SONARPY-2143 add check if spread args are present in torch.load (#1980)

Seppli11 · web-flow · commit 486287417cb6 · 2024-09-19T17:14:20.000+02:00
diff --git a/python-checks/src/main/java/org/sonar/python/checks/TorchLoadLeadsToUntrustedCodeExecutionCheck.java b/python-checks/src/main/java/org/sonar/python/checks/TorchLoadLeadsToUntrustedCodeExecutionCheck.java
@@ -31,6 +31,7 @@
 import org.sonar.plugins.python.api.tree.RegularArgument;
 import org.sonar.plugins.python.api.tree.Tree;
 import org.sonar.python.cfg.fixpoint.ReachingDefinitionsAnalysis;
+import org.sonar.python.checks.utils.Expressions;
 import org.sonar.python.tree.TreeUtils;
 
 @Rule(key = "S6985")
@@ -51,15 +52,17 @@ public void initialize(Context context) {
     context.registerSyntaxNodeConsumer(Tree.Kind.CALL_EXPR, ctx -> {
       CallExpression callExpression = (CallExpression) ctx.syntaxNode();
       Symbol calleeSymbol = callExpression.calleeSymbol();
-      if (calleeSymbol != null && TORCH_LOAD.equals(calleeSymbol.fullyQualifiedName()) && isWeightsOnlyNotFoundOrSetToFalse(callExpression.arguments())) {
+      if (calleeSymbol != null && TORCH_LOAD.equals(calleeSymbol.fullyQualifiedName())
+        && isWeightsOnlyNotFoundOrSetToFalse(callExpression.arguments())) {
+
         ctx.addIssue(callExpression.callee(), MESSAGE);
       }
     });
   }
 
   private boolean isWeightsOnlyNotFoundOrSetToFalse(List<Argument> arguments) {
     RegularArgument weightsOnlyArg = TreeUtils.argumentByKeyword(WEIGHTS_ONLY, arguments);
-    if (weightsOnlyArg == null) return true;
+    if (weightsOnlyArg == null) return !Expressions.containsSpreadOperator(arguments);
     if (weightsOnlyArg.expression() instanceof Name name) {
       return PYTHON_FALSE.equals(name.name()) || isNameSetToFalse(name);
     }
diff --git a/python-checks/src/test/resources/checks/torchLoadLeadsToUntrustedCodeExecution.py b/python-checks/src/test/resources/checks/torchLoadLeadsToUntrustedCodeExecution.py
@@ -33,5 +33,11 @@ def only_one_definition():
     weights_only = False
     torch.load(model2, 'model.pth', weights_only=weights_only) #Noncompliant
 
+def spread_operator(some_dict, some_list):
+    torch.load(model2, 'model.pth', **some_dict)
+    torch.load(model2, 'model.pth', *some_list)
+    torch.load(model2, 'model.pth', weights_only=False, *some_list) #Noncompliant
+    torch.load(model2, 'model.pth', weights_only=True, *some_list)
+
 # test if no issue is raised if there is no symbol for the callee
 something[42]()
