Python: Don't rely on all DataFlowCall being resolved

RasmusWL · RasmusWL · commit df4d09b3f9ed · 2022-11-22T14:46:32.000+01:00
I've been living dangerously with that assumption :|
diff --git a/python/ql/src/Security/CWE-020-ExternalAPIs/ExternalAPIs.qll b/python/ql/src/Security/CWE-020-ExternalAPIs/ExternalAPIs.qll
@@ -87,6 +87,7 @@ newtype TInterestingExternalApiCall =
   } or
   TResolvedCall(DataFlowPrivate::DataFlowCall call) {
     exists(call.getLocation().getFile().getRelativePath()) and
+    exists(call.getCallable()) and
     not call.getCallable() = any(SafeExternalApi safe).getSafeCallable() and
     // ignore calls inside codebase, and ignore calls that are marked as  safe. This is
     // only needed as long as we extract dependencies. When we stop doing that, all
diff --git a/python/ql/test/experimental/dataflow/calls/DataFlowCallTest.ql b/python/ql/test/experimental/dataflow/calls/DataFlowCallTest.ql
@@ -17,7 +17,8 @@ class DataFlowCallTest extends InlineExpectationsTest {
     exists(location.getFile().getRelativePath()) and
     exists(DataFlowDispatch::DataFlowCall call |
       location = call.getLocation() and
-      element = call.toString()
+      element = call.toString() and
+      exists(call.getCallable())
     |
       value = prettyExpr(call.getNode().getNode()) and
       tag = "call"
