github
diff --git a/‎python/ql/src/experimental/dataflow/internal/DataFlowPrivate.qll‎
Lines changed: 45 additions & 1 deletion b/‎python/ql/src/experimental/dataflow/internal/DataFlowPrivate.qll‎
Lines changed: 45 additions & 1 deletion
diff --git a/‎python/ql/src/experimental/dataflow/internal/DataFlowPublic.qll‎
Lines changed: 16 additions & 8 deletions b/‎python/ql/src/experimental/dataflow/internal/DataFlowPublic.qll‎
Lines changed: 16 additions & 8 deletions
diff --git a/‎python/ql/test/experimental/dataflow/fieldflow/allLocalFlow.expected‎
Lines changed: 40 additions & 0 deletions b/‎python/ql/test/experimental/dataflow/fieldflow/allLocalFlow.expected‎
Lines changed: 40 additions & 0 deletions
diff --git a/‎python/ql/test/experimental/dataflow/fieldflow/allLocalFlow.ql‎
Lines changed: 8 additions & 0 deletions b/‎python/ql/test/experimental/dataflow/fieldflow/allLocalFlow.ql‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎python/ql/test/experimental/dataflow/fieldflow/dataflow.expected‎
Lines changed: 22 additions & 0 deletions b/‎python/ql/test/experimental/dataflow/fieldflow/dataflow.expected‎
Lines changed: 22 additions & 0 deletions
@@ -361,7 +361,7 @@ class DataFlowType extends TDataFlowType {
 }
 
 /** A node that performs a type cast. */
-class CastNode extends Node {
+class CastNode extends CfgNode {
   CastNode() { none() }
 }
 
@@ -423,6 +423,8 @@ predicate storeStep(Node nodeFrom, Content c, Node nodeTo) {
   dictStoreStep(nodeFrom, c, nodeTo)
   or
   comprehensionStoreStep(nodeFrom, c, nodeTo)
+  or
+  attributeStoreStep(nodeFrom, c, nodeTo)
 }
 
 /** Data flows from an element of a list to the list. */
@@ -497,6 +499,30 @@ predicate comprehensionStoreStep(CfgNode nodeFrom, Content c, CfgNode nodeTo) {
   c instanceof ListElementContent
 }
 
+/**
+ * In
+ * ```python
+ * obj.foo = x
+ * ```
+ * data flows from `x` to (the post-update node for) `obj` via assignment to `foo`.
+ */
+predicate attributeStoreStep(CfgNode nodeFrom, Content c, PostUpdateNode nodeTo) {
+  exists(AssignStmt a, Attribute attr |
+    a.getValue().getAFlowNode() = nodeFrom.getNode() and
+    a.getATarget().(Attribute) = attr and
+    attr.getName() = c.(AttributeContent).getAttribute() and
+    attr.getObject().getAFlowNode() = nodeTo.getPreUpdateNode().(CfgNode).getNode() and
+    attr.getCtx() instanceof Store
+  )
+  or
+  exists(AssignExpr ae |
+    ae.getValue().getAFlowNode() = nodeFrom.getNode() and
+    ae.getTarget().(Attribute).getName() = c.(AttributeContent).getAttribute() and
+    ae.getTarget().(Attribute).getObject().getAFlowNode() =
+      nodeTo.getPreUpdateNode().(CfgNode).getNode()
+  )
+}
+
 /**
  * Holds if data can flow from `nodeFrom` to `nodeTo` via a read of content `c`.
  */
@@ -506,6 +532,8 @@ predicate readStep(Node nodeFrom, Content c, Node nodeTo) {
   popReadStep(nodeFrom, c, nodeTo)
   or
   comprehensionReadStep(nodeFrom, c, nodeTo)
+  or
+  attributeReadStep(nodeFrom, c, nodeTo)
 }
 
 /** Data flows from a sequence to a subscript of the sequence. */
@@ -592,6 +620,22 @@ predicate comprehensionReadStep(CfgNode nodeFrom, Content c, EssaNode nodeTo) {
   )
 }
 
