Python: Add post-update nodes to args of unresolved calls

RasmusWL · RasmusWL · commit b2ce0fcb7272 · 2022-02-04T11:51:53.000+01:00
Besides solving the problem with `setattr`, it also solved some old
problems with json library modeling (yay).
diff --git a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPrivate.qll b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPrivate.qll
@@ -126,7 +126,7 @@ module syntheticPostUpdateNode {
    * Certain arguments, such as implicit self arguments are already post-update nodes
    * and should not have an extra node synthesised.
    */
-  ArgumentNode argumentPreUpdateNode() {
+  Node argumentPreUpdateNode() {
     result = any(FunctionCall c).getArg(_)
     or
     // Avoid argument 0 of method calls as those have read post-update nodes.
@@ -136,6 +136,11 @@ module syntheticPostUpdateNode {
     or
     // Avoid argument 0 of class calls as those have non-synthetic post-update nodes.
     exists(ClassCall c, int n | n > 0 | result = c.getArg(n))
+    or
+    // any argument of any call that we have not been able to resolve
+    exists(CallNode call | not call = any(DataFlowCall c).getNode() |
+      result.(CfgNode).getNode() in [call.getArg(_), call.getArgByName(_)]
+    )
   }
 
   /** An object might have its value changed after a store. */
diff --git a/python/ql/test/experimental/dataflow/fieldflow/test.py b/python/ql/test/experimental/dataflow/fieldflow/test.py
@@ -101,13 +101,13 @@ def test_getattr():
 def test_setattr():
     myobj = MyObj(NONSOURCE)
     setattr(myobj, "foo", SOURCE)
-    SINK(myobj.foo) # $ MISSING: flow
+    SINK(myobj.foo) # $ flow="SOURCE, l:-1 -> myobj.foo"
 
 
 def test_setattr_getattr():
     myobj = MyObj(NONSOURCE)
     setattr(myobj, "foo", SOURCE)
-    SINK(getattr(myobj, "foo")) # $ MISSING: flow
+    SINK(getattr(myobj, "foo")) # $ flow="SOURCE, l:-1 -> getattr(..)"
 
 
 def test_setattr_getattr_overwrite():
diff --git a/python/ql/test/library-tests/frameworks/simplejson/taint_test.py b/python/ql/test/library-tests/frameworks/simplejson/taint_test.py
@@ -17,22 +17,22 @@ def test():
 
     # load/dump with file-like
     tainted_filelike = StringIO()
-    simplejson.dump(tainted_obj, tainted_filelike) # $ encodeFormat=JSON encodeInput=tainted_obj
+    simplejson.dump(tainted_obj, tainted_filelike) # $ encodeFormat=JSON encodeInput=tainted_obj encodeOutput=[post]tainted_filelike
 
     tainted_filelike.seek(0)
     ensure_tainted(
-        tainted_filelike, # $ MISSING: tainted
-        simplejson.load(tainted_filelike), # $ decodeOutput=simplejson.load(..) decodeFormat=JSON decodeInput=tainted_filelike MISSING: tainted
+        tainted_filelike, # $ tainted
+        simplejson.load(tainted_filelike), # $ tainted decodeOutput=simplejson.load(..) decodeFormat=JSON decodeInput=tainted_filelike
     )
 
     # load/dump with file-like using keyword-args
     tainted_filelike = StringIO()
-    simplejson.dump(obj=tainted_obj, fp=tainted_filelike) # $ encodeFormat=JSON encodeInput=tainted_obj
+    simplejson.dump(obj=tainted_obj, fp=tainted_filelike) # $ encodeFormat=JSON encodeInput=tainted_obj encodeOutput=[post]tainted_filelike
 
     tainted_filelike.seek(0)
     ensure_tainted(
-        tainted_filelike, # $ MISSING: tainted
-        simplejson.load(fp=tainted_filelike), # $ decodeOutput=simplejson.load(..) decodeFormat=JSON decodeInput=tainted_filelike MISSING: tainted
+        tainted_filelike, # $ tainted
+        simplejson.load(fp=tainted_filelike), # $ tainted decodeOutput=simplejson.load(..) decodeFormat=JSON decodeInput=tainted_filelike
     )
 
 # To make things runable
diff --git a/python/ql/test/library-tests/frameworks/ujson/taint_test.py b/python/ql/test/library-tests/frameworks/ujson/taint_test.py
@@ -22,12 +22,12 @@ def test():
 
     # load/dump with file-like
     tainted_filelike = StringIO()
-    ujson.dump(tainted_obj, tainted_filelike) # $ encodeFormat=JSON encodeInput=tainted_obj
+    ujson.dump(tainted_obj, tainted_filelike) # $ encodeFormat=JSON encodeInput=tainted_obj encodeOutput=[post]tainted_filelike
 
     tainted_filelike.seek(0)
     ensure_tainted(
-        tainted_filelike, # $ MISSING: tainted
-        ujson.load(tainted_filelike), # $ decodeOutput=ujson.load(..) decodeFormat=JSON decodeInput=tainted_filelike MISSING: tainted
+        tainted_filelike, # $ tainted
+        ujson.load(tainted_filelike), # $ tainted decodeOutput=ujson.load(..) decodeFormat=JSON decodeInput=tainted_filelike
     )
 
     # load/dump with file-like using keyword-args does not work in `ujson`
