diff --git a/python/ql/src/semmle/python/security/strings/Basic.qll b/python/ql/src/semmle/python/security/strings/Basic.qll
index 9dda9c59729..5a18bf04e7f 100755
--- a/python/ql/src/semmle/python/security/strings/Basic.qll
+++ b/python/ql/src/semmle/python/security/strings/Basic.qll
@@ -71,11 +71,7 @@ private predicate str_method_call(ControlFlowNode fromnode, CallNode tonode) {
 /* tonode = ....format(fromnode) */
 private predicate str_format(ControlFlowNode fromnode, CallNode tonode) {
 tonode.getFunction().(AttrNode).getName() = "format" and
- (
- tonode.getAnArg() = fromnode
- or
- tonode.getNode().getAKeyword().getValue() = fromnode.getNode()
- )
+ tonode.getAnArg() = fromnode
 }
 /* tonode = codec.[en|de]code(fromnode)*/
@@ -93,9 +89,10 @@ private predicate encode_decode(ControlFlowNode fromnode, CallNode tonode) {
 /* tonode = str(fromnode)*/
 private predicate to_str(ControlFlowNode fromnode, CallNode tonode) {
 tonode.getAnArg() = fromnode and
- exists(ClassObject str |
- tonode.getFunction().refersTo(str) |
- str = theUnicodeType() or str = theBytesType()
+ (
+ tonode = ClassValue::bytes().getACall()
+ or
+ tonode = ClassValue::unicode().getACall()
 )
 }
@@ -110,11 +107,8 @@ private predicate slice(ControlFlowNode fromnode, SubscriptNode tonode) {
 /* tonode = os.path.join(..., fromnode, ...) */
 private predicate os_path_join(ControlFlowNode fromnode, CallNode tonode) {
- exists(FunctionObject path_join |
- path_join = ModuleObject::named("os").attr("path").(ModuleObject).attr("join")
- and
- tonode = path_join.getACall() and tonode.getAnArg() = fromnode
- )
+ tonode = Value::named("os.path.join").getACall()
+ and tonode.getAnArg() = fromnode
 }
 /** A kind of "taint", representing a dictionary mapping str->"taint" */
@@ -125,5 +119,3 @@ class StringDictKind extends DictKind {
 }
 }
-
-
diff --git a/python/ql/src/semmle/python/security/strings/Common.qll b/python/ql/src/semmle/python/security/strings/Common.qll
index 36af5568fd2..6ac796d109b 100644
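Review bot: In `str_format` (Basic.qll) the keyword-argument branch is removed rather than ported to the new API, so unless `getAnArg()` also yields keyword values, a call such as `"{x}".format(x=tainted)` no longer propagates string taint. That would be a silent loss of coverage for every injection query built on this step, in a commit that otherwise reads as a like-for-like migration. If the drop is not intended, keep the disjunction, e.g. `( tonode.getAnArg() = fromnode or tonode.getArgByName(_) = fromnode )`. Either way, a library test with a keyword-only `format` call would stop the step regressing unnoticed.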
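Review bot: The comment above `to_str` (Basic.qll) still reads `/* tonode = str(fromnode)*/`, but the predicate now matches any call that resolves to the `bytes` or `unicode` class. Update it to something like `/* tonode = str(fromnode), bytes(fromnode) or unicode(fromnode) */` so the modelled conversions are explicit. Whether `getACall()` reaches the same call sites as the old `refersTo` check on the callee is not visible from this hunk; a test covering both classes would confirm that no taint step was lost.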
--- a/python/ql/src/semmle/python/security/strings/Common.qll
+++ b/python/ql/src/semmle/python/security/strings/Common.qll
@@ -5,12 +5,12 @@ import python
 predicate copy_call(ControlFlowNode fromnode, CallNode tonode) {
 tonode.getFunction().(AttrNode).getObject("copy") = fromnode
 or
- exists(ModuleObject copy, string name |
+ exists(ModuleValue copy, string name |
 name = "copy" or name = "deepcopy" |
- copy.attr(name).(FunctionObject).getACall() = tonode and
+ copy.attr(name).(FunctionValue).getACall() = tonode and
 tonode.getArg(0) = fromnode
 )
 or
- tonode.getFunction().refersTo(Object::builtin("reversed")) and
+ tonode.getFunction().pointsTo(Value::named("reversed")) and
 tonode.getArg(0) = fromnode
 }
diff --git a/python/ql/src/semmle/python/security/strings/External.qll b/python/ql/src/semmle/python/security/strings/External.qll
index fca73a2f0b2..c8084552a5d 100644
--- a/python/ql/src/semmle/python/security/strings/External.qll
+++ b/python/ql/src/semmle/python/security/strings/External.qll
@@ -139,11 +139,8 @@ private predicate json_subscript_taint(
 }
 private predicate json_load(ControlFlowNode fromnode, CallNode tonode) {
- exists(FunctionObject json_loads |
- ModuleObject::named("json").attr("loads") = json_loads and
- json_loads.getACall() = tonode and
- tonode.getArg(0) = fromnode
- )
+ tonode = Value::named("json.loads").getACall() and
+ tonode.getArg(0) = fromnode
 }
 private predicate urlsplit(ControlFlowNode fromnode, CallNode tonode) {
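Review bot: In `copy_call` (Common.qll) the quantified `ModuleValue copy` is never tied to the `copy` module, so any module attribute named `copy` or `deepcopy` that resolves to a function is treated as a taint-preserving copy of its first argument. The migration carries that looseness over, and over-broad steps like this surface as spurious flows in the security queries. With the dotted-name lookup used in Basic.qll and External.qll it can be pinned, e.g. `Value::named("copy." + name).getACall() = tonode and`, dropping `ModuleValue copy` from the `exists`. The `reversed` branch also uses `getFunction().pointsTo(...)` where the rest of the commit uses `getACall()`; one form throughout would be easier to audit.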
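Review bot: `json_load` (External.qll) follows only the first positional argument, so a call written as `json.loads(s=tainted)` is not a taint step and the decoded value would come out untainted. If that form should be covered, widen the argument match to `( tonode.getArg(0) = fromnode or tonode.getArgByName("s") = fromnode )`. The predicate also has no header comment; adding `/* tonode = json.loads(fromnode) */` in the style used in Basic.qll would make clear that only `loads` is modelled here, not `json.load` on a file object.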