Python: filter more sinks in stdlib

yoff · yoff · commit 421d4f3497dc · 2023-11-20T21:35:52.000+01:00
Rename variable to reflect larger scope

We had test results inside `os.py`, I suppose we have found a little extra flow.
diff --git a/python/ql/lib/semmle/python/security/dataflow/PathInjectionCustomizations.qll b/python/ql/lib/semmle/python/security/dataflow/PathInjectionCustomizations.qll
@@ -71,11 +71,11 @@ module PathInjection {
       // ```
       //
       // The same approach is used in the command injection query.
-      not exists(Module pathlib |
-        pathlib.getName() = "pathlib" and
-        this.getScope().getEnclosingModule() = pathlib and
-        // do allow this call if we're analyzing pathlib.py as part of CPython though
-        not exists(pathlib.getFile().getRelativePath())
+      not exists(Module inStdlib |
+        inStdlib.getName() in ["pathlib", "os"] and
+        this.getScope().getEnclosingModule() = inStdlib and
+        // do allow this call if we're analyzing, say, pathlib.py as part of CPython though
+        not exists(inStdlib.getFile().getRelativePath())
       )
     }
   }

Original file line number	Diff line number	Diff line change
`@@ -71,11 +71,11 @@ module PathInjection {`
`71`	`71`	// ```
`72`	`72`	`//`
`73`	`73`	`// The same approach is used in the command injection query.`
`74`		`- not exists(Module pathlib \|`
`75`		`- pathlib.getName() = "pathlib" and`
`76`		`- this.getScope().getEnclosingModule() = pathlib and`
`77`		`- // do allow this call if we're analyzing pathlib.py as part of CPython though`
`78`		`- not exists(pathlib.getFile().getRelativePath())`
	`74`	`+ not exists(Module inStdlib \|`
	`75`	`+ inStdlib.getName() in ["pathlib", "os"] and`
	`76`	`+ this.getScope().getEnclosingModule() = inStdlib and`
	`77`	`+ // do allow this call if we're analyzing, say, pathlib.py as part of CPython though`
	`78`	`+ not exists(inStdlib.getFile().getRelativePath())`
`79`	`79`	`)`
`80`	`80`	`}`
`81`	`81`	`}`