Python: Support keyword overflow arguments

yoff · yoff · commit e02cfbf6b036 · 2020-09-30T11:55:27.000+02:00
diff --git a/python/ql/src/experimental/dataflow/internal/DataFlowPrivate.qll b/python/ql/src/experimental/dataflow/internal/DataFlowPrivate.qll
@@ -237,20 +237,34 @@ private Node update(Node node) {
 //
 /** Computes routing of arguments to parameters */
 module ArgumentPassing {
+  /**
+   * Gets the `n`th parameter of `callable`.
+   * If the callable has a starred parameter, say `*tuple`, that is matched with `n=-1`.
+   * If the callable has a doubly starred parameter, say `**dict`, that is matched with `n=-2`.
+   * Note that, unlike other languages, we do _not_ use -1 for the position of `self` in Python,
+   * as it is an explicit parameter at position 0.
+   */
   NameNode getParameter(CallableValue callable, int n) {
     // positional parameter
     result = callable.getParameter(n)
     or
-    // vararg
+    // starred parameter, `*tuple`
     exists(Function f |
       f = callable.getScope() and
-      n = f.getPositionalParameterCount() and
+      n = -1 and
       result = f.getVararg().getAFlowNode()
     )
+    or
+    // doubly starred parameter, `**dict`
+    exists(Function f |
+      f = callable.getScope() and
+      n = -2 and
+      result = f.getKwarg().getAFlowNode()
+    )
   }
 
   /**
-   * Gets the argument to `call` then is passed to the `n`th parameter of `callable`.
+   * Gets the argument to `call` that is passed to the `n`th parameter of `callable`.
    */
   Node getArg(CallNode call, CallableValue callable, int n) {
     call = callable.getACall() and
@@ -265,16 +279,25 @@ module ArgumentPassing {
         result = TCfgNode(call.getArgByName(argName))
       )
       or
-      // vararg
+      // argument -1 is a synthezised argument passed to the starred parameter
       exists(Function f |
         f = callable.getScope() and
         f.hasVarArg() and
-        n = f.getPositionalParameterCount() and
+        n = -1 and
         result = TPosOverflowNode(call, callable)
       )
+      or
+      // argument -2 is a synthezised argument passed to the doubly starred parameter
+      exists(Function f |
+        f = callable.getScope() and
+        f.hasKwArg() and
+        n = -2 and
+        result = TKwOverflowNode(call, callable)
+      )
     )
   }
 
+  /** Gets the control flow node that is passed as the `n`th overflow positional argument. */
   ControlFlowNode getPositionalOverflowArg(CallNode call, CallableValue callable, int n) {
     call = callable.getACall() and
     exists(Function f, int posCount, int argNr |
@@ -286,6 +309,17 @@ module ArgumentPassing {
       argNr = posCount + n
     )
   }
+
+  /** Gets the control flow node that is passed as the overflow keyword argument with key `key`. */
+  ControlFlowNode getKeywordOverflowArg(CallNode call, CallableValue callable, string key) {
+    call = callable.getACall() and
+    exists(Function f |
+      f = callable.getScope() and
+      f.hasKwArg() and
+      not exists(f.getArgByName(key)) and
+      result = call.getArgByName(key)
+    )
+  }
 }
 
 import ArgumentPassing
@@ -594,6 +628,8 @@ predicate storeStep(Node nodeFrom, Content c, Node nodeTo) {
   attributeStoreStep(nodeFrom, c, nodeTo)
   or
   posOverflowStoreStep(nodeFrom, c, nodeTo)
+  or
+  kwOverflowStoreStep(nodeFrom, c, nodeTo)
 }
 
 /** Data flows from an element of a list to the list. */
@@ -689,6 +725,10 @@ predicate attributeStoreStep(CfgNode nodeFrom, AttributeContent c, PostUpdateNod
   )
 }
 
