mirror of
https://github.com/github/codeql.git
synced 2026-06-03 04:40:14 +02:00
4ed5722e3e
Flips the Python dataflow trunk from the legacy CFG (semmle/python/Flow.qll) and legacy ESSA SSA (semmle/python/essa/*) to the new shared CFG facade (semmle.python.controlflow.internal.Cfg) and the new SSA adapter (semmle.python.dataflow.new.internal.SsaImpl), both introduced additively in the preceding PRs in this stack. This is the trunk-flip equivalent of the original draft PR #21894 (kept around as documentation), rebased on top of the four preparatory PRs: P1: Remove AstNode.getAFlowNode() and rewrite callers (#21919). P2: Qualify Flow.qll's AST references with Py:: prefix (#21920). P3: Add new shared-CFG-backed control flow graph (#21921). P4: Add new shared-SSA-backed SSA adapter (#21923). The Python dataflow library (semmle/python/dataflow/new/) now imports the new CFG facade and SSA adapter. All CFG-typed predicates (ControlFlowNode, CallNode, BasicBlock, NameNode, AttrNode, ...) are qualified with the Cfg:: prefix; SSA references switch from EssaVariable/EssaDefinition to SsaImpl::Definition/SourceVariable. GuardNode is redesigned to use the new CFG's outcome-node model (isAfterTrue / isAfterFalse) instead of the legacy ConditionBlock + flipped indirection. Only BarrierGuard<...> is preserved as public API. Framework files (Bottle, FastApi, Django, Tornado, Pyramid, Stdlib, ...) are updated to take CFG nodes from the new facade. A handful of dataflow consistency tweaks for the new CFG: - Augmented-assignment targets are treated as both load and store. - 'from X import *' produces uncertain SSA writes for unknown names. - CFG nodes are canonicalised so dataflow does not see equivalent pre/post-order pairs as distinct nodes. Two AST tweaks for the new CFG: - AstNodeImpl: omit PEP 695 type-parameter names from FunctionDefExpr / ClassDefExpr children. - ImportResolution: drop the legacy essa import. Test churn (~175 files): reblessed library- and query-test .expected files reflect slightly different CFG granularity, different toString output, and a handful of true alert deltas in security queries. Verification: all 367 lib + src + consistency-queries compile clean. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
51 lines
1.6 KiB
Plaintext
51 lines
1.6 KiB
Plaintext
/**
|
|
* Configuration to test selected data flow
|
|
* Sources in the source code are denoted by the special name `SOURCE`,
|
|
* and sinks are denoted by arguments to the special function `SINK`.
|
|
* For example, given the test code
|
|
* ```python
|
|
* def test():
|
|
* s = SOURCE
|
|
* SINK(s)
|
|
* ```
|
|
* `SOURCE` will be a source and the second occurrence of `s` will be a sink.
|
|
*
|
|
* In order to test literals, alternative sources are defined for each type:
|
|
*
|
|
* for | use
|
|
* ----------
|
|
* string | `"source"`
|
|
* integer | `42`
|
|
* float | `42.0`
|
|
* complex | `42j` (not supported yet)
|
|
*/
|
|
|
|
private import python
|
|
private import semmle.python.controlflow.internal.Cfg as Cfg
|
|
import semmle.python.dataflow.new.DataFlow
|
|
|
|
module TestConfig implements DataFlow::ConfigSig {
|
|
predicate isSource(DataFlow::Node node) {
|
|
node.(DataFlow::CfgNode).getNode().(Cfg::NameNode).getId() = "SOURCE"
|
|
or
|
|
node.(DataFlow::CfgNode).getNode().getNode().(StringLiteral).getS() = "source"
|
|
or
|
|
node.(DataFlow::CfgNode).getNode().getNode().(IntegerLiteral).getN() = "42"
|
|
or
|
|
node.(DataFlow::CfgNode).getNode().getNode().(FloatLiteral).getN() = "42.0"
|
|
// No support for complex numbers
|
|
}
|
|
|
|
predicate isSink(DataFlow::Node node) {
|
|
exists(DataFlow::CallCfgNode call |
|
|
call.getFunction().asCfgNode().(Cfg::NameNode).getId() in ["SINK", "SINK_F"] and
|
|
(node = call.getArg(_) or node = call.getArgByName(_)) and
|
|
not node = call.getArgByName("not_present_at_runtime")
|
|
)
|
|
}
|
|
|
|
predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
|
|
}
|
|
|
|
module TestFlow = DataFlow::Global<TestConfig>;
|