From 0dc036abd17ad23afa4bf9b64d935d6c86637eeb Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen
Date: Thu, 3 Oct 2024 09:31:02 +0200
Subject: [PATCH 1/3] Python: Allow type tracking through comprehensions

- the subscript operator is extended to comprehensions
- the capture jump-step is extended to work for the functions generated inside comprehensions
---
 python/ql/lib/semmle/python/ApiGraphs.qll | 7 +++++++
 .../python/dataflow/new/internal/TypeTrackingImpl.qll | 2 +-
 .../ql/test/library-tests/frameworks/stdlib/http_server.py | 4 ++--
 3 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/python/ql/lib/semmle/python/ApiGraphs.qll b/python/ql/lib/semmle/python/ApiGraphs.qll
index 1ce04852f3ad..4385259ca9b3 100644
--- a/python/ql/lib/semmle/python/ApiGraphs.qll
+++ b/python/ql/lib/semmle/python/ApiGraphs.qll
@@ -843,6 +843,13 @@ module API {
 ref = pred.getSubscript(_) and
 ref.asCfgNode().isLoad()
 or
+ // Subscript via comprehension
+ lbl = Label::subscript() and
+ exists(PY::Comp comp |
+ pred.asExpr() = comp.getIterable() and
+ ref.asExpr() = comp.getNthInnerLoop(0).getTarget()
+ )
+ or
 // Subclassing a node
 lbl = Label::subclass() and
 exists(PY::ClassExpr clsExpr, DataFlow::Node superclass | pred.flowsTo(superclass) |
diff --git a/python/ql/lib/semmle/python/dataflow/new/internal/TypeTrackingImpl.qll b/python/ql/lib/semmle/python/dataflow/new/internal/TypeTrackingImpl.qll
index f3e4ff40800b..415028ad8277 100644
--- a/python/ql/lib/semmle/python/dataflow/new/internal/TypeTrackingImpl.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/internal/TypeTrackingImpl.qll
@@ -304,7 +304,7 @@ module TypeTrackingInput implements Shared::TypeTrackingInput {
 var.hasDefiningNode(def)
 |
 nodeTo.(DataFlowPublic::ScopeEntryDefinitionNode).getDefinition() = e and
- nodeFrom.asCfgNode() = def.getValue() and
+ nodeFrom.asCfgNode() = def and
 var.getScope().getScope*() = nodeFrom.getScope()
 )
 }
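Review bot: The new disjunct binds `ref.asExpr() = comp.getNthInnerLoop(0).getTarget()` without constraining the target's shape, so when the first `for` clause destructures (`for k, v in pred`) the `subscript` edge lands on the tuple expression rather than on its elements, which looks less precise than the `pred.getSubscript(_)` case directly above; either restrict the target to `PY::Name` or state in the comment that destructuring targets are deliberately approximated. Only the outermost loop is covered, so iterables of nested `for` clauses get no edge — presumably intentional because those iterables live inside the comprehension scope, but worth a sentence. The one-line comment could also say why iteration is given the subscript label, e.g. `// Iterating over a node in a comprehension: the loop target is labelled like an unknown-index subscript pred[_]`. The enclosing predicate starts and ends outside the hunk.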
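Review bot: The changed line `nodeFrom.asCfgNode() = def and` drops the `.getValue()` indirection without a comment saying why, and the hunk alone does not show how `def` is declared (it is bound above via `var.hasDefiningNode(def)`). The commit message ties this to the functions generated for comprehensions, which presumably have no separate value node for the captured variable; a comment next to the line would save the next reader a bisect, e.g. `// Use the defining node itself rather than its assigned value: the scopes synthesized for comprehensions have no separate value node for the captured variable (value-to-definition flow is assumed to be an existing local step — confirm)`. The enclosing predicate starts outside the hunk.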
diff --git a/python/ql/test/library-tests/frameworks/stdlib/http_server.py b/python/ql/test/library-tests/frameworks/stdlib/http_server.py
index 27ec2211f4bc..9110aa6a26a9 100644
--- a/python/ql/test/library-tests/frameworks/stdlib/http_server.py
+++ b/python/ql/test/library-tests/frameworks/stdlib/http_server.py
@@ -30,7 +30,7 @@ def test_cgi_FieldStorage_taint():
 form['key'][0].value, # $ tainted
 form['key'][0].file, # $ tainted
 form['key'][0].filename, # $ tainted
- [field.value for field in form['key']], # $ MISSING: tainted
+ [field.value for field in form['key']], # $ tainted
 
 # `form.getvalue('key')` will be a list, if multiple fields named "key" are provided
 form.getvalue('key'), # $ tainted
@@ -40,7 +40,7 @@ def test_cgi_FieldStorage_taint():
 form.getlist('key'), # $ tainted
 form.getlist('key')[0], # $ tainted
 
- [field.value for field in form.getlist('key')], # $ MISSING: tainted
+ [field.value for field in form.getlist('key')], # $ tainted
 )
 
 

From 9e808c17aff2aee6f74f4cf14972607c0744ab7d Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen
Date: Thu, 3 Oct 2024 10:09:59 +0200
Subject: [PATCH 2/3] Python: add change note

---
 .../2024-10-03-typetracking-through-comprehensions.md | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 python/ql/lib/change-notes/released/2024-10-03-typetracking-through-comprehensions.md

diff --git a/python/ql/lib/change-notes/released/2024-10-03-typetracking-through-comprehensions.md b/python/ql/lib/change-notes/released/2024-10-03-typetracking-through-comprehensions.md
new file mode 100644
index 000000000000..72d853460305
--- /dev/null
+++ b/python/ql/lib/change-notes/released/2024-10-03-typetracking-through-comprehensions.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Type tracking, and hence the API graph, is now able to correctly trace trough comprehensions.
\ No newline at end of file

From 6d486f99319ce11fe7411ff9c28becc02c9dd5df Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen
Date: Thu, 3 Oct 2024 10:15:55 +0200
Subject: [PATCH 3/3] Python: move change note to the right place

---
 .../2024-10-03-typetracking-through-comprehensions.md | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename python/ql/lib/change-notes/{released => }/2024-10-03-typetracking-through-comprehensions.md (100%)

diff --git a/python/ql/lib/change-notes/released/2024-10-03-typetracking-through-comprehensions.md b/python/ql/lib/change-notes/2024-10-03-typetracking-through-comprehensions.md
similarity index 100%
rename from python/ql/lib/change-notes/released/2024-10-03-typetracking-through-comprehensions.md
rename to python/ql/lib/change-notes/2024-10-03-typetracking-through-comprehensions.md