+/**
+ * In
+ * ```python
+ * obj.foo
+ * ```
+ * data flows from `obj` to `obj.foo` via a read from `foo`.
+ */
+predicate attributeReadStep(CfgNode nodeFrom, Content c, CfgNode nodeTo) {
+  exists(Attribute attr |
+    nodeTo.asCfgNode().(AttrNode).getNode() = attr and
+    nodeFrom.asCfgNode() = attr.getObject().getAFlowNode() and
+    attr.getName() = c.(AttributeContent).getAttribute() and
+    attr.getCtx() instanceof Load
+  )
+}
+
 /**
  * Holds if values stored inside content `c` are cleared at node `n`. For example,
  * any value stored inside `f` is cleared at the pre-update node associated with `x`
 
@@ -202,20 +202,20 @@ newtype TContent =
     key = any(Keyword kw).getArg()
   } or
   /** An element of a dictionary at any key. */
-  TDictionaryElementAnyContent()
+  TDictionaryElementAnyContent() or
+  /** An object attribute. */
+  TAttributeContent(string attr) { attr = any(Attribute a).getName() }
 
 class Content extends TContent {
   /** Gets a textual representation of this element. */
   string toString() { result = "Content" }
 }
 
 class ListElementContent extends TListElementContent, Content {
-  /** Gets a textual representation of this element. */
   override string toString() { result = "List element" }
 }
 
 class SetElementContent extends TSetElementContent, Content {
-  /** Gets a textual representation of this element. */
   override string toString() { result = "Set element" }
 }
 
@@ -224,10 +224,9 @@ class TupleElementContent extends TTupleElementContent, Content {
 
   TupleElementContent() { this = TTupleElementContent(index) }
 
-  /** Gets the index for this tuple element */
+  /** Gets the index for this tuple element. */
   int getIndex() { result = index }
 
-  /** Gets a textual representation of this element. */
   override string toString() { result = "Tuple element at index " + index.toString() }
 }
 
@@ -236,14 +235,23 @@ class DictionaryElementContent extends TDictionaryElementContent, Content {
 
   DictionaryElementContent() { this = TDictionaryElementContent(key) }
 
-  /** Gets the index for this tuple element */
+  /** Gets the key for this dictionary element. */
   string getKey() { result = key }
 
-  /** Gets a textual representation of this element. */
   override string toString() { result = "Dictionary element at key " + key }
 }
 
