Python points-to: Fix up matching arguments to parameters.

markshannon · markshannon · commit f543adcd3821 · 2019-04-26T16:21:46.000+01:00
diff --git a/python/ql/src/semmle/python/objects/Callables.qll b/python/ql/src/semmle/python/objects/Callables.qll
@@ -46,6 +46,10 @@ abstract class CallableObjectInternal extends ObjectInternal {
 
     CallNode getACall() { result = this.getACall(_) }
 
+    abstract NameNode getParameter(int n);
+
+    abstract NameNode getParameterByName(string name);
+
 }
 
 
@@ -132,6 +136,14 @@ class PythonFunctionObjectInternal extends CallableObjectInternal, TPythonFuncti
         )
     }
 
+    override NameNode getParameter(int n) {
+        result.getNode() = this.getScope().getArg(n)
+    }
+
+    override NameNode getParameterByName(string name) {
+        result.getNode() = this.getScope().getArgByName(name)
+    }
+
 }
 
 
@@ -229,6 +241,13 @@ class BuiltinFunctionObjectInternal extends CallableObjectInternal, TBuiltinFunc
         PointsTo::pointsTo(result.getFunction(), ctx, this, _)
     }
 
+    override NameNode getParameter(int n) {
+        none()
+    }
+
+    override NameNode getParameterByName(string name) {
+        none()
+    }
 
 }
 
@@ -289,6 +308,14 @@ class BuiltinMethodObjectInternal extends CallableObjectInternal, TBuiltinMethod
         PointsTo::pointsTo(result.getFunction(), ctx, this, _)
     }
 
+    override NameNode getParameter(int n) {
+        none()
+    }
+
+    override NameNode getParameterByName(string name) {
+        none()
+    }
+
 }
 
 class BoundMethodObjectInternal extends CallableObjectInternal, TBoundMethod {
@@ -352,6 +379,14 @@ class BoundMethodObjectInternal extends CallableObjectInternal, TBoundMethod {
         PointsTo::pointsTo(result.getFunction(), ctx, this, _)
     }
 
+    override NameNode getParameter(int n) {
+        result = this.getFunction().getParameter(n+1)
+    }
+
+    override NameNode getParameterByName(string name) {
+        result = this.getFunction().getParameterByName(name)
+    }
+
 }
 
 class ClassMethodObjectInternal extends ObjectInternal, TClassMethod {
diff --git a/python/ql/src/semmle/python/objects/ObjectAPI.qll b/python/ql/src/semmle/python/objects/ObjectAPI.qll
@@ -57,21 +57,6 @@ class Value extends TObject {
         result = this.(ObjectInternal).getSource()
     }
 
-    /** Gets the `ControlFlowNode` that will be passed as the nth argument to `this` when called at `call`.
-        This predicate will correctly handle `x.y()`, treating `x` as the zeroth argument.
-    */
-    ControlFlowNode getArgumentForCall(CallNode call, int n) {
-        // TO DO..
-        none()
-    }
-
-    /** Gets the `ControlFlowNode` that will be passed as the named argument to `this` when called at `call`.
-        This predicate will correctly handle `x.y()`, treating `x` as the self argument.
-    */
-    ControlFlowNode getNamedArgumentForCall(CallNode call, string name) {
-        // TO DO..
-        none()
-    }
 }
 
 class ModuleValue extends Value {
@@ -130,6 +115,28 @@ class CallableValue extends Value {
         result = this.(PythonFunctionObjectInternal).getScope()
     }
 
+    NameNode getParameter(int n) {
+        result = this.(CallableObjectInternal).getParameter(n)
+    }
+
+    NameNode getParameterByName(string name) {
+        result = this.(CallableObjectInternal).getParameterByName(name)
+    }
+
+    ControlFlowNode getArgumentForCall(CallNode call, NameNode param) {
+        this.getACall() = call and
+        (
+            exists(int n | call.getArg(n) = result and param = this.getParameter(n))
+            or
+            exists(string name | call.getArgByName(name) = result and param = this.getParameterByName(name))
+        )
+        or
+        exists(BoundMethodObjectInternal bm |
+            result = getArgumentForCall(call, param) and
+            this = bm.getFunction()
+        )
+    }
+
 }
 
 class ClassValue extends Value {
diff --git a/python/ql/src/semmle/python/security/TaintTracking.qll b/python/ql/src/semmle/python/security/TaintTracking.qll
@@ -1204,13 +1204,13 @@ library module TaintFlowImplementation {
         exists(ParameterDefinition def |
             def.getDefiningNode() = param and
             exists(CallableValue func, CallNode call |
-                exists(int n | argument = func.getArgumentForCall(call, n) and param.getNode() = func.getScope().getArg(n))
+                call.getFunction().pointsTo() = func and
+                callee = caller.getCallee(call) |
+                exists(int n | param = func.getParameter(n) and argument = call.getArg(n))
                 or
-                exists(string name | argument = func.getNamedArgumentForCall(call, name) and param.getNode() = func.getScope().getArgByName(name))
+                exists(string name | param = func.getParameterByName(name) and argument = call.getArgByName(name))
                 or
                 class_initializer_argument(_, _, call, func, argument, param)
-                |
-                callee = caller.getCallee(call)
             )
         )
     }
diff --git a/python/ql/src/semmle/python/types/FunctionObject.qll b/python/ql/src/semmle/python/types/FunctionObject.qll
@@ -71,14 +71,14 @@ abstract class FunctionObject extends Object {
         This predicate will correctly handle `x.y()`, treating `x` as the zeroth argument.
     */
     ControlFlowNode getArgumentForCall(CallNode call, int n) {
-        result = theCallable().getArgumentForCall(call, n)
+        result = theCallable().getArgumentForCall(call, this.getFunction().getArg(n).asName().getAFlowNode())
     }
 
