Python: Approximate **arg -> **param

yoff · yoff · commit b0ed7af897a9 · 2020-09-30T15:54:12.000+02:00
diff --git a/python/ql/src/experimental/dataflow/internal/DataFlowPrivate.qll b/python/ql/src/experimental/dataflow/internal/DataFlowPrivate.qll
@@ -279,15 +279,15 @@ module ArgumentPassing {
         result = TCfgNode(call.getArgByName(argName))
       )
       or
-      // argument -1 is a synthezised argument passed to the starred parameter
+      // a synthezised argument passed to the starred parameter (at position -1)
       exists(Function f |
         f = callable.getScope() and
         f.hasVarArg() and
         n = -1 and
         result = TPosOverflowNode(call, callable)
       )
       or
-      // argument -2 is a synthezised argument passed to the doubly starred parameter
+      // a synthezised argument passed to the doubly starred parameter (at position -2)
       exists(Function f |
         f = callable.getScope() and
         f.hasKwArg() and
@@ -300,6 +300,11 @@ module ArgumentPassing {
         call_unpacks(call, callable, name, n) and
         result = TKwUnpacked(call, callable, name)
       )
+      or
+      // Dict argument is passed to the doubly starred parameter (at position -2).
+      // This is an overaaproximation, not removing unpacked arguments.
+      n = -2 and
+      result = TCfgNode(call.getNode().getKwargs().getAFlowNode())
     )
   }
 
@@ -332,6 +337,7 @@ module ArgumentPassing {
    * It will then be passed to the `n`th parameter of `callable`.
    */
   predicate call_unpacks(CallNode call, CallableValue callable, string name, int n) {
+    call = callable.getACall() and
     exists(Function f |
       f = callable.getScope() and
       not exists(call.getArg(n)) and // no positional arguement available
@@ -893,8 +899,7 @@ predicate attributeReadStep(CfgNode nodeFrom, AttributeContent c, CfgNode nodeTo
  * synthezised unpacked argument with the name indicated by `c`.
  */
 predicate kwUnpackReadStep(CfgNode nodeFrom, DictionaryElementContent c, Node nodeTo) {
-  exists(CallNode call, CallableValue callable, string name, int n |
-    call_unpacks(call, callable, name, n) and
+  exists(CallNode call, CallableValue callable, string name |
     nodeFrom.asCfgNode() = call.getNode().getKwargs().getAFlowNode() and
     nodeTo = TKwUnpacked(call, callable, name) and
     name = c.getKey()
diff --git a/python/ql/src/experimental/dataflow/internal/DataFlowPublic.qll b/python/ql/src/experimental/dataflow/internal/DataFlowPublic.qll
@@ -37,7 +37,11 @@ newtype TNode =
   TKwOverflowNode(CallNode call, CallableValue callable) {
     exists(getKeywordOverflowArg(call, callable, _))
   } or
-  /** A node representing an unpacked element of a dictionary argument. */
+  /**
+   * A node representing an unpacked element of a dictionary argument.
+   * That is, `call` contains argument `**{"foo": bar}` which is passed
+   * to parameter `foo` of `callable.
+   */
   TKwUnpacked(CallNode call, CallableValue callable, string name) {
     call_unpacks(call, callable, name, _)
   }
diff --git a/python/ql/test/experimental/dataflow/coverage/argumentPassing.py b/python/ql/test/experimental/dataflow/coverage/argumentPassing.py
@@ -122,7 +122,7 @@ def grab_foo_bar_baz(foo, **kwargs):
 def grab_bar_baz(bar, **kwargs):
     SINK2(bar)
     try:
-        SINK2(kwargs["bar"])
+        SINK2(kwargs["bar"])  # FP
     except:
         print("OK")
     grab_baz(**kwargs)
diff --git a/python/ql/test/experimental/dataflow/coverage/argumentRouting1.expected b/python/ql/test/experimental/dataflow/coverage/argumentRouting1.expected
@@ -6,14 +6,14 @@
 | argumentPassing.py:98:27:98:30 | ControlFlowNode for arg1 | argumentPassing.py:90:11:90:11 | ControlFlowNode for a |
 | argumentPassing.py:99:27:99:30 | ControlFlowNode for arg1 | argumentPassing.py:90:11:90:11 | ControlFlowNode for a |
 | argumentPassing.py:111:28:111:31 | ControlFlowNode for arg1 | argumentPassing.py:103:11:103:11 | ControlFlowNode for a |
-| argumentPassing.py:133:46:133:49 | ControlFlowNode for arg1 | argumentPassing.py:118:11:118:13 | ControlFlowNode for foo |
-| argumentPassing.py:141:14:141:17 | ControlFlowNode for arg1 | argumentPassing.py:139:15:139:15 | ControlFlowNode for a |
