Merge pull request github#6274 from tausbn/python-api-graphs-import-star

RasmusWL · web-flow · commit db78e3a7da86 · 2021-09-10T13:25:41.000+02:00
Python: Support `import *` in API graphs
diff --git a/python/ql/lib/semmle/python/ApiGraphs.qll b/python/ql/lib/semmle/python/ApiGraphs.qll
@@ -424,13 +424,8 @@ module API {
      * a value in the module `m`.
      */
     private predicate possible_builtin_defined_in_module(string name, Module m) {
-      exists(NameNode n |
-        not exists(LocalVariable v | n.defines(v)) and
-        n.isStore() and
-        name = n.getId() and
-        name = getBuiltInName() and
-        m = n.getEnclosingModule()
-      )
+      global_name_defined_in_module(name, m) and
+      name = getBuiltInName()
     }
 
     /**
@@ -445,6 +440,51 @@ module API {
       m = n.getEnclosingModule()
     }
 
+    /**
+     * Holds if `n` is an access of a variable called `name` (which is _not_ the name of a
+     * built-in, and which is _not_ a global defined in the enclosing module) inside the scope `s`.
+     */
+    private predicate name_possibly_defined_in_import_star(NameNode n, string name, Scope s) {
+      n.isLoad() and
+      name = n.getId() and
+      // Not already defined in an enclosing scope.
+      not exists(LocalVariable v |
+        v.getId() = name and v.getScope() = n.getScope().getEnclosingScope*()
+      ) and
+      not name = getBuiltInName() and
+      s = n.getScope().getEnclosingScope*() and
+      exists(potential_import_star_base(s)) and
+      not global_name_defined_in_module(name, n.getEnclosingModule())
+    }
+
+    /** Holds if a global variable called `name` is assigned a value in the module `m`. */
+    private predicate global_name_defined_in_module(string name, Module m) {
+      exists(NameNode n |
+        not exists(LocalVariable v | n.defines(v)) and
+        n.isStore() and
+        name = n.getId() and
+        m = n.getEnclosingModule()
+      )
+    }
+
+    /**
+     * Gets the API graph node for all modules imported with `from ... import *` inside the scope `s`.
+     *
+     * For example, given
+     *
+     * `from foo.bar import *`
+     *
+     * this would be the API graph node with the path
+     *
+     * `moduleImport("foo").getMember("bar")`
+     */
+    private TApiNode potential_import_star_base(Scope s) {
+      exists(DataFlow::Node ref |
+        ref.asCfgNode() = any(ImportStarNode n | n.getScope() = s).getModule() and
+        use(result, ref)
+      )
+    }
+
     /**
      * Holds if `ref` is a use of a node that should have an incoming edge from `base` labeled
      * `lbl` in the API graph.
@@ -487,6 +527,15 @@ module API {
       // Built-ins, treated as members of the module `builtins`
       base = MkModuleImport("builtins") and
       lbl = Label::member(any(string name | ref = likely_builtin(name)))
+      or
+      // Unknown variables that may belong to a module imported with `import *`
+      exists(Scope s |
+        base = potential_import_star_base(s) and
+        lbl =
+          Label::member(any(string name |
+              name_possibly_defined_in_import_star(ref.asCfgNode(), name, s)
+            ))
+      )
     }
 
     /**
diff --git a/python/ql/test/experimental/dataflow/ApiGraphs/test.py b/python/ql/test/experimental/dataflow/ApiGraphs/test.py
@@ -74,12 +74,6 @@ def f():
     change_foo()
     sink(foo) #$ use=moduleImport("danger").getMember("SOURCE")
 
-# Star imports
-
-from unknown import * #$ use=moduleImport("unknown")
-
-hello() #$ MISSING: use=moduleImport("unknown").getMember("hello").getReturn()
-
 
 # Subclasses
 
diff --git a/python/ql/test/experimental/dataflow/ApiGraphs/test_import_star.py b/python/ql/test/experimental/dataflow/ApiGraphs/test_import_star.py
@@ -0,0 +1,36 @@
+# Star imports
+
+from unknown import * #$ use=moduleImport("unknown")
+
+# Currently missing, as we do not consider `hello` to be a `LocalSourceNode`, since it has flow
+# going into it from its corresponding `GlobalSsaVariable`.
+hello() #$ MISSING: use=moduleImport("unknown").getMember("hello").getReturn()
+
+# We don't want our analysis to think that either `non_module_member` or `outer_bar` can
+# come from `from unknown import *`
+non_module_member
+
+outer_bar = 5
+outer_bar
+
+def foo():
+    world() #$ use=moduleImport("unknown").getMember("world").getReturn()
+    bar = 5
+    bar
+    non_module_member
+    print(bar) #$ use=moduleImport("builtins").getMember("print").getReturn()
+
+def quux():
+    global non_module_member
+    non_module_member = 5
+
+def func1():
+    var() #$ use=moduleImport("unknown").getMember("var").getReturn()
+    def func2():
+        var = "FOO"
+
+def func3():
+    var2 = print #$ use=moduleImport("builtins").getMember("print")
+    def func4():
+        var2() #$ MISSING: use=moduleImport("builtins").getMember("print").getReturn()
+    func4()
diff --git a/python/ql/test/experimental/dataflow/ApiGraphs/test_import_star2.py b/python/ql/test/experimental/dataflow/ApiGraphs/test_import_star2.py
@@ -0,0 +1,15 @@
+# Star imports in local scope
+
+hello2() 
+
+def foo():
+    from unknown2 import * #$ use=moduleImport("unknown2")
+    world2() #$ use=moduleImport("unknown2").getMember("world2").getReturn()
+    bar2 = 5
+    bar2
+    non_module_member2
+    print(bar2) #$ use=moduleImport("builtins").getMember("print").getReturn()
+
+def quux2():
+    global non_module_member2
+    non_module_member2 = 5
