A synthetic data-flow node to allow flow to keyword parameters from a **kwargs argument.
Take the code snippet below as an example. Since the call only has a **kwargs argument,
with a ** argument position, we add this synthetic parameter node with ** parameter position,
and a read step to the p1 parameter.
def foo(p1, p2): ...
kwargs = {"p1": 42, "p2": 43}
foo(**kwargs)
Note that this will introduce a bit of redundancy in cases like
foo(p1=taint(1), p2=taint(2))
where direct keyword matching is possible, since we construct a synthesized dict
splat argument (SynthDictSplatArgumentNode) at the call site, which means that
taint(1) will flow into p1 both via normal keyword matching and via the synthesized
nodes (and similarly for p2). However, this redundancy is OK since
(a) it means that type-tracking through keyword arguments also works in most cases,
(b) read/store steps can be avoided when direct keyword matching is possible, and
hence access path limits are not a concern, and
(c) since the synthesized nodes are hidden, the reported data-flow paths will be
collapsed anyway.
Import path
import semmle.python.dataflow.new.internal.DataFlowPrivateDirect supertypes
Fields
Predicates
| getLocation | Gets the location of this node |
| getParameter | Gets the |
| getScope | Gets the scope of this node. |
| toString | Gets a textual representation of this element. |
Inherited predicates
| asCfgNode | Gets the control-flow node corresponding to this node, if any. | from Node |
| asExpr | Gets the expression corresponding to this node, if any. | from Node |
| getALocalSource | Gets a local source node from which data may flow to this node in zero or more local data-flow steps. | from Node |
| getEnclosingCallable | Gets the enclosing callable of this node. | from Node |
| hasLocationInfo | Holds if this element is at the specified location. The location spans column | from Node |
| isParameterOf | Holds if this node is the parameter of callable | from ParameterNodeImpl |