Python: Fixup modeling of os.open

Author: RasmusWL

python/ql/lib/semmle/python/frameworks/Stdlib.qll

@@ -338,7 +338,7 @@ module StdlibPrivate {
    * Modeling of path related functions in the `os` module.
    * Wrapped in QL module to make it easy to fold/unfold.
    */
-  private module OsFileSystemAccessModeling {
+  module OsFileSystemAccessModeling {
     /**
      * A call to the `os.fsencode` function.
      *
@@ -395,7 +395,7 @@ module StdlibPrivate {
      *
      * See https://docs.python.org/3/library/os.html#os.open
      */
-    private class OsOpenCall extends FileSystemAccess::Range, DataFlow::CallCfgNode {
+    class OsOpenCall extends FileSystemAccess::Range, DataFlow::CallCfgNode {
       OsOpenCall() { this = os().getMember("open").getACall() }
 
       override DataFlow::Node getAPathArgument() {
@@ -1501,7 +1501,12 @@ module StdlibPrivate {
   private class OpenCall extends FileSystemAccess::Range, Stdlib::FileLikeObject::InstanceSource,
     ThreatModelSource::Range, DataFlow::CallCfgNode
   {
-    OpenCall() { this = getOpenFunctionRef().getACall() }
+    OpenCall() {
+      this = getOpenFunctionRef().getACall() and
+      // when analyzing stdlib code for os.py we wrongly assume that `os.open` is an
+      // alias of the builtins `open` function
+      not this instanceof OsFileSystemAccessModeling::OsOpenCall
+    }
 
     override DataFlow::Node getAPathArgument() {
       result in [this.getArg(0), this.getArgByName("file")]

python/ql/test/library-tests/frameworks/stdlib/FileSystemAccess.py

@@ -87,8 +87,8 @@ def test_fspath():
         os.fspath(path=TAINTED_STRING), # $ tainted
     )
 
-os.open("path", os.O_RDONLY) # $ getAPathArgument="path" SPURIOUS: threatModelSource[file]=os.open(..)
-os.open(path="path", flags=os.O_RDONLY) # $ getAPathArgument="path" SPURIOUS: threatModelSource[file]=os.open(..)
+os.open("path", os.O_RDONLY) # $ getAPathArgument="path"
+os.open(path="path", flags=os.O_RDONLY) # $ getAPathArgument="path"
 
 os.access("path", os.R_OK) # $ getAPathArgument="path"
 os.access(path="path", mode=os.R_OK) # $ getAPathArgument="path"

python/ql/test/library-tests/frameworks/stdlib/threat_models.py

@@ -58,7 +58,7 @@
     open("foo").readline(), # $ tainted threatModelSource[file]=open(..) getAPathArgument="foo"
     open("foo").readlines(), # $ tainted threatModelSource[file]=open(..) getAPathArgument="foo"
 
-    os.read(os.open("foo"), 1024), # $ tainted threatModelSource[file]=os.read(..) SPURIOUS: threatModelSource[file]=os.open(..) getAPathArgument="foo"
+    os.read(os.open("foo"), 1024), # $ tainted threatModelSource[file]=os.read(..) getAPathArgument="foo"
 )
 
 ########################################