+/**
+ * Holds if `nodeFrom` flows into the synthezised positional overflow argument (`nodeTo`)
+ * at the position indicated by `c`.
+ */
 predicate posOverflowStoreStep(CfgNode nodeFrom, TupleElementContent c, Node nodeTo) {
   exists(CallNode call, CallableValue callable, int n |
     nodeFrom.asCfgNode() = getPositionalOverflowArg(call, callable, n) and
@@ -697,6 +737,18 @@ predicate posOverflowStoreStep(CfgNode nodeFrom, TupleElementContent c, Node nod
   )
 }
 
+/**
+ * Holds if `nodeFrom` flows into the synthezised keyword overflow argument (`nodeTo`)
+ * at the key indicated by `c`.
+ */
+predicate kwOverflowStoreStep(CfgNode nodeFrom, DictionaryElementContent c, Node nodeTo) {
+  exists(CallNode call, CallableValue callable, string key |
+    nodeFrom.asCfgNode() = getKeywordOverflowArg(call, callable, key) and
+    nodeTo = TKwOverflowNode(call, callable) and
+    c.getKey() = key
+  )
+}
+
 /**
  * Holds if data can flow from `nodeFrom` to `nodeTo` via a read of content `c`.
  */
diff --git a/python/ql/src/experimental/dataflow/internal/DataFlowPublic.qll b/python/ql/src/experimental/dataflow/internal/DataFlowPublic.qll
@@ -32,6 +32,10 @@ newtype TNode =
   /** A node representing the overflow positional arguments to a call. */
   TPosOverflowNode(CallNode call, CallableValue callable) {
     exists(getPositionalOverflowArg(call, callable, _))
+  } or
+  /** A node representing the overflow keyword arguments to a call. */
+  TKwOverflowNode(CallNode call, CallableValue callable) {
+    exists(getKeywordOverflowArg(call, callable, _))
   }
 
