python: remove explicit dataflow steps

Author: yoff

python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPrivate.qll

@@ -792,14 +792,10 @@ predicate defaultValueFlowStep(CfgNode nodeFrom, CfgNode nodeTo) {
 predicate readStep(Node nodeFrom, Content c, Node nodeTo) {
   subscriptReadStep(nodeFrom, c, nodeTo)
   or
-  dictReadStep(nodeFrom, c, nodeTo)
-  or
   iterableUnpackingReadStep(nodeFrom, c, nodeTo)
   or
   matchReadStep(nodeFrom, c, nodeTo)
   or
-  popReadStep(nodeFrom, c, nodeTo)
-  or
   forReadStep(nodeFrom, c, nodeTo)
   or
   attributeReadStep(nodeFrom, c, nodeTo)
@@ -832,51 +828,6 @@ predicate subscriptReadStep(CfgNode nodeFrom, Content c, CfgNode nodeTo) {
   )
 }
 
-predicate dictReadStep(CfgNode nodeFrom, Content c, CfgNode nodeTo) {
-  // see
-  // - https://docs.python.org/3.10/library/stdtypes.html#dict.get
-  // - https://docs.python.org/3.10/library/stdtypes.html#dict.setdefault
-  exists(MethodCallNode call |
-    call.calls(nodeFrom, ["get", "setdefault"]) and
-    call.getArg(0).asExpr().(StrConst).getText() = c.(DictionaryElementContent).getKey() and
-    nodeTo = call
-  )
-}
-
-/** Data flows from a sequence to a call to `pop` on the sequence. */
-predicate popReadStep(CfgNode nodeFrom, Content c, CfgNode nodeTo) {
-  // set.pop or list.pop
-  //   `s.pop()`
-  //   nodeFrom is `s`, cfg node
-  //   nodeTo is `s.pop()`, cfg node
-  //   c denotes element of list or set
-  exists(CallNode call, AttrNode a |
-    call.getFunction() = a and
-    a.getName() = "pop" and // Should match appropriate call since we tracked a sequence here.
-    not exists(call.getAnArg()) and
-    nodeFrom.getNode() = a.getObject() and
-    nodeTo.getNode() = call and
-    (
-      c instanceof ListElementContent
-      or
-      c instanceof SetElementContent
-    )
-  )
-  or
-  // dict.pop
-  //   `d.pop("key")`
-  //   nodeFrom is `d`, cfg node
-  //   nodeTo is `d.pop("key")`, cfg node
-  //   c denotes the key `"key"`
-  exists(CallNode call, AttrNode a |
-    call.getFunction() = a and
-    a.getName() = "pop" and // Should match appropriate call since we tracked a dictionary here.
-    nodeFrom.getNode() = a.getObject() and
-    nodeTo.getNode() = call and
-    c.(DictionaryElementContent).getKey() = call.getArg(0).getNode().(StrConst).getS()
-  )
-}
-
 predicate forReadStep(CfgNode nodeFrom, Content c, Node nodeTo) {
   exists(ForTarget target |
     nodeFrom.asExpr() = target.getSource() and

python/ql/test/experimental/dataflow/coverage/test.py

@@ -123,23 +123,23 @@ def test_nested_list_display():
 # 6.2.6. Set displays
 def test_set_display():
     x = {SOURCE}
-    SINK(x.pop()) #$ flow="SOURCE, l:-1 -> x.pop()"
+    SINK(x.pop()) #$ MISSING:flow="SOURCE, l:-1 -> x.pop()"
 
 
 def test_set_comprehension():
     x = {SOURCE for y in [NONSOURCE]}
-    SINK(x.pop()) #$ flow="SOURCE, l:-1 -> x.pop()"
+    SINK(x.pop()) #$ MISSING:flow="SOURCE, l:-1 -> x.pop()"
 
 
 def test_set_comprehension_flow():
     x = {y for y in [SOURCE]}
-    SINK(x.pop()) #$ flow="SOURCE, l:-1 -> x.pop()"
+    SINK(x.pop()) #$ MISSING:flow="SOURCE, l:-1 -> x.pop()"
 
