Merge branch 'main' into brodes/seh_flow_phase2_splitting_seh_edges

Author: bdrodes

go/extractor/go.mod

@@ -10,7 +10,7 @@ toolchain go1.23.1
 //    bazel mod tidy
 require (
 	golang.org/x/mod v0.22.0
-	golang.org/x/tools v0.27.0
+	golang.org/x/tools v0.28.0
 )
 
-require golang.org/x/sync v0.9.0 // indirect
+require golang.org/x/sync v0.10.0 // indirect

go/extractor/go.sum

@@ -1,6 +1,8 @@
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 golang.org/x/mod v0.22.0 h1:D4nJWe9zXqHOmWqj4VMOJhvzj7bEZg4wEYa759z1pH4=
 golang.org/x/mod v0.22.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
-golang.org/x/sync v0.9.0 h1:fEo0HyrW1GIgZdpbhCRO0PkJajUS5H9IFUztCgEo2jQ=
-golang.org/x/sync v0.9.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/tools v0.27.0 h1:qEKojBykQkQ4EynWy4S8Weg69NumxKdn40Fce3uc/8o=
-golang.org/x/tools v0.27.0/go.mod h1:sUi0ZgbwW9ZPAq26Ekut+weQPR5eIM6GQLQ1Yjm1H0Q=
+golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
+golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/tools v0.28.0 h1:WuB6qZ4RPCQo5aP3WdKZS7i595EdWqWR8vqJTlwTVK8=
+golang.org/x/tools v0.28.0/go.mod h1:dcIOrVd3mfQKTgrDVQHqCPMWy6lnhfhtX3hLXYVLfRw=

python/ql/lib/change-notes/2024-11-26-parameter-annotation-api-graph-support.md

@@ -0,0 +1,5 @@
+---
+category: feature
+---
+
+- Added support for parameter annotations in API graphs. This means that in a function definition such as `def foo(x: Bar): ...`, you can now use the `getInstanceFromAnnotation()` method to step from `Bar` to `x`. In addition to this, the `getAnInstance` method now also includes instances arising from parameter annotations.

python/ql/lib/semmle/python/ApiGraphs.qll

@@ -195,6 +195,12 @@ module API {
      */
     Node getReturn() { result = this.getASuccessor(Label::return()) }
 
+    /**
+     * Gets a node representing instances of the class represented by this node, as specified via
+     * type annotations.
+     */
+    Node getInstanceFromAnnotation() { result = this.getASuccessor(Label::annotation()) }
+
     /**
      * Gets a node representing the `i`th parameter of the function represented by this node.
      *
@@ -229,7 +235,9 @@ module API {
     /**
      * Gets a node representing an instance of the class (or a transitive subclass of the class) represented by this node.
      */
-    Node getAnInstance() { result = this.getASubclass*().getReturn() }
+    Node getAnInstance() {
+      result in [this.getASubclass*().getReturn(), this.getASubclass*().getInstanceFromAnnotation()]
+    }
 
     /**
      * Gets a node representing the result from awaiting this node.
@@ -834,6 +842,10 @@ module API {
         lbl = Label::return() and
         ref = pred.getACall()
         or
+        // Getting an instance via a type annotation
+        lbl = Label::annotation() and
+        ref = pred.getAnAnnotatedInstance()
+        or
         // Awaiting a node that is a use of `base`
         lbl = Label::await() and
         ref = pred.getAnAwaited()
@@ -1079,6 +1091,7 @@ module API {
         } or
         MkLabelSelfParameter() or
         MkLabelReturn() or
+        MkLabelAnnotation() or
         MkLabelSubclass() or
         MkLabelAwait() or
         MkLabelSubscript() or
@@ -1148,6 +1161,11 @@ module API {
         override string toString() { result = "getReturn()" }
       }
 
+      /** A label for annotations. */
+      class LabelAnnotation extends ApiLabel, MkLabelAnnotation {
+        override string toString() { result = "getAnnotatedInstance()" }
+      }
+
       /** A label that gets the subclass of a class. */
       class LabelSubclass extends ApiLabel, MkLabelSubclass {
         override string toString() { result = "getASubclass()" }
@@ -1207,6 +1225,9 @@ module API {
     /** Gets the `return` edge label. */
     LabelReturn return() { any() }
 
+    /** Gets the `annotation` edge label. */
+    LabelAnnotation annotation() { any() }
+
     /** Gets the `subclass` edge label. */
     LabelSubclass subclass() { any() }
 

python/ql/lib/semmle/python/dataflow/new/internal/LocalSources.qll

@@ -119,6 +119,11 @@ class LocalSourceNode extends Node {
    */
   CallCfgNode getACall() { Cached::call(this, result) }
 
