Merge pull request #1591 from markshannon/python-fix-property-setter-handling

Python: fix property setter handling in points-to.

Author: taus-semmle

python/ql/src/semmle/python/objects/Descriptors.qll

@@ -32,7 +32,7 @@ class PropertyInternal extends ObjectInternal, TProperty {
     private Context getContext() { this = TProperty(_,result,  _) }
 
     override string toString() {
-        result = "property" + this.getName()
+        result = "property " + this.getName()
     }
 
     override boolean booleanValue() { result = true }
@@ -63,16 +63,19 @@ class PropertyInternal extends ObjectInternal, TProperty {
 
     override predicate calleeAndOffset(Function scope, int paramOffset) { none() }
 
-    pragma [noinline] override predicate attribute(string name, ObjectInternal value, CfgOrigin origin) { none() }
+    pragma [noinline] override predicate attribute(string name, ObjectInternal value, CfgOrigin origin) {
+        value = TPropertySetterOrDeleter(this, name) and origin = CfgOrigin::unknown()
+    }
 
-    pragma [noinline] override predicate attributesUnknown() { none() }
+    override predicate attributesUnknown() { none() }
 
     override predicate subscriptUnknown() { none() }
 
     override boolean isDescriptor() { result = true }
 
     override int length() { none() }
-    pragma [noinline] override predicate binds(ObjectInternal cls, string name, ObjectInternal descriptor) { none() }
+
+    override predicate binds(ObjectInternal cls, string name, ObjectInternal descriptor) { none() }
 
     pragma [noinline] override predicate descriptorGetClass(ObjectInternal cls, ObjectInternal value, CfgOrigin origin) {
         any(ObjectInternal obj).binds(cls, _, this) and
@@ -100,6 +103,80 @@ class PropertyInternal extends ObjectInternal, TProperty {
 
 }
 
+private class PropertySetterOrDeleter extends ObjectInternal, TPropertySetterOrDeleter {
+
+    override string toString() {
+        result = this.getProperty().toString() + "." + this.getName()
+    }
+
+    override string getName() {
+        this = TPropertySetterOrDeleter(_, result)
+    }
+
+    PropertyInternal getProperty() {
+        this = TPropertySetterOrDeleter(result, _)
+    }
+
+    override predicate callResult(ObjectInternal obj, CfgOrigin origin) {
+        exists(ControlFlowNode call |
+            obj = this.getProperty() and obj = TProperty(call, _, _) and
+            origin = CfgOrigin::fromCfgNode(call)
+        )
+    }
+
+    override predicate introducedAt(ControlFlowNode node, PointsToContext context) {
+        none()
+    }
+
+    override ClassDecl getClassDeclaration() { none() }
+
+    override boolean isClass() { result = false }
+
+    override ObjectInternal getClass() {
+       result = TBuiltinClassObject(Builtin::special("MethodType"))
+    }
+
+    override predicate notTestableForEquality() { none() }
+
+    override Builtin getBuiltin() { none() }
+
+    override ControlFlowNode getOrigin() { none() }
+
+    override predicate callResult(PointsToContext callee, ObjectInternal obj, CfgOrigin origin) { none() }
+
+    override int intValue() { none() }
+
+    override string strValue() { none() }
+
+    override boolean booleanValue() { result = true }
+
+    override predicate calleeAndOffset(Function scope, int paramOffset) { none() }
+
+    override predicate attribute(string name, ObjectInternal value, CfgOrigin origin) { none() }
+
+    override predicate attributesUnknown() { none() }
+
+    override predicate subscriptUnknown() { none() }
+
+    override boolean isDescriptor() { result = true }
+
+    override int length() { none() }
+
+    override predicate binds(ObjectInternal cls, string name, ObjectInternal descriptor) { none() }
+
+    override predicate contextSensitiveCallee() { none() }
+
+    override ObjectInternal getIterNext() { none() }
+
+    override predicate descriptorGetClass(ObjectInternal cls, ObjectInternal value, CfgOrigin origin) { none() }
+
+    override predicate descriptorGetInstance(ObjectInternal instance, ObjectInternal value, CfgOrigin origin) { none() }
+
+    override predicate useOriginAsLegacyObject() { none() }
+
+}
+
+
 /** A class representing classmethods in Python */
 class ClassMethodObjectInternal extends ObjectInternal, TClassMethod {
 
