Python points-to/taint-tracking: Fix up flow into __init__ methods.

markshannon · markshannon · commit 3b42f3cea3a8 · 2019-04-26T16:21:46.000+01:00
diff --git a/python/ql/src/semmle/python/objects/Classes.qll b/python/ql/src/semmle/python/objects/Classes.qll
@@ -97,9 +97,8 @@ class PythonClassObjectInternal extends ClassObjectInternal, TPythonClassObject
 
     override predicate calleeAndOffset(Function scope, int paramOffset) {
         exists(PythonFunctionObjectInternal init |
-            // TO DO... Lookup init...
-            none() |
-            init.getScope() = scope and paramOffset = 1
+            this.lookup("__init__", init, _) and
+            init.calleeAndOffset(scope, paramOffset-1)
         )
     }
 
diff --git a/python/ql/src/semmle/python/objects/ObjectAPI.qll b/python/ql/src/semmle/python/objects/ObjectAPI.qll
@@ -146,5 +146,9 @@ class ClassValue extends Value {
         result = Types::getMro(this).getAnItem()
     }
 
+    Value lookup(string name) {
+        this.(ClassObjectInternal).lookup(name, result, _)
+    }
+
 }
 
diff --git a/python/ql/src/semmle/python/security/TaintTracking.qll b/python/ql/src/semmle/python/security/TaintTracking.qll
@@ -1069,7 +1069,7 @@ library module TaintFlowImplementation {
     predicate self_init_end_transfer(EssaVariable self, CallContext callee, CallNode call, CallContext caller) {
         exists(ClassValue cls, Function init |
             call.getFunction().pointsTo(cls) and
-            init = cls.attr("__init__").(CallableValue).getScope() and
+            init = cls.lookup("__init__").(CallableValue).getScope() and
             self.getSourceVariable().(Variable).isSelf() and self.getScope() = init
             |
             callee = caller.getCallee(call)
@@ -1218,7 +1218,7 @@ library module TaintFlowImplementation {
     pragma [noinline]
     predicate class_initializer_argument(ClassValue cls, int n, CallNode call, CallableValue func, ControlFlowNode argument, NameNode param) {
         call.getFunction().pointsTo(cls) and
-        cls.attr("__init__") = func and
+        cls.lookup("__init__") = func and
         call.getArg(n) = argument and
         param.getNode() = func.getScope().getArg(n+1)
     }
@@ -1510,7 +1510,7 @@ class CallContext extends TCallContext {
         exists(ClassValue cls,CallNode call |
             this = TCalleeContext(call, _, _) and
             call.getFunction().pointsTo(cls) and
-            s = cls.attr("__init__").(CallableValue).getScope() and
+            s = cls.lookup("__init__").(CallableValue).getScope() and
             call.getFunction().pointsTo(cls)
         )
     }
diff --git a/python/ql/src/semmle/python/types/ClassObject.qll b/python/ql/src/semmle/python/types/ClassObject.qll
@@ -108,7 +108,7 @@ class ClassObject extends Object {
       Will include attributes of super-classes */
     Object lookupAttribute(string name) {
         exists(Value val |
-            theClass().attribute(name, val, _) and
+            theClass().lookup(name, val, _) and
             result = val.getSource()
         )
     }
@@ -135,7 +135,7 @@ class ClassObject extends Object {
     /** Whether the named attribute refers to the object, class and origin */
     predicate attributeRefersTo(string name, Object obj, ClassObject cls, ControlFlowNode origin) {
         exists(Value val, CfgOrigin valorig |
-            theClass().attribute(name, val, valorig) and
+            theClass().lookup(name, val, valorig) and
             obj = val.getSource() and
             cls = val.getClass().getSource() and
             origin = valorig.toCfgNode()

Original file line number	Diff line number	Diff line change
`@@ -97,9 +97,8 @@ class PythonClassObjectInternal extends ClassObjectInternal, TPythonClassObject`
`97`	`97`
`98`	`98`	`override predicate calleeAndOffset(Function scope, int paramOffset) {`
`99`	`99`	`exists(PythonFunctionObjectInternal init \|`
`100`		`- // TO DO... Lookup init...`
`101`		`- none() \|`
`102`		`- init.getScope() = scope and paramOffset = 1`
	`100`	`+ this.lookup("__init__", init, _) and`
	`101`	`+ init.calleeAndOffset(scope, paramOffset-1)`
`103`	`102`	`)`
`104`	`103`	`}`
`105`	`104`
Original file line number	Diff line number	Diff line change
`@@ -146,5 +146,9 @@ class ClassValue extends Value {`
`146`	`146`	`result = Types::getMro(this).getAnItem()`
`147`	`147`	`}`
`148`	`148`
	`149`	`+ Value lookup(string name) {`
	`150`	`+ this.(ClassObjectInternal).lookup(name, result, _)`
	`151`	`+ }`
	`152`	`+`
`149`	`153`	`}`
`150`	`154`