Python: Recognize keyword arguments for os.*spawn* calls

Author: RasmusWL

python/ql/lib/semmle/python/frameworks/Stdlib.qll

@@ -492,7 +492,13 @@ private module StdlibPrivate {
       )
     }
 
-    override DataFlow::Node getCommand() { result = this.getArg(1) }
+    override DataFlow::Node getCommand() {
+      result = this.getArg(1)
+      or
+      // `file` keyword argument only valid for the `v` variants, but this
+      // over-approximation is not hurting anyone, and is easy to implement.
+      result = this.getArgByName("file")
+    }
   }
 
   /**
@@ -502,7 +508,7 @@ private module StdlibPrivate {
   private class OsPosixSpawnCall extends SystemCommandExecution::Range, DataFlow::CallCfgNode {
     OsPosixSpawnCall() { this = os().getMember(["posix_spawn", "posix_spawnp"]).getACall() }
 
-    override DataFlow::Node getCommand() { result = this.getArg(0) }
+    override DataFlow::Node getCommand() { result in [this.getArg(0), this.getArgByName("path")] }
   }
 
   /** An additional taint step for calls to `os.path.join` */

python/ql/test/library-tests/frameworks/stdlib/SystemCommandExecution.py

@@ -69,17 +69,17 @@ def os_members():
 # unlike os.exec*, some os.spawn* functions is usable with keyword arguments. However,
 # despite the docs using both `file` and `path` as the parameter name, you actually need
 # to use `file` in all cases.
-os.spawnv(mode=os.P_WAIT, file="path", args=["<progname>", "arg0"])  # $ MISSING: getCommand="path" getAPathArgument="path"
-os.spawnve(mode=os.P_WAIT, file="path", args=["<progname>", "arg0"], env=env)  # $ MISSING: getCommand="path" getAPathArgument="path"
-os.spawnvp(mode=os.P_WAIT, file="file", args=["<progname>", "arg0"])  # $ MISSING: getCommand="file" getAPathArgument="file"
-os.spawnvpe(mode=os.P_WAIT, file="file", args=["<progname>", "arg0"], env=env)  # $ MISSING: getCommand="file" getAPathArgument="file"
+os.spawnv(mode=os.P_WAIT, file="path", args=["<progname>", "arg0"])  # $ getCommand="path" MISSING: getAPathArgument="path"
+os.spawnve(mode=os.P_WAIT, file="path", args=["<progname>", "arg0"], env=env)  # $ getCommand="path" MISSING: getAPathArgument="path"
+os.spawnvp(mode=os.P_WAIT, file="file", args=["<progname>", "arg0"])  # $ getCommand="file" MISSING: getAPathArgument="file"
+os.spawnvpe(mode=os.P_WAIT, file="file", args=["<progname>", "arg0"], env=env)  # $ getCommand="file" MISSING: getAPathArgument="file"
 
 # `posix_spawn` Added in Python 3.8
 os.posix_spawn("path", ["<progname>", "arg0"], env)  # $ getCommand="path" MISSING: getAPathArgument="path"
-os.posix_spawn(path="path", argv=["<progname>", "arg0"], env=env)  # $ MISSING: getCommand="path" getAPathArgument="path"
+os.posix_spawn(path="path", argv=["<progname>", "arg0"], env=env)  # $ getCommand="path" MISSING: getAPathArgument="path"
 
 os.posix_spawnp("path", ["<progname>", "arg0"], env)  # $ getCommand="path" MISSING: getAPathArgument="path"
-os.posix_spawnp(path="path", argv=["<progname>", "arg0"], env=env)  # $ MISSING: getCommand="path" getAPathArgument="path"
+os.posix_spawnp(path="path", argv=["<progname>", "arg0"], env=env)  # $ getCommand="path" MISSING: getAPathArgument="path"
 
 ########################################