From 5bbb8fdfc037319c93a2b901b75368b2a11b5272 Mon Sep 17 00:00:00 2001 From: GeekMasher Date: Wed, 27 Jul 2022 18:43:02 +0100 Subject: [PATCH 1/2] Add false positive for local sources --- .gitignore | 2 ++ .vimignore | 5 +++++ tests/python-tests/libraries/localsources/app.py | 9 +++++++++ 3 files changed, 16 insertions(+) create mode 100644 .vimignore diff --git a/.gitignore b/.gitignore index 8341e0db03..a565262ebc 100644 --- a/.gitignore +++ b/.gitignore @@ -5,6 +5,8 @@ # CodeQL related .codeql .cache +*.testproj/ +*.actual # Test files / folders test.ql diff --git a/.vimignore b/.vimignore new file mode 100644 index 0000000000..8ab5515d50 --- /dev/null +++ b/.vimignore @@ -0,0 +1,5 @@ + +codeql/ +codeql-go/ +.cache/ + diff --git a/tests/python-tests/libraries/localsources/app.py b/tests/python-tests/libraries/localsources/app.py index 25ddd44596..6727685534 100644 --- a/tests/python-tests/libraries/localsources/app.py +++ b/tests/python-tests/libraries/localsources/app.py @@ -31,3 +31,12 @@ f2 = os.open("/etc/passwd", os.O_RDONLY) i10 = os.read(f2, 1024) + + +# False Positives + +import tempfile + +t1 = tempfile.gettempdir() +t2 = tempfile.mkdtemp() + From f465ac56841358fc9f3dc4ace098a697dc4f3d4b Mon Sep 17 00:00:00 2001 From: Mathew Payne Date: Wed, 27 Jul 2022 19:16:12 +0100 Subject: [PATCH 2/2] Fix FPs by removing FileSystemAccess::Range --- python/github/LocalSources.qll | 24 ++++++++----------- .../localsources/LocalSourcesTest.expected | 3 --- .../libraries/localsources/app.py | 1 - 3 files changed, 10 insertions(+), 18 deletions(-) diff --git a/python/github/LocalSources.qll b/python/github/LocalSources.qll index 9163fc77fe..4402f5886b 100644 --- a/python/github/LocalSources.qll +++ b/python/github/LocalSources.qll 
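Review bot: The new `# False Positives` section in tests/python-tests/libraries/localsources/app.py does not record why `tempfile.gettempdir()` and `tempfile.mkdtemp()` must not be reported, which is the whole point of the fixture. A one-line comment above `t1`, such as `# These return a path chosen by the library, not data read from the filesystem, so they are not local sources`, would make the intent checkable against LocalSourcesTest.expected. That .expected file is not touched in this patch, so the new cases are presumably only validated by the follow-up commit; this is inferred from the diffstat rather than visible in the hunk.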
@@ -80,20 +80,16 @@ module LocalSources { class FileReadSource extends LocalSources::Range { FileReadSource() { // exists(StrConst literal | this = DataFlow::exprNode(literal)) - ( - exists(DataFlow::Node call | - ( - // https://docs.python.org/3/library/functions.html#open - // var = open('abc.txt') - call = API::builtin("open").getACall().getAMethodCall("read") - or - // https://docs.python.org/3/library/os.html#os.read - call = API::moduleImport("os").getMember(["read"]).getACall() - ) and - this = call - ) - or - this instanceof FileSystemAccess::Range + exists(DataFlow::Node call | + ( + // https://docs.python.org/3/library/functions.html#open + // var = open('abc.txt') + call = API::builtin("open").getACall().getAMethodCall("read") + or + // https://docs.python.org/3/library/os.html#os.read + call = API::moduleImport("os").getMember(["read"]).getACall() + ) and + this = call ) and this.getScope().inSource() } diff --git a/tests/python-tests/libraries/localsources/LocalSourcesTest.expected b/tests/python-tests/libraries/localsources/LocalSourcesTest.expected index 3c872fa335..06b6222d1c 100644 --- a/tests/python-tests/libraries/localsources/LocalSourcesTest.expected +++ b/tests/python-tests/libraries/localsources/LocalSourcesTest.expected @@ -6,9 +6,6 @@ | app.py:20:8:20:26 | ControlFlowNode for Attribute() | | app.py:22:6:22:11 | ControlFlowNode for Attribute | | app.py:23:6:23:15 | ControlFlowNode for Attribute | -| app.py:26:5:26:23 | ControlFlowNode for open() | | app.py:27:6:27:13 | ControlFlowNode for Attribute() | -| app.py:29:6:29:24 | ControlFlowNode for open() | | app.py:30:10:30:17 | ControlFlowNode for Attribute() | -| app.py:32:6:32:40 | ControlFlowNode for Attribute() | | app.py:33:7:33:23 | ControlFlowNode for Attribute() | diff --git a/tests/python-tests/libraries/localsources/app.py b/tests/python-tests/libraries/localsources/app.py index 6727685534..bfbf2b985b 100644 --- a/tests/python-tests/libraries/localsources/app.py 
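Review bot: Dropping `this instanceof FileSystemAccess::Range` narrows `FileReadSource` to exactly `open(...).read()` and `os.read(...)`, so the LocalSourcesTest.expected hunk in the same patch loses the three `open()`/`os.open()` results at app.py:26, 29 and 32, and file contents obtained via `readline`, `readlines` or iteration over the file object are no longer modeled here at all; the tempfile false positives are traded for false negatives. A narrower fix keeps the explicit model but widens it to the other read methods, e.g. `call = API::builtin("open").getACall().getAMethodCall(["read", "readline", "readlines"])`, and adds a comment above the `exists` stating why the FileSystemAccess model was removed (it also matched path-returning calls such as `tempfile.mkdtemp()`), so it is not reintroduced later. Whether `with open(...) as f: f.read()` still matches through the API graph is not visible from this hunk and deserves a test case in app.py. The `FileReadSource` class body closes outside the hunk.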
+++ b/tests/python-tests/libraries/localsources/app.py @@ -39,4 +39,3 @@ t1 = tempfile.gettempdir() t2 = tempfile.mkdtemp() -