+  /**
+   * Gets a node that has this node as its annotation.
+   */
+  Node getAnAnnotatedInstance() { Cached::annotatedInstance(this, result) }
+
   /**
    * Gets an awaited value from this node.
    */
@@ -275,6 +280,17 @@ private module Cached {
     )
   }
 
+  cached
+  predicate annotatedInstance(LocalSourceNode node, Node instance) {
+    exists(ExprNode n | node.flowsTo(n) |
+      instance.asCfgNode().getNode() =
+        any(AnnAssign ann | ann.getAnnotation() = n.asExpr()).getTarget()
+      or
+      instance.asCfgNode().getNode() =
+        any(Parameter p | p.getAnnotation() = n.asCfgNode().getNode())
+    )
+  }
+
   /**
    * Holds if `node` flows to a value that, when awaited, results in `awaited`.
    */

python/ql/test/library-tests/ApiGraphs/py3/test_annotations.py

@@ -0,0 +1,25 @@
+from types import AssignmentAnnotation, ParameterAnnotation
+
+def test_annotated_assignment():
+    local_x : AssignmentAnnotation = create_x() #$ MISSING: use=moduleImport("types").getMember("AssignmentAnnotation")
+    local_x #$ MISSING: use=moduleImport("types").getMember("AssignmentAnnotation").getAnnotatedInstance()
+
+global_x : AssignmentAnnotation #$ use=moduleImport("types").getMember("AssignmentAnnotation")
+global_x #$ MISSING: use=moduleImport("types").getMember("AssignmentAnnotation").getAnnotatedInstance()
+
+def test_parameter_annotation(parameter_y: ParameterAnnotation): #$ use=moduleImport("types").getMember("ParameterAnnotation")
+    parameter_y #$ use=moduleImport("types").getMember("ParameterAnnotation").getAnnotatedInstance()
+
+type Alias = AssignmentAnnotation
+
+global_z : Alias #$ MISSING: use=moduleImport("types").getMember("AssignmentAnnotation")
+global_z #$ MISSING: use=moduleImport("types").getMember("AssignmentAnnotation").getAnnotatedInstance()
+
+def test_parameter_alias(parameter_z: Alias): #$ MISSING: use=moduleImport("types").getMember("AssignmentAnnotation")
+    parameter_z #$ MISSING: use=moduleImport("types").getMember("AssignmentAnnotation").getAnnotatedInstance()
+
+# local type aliases
+def test_local_type_alias():
+    type LocalAlias = AssignmentAnnotation
+    local_alias : LocalAlias = create_value() #$ MISSING: use=moduleImport("types").getMember("AssignmentAnnotation")
+    local_alias #$ MISSING: use=moduleImport("types").getMember("AssignmentAnnotation").getAnnotatedInstance()

rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll

@@ -623,6 +623,15 @@ private class StructFieldContent extends Content, TStructFieldContent {
   override string toString() { result = s.toString() + "." + field_.toString() }
 }
 
+/**
+ * An element in an array.
+ */
+final class ArrayElementContent extends Content, TArrayElement {
+  ArrayElementContent() { this = TArrayElement() }
+
+  override string toString() { result = "array[]" }
+}
+
 /**
  * Content stored at a position in a tuple.
  *
@@ -656,7 +665,7 @@ abstract class ContentSet extends TContentSet {
   abstract Content getAReadContent();
 }
 
-final private class SingletonContentSet extends ContentSet, TSingletonContentSet {
+final class SingletonContentSet extends ContentSet, TSingletonContentSet {
   private Content c;
 
