Python: do not stake out too much territory

Author: yoff

python/ql/lib/semmle/python/dataflow/new/internal/DataFlowDispatchPointsTo.qll

@@ -617,6 +617,18 @@ class SpecialCall extends DataFlowSourceCall, TSpecialCall {
  * and not be available for a summary.
  */
 class LibraryCall extends NormalCall {
+  LibraryCall() {
+    // TODO: share this with `resolvedCall`
+    not (
+      call = any(DataFlowCallableValue cv).getACall()
+      or
+      call = any(DataFlowLambda l).getACall()
+      or
+      // TODO: this should be covered by `DataFlowCallableValue`, but a `ClassValue` is not a `CallableValue`.
+      call = any(ClassValue c).getACall()
+    )
+  }
+
   // TODO: Implement Python calling convention?
   override Node getArg(int n) { result = TCfgNode(call.getArg(n)) }
 

python/ql/test/experimental/dataflow/calls/test.py

@@ -32,6 +32,6 @@ def __getitem__(self, key):
     # ignored.
     import mypkg
     mypkg.foo(42) # $ call=mypkg.foo(..) qlclass=NormalCall
-    mypkg.subpkg.bar(43) # $ call=mypkg.subpkg.bar(..) qlclass=NormalCall
+    mypkg.subpkg.bar(43) # $ call=mypkg.subpkg.bar(..) qlclass=LibraryCall arg_0=43
 except:
     pass