@@ -143,9 +220,9 @@ class ClassMethodObjectInternal extends ObjectInternal, TClassMethod {
 
     override predicate calleeAndOffset(Function scope, int paramOffset) { none() }
 
-    pragma [noinline] override predicate attribute(string name, ObjectInternal value, CfgOrigin origin) { none() }
+    override predicate attribute(string name, ObjectInternal value, CfgOrigin origin) { none() }
 
-    pragma [noinline] override predicate attributesUnknown() { none() }
+    override predicate attributesUnknown() { none() }
 
     override predicate subscriptUnknown() { none() }
 
@@ -235,9 +312,9 @@ class StaticMethodObjectInternal extends ObjectInternal, TStaticMethod {
         this.getFunction().calleeAndOffset(scope, paramOffset)
     }
 
-    pragma [noinline] override predicate attribute(string name, ObjectInternal value, CfgOrigin origin) { none() }
+    override predicate attribute(string name, ObjectInternal value, CfgOrigin origin) { none() }
 
-    pragma [noinline] override predicate attributesUnknown() { none() }
+    override predicate attributesUnknown() { none() }
 
     override predicate subscriptUnknown() { none() }
 
@@ -253,7 +330,7 @@ class StaticMethodObjectInternal extends ObjectInternal, TStaticMethod {
         value = this.getFunction() and origin = CfgOrigin::unknown()
     }
 
-    pragma [noinline] override predicate binds(ObjectInternal instance, string name, ObjectInternal descriptor) { none() }
+    override predicate binds(ObjectInternal instance, string name, ObjectInternal descriptor) { none() }
 
     override int length() { none() }
 

python/ql/src/semmle/python/objects/TObject.qll

@@ -194,6 +194,14 @@ cached newtype TObject =
         PointsToInternal::pointsTo(call.getArg(0), ctx, getter, _)
     }
     or
+    /* Represents the `setter` or `deleter` method of a property object. */
+    TPropertySetterOrDeleter(PropertyInternal property, string method) {
+        exists(AttrNode attr |
+            PointsToInternal::pointsTo(attr.getObject(method), _, property, _)
+        ) and
+        ( method = "setter" or method = "deleter" )
+    }
+    or
     /* Represents a dynamically created class */
     TDynamicClass(CallNode instantiation, ClassObjectInternal metacls, PointsToContext context) {
         PointsToInternal::pointsTo(instantiation.getFunction(), context, metacls, _) and

python/ql/test/library-tests/PointsTo/properties/Lookup.expected

@@ -0,0 +1,6 @@
+| class C | p | property p |
+| class D | __init__ | Function D.__init__ |
+| class D | q | property q |
+| class E | __init__ | Function D.__init__ |
+| class E | p | property p |
+| class E | q | property q |

python/ql/test/library-tests/PointsTo/properties/Lookup.ql

@@ -0,0 +1,8 @@
+
+import python
+import semmle.python.pointsto.PointsTo
+import semmle.python.objects.ObjectInternal
+
+from ClassObjectInternal cls, string name, ObjectInternal f
+where cls.lookup(name, f, _) and exists(f.getOrigin())
+select cls.toString(), name, f.toString()