 
 def test_set_comprehension_inflow():
     l = {SOURCE}
     x = {y for y in l}
-    SINK(x.pop()) #$ flow="SOURCE, l:-2 -> x.pop()"
+    SINK(x.pop()) #$ MISSING:flow="SOURCE, l:-2 -> x.pop()"
 
 
 def test_nested_set_display():
@@ -155,7 +155,7 @@ def test_dict_display():
 
 def test_dict_display_pop():
     x = {"s": SOURCE}
-    SINK(x.pop("s")) #$ flow="SOURCE, l:-1 -> x.pop(..)"
+    SINK(x.pop("s")) #$ MISSING:flow="SOURCE, l:-1 -> x.pop(..)"
 
 
 def test_dict_comprehension():

python/ql/test/experimental/dataflow/coverage/test_builtins.py

@@ -100,19 +100,19 @@ def test_set_from_list():
     l = [SOURCE]
     s = set(l)
     v = s.pop()
-    SINK(v) #$ flow="SOURCE, l:-3 -> v"
+    SINK(v) #$ MISSING:flow="SOURCE, l:-3 -> v"
 
 def test_set_from_tuple():
     t = (SOURCE,)
     s = set(t)
     v = s.pop()
-    SINK(v) #$ flow="SOURCE, l:-3 -> v"
+    SINK(v) #$ MISSING:flow="SOURCE, l:-3 -> v"
 
 def test_set_from_set():
     s0 = {SOURCE}
     s = set(s0)
     v = s.pop()
-    SINK(v) #$ flow="SOURCE, l:-3 -> v"
+    SINK(v) #$ MISSING:flow="SOURCE, l:-3 -> v"
 
 def test_set_from_dict():
     d = {SOURCE: "val"}
@@ -149,7 +149,7 @@ def test_dict_from_dict():
 def test_list_pop():
     l = [SOURCE]
     v = l.pop()
-    SINK(v) #$ flow="SOURCE, l:-2 -> v"
+    SINK(v) #$ MISSING:flow="SOURCE, l:-2 -> v"
 
 def test_list_pop_index():
     l = [SOURCE]
@@ -178,7 +178,7 @@ def test_list_append():
 def test_set_pop():
     s = {SOURCE}
     v = s.pop()
-    SINK(v) #$ flow="SOURCE, l:-2 -> v"
+    SINK(v) #$ MISSING:flow="SOURCE, l:-2 -> v"
 
 def test_set_copy():
     s0 = {SOURCE}
@@ -218,17 +218,17 @@ def test_dict_items():
 def test_dict_pop():
     d = {'k': SOURCE}
     v = d.pop("k")
-    SINK(v) #$ flow="SOURCE, l:-2 -> v"
+    SINK(v) #$ MISSING:flow="SOURCE, l:-2 -> v"
     v1 = d.pop("k", NONSOURCE)
-    SINK_F(v1) #$ SPURIOUS: flow="SOURCE, l:-4 -> v1"
+    SINK_F(v1)
     v2 = d.pop("non-existing", SOURCE)
     SINK(v2) #$ MISSING: flow="SOURCE, l:-1 -> v2"
 
 @expects(2)
 def test_dict_get():
     d = {'k': SOURCE}
     v = d.get("k")
-    SINK(v) #$ flow="SOURCE, l:-2 -> v"
+    SINK(v) #$ MISSING:flow="SOURCE, l:-2 -> v"
     v1 = d.get("non-existing", SOURCE)
     SINK(v1) #$ MISSING: flow="SOURCE, l:-1 -> v1"
 

python/ql/test/experimental/dataflow/fieldflow/test_dict.py

@@ -35,23 +35,23 @@ def SINK_F(x):
 def test_dict_literal():
     d = {"key": SOURCE}
     SINK(d["key"])  # $ flow="SOURCE, l:-1 -> d['key']"
-    SINK(d.get("key"))  # $ flow="SOURCE, l:-2 -> d.get(..)"
+    SINK(d.get("key"))  # $ MISSING:flow="SOURCE, l:-2 -> d.get(..)"
 
