Python: Add getAReturnedNode to PythonFunctionValue

RasmusWL · RasmusWL · commit 48f873e3d92c · 2019-12-18T12:00:43.000+01:00
diff --git a/python/ql/src/semmle/python/objects/ObjectAPI.qll b/python/ql/src/semmle/python/objects/ObjectAPI.qll
@@ -211,7 +211,7 @@ module Value {
     }
 
     /** Gets the `Value` for the integer constant `i`, if it exists.
-     * There will be no `Value` for most integers, but the following are 
+     * There will be no `Value` for most integers, but the following are
      * guaranteed to exist:
      * * From zero to 511 inclusive.
      * * All powers of 2 (up to 2**30)
@@ -486,6 +486,11 @@ class PythonFunctionValue extends FunctionValue {
         )
     }
 
+    /** Gets a control flow node corresponding to a return statement in this function */
+    ControlFlowNode getAReturnedNode() {
+        result = this.getScope().getAReturnValueFlowNode()
+    }
+
 }
 
 /** Class representing builtin functions, such as `len` or `print` */
diff --git a/python/ql/src/semmle/python/web/flask/Response.qll b/python/ql/src/semmle/python/web/flask/Response.qll
@@ -9,8 +9,8 @@ import semmle.python.web.flask.General
  */
 class FlaskRoutedResponse extends HttpResponseTaintSink {
     FlaskRoutedResponse() {
-        exists(PyFunctionObject response |
-            flask_routing(_, response.getFunction()) and
+        exists(PythonFunctionValue response |
+            flask_routing(_, response.getScope()) and
             this = response.getAReturnedNode()
         )
     }
diff --git a/python/ql/src/semmle/python/web/pyramid/Response.qll b/python/ql/src/semmle/python/web/pyramid/Response.qll
@@ -11,8 +11,8 @@ private import semmle.python.web.Http
  */
 class PyramidRoutedResponse extends HttpResponseTaintSink {
     PyramidRoutedResponse() {
-        exists(PyFunctionObject view |
-            is_pyramid_view_function(view.getFunction()) and
+        exists(PythonFunctionValue view |
+            is_pyramid_view_function(view.getScope()) and
             this = view.getAReturnedNode()
         )
     }
diff --git a/python/ql/src/semmle/python/web/twisted/Response.qll b/python/ql/src/semmle/python/web/twisted/Response.qll
@@ -11,8 +11,7 @@ class TwistedResponse extends TaintSink {
             isKnownRequestHandlerMethodName(name) and
             name = func.getName() and
             func = getTwistedRequestHandlerMethod(name) and
-            func.getScope() = ret.getScope() and
-            ret.getValue().getAFlowNode() = this
+            this = func.getAReturnedNode()
         )
     }
 

Original file line number	Diff line number	Diff line change
`@@ -211,7 +211,7 @@ module Value {`
`211`	`211`	`}`
`212`	`212`
`213`	`213`	/** Gets the `Value` for the integer constant `i`, if it exists.
`214`		- * There will be no `Value` for most integers, but the following are
	`214`	+ * There will be no `Value` for most integers, but the following are
`215`	`215`	`* guaranteed to exist:`
`216`	`216`	`* * From zero to 511 inclusive.`
`217`	`217`	`* * All powers of 2 (up to 2**30)`
`@@ -486,6 +486,11 @@ class PythonFunctionValue extends FunctionValue {`
`486`	`486`	`)`
`487`	`487`	`}`
`488`	`488`
	`489`	`+ /** Gets a control flow node corresponding to a return statement in this function */`
	`490`	`+ ControlFlowNode getAReturnedNode() {`
	`491`	`+ result = this.getScope().getAReturnValueFlowNode()`
	`492`	`+ }`
	`493`	`+`
`489`	`494`	`}`
`490`	`495`
`491`	`496`	/** Class representing builtin functions, such as `len` or `print` */
Original file line number	Diff line number	Diff line change
`@@ -9,8 +9,8 @@ import semmle.python.web.flask.General`
`9`	`9`	`*/`
`10`	`10`	`class FlaskRoutedResponse extends HttpResponseTaintSink {`
`11`	`11`	`FlaskRoutedResponse() {`
`12`		`- exists(PyFunctionObject response \|`
`13`		`- flask_routing(_, response.getFunction()) and`
	`12`	`+ exists(PythonFunctionValue response \|`
	`13`	`+ flask_routing(_, response.getScope()) and`
`14`	`14`	`this = response.getAReturnedNode()`
`15`	`15`	`)`
`16`	`16`	`}`
Original file line number	Diff line number	Diff line change
`@@ -11,8 +11,8 @@ private import semmle.python.web.Http`
`11`	`11`	`*/`
`12`	`12`	`class PyramidRoutedResponse extends HttpResponseTaintSink {`
`13`	`13`	`PyramidRoutedResponse() {`
`14`		`- exists(PyFunctionObject view \|`
`15`		`- is_pyramid_view_function(view.getFunction()) and`
	`14`	`+ exists(PythonFunctionValue view \|`
	`15`	`+ is_pyramid_view_function(view.getScope()) and`
`16`	`16`	`this = view.getAReturnedNode()`
`17`	`17`	`)`
`18`	`18`	`}`
Original file line number	Diff line number	Diff line change
`@@ -11,8 +11,7 @@ class TwistedResponse extends TaintSink {`
`11`	`11`	`isKnownRequestHandlerMethodName(name) and`
`12`	`12`	`name = func.getName() and`
`13`	`13`	`func = getTwistedRequestHandlerMethod(name) and`
`14`		`- func.getScope() = ret.getScope() and`
`15`		`- ret.getValue().getAFlowNode() = this`
	`14`	`+ this = func.getAReturnedNode()`
`16`	`15`	`)`
`17`	`16`	`}`
`18`	`17`