   SingletonContentSet() { this = TSingletonContentSet(c) }
@@ -879,6 +888,24 @@ module RustDataFlow implements InputSig<Location> {
         node2.asExpr() = access
       )
       or
+      exists(IndexExprCfgNode arr |
+        c instanceof ArrayElementContent and
+        node1.asExpr() = arr.getBase() and
+        node2.asExpr() = arr
+      )
+      or
+      exists(ForExprCfgNode for |
+        c instanceof ArrayElementContent and
+        node1.asExpr() = for.getIterable() and
+        node2.asPat() = for.getPat()
+      )
+      or
+      exists(SlicePatCfgNode pat |
+        c instanceof ArrayElementContent and
+        node1.asPat() = pat and
+        node2.asPat() = pat.getAPat()
+      )
+      or
       exists(TryExprCfgNode try |
         node1.asExpr() = try.getExpr() and
         node2.asExpr() = try and
@@ -951,7 +978,21 @@ module RustDataFlow implements InputSig<Location> {
         node2.asExpr() = tuple
       )
       or
+      c instanceof ArrayElementContent and
+      node1.asExpr() =
+        [
+          node2.asExpr().(ArrayRepeatExprCfgNode).getRepeatOperand(),
+          node2.asExpr().(ArrayListExprCfgNode).getAnExpr()
+        ]
+      or
       tupleAssignment(node1, node2.(PostUpdateNode).getPreUpdateNode(), c)
+      or
+      exists(AssignmentExprCfgNode assignment, IndexExprCfgNode index |
+        c instanceof ArrayElementContent and
+        assignment.getLhs() = index and
+        node1.asExpr() = assignment.getRhs() and
+        node2.(PostUpdateNode).getPreUpdateNode().asExpr() = index.getBase()
+      )
     )
     or
     FlowSummaryImpl::Private::Steps::summaryStoreStep(node1.(Node::FlowSummaryNode).getSummaryNode(),
@@ -1067,7 +1108,11 @@ private module Cached {
     TPatNode(PatCfgNode p) or
     TExprPostUpdateNode(ExprCfgNode e) {
       isArgumentForCall(e, _, _) or
-      e = [any(FieldExprCfgNode access).getExpr(), any(TryExprCfgNode try).getExpr()]
+      e =
+        [
+          any(IndexExprCfgNode i).getBase(), any(FieldExprCfgNode access).getExpr(),
+          any(TryExprCfgNode try).getExpr()
+        ]
     } or
     TSsaNode(SsaImpl::DataFlowIntegration::SsaNode node) or
     TFlowSummaryNode(FlowSummaryImpl::Private::SummaryNode sn)
@@ -1152,6 +1197,7 @@ private module Cached {
     TVariantFieldContent(VariantCanonicalPath v, string field) {
       field = v.getVariant().getFieldList().(RecordFieldList).getAField().getName().getText()
     } or
+    TArrayElement() or
     TTuplePositionContent(int pos) {
       pos in [0 .. max([
                 any(TuplePat pat).getNumberOfFields(),

rust/ql/lib/codeql/rust/dataflow/internal/TaintTrackingImpl.qll

@@ -1,10 +1,9 @@
 private import rust
 private import codeql.dataflow.TaintTracking
 private import codeql.rust.controlflow.CfgNodes
-private import DataFlowImpl
 private import codeql.rust.dataflow.FlowSummary
-private import FlowSummaryImpl as FlowSummaryImpl
 private import DataFlowImpl
+private import FlowSummaryImpl as FlowSummaryImpl
 
 module RustTaintTracking implements InputSig<Location, RustDataFlow> {
   predicate defaultTaintSanitizer(Node::Node node) { none() }
@@ -35,6 +34,15 @@ module RustTaintTracking implements InputSig<Location, RustDataFlow> {
         pred.asExpr() = index.getBase() and
         succ.asExpr() = index
       )
+      or
+      // Although data flow through collections is modeled using stores/reads,
+      // we also allow taint to flow out of a tainted collection. This is
+      // needed in order to support taint-tracking configurations where the
+      // source is a collection.
+      exists(SingletonContentSet cs |
+        RustDataFlow::readStep(pred, cs, succ) and
+        cs.getContent() instanceof ArrayElementContent
+      )
     )
     or
     FlowSummaryImpl::Private::Steps::summaryLocalStep(pred.(Node::FlowSummaryNode).getSummaryNode(),
@@ -46,7 +54,10 @@ module RustTaintTracking implements InputSig<Location, RustDataFlow> {
    * and inputs to additional taint steps.
    */
   bindingset[node]
-  predicate defaultImplicitTaintRead(Node::Node node, ContentSet c) { none() }
+  predicate defaultImplicitTaintRead(Node::Node node, ContentSet cs) {
+    exists(node) and
+    cs.(SingletonContentSet).getContent() instanceof ArrayElementContent
+  }
 
   /**
    * Holds if the additional step from `src` to `sink` should be considered in

rust/ql/lib/codeql/rust/elements/internal/VariableImpl.qll

@@ -467,7 +467,8 @@ module Impl {
       assignmentExprDescendant(mid) and
       getImmediateParent(e) = mid and
       not mid.(PrefixExpr).getOperatorName() = "*" and
-      not mid instanceof FieldExpr
+      not mid instanceof FieldExpr and
+      not mid instanceof IndexExpr
     )
   }