Python: Update taint-tracking to use new points-to API.

markshannon · markshannon · commit 782311f805fd · 2019-04-26T16:21:46.000+01:00
diff --git a/python/ql/src/semmle/python/objects/ObjectAPI.qll b/python/ql/src/semmle/python/objects/ObjectAPI.qll
@@ -94,6 +94,10 @@ class ModuleValue extends Value {
         result = this.(ModuleObjectInternal).getName()
     }
 
+    Module getScope() {
+        result = this.(ModuleObjectInternal).getSourceModule()
+    }
+
 }
 
 module Module {
@@ -128,6 +132,10 @@ class CallableValue extends Value {
         none()
     }
 
+    Function getScope() {
+        result = this.(PythonFunctionObjectInternal).getScope()
+    }
+
 }
 
 class ClassValue extends Value {
diff --git a/python/ql/src/semmle/python/security/TaintTracking.qll b/python/ql/src/semmle/python/security/TaintTracking.qll
@@ -133,12 +133,17 @@ abstract class TaintKind extends string {
         )
     }
 
+    /** DEPRECATED -- Use getType() instead */
+    ClassObject getClass() {
+        none()
+    }
+
     /** Gets the class of this kind of taint.
      * For example, if this were a kind of string taint
      * the `result` would be `theStrType()`.
      */
-    ClassObject getClass() {
-        none()
+    ClassValue getType() {
+        result.getSource() = this.getClass()
     }
 
     /** Gets the boolean values (may be one, neither, or both) that
@@ -194,7 +199,7 @@ class SequenceKind extends CollectionKind {
             mod.getOp() instanceof Mod and
             mod.getAnOperand() = fromnode and
             result = this.getItem() and
-            result.getClass() = theStrType()
+            result.getType() = Value::named("str")
         )
     }
 
@@ -279,7 +284,7 @@ module DictKind {
     predicate flowStep(ControlFlowNode fromnode, ControlFlowNode tonode) {
         TaintFlowImplementation::copyCall(fromnode, tonode)
         or
-        tonode.(CallNode).getFunction().refersTo(theDictType()) and
+        tonode.(CallNode).getFunction().pointsTo(Value::named("dict")) and
         tonode.(CallNode).getArg(0) = fromnode
     }
 
@@ -947,8 +952,8 @@ library module TaintFlowImplementation {
 
     pragma [noinline]
     private predicate import_flow(TaintedNode fromnode, ImportExprNode tonode, CallContext tocontext, string name) {
-        exists(ModuleObject mod |
-            tonode.refersTo(mod) and
+        exists(ModuleValue mod |
+            tonode.pointsTo(mod) and
             module_attribute_tainted(mod, name, fromnode) and
             tocontext.appliesTo(tonode)
         )
@@ -965,9 +970,9 @@ library module TaintFlowImplementation {
 
     pragma [noinline]
     predicate from_import_step(TaintedNode fromnode, TrackedValue totaint, CallContext tocontext, ControlFlowNode tonode) {
-        exists(string name, ImportExprNode fmod, ModuleObject mod |
+        exists(string name, ImportExprNode fmod, ModuleValue mod |
             fmod = tonode.(ImportMemberNode).getModule(name) and
-            fmod.refersTo(mod) and
+            fmod.pointsTo(mod) and
             tocontext.appliesTo(tonode) and
             module_attribute_tainted(mod, name, fromnode) and
             totaint = fromnode.getTrackedValue()
@@ -977,7 +982,7 @@ library module TaintFlowImplementation {
     pragma [noinline]
     predicate getattr_step(TaintedNode fromnode, TrackedValue totaint, CallContext tocontext, CallNode tonode) {
         exists(ControlFlowNode arg, string name |
-            tonode.getFunction().refersTo(Object::builtin("getattr")) and
+            tonode.getFunction().pointsTo(Value::named("getattr")) and
             arg = tonode.getArg(0) and
             name = tonode.getArg(1).getNode().(StrConst).getText() and
             arg = fromnode.getNode() and
@@ -1017,11 +1022,11 @@ library module TaintFlowImplementation {
         )
     }
 
-    predicate module_attribute_tainted(ModuleObject m, string name, TaintedNode origin) {
+    predicate module_attribute_tainted(ModuleValue m, string name, TaintedNode origin) {
         exists(EssaVariable var, CallContext c |
             var.getName() = name and
             BaseFlow::reaches_exit(var) and
-            var.getScope() = m.getModule() and
+            var.getScope() = m.getScope() and
             tainted_var(var, c, origin) and
             c = TTop()
         )
@@ -1062,9 +1067,9 @@ library module TaintFlowImplementation {
     }
 
