Use ContentSet a bit

Author: owen-mc

python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPrivate.qll

@@ -1075,9 +1075,9 @@ module Conversions {
       nodeTo = decoding.getOutput()
     ) and
     (
-      c instanceof TupleElementContent
+      c instanceof TupleElementAnyContent
       or
-      c instanceof DictionaryElementContent
+      c instanceof DictionaryElementAnyContent
     )
   }
 
@@ -1087,9 +1087,9 @@ module Conversions {
       nodeTo = encoding.getOutput()
     ) and
     (
-      c instanceof TupleElementContent
+      c instanceof TupleElementAnyContent
       or
-      c instanceof DictionaryElementContent
+      c instanceof DictionaryElementAnyContent
     )
   }
 
@@ -1099,13 +1099,13 @@ module Conversions {
       fmt.getOp() instanceof Mod and
       fmt.getRight() = nodeFrom.asCfgNode()
     ) and
-    c instanceof TupleElementContent
+    c instanceof TupleElementAnyContent
     or
     // format_map
     // see https://docs.python.org/3/library/stdtypes.html#str.format_map
     nodeTo.(MethodCallNode).calls(_, "format_map") and
     nodeTo.(MethodCallNode).getArg(0) = nodeFrom and
-    c instanceof DictionaryElementContent
+    c instanceof DictionaryElementAnyContent
   }
 
   predicate readStep(Node nodeFrom, ContentSet c, Node nodeTo) {

python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPublic.qll

@@ -758,6 +758,8 @@ newtype TContent =
     // data-flow-private)
     index in [0 .. 7]
   } or
+  /** An element of a tuple at any index. */
+  TTupleElementAnyContent() or
   /** An element of a dictionary under a specific key. */
   TDictionaryElementContent(string key) {
     // {"key": ...}
@@ -870,6 +872,13 @@ class DictionaryElementAnyContent extends TDictionaryElementAnyContent, Content
   override string getMaDRepresentation() { result = "DictionaryElementAny" }
 }
 
+/** An element of a tuple at any index. */
+class TupleElementAnyContent extends TTupleElementAnyContent, Content {
+  override string toString() { result = "Any tuple element" }
+
+  override string getMaDRepresentation() { result = "TupleElementAny" }
+}
+
 /** An object attribute. */
 class AttributeContent extends TAttributeContent, Content {
   private string attr;
@@ -903,13 +912,31 @@ class CapturedVariableContent extends Content, TCapturedVariableContent {
  *
  * The set may be interpreted differently depending on whether it is
  * stored into (`getAStoreContent`) or read from (`getAReadContent`).
+ *
+ * Most `ContentSet`s are singletons (i.e. they consist of a single `Content`),
+ * but `DictionaryElementAnyContent` and `TupleElementAnyContent` act as
+ * wildcards on the read side: a read at such a `ContentSet` matches *any*
+ * specific dictionary key / tuple index store. This lets a single `ContentSet`
+ * stand in for the entire family of per-key/per-index contents, which keeps
+ * the dataflow `readSetEx` relation small when implicit reads are used (e.g.
+ * at sinks via `defaultImplicitTaintRead`).
  */
 class ContentSet instanceof Content {
   /** Gets a content that may be stored into when storing into this set. */
   Content getAStoreContent() { result = this }
 
   /** Gets a content that may be read from when reading from this set. */
-  Content getAReadContent() { result = this }
+  Content getAReadContent() {
+    result = this
+    or
+    // Wildcard expansion: a read at "any dict element" matches a store at any
+    // specific dictionary key, and similarly for tuples.
+    this instanceof DictionaryElementAnyContent and
+    result instanceof DictionaryElementContent
+    or
+    this instanceof TupleElementAnyContent and
+    result instanceof TupleElementContent
+  }
 
   /** Gets a textual representation of this content set. */
   string toString() { result = super.toString() }

python/ql/lib/semmle/python/dataflow/new/internal/FlowSummaryImpl.qll

@@ -74,6 +74,8 @@ module Input implements InputSig<Location, DataFlowImplSpecific::PythonDataFlow>
       cs = TTupleElementContent(index) and result = "TupleElement" and arg = index.toString()
     )
     or
+    cs = TTupleElementAnyContent() and result = "TupleElementAny" and arg = ""
+    or
     exists(string key |
       cs = TDictionaryElementContent(key) and result = "DictionaryElement" and arg = key
     )
@@ -149,6 +151,9 @@ module Private {
       exists(TupleElementContent c | c.getIndex() = index and result = content(c))
     }
 