 class DictionaryElementAnyContent extends TDictionaryElementAnyContent, Content {
-  /** Gets a textual representation of this element. */
   override string toString() { result = "Any dictionary element" }
 }
+
+class AttributeContent extends TAttributeContent, Content {
+  private string attr;
+
+  AttributeContent() { this = TAttributeContent(attr) }
+
+  /** Gets the name of the attribute under which this content is stored. */
+  string getAttribute() { result = attr }
+
+  override string toString() { result = "Attribute " + attr }
+}
@@ -0,0 +1,40 @@
+| test.py:0:0:0:0 | SSA variable $ | test.py:1:1:1:66 | SSA variable $ |
+| test.py:0:0:0:0 | SSA variable * | test.py:1:1:1:66 | SSA variable * |
+| test.py:6:13:6:18 | ControlFlowNode for object | test.py:12:17:12:22 | ControlFlowNode for object |
+| test.py:8:5:8:28 | ControlFlowNode for FunctionExpr | test.py:8:9:8:16 | SSA variable __init__ |
+| test.py:8:18:8:21 | SSA variable self | test.py:9:9:9:12 | ControlFlowNode for self |
+| test.py:8:18:8:21 | SSA variable self | test.py:9:9:9:16 | SSA variable self |
+| test.py:8:24:8:26 | SSA variable foo | test.py:9:20:9:22 | ControlFlowNode for foo |
+| test.py:14:5:14:23 | ControlFlowNode for FunctionExpr | test.py:14:9:14:16 | SSA variable __init__ |
+| test.py:14:18:14:21 | SSA variable self | test.py:15:9:15:12 | ControlFlowNode for self |
+| test.py:14:18:14:21 | SSA variable self | test.py:15:9:15:16 | SSA variable self |
+| test.py:17:5:17:21 | ControlFlowNode for FunctionExpr | test.py:17:9:17:14 | SSA variable getObj |
+| test.py:17:16:17:19 | SSA variable self | test.py:18:16:18:19 | ControlFlowNode for self |
+| test.py:21:12:21:14 | SSA variable obj | test.py:22:12:22:14 | ControlFlowNode for obj |
+| test.py:21:12:21:14 | SSA variable obj | test.py:23:5:23:11 | SSA variable obj |
+| test.py:21:17:21:17 | SSA variable x | test.py:23:15:23:15 | ControlFlowNode for x |
+| test.py:22:12:22:14 | ControlFlowNode for obj | test.py:23:5:23:7 | ControlFlowNode for obj |
+| test.py:22:12:22:14 | [post] ControlFlowNode for obj | test.py:23:5:23:7 | ControlFlowNode for obj |
+| test.py:27:5:27:9 | SSA variable myobj | test.py:29:5:29:25 | SSA variable myobj |
+| test.py:27:5:27:9 | SSA variable myobj | test.py:29:12:29:16 | ControlFlowNode for myobj |
+| test.py:27:13:27:23 | ControlFlowNode for MyObj() | test.py:27:5:27:9 | SSA variable myobj |
+| test.py:29:12:29:16 | ControlFlowNode for myobj | test.py:30:10:30:14 | ControlFlowNode for myobj |
+| test.py:29:12:29:16 | [post] ControlFlowNode for myobj | test.py:30:10:30:14 | ControlFlowNode for myobj |
+| test.py:34:5:34:5 | SSA variable x | test.py:38:17:38:17 | ControlFlowNode for x |
+| test.py:34:9:34:14 | ControlFlowNode for SOURCE | test.py:34:5:34:5 | SSA variable x |
+| test.py:36:5:36:5 | SSA variable a | test.py:38:5:38:5 | ControlFlowNode for a |
+| test.py:36:5:36:5 | SSA variable a | test.py:39:5:39:14 | SSA variable a |
+| test.py:36:9:36:19 | ControlFlowNode for NestedObj() | test.py:36:5:36:5 | SSA variable a |
+| test.py:38:5:38:5 | ControlFlowNode for a | test.py:39:5:39:5 | ControlFlowNode for a |
+| test.py:38:5:38:5 | [post] ControlFlowNode for a | test.py:39:5:39:5 | ControlFlowNode for a |
+| test.py:38:17:38:17 | ControlFlowNode for x | test.py:39:22:39:22 | ControlFlowNode for x |
+| test.py:39:5:39:5 | ControlFlowNode for a | test.py:41:10:41:10 | ControlFlowNode for a |
+| test.py:39:5:39:5 | [post] ControlFlowNode for a | test.py:41:10:41:10 | ControlFlowNode for a |
+| test.py:45:5:45:7 | SSA variable obj | test.py:46:10:46:12 | ControlFlowNode for obj |
+| test.py:45:11:45:23 | ControlFlowNode for MyObj() | test.py:45:5:45:7 | SSA variable obj |