 /**
diff --git a/python/ql/test/experimental/dataflow/coverage/argumentRouting1.expected b/python/ql/test/experimental/dataflow/coverage/argumentRouting1.expected
@@ -13,6 +13,7 @@
 | argumentPassing.py:163:13:163:16 | ControlFlowNode for arg1 | argumentPassing.py:161:15:161:15 | ControlFlowNode for a |
 | argumentPassing.py:170:16:170:19 | ControlFlowNode for arg1 | argumentPassing.py:168:15:168:15 | ControlFlowNode for a |
 | argumentPassing.py:177:15:177:18 | ControlFlowNode for arg1 | argumentPassing.py:175:15:175:15 | ControlFlowNode for a |
+| argumentPassing.py:184:23:184:26 | ControlFlowNode for arg1 | argumentPassing.py:182:15:182:20 | ControlFlowNode for Subscript |
 | classes.py:563:5:563:16 | SSA variable with_getitem | classes.py:557:15:557:18 | ControlFlowNode for self |
 | classes.py:578:5:578:16 | SSA variable with_setitem | classes.py:573:15:573:18 | ControlFlowNode for self |
 | classes.py:593:5:593:16 | SSA variable with_delitem | classes.py:588:15:588:18 | ControlFlowNode for self |
diff --git a/python/ql/test/experimental/dataflow/coverage/dataflow.expected b/python/ql/test/experimental/dataflow/coverage/dataflow.expected
@@ -28,6 +28,8 @@ edges
 | datamodel.py:152:14:152:19 | ControlFlowNode for SOURCE | datamodel.py:152:5:152:8 | [post store] ControlFlowNode for self [Attribute b] |
 | datamodel.py:155:14:155:25 | ControlFlowNode for Customized() [Attribute b] | datamodel.py:159:6:159:15 | ControlFlowNode for customized [Attribute b] |
 | datamodel.py:159:6:159:15 | ControlFlowNode for customized [Attribute b] | datamodel.py:159:6:159:17 | ControlFlowNode for Attribute |
+| file://:0:0:0:0 | Data flow node [Dictionary element at key b] | test.py:397:10:397:45 | ControlFlowNode for f_extra_keyword() |
+| file://:0:0:0:0 | Data flow node [Dictionary element at key b] | test.py:487:10:487:45 | ControlFlowNode for f_extra_keyword() |
 | file://:0:0:0:0 | Data flow node [Tuple element at index 0] | test.py:389:10:389:39 | ControlFlowNode for f_extra_pos() |
 | file://:0:0:0:0 | Data flow node [Tuple element at index 0] | test.py:482:10:482:39 | ControlFlowNode for f_extra_pos() |
 | test.py:0:0:0:0 | ModuleVariableNode for Global Variable SOURCE in Module test | test.py:42:21:42:26 | ControlFlowNode for SOURCE |
@@ -52,10 +54,12 @@ edges
 | test.py:0:0:0:0 | ModuleVariableNode for Global Variable SOURCE in Module test | test.py:365:28:365:33 | ControlFlowNode for SOURCE |
 | test.py:0:0:0:0 | ModuleVariableNode for Global Variable SOURCE in Module test | test.py:373:30:373:35 | ControlFlowNode for SOURCE |
 | test.py:0:0:0:0 | ModuleVariableNode for Global Variable SOURCE in Module test | test.py:389:33:389:38 | ControlFlowNode for SOURCE |
+| test.py:0:0:0:0 | ModuleVariableNode for Global Variable SOURCE in Module test | test.py:397:39:397:44 | ControlFlowNode for SOURCE |
 | test.py:0:0:0:0 | ModuleVariableNode for Global Variable SOURCE in Module test | test.py:442:12:442:17 | ControlFlowNode for SOURCE |
 | test.py:0:0:0:0 | ModuleVariableNode for Global Variable SOURCE in Module test | test.py:449:28:449:33 | ControlFlowNode for SOURCE |
 | test.py:0:0:0:0 | ModuleVariableNode for Global Variable SOURCE in Module test | test.py:463:30:463:35 | ControlFlowNode for SOURCE |
 | test.py:0:0:0:0 | ModuleVariableNode for Global Variable SOURCE in Module test | test.py:482:33:482:38 | ControlFlowNode for SOURCE |
+| test.py:0:0:0:0 | ModuleVariableNode for Global Variable SOURCE in Module test | test.py:487:39:487:44 | ControlFlowNode for SOURCE |
 | test.py:0:0:0:0 | ModuleVariableNode for Global Variable SOURCE in Module test | test.py:499:9:499:14 | ControlFlowNode for SOURCE |
 | test.py:20:1:20:6 | GSSA Variable SOURCE | test.py:0:0:0:0 | ModuleVariableNode for Global Variable SOURCE in Module test |
