Attempt to restructuring ReMethods and RegexExecution's modules

jorgectf · jorgectf · commit caaf5436c6a4 · 2021-04-27T19:54:14.000+02:00
diff --git a/python/ql/src/semmle/python/Concepts.qll b/python/ql/src/semmle/python/Concepts.qll
@@ -654,7 +654,7 @@ class CompiledRegex extends DataFlow::Node {
 }
 
 class RegexExecution extends DataFlow::Node {
-  RegexExecution() { this instanceof DirectRegex or this instanceof CompiledRegex }
+  RegexExecution() { this instanceof DirectRegex or this instanceof CompiledRegex } // How should this be cross-imported with Stdlib?
 }
 
 class RegexEscape extends DataFlow::Node {
diff --git a/python/ql/src/semmle/python/frameworks/Stdlib.qll b/python/ql/src/semmle/python/frameworks/Stdlib.qll
@@ -864,6 +864,36 @@ private module Stdlib {
   class Sqlite3 extends PEP249ModuleApiNode {
     Sqlite3() { this = API::moduleImport("sqlite3") }
   }
+
+  // ---------------------------------------------------------------------------
+  // re
+  // ---------------------------------------------------------------------------
+  /** List of re methods. */
+  private class ReMethods extends string {
+    ReMethods() { this in ["match", "fullmatch", "search", "split", "findall", "finditer"] }
+  }
+
+  /** re.ReMethod(pattern, string) */
+  private class DirectRegex extends DataFlow::Node {
+    DirectRegex() {
+      exists(ReMethods reMethod, DataFlow::CallCfgNode reCall |
+        reCall = API::moduleImport("re").getMember(reMethod).getACall() and
+        this = reCall.getArg(0)
+      )
+    }
+  }
+
+  /** re.compile(pattern).ReMethod */
+  class CompiledRegex extends DataFlow::Node {
+    CompiledRegex() {
+      exists(DataFlow::CallCfgNode patternCall, DataFlow::AttrRead reMethod |
+        patternCall = API::moduleImport("re").getMember("compile").getACall() and
+        patternCall = reMethod.getObject().getALocalSource() and
+        reMethod.getAttributeName() instanceof ReMethods and
+        this = patternCall.getArg(0)
+      )
+    }
+  }
 }
 
 // ---------------------------------------------------------------------------

Original file line number	Diff line number	Diff line change
`@@ -654,7 +654,7 @@ class CompiledRegex extends DataFlow::Node {`
`654`	`654`	`}`
`655`	`655`
`656`	`656`	`class RegexExecution extends DataFlow::Node {`
`657`		`- RegexExecution() { this instanceof DirectRegex or this instanceof CompiledRegex }`
	`657`	`+ RegexExecution() { this instanceof DirectRegex or this instanceof CompiledRegex } // How should this be cross-imported with Stdlib?`
`658`	`658`	`}`
`659`	`659`
`660`	`660`	`class RegexEscape extends DataFlow::Node {`