+| test.py:49:28:49:28 | SSA variable x | test.py:50:11:50:18 | SSA variable x |
+| test.py:49:28:49:28 | SSA variable x | test.py:50:17:50:17 | ControlFlowNode for x |
+| test.py:50:5:50:7 | SSA variable obj | test.py:51:9:51:11 | ControlFlowNode for obj |
+| test.py:50:11:50:18 | ControlFlowNode for MyObj() | test.py:50:5:50:7 | SSA variable obj |
+| test.py:51:5:51:5 | SSA variable a | test.py:52:12:52:12 | ControlFlowNode for a |
+| test.py:51:9:51:15 | ControlFlowNode for Attribute | test.py:51:5:51:5 | SSA variable a |
@@ -0,0 +1,8 @@
+import python
+import experimental.dataflow.DataFlow
+
+from DataFlow::Node nodeFrom, DataFlow::Node nodeTo
+where
+  DataFlow::localFlowStep(nodeFrom, nodeTo) and
+  nodeFrom.getLocation().getFile().getBaseName() = "test.py"
+select nodeFrom, nodeTo
@@ -1,3 +1,25 @@
 edges
+| test.py:29:12:29:16 | [post] ControlFlowNode for myobj [Attribute foo] | test.py:30:10:30:14 | ControlFlowNode for myobj [Attribute foo] |
+| test.py:29:19:29:24 | ControlFlowNode for SOURCE | test.py:29:12:29:16 | [post] ControlFlowNode for myobj [Attribute foo] |
+| test.py:30:10:30:14 | ControlFlowNode for myobj [Attribute foo] | test.py:30:10:30:18 | ControlFlowNode for Attribute |
+| test.py:34:9:34:14 | ControlFlowNode for SOURCE | test.py:38:17:38:17 | ControlFlowNode for x |
+| test.py:38:5:38:5 | [post] ControlFlowNode for a [Attribute obj, Attribute foo] | test.py:41:10:41:10 | ControlFlowNode for a [Attribute obj, Attribute foo] |
+| test.py:38:5:38:9 | [post] ControlFlowNode for Attribute [Attribute foo] | test.py:38:5:38:5 | [post] ControlFlowNode for a [Attribute obj, Attribute foo] |
+| test.py:38:17:38:17 | ControlFlowNode for x | test.py:38:5:38:9 | [post] ControlFlowNode for Attribute [Attribute foo] |
+| test.py:41:10:41:10 | ControlFlowNode for a [Attribute obj, Attribute foo] | test.py:41:10:41:14 | ControlFlowNode for Attribute [Attribute foo] |
+| test.py:41:10:41:14 | ControlFlowNode for Attribute [Attribute foo] | test.py:41:10:41:18 | ControlFlowNode for Attribute |
 nodes
+| test.py:29:12:29:16 | [post] ControlFlowNode for myobj [Attribute foo] | semmle.label | [post] ControlFlowNode for myobj [Attribute foo] |
+| test.py:29:19:29:24 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
+| test.py:30:10:30:14 | ControlFlowNode for myobj [Attribute foo] | semmle.label | ControlFlowNode for myobj [Attribute foo] |
+| test.py:30:10:30:18 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| test.py:34:9:34:14 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
+| test.py:38:5:38:5 | [post] ControlFlowNode for a [Attribute obj, Attribute foo] | semmle.label | [post] ControlFlowNode for a [Attribute obj, Attribute foo] |
+| test.py:38:5:38:9 | [post] ControlFlowNode for Attribute [Attribute foo] | semmle.label | [post] ControlFlowNode for Attribute [Attribute foo] |
+| test.py:38:17:38:17 | ControlFlowNode for x | semmle.label | ControlFlowNode for x |
+| test.py:41:10:41:10 | ControlFlowNode for a [Attribute obj, Attribute foo] | semmle.label | ControlFlowNode for a [Attribute obj, Attribute foo] |
+| test.py:41:10:41:14 | ControlFlowNode for Attribute [Attribute foo] | semmle.label | ControlFlowNode for Attribute [Attribute foo] |
+| test.py:41:10:41:18 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
 #select
+| test.py:30:10:30:18 | ControlFlowNode for Attribute | test.py:29:19:29:24 | ControlFlowNode for SOURCE | test.py:30:10:30:18 | ControlFlowNode for Attribute | <message> |
+| test.py:41:10:41:18 | ControlFlowNode for Attribute | test.py:34:9:34:14 | ControlFlowNode for SOURCE | test.py:41:10:41:18 | ControlFlowNode for Attribute | <message> |