 
 @expects(2) # $ unresolved_call=expects(..) unresolved_call=expects(..)(..)
 def test_dict_update():
     d = {}
     d["key"] = SOURCE
     SINK(d["key"])  # $ flow="SOURCE, l:-1 -> d['key']"
-    SINK(d.get("key"))  # $ flow="SOURCE, l:-2 -> d.get(..)"
+    SINK(d.get("key"))  # $ MISSING:flow="SOURCE, l:-2 -> d.get(..)"
 
 @expects(3) # $ unresolved_call=expects(..) unresolved_call=expects(..)(..)
 def test_dict_setdefault():
     d = {}
     x = d.setdefault("key", SOURCE)
     SINK(x)  # $ flow="SOURCE, l:-1 -> x"
     SINK(d["key"])  # $ flow="SOURCE, l:-2 -> d['key']"
-    SINK(d.setdefault("key", NONSOURCE))  # $ flow="SOURCE, l:-3 -> d.setdefault(..)"
+    SINK(d.setdefault("key", NONSOURCE))  # $ MISSING:flow="SOURCE, l:-3 -> d.setdefault(..)"
 
 @expects(2) # $ unresolved_call=expects(..) unresolved_call=expects(..)(..)
 def test_dict_override():

python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/UnsafeUnpack.expected

@@ -2,8 +2,7 @@ edges
 | UnsafeUnpack.py:5:26:5:32 | ControlFlowNode for ImportMember | UnsafeUnpack.py:5:26:5:32 | GSSA Variable request |
 | UnsafeUnpack.py:5:26:5:32 | GSSA Variable request | UnsafeUnpack.py:11:18:11:24 | ControlFlowNode for request |
 | UnsafeUnpack.py:11:18:11:24 | ControlFlowNode for request | UnsafeUnpack.py:11:18:11:29 | ControlFlowNode for Attribute |
-| UnsafeUnpack.py:11:18:11:29 | ControlFlowNode for Attribute | UnsafeUnpack.py:11:18:11:49 | ControlFlowNode for Attribute() |
-| UnsafeUnpack.py:11:18:11:49 | ControlFlowNode for Attribute() | UnsafeUnpack.py:17:27:17:38 | ControlFlowNode for Attribute |
+| UnsafeUnpack.py:11:18:11:29 | ControlFlowNode for Attribute | UnsafeUnpack.py:17:27:17:38 | ControlFlowNode for Attribute |
 | UnsafeUnpack.py:17:27:17:38 | ControlFlowNode for Attribute | UnsafeUnpack.py:19:35:19:41 | ControlFlowNode for tarpath |
 | UnsafeUnpack.py:33:50:33:65 | ControlFlowNode for local_ziped_path | UnsafeUnpack.py:34:23:34:38 | ControlFlowNode for local_ziped_path |
 | UnsafeUnpack.py:47:20:47:34 | ControlFlowNode for compressed_file | UnsafeUnpack.py:48:23:48:37 | ControlFlowNode for compressed_file |
@@ -31,7 +30,6 @@ nodes
 | UnsafeUnpack.py:5:26:5:32 | GSSA Variable request | semmle.label | GSSA Variable request |
 | UnsafeUnpack.py:11:18:11:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
 | UnsafeUnpack.py:11:18:11:29 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
-| UnsafeUnpack.py:11:18:11:49 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
 | UnsafeUnpack.py:17:27:17:38 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
 | UnsafeUnpack.py:19:35:19:41 | ControlFlowNode for tarpath | semmle.label | ControlFlowNode for tarpath |
 | UnsafeUnpack.py:33:50:33:65 | ControlFlowNode for local_ziped_path | semmle.label | ControlFlowNode for local_ziped_path |