+    /** Gets a summary component that represents a tuple element at any index. */
+    SummaryComponent tupleElementAny() { result = content(any(TupleElementAnyContent c)) }
+
     /** Gets a summary component that represents a dictionary element. */
     SummaryComponent dictionaryElement(string key) {
       exists(DictionaryElementContent c | c.getKey() = key and result = content(c))

python/ql/lib/semmle/python/dataflow/new/internal/TaintTrackingPrivate.qll

@@ -17,13 +17,18 @@ predicate defaultTaintSanitizer(DataFlow::Node node) { none() }
  */
 bindingset[node]
 predicate defaultImplicitTaintRead(DataFlow::Node node, DataFlow::ContentSet c) {
-  // We allow implicit reads of precise content
-  // imprecise content has already bubled up.
+  // We allow implicit reads of precise content; imprecise content has already
+  // bubbled up. We use the wildcard `*Any` content sets here rather than the
+  // per-key/per-index ones to avoid blowing up the size of `Stage1::readSetEx`
+  // (otherwise this predicate would expand to one row per (node, distinct key
+  // or index) and the framework's read-set relation grows quadratically).
+  // `ContentSet.getAReadContent` expands these wildcards back to the specific
+  // contents when matching against stores.
   exists(node) and
   (
-    c instanceof DataFlow::TupleElementContent
+    c instanceof DataFlow::TupleElementAnyContent
     or
-    c instanceof DataFlow::DictionaryElementContent
+    c instanceof DataFlow::DictionaryElementAnyContent
   )
 }
 

python/ql/test/2/extractor-tests/hidden/test.expected

@@ -1,5 +1,7 @@
+| .hidden/inner |
 | .hidden/inner/test.py |
 | .hidden/module.py |
+| folder |
 | folder/module.py |
 | package |
 | package/__init__.py |

python/ql/test/2/extractor-tests/import_depth/test.expected

@@ -1,4 +1,6 @@
 | Module package |
 | Module package.__init__ |
 | Module sys |
+| Module sys._jit |
+| Module sys.monitoring |
 | Module test |

python/ql/test/2/library-tests/ControlFlow/Exceptions/Handles.expected

@@ -1,11 +1 @@
-| 8 | ControlFlowNode for ExceptStmt | builtin-class AttributeError |
-| 10 | ControlFlowNode for ExceptStmt | builtin-class IndexError |
-| 12 | ControlFlowNode for ExceptStmt | builtin-class KeyError |
 | 14 | ControlFlowNode for ExceptStmt | builtin-class BaseException |
-| 23 | ControlFlowNode for ExceptStmt | builtin-class AttributeError |
-| 25 | ControlFlowNode for ExceptStmt | builtin-class IndexError |
-| 27 | ControlFlowNode for ExceptStmt | builtin-class KeyError |
-| 38 | ControlFlowNode for ExceptStmt | builtin-class AttributeError |
-| 40 | ControlFlowNode for ExceptStmt | builtin-class IndexError |
-| 42 | ControlFlowNode for ExceptStmt | builtin-class KeyError |
-| 57 | ControlFlowNode for ExceptStmt | builtin-class IOError |

python/ql/test/2/library-tests/ControlFlow/Exceptions/Known.expected

@@ -1,15 +0,0 @@
-| 4 | ControlFlowNode for Subscript | builtin-class IndexError |
-| 4 | ControlFlowNode for Subscript | builtin-class KeyError |
-| 5 | ControlFlowNode for Attribute | builtin-class AttributeError |
-| 7 | ControlFlowNode for Raise | builtin-class Exception |
-| 19 | ControlFlowNode for Subscript | builtin-class IndexError |
-| 19 | ControlFlowNode for Subscript | builtin-class KeyError |
-| 20 | ControlFlowNode for Attribute | builtin-class AttributeError |
-| 22 | ControlFlowNode for Raise | builtin-class Exception |
-| 30 | ControlFlowNode for Pass | builtin-class Exception |
-| 34 | ControlFlowNode for Subscript | builtin-class IndexError |
-| 34 | ControlFlowNode for Subscript | builtin-class KeyError |
-| 35 | ControlFlowNode for Attribute | builtin-class AttributeError |
-| 37 | ControlFlowNode for Raise | builtin-class Exception |
-| 53 | ControlFlowNode for Attribute() | builtin-class IOError |
-| 54 | ControlFlowNode for Attribute() | builtin-class IOError |

