Python: Even more API::Node pushing.

tausbn · tausbn · commit 46eb3fd10ac9 · 2021-02-08T14:22:42.000+01:00
diff --git a/python/ql/src/semmle/python/frameworks/Flask.qll b/python/ql/src/semmle/python/frameworks/Flask.qll
@@ -306,9 +306,9 @@ private module FlaskModel {
 
   private module FlaskRequestTracking {
     /** Gets a reference to either of the `get_json` or `get_data` attributes of a Flask request. */
-    DataFlow::Node tainted_methods(string attr_name) {
+    API::Node tainted_methods(string attr_name) {
       attr_name in ["get_data", "get_json"] and
-      result = flask::request().getMember(attr_name).getAUse()
+      result = flask::request().getMember(attr_name)
     }
   }
 
@@ -364,7 +364,7 @@ private module FlaskModel {
       )
       or
       // methods (needs special handling to track bound-methods -- see `FlaskRequestMethodCallsAdditionalTaintStep` below)
-      this = FlaskRequestTracking::tainted_methods(attr_name)
+      this = FlaskRequestTracking::tainted_methods(attr_name).getAUse()
     }
 
     override string getSourceType() { result = "flask.request input" }
@@ -374,7 +374,7 @@ private module FlaskModel {
     override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
       // NOTE: `request -> request.tainted_method` part is handled as part of RequestInputAccess
       // tainted_method -> tainted_method()
-      nodeFrom = FlaskRequestTracking::tainted_methods(_) and
+      nodeFrom = FlaskRequestTracking::tainted_methods(_).getAUse() and
       nodeTo.asCfgNode().(CallNode).getFunction() = nodeFrom.asCfgNode()
     }
   }
@@ -443,7 +443,7 @@ private module FlaskModel {
     DataFlow::CfgNode {
     override CallNode node;
 
-    FlaskRedirectCall() { node.getFunction() = flask_attr("redirect").asCfgNode() }
+    FlaskRedirectCall() { node.getFunction() = flask_attr("redirect").getAUse().asCfgNode() }
 
     override DataFlow::Node getRedirectLocation() {
       result.asCfgNode() in [node.getArg(0), node.getArgByName("location")]

Original file line number	Diff line number	Diff line change
`@@ -306,9 +306,9 @@ private module FlaskModel {`
`306`	`306`
`307`	`307`	`private module FlaskRequestTracking {`
`308`	`308`	/** Gets a reference to either of the `get_json` or `get_data` attributes of a Flask request. */
`309`		`- DataFlow::Node tainted_methods(string attr_name) {`
	`309`	`+ API::Node tainted_methods(string attr_name) {`
`310`	`310`	`attr_name in ["get_data", "get_json"] and`
`311`		`- result = flask::request().getMember(attr_name).getAUse()`
	`311`	`+ result = flask::request().getMember(attr_name)`
`312`	`312`	`}`
`313`	`313`	`}`
`314`	`314`
`@@ -364,7 +364,7 @@ private module FlaskModel {`
`364`	`364`	`)`
`365`	`365`	`or`
`366`	`366`	// methods (needs special handling to track bound-methods -- see `FlaskRequestMethodCallsAdditionalTaintStep` below)
`367`		`- this = FlaskRequestTracking::tainted_methods(attr_name)`
	`367`	`+ this = FlaskRequestTracking::tainted_methods(attr_name).getAUse()`
`368`	`368`	`}`
`369`	`369`
`370`	`370`	`override string getSourceType() { result = "flask.request input" }`
`@@ -374,7 +374,7 @@ private module FlaskModel {`
`374`	`374`	`override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {`
`375`	`375`	// NOTE: `request -> request.tainted_method` part is handled as part of RequestInputAccess
`376`	`376`	`// tainted_method -> tainted_method()`
`377`		`- nodeFrom = FlaskRequestTracking::tainted_methods(_) and`
	`377`	`+ nodeFrom = FlaskRequestTracking::tainted_methods(_).getAUse() and`
`378`	`378`	`nodeTo.asCfgNode().(CallNode).getFunction() = nodeFrom.asCfgNode()`
`379`	`379`	`}`
`380`	`380`	`}`
`@@ -443,7 +443,7 @@ private module FlaskModel {`
`443`	`443`	`DataFlow::CfgNode {`
`444`	`444`	`override CallNode node;`
`445`	`445`
`446`		`- FlaskRedirectCall() { node.getFunction() = flask_attr("redirect").asCfgNode() }`
	`446`	`+ FlaskRedirectCall() { node.getFunction() = flask_attr("redirect").getAUse().asCfgNode() }`
`447`	`447`
`448`	`448`	`override DataFlow::Node getRedirectLocation() {`
`449`	`449`	`result.asCfgNode() in [node.getArg(0), node.getArgByName("location")]`