Python: nicer paths

yoff · yoff · commit 2d845e3e5589 · 2023-09-29T12:02:16.000+02:00
turn "the long jump" that would end up
straight at the argument into a short jump
that ends up at the dictionary being written to.
Dataflow takes care of the rest of the path.
diff --git a/python/ql/lib/semmle/python/frameworks/PyMongo.qll b/python/ql/lib/semmle/python/frameworks/PyMongo.qll
@@ -160,7 +160,7 @@ private module PyMongo {
       dictionary =
         mongoCollection().getMember(mongoCollectionMethodName()).getACall().getParameter(0) and
       query = dictionary.getSubscript("$where").asSink() and
-      this = dictionary.asSink()
+      this = dictionary.getAValueReachingSink()
     }
 
     override DataFlow::Node getAnInput() { result = query }
@@ -190,7 +190,7 @@ private module PyMongo {
               .getASubscript*()
               .getSubscript("$function") and
         query = dictionary.getSubscript("body").asSink() and
-        this = dictionary.asSink()
+        this = dictionary.getAValueReachingSink()
       )
     }
 
@@ -221,7 +221,7 @@ private module PyMongo {
               .getASubscript*()
               .getSubscript("$accumulator") and
         query = dictionary.getSubscript(["init", "accumulate", "merge", "finalize"]).asSink() and
-        this = dictionary.asSink()
+        this = dictionary.getAValueReachingSink()
       )
     }
 
diff --git a/python/ql/test/query-tests/Security/CWE-943-NoSqlInjection/NoSqlInjection.expected b/python/ql/test/query-tests/Security/CWE-943-NoSqlInjection/NoSqlInjection.expected
@@ -15,13 +15,15 @@ edges
 | PoC/server.py:46:38:46:67 | ControlFlowNode for BinaryExpr | PoC/server.py:46:27:46:68 | ControlFlowNode for Dict |
 | PoC/server.py:51:5:51:10 | SSA variable author | PoC/server.py:53:17:53:70 | ControlFlowNode for BinaryExpr |
 | PoC/server.py:51:14:51:20 | ControlFlowNode for request | PoC/server.py:51:5:51:10 | SSA variable author |
-| PoC/server.py:53:17:53:70 | ControlFlowNode for BinaryExpr | PoC/server.py:60:51:60:56 | ControlFlowNode for search |
-| PoC/server.py:60:51:60:56 | ControlFlowNode for search | PoC/server.py:60:27:60:58 | ControlFlowNode for Dict |
+| PoC/server.py:52:5:52:10 | SSA variable search | PoC/server.py:60:27:60:58 | ControlFlowNode for Dict |
+| PoC/server.py:52:14:56:5 | ControlFlowNode for Dict | PoC/server.py:52:5:52:10 | SSA variable search |
+| PoC/server.py:53:17:53:70 | ControlFlowNode for BinaryExpr | PoC/server.py:52:14:56:5 | ControlFlowNode for Dict |
 | PoC/server.py:76:5:76:10 | SSA variable author | PoC/server.py:79:23:79:101 | ControlFlowNode for BinaryExpr |
 | PoC/server.py:76:14:76:20 | ControlFlowNode for request | PoC/server.py:76:5:76:10 | SSA variable author |
-| PoC/server.py:79:23:79:101 | ControlFlowNode for BinaryExpr | PoC/server.py:85:37:85:47 | ControlFlowNode for accumulator |
+| PoC/server.py:77:5:77:15 | SSA variable accumulator | PoC/server.py:83:5:83:9 | SSA variable group |
+| PoC/server.py:77:19:82:5 | ControlFlowNode for Dict | PoC/server.py:77:5:77:15 | SSA variable accumulator |
+| PoC/server.py:79:23:79:101 | ControlFlowNode for BinaryExpr | PoC/server.py:77:19:82:5 | ControlFlowNode for Dict |
 | PoC/server.py:83:5:83:9 | SSA variable group | PoC/server.py:90:29:90:47 | ControlFlowNode for Dict |
-| PoC/server.py:85:37:85:47 | ControlFlowNode for accumulator | PoC/server.py:83:5:83:9 | SSA variable group |
 | PoC/server.py:96:5:96:10 | SSA variable author | PoC/server.py:97:5:97:10 | SSA variable mapper |
 | PoC/server.py:96:14:96:20 | ControlFlowNode for request | PoC/server.py:96:5:96:10 | SSA variable author |
 | PoC/server.py:97:5:97:10 | SSA variable mapper | PoC/server.py:100:9:100:14 | ControlFlowNode for mapper |
@@ -106,13 +108,12 @@ edges
 | pymongo_test.py:52:15:52:50 | ControlFlowNode for Attribute() | pymongo_test.py:52:5:52:11 | SSA variable decoded |
 | pymongo_test.py:52:26:52:32 | ControlFlowNode for request | pymongo_test.py:52:26:52:49 | ControlFlowNode for Subscript |
 | pymongo_test.py:52:26:52:49 | ControlFlowNode for Subscript | pymongo_test.py:52:15:52:50 | ControlFlowNode for Attribute() |
-| pymongo_test.py:54:5:54:10 | SSA variable search | pymongo_test.py:59:49:59:54 | ControlFlowNode for search |
-| pymongo_test.py:55:17:55:23 | ControlFlowNode for decoded | pymongo_test.py:54:5:54:10 | SSA variable search |
-| pymongo_test.py:55:17:55:23 | ControlFlowNode for decoded | pymongo_test.py:59:49:59:54 | ControlFlowNode for search |
+| pymongo_test.py:54:5:54:10 | SSA variable search | pymongo_test.py:59:25:59:56 | ControlFlowNode for Dict |
+| pymongo_test.py:54:14:58:5 | ControlFlowNode for Dict | pymongo_test.py:54:5:54:10 | SSA variable search |
+| pymongo_test.py:55:17:55:23 | ControlFlowNode for decoded | pymongo_test.py:54:14:58:5 | ControlFlowNode for Dict |
 | pymongo_test.py:55:17:55:23 | ControlFlowNode for decoded | pymongo_test.py:61:25:61:57 | ControlFlowNode for Dict |
 | pymongo_test.py:55:17:55:23 | ControlFlowNode for decoded | pymongo_test.py:62:25:62:42 | ControlFlowNode for Dict |
 | pymongo_test.py:55:17:55:23 | ControlFlowNode for decoded | pymongo_test.py:63:25:63:31 | ControlFlowNode for decoded |
-| pymongo_test.py:59:49:59:54 | ControlFlowNode for search | pymongo_test.py:59:25:59:56 | ControlFlowNode for Dict |
 nodes
 | PoC/server.py:1:26:1:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember |
 | PoC/server.py:1:26:1:32 | GSSA Variable request | semmle.label | GSSA Variable request |
@@ -128,14 +129,16 @@ nodes
 | PoC/server.py:46:38:46:67 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
 | PoC/server.py:51:5:51:10 | SSA variable author | semmle.label | SSA variable author |
 | PoC/server.py:51:14:51:20 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| PoC/server.py:52:5:52:10 | SSA variable search | semmle.label | SSA variable search |
+| PoC/server.py:52:14:56:5 | ControlFlowNode for Dict | semmle.label | ControlFlowNode for Dict |
 | PoC/server.py:53:17:53:70 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
 | PoC/server.py:60:27:60:58 | ControlFlowNode for Dict | semmle.label | ControlFlowNode for Dict |
-| PoC/server.py:60:51:60:56 | ControlFlowNode for search | semmle.label | ControlFlowNode for search |
 | PoC/server.py:76:5:76:10 | SSA variable author | semmle.label | SSA variable author |
 | PoC/server.py:76:14:76:20 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| PoC/server.py:77:5:77:15 | SSA variable accumulator | semmle.label | SSA variable accumulator |
+| PoC/server.py:77:19:82:5 | ControlFlowNode for Dict | semmle.label | ControlFlowNode for Dict |
 | PoC/server.py:79:23:79:101 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
 | PoC/server.py:83:5:83:9 | SSA variable group | semmle.label | SSA variable group |
-| PoC/server.py:85:37:85:47 | ControlFlowNode for accumulator | semmle.label | ControlFlowNode for accumulator |
 | PoC/server.py:90:29:90:47 | ControlFlowNode for Dict | semmle.label | ControlFlowNode for Dict |
 | PoC/server.py:96:5:96:10 | SSA variable author | semmle.label | SSA variable author |
 | PoC/server.py:96:14:96:20 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
@@ -226,9 +229,9 @@ nodes
 | pymongo_test.py:52:26:52:32 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
 | pymongo_test.py:52:26:52:49 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
 | pymongo_test.py:54:5:54:10 | SSA variable search | semmle.label | SSA variable search |
+| pymongo_test.py:54:14:58:5 | ControlFlowNode for Dict | semmle.label | ControlFlowNode for Dict |
 | pymongo_test.py:55:17:55:23 | ControlFlowNode for decoded | semmle.label | ControlFlowNode for decoded |
 | pymongo_test.py:59:25:59:56 | ControlFlowNode for Dict | semmle.label | ControlFlowNode for Dict |
-| pymongo_test.py:59:49:59:54 | ControlFlowNode for search | semmle.label | ControlFlowNode for search |
 | pymongo_test.py:61:25:61:57 | ControlFlowNode for Dict | semmle.label | ControlFlowNode for Dict |
 | pymongo_test.py:62:25:62:42 | ControlFlowNode for Dict | semmle.label | ControlFlowNode for Dict |
 | pymongo_test.py:63:25:63:31 | ControlFlowNode for decoded | semmle.label | ControlFlowNode for decoded |

