Python: Model io.open as FileSystemAccess

RasmusWL · RasmusWL · commit d88e5bdb3abd · 2020-11-24T18:27:33.000+01:00
diff --git a/python/ql/src/semmle/python/frameworks/Stdlib.qll b/python/ql/src/semmle/python/frameworks/Stdlib.qll
@@ -736,7 +736,11 @@ private module Stdlib {
   private class OpenCall extends FileSystemAccess::Range, DataFlow::CfgNode {
     override CallNode node;
 
-    OpenCall() { node.getFunction() = builtins_attr("open").asCfgNode() }
+    OpenCall() {
+      node.getFunction() = builtins_attr("open").asCfgNode()
+      or
+      node.getFunction() = io_attr("open").asCfgNode()
+    }
 
     override DataFlow::Node getAPathArgument() {
       result.asCfgNode() in [node.getArg(0), node.getArgByName("file")]
@@ -888,6 +892,59 @@ private module Stdlib {
       )
     }
   }
+
+  // ---------------------------------------------------------------------------
+  // io
+  // ---------------------------------------------------------------------------
+  /** Gets a reference to the `io` module. */
+  private DataFlow::Node io(DataFlow::TypeTracker t) {
+    t.start() and
+    result = DataFlow::importNode("io")
+    or
+    exists(DataFlow::TypeTracker t2 | result = io(t2).track(t2, t))
+  }
+
+  /** Gets a reference to the `io` module. */
+  DataFlow::Node io() { result = io(DataFlow::TypeTracker::end()) }
+
+  /**
+   * Gets a reference to the attribute `attr_name` of the `io` module.
+   * WARNING: Only holds for a few predefined attributes.
+   */
+  private DataFlow::Node io_attr(DataFlow::TypeTracker t, string attr_name) {
+    attr_name in ["open"] and
+    (
+      t.start() and
+      result = DataFlow::importNode("io" + "." + attr_name)
+      or
+      t.startInAttr(attr_name) and
+      result = io()
+    )
+    or
+    // Due to bad performance when using normal setup with `io_attr(t2, attr_name).track(t2, t)`
+    // we have inlined that code and forced a join
+    exists(DataFlow::TypeTracker t2 |
+      exists(DataFlow::StepSummary summary |
+        io_attr_first_join(t2, attr_name, result, summary) and
+        t = t2.append(summary)
+      )
+    )
+  }
+
+  pragma[nomagic]
+  private predicate io_attr_first_join(
+    DataFlow::TypeTracker t2, string attr_name, DataFlow::Node res, DataFlow::StepSummary summary
+  ) {
+    DataFlow::StepSummary::step(io_attr(t2, attr_name), res, summary)
+  }
+
+  /**
+   * Gets a reference to the attribute `attr_name` of the `io` module.
+   * WARNING: Only holds for a few predefined attributes.
+   */
+  private DataFlow::Node io_attr(string attr_name) {
+    result = io_attr(DataFlow::TypeTracker::end(), attr_name)
+  }
 }
 
 // ---------------------------------------------------------------------------
diff --git a/python/ql/test/experimental/library-tests/frameworks/stdlib/FileSystemAccess.py b/python/ql/test/experimental/library-tests/frameworks/stdlib/FileSystemAccess.py
@@ -14,5 +14,5 @@
 builtins.open(file="filepath")  # $getAPathArgument="filepath"
 
 
-io.open("filepath")  # $ MISSING: getAPathArgument="filepath"
-io.open(file="filepath")  # $ MISSING: getAPathArgument="filepath"
+io.open("filepath")  # $getAPathArgument="filepath"
+io.open(file="filepath")  # $getAPathArgument="filepath"
