github
diff --git a/‎python/ql/src/semmle/python/pointsto/Base.qll‎
Lines changed: 2 additions & 0 deletions b/‎python/ql/src/semmle/python/pointsto/Base.qll‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎python/ql/src/semmle/python/security/TaintTracking.qll‎
Lines changed: 34 additions & 2 deletions b/‎python/ql/src/semmle/python/security/TaintTracking.qll‎
Lines changed: 34 additions & 2 deletions
diff --git a/‎python/ql/src/semmle/python/types/Extensions.qll‎
Lines changed: 16 additions & 0 deletions b/‎python/ql/src/semmle/python/types/Extensions.qll‎
Lines changed: 16 additions & 0 deletions
diff --git a/‎python/ql/test/library-tests/PointsTo/extensions/Extend.expected‎
Lines changed: 5 additions & 1 deletion b/‎python/ql/test/library-tests/PointsTo/extensions/Extend.expected‎
Lines changed: 5 additions & 1 deletion
diff --git a/‎python/ql/test/library-tests/PointsTo/extensions/Extend.ql‎
Lines changed: 13 additions & 0 deletions b/‎python/ql/test/library-tests/PointsTo/extensions/Extend.ql‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎python/ql/test/library-tests/PointsTo/extensions/test.py‎
Lines changed: 4 additions & 1 deletion b/‎python/ql/test/library-tests/PointsTo/extensions/test.py‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎python/ql/test/library-tests/taint/general/TaintLib.qll‎
Lines changed: 32 additions & 0 deletions b/‎python/ql/test/library-tests/taint/general/TaintLib.qll‎
Lines changed: 32 additions & 0 deletions
@@ -50,6 +50,8 @@ ClassObject simple_types(Object obj) {
     obj.getOrigin() instanceof Module and result = theModuleType()
     or
     result = builtin_object_type(obj)
+    or
+    obj = unknownValue() and result = theUnknownType()
 }
 
 private ClassObject comprehension(Expr e) {
 
@@ -1237,7 +1237,7 @@ library module TaintFlowImplementation {
             )
             |
             not Filters::isinstance(test.getTest(), _, var.getSourceVariable().getAUse()) and
-            not test.getTest() = var.getSourceVariable().getAUse()
+            not boolean_filter(test.getTest(), var.getSourceVariable().getAUse())
             or
             exists(ControlFlowNode c, ClassObject cls |
                 Filters::isinstance(test.getTest(), c, var.getSourceVariable().getAUse())
@@ -1248,10 +1248,42 @@ library module TaintFlowImplementation {
                 test.getSense() = false and not kind.getClass().getAnImproperSuperType() = cls
             )
             or
-            test.getTest() = var.getSourceVariable().getAUse() and kind.booleanValue() = test.getSense()
+            test.getSense() = test_evaluates(test.getTest(), var.getSourceVariable().getAUse(), kind)
         )
     }
 
+    /** Gets the operand of a unary `not` expression. */
+    private ControlFlowNode not_operand(ControlFlowNode expr) {
+        expr.(UnaryExprNode).getNode().getOp() instanceof Not and
+        result = expr.(UnaryExprNode).getOperand()
+    }
+
+    /** Holds if `test` is the test in a branch and `use` is that test
+     * with all the `not` prefixes removed.
+     */
+    private predicate boolean_filter(ControlFlowNode test, ControlFlowNode use) {
+        any(PyEdgeRefinement ref).getTest() = test and
+        (
+            use = test
+            or
+            exists(ControlFlowNode notuse |
+                boolean_filter(test, notuse) and
+                use = not_operand(notuse)
+            )
+        )
+    }
+
+    /** Gets the boolean value that `test` evaluates to when `use` is tainted with `kind`
+     * and `test` and `use` are part of a test in a branch.
+     */
+    private boolean test_evaluates(ControlFlowNode test, ControlFlowNode use, TaintKind kind) {
+        boolean_filter(_, use) and
+        kind.taints(use) and
+        test = use and result = kind.booleanValue()
+        or
+        result = test_evaluates(not_operand(test), use, kind).booleanNot()
+    }
+
     pragma [noinline]
     predicate tainted_argument(ArgumentRefinement def, CallContext context, TaintedNode origin) {
         tainted_var(def.getInput(), context, origin)
 
