Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit 795adf0

Browse files
RasmusWLRasmusWL
committed
Python: Fix API::moduleImport("foo.bar") 
1 parent 3844c5b commit 795adf0

3 files changed

Lines changed: 10 additions & 7 deletions

File tree

python/ql/src/experimental/Security/CWE-285/PamAuthorization.ql

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -16,7 +16,7 @@ import semmle.python.dataflow.new.TaintTracking
1616

1717
API::Node libPam() {
1818
exists(API::CallNode findLibCall, API::CallNode cdllCall |
19-
findLibCall = API::moduleImport("ctypes.util").getMember("find_library").getACall() and
19+
findLibCall = API::moduleImport("ctypes").getMember("util").getMember("find_library").getACall() and
2020
findLibCall.getParameter(0).getAValueReachingRhs().asExpr().(StrConst).getText() = "pam" and
2121
cdllCall = API::moduleImport("ctypes").getMember("CDLL").getACall() and
2222
cdllCall.getParameter(0).getAValueReachingRhs() = findLibCall

python/ql/src/experimental/semmle/python/frameworks/NoSQL.qll

Lines changed: 7 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -210,10 +210,13 @@ private module NoSql {
210210
*/
211211
private class BsonObjectIdCall extends DataFlow::CallCfgNode, NoSqlSanitizer::Range {
212212
BsonObjectIdCall() {
213-
this =
214-
API::moduleImport(["bson", "bson.objectid", "bson.json_util"])
215-
.getMember("ObjectId")
216-
.getACall()
213+
exists(API::Node mod |
214+
mod = API::moduleImport("bson")
215+
or
216+
mod = API::moduleImport("bson").getMember(["objectid", "json_util"])
217+
|
218+
this = mod.getMember("ObjectId").getACall()
219+
)
217220
}
218221

219222
override DataFlow::Node getAnInput() { result = this.getArg(0) }

python/ql/test/experimental/dataflow/typetracking/tracked.ql

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -131,7 +131,7 @@ DataFlow::Node foo() { foo(DataFlow::TypeTracker::end()).flowsTo(result) }
131131
/** Gets a reference to `foo.bar` (fictive module). */
132132
private DataFlow::TypeTrackingNode foo_bar(DataFlow::TypeTracker t) {
133133
t.start() and
134-
result = API::moduleImport("foo.bar").getAnImmediateUse()
134+
result = API::moduleImport("foo").getMember("bar").getAnImmediateUse()
135135
or
136136
t.startInAttr("bar") and
137137
result = foo()
@@ -145,7 +145,7 @@ DataFlow::Node foo_bar() { foo_bar(DataFlow::TypeTracker::end()).flowsTo(result)
145145
/** Gets a reference to `foo.bar.baz` (fictive attribute on `foo.bar` module). */
146146
private DataFlow::TypeTrackingNode foo_bar_baz(DataFlow::TypeTracker t) {
147147
t.start() and
148-
result = API::moduleImport("foo.bar.baz").getAnImmediateUse()
148+
result = API::moduleImport("foo").getMember("bar").getMember("baz").getAnImmediateUse()
149149
or
150150
t.startInAttr("baz") and
151151
result = foo_bar()

0 commit comments

Comments
 (0)