Python: Add MarkupSafe model

tausbn · RasmusWL · commit 62db8cc6336b · 2023-12-08T11:27:51.000+01:00
diff --git a/python/ql/lib/semmle/python/frameworks/MarkupSafe.qll b/python/ql/lib/semmle/python/frameworks/MarkupSafe.qll
@@ -9,12 +9,15 @@ private import semmle.python.dataflow.new.TaintTracking
 private import semmle.python.Concepts
 private import semmle.python.ApiGraphs
 private import semmle.python.frameworks.internal.InstanceTaintStepsHelper
+private import semmle.python.frameworks.data.ModelsAsData
 
 /**
+ * INTERNAL: Do not use.
+ *
  * Provides models for the `MarkupSafe` PyPI package.
  * See https://markupsafe.palletsprojects.com/en/2.0.x/.
  */
-private module MarkupSafeModel {
+module MarkupSafeModel {
   /**
    * Provides models for the `markupsafe.Markup` class
    *
@@ -26,6 +29,8 @@ private module MarkupSafeModel {
       result = API::moduleImport("markupsafe").getMember("Markup")
       or
       result = API::moduleImport("flask").getMember("Markup")
+      or
+      result = ModelOutput::getATypeNode("markupsafe.Markup~Subclass").getASubclass*()
     }
 
     /**
diff --git a/python/ql/src/meta/ClassHierarchy/Find.ql b/python/ql/src/meta/ClassHierarchy/Find.ql
@@ -20,6 +20,7 @@ private import semmle.python.frameworks.Aiohttp
 private import semmle.python.frameworks.Fabric
 private import semmle.python.frameworks.Httpx
 private import semmle.python.frameworks.Invoke
+private import semmle.python.frameworks.MarkupSafe
 import semmle.python.frameworks.data.internal.ApiGraphModelsExtensions as Extensions
 
 class FlaskViewClasses extends FindSubclassesSpec {
@@ -303,6 +304,12 @@ class InvokeContext extends FindSubclassesSpec {
   }
 }
 
+class MarkupSafe extends FindSubclassesSpec {
+  MarkupSafe() { this = "markupsafe.Markup~Subclass" }
+
+  override API::Node getAlreadyModeledClass() { result = MarkupSafeModel::Markup::classRef() }
+}
+
 bindingset[fullyQualified]
 predicate fullyQualifiedToYamlFormat(string fullyQualified, string type2, string path) {
   exists(int firstDot | firstDot = fullyQualified.indexOf(".", 0, 0) |