 | test.py:20:10:20:17 | ControlFlowNode for Str | test.py:20:1:20:6 | GSSA Variable SOURCE |
@@ -155,10 +159,12 @@ edges
 | test.py:365:28:365:33 | ControlFlowNode for SOURCE | test.py:365:10:365:34 | ControlFlowNode for second() |
 | test.py:373:30:373:35 | ControlFlowNode for SOURCE | test.py:373:10:373:36 | ControlFlowNode for second() |
 | test.py:389:33:389:38 | ControlFlowNode for SOURCE | file://:0:0:0:0 | Data flow node [Tuple element at index 0] |
+| test.py:397:39:397:44 | ControlFlowNode for SOURCE | file://:0:0:0:0 | Data flow node [Dictionary element at key b] |
 | test.py:442:12:442:17 | ControlFlowNode for SOURCE | test.py:442:10:442:18 | ControlFlowNode for f() |
 | test.py:449:28:449:33 | ControlFlowNode for SOURCE | test.py:449:10:449:34 | ControlFlowNode for second() |
 | test.py:463:30:463:35 | ControlFlowNode for SOURCE | test.py:463:10:463:36 | ControlFlowNode for second() |
 | test.py:482:33:482:38 | ControlFlowNode for SOURCE | file://:0:0:0:0 | Data flow node [Tuple element at index 0] |
+| test.py:487:39:487:44 | ControlFlowNode for SOURCE | file://:0:0:0:0 | Data flow node [Dictionary element at key b] |
 | test.py:499:9:499:14 | ControlFlowNode for SOURCE | test.py:501:10:501:10 | ControlFlowNode for a |
 | test.py:499:9:499:14 | ControlFlowNode for SOURCE | test.py:506:10:506:10 | ControlFlowNode for b |
 nodes
@@ -181,6 +187,8 @@ nodes
 | datamodel.py:155:14:155:25 | ControlFlowNode for Customized() [Attribute b] | semmle.label | ControlFlowNode for Customized() [Attribute b] |
 | datamodel.py:159:6:159:15 | ControlFlowNode for customized [Attribute b] | semmle.label | ControlFlowNode for customized [Attribute b] |
 | datamodel.py:159:6:159:17 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| file://:0:0:0:0 | Data flow node [Dictionary element at key b] | semmle.label | Data flow node [Dictionary element at key b] |
+| file://:0:0:0:0 | Data flow node [Dictionary element at key b] | semmle.label | Data flow node [Dictionary element at key b] |
 | file://:0:0:0:0 | Data flow node [Tuple element at index 0] | semmle.label | Data flow node [Tuple element at index 0] |
 | file://:0:0:0:0 | Data flow node [Tuple element at index 0] | semmle.label | Data flow node [Tuple element at index 0] |
 | test.py:0:0:0:0 | ModuleVariableNode for Global Variable SOURCE in Module test | semmle.label | ModuleVariableNode for Global Variable SOURCE in Module test |
@@ -308,6 +316,8 @@ nodes
 | test.py:373:30:373:35 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
 | test.py:389:10:389:39 | ControlFlowNode for f_extra_pos() | semmle.label | ControlFlowNode for f_extra_pos() |
 | test.py:389:33:389:38 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
+| test.py:397:10:397:45 | ControlFlowNode for f_extra_keyword() | semmle.label | ControlFlowNode for f_extra_keyword() |
+| test.py:397:39:397:44 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
 | test.py:442:10:442:18 | ControlFlowNode for f() | semmle.label | ControlFlowNode for f() |
 | test.py:442:12:442:17 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
 | test.py:449:10:449:34 | ControlFlowNode for second() | semmle.label | ControlFlowNode for second() |
@@ -316,6 +326,8 @@ nodes
 | test.py:463:30:463:35 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
 | test.py:482:10:482:39 | ControlFlowNode for f_extra_pos() | semmle.label | ControlFlowNode for f_extra_pos() |
 | test.py:482:33:482:38 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
+| test.py:487:10:487:45 | ControlFlowNode for f_extra_keyword() | semmle.label | ControlFlowNode for f_extra_keyword() |
+| test.py:487:39:487:44 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
 | test.py:499:9:499:14 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
