codeql icon indicating copy to clipboard operation
codeql copied to clipboard

Published 20 hours ago verified publisher icon github

Python: Local/Global dataflow analysis not tracing class field?

Open hksdpc255 opened this issue 1 year ago • 3 comments
trafficstars

Python

class Cls:
    def __init__(self) -> None:
        self.field = 1
    def __init__(self, num) -> None:
        self.field = num
    def print(self) -> None:
        print(self.field)


if __name__ == '__main__':
    var1 = Cls(2)
    var2 = var1
    var2.field = 3
    var1.print()
    var1.field2 = 4
    print(var2.field2)

CodeQL

import python
import semmle.python.ApiGraphs
import semmle.python.dataflow.new.DataFlow
import semmle.python.dataflow.new.TaintTracking

module MyConf implements DataFlow::ConfigSig {
    predicate isSource(DataFlow::Node source) {
        source.asExpr() instanceof IntegerLiteral
    }
    predicate isSink(DataFlow::Node sink) {
        sink = API::builtin("print").getACall().getArg(0)
    }
}

module MyFlow = DataFlow::Global<MyConf>;

from DataFlow::Node source, DataFlow::Node sink
where MyFlow::flow(source, sink)
select source, sink

Output

source sink
1 self.field in line 7
2 self.field in line 7

Expected result

source sink
1 self.field in line 7
2 self.field in line 7
3 self.field in line 7
4 self.field in line 16

hksdpc255 avatar Jul 19 '24 10:07 hksdpc255

Perhaps the problem is that CodeQL does not "see" that var1 and var2 are references to the same object. What happens if you don't write var1 = var2 and use var1 in all the places where it says var2 ?

aibaars avatar Jul 19 '24 15:07 aibaars

That's the problem. CodeQL does not "see" that var1 and var2 are references to the same object.

hksdpc255 avatar Jul 22 '24 06:07 hksdpc255

So, is there any plan to fix this bug?

hksdpc255 avatar Jul 23 '24 04:07 hksdpc255