Python points-to: Support classes created dynamically as instances of meta-class.

markshannon · markshannon · commit 2e6c3c9ee34f · 2019-04-26T16:21:46.000+01:00
diff --git a/python/ql/src/semmle/python/objects/Classes.qll b/python/ql/src/semmle/python/objects/Classes.qll
@@ -277,3 +277,53 @@ class TypeInternal extends ClassObjectInternal, TType {
     override predicate attributesUnknown() { any() }
 
 }
+
+class DynamicallyCreatedClass extends ClassObjectInternal, TDynamicClass {
+
+    override string toString() {
+        result = this.getOrigin().getNode().toString()
+    }
+
+    override ObjectInternal getClass() {
+        this = TDynamicClass(_, result, _)
+    }
+
+    override predicate callResult(PointsToContext callee, ObjectInternal obj, CfgOrigin origin) {
+        none()
+    }
+
+    override predicate callResult(ObjectInternal obj, CfgOrigin origin) {
+        none()
+    }
+
+    override predicate lookup(string name, ObjectInternal value, CfgOrigin origin) {
+        exists(ClassObjectInternal decl |
+            decl = Types::getMro(this).findDeclaringClass(name) |
+            Types::declaredAttribute(decl, name, value, origin)
+        )
+    }
+
+    override Builtin getBuiltin() {
+        none()
+    }
+
+    override ControlFlowNode getOrigin() {
+        this = TDynamicClass(result, _, _)
+    }
+
+    override predicate attributesUnknown() { any() }
+
+    override predicate introduced(ControlFlowNode node, PointsToContext context) {
+        this = TDynamicClass(node, _, context)
+    }
+
+    override predicate calleeAndOffset(Function scope, int paramOffset) {
+        none()
+    }
+
+    override boolean isComparable() { result = true }
+
+    override ClassDecl getClassDeclaration() { none() }
+
+}
+
diff --git a/python/ql/src/semmle/python/objects/TObject.qll b/python/ql/src/semmle/python/objects/TObject.qll
@@ -130,6 +130,11 @@ newtype TObject =
         PointsToInternal::pointsTo(call.getFunction(), ctx, ObjectInternal::property(), _) and
         PointsToInternal::pointsTo(call.getArg(0), ctx, getter, _)
     }
+    or
+    TDynamicClass(ControlFlowNode instantiation, ClassObjectInternal metacls, PointsToContext context) {
+        PointsToInternal::pointsTo(instantiation.(CallNode).getFunction(), context, metacls, _) and
+        Types::getMro(metacls).contains(TType())
+    }
 
 private predicate is_power_2(int n) {
     n = 1 or
diff --git a/python/ql/src/semmle/python/pointsto/PointsTo.qll b/python/ql/src/semmle/python/pointsto/PointsTo.qll
@@ -1445,7 +1445,7 @@ cached module Types {
         )
     }
 
-    cached ClassObjectInternal getBase(ClassObjectInternal cls, int n) {
+    cached ObjectInternal getBase(ClassObjectInternal cls, int n) {
         result.getBuiltin() = cls.getBuiltin().getBaseClass() and n = 0
         or
         exists(Class pycls |
diff --git a/python/ql/src/semmle/python/types/ClassObject.qll b/python/ql/src/semmle/python/types/ClassObject.qll
@@ -68,7 +68,7 @@ class ClassObject extends Object {
 
     /** Gets a super class of this class (includes transitive super classes) or this class */
     ClassObject getAnImproperSuperType() {
-        result = Types::getMro(theClass()).getAnItem().getSource()
+        result = this.getABaseType*()
     }
 
     /** Whether this class is a new style class. 

Original file line number	Diff line number	Diff line change
`@@ -1445,7 +1445,7 @@ cached module Types {`
`1445`	`1445`	`)`
`1446`	`1446`	`}`
`1447`	`1447`
`1448`		`- cached ClassObjectInternal getBase(ClassObjectInternal cls, int n) {`
	`1448`	`+ cached ObjectInternal getBase(ClassObjectInternal cls, int n) {`
`1449`	`1449`	`result.getBuiltin() = cls.getBuiltin().getBaseClass() and n = 0`
`1450`	`1450`	`or`
`1451`	`1451`	`exists(Class pycls \|`
Original file line number	Diff line number	Diff line change
`@@ -68,7 +68,7 @@ class ClassObject extends Object {`
`68`	`68`
`69`	`69`	`/** Gets a super class of this class (includes transitive super classes) or this class */`
`70`	`70`	`ClassObject getAnImproperSuperType() {`
`71`		`- result = Types::getMro(theClass()).getAnItem().getSource()`
	`71`	`+ result = this.getABaseType*()`
`72`	`72`	`}`
`73`	`73`
`74`	`74`	`/** Whether this class is a new style class.`