Original file line number	Diff line number	Diff line change
`@@ -160,7 +160,7 @@ private module PyMongo {`
`160`	`160`	`dictionary =`
`161`	`161`	`mongoCollection().getMember(mongoCollectionMethodName()).getACall().getParameter(0) and`
`162`	`162`	`query = dictionary.getSubscript("$where").asSink() and`
`163`		`- this = dictionary.asSink()`
	`163`	`+ this = dictionary.getAValueReachingSink()`
`164`	`164`	`}`
`165`	`165`
`166`	`166`	`override DataFlow::Node getAnInput() { result = query }`
`@@ -190,7 +190,7 @@ private module PyMongo {`
`190`	`190`	`.getASubscript*()`
`191`	`191`	`.getSubscript("$function") and`
`192`	`192`	`query = dictionary.getSubscript("body").asSink() and`
`193`		`- this = dictionary.asSink()`
	`193`	`+ this = dictionary.getAValueReachingSink()`
`194`	`194`	`)`
`195`	`195`	`}`
`196`	`196`
`@@ -221,7 +221,7 @@ private module PyMongo {`
`221`	`221`	`.getASubscript*()`
`222`	`222`	`.getSubscript("$accumulator") and`
`223`	`223`	`query = dictionary.getSubscript(["init", "accumulate", "merge", "finalize"]).asSink() and`
`224`		`- this = dictionary.asSink()`
	`224`	`+ this = dictionary.getAValueReachingSink()`
`225`	`225`	`)`
`226`	`226`	`}`
`227`	`227`