python/ql/test/2/library-tests/ControlFlow/Exceptions/Likely.expected

@@ -1,25 +1,23 @@
-| 4 | ControlFlowNode for Subscript | 10 | ControlFlowNode for ExceptStmt |
-| 4 | ControlFlowNode for Subscript | 12 | ControlFlowNode for ExceptStmt |
-| 5 | ControlFlowNode for Attribute | 8 | ControlFlowNode for ExceptStmt |
 | 6 | ControlFlowNode for a() | 8 | ControlFlowNode for ExceptStmt |
 | 6 | ControlFlowNode for a() | 10 | ControlFlowNode for ExceptStmt |
 | 6 | ControlFlowNode for a() | 12 | ControlFlowNode for ExceptStmt |
 | 6 | ControlFlowNode for a() | 14 | ControlFlowNode for ExceptStmt |
-| 7 | ControlFlowNode for Raise | 14 | ControlFlowNode for ExceptStmt |
-| 19 | ControlFlowNode for Subscript | 25 | ControlFlowNode for ExceptStmt |
-| 19 | ControlFlowNode for Subscript | 27 | ControlFlowNode for ExceptStmt |
-| 20 | ControlFlowNode for Attribute | 23 | ControlFlowNode for ExceptStmt |
+| 7 | ControlFlowNode for Exception() | 8 | ControlFlowNode for ExceptStmt |
+| 7 | ControlFlowNode for Exception() | 10 | ControlFlowNode for ExceptStmt |
+| 7 | ControlFlowNode for Exception() | 12 | ControlFlowNode for ExceptStmt |
+| 7 | ControlFlowNode for Exception() | 14 | ControlFlowNode for ExceptStmt |
 | 21 | ControlFlowNode for a() | 23 | ControlFlowNode for ExceptStmt |
 | 21 | ControlFlowNode for a() | 25 | ControlFlowNode for ExceptStmt |
 | 21 | ControlFlowNode for a() | 27 | ControlFlowNode for ExceptStmt |
 | 21 | ControlFlowNode for a() | 30 | ControlFlowNode for Pass |
-| 22 | ControlFlowNode for Raise | 30 | ControlFlowNode for Pass |
-| 34 | ControlFlowNode for Subscript | 40 | ControlFlowNode for ExceptStmt |
-| 34 | ControlFlowNode for Subscript | 42 | ControlFlowNode for ExceptStmt |
-| 35 | ControlFlowNode for Attribute | 38 | ControlFlowNode for ExceptStmt |
+| 22 | ControlFlowNode for Exception() | 23 | ControlFlowNode for ExceptStmt |
+| 22 | ControlFlowNode for Exception() | 25 | ControlFlowNode for ExceptStmt |
+| 22 | ControlFlowNode for Exception() | 27 | ControlFlowNode for ExceptStmt |
+| 22 | ControlFlowNode for Exception() | 30 | ControlFlowNode for Pass |
 | 36 | ControlFlowNode for a() | 38 | ControlFlowNode for ExceptStmt |
 | 36 | ControlFlowNode for a() | 40 | ControlFlowNode for ExceptStmt |
 | 36 | ControlFlowNode for a() | 42 | ControlFlowNode for ExceptStmt |
-| 53 | ControlFlowNode for Attribute() | 57 | ControlFlowNode for ExceptStmt |
-| 54 | ControlFlowNode for Attribute() | 57 | ControlFlowNode for ExceptStmt |
+| 37 | ControlFlowNode for Exception() | 38 | ControlFlowNode for ExceptStmt |
+| 37 | ControlFlowNode for Exception() | 40 | ControlFlowNode for ExceptStmt |
+| 37 | ControlFlowNode for Exception() | 42 | ControlFlowNode for ExceptStmt |
 | 56 | ControlFlowNode for Attribute() | 57 | ControlFlowNode for ExceptStmt |

python/ql/test/2/library-tests/ControlFlow/Exceptions/Unknown.expected

@@ -1,6 +1,9 @@
 | 6 | ControlFlowNode for a() |
+| 7 | ControlFlowNode for Exception() |
 | 21 | ControlFlowNode for a() |
+| 22 | ControlFlowNode for Exception() |
 | 36 | ControlFlowNode for a() |
+| 37 | ControlFlowNode for Exception() |
 | 51 | ControlFlowNode for open() |
 | 56 | ControlFlowNode for Attribute() |
 | 58 | ControlFlowNode for Attribute() |