Python points-to: Fix up neverReturns() and return value of __import__().

markshannon · markshannon · commit 46b9ef79b42a · 2019-04-26T16:21:46.000+01:00
diff --git a/python/ql/src/semmle/python/objects/Callables.qll b/python/ql/src/semmle/python/objects/Callables.qll
@@ -52,6 +52,7 @@ abstract class CallableObjectInternal extends ObjectInternal {
 
     override int length() { none() }
 
+    abstract predicate neverReturns();
 }
 
 
@@ -146,6 +147,10 @@ class PythonFunctionObjectInternal extends CallableObjectInternal, TPythonFuncti
         result.getNode() = this.getScope().getArgByName(name)
     }
 
+
+    override predicate neverReturns() {
+        InterProceduralPointsTo::neverReturns(this.getScope())
+    }
 }
 
 
@@ -220,9 +225,11 @@ class BuiltinFunctionObjectInternal extends CallableObjectInternal, TBuiltinFunc
             or
             func = Builtin::builtin("intern") and result = Builtin::special("str")
             or
+            func = Builtin::builtin("__import__") and result = Builtin::special("ModuleType")
+            or
             /* Fix a few minor inaccuracies in the CPython analysis */ 
             ext_rettype(func, result) and not (
-                func = Builtin::builtin("__import__") and result = Builtin::special("NoneType")
+                func = Builtin::builtin("__import__")
                 or
                 func = Builtin::builtin("compile") and result = Builtin::special("NoneType")
                 or
@@ -251,6 +258,10 @@ class BuiltinFunctionObjectInternal extends CallableObjectInternal, TBuiltinFunc
         none()
     }
 
+    override predicate neverReturns() {
+        this = Module::named("sys").attr("exit")
+    }
+
 }
 
 
@@ -334,6 +345,8 @@ class BuiltinMethodObjectInternal extends CallableObjectInternal, TBuiltinMethod
         none()
     }
 
+    override predicate neverReturns() { none() }
+
 }
 
 class BoundMethodObjectInternal extends CallableObjectInternal, TBoundMethod {
@@ -405,6 +418,10 @@ class BoundMethodObjectInternal extends CallableObjectInternal, TBoundMethod {
         result = this.getFunction().getParameterByName(name)
     }
 
+    override predicate neverReturns() {
+        this.getFunction().neverReturns()
+   }
+
 }
 
 
diff --git a/python/ql/src/semmle/python/objects/ObjectAPI.qll b/python/ql/src/semmle/python/objects/ObjectAPI.qll
@@ -103,8 +103,7 @@ class CallableValue extends Value {
     }
 
     predicate neverReturns() {
-        // TO DO..
-        none()
+        this.(CallableObjectInternal).neverReturns()
     }
 
     Function getScope() {
diff --git a/python/ql/src/semmle/python/pointsto/PointsTo.qll b/python/ql/src/semmle/python/pointsto/PointsTo.qll
@@ -1022,6 +1022,23 @@ module InterProceduralPointsTo {
         BaseFlow::reaches_exit(evar)
     }
 
+    /** INTERNAL -- Use `FunctionObject.neverReturns()` instead.
+     *  Whether function `func` never returns. Slightly conservative approximation, this predicate may be false
+     * for a function that can never return. */
+    cached predicate neverReturns(Function f) {
+        /* A Python function never returns if it has no normal exits that are not dominated by a
+         * call to a function which itself never returns.
+         */
+        forall(BasicBlock exit |
+            exit = f.getANormalExit().getBasicBlock() |
+            exists(FunctionObject callee, BasicBlock call  |
+                callee.getACall().getBasicBlock() = call and
+                callee.neverReturns() and
+                call.dominates(exit)
+            )
+        )
+    }
+
 }
 
 /** Gets the `value, origin` that `f` would refer to if it has not been assigned some other value */
diff --git a/python/ql/src/semmle/python/security/TaintTracking.qll b/python/ql/src/semmle/python/security/TaintTracking.qll
@@ -1268,7 +1268,7 @@ library module TaintFlowImplementation {
                 |
                 test.getSense() = true and not exists(kind.getClass())
                 or
-                test.getSense() = true and kind.getClass().getASuperType() = cls
+                test.getSense() = true and kind.getType().getASuperType() = cls
                 or
                 test.getSense() = false and not kind.getType().getASuperType() = cls
             )

