more backtracking of def nodes, and lots of tests

erik-krogh · erik-krogh · commit a908b219e94e · 2022-02-03T23:10:38.000+01:00
diff --git a/python/ql/lib/semmle/python/ApiGraphs.qll b/python/ql/lib/semmle/python/ApiGraphs.qll
@@ -462,6 +462,14 @@ module API {
           lbl = Label::memberFromRef(pw) and
           rhs = pw.getValue()
         )
+        or
+        // TODO: I had expected `DataFlow::AttrWrite` to contain the attribute writes from a dict, that's how JS works.
+        exists(Dict dict, KeyValuePair item |
+          dict = pred.asExpr() and
+          dict.getItem(_) = item and
+          lbl = Label::member(item.getKey().(StrConst).getS()) and
+          rhs.asExpr() = item.getValue()
+        )
         // or
         // special case: from `require('m')` to an export of `prop` in `m`
         // TODO: Figure out if this is needed.
@@ -528,7 +536,7 @@ module API {
       |
         // Referring to an attribute on a node that is a use of `base`:
         lbl = Label::memberFromRef(ref) and
-        ref = pred.getAnAttributeReference()
+        ref = pred.getAnAttributeReference() // TODO: Change to read.
         or
         // Calling a node that is a use of `base`
         lbl = Label::return() and
@@ -548,20 +556,12 @@ module API {
         )
       )
       or
-      exists(DataFlow::Node def, CallableExpr fn |
+      exists(DataFlow::Node def, CallableExpr fn, int i |
         rhs(base, def) and fn = trackDefNode(def).asExpr()
       |
-        exists(int i |
-          lbl = Label::parameter(i) and
-          ref.asExpr() = fn.getInnerScope().getArg(i)
-        )
-        /*
-         * or // TODO: Figure out self. (and arg = -2, that might be a thing in python)
-         *        lbl = Label::receiver() and
-         *        ref = fn.getReceiver()
-         */
-
-        )
+        lbl = Label::parameter(i) and
+        ref.asExpr() = fn.getInnerScope().getArg(i)
+      )
       or
       /*
        * or // TODO: Figure out classes.
@@ -771,7 +771,8 @@ module API {
           ImportStar::namePossiblyDefinedInImportStar(_, member, _) or
           Impl::prefix_member(_, member, _) or
           exists(any(Module mod).getSubModule(member)) or
-          exports(_, member, _)
+          exports(_, member, _) or
+          member = any(Dict d).getAnItem().(KeyValuePair).getKey().(StrConst).getS()
         } or
         MkLabelUnknownMember() or
         MkLabelParameter(int i) {
diff --git a/python/ql/test/library-tests/ApiGraphs/deftest1.py b/python/ql/test/library-tests/ApiGraphs/deftest1.py
@@ -4,3 +4,32 @@ def callback(x): #$ use=moduleImport("mypkg").getMember("foo").getMember("bar").
     x.baz() #$ use=moduleImport("mypkg").getMember("foo").getMember("bar").getParameter(0).getParameter(0).getMember("baz").getReturn()
 
 foo.bar(callback) #$ def=moduleImport("mypkg").getMember("foo").getMember("bar").getParameter(0) use=moduleImport("mypkg").getMember("foo").getMember("bar").getReturn()
+
+def callback2(x): #$ use=moduleImport("mypkg").getMember("foo").getMember("baz").getParameter(0).getMember("c").getParameter(0)
+    x.baz2() #$ use=moduleImport("mypkg").getMember("foo").getMember("baz").getParameter(0).getMember("c").getParameter(0).getMember("baz2").getReturn()
+
+mydict = {
+  "c": callback2, #$ def=moduleImport("mypkg").getMember("foo").getMember("baz").getParameter(0).getMember("c")
+  "other": "whatever" #$ def=moduleImport("mypkg").getMember("foo").getMember("baz").getParameter(0).getMember("other")
+}
+
+foo.baz(mydict) #$ def=moduleImport("mypkg").getMember("foo").getMember("baz").getParameter(0) use=moduleImport("mypkg").getMember("foo").getMember("baz").getReturn()
+
+def callback3(x): #$ use=moduleImport("mypkg").getMember("foo").getMember("baz").getParameter(0).getMember("third").getParameter(0)
+    x.baz3() #$ use=moduleImport("mypkg").getMember("foo").getMember("baz").getParameter(0).getMember("third").getParameter(0).getMember("baz3").getReturn()
+
+mydict.third = callback3 #$ def=moduleImport("mypkg").getMember("foo").getMember("baz").getParameter(0).getMember("third")
+
+foo.blab(mydict) #$ def=moduleImport("mypkg").getMember("foo").getMember("blab").getParameter(0) use=moduleImport("mypkg").getMember("foo").getMember("blab").getReturn()
+
+def callback4(x): #$ use=moduleImport("mypkg").getMember("foo").getMember("quack").getParameter(0).getParameter(0)
+    x.baz4() #$ use=moduleImport("mypkg").getMember("foo").getMember("quack").getParameter(0).getParameter(0).getMember("baz4").getReturn()
+
+otherDict = {
+    # TODO: Backtracking through a property set using a dict doesn't work, but I can backtrack through explicit property writes, e.g. the `otherDict.fourth` below.
+    # TODO: There is a related TODO in ApiGraphs.qll
+    "blab": "whatever"
+}
+otherDict.fourth = callback4
+
+foo.quack(otherDict.fourth) #$ def=moduleImport("mypkg").getMember("foo").getMember("quack").getParameter(0) use=moduleImport("mypkg").getMember("foo").getMember("quack").getReturn()
diff --git a/python/ql/test/library-tests/ApiGraphs/mypkg/foo.py b/python/ql/test/library-tests/ApiGraphs/mypkg/foo.py
@@ -1 +1,6 @@
-value = 3 #$ def=moduleImport("mypkg").getMember("foo").getMember("value")
+value = 3 #$ def=moduleImport("mypkg").getMember("foo").getMember("value")
+
+class MyClass: #$ def=moduleImport("mypkg").getMember("foo").getMember("MyClass")
+    def myFunc(self, x): #$ def=moduleImport("mypkg").getMember("foo").getMember("MyClass").getMember("myFunc") use=moduleImport("mypkg").getMember("foo").getMember("MyClass").getMember("myFunc").getParameter(1)
+        self.selfThing() #$ use=moduleImport("mypkg").getMember("foo").getMember("MyClass").getMember("myFunc").getParameter(0).getMember("selfThing").getReturn()
+        x.xThing() #$ use=moduleImport("mypkg").getMember("foo").getMember("MyClass").getMember("myFunc").getParameter(1).getMember("xThing").getReturn()
