Merge pull request #2040 from RasmusWL/python-modernise-cherrypy

taus-semmle · web-flow · commit 04f14f1fe7ab · 2019-09-30T11:53:59.000+02:00
Python: Modernise cherrypy library
diff --git a/python/ql/src/semmle/python/web/cherrypy/General.qll b/python/ql/src/semmle/python/web/cherrypy/General.qll
@@ -2,31 +2,24 @@ import python
 import semmle.python.web.Http
 
 module CherryPy {
-
-    FunctionObject expose() {
-        result = ModuleObject::named("cherrypy").attr("expose")
-    }
-
+    FunctionValue expose() { result = Value::named("cherrypy.expose") }
 }
 
 class CherryPyExposedFunction extends Function {
-
     CherryPyExposedFunction() {
-        this.getADecorator().refersTo(CherryPy::expose())
+        this.getADecorator().pointsTo(CherryPy::expose())
         or
-        this.getADecorator().(Call).getFunc().refersTo(CherryPy::expose())
+        this.getADecorator().(Call).getFunc().pointsTo(CherryPy::expose())
     }
-
 }
 
 class CherryPyRoute extends CallNode {
-
     CherryPyRoute() {
         /* cherrypy.quickstart(root, script_name, config) */
-        ModuleObject::named("cherrypy").attr("quickstart").(FunctionObject).getACall() = this
+        Value::named("cherrypy.quickstart").(FunctionValue).getACall() = this
         or
         /* cherrypy.tree.mount(root, script_name, config) */
-        this.getFunction().(AttrNode).getObject("mount").refersTo(ModuleObject::named("cherrypy").attr("tree"))
+        this.getFunction().(AttrNode).getObject("mount").pointsTo(Value::named("cherrypy.tree"))
     }
 
     ClassObject getAppClass() {
@@ -36,9 +29,7 @@ class CherryPyRoute extends CallNode {
     }
 
     string getPath() {
-        exists(StringObject path |
-            result = path.getText() 
-            |
+        exists(StringObject path | result = path.getText() |
             this.getArg(1).refersTo(path)
             or
             this.getArgByName("script_name").refersTo(path)
@@ -50,7 +41,4 @@ class CherryPyRoute extends CallNode {
         or
         this.getArgByName("config").refersTo(_, result, _)
     }
-
 }
-
-
diff --git a/python/ql/src/semmle/python/web/cherrypy/Request.qll b/python/ql/src/semmle/python/web/cherrypy/Request.qll
@@ -1,16 +1,12 @@
 import python
-
 import semmle.python.security.TaintTracking
 import semmle.python.security.strings.Basic
 import semmle.python.web.Http
 import semmle.python.web.cherrypy.General
 
 /** The cherrypy.request local-proxy object */
 class CherryPyRequest extends TaintKind {
-
-    CherryPyRequest() {
-        this = "cherrypy.request"
-    }
+    CherryPyRequest() { this = "cherrypy.request" }
 
     override TaintKind getTaintOfAttribute(string name) {
         name = "params" and result instanceof ExternalStringDictKind
@@ -19,20 +15,17 @@ class CherryPyRequest extends TaintKind {
     }
 
     override TaintKind getTaintOfMethodResult(string name) {
-            (
-                name = "getHeader" or
-                name = "getCookie" or
-                name = "getUser" or
-                name = "getPassword"
-            ) and
-            result instanceof ExternalStringKind
+        (
+            name = "getHeader" or
+            name = "getCookie" or
+            name = "getUser" or
+            name = "getPassword"
+        ) and
+        result instanceof ExternalStringKind
     }
-
 }
 
-
 class CherryPyExposedFunctionParameter extends TaintSource {
-
     CherryPyExposedFunctionParameter() {
         exists(Parameter p |
             p = any(CherryPyExposedFunction f).getAnArg() and
@@ -41,29 +34,13 @@ class CherryPyExposedFunctionParameter extends TaintSource {
         )
     }
 
-    override string toString() {
-        result = "CherryPy handler function parameter"
-    }
-
-    override predicate isSourceOf(TaintKind kind) {
-        kind instanceof ExternalStringKind
-    }
+    override string toString() { result = "CherryPy handler function parameter" }
 
+    override predicate isSourceOf(TaintKind kind) { kind instanceof ExternalStringKind }
 }
 
 class CherryPyRequestSource extends TaintSource {
+    CherryPyRequestSource() { this.(ControlFlowNode).pointsTo(Value::named("cherrypy.request")) }
 
-    CherryPyRequestSource() {
-        this.(ControlFlowNode).refersTo(ModuleObject::named("cherrypy").attr("request"))
-    }
-
-    override predicate isSourceOf(TaintKind kind) {
-        kind instanceof CherryPyRequest
-    }
-
+    override predicate isSourceOf(TaintKind kind) { kind instanceof CherryPyRequest }
 }
-
-
-
-
-
diff --git a/python/ql/src/semmle/python/web/cherrypy/Response.qll b/python/ql/src/semmle/python/web/cherrypy/Response.qll
@@ -1,28 +1,18 @@
 import python
-
 import semmle.python.security.TaintTracking
 import semmle.python.security.strings.Untrusted
 import semmle.python.web.Http
 import semmle.python.web.cherrypy.General
 
-
-
 class CherryPyExposedFunctionResult extends HttpResponseTaintSink {
-
     CherryPyExposedFunctionResult() {
         exists(Return ret |
             ret.getScope() instanceof CherryPyExposedFunction and
             ret.getValue().getAFlowNode() = this
         )
     }
 
-    override predicate sinks(TaintKind kind) {
-        kind instanceof StringKind
-    }
-
-    override string toString() {
-        result = "cherrypy handler function result"
-    }
+    override predicate sinks(TaintKind kind) { kind instanceof StringKind }
 
+    override string toString() { result = "cherrypy handler function result" }
 }
-
diff --git a/python/ql/test/library-tests/web/cherrypy/Sources.expected b/python/ql/test/library-tests/web/cherrypy/Sources.expected
@@ -1,4 +1,3 @@
 | ../../../query-tests/Security/lib/cherrypy/__init__.py:10 | _ThreadLocalProxy() | cherrypy.request |
-| ../../../query-tests/Security/lib/cherrypy/__init__.py:10 | request | cherrypy.request |
 | test.py:10 | arg | externally controlled string |
 | test.py:16 | arg | externally controlled string |
