Python: scaffold for testing data flow coverage

yoff · yoff · commit 5973fe84112c · 2020-06-25T10:32:10.000+02:00
diff --git a/python/ql/test/experimental/dataflow/coverage/dataflow.expected b/python/ql/test/experimental/dataflow/coverage/dataflow.expected
diff --git a/python/ql/test/experimental/dataflow/coverage/dataflow.ql b/python/ql/test/experimental/dataflow/coverage/dataflow.ql
@@ -0,0 +1,9 @@
+import experimental.dataflow.testConfig
+
+from
+  DataFlow::Node source,
+  DataFlow::Node sink
+where
+  exists(TestConfiguration cfg | cfg.hasFlow(source, sink))
+select
+  source, sink
diff --git a/python/ql/test/experimental/dataflow/coverage/localFlow.expected b/python/ql/test/experimental/dataflow/coverage/localFlow.expected
@@ -0,0 +1,7 @@
+| test.py:13:5:13:5 | SSA variable x | test.py:12:1:12:33 | Exit node for Function test_tuple_with_local_flow |
+| test.py:13:5:13:5 | SSA variable x | test.py:14:9:14:9 | ControlFlowNode for x |
+| test.py:13:10:13:18 | ControlFlowNode for Tuple | test.py:13:5:13:5 | SSA variable x |
+| test.py:14:5:14:5 | SSA variable y | test.py:15:5:15:11 | SSA variable y |
+| test.py:14:5:14:5 | SSA variable y | test.py:15:10:15:10 | ControlFlowNode for y |
+| test.py:14:9:14:12 | ControlFlowNode for Subscript | test.py:14:5:14:5 | SSA variable y |
+| test.py:15:5:15:11 | SSA variable y | test.py:12:1:12:33 | Exit node for Function test_tuple_with_local_flow |
diff --git a/python/ql/test/experimental/dataflow/coverage/localFlow.ql b/python/ql/test/experimental/dataflow/coverage/localFlow.ql
@@ -0,0 +1,8 @@
+import python
+import experimental.dataflow.DataFlow
+
+from DataFlow::Node nodeFrom, DataFlow::Node nodeTo
+where
+  DataFlow::localFlowStep(nodeFrom, nodeTo) and
+  nodeFrom.getEnclosingCallable().getName().matches("%\\_with\\_local\\_flow")
+select nodeFrom, nodeTo
diff --git a/python/ql/test/experimental/dataflow/coverage/test.py b/python/ql/test/experimental/dataflow/coverage/test.py
@@ -0,0 +1,15 @@
+# This should cover all the syntactical constructs that we hope to support
+# Intended sources should be the variable `SOUCE` and intended sinks should be
+# arguments to the function `SINK` (see python/ql/test/experimental/dataflow/testConfig.qll).
+#
+# Functions whose name ends with "_with_local_flow" will also be tested for local flow.
+
+# Uncomment these to test the test code
+# SOURCE = 42
+# def SINK(x):
+#     return 42
+
+def test_tuple_with_local_flow():
+    x = (3, SOURCE)
+    y = x[1]
+    SINK(y)
diff --git a/python/ql/test/experimental/dataflow/regression/config.qll b/python/ql/test/experimental/dataflow/regression/config.qll
diff --git a/python/ql/test/experimental/dataflow/regression/dataflow.ql b/python/ql/test/experimental/dataflow/regression/dataflow.ql
@@ -5,7 +5,7 @@
  * hope to remove the false positive.
  */
 
-import config
+import experimental.dataflow.testConfig
 
 from
   DataFlow::Node source,
diff --git a/python/ql/test/experimental/dataflow/testConfig.qll b/python/ql/test/experimental/dataflow/testConfig.qll
@@ -0,0 +1,29 @@
+/**
+ * Configuration to test selected data flow
+ * Sources in the source code are denoted by the special name `SOURCE`,
+ * and sinks are denoted by arguments to the special function `SINK`.
+ * For example, given the test code
+ * ```python
+ *  def test():
+ *      s = SOURCE
+ *      SINK(s)
+ * ```
+ * `SOURCE` will be a source and the second occurance of `s` will be a sink.
+ */
+
+import experimental.dataflow.DataFlow
+
+class TestConfiguration extends DataFlow::Configuration {
+  TestConfiguration() { this = "TestConfiguration" }
+
+  override predicate isSource(DataFlow::Node node) {
+    node.asCfgNode().(NameNode).getId() = "SOURCE"
+  }
+
+  override predicate isSink(DataFlow::Node node) {
+    exists(CallNode call |
+      call.getFunction().(NameNode).getId() = "SINK" and
+      node.asCfgNode() = call.getAnArg()
+    )
+  }
+}
