Skip to content

Python: Make "Modification of parameter with default" flow-sensitive. #878

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
markshannon merged 4 commits into from
Mar 1, 2019
Merged

Python: Make "Modification of parameter with default" flow-sensitive. #878

markshannon merged 4 commits into from
Mar 1, 2019

Conversation

@taus-semmle
Copy link
Contributor

@taus-semmle taus-semmle commented Feb 4, 2019
edited
Loading

Extends the analysis in py/modification-of-default-value to use taint tracking. This enables us to detect modifications that happen inside other function calls.

@felicity-semmle for the change note. (And also possibly the alert message?)

Open question:

I have encountered the following idiom in some places that are flagged by the current query

def foo(x=[]):
    if not x:
        x = [1]
    # ... more statements, none of which modify x

Should we treat if not x as a sanitiser for x? As far as I can tell, there are no hidden surprises in the above code.

felicitymay
felicitymay reviewed Feb 5, 2019
View reviewed changes
Copy link
Contributor

@felicitymay felicitymay left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for pinging me. One minor suggestion, otherwise the text lgtm.

@ghost
Copy link

ghost commented Feb 5, 2019
edited by ghost
Loading

CLA assistant check
All committers have signed the CLA.

@felicitymay
Copy link
Contributor

felicitymay commented Feb 5, 2019

Thanks for the change. Text LGTM.

markshannon
markshannon approved these changes Mar 1, 2019
View reviewed changes
Copy link
Contributor

@markshannon markshannon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. We can add handling of taint truthiness for another PR.

@markshannon markshannon merged commit 8a16164 into github:master Mar 1, 2019
@markshannon markshannon mentioned this pull request Mar 1, 2019
Merged
@tausbn tausbn deleted the python-mutable-default-with-flow branch February 12, 2021 18:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

2 more reviewers

@felicitymay felicitymay felicitymay left review comments

@markshannon markshannon markshannon approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

Python

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@taus-semmle @felicitymay @markshannon