Python: Use global data-flow for ContainsNonContainer.ql

tausbn · tausbn · commit c2c96b97a46c · 2026-04-10T21:18:39.000Z
Replaces the `classTracker`-based approach with one based on global
data-flow. To make it easy to share across queries, this is implemented
as a parameterised module.

The data-flow configuration itself keeps track of two flow states:
whether we're tracking a reference to a class or a reference to an
instance.
diff --git a/python/ql/lib/semmle/python/dataflow/new/internal/ClassInstanceFlow.qll b/python/ql/lib/semmle/python/dataflow/new/internal/ClassInstanceFlow.qll
@@ -0,0 +1,118 @@
+/**
+ * Provides a reusable data-flow configuration for tracking class instances
+ * through global data-flow with full path support.
+ *
+ * This module is designed for quality queries that check whether instances
+ * of certain classes reach operations that require a specific interface
+ * (e.g., `__contains__`, `__iter__`, `__hash__`).
+ *
+ * The configuration uses two flow states:
+ * - `TrackingClass`: tracking a reference to the class itself
+ * - `TrackingInstance`: tracking an instance of the class
+ *
+ * At instantiation points (e.g., `cls()`), the state transitions from
+ * `TrackingClass` to `TrackingInstance`. Sinks are only matched in the
+ * `TrackingInstance` state.
+ */
+
+private import python
+import semmle.python.dataflow.new.DataFlow
+private import semmle.python.dataflow.new.internal.DataFlowDispatch
+private import semmle.python.ApiGraphs
+
+/** A flow state for tracking class references and their instances. */
+abstract class ClassInstanceFlowState extends string {
+  bindingset[this]
+  ClassInstanceFlowState() { any() }
+}
+
+/** A state signifying that the tracked value is a reference to the class itself. */
+class TrackingClass extends ClassInstanceFlowState {
+  TrackingClass() { this = "TrackingClass" }
+}
+
+/** A state signifying that the tracked value is an instance of the class. */
+class TrackingInstance extends ClassInstanceFlowState {
+  TrackingInstance() { this = "TrackingInstance" }
+}
+
+/**
+ * Signature module for parameterizing `ClassInstanceFlow` per query.
+ */
+signature module ClassInstanceFlowSig {
+  /** Holds if `cls` is a class whose instances should be tracked to sinks. */
+  predicate isRelevantClass(Class cls);
+
+  /** Holds if `sink` is a location where reaching instances indicate a violation. */
+  predicate isInstanceSink(DataFlow::Node sink);
+
+  /**
+   * Holds if an `isinstance` check against `checkedType` should act as a barrier,
+   * suppressing alerts when the instance has been verified to have the expected interface.
+   */
+  predicate isGuardType(DataFlow::Node checkedType);
+}
+
+/**
+ * Constructs a global data-flow configuration for tracking instances of
+ * relevant classes from their definition to violation sinks.
+ */
+module ClassInstanceFlow<ClassInstanceFlowSig Sig> {
+  /**
+   * Holds if `guard` is an `isinstance` call checking `node` against a type
+   * that should suppress the alert.
+   */
+  private predicate isinstanceGuard(DataFlow::GuardNode guard, ControlFlowNode node, boolean branch) {
+    exists(DataFlow::CallCfgNode isinstance_call |
+      isinstance_call = API::builtin("isinstance").getACall() and
+      isinstance_call.getArg(0).asCfgNode() = node and
+      (
+        Sig::isGuardType(isinstance_call.getArg(1))
+        or
+        // Also handle tuples of types: isinstance(x, (T1, T2))
+        Sig::isGuardType(DataFlow::exprNode(isinstance_call.getArg(1).asExpr().(Tuple).getAnElt()))
+      ) and
+      guard = isinstance_call.asCfgNode() and
+      branch = true
+    )
+  }
+
+  private module Config implements DataFlow::StateConfigSig {
+    class FlowState = ClassInstanceFlowState;
+
+    predicate isSource(DataFlow::Node source, FlowState state) {
+      exists(ClassExpr ce |
+        Sig::isRelevantClass(ce.getInnerScope()) and
+        source.asExpr() = ce and
+        state instanceof TrackingClass
+      )
+    }
+
+    predicate isSink(DataFlow::Node sink, FlowState state) {
+      Sig::isInstanceSink(sink) and
+      state instanceof TrackingInstance
+    }
+
+    predicate isBarrier(DataFlow::Node node) {
+      node = DataFlow::BarrierGuard<isinstanceGuard/3>::getABarrierNode()
+    }
+
+    predicate isAdditionalFlowStep(
+      DataFlow::Node nodeFrom, FlowState stateFrom, DataFlow::Node nodeTo, FlowState stateTo
+    ) {
+      // Instantiation: class reference at the call function position
+      // flows to the call result as an instance.
+      stateFrom instanceof TrackingClass and
+      stateTo instanceof TrackingInstance and
+      exists(CallNode call |
+        nodeFrom.asCfgNode() = call.getFunction() and
+        nodeTo.asCfgNode() = call and
+        // Exclude decorator applications, where the result is a proxy
+        // rather than a typical instance.
+        not call.getNode() = any(FunctionExpr fe).getADecoratorCall()
+      )
+    }
+  }
+
+  module Flow = DataFlow::GlobalWithState<Config>;
+}
diff --git a/python/ql/src/Expressions/ContainsNonContainer.ql b/python/ql/src/Expressions/ContainsNonContainer.ql
@@ -1,7 +1,7 @@
 /**
  * @name Membership test with a non-container
  * @description A membership test, such as 'item in sequence', with a non-container on the right hand side will raise a 'TypeError'.
- * @kind problem
+ * @kind path-problem
  * @tags quality
  *       reliability
  *       correctness
@@ -14,6 +14,7 @@
 import python
 import semmle.python.dataflow.new.DataFlow
 private import semmle.python.dataflow.new.internal.DataFlowDispatch
+private import semmle.python.dataflow.new.internal.ClassInstanceFlow
 private import semmle.python.ApiGraphs
 
