Python: Don't make duplicate sink for Tornado handler

RasmusWL · RasmusWL · commit 2cdbae08b638 · 2020-01-28T13:06:48.000+01:00
`self.write(...)` would be treated as *both* TornadoConnectionWrite and
TornadoHttpRequestHandlerWrite
diff --git a/python/ql/src/semmle/python/web/tornado/Response.qll b/python/ql/src/semmle/python/web/tornado/Response.qll
@@ -24,11 +24,8 @@ class TornadoConnectionWrite extends HttpResponseTaintSink {
     TornadoConnectionWrite() {
         exists(CallNode call, ControlFlowNode conn |
             conn = call.getFunction().(AttrNode).getObject("write") and
-            this = call.getAnArg()
-        |
+            this = call.getAnArg() and
             exists(TornadoConnection tc | tc.taints(conn))
-            or
-            isTornadoRequestHandlerInstance(conn)
         )
     }
 
@@ -41,8 +38,8 @@ class TornadoHttpRequestHandlerWrite extends HttpResponseTaintSink {
     TornadoHttpRequestHandlerWrite() {
         exists(CallNode call, ControlFlowNode node |
             node = call.getFunction().(AttrNode).getObject("write") and
-            isTornadoRequestHandlerInstance(node) and
-            this = call.getAnArg()
+            this = call.getAnArg() and
+            isTornadoRequestHandlerInstance(node)
         )
     }
 
diff --git a/python/ql/test/library-tests/web/tornado/HttpSinks.expected b/python/ql/test/library-tests/web/tornado/HttpSinks.expected
@@ -1,8 +1,4 @@
 | test.py:6:20:6:43 | tornado.HttpRequesHandler.write | externally controlled string |
-| test.py:6:20:6:43 | tornado.connection.write | externally controlled string |
 | test.py:12:20:12:23 | tornado.HttpRequesHandler.write | externally controlled string |
-| test.py:12:20:12:23 | tornado.connection.write | externally controlled string |
 | test.py:20:23:20:25 | tornado.HttpRequesHandler.redirect | externally controlled string |
 | test.py:26:20:26:48 | tornado.HttpRequesHandler.write | externally controlled string |
-| test.py:26:20:26:48 | tornado.connection.write | externally controlled string |
-FIXME

Original file line number	Diff line number	Diff line change
`@@ -24,11 +24,8 @@ class TornadoConnectionWrite extends HttpResponseTaintSink {`
`24`	`24`	`TornadoConnectionWrite() {`
`25`	`25`	`exists(CallNode call, ControlFlowNode conn \|`
`26`	`26`	`conn = call.getFunction().(AttrNode).getObject("write") and`
`27`		`- this = call.getAnArg()`
`28`		`- \|`
	`27`	`+ this = call.getAnArg() and`
`29`	`28`	`exists(TornadoConnection tc \| tc.taints(conn))`
`30`		`- or`
`31`		`- isTornadoRequestHandlerInstance(conn)`
`32`	`29`	`)`
`33`	`30`	`}`
`34`	`31`
`@@ -41,8 +38,8 @@ class TornadoHttpRequestHandlerWrite extends HttpResponseTaintSink {`
`41`	`38`	`TornadoHttpRequestHandlerWrite() {`
`42`	`39`	`exists(CallNode call, ControlFlowNode node \|`
`43`	`40`	`node = call.getFunction().(AttrNode).getObject("write") and`
`44`		`- isTornadoRequestHandlerInstance(node) and`
`45`		`- this = call.getAnArg()`
	`41`	`+ this = call.getAnArg() and`
	`42`	`+ isTornadoRequestHandlerInstance(node)`
`46`	`43`	`)`
`47`	`44`	`}`
`48`	`45`