Merge pull request #1840 from markshannon/python-better-hasattribute-handling

psygnisfive · web-flow · commit 36f99c19bc0e · 2019-08-28T10:45:44.000-07:00
Python: Add 'hasAttribute' predicate to ObjectInternal and Value.
diff --git a/python/ql/src/semmle/python/objects/Classes.qll b/python/ql/src/semmle/python/objects/Classes.qll
@@ -97,6 +97,12 @@ abstract class ClassObjectInternal extends ObjectInternal {
     /* Classes aren't usually iterable, but can e.g. Enums */
     override ObjectInternal getIterNext() { result = ObjectInternal::unknown() }
 
+    override predicate hasAttribute(string name) {
+        this.getClassDeclaration().declaresAttribute(name)
+        or
+        Types::getBase(this, _).hasAttribute(name)
+    }
+
 }
 
 /** Class representing Python source classes */
diff --git a/python/ql/src/semmle/python/objects/Modules.qll b/python/ql/src/semmle/python/objects/Modules.qll
@@ -59,6 +59,18 @@ abstract class ModuleObjectInternal extends ObjectInternal {
     /* Modules aren't iterable */
     override ObjectInternal getIterNext() { none() }
 
+    /** Holds if this module "exports" name.
+     * That is, does it define `name` in `__all__` or is
+     * `__all__` not defined and `name` a global variable that does not start with "_"
+     * This is the set of names imported by `from ... import *`.
+     */
+    predicate exports(string name) {
+        not this.(ModuleObjectInternal).attribute("__all__", _, _) and this.hasAttribute(name)
+        and not name.charAt(0) = "_"
+        or
+        py_exports(this.getSourceModule(), name)
+    }
+
 }
 
 /** A class representing built-in modules */
@@ -209,6 +221,13 @@ class PackageObjectInternal extends ModuleObjectInternal, TPackageObject {
         )
     }
 
+    /** Holds if this value has the attribute `name` */
+    override predicate hasAttribute(string name) {
+        this.getInitModule().hasAttribute(name)
+        or
+        exists(this.submodule(name))
+    }
+
 }
 
 /** A class representing Python modules */
@@ -261,6 +280,24 @@ class PythonModuleObjectInternal extends ModuleObjectInternal, TPythonModule {
         result = this.getSourceModule().getEntryNode()
     }
 
+    /** Holds if this value has the attribute `name` */
+    override predicate hasAttribute(string name) {
+        name = "__name__"
+        or
+        this.getSourceModule().(ImportTimeScope).definesName(name)
+        or
+        exists(ModuleObjectInternal mod, ImportStarNode imp |
+            PointsToInternal::pointsTo(imp, _, mod, _) and
+            imp.getScope() = this.getSourceModule() and
+            mod.exports(name)
+        )
+        or
+        exists(ObjectInternal defined |
+            this.attribute(name, defined, _) and
+            not defined instanceof UndefinedInternal
+        )
+    }
+
 }
 
 /** A class representing a module that is missing from the DB, but inferred to exists from imports. */
diff --git a/python/ql/src/semmle/python/objects/ObjectAPI.qll b/python/ql/src/semmle/python/objects/ObjectAPI.qll
@@ -94,6 +94,11 @@ class Value extends TObject {
         result = this.(ObjectInternal).getName()
     }
 
+    /** Holds if this value has the attribute `name` */
+    predicate hasAttribute(string name) {
+        this.(ObjectInternal).hasAttribute(name)
+    }
+
 }
 
 /** Class representing modules in the Python program
@@ -111,10 +116,7 @@ class ModuleValue extends Value {
      * This is the set of names imported by `from ... import *`.
      */
     predicate exports(string name) {
-        not this.(ModuleObjectInternal).attribute("__all__", _, _) and exists(this.attr(name))
-        and not name.charAt(0) = "_"
-        or
-        py_exports(this.getScope(), name)
+        PointsTo::moduleExports(this, name)
     }
 
     /** Gets the scope for this module, provided that it is a Python module. */
diff --git a/python/ql/src/semmle/python/objects/ObjectInternal.qll b/python/ql/src/semmle/python/objects/ObjectInternal.qll
@@ -182,6 +182,11 @@ class ObjectInternal extends TObject {
      */
     abstract ObjectInternal getIterNext();
 
+    /** Holds if this value has the attribute `name` */
+    predicate hasAttribute(string name) {
+        this.(ObjectInternal).attribute(name, _, _)
+    }
+
 }
 
 
diff --git a/python/ql/src/semmle/python/pointsto/PointsTo.qll b/python/ql/src/semmle/python/pointsto/PointsTo.qll
@@ -166,6 +166,10 @@ module PointsTo {
         )
     }
 
+    cached predicate moduleExports(ModuleObjectInternal mod, string name) {
+        InterModulePointsTo::moduleExportsBoolean(mod, name) = true
+    }
+
 }
 
 cached module PointsToInternal {
diff --git a/python/ql/src/semmle/python/types/ClassObject.qll b/python/ql/src/semmle/python/types/ClassObject.qll
@@ -151,7 +151,7 @@ class ClassObject extends Object {
 
     /** Whether this class has a attribute named `name`, either declared or inherited.*/
     predicate hasAttribute(string name) {
-        Types::getMro(theClass()).getAnItem().getClassDeclaration().declaresAttribute(name)
+        theClass().hasAttribute(name)
     }
 
     /** Whether it is impossible to know all the attributes of this class. Usually because it is
diff --git a/python/ql/src/semmle/python/types/ModuleObject.qll b/python/ql/src/semmle/python/types/ModuleObject.qll
@@ -51,9 +51,8 @@ abstract class ModuleObject extends Object {
         result = this.getAttribute(name)
     }
 
