Merge pull request github#5517 from tausbn/python-prevent-potentially-bad-join-order

yoff · web-flow · commit 716e0f1404aa · 2021-03-25T18:14:47.000+01:00
Python: Prevent potentially bad join order
diff --git a/python/ql/src/semmle/python/objects/Classes.qll b/python/ql/src/semmle/python/objects/Classes.qll
@@ -61,8 +61,8 @@ abstract class ClassObjectInternal extends ObjectInternal {
   pragma[noinline]
   override predicate binds(ObjectInternal instance, string name, ObjectInternal descriptor) {
     instance = this and
-    PointsToInternal::attributeRequired(this, name) and
-    this.lookup(name, descriptor, _) and
+    PointsToInternal::attributeRequired(this, pragma[only_bind_into](name)) and
+    this.lookup(pragma[only_bind_into](name), descriptor, _) and
     descriptor.isDescriptor() = true
   }
 
diff --git a/python/ql/src/semmle/python/objects/Constants.qll b/python/ql/src/semmle/python/objects/Constants.qll
@@ -34,9 +34,11 @@ abstract class ConstantObjectInternal extends ObjectInternal {
 
   pragma[noinline]
   override predicate attribute(string name, ObjectInternal value, CfgOrigin origin) {
-    PointsToInternal::attributeRequired(this, name) and
+    PointsToInternal::attributeRequired(pragma[only_bind_into](this), pragma[only_bind_into](name)) and
     exists(ObjectInternal cls_attr, CfgOrigin attr_orig |
-      this.getClass().(ClassObjectInternal).lookup(name, cls_attr, attr_orig) and
+      this.getClass()
+          .(ClassObjectInternal)
+          .lookup(pragma[only_bind_into](name), cls_attr, attr_orig) and
       cls_attr.isDescriptor() = true and
       cls_attr.descriptorGetInstance(this, value, origin)
     )
diff --git a/python/ql/src/semmle/python/objects/Instances.qll b/python/ql/src/semmle/python/objects/Instances.qll
@@ -30,18 +30,19 @@ abstract class InstanceObject extends ObjectInternal {
 
   pragma[noinline]
   private predicate classAttribute(string name, ObjectInternal cls_attr) {
-    PointsToInternal::attributeRequired(this, name) and
-    this.getClass().(ClassObjectInternal).lookup(name, cls_attr, _)
+    PointsToInternal::attributeRequired(this, pragma[only_bind_into](name)) and
+    this.getClass().(ClassObjectInternal).lookup(pragma[only_bind_into](name), cls_attr, _)
   }
 
   pragma[noinline]
   private predicate selfAttribute(string name, ObjectInternal value, CfgOrigin origin) {
-    PointsToInternal::attributeRequired(this, name) and
+    PointsToInternal::attributeRequired(this, pragma[only_bind_into](name)) and
     exists(EssaVariable self, PythonFunctionObjectInternal init, Context callee |
       this.initializer(init, callee) and
       self_variable_reaching_init_exit(self) and
       self.getScope() = init.getScope() and
-      AttributePointsTo::variableAttributePointsTo(self, callee, name, value, origin)
+      AttributePointsTo::variableAttributePointsTo(self, callee, pragma[only_bind_into](name),
+        value, origin)
     )
   }
 
@@ -316,9 +317,11 @@ class UnknownInstanceInternal extends TUnknownInstance, ObjectInternal {
 
   pragma[noinline]
   override predicate attribute(string name, ObjectInternal value, CfgOrigin origin) {
-    PointsToInternal::attributeRequired(this, name) and
+    PointsToInternal::attributeRequired(this, pragma[only_bind_into](name)) and
     exists(ObjectInternal cls_attr, CfgOrigin attr_orig |
-      this.getClass().(ClassObjectInternal).lookup(name, cls_attr, attr_orig)
+      this.getClass()
+          .(ClassObjectInternal)
+          .lookup(pragma[only_bind_into](name), cls_attr, attr_orig)
     |
       cls_attr.isDescriptor() = false and value = cls_attr and origin = attr_orig
       or
@@ -456,8 +459,8 @@ class SuperInstance extends TSuperInstance, ObjectInternal {
   /* Helper for `attribute` */
   pragma[noinline]
   private predicate attribute_descriptor(string name, ObjectInternal cls_attr, CfgOrigin attr_orig) {
-    PointsToInternal::attributeRequired(this, name) and
-    this.lookup(name, cls_attr, attr_orig)
+    PointsToInternal::attributeRequired(this, pragma[only_bind_into](name)) and
+    this.lookup(pragma[only_bind_into](name), cls_attr, attr_orig)
   }
 
   private predicate lookup(string name, ObjectInternal value, CfgOrigin origin) {
diff --git a/python/ql/src/semmle/python/pointsto/PointsTo.qll b/python/ql/src/semmle/python/pointsto/PointsTo.qll
@@ -524,6 +524,7 @@ module PointsToInternal {
     )
   }
 
+  pragma[noinline]
   private boolean ssa_filter_definition_bool(
     PyEdgeRefinement def, PointsToContext context, ObjectInternal value, ControlFlowNode origin
   ) {
diff --git a/python/ql/src/semmle/python/pointsto/PointsToContext.qll b/python/ql/src/semmle/python/pointsto/PointsToContext.qll
@@ -184,7 +184,11 @@ class PointsToContext extends TPointsToContext {
 
   /** Holds if this context can apply to the CFG node `n`. */
   pragma[inline]
-  predicate appliesTo(ControlFlowNode n) { this.appliesToScope(n.getScope()) }
+  predicate appliesTo(ControlFlowNode n) {
+    exists(Scope s |
+      this.appliesToScope(pragma[only_bind_into](s)) and pragma[only_bind_into](s) = n.getScope()
+    )
+  }
 
   /** Holds if this context is a call context. */
   predicate isCall() { this = TCallContext(_, _, _) }

Original file line number	Diff line number	Diff line change
`@@ -524,6 +524,7 @@ module PointsToInternal {`
`524`	`524`	`)`
`525`	`525`	`}`
`526`	`526`
	`527`	`+ pragma[noinline]`
`527`	`528`	`private boolean ssa_filter_definition_bool(`
`528`	`529`	`PyEdgeRefinement def, PointsToContext context, ObjectInternal value, ControlFlowNode origin`
`529`	`530`	`) {`