 predicate rhs_in_expr(Expr rhs, Compare cmp) {
@@ -22,65 +23,36 @@ predicate rhs_in_expr(Expr rhs, Compare cmp) {
   )
 }
 
-/**
- * Holds if `origin` is the result of applying a class as a decorator to a function.
- * Such decorator classes act as proxies, and the runtime value of the decorated
- * attribute may be of a different type than the decorator class itself.
- */
-predicate isDecoratorApplication(DataFlow::LocalSourceNode origin) {
-  exists(FunctionExpr fe | origin.asExpr() = fe.getADecoratorCall())
-}
+module ContainsNonContainerSig implements ClassInstanceFlowSig {
+  predicate isRelevantClass(Class cls) {
+    not DuckTyping::isContainer(cls) and
+    not DuckTyping::hasUnresolvedBase(getADirectSuperclass*(cls)) and
+    not exists(CallNode setattr_call |
+      setattr_call.getFunction().(NameNode).getId() = "setattr" and
+      setattr_call.getArg(0).(NameNode).getId() = cls.getName() and
+      setattr_call.getScope() = cls.getScope()
+    )
+  }
 
-/**
- * Holds if `cls` has methods dynamically added via `setattr`, so we cannot
- * statically determine its full interface.
- */
-predicate hasDynamicMethods(Class cls) {
-  exists(CallNode setattr_call |
-    setattr_call.getFunction().(NameNode).getId() = "setattr" and
-    setattr_call.getArg(0).(NameNode).getId() = cls.getName() and
-    setattr_call.getScope() = cls.getScope()
-  )
-}
+  predicate isInstanceSink(DataFlow::Node sink) { rhs_in_expr(sink.asExpr(), _) }
 
-/**
- * Holds if `cls_arg` references a known container builtin type, either directly
- * or as an element of a tuple.
- */
-private predicate isContainerTypeArg(DataFlow::Node cls_arg) {
-  cls_arg =
-    API::builtin(["list", "tuple", "set", "frozenset", "dict", "str", "bytes", "bytearray"])
-        .getAValueReachableFromSource()
-  or
-  isContainerTypeArg(DataFlow::exprNode(cls_arg.asExpr().(Tuple).getAnElt()))
+  predicate isGuardType(DataFlow::Node checkedType) {
+    checkedType =
+      API::builtin(["list", "tuple", "set", "frozenset", "dict", "str", "bytes", "bytearray"])
+          .getAValueReachableFromSource()
+  }
 }
 
-/**
- * Holds if `rhs` is guarded by an `isinstance` check that tests for
- * a container type.
- */
-predicate guardedByIsinstanceContainer(DataFlow::Node rhs) {
-  exists(
-    DataFlow::GuardNode guard, DataFlow::CallCfgNode isinstance_call, DataFlow::LocalSourceNode src
-  |
-    isinstance_call = API::builtin("isinstance").getACall() and
-    src.flowsTo(isinstance_call.getArg(0)) and
-    src.flowsTo(rhs) and
-    isContainerTypeArg(isinstance_call.getArg(1)) and
-    guard = isinstance_call.asCfgNode() and
-    guard.controlsBlock(rhs.asCfgNode().getBasicBlock(), true)
-  )
-}
+module ContainsNonContainerFlow = ClassInstanceFlow<ContainsNonContainerSig>;
+
+import ContainsNonContainerFlow::Flow::PathGraph
 