@@ -3,6 +3,10 @@
  * 
  * This should be considered an advance feature. Modifying the points-to analysis
  * can cause queries to give strange and misleading results, if not done with care.
+ *
+ * WARNING:
+ *     This module interacts with the internals of points-to analysis and
+ *     the classes here are more likely to change than the rest of the library.
  */
 
 import python
@@ -34,6 +38,18 @@ abstract class CustomPointsToOriginFact extends CustomPointsToFact {
 
 }
 
+/* Custom points-to fact with inferred class */
+abstract class CustomPointsToObjectFact extends CustomPointsToFact {
+
+    abstract predicate pointsTo(Object value);
+
+    override predicate pointsTo(Context context, Object value, ClassObject cls, ControlFlowNode origin) {
+        this.pointsTo(value) and cls = simple_types(value) and origin = this and context.appliesTo(this)
+    }
+
+}
+
+
 /** INTERNAL -- Do not use */
 abstract class CustomPointsToAttribute extends Object {
 
 
@@ -1,10 +1,12 @@
 | test.py:4:1:4:3 | ControlFlowNode for one | int 1 |
 | test.py:5:1:5:3 | ControlFlowNode for two | int 2 |
 | test.py:8:1:8:1 | ControlFlowNode for IntegerLiteral | int 1 |
-| test.py:8:1:8:7 | ControlFlowNode for Tuple | Tuple |
+| test.py:8:1:8:11 | ControlFlowNode for Tuple | Tuple |
 | test.py:8:3:8:3 | ControlFlowNode for IntegerLiteral | int 2 |
 | test.py:8:5:8:5 | ControlFlowNode for IntegerLiteral | int 3 |
 | test.py:8:7:8:7 | ControlFlowNode for IntegerLiteral | int 4 |
+| test.py:8:9:8:9 | ControlFlowNode for IntegerLiteral | int 5 |
+| test.py:8:11:8:11 | ControlFlowNode for IntegerLiteral | int 6 |
 | test.py:10:1:10:2 | ControlFlowNode for a3 | int 3 |
 | test.py:10:6:10:7 | ControlFlowNode for Tuple | Tuple |
 | test.py:10:6:10:13 | ControlFlowNode for Attribute | int 3 |
@@ -13,3 +15,5 @@
 | test.py:11:6:11:15 | ControlFlowNode for Attribute | int 4 |
 | test.py:13:1:13:2 | ControlFlowNode for a3 | int 3 |
 | test.py:14:1:14:2 | ControlFlowNode for a4 | int 4 |
+| test.py:16:1:16:4 | ControlFlowNode for five | int 5 |
+| test.py:17:1:17:3 | ControlFlowNode for six | int 6 |
@@ -38,6 +38,19 @@ class AttributeExtension  extends CustomPointsToAttribute {
 
 }
 
+class NoClassExtension extends CustomPointsToObjectFact {
+
+    NoClassExtension() { this = this }
+
+    override predicate pointsTo(Object value) {
+        this.(NameNode).getId() = "five" and value.(NumericObject).intValue() = 5
+        or
+        this.(NameNode).getId() = "six" and value.(NumericObject).intValue() = 6
+    }
+
+}
+
+
 from ControlFlowNode f, Object o
 where f.getLocation().getFile().getBaseName() = "test.py" and f.refersTo(o)
 select f, o.toString()
 
@@ -5,10 +5,13 @@
 two
 
 #Make sure values exist in DB
-1,2,3,4
+1,2,3,4,5,6
 
 a3 = ().three
 a4 = False.four
 
 a3
 a4
+
+five
+six
@@ -334,3 +334,35 @@ class OsCommand extends TaintSink {
     }
 
 }
+
+
+class Falsey extends TaintKind {
+
+    Falsey() { this = "falsey" }
+
+    override boolean booleanValue() {
+        result = false
+    }
+
+}
+
+class FalseySource  extends TaintSource {
+
+    FalseySource() {
+         this.(NameNode).getId() = "FALSEY"
+    }
+
+    override predicate isSourceOf(TaintKind kind) {
+        kind instanceof Falsey
+    }
+
+    override string toString() {
+        result = "falsey.source"
+    }
+
+}
+
+
+
+
+
Original file line number	Diff line number	Diff line change
`@@ -50,6 +50,8 @@ ClassObject simple_types(Object obj) {`
`50`	`50`	`obj.getOrigin() instanceof Module and result = theModuleType()`
`51`	`51`	`or`
`52`	`52`	`result = builtin_object_type(obj)`
	`53`	`+ or`
	`54`	`+ obj = unknownValue() and result = theUnknownType()`
`53`	`55`	`}`
`54`	`56`
`55`	`57`	`private ClassObject comprehension(Expr e) {`