Python: Model `os.stat` (and friends)

python/change-notes/2021-11-16-os-stat.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Added modeling of `os.stat`, `os.lstat`, `os.statvfs`, `os.fstat`, and `os.fstatvfs`, which are new sinks for the _Uncontrolled data used in path expression_ (`py/path-injection`) query.

python/ql/lib/semmle/python/frameworks/Stdlib.qll

@@ -273,6 +273,29 @@ private module StdlibPrivate {
     }
   }
 
+  /**
+   * The `os` module has multiple methods for getting the status of a file, like
+   * a stat() system call.
+   *
+   * Note: `os.fstat` and `os.fstatvfs` operate on file-descriptors.
+   *
+   * See:
+   * - https://docs.python.org/3.10/library/os.html#os.stat
+   * - https://docs.python.org/3.10/library/os.html#os.lstat
+   * - https://docs.python.org/3.10/library/os.html#os.statvfs
+   * - https://docs.python.org/3.10/library/os.html#os.fstat
+   * - https://docs.python.org/3.10/library/os.html#os.fstatvfs
+   */
+  private class OsProbingCall extends FileSystemAccess::Range, DataFlow::CallCfgNode {
+    OsProbingCall() {
+      this = os().getMember(["stat", "lstat", "statvfs", "fstat", "fstatvfs"]).getACall()
+    }
+
+    override DataFlow::Node getAPathArgument() {
+      result in [this.getArg(0), this.getArgByName("path")]
+    }
+  }
+
   /**
    * The `os.path` module offers a number of methods for checking if a file exists and/or has certain
    * properties, leading to a file system access.

python/ql/test/library-tests/frameworks/stdlib/FileSystemAccess.py

@@ -42,3 +42,8 @@ import genericpath
 posixpath.exists("filepath") # $ getAPathArgument="filepath"
 ntpath.exists("filepath") # $ getAPathArgument="filepath"
 genericpath.exists("filepath") # $ getAPathArgument="filepath"
+
+import os
+
+os.stat("filepath") # $ getAPathArgument="filepath"
+os.stat(path="filepath") # $ getAPathArgument="filepath"