, nodeTo)
```
 2022-02-07 13:12:28 +01:00
Rasmus Wriedt Larsen
b2ce0fcb72 Python: Add post-update nodes to args of unresolved calls 
Besides solving the problem with `setattr`, it also solved some old
problems with json library modeling (yay).
 2022-02-04 11:51:53 +01:00
Erik Krogh Kristensen
52ca0d168b move API-graph tests out of the experimental test folder 2022-02-03 23:10:37 +01:00
Rasmus Wriedt Larsen
5cd08b8e8c Python: Ignore .isAbsent() from ClassCall 
This means that DataFlowCall is only for resolvable calls, which might not seem
like a big thing in itself, but enables the next commit to actually work :P
 2022-02-03 14:58:30 +01:00
Rasmus Wriedt Larsen
a5c2341204 Python: Add simple test of DataFlowCall 
Notice the strange thing with treating `mypkg.foo(42)` as a ClassCall,
but completely ignoring `mypkg.subpkg.bar(43)` -- due to having the two
`ClassValue`s:

- `Missing module attribute mypkg.foo`
- `Missing module attribute mypkg.subpkg`

But not `Missing module attribute mypkg.subpkg` with the current import
structure.
 2022-02-03 14:58:30 +01:00
Rasmus Wriedt Larsen
49b5d60229 Python: Use AttrRead/AttrWrite for attr read/store steps 
Note that this doesn't actually add the desired flow from setattr, due
to missing post-update note. This will be fixed in later commit.
 2022-02-03 14:58:30 +01:00
Rasmus Wriedt Larsen
5774459dfb Python: restrict AttrRead with AttrNode.isLoad() 2022-02-03 14:58:23 +01:00
Rasmus Wriedt Larsen
51bc6dcf7e Python: Add attributeClearStep 2022-02-02 11:19:35 +01:00
Rasmus Wriedt Larsen
d2b72a7547 Python: Expand fieldflow tests 2022-02-02 11:19:31 +01:00
Rasmus Wriedt Larsen
f6215f2300 Python: Refactor field-flow test 2022-02-01 17:59:03 +01:00
Rasmus Wriedt Larsen
cc4fe38fbd Python: Delete dedicated argumentRouting<N> tests 
I feel like they don't bring any value anymore, since we have the nice
inline expectation tests. If I'm wrong, happy to revert this commit
though.
 2022-02-01 17:51:33 +01:00
Rasmus Wriedt Larsen
54f53c828e Python: Refactor argumentRoutingTest.ql to be more generic 
I checked to see that the tests still works. If I deleted the `arg5`
annotation, it got failures:

```diff
diff --git a/python/ql/test/experimental/dataflow/coverage/argumentPassing.py b/python/ql/test/experimental/dataflow/coverage/argumentPassing.py
index e218bdde9b..71816c1e01 100644
--- a/python/ql/test/experimental/dataflow/coverage/argumentPassing.py
+++ b/python/ql/test/experimental/dataflow/coverage/argumentPassing.py
@@ -46,7 +46,7 @@ def argument_passing(
     c,
     d=arg4,  #$ arg4 func=argument_passing
     *,
-    e=arg5,  #$ arg5 func=argument_passing
+    e=arg5,
     f,
     **g,
 ):
diff --git a/python/ql/test/experimental/dataflow/coverage/argumentRoutingTest.expected b/python/ql/test/experimental/dataflow/coverage/argumentRoutingTest.expected
index e69de29bb2..22037a40c3 100644
--- a/python/ql/test/experimental/dataflow/coverage/argumentRoutingTest.expected
+++ b/python/ql/test/experimental/dataflow/coverage/argumentRoutingTest.expected
@@ -0,0 +1,2 @@
+| argumentPassing.py:49:7:49:10 | ControlFlowNode for arg5 | Unexpected result: arg5= |
+| argumentPassing.py:49:7:49:10 | ControlFlowNode for arg5 | Unexpected result: func=argument_passing |
```
 2022-02-01 17:50:06 +01:00
Rasmus Wriedt Larsen
76f3d74fed Python: Remove extra whitespace from argumentPassing.py 2022-02-01 17:48:16 +01:00
Rasmus Wriedt Larsen
5ee755db09 Python: Require MISSING: flow annotations for normal data-flow tests 
I had to rewrite the SINK1-SINK7 definitions, since this new requirement
complained that we had to add this `MISSING: flow` annotation :D

Doing this implementation also revealed that there was a bug, since I
did not compare files when checking for these `MISSING:` annotations. So
fixed that up in the implementation for inline taint tests as well.

(extra whitespace in argumentPassing.py to avoid changing line numbers
for other tests)
 2022-02-01 17:46:53 +01:00
Rasmus Wriedt Larsen
2bc4a60496 Python: Unify normal dataflow test setup 
I went with NormalDataflowTest to signify that if you don't know what
you're looking for, this is probably the one. I did not want to just
call it DataflowTest, since that becomes a big vague when there are also
`FlowTest.qll` and `MaximalFlowTest.qll` -- I'm open to renaming this
though 👍
 2022-02-01 17:31:31 +01:00
Rasmus Wriedt Larsen
41319607a9 Python: Use InlineExpectationsTest for field-flow tests 
I deleted the old tests, so it's very clear what tests to look for
 2022-02-01 17:31:31 +01:00
Rasmus Wriedt Larsen
d6f415bae2 Python: Run match tests if Python 3.10 or newer 
Also fixes a bug in the tests
 2022-02-01 17:31:31 +01:00
Rasmus Wriedt Larsen
a4bb0cc5d8 Python: Run tests for fieldflow/test.py 2022-02-01 15:32:07 +01:00