facebook / pyre-check

Performant type-checking for python.
https://pyre-check.org/
MIT License

Fails to Detect Issues Based on Python Version and Returns Incorrect Signature Requirement #941

Open ossie-git opened 3 days ago

ossie-git commented 3 days ago

Pysa Bug

Pre-submission checklist: [X] I've checked the list of common issues and mine does not appear.

Bug description

I was going through the practice exercise3 and noticed the following.

In the exercise, we have two sinks:

and we have the following in the predefined rce_sinks.pysa:

def eval(__source: TaintSink[RemoteCodeExecution], __globals, __locals): ...
if sys.version >= (3, 11, 0):
    def exec(__source: TaintSink[RemoteCodeExecution], __globals, __locals, *, closure): ...
else:
    def exec(__source: TaintSink[RemoteCodeExecution], __globals, __locals): ...

so they should both be detected, even on Python versions higher than 3.11.

On 3.12, I would see the following in the output, which means that it didn't match def exec and claims that there is a signature mismatch:

ƛ  /tmp/pyre-check/documentation/pysa_tutorial/exercise3/../../../stubs/taint/core_privacy_security/rce_sinks.pysa:4: Model signature parameters for `exec` do not match implementation `def exec(unknown, globals: dict[str, Any] | None = ..., locals: Mapping[str, object] | None = ..., closure: tuple[CellType, ...] | None = ...) -> None: ...`. Reasons:
ƛ unexpected named parameter: `__locals`
ƛ unexpected named parameter: `__globals`
ƛ unexpected named parameter: `__source`

Running:

>>> import inspect
>>> inspect.signature(exec)
<Signature (source, /, globals=None, locals=None, *, closure=None)>

shows that the signature hasn't changed, but for some reason, pyre thinks that it has.

On 3.13, it did this both for exec and eval:

ƛ  /tmp/pyre-check/documentation/pysa_tutorial/exercise3/../../../stubs/taint/core_privacy_security/rce_sinks.pysa:2: Model signature parameters for `eval` do not match implementation `def eval(unknown, globals: dict[str, Any] | None = ..., locals: Mapping[str, object] | None = ...) -> Any: ...`. Reasons:
ƛ unexpected positional only parameter: `__locals` at position: 2, expected position 0
ƛ unexpected positional only parameter: `__globals` at position: 1, expected position 0
ƛ  /tmp/pyre-check/documentation/pysa_tutorial/exercise3/../../../stubs/taint/core_privacy_security/rce_sinks.pysa:4: Model signature parameters for `exec` do not match implementation `def exec(unknown, globals: dict[str, Any] | None = ..., locals: Mapping[str, object] | None = ..., closure: tuple[CellType, ...] | None = ...) -> None: ...`. Reasons:
ƛ unexpected named parameter: `__locals`
ƛ unexpected named parameter: `__globals`
ƛ unexpected named parameter: `__source`

Again, looking at the signature shows that it hasn't changed:

>>> inspect.signature(eval)
<Signature (source, /, globals=None, locals=None)>

but pyre thinks that it has for some reason. Any ideas? Thanks.

Reproduction steps: See above

Expected behavior: See above

Logs: Please run your reproduction steps with --noninteractive (eg. pyre --noninteractive analyze) and paste the output here:

Below is the output for 3.13.0.

2024-11-14 15:49:43,638 [PID 114464] INFO No binary specified, looking for `pyre.bin` in PATH
2024-11-14 15:49:43,638 [PID 114464] INFO Pyre binary is located at `/home/vagrant/.pyenv/versions/3.13.0/bin/pyre.bin`
2024-11-14 15:49:43,638 [PID 114464] INFO Could not determine the number of Pyre workers from configuration. Auto-set the value to 7.
2024-11-14 15:49:43,639 [PID 114464] INFO No typeshed specified, looking for it...
2024-11-14 15:49:43,640 [PID 114464] INFO Found: `/home/vagrant/.pyenv/versions/3.13.0/lib/pyre_check/typeshed`
2024-11-14 15:49:43,642 [PID 114464] INFO Writing arguments into /tmp/pyre_arguments_994b4gkc.json...
2024-11-14 15:49:43,642 [PID 114464] DEBUG Arguments:
{
  "source_paths": {
    "kind": "simple",
    "paths": [
      "/tmp/pyre-check/documentation/pysa_tutorial/exercise3"
    ]
  },
  "search_paths": [
    "/tmp/pyre-check/documentation/pysa_tutorial/exercise3/../../../stubs",
    "/home/vagrant/.pyenv/versions/3.13.0/lib/python3.13/site-packages$pip",
    "/home/vagrant/.pyenv/versions/3.13.0/lib/python3.13/site-packages$yaml-stubs",
    "/home/vagrant/.pyenv/versions/3.13.0/lib/python3.13/site-packages$packaging",
    "/home/vagrant/.pyenv/versions/3.13.0/lib/python3.13/site-packages$mypy_django_plugin",
    "/home/vagrant/.pyenv/versions/3.13.0/lib/python3.13/site-packages$django_stubs_ext",
    "/home/vagrant/.pyenv/versions/3.13.0/lib/python3.13/site-packages$testslide",
    "/home/vagrant/.pyenv/versions/3.13.0/lib/python3.13/site-packages$click",
    "/home/vagrant/.pyenv/versions/3.13.0/lib/python3.13/site-packages$asgiref",
    "/home/vagrant/.pyenv/versions/3.13.0/lib/python3.13/site-packages$libcst",
    "/home/vagrant/.pyenv/versions/3.13.0/lib/python3.13/site-packages$django-stubs",
    "/home/vagrant/.pyenv/versions/3.13.0/lib/python3.13/site-packages$dataclasses_json",
    "/home/vagrant/.pyenv/versions/3.13.0/lib/python3.13/site-packages$marshmallow",
    "/home/vagrant/.pyenv/versions/3.13.0/lib/python3.13/site-packages$typeguard",
    "/home/vagrant/.pyenv/versions/3.13.0/lib/pyre_check/typeshed/stdlib",
    "/home/vagrant/.pyenv/versions/3.13.0/lib/pyre_check/typeshed/stubs/ExifRead",
    "/home/vagrant/.pyenv/versions/3.13.0/lib/pyre_check/typeshed/stubs/PyMySQL",
    "/home/vagrant/.pyenv/versions/3.13.0/lib/pyre_check/typeshed/stubs/PyYAML",
    "/home/vagrant/.pyenv/versions/3.13.0/lib/pyre_check/typeshed/stubs/aiofiles",
    "/home/vagrant/.pyenv/versions/3.13.0/lib/pyre_check/typeshed/stubs/boto",
    "/home/vagrant/.pyenv/versions/3.13.0/lib/pyre_check/typeshed/stubs/chevron",
    "/home/vagrant/.pyenv/versions/3.13.0/lib/pyre_check/typeshed/stubs/colorama",
    "/home/vagrant/.pyenv/versions/3.13.0/lib/pyre_check/typeshed/stubs/ldap3",
    "/home/vagrant/.pyenv/versions/3.13.0/lib/pyre_check/typeshed/stubs/mysqlclient",
    "/home/vagrant/.pyenv/versions/3.13.0/lib/pyre_check/typeshed/stubs/paramiko",
    "/home/vagrant/.pyenv/versions/3.13.0/lib/pyre_check/typeshed/stubs/psycopg2",
    "/home/vagrant/.pyenv/versions/3.13.0/lib/pyre_check/typeshed/stubs/pycurl",
    "/home/vagrant/.pyenv/versions/3.13.0/lib/pyre_check/typeshed/stubs/python-dateutil",
    "/home/vagrant/.pyenv/versions/3.13.0/lib/pyre_check/typeshed/stubs/pytz",
    "/home/vagrant/.pyenv/versions/3.13.0/lib/pyre_check/typeshed/stubs/regex",
    "/home/vagrant/.pyenv/versions/3.13.0/lib/pyre_check/typeshed/stubs/requests",
    "/home/vagrant/.pyenv/versions/3.13.0/lib/pyre_check/typeshed/stubs/retry",
    "/home/vagrant/.pyenv/versions/3.13.0/lib/pyre_check/typeshed/stubs/tqdm",
    "/home/vagrant/.pyenv/versions/3.13.0/lib/pyre_check/typeshed/stubs/ujson"
  ],
  "excludes": [
    ".*/integration_test/.*"
  ],
  "checked_directory_allowlist": [
    "/tmp/pyre-check/documentation/pysa_tutorial/exercise3"
  ],
  "checked_directory_blocklist": [],
  "extensions": [],
  "log_path": "/tmp/pyre-check/documentation/pysa_tutorial/exercise3/.pyre",
  "global_root": "/tmp/pyre-check/documentation/pysa_tutorial/exercise3",
  "debug": false,
  "python_version": {
    "major": 3,
    "minor": 13,
    "micro": 0
  },
  "shared_memory": {},
  "parallel": true,
  "number_of_workers": 7,
  "inline_decorators": false,
  "infer_self_tito": false,
  "infer_argument_tito": false,
  "no_verify": true,
  "verify_dsl": false,
  "verify_taint_config_only": false,
  "strict": false,
  "taint_model_paths": [
    "/tmp/pyre-check/documentation/pysa_tutorial/exercise3/../../../stubs/taint",
    "/tmp/pyre-check/documentation/pysa_tutorial/exercise3"
  ],
  "use_cache": false,
  "build_cache_only": false,
  "check_invariants": false,
  "limit_entrypoints": false,
  "compact_ocaml_heap": false,
  "saved_state": {
    "watchman_root": null,
    "project_name": null,
    "preset": null,
    "cache_critical_files": []
  },
  "compute_coverage": false
}
2024-11-14 15:49:43,663 [PID 114464] INFO  Initializing shared memory (heap_size: 8589934592, dep_table_pow: 1, hash_table_pow: 26)
2024-11-14 15:49:43,663 [PID 114464] INFO  Initializing and verifying taint configuration...
2024-11-14 15:49:43,673 [PID 114464] INFO  Initialized and verified taint configuration: 0.001s
2024-11-14 15:49:43,673 [PID 114464] PERFORMANCE  Initialized and verified taint configuration: 0.001s
2024-11-14 15:49:43,673 [PID 114464] INFO  Verifying model syntax...
2024-11-14 15:49:43,673 [PID 114464] INFO  Finding taint models in `/tmp/pyre-check/documentation/pysa_tutorial/exercise3/../../../stubs/taint, /tmp/pyre-check/documentation/pysa_tutorial/exercise3`.
2024-11-14 15:49:43,673 [PID 114464] INFO  Verified model syntax: 0.004s
2024-11-14 15:49:43,673 [PID 114464] PERFORMANCE  Verified model syntax: 0.004s
2024-11-14 15:49:43,673 [PID 114464] INFO  Parsing taint models modes...
2024-11-14 15:49:43,673 [PID 114464] INFO  Finding taint models in `/tmp/pyre-check/documentation/pysa_tutorial/exercise3/../../../stubs/taint, /tmp/pyre-check/documentation/pysa_tutorial/exercise3`.
2024-11-14 15:49:43,674 [PID 114464] INFO  Parsed taint models modes: 0.002s
2024-11-14 15:49:43,674 [PID 114464] PERFORMANCE  Parsed taint models modes: 0.002s
2024-11-14 15:49:43,674 [PID 114464] INFO  Building module tracker...
2024-11-14 15:49:43,744 [PID 114464] PERFORMANCE  Module tracker built: 0.069s
2024-11-14 15:49:43,745 [PID 114464] PERFORMANCE  Full environment built: 0.070s
2024-11-14 15:49:43,745 [PID 114464] INFO  Starting type checking...
2024-11-14 15:49:43,745 [PID 114464] INFO  Found 3345 modules
2024-11-14 15:49:43,745 [PID 114464] INFO  Collecting all definitions...
2024-11-14 15:49:45,299 [PID 114464] PERFORMANCE  Collected definitions (defines: 64026): 1.555s
2024-11-14 15:49:45,299 [PID 114464] INFO  Found 64026 functions
2024-11-14 15:49:45,299 [PID 114464] INFO  Checking 64026 functions...
2024-11-14 15:49:47,822 [PID 114464] INFO  Processed 4574 of 64026 functions
2024-11-14 15:49:48,270 [PID 114464] INFO  Processed 9148 of 64026 functions
2024-11-14 15:49:48,758 [PID 114464] INFO  Processed 13722 of 64026 functions
2024-11-14 15:49:48,809 [PID 114464] INFO  Processed 18296 of 64026 functions
2024-11-14 15:49:48,840 [PID 114464] INFO  Processed 22870 of 64026 functions
2024-11-14 15:49:49,685 [PID 114464] INFO  Processed 27444 of 64026 functions
2024-11-14 15:49:50,590 [PID 114464] INFO  Processed 32018 of 64026 functions
2024-11-14 15:49:50,773 [PID 114464] INFO  Processed 36592 of 64026 functions
2024-11-14 15:49:51,028 [PID 114464] INFO  Processed 41166 of 64026 functions
2024-11-14 15:49:51,171 [PID 114464] INFO  Processed 45740 of 64026 functions
2024-11-14 15:49:51,252 [PID 114464] INFO  Processed 50314 of 64026 functions
2024-11-14 15:49:51,303 [PID 114464] INFO  Processed 54888 of 64026 functions
2024-11-14 15:49:52,650 [PID 114464] INFO  Processed 59452 of 64026 functions
2024-11-14 15:49:53,378 [PID 114464] INFO  Processed 64026 of 64026 functions
2024-11-14 15:49:53,378 [PID 114464] PERFORMANCE  Check_TypeCheck: 8.074s
2024-11-14 15:49:53,378 [PID 114464] MEMORY  Shared memory size post-typecheck (size: 80)
2024-11-14 15:49:53,379 [PID 114464] INFO  Computing class hierarchy graph...
2024-11-14 15:49:53,806 [PID 114464] INFO  Computed class hierarchy graph: 0.427s
2024-11-14 15:49:53,806 [PID 114464] PERFORMANCE  Computed class hierarchy graph: 0.427s
2024-11-14 15:49:53,806 [PID 114464] INFO  Computing class intervals...
2024-11-14 15:49:53,827 [PID 114464] INFO  Computed class intervals: 0.019s
2024-11-14 15:49:53,827 [PID 114464] PERFORMANCE  Computed class intervals: 0.019s
2024-11-14 15:49:53,877 [PID 114464] INFO  Fetching initial callables to analyze...
2024-11-14 15:49:54,397 [PID 114464] INFO  Fetched initial callables to analyze: 0.520s
2024-11-14 15:49:54,397 [PID 114464] PERFORMANCE  Fetched initial callables to analyze (definitions: 12898, internals: 4, stubs: 36453): 0.520s
2024-11-14 15:49:54,397 [PID 114464] INFO  Parsing taint models...
2024-11-14 15:49:54,569 [PID 114464] INFO  Finding taint models in `/tmp/pyre-check/documentation/pysa_tutorial/exercise3/../../../stubs/taint, /tmp/pyre-check/documentation/pysa_tutorial/exercise3`.
2024-11-14 15:49:55,067 [PID 114464] ERROR  Found 35 model verification errors!
2024-11-14 15:49:55,068 [PID 114464] ERROR  /tmp/pyre-check/documentation/pysa_tutorial/exercise3/../../../stubs/taint/core_privacy_security/rce_sinks.pysa:2: Model signature parameters for `eval` do not match implementation `def eval(unknown, globals: dict[str, Any] | None = ..., locals: Mapping[str, object] | None = ...) -> Any: ...`. Reasons:
2024-11-14 15:49:55,068 [PID 114464] ERROR unexpected positional only parameter: `__locals` at position: 2, expected position 0
2024-11-14 15:49:55,068 [PID 114464] ERROR unexpected positional only parameter: `__globals` at position: 1, expected position 0
2024-11-14 15:49:55,068 [PID 114464] ERROR  /tmp/pyre-check/documentation/pysa_tutorial/exercise3/../../../stubs/taint/core_privacy_security/rce_sinks.pysa:4: Model signature parameters for `exec` do not match implementation `def exec(unknown, globals: dict[str, Any] | None = ..., locals: Mapping[str, object] | None = ..., closure: tuple[CellType, ...] | None = ...) -> None: ...`. Reasons:
2024-11-14 15:49:55,068 [PID 114464] ERROR unexpected named parameter: `__locals`
2024-11-14 15:49:55,068 [PID 114464] ERROR unexpected named parameter: `__globals`
2024-11-14 15:49:55,068 [PID 114464] ERROR unexpected named parameter: `__source`
2024-11-14 15:49:55,068 [PID 114464] ERROR  /tmp/pyre-check/documentation/pysa_tutorial/exercise3/../../../stubs/taint/core_privacy_security/requests_api_sinks.pysa:312: Model signature parameters for `urllib.request.urlopen` do not match implementation `def urlopen(url: str | Request, data: unknown = ..., timeout: float | None = ..., context: SSLContext | None = ...) -> Any: ...`. Reasons:
2024-11-14 15:49:55,068 [PID 114464] ERROR unexpected named parameter: `cadefault`
2024-11-14 15:49:55,068 [PID 114464] ERROR unexpected named parameter: `capath`
2024-11-14 15:49:55,068 [PID 114464] ERROR unexpected named parameter: `cafile`
2024-11-14 15:49:55,068 [PID 114464] ERROR  /tmp/pyre-check/documentation/pysa_tutorial/exercise3/../../../stubs/taint/core_privacy_security/sqlite3_sinks.pysa:6: The modelled function `sqlite3.Connection.executescript` is an imported function, please model `sqlite3.dbapi2.Connection.executescript` directly.
2024-11-14 15:49:55,068 [PID 114464] ERROR  /tmp/pyre-check/documentation/pysa_tutorial/exercise3/../../../stubs/taint/core_privacy_security/sqlite3_sinks.pysa:5: The modelled function `sqlite3.Connection.executemany` is an imported function, please model `sqlite3.dbapi2.Connection.executemany` directly.
2024-11-14 15:49:55,068 [PID 114464] ERROR  /tmp/pyre-check/documentation/pysa_tutorial/exercise3/../../../stubs/taint/core_privacy_security/sqlite3_sinks.pysa:4: The modelled function `sqlite3.Connection.execute` is an imported function, please model `sqlite3.dbapi2.Connection.execute` directly.
2024-11-14 15:49:55,068 [PID 114464] ERROR  /tmp/pyre-check/documentation/pysa_tutorial/exercise3/../../../stubs/taint/core_privacy_security/sqlite3_sinks.pysa:3: The modelled function `sqlite3.Cursor.executescript` is an imported function, please model `sqlite3.dbapi2.Cursor.executescript` directly.
2024-11-14 15:49:55,068 [PID 114464] ERROR  /tmp/pyre-check/documentation/pysa_tutorial/exercise3/../../../stubs/taint/core_privacy_security/sqlite3_sinks.pysa:2: The modelled function `sqlite3.Cursor.executemany` is an imported function, please model `sqlite3.dbapi2.Cursor.executemany` directly.
2024-11-14 15:49:55,068 [PID 114464] ERROR  /tmp/pyre-check/documentation/pysa_tutorial/exercise3/../../../stubs/taint/core_privacy_security/sqlite3_sinks.pysa:1: The modelled function `sqlite3.Cursor.execute` is an imported function, please model `sqlite3.dbapi2.Cursor.execute` directly.
2024-11-14 15:49:55,068 [PID 114464] ERROR  /tmp/pyre-check/documentation/pysa_tutorial/exercise3/../../../stubs/taint/core_privacy_security/general.pysa:24: `_io.BytesIO.__init__` is not part of the environment, no module `_io` in search path.
2024-11-14 15:49:55,068 [PID 114464] ERROR  /tmp/pyre-check/documentation/pysa_tutorial/exercise3/../../../stubs/taint/core_privacy_security/filesystem_other_sinks.pysa:33: Model signature parameters for `shutil._RmtreeType.__call__` do not match implementation `(self: _RmtreeType, path: PathLike[bytes] | PathLike[str] | bytes | str, ignore_errors: bool, onerror: ((...) -> Any, str, tuple[type[BaseException], BaseException, TracebackType]) -> object, onexc: None = ..., dir_fd: int | None = ...) -> None`. Reason: invalid position 2 for named parameter `onerror` (valid options are {formal(onerror, position=3), formal(onerror)}).
2024-11-14 15:49:55,069 [PID 114464] ERROR  /tmp/pyre-check/documentation/pysa_tutorial/exercise3/../../../stubs/taint/core_privacy_security/django_sources_sinks.pysa:137: The modelled function `django.db.models.manager.Manager.get` is an imported function, please model `django.db.models.manager.BaseManager.get` directly.
2024-11-14 15:49:55,069 [PID 114464] ERROR  /tmp/pyre-check/documentation/pysa_tutorial/exercise3/../../../stubs/taint/core_privacy_security/django_sources_sinks.pysa:134: The function, method or property `django.contrib.sessions.backends.base.SessionBase._session_key` is not a valid attribute - did you mean to use `def django.contrib.sessions.backends.base.SessionBase._session_key(): ...`?
2024-11-14 15:49:55,069 [PID 114464] ERROR  /tmp/pyre-check/documentation/pysa_tutorial/exercise3/../../../stubs/taint/core_privacy_security/django_sources_sinks.pysa:133: The function, method or property `django.contrib.sessions.backends.base.SessionBase.session_key` is not a valid attribute - did you mean to use `def django.contrib.sessions.backends.base.SessionBase.session_key(): ...`?
2024-11-14 15:49:55,069 [PID 114464] ERROR  /tmp/pyre-check/documentation/pysa_tutorial/exercise3/../../../stubs/taint/core_privacy_security/django_sources_sinks.pysa:122: Module `django` does not define `django.http.response.HttpResponse.content`.
2024-11-14 15:49:55,069 [PID 114464] ERROR  /tmp/pyre-check/documentation/pysa_tutorial/exercise3/../../../stubs/taint/core_privacy_security/django_sources_sinks.pysa:95: The modelled function `django.db.models.manager.Manager.raw` is an imported function, please model `django.db.models.manager.BaseManager.raw` directly.
2024-11-14 15:49:55,069 [PID 114464] ERROR  /tmp/pyre-check/documentation/pysa_tutorial/exercise3/../../../stubs/taint/core_privacy_security/django_sources_sinks.pysa:79: The modelled function `django.http.response.HttpResponseRedirect.__init__` is an imported function, please model `django.http.response.HttpResponseRedirectBase.__init__` directly.
2024-11-14 15:49:55,069 [PID 114464] ERROR  /tmp/pyre-check/documentation/pysa_tutorial/exercise3/../../../stubs/taint/core_privacy_security/django_sources_sinks.pysa:73: Module `django` does not define `django.http.response.HttpResponse.content`.
2024-11-14 15:49:55,069 [PID 114464] ERROR  /tmp/pyre-check/documentation/pysa_tutorial/exercise3/../../../stubs/taint/core_privacy_security/django_sources_sinks.pysa:63: Class `django.http.response.HttpResponseBase` has no attribute `_headers`.
2024-11-14 15:49:55,069 [PID 114464] ERROR  /tmp/pyre-check/documentation/pysa_tutorial/exercise3/../../../stubs/taint/core_privacy_security/django_sources_sinks.pysa:62: Class `django.http.response.HttpResponseBase` has no attribute `_headers`.
2024-11-14 15:49:55,069 [PID 114464] ERROR  /tmp/pyre-check/documentation/pysa_tutorial/exercise3/../../../stubs/taint/core_privacy_security/django_sources_sinks.pysa:59: Model signature parameters for `django.http.response.HttpResponseBase.setdefault` do not match implementation `(self: HttpResponseBase, key: str, value: str) -> None`. Reason: unexpected named parameter: `header`.
2024-11-14 15:49:55,069 [PID 114464] ERROR  /tmp/pyre-check/documentation/pysa_tutorial/exercise3/../../../stubs/taint/core_privacy_security/django_sources_sinks.pysa:25: Module `django` does not define `django.http.request.build_request_repr`.
2024-11-14 15:49:55,069 [PID 114464] ERROR  /tmp/pyre-check/documentation/pysa_tutorial/exercise3/../../../stubs/taint/core_privacy_security/django_sources_sinks.pysa:23: The modelled function `django.http.request.HttpRequest.__repr__` is an imported function, please model `object.__repr__` directly.
2024-11-14 15:49:55,069 [PID 114464] ERROR  /tmp/pyre-check/documentation/pysa_tutorial/exercise3/../../../stubs/taint/core_privacy_security/django_sources_sinks.pysa:12: The function, method or property `django.http.request.HttpRequest.body` is not a valid attribute - did you mean to use `def django.http.request.HttpRequest.body(): ...`?
2024-11-14 15:49:55,069 [PID 114464] ERROR  /tmp/pyre-check/documentation/pysa_tutorial/exercise3/../../../stubs/taint/core_privacy_security/django_sources_sinks.pysa:11: Class `django.http.request.HttpRequest` has no attribute `REQUEST`.
2024-11-14 15:49:55,069 [PID 114464] ERROR  /tmp/pyre-check/documentation/pysa_tutorial/exercise3/../../../stubs/taint/core_privacy_security/django_sources_sinks.pysa:6: Class `django.http.request.HttpRequest` has no attribute `user_agent`.
2024-11-14 15:49:55,069 [PID 114464] ERROR  /tmp/pyre-check/documentation/pysa_tutorial/exercise3/../../../stubs/taint/core_privacy_security/django_sources_sinks.pysa:5: Class `django.http.request.HttpRequest` has no attribute `user_agent_string`.
2024-11-14 15:49:55,069 [PID 114464] ERROR  /tmp/pyre-check/documentation/pysa_tutorial/exercise3/../../../stubs/taint/core_privacy_security/django_rest_framework.pysa:15: `rest_framework.request.Request.stream` is not part of the environment, no module `rest_framework` in search path.
2024-11-14 15:49:55,069 [PID 114464] ERROR  /tmp/pyre-check/documentation/pysa_tutorial/exercise3/../../../stubs/taint/core_privacy_security/django_rest_framework.pysa:13: `rest_framework.request.Request.content_type` is not part of the environment, no module `rest_framework` in search path.
2024-11-14 15:49:55,069 [PID 114464] ERROR  /tmp/pyre-check/documentation/pysa_tutorial/exercise3/../../../stubs/taint/core_privacy_security/django_rest_framework.pysa:11: `rest_framework.request.Request.query_params` is not part of the environment, no module `rest_framework` in search path.
2024-11-14 15:49:55,069 [PID 114464] ERROR  /tmp/pyre-check/documentation/pysa_tutorial/exercise3/../../../stubs/taint/core_privacy_security/django_rest_framework.pysa:9: `rest_framework.request.Request.data` is not part of the environment, no module `rest_framework` in search path.
2024-11-14 15:49:55,069 [PID 114464] ERROR  /tmp/pyre-check/documentation/pysa_tutorial/exercise3/../../../stubs/taint/core_privacy_security/django_rest_framework.pysa:7: `rest_framework.request.Request.QUERY_PARAMS` is not part of the environment, no module `rest_framework` in search path.
2024-11-14 15:49:55,069 [PID 114464] ERROR  /tmp/pyre-check/documentation/pysa_tutorial/exercise3/../../../stubs/taint/core_privacy_security/django_rest_framework.pysa:5: `rest_framework.request.Request.DATA` is not part of the environment, no module `rest_framework` in search path.
2024-11-14 15:49:55,069 [PID 114464] ERROR  /tmp/pyre-check/documentation/pysa_tutorial/exercise3/../../../stubs/taint/core_privacy_security/django_rest_framework.pysa:3: `rest_framework.request.Request.FILES` is not part of the environment, no module `rest_framework` in search path.
2024-11-14 15:49:55,069 [PID 114464] ERROR  /tmp/pyre-check/documentation/pysa_tutorial/exercise3/../../../stubs/taint/core_privacy_security/django_rest_framework.pysa:1: `rest_framework.request.Request.POST` is not part of the environment, no module `rest_framework` in search path.
2024-11-14 15:49:55,069 [PID 114464] INFO  Parsed taint models: 0.669s
2024-11-14 15:49:55,069 [PID 114464] PERFORMANCE  Parsed taint models (models: 843, queries: 0): 0.669s
2024-11-14 15:49:55,069 [PID 114464] INFO  Computing inferred models...
2024-11-14 15:49:55,505 [PID 114464] INFO  Computed inferred models: 0.433s
2024-11-14 15:49:55,506 [PID 114464] PERFORMANCE  Computed inferred models (models: 713): 0.434s
2024-11-14 15:49:55,658 [PID 114464] INFO  Computing overrides...
2024-11-14 15:49:56,187 [PID 114464] WARNING  `lib2to3.fixer_base.BaseFix.transform` has 56 overrides, this might slow down the analysis considerably.
2024-11-14 15:49:56,187 [PID 114464] WARNING  `libcst._nodes.base.CSTNode._codegen_impl` has 102 overrides, this might slow down the analysis considerably.
2024-11-14 15:49:56,187 [PID 114464] WARNING  `libcst._nodes.base.CSTNode._visit_and_replace_children` has 119 overrides, this might slow down the analysis considerably.
2024-11-14 15:49:56,187 [PID 114464] WARNING  `typing.GenericMeta.__getitem__` has 56 overrides, this might slow down the analysis considerably.
2024-11-14 15:49:56,198 [PID 114464] INFO  Overrides computed: 0.542s
2024-11-14 15:49:56,198 [PID 114464] PERFORMANCE  Overrides computed: 0.542s
2024-11-14 15:49:56,198 [PID 114464] INFO  Indexing global constants...
2024-11-14 15:49:56,534 [PID 114464] INFO  Finished constant propagation analysis: 0.335s
2024-11-14 15:49:56,534 [PID 114464] PERFORMANCE  Finished constant propagation analysis: 0.336s
2024-11-14 15:49:56,534 [PID 114464] INFO  Building call graph...
2024-11-14 15:50:04,791 [PID 114464] INFO  Call graph built: 8.254s
2024-11-14 15:50:04,792 [PID 114464] PERFORMANCE  Call graph built: 8.254s
2024-11-14 15:50:04,792 [PID 114464] INFO  Computing dependencies...
2024-11-14 15:50:04,873 [PID 114464] INFO  Computed dependencies: 0.076s
2024-11-14 15:50:04,873 [PID 114464] PERFORMANCE  Computed dependencies: 0.076s
2024-11-14 15:50:04,873 [PID 114464] INFO  Purging shared memory...
2024-11-14 15:50:04,873 [PID 114464] PERFORMANCE  Purged shared memory: 0.007s
2024-11-14 15:50:04,874 [PID 114464] INFO  Purging shared memory...
2024-11-14 15:50:04,894 [PID 114464] PERFORMANCE  Purged shared memory: 0.012s
2024-11-14 15:50:04,894 [PID 114464] INFO  Analysis fixpoint started for 8346 overrides and 9 functions......
2024-11-14 15:50:05,350 [PID 114464] PERFORMANCE  Recorded initial models: 0.456s
2024-11-14 15:50:05,351 [PID 114464] INFO  Iteration #0. 4 callables [views.$toplevel, views.get_operator_safe, views.operate_on_threes, views.operate_on_twos]
2024-11-14 15:50:05,351 [PID 114464] INFO  Processed 4 of 4 callables
2024-11-14 15:50:05,351 [PID 114464] INFO  Iteration #0, 4 callables, heap size 0.100GB took 0.00s
2024-11-14 15:50:05,351 [PID 114464] INFO  Iteration #1. 2 callables [views.get_operator_safe, views.operate_on_twos]
2024-11-14 15:50:05,351 [PID 114464] INFO  Processed 2 of 2 callables
2024-11-14 15:50:05,351 [PID 114464] INFO  Iteration #1, 2 callables, heap size 0.100GB took 0.00s
2024-11-14 15:50:05,381 [PID 114464] INFO  Found 0 issues
2024-11-14 15:50:05,382 [PID 114464] INFO  Analysis fixpoint complete: 0.487s
2024-11-14 15:50:05,382 [PID 114464] PERFORMANCE  Analysis fixpoint complete (iterations: 2, heap size: 99731264, issues: 0): 0.487s
2024-11-14 15:50:05,382 [PID 114464] PERFORMANCE  Analyze: 21.710s
[]

Additional context: Add any other context about the problem here. (like dependencies in your venv, third party stub files being used, overall goals, etc.)

arthaud commented 5 hours ago

Hi @ossie-git, thanks for reaching out.

I was able to reproduce the problem, using the uv tool, which is quite convenient:

$ uvx --python 3.10 --with fb-sapp --with django-stubs --from pyre-check pyre -n analyze --no-verify
# 2 issues
$ uvx --python 3.12 --with fb-sapp --with django-stubs --from pyre-check pyre -n analyze --no-verify
# 1 issue
$ uvx --python 3.13 --with fb-sapp --with django-stubs --from pyre-check pyre -n analyze --no-verify

The problem is indeed in our taint stubs. I have a fix internally, we should be able to merge that in master pretty quickly. Once that is merged and the issue is closed, you should be able to use the pyre-check-nightly package instead of pyre-check, until we push a new release.

ossie-git commented 4 hours ago

Thanks @arthaud. Given that this might have resulted in CI/CD pipelines and normal users running pysa missing findings, would it be possible to have these types of errors (signature mismatches) result in pysa failing with a non-zero exit code instead of continuing? A possible option would be to add a command line switch which would allow users to override this. Just a suggestion. Thanks.

arthaud commented 4 hours ago

You should get an error if you are running without --no-verify. The problem is that you would also get unrelated errors, related to missing stubs. We would definitely want to improve this, but have higher priority work, unfortunately.
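A CI gate for the failure mode discussed in this thread, added here as an example and not pyre-check's own code: it parses the `pyre -n analyze` log for model verification errors, exits non-zero only when a model for a watchlisted sink such as `exec` or `eval` was rejected for a signature mismatch, and reports "not part of the environment" errors separately so unrelated missing stubs do not block the pipeline. The sample log is constructed from abridged lines quoted above; the watchlist, the report format and the `parse_model_verification`/`gate` names are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: abridged copies of the `pyre -n analyze` lines quoted in
# this issue (paths and implementation signatures shortened for readability).
SAMPLE_LOG = """\
2024-11-14 15:49:55,067 [PID 114464] ERROR  Found 35 model verification errors!
2024-11-14 15:49:55,068 [PID 114464] ERROR  /stubs/taint/core_privacy_security/rce_sinks.pysa:2: Model signature parameters for `eval` do not match implementation `def eval(unknown, globals: dict[str, Any] | None = ..., locals: Mapping[str, object] | None = ...) -> Any: ...`. Reasons:
2024-11-14 15:49:55,068 [PID 114464] ERROR unexpected positional only parameter: `__locals` at position: 2, expected position 0
2024-11-14 15:49:55,068 [PID 114464] ERROR unexpected positional only parameter: `__globals` at position: 1, expected position 0
2024-11-14 15:49:55,068 [PID 114464] ERROR  /stubs/taint/core_privacy_security/rce_sinks.pysa:4: Model signature parameters for `exec` do not match implementation `def exec(unknown, globals: ..., locals: ..., closure: ...) -> None: ...`. Reasons:
2024-11-14 15:49:55,068 [PID 114464] ERROR unexpected named parameter: `__locals`
2024-11-14 15:49:55,068 [PID 114464] ERROR unexpected named parameter: `__globals`
2024-11-14 15:49:55,068 [PID 114464] ERROR unexpected named parameter: `__source`
2024-11-14 15:49:55,068 [PID 114464] ERROR  /stubs/taint/core_privacy_security/requests_api_sinks.pysa:312: Model signature parameters for `urllib.request.urlopen` do not match implementation `def urlopen(url: str | Request, data: unknown = ..., timeout: float | None = ..., context: SSLContext | None = ...) -> Any: ...`. Reasons:
2024-11-14 15:49:55,068 [PID 114464] ERROR unexpected named parameter: `cadefault`
2024-11-14 15:49:55,068 [PID 114464] ERROR  /stubs/taint/core_privacy_security/filesystem_other_sinks.pysa:33: Model signature parameters for `shutil._RmtreeType.__call__` do not match implementation `(self: _RmtreeType, path: ..., onexc: None = ..., dir_fd: int | None = ...) -> None`. Reason: invalid position 2 for named parameter `onerror` (valid options are {formal(onerror, position=3), formal(onerror)}).
2024-11-14 15:49:55,069 [PID 114464] ERROR  /stubs/taint/core_privacy_security/django_rest_framework.pysa:1: `rest_framework.request.Request.POST` is not part of the environment, no module `rest_framework` in search path.
2024-11-14 15:50:05,381 [PID 114464] INFO  Found 0 issues
"""

# Header of a signature-mismatch error: the rejected model is silently dropped by Pysa.
MISMATCH_RE = re.compile(
    r"ERROR\s+(?P<path>\S+\.pysa):(?P<line>\d+): Model signature parameters for "
    r"`(?P<callable>[^`]+)` do not match implementation"
)
# Single-line variant that carries its reason inline ("... Reason: ...").
INLINE_REASON_RE = re.compile(r"\. Reason: (?P<reason>.*)$")
# Continuation lines listing the reasons (single space after ERROR, no path).
REASON_RE = re.compile(r"\] ERROR (?P<reason>\S.*)$")
# Models for modules that are simply absent from the search path (unrelated noise here).
MISSING_RE = re.compile(r"is not part of the environment, no module `(?P<module>[^`]+)` in search path")


@dataclass
class ModelMismatch:
    path: str
    line: int
    callable: str
    reasons: list[str] = field(default_factory=list)


def parse_model_verification(log: str) -> tuple[list[ModelMismatch], list[str]]:
    """Return (signature mismatches with their reasons, sorted missing module names)."""
    mismatches: list[ModelMismatch] = []
    missing: set[str] = set()
    current: ModelMismatch | None = None  # mismatch whose reason lines follow
    for raw in log.splitlines():
        m = MISMATCH_RE.search(raw)
        if m:
            current = ModelMismatch(m["path"], int(m["line"]), m["callable"])
            inline = INLINE_REASON_RE.search(raw)
            if inline:
                current.reasons.append(inline["reason"])
            mismatches.append(current)
            continue
        m = MISSING_RE.search(raw)
        if m:
            missing.add(m["module"])
            current = None
            continue
        m = REASON_RE.search(raw)
        if m and current is not None:
            current.reasons.append(m["reason"])
            continue
        current = None  # any other line ends the current reason block
    return mismatches, sorted(missing)


# Assumption: sinks whose models must never be dropped without failing the build.
DEFAULT_WATCHLIST = frozenset({"eval", "exec"})


def gate(log: str, watchlist: frozenset[str] = DEFAULT_WATCHLIST) -> tuple[int, list[str]]:
    """Return (exit code, report lines); exit 1 only if a watchlisted model was rejected."""
    mismatches, missing = parse_model_verification(log)
    report: list[str] = []
    blocking = 0
    for mm in mismatches:
        level = "BLOCK" if mm.callable in watchlist else "WARN"
        blocking += level == "BLOCK"
        report.append(f"{level} {mm.path}:{mm.line} model for `{mm.callable}` rejected: "
                      + "; ".join(mm.reasons))
    if missing:
        report.append("INFO models skipped for modules absent from the search path: " + ", ".join(missing))
    return (1 if blocking else 0), report


if __name__ == "__main__":
    import sys
    exit_code, lines = gate(sys.stdin.read())
    print("\n".join(lines))
    sys.exit(exit_code)
```

Pipe the combined stdout and stderr of `pyre -n analyze` into the script so the `ERROR` lines reach it; with the sample above it exits 1 because the `eval` and `exec` models were rejected even though the run itself ended with "Found 0 issues".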