Python: target SSA variable rather than Cfg node

yoff · yoff · commit b36e0d0be756 · 2021-03-08T08:04:42.000+01:00
also add "INTERNAL: Do not use."
also give test functions different names
diff --git a/python/ql/src/semmle/python/security/dataflow/ExceptionInfo.qll b/python/ql/src/semmle/python/security/dataflow/ExceptionInfo.qll
@@ -5,6 +5,8 @@ import semmle.python.dataflow.new.DataFlow
 private import semmle.python.ApiGraphs
 
 /**
+ * INTERNAL: Do not use.
+ *
  * A data-flow node that carries information about a raised exception.
  * Such information should rarely be exposed directly to the user.
  */
@@ -25,7 +27,10 @@ private class TracebackFunctionCall extends ExceptionInfo, DataFlow::CallCfgNode
 
 /** A caught exception. */
 private class CaughtException extends ExceptionInfo {
-  CaughtException() { this.asExpr() = any(ExceptStmt s).getName() }
+  CaughtException() {
+    this.asVar().getDefinition().(EssaNodeDefinition).getDefiningNode().getNode() =
+      any(ExceptStmt s).getName()
+  }
 }
 
 /** A call to `sys.exc_info`. */
diff --git a/python/ql/test/query-tests/Security/CWE-209/StackTraceExposure.expected b/python/ql/test/query-tests/Security/CWE-209/StackTraceExposure.expected
@@ -1,11 +1,15 @@
 edges
+| test.py:23:25:23:25 | SSA variable e | test.py:24:16:24:16 | ControlFlowNode for e |
 | test.py:49:15:49:36 | ControlFlowNode for Attribute() | test.py:50:29:50:31 | ControlFlowNode for err |
 | test.py:50:29:50:31 | ControlFlowNode for err | test.py:50:16:50:32 | ControlFlowNode for format_error() |
 nodes
 | test.py:16:16:16:37 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| test.py:23:25:23:25 | SSA variable e | semmle.label | SSA variable e |
+| test.py:24:16:24:16 | ControlFlowNode for e | semmle.label | ControlFlowNode for e |
 | test.py:49:15:49:36 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
 | test.py:50:16:50:32 | ControlFlowNode for format_error() | semmle.label | ControlFlowNode for format_error() |
 | test.py:50:29:50:31 | ControlFlowNode for err | semmle.label | ControlFlowNode for err |
 #select
 | test.py:16:16:16:37 | ControlFlowNode for Attribute() | test.py:16:16:16:37 | ControlFlowNode for Attribute() | test.py:16:16:16:37 | ControlFlowNode for Attribute() | $@ may be exposed to an external user | test.py:16:16:16:37 | ControlFlowNode for Attribute() | Error information |
+| test.py:24:16:24:16 | ControlFlowNode for e | test.py:23:25:23:25 | SSA variable e | test.py:24:16:24:16 | ControlFlowNode for e | $@ may be exposed to an external user | test.py:23:25:23:25 | SSA variable e | Error information |
 | test.py:50:16:50:32 | ControlFlowNode for format_error() | test.py:49:15:49:36 | ControlFlowNode for Attribute() | test.py:50:16:50:32 | ControlFlowNode for format_error() | $@ may be exposed to an external user | test.py:49:15:49:36 | ControlFlowNode for Attribute() | Error information |
diff --git a/python/ql/test/query-tests/Security/CWE-209/test.py b/python/ql/test/query-tests/Security/CWE-209/test.py
@@ -16,16 +16,16 @@ def server_bad():
         return traceback.format_exc()  #$ exceptionInfo
 
 # BAD
-@app.route('/bad/clearly')
-def server_bad():
+@app.route('/bad/direct')
+def server_bad_direct():
     try:
         do_computation()
     except Exception as e:  #$ exceptionInfo
         return e
 
 # BAD
-@app.route('/bad/also')
-def server_bad():
+@app.route('/bad/traceback')
+def server_bad_traceback():
     try:
         do_computation()
     except Exception as e:  #$ exceptionInfo
