python: improved script and new models

recpgnise flow from `*args` and `**kwargs`
github · Apr 10, 2024 · 0340529 · 0340529
1 parent ad4359e
commit 0340529
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 11 deletions.
diff --git a/python/ql/lib/ext/StdLib.model.yml b/python/ql/lib/ext/StdLib.model.yml
@@ -34,14 +34,16 @@ extensions:
       - ["html", "Member[parser].Member[HTMLParser].Subclass.Instance.Member[feed]", "Argument[0,data:]", "Argument[self]", "taint"]
       - ["imp", "Member[find_module]", "Argument[0,name:]", "ReturnValue", "taint"]
       - ["imp", "Member[find_module]", "Argument[1,path:]", "ReturnValue", "taint"]
-      - ["logging", "Member[LogRecord].Subclass.Instance.Member[getMessage]", "Argument[self]", "ReturnValue", "taint"]
       - ["logging", "Member[getLevelName]", "Argument[0,level:]", "ReturnValue", "taint"]
+      - ["logging", "Member[LogRecord].Subclass.Instance.Member[getMessage]", "Argument[self]", "ReturnValue", "taint"]
       - ["mimetypes", "Member[guess_type]", "Argument[0,url:]", "ReturnValue", "taint"]
       - ["multiprocessing", "Member[connection].Member[Listener].Subclass.Instance.Member[__init__]", "Argument[3,authkey:]", "ReturnValue", "taint"]
       - ["nturl2path", "Member[pathname2url]", "Argument[0,p:]", "ReturnValue", "taint"]
       - ["nturl2path", "Member[url2pathname]", "Argument[0,url:]", "ReturnValue", "taint"]
       - ["optparse", "Member[OptionParser].Subclass.Instance.Member[parse_args]", "Argument[0,args:]", "ReturnValue", "taint"]
       - ["pathlib", "Member[Path].Subclass.Instance.Member[__enter__]", "Argument[self]", "ReturnValue", "taint"]
+      - ["pathlib", "Member[PurePath].Subclass.Instance.Member[__fspath__]", "Argument[self]", "ReturnValue", "taint"]
+      - ["queue", "Member[Queue].Subclass.Instance.Member[put]", "Argument[0,item:]", "Argument[self]", "taint"]
       - ["random", "Member[choice]", "Argument[0,seq:]", "ReturnValue", "taint"]
       - ["random", "Member[Random].Subclass.Instance.Member[choice]", "Argument[0,seq:]", "ReturnValue", "taint"]
       - ["re", "Member[split]", "Argument[0,pattern:]", "ReturnValue", "taint"]
@@ -59,16 +61,16 @@ extensions:
       - ["textwrap", "Member[dedent]", "Argument[0,text:]", "ReturnValue", "taint"]
       - ["traceback", "Member[StackSummary].Subclass.Instance.Member[from_list]", "Argument[0,a_list:]", "ReturnValue", "taint"]
       - ["typing", "Member[cast]", "Argument[1,val:]", "ReturnValue", "taint"]
-      - ["urllib", "Member[parse].Member[quote]", "Argument[0,string:]", "ReturnValue", "taint"]
       - ["urllib", "Member[parse].Member[quote_plus]", "Argument[0,string:]", "ReturnValue", "taint"]
+      - ["urllib", "Member[parse].Member[quote]", "Argument[0,string:]", "ReturnValue", "taint"]
       - ["urllib", "Member[parse].Member[splitquery]", "Argument[0,url:]", "ReturnValue", "taint"]
-      - ["urllib", "Member[parse].Member[unquote]", "Argument[0,string:]", "ReturnValue", "taint"]
       - ["urllib", "Member[parse].Member[unquote_plus]", "Argument[0,string:]", "ReturnValue", "taint"]
+      - ["urllib", "Member[parse].Member[unquote]", "Argument[0,string:]", "ReturnValue", "taint"]
       - ["urllib", "Member[parse].Member[urlencode]", "Argument[0,query:]", "ReturnValue", "taint"]
       - ["urllib", "Member[parse].Member[urljoin]", "Argument[1,url:]", "ReturnValue", "taint"]
+      - ["urllib", "Member[request].Member[pathname2url]", "Argument[0,pathname:]", "ReturnValue", "taint"]
       - ["urllib", "Member[request].Member[Request].Subclass.Instance.Member[__init__]", "Argument[0,url:]", "ReturnValue", "taint"]
       - ["urllib", "Member[request].Member[Request].Subclass.Instance.Member[get_full_url]", "Argument[self]", "ReturnValue", "taint"]
-      - ["urllib", "Member[request].Member[pathname2url]", "Argument[0,pathname:]", "ReturnValue", "taint"]
       - ["urllib", "Member[request].Member[url2pathname]", "Argument[0,pathname:]", "ReturnValue", "taint"]
       - ["urllib", "Member[request].Member[urlretrieve]", "Argument[0,url:]", "ReturnValue", "taint"]
       - ["zipfile", "Member[CompleteDirs].Subclass.Instance.Member[namelist]", "Argument[self]", "ReturnValue", "taint"]

diff --git a/python/ql/src/meta/StdLib/FindUses.qll b/python/ql/src/meta/StdLib/FindUses.qll
@@ -90,13 +90,17 @@ string computeArgumentPath(string parameter, Function function) {
 
 pragma[inline]
 string computeReturnPath(DataFlow::Node argument, DataFlow::Node outNode) {
-  outNode.(DataFlow::CallCfgNode).getArg(_) = argument and
-  result = "ReturnValue"
-  or
-  outNode.(DataFlow::CallCfgNode).getArgByName(_) = argument and
-  result = "ReturnValue"
-  or
-  outNode.(DataFlow::MethodCallNode).getObject() = argument and
+  (
+    outNode.(DataFlow::CallCfgNode).getArg(_) = argument
+    or
+    outNode.(DataFlow::CallCfgNode).getArgByName(_) = argument
+    or
+    outNode.(DataFlow::CallCfgNode).getNode().getNode().(Call).getKwargs() = argument.asExpr()
+    or
+    outNode.(DataFlow::CallCfgNode).getNode().getNode().(Call).getStarargs() = argument.asExpr()
+    or
+    outNode.(DataFlow::MethodCallNode).getObject() = argument
+  ) and
   result = "ReturnValue"
   or
   exists(DataFlow::MethodCallNode call |