     predicate self_init_end_transfer(EssaVariable self, CallContext callee, CallNode call, CallContext caller) {
-        exists(ClassObject cls, Function init |
-            PointsTo::instantiation(call, _, cls) and
-            init = cls.lookupAttribute("__init__").(FunctionObject).getFunction() and
+        exists(ClassValue cls, Function init |
+            call.getFunction().pointsTo(cls) and
+            init = cls.attr("__init__").(CallableValue).getScope() and
             self.getSourceVariable().(Variable).isSelf() and self.getScope() = init
             |
             callee = caller.getCallee(call)
@@ -1198,10 +1203,10 @@ library module TaintFlowImplementation {
     predicate parameter_step(CallContext caller, ControlFlowNode argument, CallContext callee, NameNode param) {
         exists(ParameterDefinition def |
             def.getDefiningNode() = param and
-            exists(FunctionObject func, CallNode call |
-                exists(int n | argument = func.getArgumentForCall(call, n) and param.getNode() = func.getFunction().getArg(n))
+            exists(CallableValue func, CallNode call |
+                exists(int n | argument = func.getArgumentForCall(call, n) and param.getNode() = func.getScope().getArg(n))
                 or
-                exists(string name | argument = func.getNamedArgumentForCall(call, name) and param.getNode() = func.getFunction().getArgByName(name))
+                exists(string name | argument = func.getNamedArgumentForCall(call, name) and param.getNode() = func.getScope().getArgByName(name))
                 or
                 class_initializer_argument(_, _, call, func, argument, param)
                 |
@@ -1211,11 +1216,11 @@ library module TaintFlowImplementation {
     }
 
     pragma [noinline]
-    predicate class_initializer_argument(ClassObject cls, int n, CallNode call, FunctionObject func, ControlFlowNode argument, NameNode param) {
-        PointsTo::instantiation(call, _, cls) and
-        cls.lookupAttribute("__init__") = func and
+    predicate class_initializer_argument(ClassValue cls, int n, CallNode call, CallableValue func, ControlFlowNode argument, NameNode param) {
+        call.getFunction().pointsTo(cls) and
+        cls.attr("__init__") = func and
         call.getArg(n) = argument and
-        param.getNode() = func.getFunction().getArg(n+1)
+        param.getNode() = func.getScope().getArg(n+1)
     }
 
     pragma [noinline]
@@ -1257,15 +1262,15 @@ library module TaintFlowImplementation {
             not Filters::isinstance(test.getTest(), _, var.getSourceVariable().getAUse()) and
             not boolean_filter(test.getTest(), var.getSourceVariable().getAUse())
             or
-            exists(ControlFlowNode c, ClassObject cls |
+            exists(ControlFlowNode c, ClassValue cls |
                 Filters::isinstance(test.getTest(), c, var.getSourceVariable().getAUse())
-                and c.refersTo(cls)
+                and c.pointsTo(cls)
                 |
                 test.getSense() = true and not exists(kind.getClass())
                 or
-                test.getSense() = true and kind.getClass().getAnImproperSuperType() = cls
+                test.getSense() = true and kind.getClass().getASuperType() = cls
                 or
-                test.getSense() = false and not kind.getClass().getAnImproperSuperType() = cls
+                test.getSense() = false and not kind.getType().getASuperType() = cls
             )
             or
             test.getSense() = test_evaluates(test.getTest(), var.getSourceVariable().getAUse(), kind)
@@ -1311,8 +1316,9 @@ library module TaintFlowImplementation {
 
     pragma [noinline]
     predicate tainted_import_star(ImportStarRefinement def, CallContext context, TaintedNode origin) {
-        exists(ModuleObject mod, string name |
-            PointsTo::Flow::module_and_name_for_import_star(mod, name, def, _) |
+        exists(ModuleValue mod, string name |
+            PointsTo::pointsTo(def.getDefiningNode().(ImportStarNode).getModule(), _, mod, _) and
+            name = def.getSourceVariable().getName() |
             if mod.exports(name) then (
                 /* Attribute from imported module */
                 module_attribute_tainted(mod, name, origin) and
@@ -1362,7 +1368,7 @@ library module TaintFlowImplementation {
             tonode.getArg(0) = fromnode
         )
         or
-        tonode.getFunction().refersTo(Object::builtin("reversed")) and
+        tonode.getFunction().pointsTo(Value::named("reversed")) and
         tonode.getArg(0) = fromnode
     }
 
@@ -1501,11 +1507,11 @@ class CallContext extends TCallContext {
             f.getFunction() = s and f.getACall() = call
         )
         or
-        exists(ClassObject cls,CallNode call |
+        exists(ClassValue cls,CallNode call |
             this = TCalleeContext(call, _, _) and
-            PointsTo::instantiation(call, _, cls) and
-            s = cls.lookupAttribute("__init__").(FunctionObject).getFunction() and
-            call.getFunction().refersTo(cls)
+            call.getFunction().pointsTo(cls) and
+            s = cls.attr("__init__").(CallableValue).getScope() and
+            call.getFunction().pointsTo(cls)
         )
     }
 