Original file line number	Diff line number	Diff line change
`@@ -52,6 +52,7 @@ abstract class CallableObjectInternal extends ObjectInternal {`
`52`	`52`
`53`	`53`	`override int length() { none() }`
`54`	`54`
	`55`	`+ abstract predicate neverReturns();`
`55`	`56`	`}`
`56`	`57`
`57`	`58`
`@@ -146,6 +147,10 @@ class PythonFunctionObjectInternal extends CallableObjectInternal, TPythonFuncti`
`146`	`147`	`result.getNode() = this.getScope().getArgByName(name)`
`147`	`148`	`}`
`148`	`149`
	`150`	`+`
	`151`	`+ override predicate neverReturns() {`
	`152`	`+ InterProceduralPointsTo::neverReturns(this.getScope())`
	`153`	`+ }`
`149`	`154`	`}`
`150`	`155`
`151`	`156`
`@@ -220,9 +225,11 @@ class BuiltinFunctionObjectInternal extends CallableObjectInternal, TBuiltinFunc`
`220`	`225`	`or`
`221`	`226`	`func = Builtin::builtin("intern") and result = Builtin::special("str")`
`222`	`227`	`or`
	`228`	`+ func = Builtin::builtin("__import__") and result = Builtin::special("ModuleType")`
	`229`	`+ or`
`223`	`230`	`/* Fix a few minor inaccuracies in the CPython analysis */`
`224`	`231`	`ext_rettype(func, result) and not (`
`225`		`- func = Builtin::builtin("__import__") and result = Builtin::special("NoneType")`
	`232`	`+ func = Builtin::builtin("__import__")`
`226`	`233`	`or`
`227`	`234`	`func = Builtin::builtin("compile") and result = Builtin::special("NoneType")`
`228`	`235`	`or`
`@@ -251,6 +258,10 @@ class BuiltinFunctionObjectInternal extends CallableObjectInternal, TBuiltinFunc`
`251`	`258`	`none()`
`252`	`259`	`}`
`253`	`260`
	`261`	`+ override predicate neverReturns() {`
	`262`	`+ this = Module::named("sys").attr("exit")`
	`263`	`+ }`
	`264`	`+`
`254`	`265`	`}`
`255`	`266`
`256`	`267`
`@@ -334,6 +345,8 @@ class BuiltinMethodObjectInternal extends CallableObjectInternal, TBuiltinMethod`
`334`	`345`	`none()`
`335`	`346`	`}`
`336`	`347`
	`348`	`+ override predicate neverReturns() { none() }`
	`349`	`+`
`337`	`350`	`}`
`338`	`351`
`339`	`352`	`class BoundMethodObjectInternal extends CallableObjectInternal, TBoundMethod {`
`@@ -405,6 +418,10 @@ class BoundMethodObjectInternal extends CallableObjectInternal, TBoundMethod {`
`405`	`418`	`result = this.getFunction().getParameterByName(name)`
`406`	`419`	`}`
`407`	`420`
	`421`	`+ override predicate neverReturns() {`
	`422`	`+ this.getFunction().neverReturns()`
	`423`	`+ }`
	`424`	`+`
`408`	`425`	`}`
`409`	`426`
`410`	`427`
Original file line number	Diff line number	Diff line change
`@@ -103,8 +103,7 @@ class CallableValue extends Value {`
`103`	`103`	`}`
`104`	`104`
`105`	`105`	`predicate neverReturns() {`
`106`		`- // TO DO..`
`107`		`- none()`
	`106`	`+ this.(CallableObjectInternal).neverReturns()`
`108`	`107`	`}`
`109`	`108`
`110`	`109`	`Function getScope() {`
Original file line number	Diff line number	Diff line change
`@@ -1268,7 +1268,7 @@ library module TaintFlowImplementation {`
`1268`	`1268`	`\|`
`1269`	`1269`	`test.getSense() = true and not exists(kind.getClass())`
`1270`	`1270`	`or`
`1271`		`- test.getSense() = true and kind.getClass().getASuperType() = cls`
	`1271`	`+ test.getSense() = true and kind.getType().getASuperType() = cls`
`1272`	`1272`	`or`
`1273`	`1273`	`test.getSense() = false and not kind.getType().getASuperType() = cls`
`1274`	`1274`	`)`