python/ql/test/library-tests/PointsTo/properties/Values.expected

@@ -0,0 +1,31 @@
+| test.py:3:1:3:16 | test.py:3 | ControlFlowNode for ClassExpr | import | class C | builtin-class type |
+| test.py:3:9:3:14 | test.py:3 | ControlFlowNode for object | import | builtin-class object | builtin-class type |
+| test.py:5:6:5:13 | test.py:5 | ControlFlowNode for property | import | builtin-class property | builtin-class type |
+| test.py:5:6:5:13 | test.py:5 | ControlFlowNode for property() | import | property p | builtin-class property |
+| test.py:6:5:6:16 | test.py:6 | ControlFlowNode for FunctionExpr | import | Function C.p | builtin-class function |
+| test.py:7:16:7:16 | test.py:7 | ControlFlowNode for IntegerLiteral | runtime | int 0 | builtin-class int |
+| test.py:9:1:9:16 | test.py:9 | ControlFlowNode for ClassExpr | import | class D | builtin-class type |
+| test.py:9:9:9:14 | test.py:9 | ControlFlowNode for object | import | builtin-class object | builtin-class type |
+| test.py:11:5:11:23 | test.py:11 | ControlFlowNode for FunctionExpr | import | Function D.__init__ | builtin-class function |
+| test.py:12:9:12:12 | test.py:12 | ControlFlowNode for self | runtime | self instance of D | class D |
+| test.py:12:18:12:18 | test.py:12 | ControlFlowNode for IntegerLiteral | runtime | int 0 | builtin-class int |
+| test.py:14:6:14:13 | test.py:14 | ControlFlowNode for property | import | builtin-class property | builtin-class type |
+| test.py:14:6:14:13 | test.py:14 | ControlFlowNode for property() | import | property q | builtin-class property |
+| test.py:15:5:15:16 | test.py:15 | ControlFlowNode for FunctionExpr | import | Function D.q | builtin-class function |
+| test.py:16:16:16:19 | test.py:16 | ControlFlowNode for self | runtime | self instance of D | class D |
+| test.py:18:6:18:6 | test.py:18 | ControlFlowNode for q | import | property q | builtin-class property |
+| test.py:18:6:18:13 | test.py:18 | ControlFlowNode for Attribute | import | property q.setter | builtin-class method |
+| test.py:18:6:18:13 | test.py:18 | ControlFlowNode for Attribute() | import | property q | builtin-class property |
+| test.py:19:5:19:23 | test.py:19 | ControlFlowNode for FunctionExpr | import | Function D.q | builtin-class function |
+| test.py:20:9:20:12 | test.py:20 | ControlFlowNode for self | runtime | self instance of D | class D |
+| test.py:22:1:22:14 | test.py:22 | ControlFlowNode for ClassExpr | import | class E | builtin-class type |
+| test.py:22:9:22:9 | test.py:22 | ControlFlowNode for C | import | class C | builtin-class type |
+| test.py:22:12:22:12 | test.py:22 | ControlFlowNode for D | import | class D | builtin-class type |
+| test.py:25:1:25:1 | test.py:25 | ControlFlowNode for C | import | class C | builtin-class type |
+| test.py:25:1:25:3 | test.py:25 | ControlFlowNode for Attribute | import | property p | builtin-class property |
+| test.py:26:1:26:1 | test.py:26 | ControlFlowNode for D | import | class D | builtin-class type |
+| test.py:26:1:26:3 | test.py:26 | ControlFlowNode for Attribute | import | property q | builtin-class property |
+| test.py:27:1:27:1 | test.py:27 | ControlFlowNode for E | import | class E | builtin-class type |
+| test.py:27:1:27:3 | test.py:27 | ControlFlowNode for Attribute | import | property p | builtin-class property |
+| test.py:28:1:28:1 | test.py:28 | ControlFlowNode for E | import | class E | builtin-class type |
+| test.py:28:1:28:3 | test.py:28 | ControlFlowNode for Attribute | import | property q | builtin-class property |

python/ql/test/library-tests/PointsTo/properties/Values.ql

@@ -0,0 +1,15 @@
+
+import python
+import semmle.python.objects.ObjectInternal
+
+string vrepr(Value v) {
+    /* Work around differing names in 2/3 */
+    not v = ObjectInternal::boundMethod() and result = v.toString()
+    or
+    v = ObjectInternal::boundMethod() and result = "builtin-class method"
+}
+
+from ControlFlowNode f, Context ctx, Value v, ControlFlowNode origin
+where
+  f.pointsTo(ctx, v, origin)
+select f.getLocation(), f.toString(), ctx, vrepr(v), vrepr(v.getClass())

python/ql/test/library-tests/PointsTo/properties/test.py

@@ -0,0 +1,28 @@
+
+
+class C(object):
+
+    @property
+    def p(self):
+        return 0
+
+class D(object):
+
+    def __init__(self):
+        self.v = 0
+
+    @property
+    def q(self):
+        return self.v
+
+    @q.setter
+    def q(self, value):
+        self.v = value
+
+class E(C, D):
+    pass
+
+C.p
+D.q
+E.p
+E.q