Merge pull request #6218 from tausbn/python-add-typetrackingnode · ByteDecoder/codeql@d282f6a · GitHub

Commit d282f6a

authored
Merge pull request github#6218 from tausbn/python-add-typetrackingnode
Approved by RasmusWL
2 parents dd03d81 + 693a479 commit d282f6a

30 files changed

Lines changed: 154 additions & 100 deletions

python/.vscode/ql.code-snippets

Lines changed: 1 addition & 1 deletion
Lines changed: 3 additions & 0 deletions
@@ -0,0 +1,3 @@
1+
lgtm,codescanning
2+
* The `track` and `backtrack` methods on `LocalSourceNode` have been deprecated. When writing
3+
type trackers, the corresponding methods on `TypeTrackingNode` should be used instead.

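--- a/python/ql/src/Security/CVE-2018-1281/BindToAllInterfaces.ql
+++ b/python/ql/src/Security/CVE-2018-1281/BindToAllInterfaces.ql
@@ -27,7 +27,7 @@ private string vulnerableHostname() {
 }
 
 /** Gets a reference to a hostname that can be used to bind to all interfaces. */
-private DataFlow::LocalSourceNode vulnerableHostnameRef(DataFlow::TypeTracker t, string hostname) {
+private DataFlow::TypeTrackingNode vulnerableHostnameRef(DataFlow::TypeTracker t, string hostname) {
 t.start() and
 exists(StrConst allInterfacesStrConst | hostname = vulnerableHostname() |
 allInterfacesStrConst.getText() = hostname and
@@ -43,7 +43,7 @@ DataFlow::Node vulnerableHostnameRef(string hostname) {
 }
 
 /** Gets a reference to a tuple for which the first element is a hostname that can be used to bind to all interfaces. */
-private DataFlow::LocalSourceNode vulnerableAddressTuple(DataFlow::TypeTracker t, string hostname) {
+private DataFlow::TypeTrackingNode vulnerableAddressTuple(DataFlow::TypeTracker t, string hostname) {
 t.start() and
 result.asExpr() = any(Tuple tup | tup.getElt(0) = vulnerableHostnameRef(hostname).asExpr())
 or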

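--- a/python/ql/src/Security/CWE-215/FlaskDebug.ql
+++ b/python/ql/src/Security/CWE-215/FlaskDebug.ql
@@ -17,7 +17,7 @@ import semmle.python.ApiGraphs
 import semmle.python.frameworks.Flask
 
 /** Gets a reference to a truthy literal. */
-private DataFlow::LocalSourceNode truthyLiteral(DataFlow::TypeTracker t) {
+private DataFlow::TypeTrackingNode truthyLiteral(DataFlow::TypeTracker t) {
 t.start() and
 result.asExpr().(ImmutableLiteral).booleanValue() = true
 or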

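--- a/python/ql/src/semmle/python/ApiGraphs.qll
+++ b/python/ql/src/semmle/python/ApiGraphs.qll
@@ -512,7 +512,7 @@ module API {
 *
 * The flow from `src` to that node may be inter-procedural.
 */
-private DataFlow::LocalSourceNode trackUseNode(
+private DataFlow::TypeTrackingNode trackUseNode(
 DataFlow::LocalSourceNode src, DataFlow::TypeTracker t
 ) {
 t.start() and
@@ -530,7 +530,6 @@ module API {
 cached
 DataFlow::LocalSourceNode trackUseNode(DataFlow::LocalSourceNode src) {
 result = trackUseNode(src, DataFlow::TypeTracker::end()) and
-// We exclude module variable nodes, as these do not correspond to real uses.
 not result instanceof DataFlow::ModuleVariableNode
 }
 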
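Review bot: The second hunk deletes the comment `// We exclude module variable nodes, as these do not correspond to real uses.` but keeps the filter `not result instanceof DataFlow::ModuleVariableNode` in the cached `trackUseNode`, so the exclusion is now unexplained. The private helper now returns `DataFlow::TypeTrackingNode`, and in this commit `LocalSourceNode` still admits every `ModuleVariableNode`, so this line is still what keeps those nodes out of the API-graph use set that downstream queries rely on. I would keep a why-comment above it, for example `// Module variable nodes are only stepping stones for type tracking, not real uses, so exclude them.`, and mention that the filter can go once `LocalSourceNode` drops its `ModuleVariableNode` disjunct. The enclosing `module API` continues outside both hunks.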

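--- a/python/ql/src/semmle/python/Concepts.qll
+++ b/python/ql/src/semmle/python/Concepts.qll
@@ -758,7 +758,7 @@ module Cryptography {
 /** Provides classes for modeling new key-pair generation APIs. */
 module KeyGeneration {
 /** Gets a back-reference to the keysize argument `arg` that was used to generate a new key-pair. */
-private DataFlow::LocalSourceNode keysizeBacktracker(
+private DataFlow::TypeTrackingNode keysizeBacktracker(
 DataFlow::TypeBackTracker t, DataFlow::Node arg
 ) {
 t.start() and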

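--- a/python/ql/src/semmle/python/dataflow/new/SensitiveDataSources.qll
+++ b/python/ql/src/semmle/python/dataflow/new/SensitiveDataSources.qll
@@ -55,7 +55,7 @@ private module SensitiveDataModeling {
 * Gets a reference to a function that is considered to be a sensitive source of
 * `classification`.
 */
-private DataFlow::LocalSourceNode sensitiveFunction(
+private DataFlow::TypeTrackingNode sensitiveFunction(
 DataFlow::TypeTracker t, SensitiveDataClassification classification
 ) {
 t.start() and
@@ -109,7 +109,7 @@ private module SensitiveDataModeling {
 *
 * Also see `extraStepForCalls`.
 */
-private DataFlow::LocalSourceNode possibleSensitiveCallable(DataFlow::TypeTracker t) {
+private DataFlow::TypeTrackingNode possibleSensitiveCallable(DataFlow::TypeTracker t) {
 t.start() and
 result instanceof SensitiveDataSource
 or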

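--- a/python/ql/src/semmle/python/dataflow/new/TypeTracker.qll
+++ b/python/ql/src/semmle/python/dataflow/new/TypeTracker.qll
@@ -23,7 +23,7 @@ class OptionalAttributeName = Internal::OptionalContentName;
 * It is recommended that all uses of this type are written in the following form,
 * for tracking some type `myType`:
 * ```ql
-* DataFlow::LocalSourceNode myType(DataFlow::TypeTracker t) {
+* DataFlow::TypeTrackingNode myType(DataFlow::TypeTracker t) {
 * t.start() and
 * result = < source of myType >
 * or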

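--- a/python/ql/src/semmle/python/dataflow/new/internal/LocalSources.qll
+++ b/python/ql/src/semmle/python/dataflow/new/internal/LocalSources.qll
@@ -36,8 +36,13 @@ class LocalSourceNode extends Node {
 this instanceof ExprNode and
 not simpleLocalFlowStep(_, this)
 or
-// Module variable nodes must be local source nodes, otherwise type trackers cannot step through
-// them.
+// We include all module variable nodes, as these act as stepping stones between writes and
+// reads of global variables. Without them, type tracking based on `LocalSourceNode`s would be
+// unable to track across global variables.
+//
+// Once the `track` and `backtrack` methods have been fully deprecated, this disjunct can be
+// removed, and the entire class can extend `ExprNode`. At that point, `TypeTrackingNode` should
+// be used for type tracking instead of `LocalSourceNode`.
 this instanceof ModuleVariableNode
 or
 // We explicitly include any read of a global variable, as some of these may have local flow going
@@ -98,21 +103,68 @@ class LocalSourceNode extends Node {
 result = this.getAnAttributeRead(methodName).getACall()
 }
 
+/**
+* DEPRECATED. Use `TypeTrackingNode::track` instead.
+*
+* Gets a node that this node may flow to using one heap and/or interprocedural step.
+*
+* See `TypeTracker` for more details about how to use this.
+*/
+pragma[inline]
+deprecated LocalSourceNode track(TypeTracker t2, TypeTracker t) { t = t2.step(this, result) }
+
+/**
+* DEPRECATED. Use `TypeTrackingNode::backtrack` instead.
+*
+* Gets a node that may flow into this one using one heap and/or interprocedural step.
+*
+* See `TypeBackTracker` for more details about how to use this.
+*/
+pragma[inline]
+deprecated LocalSourceNode backtrack(TypeBackTracker t2, TypeBackTracker t) {
+t2 = t.step(result, this)
+}
+}
+
+/**
+* A node that can be used for type tracking or type back-tracking.
+*
+* All steps made during type tracking should be between instances of this class.
+*/
+class TypeTrackingNode extends Node {
+TypeTrackingNode() {
+this instanceof LocalSourceNode
+or
+this instanceof ModuleVariableNode
+}
+
+/**
+* Holds if this node can flow to `nodeTo` in one or more local flow steps.
+*
+* For `ModuleVariableNode`s, the only "local" step is to the node itself.
+* For `LocalSourceNode`s, this is the usual notion of local flow.
+*/
+predicate flowsTo(Node node) {
+this instanceof ModuleVariableNode and this = node
+or
+this.(LocalSourceNode).flowsTo(node)
+}
+
 /**
 * Gets a node that this node may flow to using one heap and/or interprocedural step.
 *
 * See `TypeTracker` for more details about how to use this.
 */
 pragma[inline]
-LocalSourceNode track(TypeTracker t2, TypeTracker t) { t = t2.step(this, result) }
+TypeTrackingNode track(TypeTracker t2, TypeTracker t) { t = t2.step(this, result) }
 
 /**
 * Gets a node that may flow into this one using one heap and/or interprocedural step.
 *
 * See `TypeBackTracker` for more details about how to use this.
 */
 pragma[inline]
-LocalSourceNode backtrack(TypeBackTracker t2, TypeBackTracker t) { t2 = t.step(result, this) }
+TypeTrackingNode backtrack(TypeBackTracker t2, TypeBackTracker t) { t2 = t.step(result, this) }
 }
 
 cached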
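Review bot: The QLDoc added for `TypeTrackingNode.flowsTo` in the second hunk names a parameter `nodeTo`, but the predicate is declared as `predicate flowsTo(Node node)`, so the comment refers to a name that does not exist; either rename the parameter to `nodeTo` or write `node` in the comment. The same comment says that for `ModuleVariableNode`s the only local step is to the node itself, yet the first hunk keeps `this instanceof ModuleVariableNode` inside `LocalSourceNode`, so the disjunct `this.(LocalSourceNode).flowsTo(node)` also applies to module variable nodes for now. Whether that yields further targets depends on `LocalSourceNode.flowsTo`, which is outside the visible lines, so the comment should state that the "only to itself" behaviour holds once the disjunct is removed. For the same reason the `this instanceof ModuleVariableNode` disjunct in the `TypeTrackingNode` characteristic predicate is currently redundant and deserves a short why-comment, such as `// Redundant until LocalSourceNode stops including module variable nodes.`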

python/ql/src/semmle/python/dataflow/new/internal/TypeTracker.qll

Lines changed: 13 additions & 13 deletions
