[dataflowengineoss] take into account frontends that use the -1 ind…

…ex for named arguments (#5000)

dataflowengineoss/src/main/scala/io/joern/dataflowengineoss/passes/reachingdef/EdgeValidator.scala

@@ -58,8 +58,10 @@ object EdgeValidator {
     flowSemantic.mappings.exists(explicitlyFlowsToReturnValue)
 
   private def explicitlyFlowsToReturnValue(flowPath: FlowPath): Boolean = flowPath match {
-    case FlowMapping(_, ParameterNode(dst, _)) => dst == -1
-    case PassThroughMapping                    => true
-    case _                                     => false
+    // Some frontends (e.g. python) denote named arguments using `-1` as the argument index. As such
+    // `-1` denotes the return value only if there's no argument name.
+    case FlowMapping(_, ParameterNode(-1, None)) => true
+    case PassThroughMapping                      => true
+    case _                                       => false
   }
 }

joern-cli/frontends/pysrc2cpg/src/test/scala/io/joern/pysrc2cpg/dataflow/DataFlowTests.scala

@@ -227,6 +227,19 @@ class DataFlowTests extends PySrc2CpgFixture(withOssDataflow = true) {
     flows shouldBe empty
   }
 
+  "don't taint the return value when specifying a named argument" in {
+    val cpg = code("""
+        |import foo
+        |foo.bar(foo.baz(A=1))
+        |""".stripMargin)
+      // The taint spec for `baz` here says that its argument "A" only taints itself. This is to make sure
+      // its return value is not tainted even when we are using `-1` in the spec.
+      .withSemantics(DefaultSemantics().plus(List(FlowSemantic(".*baz", List(FlowMapping(-1, "A", -1, "A")), true))))
+    val one = cpg.literal("1")
+    val bar = cpg.call("bar").argument
+    bar.reachableByFlows(one).map(flowToResultPairs) shouldBe empty
+  }
+
   "chained call" in {
     val cpg: Cpg = code("""
       |a = 42