Question: Detecting Misuse of Pytz Timezones in Python with CodeQL

[ShreyTiwari]

Hello everyone,

I'm working on creating a CodeQL query to identify a specific code pattern in Python. My goal is to detect the misuse of Pytz timezones, particularly focusing on how datetime objects are created.

Example of Misuse:

1. temp = pytz.timezone("US/Eastern")
2. dt2 = datetime(1, 1, 1, tzinfo=temp)
3. dt3 = datetime(1, 1, 1)
4. dt3 = dt3.replace(tzinfo=temp)

I want to flag the misuse occurring in lines 2 and 4 where the Pytz timezone object is applied incorrectly.

Query Attempt:

Here's the query I have written so far:

import python
import semmle.python.ApiGraphs
import semmle.python.dataflow.new.DataFlow

class DatetimeCreation extends Call {
  DatetimeCreation() {
    ((Attribute)this.getFunc()).getName() = "datetime" or
    this.getFunc().toString() = "datetime"
  }
}

class ReplaceCall extends Call {
  ReplaceCall() {
    ((Attribute)this.getFunc()).getName() = "replace"
  }
}

from DatetimeCreation c, DataFlow::CallCfgNode pytz_call, Expr tzarg, ReplaceCall rc
where
  pytz_call = API::moduleImport("pytz").getMember("timezone").getACall() and
  (
    (
      c.getANamedArg().contains(tzarg) and 
      DataFlow::localFlow(pytz_call, DataFlow::exprNode(tzarg))
    ) 
    
    // Not working for now :(
    or
    DataFlow::localFlow(pytz_call, DataFlow::exprNode(rc))
  )
select c, "Datetime objects using Pytz timezones must be initialized using the localize method."

Issue:

The current implementation successfully detects the misuse on line 2 but fails to do so on line 4.

Request for Help:

Could someone help me identify what might be going wrong? Any pointers on debugging the CodeQL query or enhancing the current logic to detect the misuse in the replace call would be greatly appreciated.

Thank you!