Python: use yield step also for taint

yoff · yoff · commit 7392d186bcc9 · 2024-09-30T13:49:01.000+02:00
Using the comprehension store step meant that all comprehensions would receive taint.
This because comprehension flow now goes via a callable, meaning they share the return node.
diff --git a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPrivate.qll b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPrivate.qll
@@ -168,7 +168,7 @@ private predicate synthDictSplatArgumentNodeStoreStep(
   )
 }
 
-private predicate yieldStoreStep(Node nodeFrom, Content c, Node nodeTo) {
+predicate yieldStoreStep(Node nodeFrom, Content c, Node nodeTo) {
   exists(Yield yield, Function func |
     nodeTo.asCfgNode() = yield.getAFlowNode() and
     nodeFrom.asCfgNode() = yield.getValue().getAFlowNode() and
@@ -885,31 +885,6 @@ predicate dictClearStep(Node node, DictionaryElementContent c) {
   )
 }
 
-/** Data flows from an element expression in a comprehension to the comprehension. */
-predicate comprehensionStoreStep(CfgNode nodeFrom, Content c, CfgNode nodeTo) {
-  // Comprehension
-  //   `[x+1 for x in l]`
-  //   nodeFrom is `x+1`, cfg node
-  //   nodeTo is `[x+1 for x in l]`, cfg node
-  //   c denotes list or set or dictionary without index
-  //
-  // List
-  nodeTo.getNode().getNode().(ListComp).getElt() = nodeFrom.getNode().getNode() and
-  c instanceof ListElementContent
-  or
-  // Set
-  nodeTo.getNode().getNode().(SetComp).getElt() = nodeFrom.getNode().getNode() and
-  c instanceof SetElementContent
-  or
-  // Dictionary
-  nodeTo.getNode().getNode().(DictComp).getElt() = nodeFrom.getNode().getNode() and
-  c instanceof DictionaryElementAnyContent
-  or
-  // Generator
-  nodeTo.getNode().getNode().(GeneratorExp).getElt() = nodeFrom.getNode().getNode() and
-  c instanceof ListElementContent
-}
-
 /**
  * Holds if `nodeFrom` flows into the attribute `c` of `nodeTo` via an attribute assignment.
  *
diff --git a/python/ql/lib/semmle/python/dataflow/new/internal/TaintTrackingPrivate.qll b/python/ql/lib/semmle/python/dataflow/new/internal/TaintTrackingPrivate.qll
@@ -188,7 +188,7 @@ predicate containerStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
   // TODO: once we have proper flow-summary modeling, we might not need this step any
   // longer -- but there needs to be a matching read-step for the store-step, and we
   // don't provide that right now.
-  DataFlowPrivate::comprehensionStoreStep(nodeFrom, _, nodeTo)
+  DataFlowPrivate::yieldStoreStep(nodeFrom, _, nodeTo)
 }
 
 /**

Original file line number	Diff line number	Diff line change
`@@ -188,7 +188,7 @@ predicate containerStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {`
`188`	`188`	`// TODO: once we have proper flow-summary modeling, we might not need this step any`
`189`	`189`	`// longer -- but there needs to be a matching read-step for the store-step, and we`
`190`	`190`	`// don't provide that right now.`
`191`		`- DataFlowPrivate::comprehensionStoreStep(nodeFrom, _, nodeTo)`
	`191`	`+ DataFlowPrivate::yieldStoreStep(nodeFrom, _, nodeTo)`
`192`	`192`	`}`
`193`	`193`
`194`	`194`	`/**`