python: Add reverse flow in some patterns

Particularly in value and literal patterns.
This is getting a little bit into the guards aspect of matching.
We could similarly add reverse flow in terms of
sub-patterns storing to a sequence pattern,
a flow step from alternatives to an-or-pattern, etc..
It does not seem too likely that sources are embedded in patterns
to begin with, but for secrets perhaps?

It is illustrated by the literal test. The value test still fails.
I believe we miss flow in general from the static attribute.

Author: yoff

python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPrivate.qll

@@ -1595,10 +1595,10 @@ import IterableUnpacking
  *
  * - as pattern: subject flows to alias as well as to the interior pattern
  * - or pattern: subject flows to each alternative
- * - literal pattern: no flow
+ * - literal pattern: flow from the literal to the pattern, to add information
  * - capture pattern: subject flows to the variable
  * - wildcard pattern: no flow
- * - value pattern: no flow
+ * - value pattern: flow from the value to the pattern, to add information
  * - sequence pattern: each element reads from subject at the associated index
  * - star pattern: subject flows to the variable, possibly via a conversion
  * - mapping pattern: each value reads from subject at the associated key
@@ -1636,14 +1636,16 @@ module MatchUnpacking {
    */
   predicate matchAsFlowStep(Node nodeFrom, Node nodeTo) {
     exists(MatchAsPattern subject, Name alias | alias = subject.getAlias() |
+      // We make the subject flow to the interior pattern via the alis.
+      // That way, information can propagate from the interior pattern to the alias.
+      //
+      // the subject flows to the interior pattern
       nodeFrom.asCfgNode().getNode() = subject and
-      (
-        // the subject flows to the alias
-        nodeTo.asVar().getDefinition().(PatternAliasDefinition).getDefiningNode().getNode() = alias
-        or
-        // the subject flows to the interior pattern
-        nodeTo.asCfgNode().getNode() = subject.getPattern()
-      )
+      nodeTo.asCfgNode().getNode() = subject.getPattern()
+      or
+      // the interior pattern flows to the alias
+      nodeFrom.asCfgNode().getNode() = subject.getPattern() and
+      nodeTo.asVar().getDefinition().(PatternAliasDefinition).getDefiningNode().getNode() = alias
     )
   }
 
@@ -1658,6 +1660,17 @@ module MatchUnpacking {
     )
   }
 
+  /**
+   * literal pattern: flow from the literal to the pattern, to add information
+   * syntax (toplevel): `case literal:`
+   */
+  predicate matchLiteralFlowStep(Node nodeFrom, Node nodeTo) {
+    exists(MatchLiteralPattern pattern, Expr literal | literal = pattern.getLiteral() |
+      nodeFrom.asExpr() = literal and
+      nodeTo.asCfgNode().getNode() = pattern
+    )
+  }
+
   /**
    * capture pattern: subject flows to the variable
    * syntax (toplevel): `case var:`
@@ -1669,6 +1682,17 @@ module MatchUnpacking {
     )
   }
 
+  /**
+   * value pattern: flow from the value to the pattern, to add information
+   * syntax (toplevel): `case Dotted.value:`
+   */
+  predicate matchValueFlowStep(Node nodeFrom, Node nodeTo) {
+    exists(MatchValuePattern pattern, Expr value | value = pattern.getValue() |
+      nodeFrom.asExpr() = value and
+      nodeTo.asCfgNode().getNode() = pattern
+    )
+  }
+
   /**
    * sequence pattern: each element reads from subject at the associated index
    * syntax (toplevel): `case [a, b]:`
@@ -1814,8 +1838,12 @@ module MatchUnpacking {
     or
     matchOrFlowStep(nodeFrom, nodeTo)
     or
+    matchLiteralFlowStep(nodeFrom, nodeTo)
+    or
     matchCaptureFlowStep(nodeFrom, nodeTo)
     or
+    matchValueFlowStep(nodeFrom, nodeTo)
+    or
     matchMappingFlowStep(nodeFrom, nodeTo)
   }
 

python/ql/test/experimental/dataflow/match/test.py

@@ -46,6 +46,10 @@ def test_or_pattern():
             SINK(x) #$ flow="SOURCE, l:-3 -> x"
 
 # No flow for literal pattern
+def test_literal_pattern():
+    match SOURCE:
+        case 42 as x:
+            SINK(x) #$ flow="SOURCE, l:-2 -> x" flow="42, l:-1 -> x"
 
 def test_capture_pattern():
     match SOURCE: