Python: Improve SelfRefMixin

RasmusWL · RasmusWL · commit ba19f95d3ec0 · 2023-12-08T11:27:50.000+01:00
This is important to model mixins correctly, for example when they help
handle incoming requests, and therefore need to know that `self.kwargs`
contains data controlled by a user.
diff --git a/python/ql/lib/semmle/python/frameworks/internal/SelfRefMixin.qll b/python/ql/lib/semmle/python/frameworks/internal/SelfRefMixin.qll
@@ -6,6 +6,7 @@
 
 private import python
 private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.dataflow.new.internal.DataFlowDispatch
 
 /**
  * INTERNAL: Do not use.
@@ -16,23 +17,23 @@ abstract class SelfRefMixin extends Class {
   /**
    * Gets a reference to instances of this class, originating from a self parameter of
    * a method defined on this class.
-   *
-   * Note: TODO: This doesn't take MRO into account
-   * Note: TODO: This doesn't take staticmethod/classmethod into account
    */
   private DataFlow::TypeTrackingNode getASelfRef(DataFlow::TypeTracker t) {
     t.start() and
-    result.(DataFlow::ParameterNode).getParameter() = this.getAMethod().getArg(0)
+    exists(Class cls, Function meth |
+      cls = getADirectSuperclass*(this) and
+      meth = cls.getAMethod() and
+      not isStaticmethod(meth) and
+      not isClassmethod(meth) and
+      result.(DataFlow::ParameterNode).getParameter() = meth.getArg(0)
+    )
     or
     exists(DataFlow::TypeTracker t2 | result = this.getASelfRef(t2).track(t2, t))
   }
 
   /**
    * Gets a reference to instances of this class, originating from a self parameter of
    * a method defined on this class.
-   *
-   * Note: TODO: This doesn't take MRO into account
-   * Note: TODO: This doesn't take staticmethod/classmethod into account
    */
   DataFlow::Node getASelfRef() { this.getASelfRef(DataFlow::TypeTracker::end()).flowsTo(result) }
 }
