Merge pull request #3005 from RasmusWL/python-modernise-string-taint

Python: Modernise StringKind files
2020-03-12 15:01:18 +01:00 · 2020-03-12 15:01:18 +01:00 · 099997088a
--- a/python/ql/src/semmle/python/security/strings/Basic.qll
+++ b/python/ql/src/semmle/python/security/strings/Basic.qll
@ -71,11 +71,7 @@ private predicate str_method_call(ControlFlowNode fromnode, CallNode tonode) {
 /* tonode = ....format(fromnode) */
 private predicate str_format(ControlFlowNode fromnode, CallNode tonode) {
    tonode.getFunction().(AttrNode).getName() = "format" and
-    (
-        tonode.getAnArg() = fromnode
-        or
-        tonode.getNode().getAKeyword().getValue() = fromnode.getNode()
-    )
+    tonode.getAnArg() = fromnode
 }

 /* tonode = codec.[en|de]code(fromnode)*/
@ -93,9 +89,10 @@ private predicate encode_decode(ControlFlowNode fromnode, CallNode tonode) {
 /* tonode = str(fromnode)*/
 private predicate to_str(ControlFlowNode fromnode, CallNode tonode) {
    tonode.getAnArg() = fromnode and
-    exists(ClassObject str |
-        tonode.getFunction().refersTo(str) |
-        str = theUnicodeType() or str = theBytesType()
+    (
+        tonode = ClassValue::bytes().getACall()
+        or
+        tonode = ClassValue::unicode().getACall()
    )
 }

@ -110,11 +107,8 @@ private predicate slice(ControlFlowNode fromnode, SubscriptNode tonode) {

 /* tonode = os.path.join(..., fromnode, ...) */
 private predicate os_path_join(ControlFlowNode fromnode, CallNode tonode) {
-    exists(FunctionObject path_join |
-        path_join = ModuleObject::named("os").attr("path").(ModuleObject).attr("join")
-        and
-        tonode = path_join.getACall() and tonode.getAnArg() = fromnode 
-    )
+    tonode = Value::named("os.path.join").getACall()
+    and tonode.getAnArg() = fromnode
 }

 /** A kind of "taint", representing a dictionary mapping str->"taint" */
@ -125,5 +119,3 @@ class StringDictKind extends DictKind {
    }

 }
-
-
--- a/python/ql/src/semmle/python/security/strings/Common.qll
+++ b/python/ql/src/semmle/python/security/strings/Common.qll
@ -5,12 +5,12 @@ import python
 predicate copy_call(ControlFlowNode fromnode, CallNode tonode) {
    tonode.getFunction().(AttrNode).getObject("copy") = fromnode
    or
-    exists(ModuleObject copy, string name |
+    exists(ModuleValue copy, string name |
        name = "copy" or name = "deepcopy" |
-        copy.attr(name).(FunctionObject).getACall() = tonode and
+        copy.attr(name).(FunctionValue).getACall() = tonode and
        tonode.getArg(0) = fromnode
    )
    or
-    tonode.getFunction().refersTo(Object::builtin("reversed")) and
+    tonode.getFunction().pointsTo(Value::named("reversed")) and
    tonode.getArg(0) = fromnode
 }
--- a/python/ql/src/semmle/python/security/strings/External.qll
+++ b/python/ql/src/semmle/python/security/strings/External.qll
@ -139,11 +139,8 @@ private predicate json_subscript_taint(
 }

 private predicate json_load(ControlFlowNode fromnode, CallNode tonode) {
-    exists(FunctionObject json_loads |
-        ModuleObject::named("json").attr("loads") = json_loads and
-        json_loads.getACall() = tonode and
-        tonode.getArg(0) = fromnode
-    )
+    tonode = Value::named("json.loads").getACall() and
+    tonode.getArg(0) = fromnode
 }

 private predicate urlsplit(ControlFlowNode fromnode, CallNode tonode) {