Python: Model Python 2 only platform.popen command execution

RasmusWL · RasmusWL · commit 6c4fd7c1ff11 · 2020-10-06T20:25:03.000+02:00
diff --git a/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll b/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
@@ -413,4 +413,73 @@ private module Stdlib {
       result.asCfgNode() = this.asCfgNode().(CallNode).getArgByName("cmd")
     }
   }
+
+  // ---------------------------------------------------------------------------
+  // platform
+  // ---------------------------------------------------------------------------
+  /** Gets a reference to the `platform` module. */
+  private DataFlow::Node platform(DataFlow::TypeTracker t) {
+    t.start() and
+    result = DataFlow::importModule("platform")
+    or
+    exists(DataFlow::TypeTracker t2 | result = platform(t2).track(t2, t))
+  }
+
+  /** Gets a reference to the `platform` module. */
+  DataFlow::Node platform() { result = platform(DataFlow::TypeTracker::end()) }
+
+  /**
+   * Gets a reference to the attribute `attr_name` of the `platform` module.
+   * WARNING: Only holds for a few predefined attributes.
+   */
+  private DataFlow::Node platform_attr(DataFlow::TypeTracker t, string attr_name) {
+    attr_name in ["popen"] and
+    (
+      t.start() and
+      result = DataFlow::importMember("platform", attr_name)
+      or
+      t.startInAttr(attr_name) and
+      result = DataFlow::importModule("platform")
+    )
+    or
+    // Due to bad performance when using normal setup with `platform_attr(t2, attr_name).track(t2, t)`
+    // we have inlined that code and forced a join
+    exists(DataFlow::TypeTracker t2 |
+      exists(DataFlow::StepSummary summary |
+        platform_attr_first_join(t2, attr_name, result, summary) and
+        t = t2.append(summary)
+      )
+    )
+  }
+
+  pragma[nomagic]
+  private predicate platform_attr_first_join(
+    DataFlow::TypeTracker t2, string attr_name, DataFlow::Node res, DataFlow::StepSummary summary
+  ) {
+    DataFlow::StepSummary::step(platform_attr(t2, attr_name), res, summary)
+  }
+
+  /**
+   * Gets a reference to the attribute `attr_name` of the `platform` module.
+   * WARNING: Only holds for a few predefined attributes.
+   */
+  private DataFlow::Node platform_attr(string attr_name) {
+    result = platform_attr(DataFlow::TypeTracker::end(), attr_name)
+  }
+
+  /**
+   * A call to the `platform.popen` function.
+   * See https://docs.python.org/2.7/library/platform.html#platform.popen
+   */
+  private class PlatformPopenCall extends SystemCommandExecution::Range {
+    PlatformPopenCall() {
+      this.asCfgNode().(CallNode).getFunction() = platform_attr("popen").asCfgNode()
+    }
+
+    override DataFlow::Node getCommand() {
+      result.asCfgNode() = this.asCfgNode().(CallNode).getArg(0)
+      or
+      result.asCfgNode() = this.asCfgNode().(CallNode).getArgByName("cmd")
+    }
+  }
 }
diff --git a/python/ql/test/experimental/library-tests/frameworks/stdlib-py2/ConceptsTest.expected b/python/ql/test/experimental/library-tests/frameworks/stdlib-py2/ConceptsTest.expected
@@ -1,2 +0,0 @@
-| SystemCommandExecution.py:19:31:19:56 | Comment # $getCommand="cmd1; cmd2" | Missing result:getCommand="cmd1; cmd2" |
-| SystemCommandExecution.py:20:35:20:60 | Comment # $getCommand="cmd1; cmd2" | Missing result:getCommand="cmd1; cmd2" |

Original file line number	Diff line number	Diff line change
`@@ -1,2 +0,0 @@`
`1`		`-\| SystemCommandExecution.py:19:31:19:56 \| Comment # $getCommand="cmd1; cmd2" \| Missing result:getCommand="cmd1; cmd2" \|`
`2`		`-\| SystemCommandExecution.py:20:35:20:60 \| Comment # $getCommand="cmd1; cmd2" \| Missing result:getCommand="cmd1; cmd2" \|`