@@ -1625,7 +1631,7 @@ pragma [noinline]
 private predicate dict_construct(ControlFlowNode itemnode, ControlFlowNode dictnode) {
     dictnode.(DictNode).getAValue() = itemnode
     or
-    dictnode.(CallNode).getFunction().refersTo(theDictType()) and
+    dictnode.(CallNode).getFunction().pointsTo(Value::named("dict")) and
     dictnode.(CallNode).getArgByName(_) = itemnode
 }
 
@@ -1648,11 +1654,11 @@ private predicate sequence_call(ControlFlowNode fromnode, CallNode tonode) {
     tonode.getArg(0) = fromnode and
     exists(ControlFlowNode cls |
         cls = tonode.getFunction() |
-        cls.refersTo(theListType())
+        cls.pointsTo(Value::named("list"))
         or
-        cls.refersTo(theTupleType())
+        cls.pointsTo(Value::named("tuple"))
         or
-        cls.refersTo(theSetType())
+        cls.pointsTo(Value::named("set"))
     )
 }
 
diff --git a/python/ql/src/semmle/python/security/strings/Basic.qll b/python/ql/src/semmle/python/security/strings/Basic.qll
@@ -27,8 +27,8 @@ abstract class StringKind extends TaintKind {
         result = this and copy_call(fromnode, tonode)
     }
 
-    override ClassObject getClass() {
-        result = theStrType() or result = theUnicodeType()
+    override ClassValue getType() {
+        result = Value::named("bytes") or result = Value::named("str") or result = Value::named("unicode")
     }
 
 }
diff --git a/python/ql/src/semmle/python/web/pyramid/Request.qll b/python/ql/src/semmle/python/web/pyramid/Request.qll
@@ -11,8 +11,8 @@ class PyramidRequest extends BaseWebobRequest {
         this = "pyramid.request"
     }
 
-    override ClassObject getClass() {
-        result = ModuleObject::named("pyramid.request").attr("Request")
+    override ClassValue getType() {
+        result = Value::named("pyramid.request.Request")
     }
 
 }
diff --git a/python/ql/src/semmle/python/web/webob/Request.qll b/python/ql/src/semmle/python/web/webob/Request.qll
@@ -44,8 +44,8 @@ class WebobRequest extends BaseWebobRequest {
         this = "webob.Request"
     }
 
-    override ClassObject getClass() {
-        result = ModuleObject::named("webob.request").attr("Request")
+    override ClassValue getType() {
+        result = Value::named("webob.request.Request")
     }
 
 }

Original file line number	Diff line number	Diff line change
`@@ -94,6 +94,10 @@ class ModuleValue extends Value {`
`94`	`94`	`result = this.(ModuleObjectInternal).getName()`
`95`	`95`	`}`
`96`	`96`
	`97`	`+ Module getScope() {`
	`98`	`+ result = this.(ModuleObjectInternal).getSourceModule()`
	`99`	`+ }`
	`100`	`+`
`97`	`101`	`}`
`98`	`102`
`99`	`103`	`module Module {`
`@@ -128,6 +132,10 @@ class CallableValue extends Value {`
`128`	`132`	`none()`
`129`	`133`	`}`
`130`	`134`
	`135`	`+ Function getScope() {`
	`136`	`+ result = this.(PythonFunctionObjectInternal).getScope()`
	`137`	`+ }`
	`138`	`+`
`131`	`139`	`}`
`132`	`140`
`133`	`141`	`class ClassValue extends Value {`
Original file line number	Diff line number	Diff line change
`@@ -27,8 +27,8 @@ abstract class StringKind extends TaintKind {`
`27`	`27`	`result = this and copy_call(fromnode, tonode)`
`28`	`28`	`}`
`29`	`29`
`30`		`- override ClassObject getClass() {`
`31`		`- result = theStrType() or result = theUnicodeType()`
	`30`	`+ override ClassValue getType() {`
	`31`	`+ result = Value::named("bytes") or result = Value::named("str") or result = Value::named("unicode")`
`32`	`32`	`}`
`33`	`33`
`34`	`34`	`}`
Original file line number	Diff line number	Diff line change
`@@ -11,8 +11,8 @@ class PyramidRequest extends BaseWebobRequest {`
`11`	`11`	`this = "pyramid.request"`
`12`	`12`	`}`
`13`	`13`
`14`		`- override ClassObject getClass() {`
`15`		`- result = ModuleObject::named("pyramid.request").attr("Request")`
	`14`	`+ override ClassValue getType() {`
	`15`	`+ result = Value::named("pyramid.request.Request")`
`16`	`16`	`}`
`17`	`17`
`18`	`18`	`}`
Original file line number	Diff line number	Diff line change
`@@ -44,8 +44,8 @@ class WebobRequest extends BaseWebobRequest {`
`44`	`44`	`this = "webob.Request"`
`45`	`45`	`}`
`46`	`46`
`47`		`- override ClassObject getClass() {`
`48`		`- result = ModuleObject::named("webob.request").attr("Request")`
	`47`	`+ override ClassValue getType() {`
	`48`	`+ result = Value::named("webob.request.Request")`
`49`	`49`	`}`
`50`	`50`
`51`	`51`	`}`