     /** Gets the `ControlFlowNode` that will be passed as the named argument to `this` when called at `call`.
         This predicate will correctly handle `x.y()`, treating `x` as the self argument.
     */
     ControlFlowNode getNamedArgumentForCall(CallNode call, string name) {
-        result = theCallable().getNamedArgumentForCall(call, name)
+        result = theCallable().getArgumentForCall(call, this.getFunction().getArgByName(name).asName().getAFlowNode())
     }
 
     /** Whether this function never returns. This is an approximation.

Original file line number	Diff line number	Diff line change
`@@ -46,6 +46,10 @@ abstract class CallableObjectInternal extends ObjectInternal {`
`46`	`46`
`47`	`47`	`CallNode getACall() { result = this.getACall(_) }`
`48`	`48`
	`49`	`+ abstract NameNode getParameter(int n);`
	`50`	`+`
	`51`	`+ abstract NameNode getParameterByName(string name);`
	`52`	`+`
`49`	`53`	`}`
`50`	`54`
`51`	`55`
`@@ -132,6 +136,14 @@ class PythonFunctionObjectInternal extends CallableObjectInternal, TPythonFuncti`
`132`	`136`	`)`
`133`	`137`	`}`
`134`	`138`
	`139`	`+ override NameNode getParameter(int n) {`
	`140`	`+ result.getNode() = this.getScope().getArg(n)`
	`141`	`+ }`
	`142`	`+`
	`143`	`+ override NameNode getParameterByName(string name) {`
	`144`	`+ result.getNode() = this.getScope().getArgByName(name)`
	`145`	`+ }`
	`146`	`+`
`135`	`147`	`}`
`136`	`148`
`137`	`149`
`@@ -229,6 +241,13 @@ class BuiltinFunctionObjectInternal extends CallableObjectInternal, TBuiltinFunc`
`229`	`241`	`PointsTo::pointsTo(result.getFunction(), ctx, this, _)`
`230`	`242`	`}`
`231`	`243`
	`244`	`+ override NameNode getParameter(int n) {`
	`245`	`+ none()`
	`246`	`+ }`
	`247`	`+`
	`248`	`+ override NameNode getParameterByName(string name) {`
	`249`	`+ none()`
	`250`	`+ }`
`232`	`251`
`233`	`252`	`}`
`234`	`253`
`@@ -289,6 +308,14 @@ class BuiltinMethodObjectInternal extends CallableObjectInternal, TBuiltinMethod`
`289`	`308`	`PointsTo::pointsTo(result.getFunction(), ctx, this, _)`
`290`	`309`	`}`
`291`	`310`
	`311`	`+ override NameNode getParameter(int n) {`
	`312`	`+ none()`
	`313`	`+ }`
	`314`	`+`
	`315`	`+ override NameNode getParameterByName(string name) {`
	`316`	`+ none()`
	`317`	`+ }`
	`318`	`+`
`292`	`319`	`}`
`293`	`320`
`294`	`321`	`class BoundMethodObjectInternal extends CallableObjectInternal, TBoundMethod {`
`@@ -352,6 +379,14 @@ class BoundMethodObjectInternal extends CallableObjectInternal, TBoundMethod {`
`352`	`379`	`PointsTo::pointsTo(result.getFunction(), ctx, this, _)`
`353`	`380`	`}`
`354`	`381`
	`382`	`+ override NameNode getParameter(int n) {`
	`383`	`+ result = this.getFunction().getParameter(n+1)`
	`384`	`+ }`
	`385`	`+`
	`386`	`+ override NameNode getParameterByName(string name) {`
	`387`	`+ result = this.getFunction().getParameterByName(name)`
	`388`	`+ }`
	`389`	`+`
`355`	`390`	`}`
`356`	`391`
`357`	`392`	`class ClassMethodObjectInternal extends ObjectInternal, TClassMethod {`
Original file line number	Diff line number	Diff line change
`@@ -1204,13 +1204,13 @@ library module TaintFlowImplementation {`
`1204`	`1204`	`exists(ParameterDefinition def \|`
`1205`	`1205`	`def.getDefiningNode() = param and`
`1206`	`1206`	`exists(CallableValue func, CallNode call \|`
`1207`		`- exists(int n \| argument = func.getArgumentForCall(call, n) and param.getNode() = func.getScope().getArg(n))`
	`1207`	`+ call.getFunction().pointsTo() = func and`
	`1208`	`+ callee = caller.getCallee(call) \|`
	`1209`	`+ exists(int n \| param = func.getParameter(n) and argument = call.getArg(n))`
`1208`	`1210`	`or`
`1209`		`- exists(string name \| argument = func.getNamedArgumentForCall(call, name) and param.getNode() = func.getScope().getArgByName(name))`
	`1211`	`+ exists(string name \| param = func.getParameterByName(name) and argument = call.getArgByName(name))`
`1210`	`1212`	`or`
`1211`	`1213`	`class_initializer_argument(_, _, call, func, argument, param)`
`1212`		`- \|`
`1213`		`- callee = caller.getCallee(call)`
`1214`	`1214`	`)`
`1215`	`1215`	`)`
`1216`	`1216`	`}`