-
     predicate hasAttribute(string name) {
-        exists(theModule().attr(name))
+        theModule().hasAttribute(name)
     }
 
     predicate attributeRefersTo(string name, Object obj, ControlFlowNode origin) {
diff --git a/python/ql/test/query-tests/Variables/undefined/UndefinedExport.expected b/python/ql/test/query-tests/Variables/undefined/UndefinedExport.expected
@@ -0,0 +1,2 @@
+| decorated_exports.py:3:33:3:45 | Str | The name 'not_defined' is exported by __all__ but is not defined. |
+| exports.py:1:57:1:64 | Str | The name 'nosuch' is exported by __all__ but is not defined. |
diff --git a/python/ql/test/query-tests/Variables/undefined/UndefinedExport.qlref b/python/ql/test/query-tests/Variables/undefined/UndefinedExport.qlref
@@ -0,0 +1 @@
+Variables/UndefinedExport.ql
diff --git a/python/ql/test/query-tests/Variables/undefined/UndefinedGlobal.expected b/python/ql/test/query-tests/Variables/undefined/UndefinedGlobal.expected
@@ -4,3 +4,5 @@
 | UndefinedGlobal.py:123:5:123:7 | ug3 | This use of global variable 'ug3' may be undefined. |
 | UninitializedLocal.py:5:13:5:15 | ug1 | This use of global variable 'ug1' may be undefined. |
 | UninitializedLocal.py:22:9:22:11 | ug1 | This use of global variable 'ug1' may be undefined. |
+| decorated_exports.py:10:2:10:19 | undotted_decorator | This use of global variable 'undotted_decorator' may be undefined. |
+| decorated_exports.py:14:2:14:13 | not_imported | This use of global variable 'not_imported' may be undefined. |
diff --git a/python/ql/test/query-tests/Variables/undefined/decorated_exports.py b/python/ql/test/query-tests/Variables/undefined/decorated_exports.py
@@ -0,0 +1,16 @@
+import dotted
+
+__all__ = ["foo", "bar", "baz", "not_defined"]
+
+
+@dotted.decorator
+def foo():
+    pass
+
+@undotted_decorator
+def bar():
+    pass
+
+@not_imported.but_dotted
+def baz():
+    pass
diff --git a/python/ql/test/query-tests/Variables/undefined/exports.py b/python/ql/test/query-tests/Variables/undefined/exports.py
@@ -0,0 +1,19 @@
+__all__ = ["foo", "bar", "baz", "quux", "blat", "frob", "nosuch", "i_got_it_elsewhere"]
+
+with open("foo.txt") as f:
+    foo = f.read()
+
+b = open("bar.txt")
+bar = b.read()
+
+baz = open("baz.txt")
+
+from unknown_module import unknown_value
+
+quux = 5 + unknown_value
+
+blat = str(5)
+
+frob = "5"
+
+from unknown_module import i_got_it_elsewhere
diff --git a/python/ql/test/query-tests/Variables/undefined/unknown_import_star.py b/python/ql/test/query-tests/Variables/undefined/unknown_import_star.py
@@ -0,0 +1,3 @@
+__all__ = ["foo"]
+
+from unknown_module import *

Original file line number	Diff line number	Diff line change
`@@ -182,6 +182,11 @@ class ObjectInternal extends TObject {`
`182`	`182`	`*/`
`183`	`183`	`abstract ObjectInternal getIterNext();`
`184`	`184`
	`185`	+ /** Holds if this value has the attribute `name` */
	`186`	`+ predicate hasAttribute(string name) {`
	`187`	`+ this.(ObjectInternal).attribute(name, _, _)`
	`188`	`+ }`
	`189`	`+`
`185`	`190`	`}`
`186`	`191`
`187`	`192`
Original file line number	Diff line number	Diff line change
`@@ -166,6 +166,10 @@ module PointsTo {`
`166`	`166`	`)`
`167`	`167`	`}`
`168`	`168`
	`169`	`+ cached predicate moduleExports(ModuleObjectInternal mod, string name) {`
	`170`	`+ InterModulePointsTo::moduleExportsBoolean(mod, name) = true`
	`171`	`+ }`
	`172`	`+`
`169`	`173`	`}`
`170`	`174`
`171`	`175`	`cached module PointsToInternal {`
Original file line number	Diff line number	Diff line change
`@@ -151,7 +151,7 @@ class ClassObject extends Object {`
`151`	`151`
`152`	`152`	/** Whether this class has a attribute named `name`, either declared or inherited.*/
`153`	`153`	`predicate hasAttribute(string name) {`
`154`		`- Types::getMro(theClass()).getAnItem().getClassDeclaration().declaresAttribute(name)`
	`154`	`+ theClass().hasAttribute(name)`
`155`	`155`	`}`
`156`	`156`
`157`	`157`	`/** Whether it is impossible to know all the attributes of this class. Usually because it is`
Original file line number	Diff line number	Diff line change
`@@ -51,9 +51,8 @@ abstract class ModuleObject extends Object {`
`51`	`51`	`result = this.getAttribute(name)`
`52`	`52`	`}`
`53`	`53`
`54`		`-`
`55`	`54`	`predicate hasAttribute(string name) {`
`56`		`- exists(theModule().attr(name))`
	`55`	`+ theModule().hasAttribute(name)`
`57`	`56`	`}`
`58`	`57`
`59`	`58`	`predicate attributeRefersTo(string name, Object obj, ControlFlowNode origin) {`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+\| decorated_exports.py:3:33:3:45 \| Str \| The name 'not_defined' is exported by __all__ but is not defined. \|`
	`2`	`+\| exports.py:1:57:1:64 \| Str \| The name 'nosuch' is exported by __all__ but is not defined. \|`