Python: Modernise flask library

RasmusWL · RasmusWL · commit a9d43a2c49f9 · 2019-11-11T17:18:26.000+01:00
diff --git a/python/ql/src/Security/CWE-215/FlaskDebug.ql b/python/ql/src/Security/CWE-215/FlaskDebug.ql
@@ -17,7 +17,7 @@ import semmle.python.web.flask.General
 
 from CallNode call, Object isTrue
 where
-    call = theFlaskClass().declaredAttribute("run").(FunctionObject).getACall() and
+    call = theFlaskClass().declaredAttribute("run").(FunctionValue).getACall() and
     call.getArgByName("debug").refersTo(isTrue) and
     isTrue.booleanValue() = true
 select call, "A Flask app appears to be run in debug mode. This may allow an attacker to run arbitrary code through the debugger."
diff --git a/python/ql/src/semmle/python/web/flask/General.qll b/python/ql/src/semmle/python/web/flask/General.qll
@@ -1,31 +1,26 @@
 import python
 import semmle.python.web.Http
 
-/** The flask module */
-ModuleObject theFlaskModule() {
-    result = ModuleObject::named("flask")
-}
-
 /** The flask app class */
-ClassObject theFlaskClass() {
-    result = theFlaskModule().attr("Flask")
+ClassValue theFlaskClass() {
+    result = Value::named("flask.Flask")
 }
 
 /** The flask MethodView class */
-ClassObject theFlaskMethodViewClass() {
-    result = ModuleObject::named("flask.views").attr("MethodView")
+ClassValue theFlaskMethodViewClass() {
+    result = Value::named("flask.views.MethodView")
 }
 
-ClassObject theFlaskReponseClass() {
-    result = theFlaskModule().attr("Response")
+ClassValue theFlaskReponseClass() {
+    result = Value::named("flask.Response")
 }
 
 /** Holds if `route` is routed to `func`
  * by decorating `func` with `app.route(route)`
  */
 predicate app_route(ControlFlowNode route, Function func) {
     exists(CallNode route_call, CallNode decorator_call |
-        route_call.getFunction().(AttrNode).getObject("route").refersTo(_, theFlaskClass(), _) and
+        route_call.getFunction().(AttrNode).getObject("route").pointsTo().getClass() = theFlaskClass() and
         decorator_call.getFunction() = route_call and
         route_call.getArg(0) = route and
         decorator_call.getArg(0).getNode().(FunctionExpr).getInnerScope() = func
@@ -35,7 +30,7 @@ predicate app_route(ControlFlowNode route, Function func) {
 /* Helper for add_url_rule */
 private predicate add_url_rule_call(ControlFlowNode regex, ControlFlowNode callable) {
     exists(CallNode call |
-        call.getFunction().(AttrNode).getObject("add_url_rule").refersTo(_, theFlaskClass(), _) and
+        call.getFunction().(AttrNode).getObject("add_url_rule").pointsTo().getClass() = theFlaskClass() and
         regex = call.getArg(0) |
         callable = call.getArg(2) or
         callable = call.getArgByName("view_func")
@@ -47,14 +42,14 @@ predicate add_url_rule(ControlFlowNode regex, Function func) {
     exists(ControlFlowNode callable |
         add_url_rule_call(regex, callable)
         |
-        exists(PyFunctionObject f | f.getFunction() = func and callable.refersTo(f))
+        exists(PythonFunctionValue f | f.getScope() = func and callable.pointsTo(f))
         or
         /* MethodView.as_view() */
         exists(MethodViewClass view_cls |
             view_cls.asTaint().taints(callable) |
-            func = view_cls.lookupAttribute(httpVerbLower()).(FunctionObject).getFunction()
+            func = view_cls.lookup(httpVerbLower()).(FunctionValue).getScope()
         )
-        /* TO DO -- Handle Views that aren't MethodViews */
+        /* TODO: -- Handle Views that aren't MethodViews */
     )
 }
 
@@ -68,10 +63,10 @@ predicate flask_routing(ControlFlowNode regex, Function func) {
 }
 
 /** A class that extends flask.views.MethodView */
-private class MethodViewClass extends ClassObject {
+private class MethodViewClass extends ClassValue {
 
     MethodViewClass() {
-        this.getAnImproperSuperType() = theFlaskMethodViewClass()
+        this.getASuperType() = theFlaskMethodViewClass()
     }
 