 | test.py:501:10:501:10 | ControlFlowNode for a | semmle.label | ControlFlowNode for a |
 | test.py:506:10:506:10 | ControlFlowNode for b | semmle.label | ControlFlowNode for b |
@@ -392,6 +404,8 @@ nodes
 | test.py:373:10:373:36 | ControlFlowNode for second() | test.py:373:30:373:35 | ControlFlowNode for SOURCE | test.py:373:10:373:36 | ControlFlowNode for second() | Flow found |
 | test.py:389:10:389:39 | ControlFlowNode for f_extra_pos() | test.py:20:10:20:17 | ControlFlowNode for Str | test.py:389:10:389:39 | ControlFlowNode for f_extra_pos() | Flow found |
 | test.py:389:10:389:39 | ControlFlowNode for f_extra_pos() | test.py:389:33:389:38 | ControlFlowNode for SOURCE | test.py:389:10:389:39 | ControlFlowNode for f_extra_pos() | Flow found |
+| test.py:397:10:397:45 | ControlFlowNode for f_extra_keyword() | test.py:20:10:20:17 | ControlFlowNode for Str | test.py:397:10:397:45 | ControlFlowNode for f_extra_keyword() | Flow found |
+| test.py:397:10:397:45 | ControlFlowNode for f_extra_keyword() | test.py:397:39:397:44 | ControlFlowNode for SOURCE | test.py:397:10:397:45 | ControlFlowNode for f_extra_keyword() | Flow found |
 | test.py:442:10:442:18 | ControlFlowNode for f() | test.py:20:10:20:17 | ControlFlowNode for Str | test.py:442:10:442:18 | ControlFlowNode for f() | Flow found |
 | test.py:442:10:442:18 | ControlFlowNode for f() | test.py:442:12:442:17 | ControlFlowNode for SOURCE | test.py:442:10:442:18 | ControlFlowNode for f() | Flow found |
 | test.py:449:10:449:34 | ControlFlowNode for second() | test.py:20:10:20:17 | ControlFlowNode for Str | test.py:449:10:449:34 | ControlFlowNode for second() | Flow found |
@@ -400,6 +414,8 @@ nodes
 | test.py:463:10:463:36 | ControlFlowNode for second() | test.py:463:30:463:35 | ControlFlowNode for SOURCE | test.py:463:10:463:36 | ControlFlowNode for second() | Flow found |
 | test.py:482:10:482:39 | ControlFlowNode for f_extra_pos() | test.py:20:10:20:17 | ControlFlowNode for Str | test.py:482:10:482:39 | ControlFlowNode for f_extra_pos() | Flow found |
 | test.py:482:10:482:39 | ControlFlowNode for f_extra_pos() | test.py:482:33:482:38 | ControlFlowNode for SOURCE | test.py:482:10:482:39 | ControlFlowNode for f_extra_pos() | Flow found |
+| test.py:487:10:487:45 | ControlFlowNode for f_extra_keyword() | test.py:20:10:20:17 | ControlFlowNode for Str | test.py:487:10:487:45 | ControlFlowNode for f_extra_keyword() | Flow found |
+| test.py:487:10:487:45 | ControlFlowNode for f_extra_keyword() | test.py:487:39:487:44 | ControlFlowNode for SOURCE | test.py:487:10:487:45 | ControlFlowNode for f_extra_keyword() | Flow found |
 | test.py:501:10:501:10 | ControlFlowNode for a | test.py:20:10:20:17 | ControlFlowNode for Str | test.py:501:10:501:10 | ControlFlowNode for a | Flow found |
 | test.py:501:10:501:10 | ControlFlowNode for a | test.py:499:9:499:14 | ControlFlowNode for SOURCE | test.py:501:10:501:10 | ControlFlowNode for a | Flow found |
 | test.py:506:10:506:10 | ControlFlowNode for b | test.py:20:10:20:17 | ControlFlowNode for Str | test.py:506:10:506:10 | ControlFlowNode for b | Flow found |
diff --git a/python/ql/test/experimental/dataflow/coverage/test.py b/python/ql/test/experimental/dataflow/coverage/test.py
@@ -394,7 +394,7 @@ def f_extra_keyword(a, **b):
 
 
 def test_call_extra_keyword():
-    SINK(f_extra_keyword(NONSOURCE, b=SOURCE))  # Flow missing
+    SINK(f_extra_keyword(NONSOURCE, b=SOURCE))
 
 
 # return the name of the first extra keyword argument
@@ -484,7 +484,7 @@ def test_lambda_extra_pos():
 
 def test_lambda_extra_keyword():
     f_extra_keyword = lambda a, **b: b["b"]
-    SINK(f_extra_keyword(NONSOURCE, b=SOURCE))  # Flow missing
+    SINK(f_extra_keyword(NONSOURCE, b=SOURCE))
 
 
 # call the function with our source as the name of the keyword arguemnt
