Python: Exclude synthetic generator functions from DataFlowCallable

Author: RasmusWL

python/ql/lib/semmle/python/dataflow/new/internal/DataFlowDispatch.qll

@@ -254,7 +254,14 @@ abstract class LibraryCallable extends string {
 }
 
 newtype TDataFlowCallable =
-  TFunction(Function func) or
+  TFunction(Function func) {
+    // For generators/list-comprehensions we create a synthetic function. In the
+    // points-to call-graph these were not considered callable, and instead we added
+    // data-flow steps (read/write) for these. As an easy solution for now, we do the
+    // same to keep things easy to reason about (and therefore exclude things that do
+    // not have a definition)
+    exists(func.getDefinition())
+  } or
   /** see QLDoc for `DataFlowModuleScope` for why we need this. */
   TModule(Module m) or
   TLibraryCallable(LibraryCallable callable)

python/ql/test/experimental/dataflow/coverage/localFlow.expected

@@ -8,4 +8,10 @@
 | test.py:187:1:187:53 | GSSA Variable SINK | test.py:189:5:189:8 | ControlFlowNode for SINK |
 | test.py:187:1:187:53 | GSSA Variable SOURCE | test.py:188:25:188:30 | ControlFlowNode for SOURCE |
 | test.py:188:5:188:5 | SSA variable x | test.py:189:10:189:10 | ControlFlowNode for x |
+| test.py:188:9:188:68 | ControlFlowNode for .0 | test.py:188:9:188:68 | SSA variable .0 |
 | test.py:188:9:188:68 | ControlFlowNode for ListComp | test.py:188:5:188:5 | SSA variable x |
+| test.py:188:9:188:68 | SSA variable .0 | test.py:188:9:188:68 | ControlFlowNode for .0 |
+| test.py:188:16:188:16 | SSA variable v | test.py:188:45:188:45 | ControlFlowNode for v |
+| test.py:188:40:188:40 | SSA variable u | test.py:188:56:188:56 | ControlFlowNode for u |
+| test.py:188:51:188:51 | SSA variable z | test.py:188:67:188:67 | ControlFlowNode for z |
+| test.py:188:62:188:62 | SSA variable y | test.py:188:10:188:10 | ControlFlowNode for y |

python/ql/test/experimental/dataflow/enclosing-callable/EnclosingCallable.expected

@@ -15,10 +15,10 @@
 | generator.py:0:0:0:0 | Module generator | generator.py:1:1:1:23 | ControlFlowNode for FunctionExpr |
 | generator.py:0:0:0:0 | Module generator | generator.py:1:5:1:18 | ControlFlowNode for generator_func |
 | generator.py:1:1:1:23 | Function generator_func | generator.py:1:20:1:21 | ControlFlowNode for xs |
+| generator.py:1:1:1:23 | Function generator_func | generator.py:2:12:2:26 | ControlFlowNode for .0 |
+| generator.py:1:1:1:23 | Function generator_func | generator.py:2:12:2:26 | ControlFlowNode for .0 |
 | generator.py:1:1:1:23 | Function generator_func | generator.py:2:12:2:26 | ControlFlowNode for ListComp |
+| generator.py:1:1:1:23 | Function generator_func | generator.py:2:13:2:13 | ControlFlowNode for Yield |
+| generator.py:1:1:1:23 | Function generator_func | generator.py:2:13:2:13 | ControlFlowNode for x |
+| generator.py:1:1:1:23 | Function generator_func | generator.py:2:19:2:19 | ControlFlowNode for x |
 | generator.py:1:1:1:23 | Function generator_func | generator.py:2:24:2:25 | ControlFlowNode for xs |
-| generator.py:2:12:2:26 | Function listcomp | generator.py:2:12:2:26 | ControlFlowNode for .0 |
-| generator.py:2:12:2:26 | Function listcomp | generator.py:2:12:2:26 | ControlFlowNode for .0 |
-| generator.py:2:12:2:26 | Function listcomp | generator.py:2:13:2:13 | ControlFlowNode for Yield |
-| generator.py:2:12:2:26 | Function listcomp | generator.py:2:13:2:13 | ControlFlowNode for x |
-| generator.py:2:12:2:26 | Function listcomp | generator.py:2:19:2:19 | ControlFlowNode for x |

python/ql/test/experimental/dataflow/tainttracking/generator-flow/test_taint.py

@@ -31,7 +31,7 @@ def test_non_source():
     ensure_not_tainted(x)
 
     x = generator_helper(NONSOURCE)
-    ensure_not_tainted(x) # $ SPURIOUS: tainted
+    ensure_not_tainted(x)
 
     x = generator_helper_wo_source_use(NONSOURCE)
     ensure_not_tainted(x)