github · Napalys · Aug 4, 2025 · Aug 4, 2025 · Aug 4, 2025 · Aug 4, 2025
@@ -556,6 +556,67 @@ predicate runtimeJumpStep(Node nodeFrom, Node nodeTo) {
     nodeFrom.asCfgNode() = param.getDefault() and
     nodeTo.asCfgNode() = param.getDefiningNode()
   )
+  or
+  // Enhanced global variable field access tracking
+  globalVariableNestedFieldJumpStep(nodeFrom, nodeTo)
+}
+
+/**
+ * Holds if there is a jump step from `nodeFrom` to `nodeTo` through global variable field access.
+ * This supports tracking nested object field access through global variables like `app.obj.foo`.
+ */
+predicate globalVariableNestedFieldJumpStep(Node nodeFrom, Node nodeTo) {
+  exists(ModuleVariableNode globalVar, AttrWrite write, AttrRead read |
+    // Match writes and reads on the same global variable attribute path
+    exists(string accessPath |
+      globalVariableAttrPath(globalVar, accessPath, write.getObject()) and
+      globalVariableAttrPath(globalVar, accessPath, read.getObject())
+    ) and
+    write.getAttributeName() = read.getAttributeName() and
+    nodeFrom = write.getValue() and
+    nodeTo = read //and
+    //write.getEnclosingCallable() != read.getEnclosingCallable()
+  )
+}
+
+/**
+ * Maximum depth for global variable nested attribute access.
+ * Depth 0 = globalVar.foo, depth 1 = globalVar.foo.bar, depth 2 = globalVar.foo.bar.baz, etc.
+ */
+private int getMaxGlobalVariableDepth() { result = 10 }
+
+/**
+ * Holds if `node` is an attribute access path starting from global variable `globalVar`.
+ * Supports configurable nesting depth via getMaxGlobalVariableDepth().
+ */
+predicate globalVariableAttrPath(ModuleVariableNode globalVar, string accessPath, Node node) {
+  exists(int depth |
+    globalVariableAttrPathAtDepth(globalVar, accessPath, node, depth) and
+    depth >= 0
+  )
+}
+
+/**
+ * Holds if `node` is an attribute access path starting from global variable `globalVar` at specific `depth`.
+ */
+predicate globalVariableAttrPathAtDepth(
+  ModuleVariableNode globalVar, string accessPath, Node node, int depth
+) {
+  // Base case: Direct global variable access (depth 0)
+  depth = 0 and
+  node in [globalVar.getARead(), globalVar.getAWrite(), globalVar] and
+  accessPath = ""
+  or
+  exists(Node obj, string attrName, string parentAccessPath, int parentDepth |
+    node.(AttrRead).accesses(obj, attrName)
+    or
+    exists(AttrWrite aw | aw.accesses(obj, attrName) and aw.getValue() = node)
+  |
+    globalVariableAttrPathAtDepth(globalVar, parentAccessPath, obj, parentDepth) and
+    accessPath = parentAccessPath + "." + attrName and
+    depth = parentDepth + 1 and
+    depth <= getMaxGlobalVariableDepth()
+  )
 }
 
 //--------

@@ -301,12 +301,12 @@ def set_to_source():
 @expects(4) # $ unresolved_call=expects(..) unresolved_call=expects(..)(..)
 def test_global_flow_to_class_attribute():
     inst = WithTuple2()
-    SINK_F(WithTuple2.my_tuple[0])
+    SINK_F(WithTuple2.my_tuple[0])  # $ SPURIOUS: flow="SOURCE, l:-5 -> WithTuple2.my_tuple[0]"
     SINK_F(inst.my_tuple[0])
 
     set_to_source()
 
-    SINK(WithTuple2.my_tuple[0]) # $ MISSING: flow="SOURCE, l:-10 -> WithTuple2.my_tuple[0]"
+    SINK(WithTuple2.my_tuple[0]) # $ flow="SOURCE, l:-10 -> WithTuple2.my_tuple[0]"
     SINK(inst.my_tuple[0]) # $ MISSING: flow="SOURCE, l:-11 -> inst.my_tuple[0]"
 
 

@@ -146,6 +146,7 @@ def fields_with_local_flow(x):
 class NestedObj(object):
     def __init__(self):
         self.obj = MyObj("OK")
+        self.obj.foo = "default"
 
     def getObj(self):
         return self.obj
@@ -163,17 +164,31 @@ def getObj(self):
 a2 = NestedObj()
 a2.getObj().foo = x2
 SINK(a2.obj.foo) # $ flow="SOURCE, l:-3 -> a2.obj.foo"
+
+# Global variable
+app = NestedObj()
+
+def init_global():
+    app.obj.foo = SOURCE
+
+def read_global(): 
+    return app.obj.foo
+
+def test_global_nested_attributes():
+    init_global()
+    result = read_global() 
+    SINK(result) # $ flow="SOURCE, l:-8 -> result"
 
 # ------------------------------------------------------------------------------
 # Global scope interaction
 # ------------------------------------------------------------------------------
 
 def func_defined_before():
-    SINK(global_obj.foo) # $ MISSING: flow="SOURCE, l:+3 -> global_obj.foo"
+    SINK(global_obj.foo) # $ flow="SOURCE, l:+3 -> global_obj.foo"
 
 global_obj = MyObj(NONSOURCE)
 global_obj.foo = SOURCE
 SINK(global_obj.foo) # $ flow="SOURCE, l:-1 -> global_obj.foo"
 
 def func_defined_after():
-    SINK(global_obj.foo) # $ MISSING: flow="SOURCE, l:-4 -> global_obj.foo"
+    SINK(global_obj.foo) # $ flow="SOURCE, l:-4 -> global_obj.foo"