Python: Allow type tracking through comprehensions

yoff · yoff · commit 0dc036abd17a · 2024-10-03T09:31:02.000+02:00
- the subscript operator is extended to comprehensions
- the capture jump-step is extended to work for the functions generated inside comprehensions
diff --git a/python/ql/lib/semmle/python/ApiGraphs.qll b/python/ql/lib/semmle/python/ApiGraphs.qll
@@ -843,6 +843,13 @@ module API {
         ref = pred.getSubscript(_) and
         ref.asCfgNode().isLoad()
         or
+        // Subscript via comprehension
+        lbl = Label::subscript() and
+        exists(PY::Comp comp |
+          pred.asExpr() = comp.getIterable() and
+          ref.asExpr() = comp.getNthInnerLoop(0).getTarget()
+        )
+        or
         // Subclassing a node
         lbl = Label::subclass() and
         exists(PY::ClassExpr clsExpr, DataFlow::Node superclass | pred.flowsTo(superclass) |
diff --git a/python/ql/lib/semmle/python/dataflow/new/internal/TypeTrackingImpl.qll b/python/ql/lib/semmle/python/dataflow/new/internal/TypeTrackingImpl.qll
@@ -304,7 +304,7 @@ module TypeTrackingInput implements Shared::TypeTrackingInput {
       var.hasDefiningNode(def)
     |
       nodeTo.(DataFlowPublic::ScopeEntryDefinitionNode).getDefinition() = e and
-      nodeFrom.asCfgNode() = def.getValue() and
+      nodeFrom.asCfgNode() = def and
       var.getScope().getScope*() = nodeFrom.getScope()
     )
   }
diff --git a/python/ql/test/library-tests/frameworks/stdlib/http_server.py b/python/ql/test/library-tests/frameworks/stdlib/http_server.py
@@ -30,7 +30,7 @@ def test_cgi_FieldStorage_taint():
         form['key'][0].value, # $ tainted
         form['key'][0].file, # $ tainted
         form['key'][0].filename, # $ tainted
-        [field.value for field in form['key']], # $ MISSING: tainted
+        [field.value for field in form['key']], # $ tainted
 
         # `form.getvalue('key')` will be a list, if multiple fields named "key" are provided
         form.getvalue('key'), # $ tainted
@@ -40,7 +40,7 @@ def test_cgi_FieldStorage_taint():
 
         form.getlist('key'), # $ tainted
         form.getlist('key')[0], # $ tainted
-        [field.value for field in form.getlist('key')], # $ MISSING: tainted
+        [field.value for field in form.getlist('key')], # $ tainted
     )
 
 

Original file line number	Diff line number	Diff line change
`@@ -304,7 +304,7 @@ module TypeTrackingInput implements Shared::TypeTrackingInput {`
`304`	`304`	`var.hasDefiningNode(def)`
`305`	`305`	`\|`
`306`	`306`	`nodeTo.(DataFlowPublic::ScopeEntryDefinitionNode).getDefinition() = e and`
`307`		`- nodeFrom.asCfgNode() = def.getValue() and`
	`307`	`+ nodeFrom.asCfgNode() = def and`
`308`	`308`	`var.getScope().getScope*() = nodeFrom.getScope()`
`309`	`309`	`)`
`310`	`310`	`}`