-| argumentPassing.py:148:19:148:22 | ControlFlowNode for arg1 | argumentPassing.py:146:15:146:15 | ControlFlowNode for a |
-| argumentPassing.py:156:15:156:18 | ControlFlowNode for arg1 | argumentPassing.py:154:19:154:22 | ControlFlowNode for Subscript |
-| argumentPassing.py:163:13:163:16 | ControlFlowNode for arg1 | argumentPassing.py:161:15:161:15 | ControlFlowNode for a |
-| argumentPassing.py:170:16:170:19 | ControlFlowNode for arg1 | argumentPassing.py:168:15:168:15 | ControlFlowNode for a |
-| argumentPassing.py:177:15:177:18 | ControlFlowNode for arg1 | argumentPassing.py:175:15:175:15 | ControlFlowNode for a |
-| argumentPassing.py:184:23:184:26 | ControlFlowNode for arg1 | argumentPassing.py:182:15:182:20 | ControlFlowNode for Subscript |
+| argumentPassing.py:137:46:137:49 | ControlFlowNode for arg1 | argumentPassing.py:118:11:118:13 | ControlFlowNode for foo |
+| argumentPassing.py:145:14:145:17 | ControlFlowNode for arg1 | argumentPassing.py:143:15:143:15 | ControlFlowNode for a |
+| argumentPassing.py:152:19:152:22 | ControlFlowNode for arg1 | argumentPassing.py:150:15:150:15 | ControlFlowNode for a |
+| argumentPassing.py:160:15:160:18 | ControlFlowNode for arg1 | argumentPassing.py:158:19:158:22 | ControlFlowNode for Subscript |
+| argumentPassing.py:167:13:167:16 | ControlFlowNode for arg1 | argumentPassing.py:165:15:165:15 | ControlFlowNode for a |
+| argumentPassing.py:174:16:174:19 | ControlFlowNode for arg1 | argumentPassing.py:172:15:172:15 | ControlFlowNode for a |
+| argumentPassing.py:181:15:181:18 | ControlFlowNode for arg1 | argumentPassing.py:179:15:179:15 | ControlFlowNode for a |
+| argumentPassing.py:188:23:188:26 | ControlFlowNode for arg1 | argumentPassing.py:186:15:186:20 | ControlFlowNode for Subscript |
 | classes.py:563:5:563:16 | SSA variable with_getitem | classes.py:557:15:557:18 | ControlFlowNode for self |
 | classes.py:578:5:578:16 | SSA variable with_setitem | classes.py:573:15:573:18 | ControlFlowNode for self |
 | classes.py:593:5:593:16 | SSA variable with_delitem | classes.py:588:15:588:18 | ControlFlowNode for self |
diff --git a/python/ql/test/experimental/dataflow/coverage/argumentRouting2.expected b/python/ql/test/experimental/dataflow/coverage/argumentRouting2.expected
@@ -2,7 +2,8 @@
 | argumentPassing.py:85:27:85:30 | ControlFlowNode for arg2 | argumentPassing.py:79:11:79:11 | ControlFlowNode for b |
 | argumentPassing.py:97:29:97:32 | ControlFlowNode for arg2 | argumentPassing.py:91:11:91:11 | ControlFlowNode for b |
 | argumentPassing.py:112:30:112:33 | ControlFlowNode for arg2 | argumentPassing.py:104:11:104:11 | ControlFlowNode for b |
-| argumentPassing.py:133:36:133:39 | ControlFlowNode for arg2 | argumentPassing.py:123:11:123:13 | ControlFlowNode for bar |
+| argumentPassing.py:137:36:137:39 | ControlFlowNode for arg2 | argumentPassing.py:123:11:123:13 | ControlFlowNode for bar |
+| argumentPassing.py:137:36:137:39 | ControlFlowNode for arg2 | argumentPassing.py:125:15:125:27 | ControlFlowNode for Subscript |
 | classes.py:565:18:565:21 | ControlFlowNode for arg2 | classes.py:556:15:556:17 | ControlFlowNode for key |
 | classes.py:581:18:581:21 | ControlFlowNode for arg2 | classes.py:572:15:572:17 | ControlFlowNode for key |
 | classes.py:595:22:595:25 | ControlFlowNode for arg2 | classes.py:587:15:587:17 | ControlFlowNode for key |
diff --git a/python/ql/test/experimental/dataflow/coverage/argumentRouting3.expected b/python/ql/test/experimental/dataflow/coverage/argumentRouting3.expected
@@ -2,4 +2,5 @@
 | argumentPassing.py:98:43:98:46 | ControlFlowNode for arg3 | argumentPassing.py:92:11:92:11 | ControlFlowNode for c |
 | argumentPassing.py:99:41:99:44 | ControlFlowNode for arg3 | argumentPassing.py:92:11:92:11 | ControlFlowNode for c |
 | argumentPassing.py:113:36:113:39 | ControlFlowNode for arg3 | argumentPassing.py:105:11:105:11 | ControlFlowNode for c |
+| argumentPassing.py:137:26:137:29 | ControlFlowNode for arg3 | argumentPassing.py:132:11:132:13 | ControlFlowNode for baz |
 | classes.py:581:26:581:29 | ControlFlowNode for arg3 | classes.py:571:15:571:19 | ControlFlowNode for value |