     /* As we are restricted to strings for taint kinds, we need to map these classes to strings. */
@@ -96,9 +91,9 @@ private class MethodViewTaint extends TaintKind {
 private class AsView extends TaintSource {
 
     AsView() {
-        exists(ClassObject view_class |
-            view_class.getAnImproperSuperType() = theFlaskMethodViewClass() and
-            this.(CallNode).getFunction().(AttrNode).getObject("as_view").refersTo(view_class)
+        exists(ClassValue view_class |
+            view_class.getASuperType() = theFlaskMethodViewClass() and
+            this.(CallNode).getFunction().(AttrNode).getObject("as_view").pointsTo(view_class)
         )
     }
 
@@ -109,7 +104,7 @@ private class AsView extends TaintSource {
     override predicate isSourceOf(TaintKind kind) {
         exists(MethodViewClass view_class |
             kind = view_class.asTaint() and
-            this.(CallNode).getFunction().(AttrNode).getObject("as_view").refersTo(view_class)
+            this.(CallNode).getFunction().(AttrNode).getObject("as_view").pointsTo(view_class)
         )
     }
 
@@ -119,7 +114,7 @@ private class AsView extends TaintSource {
 class FlaskCookieSet extends CookieSet, CallNode {
 
     FlaskCookieSet() {
-        this.getFunction().(AttrNode).getObject("set_cookie").refersTo(_, theFlaskReponseClass(), _)
+        this.getFunction().(AttrNode).getObject("set_cookie").pointsTo().getClass() = theFlaskReponseClass()
     }
 
     override string toString() { result = CallNode.super.toString() }
diff --git a/python/ql/src/semmle/python/web/flask/Redirect.qll b/python/ql/src/semmle/python/web/flask/Redirect.qll
@@ -8,8 +8,8 @@ import semmle.python.security.TaintTracking
 import semmle.python.security.strings.Basic
 import semmle.python.web.flask.General
 
-FunctionObject flask_redirect() {
-    result = theFlaskModule().attr("redirect")
+FunctionValue flask_redirect() {
+    result = Value::named("flask.redirect")
 }
 
 /**
diff --git a/python/ql/src/semmle/python/web/flask/Request.qll b/python/ql/src/semmle/python/web/flask/Request.qll
@@ -4,15 +4,15 @@ import semmle.python.security.TaintTracking
 import semmle.python.web.Http
 import semmle.python.web.flask.General
 
-private Object theFlaskRequestObject() {
-    result = theFlaskModule().attr("request")
+private Value theFlaskRequestObject() {
+    result = Value::named("flask.request")
 
 }
 
 /** Holds if `attr` is an access of attribute `name` of the flask request object */
 private predicate flask_request_attr(AttrNode attr, string name) {
     attr.isLoad() and
-    attr.getObject(name).refersTo(theFlaskRequestObject())
+    attr.getObject(name).pointsTo(theFlaskRequestObject())
 }
 
 /** Source of external data from a flask request */
diff --git a/python/ql/src/semmle/python/web/flask/Response.qll b/python/ql/src/semmle/python/web/flask/Response.qll
@@ -32,7 +32,7 @@ class FlaskResponseArgument extends HttpResponseTaintSink {
 
     FlaskResponseArgument() {
         exists(CallNode call |
-            call.getFunction().refersTo(theFlaskReponseClass()) and
+            call.getFunction().pointsTo(theFlaskReponseClass()) and
             call.getArg(0) = this
         )
     }

Original file line number	Diff line number	Diff line change
`@@ -8,8 +8,8 @@ import semmle.python.security.TaintTracking`
`8`	`8`	`import semmle.python.security.strings.Basic`
`9`	`9`	`import semmle.python.web.flask.General`
`10`	`10`
`11`		`-FunctionObject flask_redirect() {`
`12`		`- result = theFlaskModule().attr("redirect")`
	`11`	`+FunctionValue flask_redirect() {`
	`12`	`+ result = Value::named("flask.redirect")`
`13`	`13`	`}`
`14`	`14`
`15`	`15`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -32,7 +32,7 @@ class FlaskResponseArgument extends HttpResponseTaintSink {`
`32`	`32`
`33`	`33`	`FlaskResponseArgument() {`
`34`	`34`	`exists(CallNode call \|`
`35`		`- call.getFunction().refersTo(theFlaskReponseClass()) and`
	`35`	`+ call.getFunction().pointsTo(theFlaskReponseClass()) and`
`36`	`36`	`call.getArg(0) = this`
`37`	`37`	`)`
`38`	`38`	`}`