Python: compact types in type models

Author: yoff

docs/codeql/codeql-language-guides/customizing-library-models-for-python.rst

@@ -128,11 +128,11 @@ We could add a data extension similar to the previous one, but with the type **i
         pack: codeql/python-all
         extensible: typeModel
       data:
-        - ["invoke.Context", "invoke", "Member[context].Member[Context].Instance"]
+        - ["invoke.Context", "invoke.context.Context", ""]
 
 - The first column, **"invoke.Context"**, is the name of the type to reach.
-- The second column, **"invoke"**, is the name of the type from which to evaluate the path.
-- The third column, **"Member[context].Member[Context].Instance"**, is the access path leading from **invoke** to **invoke.Context**.
+- The second column, **"invoke.context.Context"**, is the name of the type from which to evaluate the path.
+- The third column is just an empty string, indicating that any instance of **invoke.context.Context** is also an instance of **invoke.Context**.
 
 Combining this with the sink model we added earlier, the sink in the example is detected by the model.
 

python/ql/test/library-tests/dataflow/model-summaries/InlineTaintTest.ext.yml

@@ -33,4 +33,7 @@ extensions:
       - ["foo.MS_Class", "foo", "Member[get_instance].ReturnValue"]
       - ["foo.MS_Class!", "foo", "Member[get_class].ReturnValue"]
       # Ideally this would be a consequence of the above line
-      - ["foo.MS_Class", "foo", "Member[get_class].ReturnValue.Instance"]
+      - ["foo.MS_Class", "foo", "Member[get_class].ReturnValue.Instance"]
+      - ["foo.MS_Class", "foo.MS_Factory!", "Member[get_instance].ReturnValue"]
+      - ["foo.MS_Class", "foo.MS_Factory", "Member[make].ReturnValue"]
+      - ["foo.MS_Class", "foo.Impl.MS_Class_Impl", ""]

python/ql/test/library-tests/dataflow/model-summaries/NormalDataflowTest.ext.yml

@@ -33,4 +33,7 @@ extensions:
       - ["foo.MS_Class", "foo", "Member[get_instance].ReturnValue"]
       - ["foo.MS_Class!", "foo", "Member[get_class].ReturnValue"]
       # Ideally this would be a consequence of the above line
-      - ["foo.MS_Class", "foo", "Member[get_class].ReturnValue.Instance"]
+      - ["foo.MS_Class", "foo", "Member[get_class].ReturnValue.Instance"]
+      - ["foo.MS_Class", "foo.MS_Factory!", "Member[get_instance].ReturnValue"]
+      - ["foo.MS_Class", "foo.MS_Factory", "Member[make].ReturnValue"]
+      - ["foo.MS_Class", "foo.Impl.MS_Class_Impl", ""]

python/ql/test/library-tests/dataflow/model-summaries/model_summaries.py

@@ -30,7 +30,7 @@ def SINK_F(x):
 ensure_tainted = ensure_not_tainted = print
 TAINTED_STRING = "TAINTED_STRING"
 
-from foo import MS_identity, MS_apply_lambda, MS_reversed, MS_list_map, MS_append_to_list, MS_spread, MS_spread_all
+from foo import MS_identity, MS_apply_lambda, MS_reversed, MS_list_map, MS_append_to_list, MS_spread, MS_spread_all, Impl
 
 # Simple summary
 via_identity = MS_identity(SOURCE)
@@ -122,7 +122,7 @@ def explicit_identity(x):
 SINK(a)  # $ flow="SOURCE, l:-1 -> a"
 SINK(b)  # $ flow="SOURCE, l:-2 -> b"
 
-from foo import MS_Class, MS_Class_transitive, get_instance, get_class
+from foo import MS_Class, MS_Class_transitive, get_instance, get_class, MS_Factory
 
 # Class summaries
 class_via_positional = MS_Class(SOURCE)
@@ -184,6 +184,14 @@ def __init__(y, x):
 
 SINK(returned_class().instance_method(SOURCE)[1])  # $flow="SOURCE -> returned_class().instance_method(..)[1]"
 
+fatory_instance = MS_Factory.get_instance()
+SINK(fatory_instance.instance_method(SOURCE)[1])  # $ flow="SOURCE -> fatory_instance.instance_method(..)[1]"
+
+factory = MS_Factory()
+SINK(factory.make().instance_method(SOURCE)[1])  # $ flow="SOURCE -> factory.make().instance_method(..)[1]"
+
+also_instance = Impl.MS_Class_Impl()
+SINK(also_instance.instance_method(SOURCE)[1])  # $ flow="SOURCE -> also_instance.instance_method(..)[1]"
 
 # Modeled flow-summary is not value preserving
 from json import MS_loads as json_loads