Python points-to. Move extension to prevent points-to being recomputed.

markshannon · markshannon · commit f6cc0be4a4ea · 2019-05-31T16:26:43.000+01:00
diff --git a/python/ql/src/semmle/python/types/Extensions.qll b/python/ql/src/semmle/python/types/Extensions.qll
@@ -14,6 +14,7 @@ private import semmle.python.pointsto.PointsTo
 private import semmle.python.pointsto.PointsToContext
 private import semmle.python.objects.TObject
 private import semmle.python.objects.ObjectInternal
+private import semmle.python.web.HttpConstants
 
 abstract class PointsToExtension extends @py_flow_node {
 
@@ -96,6 +97,33 @@ class RangeIterationVariableFact extends PointsToExtension {
 
 }
 
+/* bottle module route constants */
+
+class BottleRoutePointToExtension extends PointsToExtension {
+
+    string name;
+
+    BottleRoutePointToExtension() {
+        exists(DefinitionNode defn |
+            defn.getScope().(Module).getName() = "bottle" and
+            this = defn.getValue() and
+            name = defn.(NameNode).getId()
+            |
+            name = "route" or
+            name = httpVerbLower()
+        )
+    }
+
+    override predicate pointsTo(Context context, ObjectInternal value, ControlFlowNode origin) {
+        context.isImport() and
+        exists(CfgOrigin orig |
+            Module::named("bottle").attr("Bottle").(ClassObjectInternal).attribute(name, value, orig) and
+            origin = orig.asCfgNodeOrHere(this)
+        )
+    }
+
+}
+
 /* Python 3.6+ regex module constants */
 
 class ReModulePointToExtension extends PointsToExtension {
diff --git a/python/ql/src/semmle/python/web/Http.qll b/python/ql/src/semmle/python/web/Http.qll
@@ -1,25 +1,13 @@
 import python
 import semmle.python.security.TaintTracking
 import semmle.python.security.strings.External
+import HttpConstants
 
 /** Generic taint source from a http request */
 abstract class HttpRequestTaintSource extends TaintSource {
 
 }
 
-/** Gets an http verb */
-string httpVerb() {
-    result = "GET" or result = "POST" or
-    result = "PUT" or result = "PATCH" or
-    result = "DELETE" or result = "OPTIONS" or
-    result = "HEAD"
-}
-
-/** Gets an http verb, in lower case */
-string httpVerbLower() {
-    result = httpVerb().toLowerCase()
-}
-
 /** Taint kind representing the WSGI environment.
  * As specified in PEP 3333. https://www.python.org/dev/peps/pep-3333/#environ-variables
  */
diff --git a/python/ql/src/semmle/python/web/HttpConstants.qll b/python/ql/src/semmle/python/web/HttpConstants.qll
@@ -0,0 +1,13 @@
+
+/** Gets an http verb */
+string httpVerb() {
+    result = "GET" or result = "POST" or
+    result = "PUT" or result = "PATCH" or
+    result = "DELETE" or result = "OPTIONS" or
+    result = "HEAD"
+}
+
+/** Gets an http verb, in lower case */
+string httpVerbLower() {
+    result = httpVerb().toLowerCase()
+}
diff --git a/python/ql/src/semmle/python/web/bottle/General.qll b/python/ql/src/semmle/python/web/bottle/General.qll
@@ -54,26 +54,3 @@ class BottleRoute extends ControlFlowNode {
 }
 
 
-/* bottle module route constants */
-
-class BottleRoutePointToExtension extends CustomPointsToFact {
-
-    string name;
-
-    BottleRoutePointToExtension() {
-        exists(DefinitionNode defn |
-            defn.getScope().(Module).getName() = "bottle" and
-            this = defn.getValue() and
-            name = defn.(NameNode).getId()
-            |
-            name = "route" or
-            name = httpVerbLower()
-        )
-    }
-
-    override predicate pointsTo(Context context, Object value, ClassObject cls, ControlFlowNode origin) {
-        context.isImport() and
-        ModuleObject::named("bottle").attr("Bottle").(ClassObject).attributeRefersTo(name, value, cls, origin)
-    }
-}
-
