CodeQL to get python attribute and corresponding definition

[yuval-piiano]

Hi,

I would like to get the class definition for a python attribute usage -
e.g, for this python file:

import logging
from dataclasses import dataclass

logger = logging.getLogger(__name__)

@dataclass
class AddressData:
    address: str

ad = AddressData("my address")
logger.warning(ad.address)
intermedia_var = ad.first_name
logger.warning("first_name: %s", intermedia_var)

My actual goal if to find out usages of AdressData address field which are leaked to logs, but after upgrading Xodeql I can't get my query to work -
I can no longer connect the DataFlow::AttrRead to the class AddressData

I had this ql

import python
import semmle.python.dataflow.new.DataFlow


from DataFlow::AttrRef attr , Value mappedValue
where 
attr.getAttributeName() = "address"
and mappedValue.getAReference() = attr.getObject().asCfgNode()
select attr ,  mappedValue

which found results when I used the older version of codeql (codeql/python-all: "0.6.4" ) , but when upgrading it stopped working....
( I saw the related #6807 discussion, but the answers there don't seem to work too )
Thanks,
Yuval

[yoff]

Hi, using Value is considered old-fashion these days, I suggest you use the API graph instead.
You are facing two complications:

1. AddressData is not an externally defined class, so we have to create a new entry point. The class AddressData below does this.
2. The class is decorated, so we have to actually find the result of the decorator. The member predicate getDataclass does this.

Once this is done, any(AddressData ad).getDataclass().getReturn() will match ad = AddressData("my address") (because getReturn matches the act of instantiating the class) and we can go from there.

I have commented the code a bit, but feel free to ask further questions :-)

import python
import semmle.python.dataflow.new.DataFlow
import semmle.python.ApiGraphs

class AddressData extends API::EntryPoint {
  AddressData() { this = "AddressData" }

  override DataFlow::LocalSourceNode getASource() {
    result.asExpr().(ClassExpr).getName() = "AddressData"
  }

  // Handles the decorator `@dataclass`
  API::Node getDataclass() {
    exists(API::CallNode decorate |
      // decoration happens when invoking the `@dataclass` decorator
      decorate = API::moduleImport("dataclasses").getMember("dataclass").getACall() and
      // the first argument to the decorator is the `AddressData` class
      decorate.getArg(0) = this.getASource() and
      // the decorated class is the result of the decorator
      result = decorate.getReturn()
    )
  }
}

from API::Node address, API::CallNode warning
where
  // take the data class, instantiate it and get the `address` field
  address = any(AddressData ad).getDataclass().getReturn().getMember("address") and
  // create a logger and call `warning` (you could add a list of interesting method names here)
  warning =
    API::moduleImport("logging").getMember("getLogger").getReturn().getMember("warning").getACall() and
  // require the `address` field to be and argument to the call to `warning`
  warning.getArg(_) = address.getAValueReachableFromSource()
select warning

[yuval-piiano]

What's the way to connect a ClassExpression to attribute for a non-dataclass in a similiar way?

[yoff]

Instead of getDataclass, you simply use getASource directly (what we used to constrain the first argument of the dataclass). So it would be

address = any(AddressData ad).getASource().getReturn().getMember("address")

[yuval-piiano]

Hi,
Trying this, getting:
"getReturn() cannot be resolved for type LocalSources::LocalSourceNode"

[RasmusWL]

note: you actually need to use getANode() instead of getASource. (for anyone finding this in the future)