Merge pull request #3005 from RasmusWL/python-modernise-string-taint

tausbn · web-flow · commit 099997088a93 · 2020-03-12T15:01:18.000+01:00
Python: Modernise StringKind files
diff --git a/python/ql/src/semmle/python/security/strings/Basic.qll b/python/ql/src/semmle/python/security/strings/Basic.qll
@@ -71,11 +71,7 @@ private predicate str_method_call(ControlFlowNode fromnode, CallNode tonode) {
 /* tonode = ....format(fromnode) */
 private predicate str_format(ControlFlowNode fromnode, CallNode tonode) {
     tonode.getFunction().(AttrNode).getName() = "format" and
-    (
-        tonode.getAnArg() = fromnode
-        or
-        tonode.getNode().getAKeyword().getValue() = fromnode.getNode()
-    )
+    tonode.getAnArg() = fromnode
 }
 
 /* tonode = codec.[en|de]code(fromnode)*/
@@ -93,9 +89,10 @@ private predicate encode_decode(ControlFlowNode fromnode, CallNode tonode) {
 /* tonode = str(fromnode)*/
 private predicate to_str(ControlFlowNode fromnode, CallNode tonode) {
     tonode.getAnArg() = fromnode and
-    exists(ClassObject str |
-        tonode.getFunction().refersTo(str) |
-        str = theUnicodeType() or str = theBytesType()
+    (
+        tonode = ClassValue::bytes().getACall()
+        or
+        tonode = ClassValue::unicode().getACall()
     )
 }
 
@@ -110,11 +107,8 @@ private predicate slice(ControlFlowNode fromnode, SubscriptNode tonode) {
 
 /* tonode = os.path.join(..., fromnode, ...) */
 private predicate os_path_join(ControlFlowNode fromnode, CallNode tonode) {
-    exists(FunctionObject path_join |
-        path_join = ModuleObject::named("os").attr("path").(ModuleObject).attr("join")
-        and
-        tonode = path_join.getACall() and tonode.getAnArg() = fromnode 
-    )
+    tonode = Value::named("os.path.join").getACall()
+    and tonode.getAnArg() = fromnode
 }
 
 /** A kind of "taint", representing a dictionary mapping str->"taint" */
@@ -125,5 +119,3 @@ class StringDictKind extends DictKind {
     }
 
 }
-
-
diff --git a/python/ql/src/semmle/python/security/strings/Common.qll b/python/ql/src/semmle/python/security/strings/Common.qll
@@ -5,12 +5,12 @@ import python
 predicate copy_call(ControlFlowNode fromnode, CallNode tonode) {
     tonode.getFunction().(AttrNode).getObject("copy") = fromnode
     or
-    exists(ModuleObject copy, string name |
+    exists(ModuleValue copy, string name |
         name = "copy" or name = "deepcopy" |
-        copy.attr(name).(FunctionObject).getACall() = tonode and
+        copy.attr(name).(FunctionValue).getACall() = tonode and
         tonode.getArg(0) = fromnode
     )
     or
-    tonode.getFunction().refersTo(Object::builtin("reversed")) and
+    tonode.getFunction().pointsTo(Value::named("reversed")) and
     tonode.getArg(0) = fromnode
 }
diff --git a/python/ql/src/semmle/python/security/strings/External.qll b/python/ql/src/semmle/python/security/strings/External.qll
@@ -139,11 +139,8 @@ private predicate json_subscript_taint(
 }
 
 private predicate json_load(ControlFlowNode fromnode, CallNode tonode) {
-    exists(FunctionObject json_loads |
-        ModuleObject::named("json").attr("loads") = json_loads and
-        json_loads.getACall() = tonode and
-        tonode.getArg(0) = fromnode
-    )
+    tonode = Value::named("json.loads").getACall() and
+    tonode.getArg(0) = fromnode
 }
 
 private predicate urlsplit(ControlFlowNode fromnode, CallNode tonode) {

Original file line number	Diff line number	Diff line change
`@@ -139,11 +139,8 @@ private predicate json_subscript_taint(`
`139`	`139`	`}`
`140`	`140`
`141`	`141`	`private predicate json_load(ControlFlowNode fromnode, CallNode tonode) {`
`142`		`- exists(FunctionObject json_loads \|`
`143`		`- ModuleObject::named("json").attr("loads") = json_loads and`
`144`		`- json_loads.getACall() = tonode and`
`145`		`- tonode.getArg(0) = fromnode`
`146`		`- )`
	`142`	`+ tonode = Value::named("json.loads").getACall() and`
	`143`	`+ tonode.getArg(0) = fromnode`
`147`	`144`	`}`
`148`	`145`
`149`	`146`	`private predicate urlsplit(ControlFlowNode fromnode, CallNode tonode) {`