Apply suggestions

jorgectf · yoff · jorgectf · commit 0f20eeb39564 · 2021-04-27T19:54:19.000+02:00
Co-authored-by: yoff &lt;lerchedahl@gmail.com&gt;
diff --git a/python/ql/src/semmle/python/Concepts.qll b/python/ql/src/semmle/python/Concepts.qll
@@ -666,7 +666,7 @@ module RegexExecution {
 }
 
 class RegexExecution extends DataFlow::Node {
-  override RegexExecution::Range range;
+  RegexExecution::Range range;
 
   RegexExecution() { this = range }
 
diff --git a/python/ql/src/semmle/python/frameworks/Stdlib.qll b/python/ql/src/semmle/python/frameworks/Stdlib.qll
@@ -875,25 +875,32 @@ private module Stdlib {
     }
 
     /** re.ReMethod(pattern, string) */
-    private class DirectRegex extends RegexExecution::Range {
+    private class DirectRegex extends DataFlow::CallCfgNode, RegexExecution::Range {
+      DataFlow::Node regexNode;
+
       DirectRegex() {
-        exists(ReMethods reMethod, DataFlow::CallCfgNode reCall |
-          reCall = API::moduleImport("re").getMember(reMethod).getACall() and
-          this = reCall.getArg(0)
-        )
+        this = API::moduleImport("re").getMember(any(ReMethods m)).getACall() and
+        regexNode = this.getArg(0)
       }
+
+      override DataFlow::Node getRegexNode() { result = regexNode }
     }
 
     /** re.compile(pattern).ReMethod */
-    private class CompiledRegex extends RegexExecution::Range {
+    private class CompiledRegex extends DataFlow::CallCfgNode, RegexExecution::Range {
+      DataFlow::Node regexNode;
+
       CompiledRegex() {
         exists(DataFlow::CallCfgNode patternCall, DataFlow::AttrRead reMethod |
+          this.getFunction() = reMethod and
           patternCall = API::moduleImport("re").getMember("compile").getACall() and
           patternCall = reMethod.getObject().getALocalSource() and
           reMethod.getAttributeName() instanceof ReMethods and
-          this = patternCall.getArg(0)
+          regexNode = patternCall.getArg(0)
         )
       }
+
+      override DataFlow::Node getRegexNode() { result = regexNode }
     }
 
     private class RegexEscape extends DataFlow::Node {
diff --git a/python/ql/src/semmle/python/security/dataflow/RegexInjection.qll b/python/ql/src/semmle/python/security/dataflow/RegexInjection.qll
@@ -17,7 +17,10 @@ class RegexInjectionFlowConfig extends TaintTracking::Configuration {
 
   override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
-  override predicate isSink(DataFlow::Node sink) { sink instanceof RegexExecution }
+ override predicate isSink(DataFlow::Node sink) { sink = any(RegexExecution re).getRegexNode() }
 
-  override predicate isSanitizer(DataFlow::Node sanitizer) { sanitizer instanceof RegexEscape }
+  override predicate isSanitizer(DataFlow::Node sanitizer) {
+    sanitizer =
+      API::moduleImport("re").getMember("escape").getACall().(DataFlow::CallCfgNode).getArg(0)
+  }
 }

Original file line number	Diff line number	Diff line change
`@@ -666,7 +666,7 @@ module RegexExecution {`
`666`	`666`	`}`
`667`	`667`
`668`	`668`	`class RegexExecution extends DataFlow::Node {`
`669`		`- override RegexExecution::Range range;`
	`669`	`+ RegexExecution::Range range;`
`670`	`670`
`671`	`671`	`RegexExecution() { this = range }`
`672`	`672`