-from Compare cmp, DataFlow::LocalSourceNode origin, DataFlow::Node rhs, Class cls
+from
+  ContainsNonContainerFlow::Flow::PathNode source, ContainsNonContainerFlow::Flow::PathNode sink,
+  ClassExpr ce
 where
-  origin = classInstanceTracker(cls) and
-  origin.flowsTo(rhs) and
-  not DuckTyping::isContainer(cls) and
-  not DuckTyping::hasUnresolvedBase(getADirectSuperclass*(cls)) and
-  not isDecoratorApplication(origin) and
-  not hasDynamicMethods(cls) and
-  not guardedByIsinstanceContainer(rhs) and
-  rhs_in_expr(rhs.asExpr(), cmp)
-select cmp, "This test may raise an Exception as the $@ may be of non-container class $@.", origin,
-  "target", cls, cls.getName()
+  ContainsNonContainerFlow::Flow::flowPath(source, sink) and
+  source.getNode().asExpr() = ce
+select sink.getNode(), source, sink,
+  "This test may raise an Exception as the $@ may be of non-container class $@.", source.getNode(),
+  "target", ce.getInnerScope(), ce.getInnerScope().getName()
diff --git a/python/ql/test/query-tests/Expressions/general/ContainsNonContainer.expected b/python/ql/test/query-tests/Expressions/general/ContainsNonContainer.expected
@@ -1,2 +1,22 @@
-| expressions_test.py:89:8:89:15 | Compare | This test may raise an Exception as the $@ may be of non-container class $@. | expressions_test.py:88:11:88:17 | ControlFlowNode for XIter() | target | expressions_test.py:77:1:77:20 | Class XIter | XIter |
-| expressions_test.py:91:8:91:19 | Compare | This test may raise an Exception as the $@ may be of non-container class $@. | expressions_test.py:88:11:88:17 | ControlFlowNode for XIter() | target | expressions_test.py:77:1:77:20 | Class XIter | XIter |
+edges
+| expressions_test.py:77:1:77:20 | ControlFlowNode for ClassExpr | expressions_test.py:77:7:77:11 | ControlFlowNode for XIter | provenance |  |
+| expressions_test.py:77:7:77:11 | ControlFlowNode for XIter | expressions_test.py:88:11:88:15 | ControlFlowNode for XIter | provenance |  |
+| expressions_test.py:88:5:88:7 | ControlFlowNode for seq | expressions_test.py:89:13:89:15 | ControlFlowNode for seq | provenance |  |
+| expressions_test.py:88:5:88:7 | ControlFlowNode for seq | expressions_test.py:91:17:91:19 | ControlFlowNode for seq | provenance |  |
+| expressions_test.py:88:5:88:7 | ControlFlowNode for seq | expressions_test.py:91:17:91:19 | ControlFlowNode for seq | provenance |  |
+| expressions_test.py:88:11:88:15 | ControlFlowNode for XIter | expressions_test.py:88:11:88:17 | ControlFlowNode for XIter() | provenance | Config |
+| expressions_test.py:88:11:88:17 | ControlFlowNode for XIter() | expressions_test.py:88:5:88:7 | ControlFlowNode for seq | provenance |  |
+nodes
+| expressions_test.py:77:1:77:20 | ControlFlowNode for ClassExpr | semmle.label | ControlFlowNode for ClassExpr |
+| expressions_test.py:77:7:77:11 | ControlFlowNode for XIter | semmle.label | ControlFlowNode for XIter |
+| expressions_test.py:88:5:88:7 | ControlFlowNode for seq | semmle.label | ControlFlowNode for seq |
+| expressions_test.py:88:11:88:15 | ControlFlowNode for XIter | semmle.label | ControlFlowNode for XIter |
+| expressions_test.py:88:11:88:17 | ControlFlowNode for XIter() | semmle.label | ControlFlowNode for XIter() |
+| expressions_test.py:89:13:89:15 | ControlFlowNode for seq | semmle.label | ControlFlowNode for seq |
+| expressions_test.py:91:17:91:19 | ControlFlowNode for seq | semmle.label | ControlFlowNode for seq |
+| expressions_test.py:91:17:91:19 | ControlFlowNode for seq | semmle.label | ControlFlowNode for seq |
+subpaths
+#select
+| expressions_test.py:89:13:89:15 | ControlFlowNode for seq | expressions_test.py:77:1:77:20 | ControlFlowNode for ClassExpr | expressions_test.py:89:13:89:15 | ControlFlowNode for seq | This test may raise an Exception as the $@ may be of non-container class $@. | expressions_test.py:77:1:77:20 | ControlFlowNode for ClassExpr | target | expressions_test.py:77:1:77:20 | Class XIter | XIter |
+| expressions_test.py:91:17:91:19 | ControlFlowNode for seq | expressions_test.py:77:1:77:20 | ControlFlowNode for ClassExpr | expressions_test.py:91:17:91:19 | ControlFlowNode for seq | This test may raise an Exception as the $@ may be of non-container class $@. | expressions_test.py:77:1:77:20 | ControlFlowNode for ClassExpr | target | expressions_test.py:77:1:77:20 | Class XIter | XIter |
+| expressions_test.py:91:17:91:19 | ControlFlowNode for seq | expressions_test.py:77:1:77:20 | ControlFlowNode for ClassExpr | expressions_test.py:91:17:91:19 | ControlFlowNode for seq | This test may raise an Exception as the $@ may be of non-container class $@. | expressions_test.py:77:1:77:20 | ControlFlowNode for ClassExpr | target | expressions_test.py:77:1:77:20 | Class XIter | XIter |
