Merge pull request #7806 from erik-krogh/pyDef

Python: Add def nodes to API graphs

Author: yoff

python/ql/lib/semmle/python/ApiGraphs.qll

@@ -50,38 +50,22 @@ private module Aiomysql {
    * A query. Calling `execute` on a `Cursor` constructs a query.
    * See https://aiomysql.readthedocs.io/en/stable/cursors.html#Cursor.execute
    */
-  class CursorExecuteCall extends SqlConstruction::Range, DataFlow::CallCfgNode {
+  class CursorExecuteCall extends SqlConstruction::Range, API::CallNode {
     CursorExecuteCall() { this = cursor().getMember("execute").getACall() }
 
-    override DataFlow::Node getSql() { result in [this.getArg(0), this.getArgByName("operation")] }
-  }
-
-  /**
-   * This is only needed to connect the argument to the execute call with the subsequnt awaiting.
-   * It should be obsolete once we have `API::CallNode` available.
-   */
-  private DataFlow::TypeTrackingNode cursorExecuteCall(DataFlow::TypeTracker t, DataFlow::Node sql) {
-    // cursor created from connection
-    t.start() and
-    sql = result.(CursorExecuteCall).getSql()
-    or
-    exists(DataFlow::TypeTracker t2 | result = cursorExecuteCall(t2, sql).track(t2, t))
-  }
-
-  DataFlow::Node cursorExecuteCall(DataFlow::Node sql) {
-    cursorExecuteCall(DataFlow::TypeTracker::end(), sql).flowsTo(result)
+    override DataFlow::Node getSql() { result = this.getParameter(0, "operation").getARhs() }
   }
 
   /**
    * An awaited query. Awaiting the result of calling `execute` executes the query.
    * See https://aiomysql.readthedocs.io/en/stable/cursors.html#Cursor.execute
    */
   class AwaitedCursorExecuteCall extends SqlExecution::Range {
-    DataFlow::Node sql;
+    CursorExecuteCall executeCall;
 
-    AwaitedCursorExecuteCall() { this = awaited(cursorExecuteCall(sql)) }
+    AwaitedCursorExecuteCall() { this = executeCall.getReturn().getAwaited().getAnImmediateUse() }
 
-    override DataFlow::Node getSql() { result = sql }
+    override DataFlow::Node getSql() { result = executeCall.getSql() }
   }
 
   /**
@@ -107,39 +91,21 @@ private module Aiomysql {
    * A query. Calling `execute` on a `SAConnection` constructs a query.
    * See https://aiomysql.readthedocs.io/en/stable/sa.html#aiomysql.sa.SAConnection.execute
    */
-  class SAConnectionExecuteCall extends SqlConstruction::Range, DataFlow::CallCfgNode {
+  class SAConnectionExecuteCall extends SqlConstruction::Range, API::CallNode {
     SAConnectionExecuteCall() { this = saConnection().getMember("execute").getACall() }
 
-    override DataFlow::Node getSql() { result in [this.getArg(0), this.getArgByName("query")] }
-  }
-
-  /**
-   * This is only needed to connect the argument to the execute call with the subsequnt awaiting.
-   * It should be obsolete once we have `API::CallNode` available.
-   */
-  private DataFlow::TypeTrackingNode saConnectionExecuteCall(
-    DataFlow::TypeTracker t, DataFlow::Node sql
-  ) {
-    // saConnection created from engine
-    t.start() and
-    sql = result.(SAConnectionExecuteCall).getSql()
-    or
-    exists(DataFlow::TypeTracker t2 | result = saConnectionExecuteCall(t2, sql).track(t2, t))
-  }
-
-  DataFlow::Node saConnectionExecuteCall(DataFlow::Node sql) {
-    saConnectionExecuteCall(DataFlow::TypeTracker::end(), sql).flowsTo(result)
+    override DataFlow::Node getSql() { result = this.getParameter(0, "query").getARhs() }
   }
 
   /**
    * An awaited query. Awaiting the result of calling `execute` executes the query.
    * See https://aiomysql.readthedocs.io/en/stable/sa.html#aiomysql.sa.SAConnection.execute
    */
   class AwaitedSAConnectionExecuteCall extends SqlExecution::Range {
-    DataFlow::Node sql;
+    SAConnectionExecuteCall execute;
 
-    AwaitedSAConnectionExecuteCall() { this = awaited(saConnectionExecuteCall(sql)) }
+    AwaitedSAConnectionExecuteCall() { this = execute.getReturn().getAwaited().getAnImmediateUse() }
 
-    override DataFlow::Node getSql() { result = sql }
+    override DataFlow::Node getSql() { result = execute.getSql() }
   }
 }

python/ql/lib/semmle/python/frameworks/Aiomysql.qll

@@ -50,38 +50,22 @@ private module Aiopg {
    * A query. Calling `execute` on a `Cursor` constructs a query.
    * See https://aiopg.readthedocs.io/en/stable/core.html#aiopg.Cursor.execute
    */
-  class CursorExecuteCall extends SqlConstruction::Range, DataFlow::CallCfgNode {
+  class CursorExecuteCall extends SqlConstruction::Range, API::CallNode {
     CursorExecuteCall() { this = cursor().getMember("execute").getACall() }
 
-    override DataFlow::Node getSql() { result in [this.getArg(0), this.getArgByName("operation")] }
-  }
-
-  /**
-   * This is only needed to connect the argument to the execute call with the subsequnt awaiting.
-   * It should be obsolete once we have `API::CallNode` available.
-   */
-  private DataFlow::TypeTrackingNode cursorExecuteCall(DataFlow::TypeTracker t, DataFlow::Node sql) {
-    // cursor created from connection
-    t.start() and
-    sql = result.(CursorExecuteCall).getSql()
-    or
-    exists(DataFlow::TypeTracker t2 | result = cursorExecuteCall(t2, sql).track(t2, t))
-  }
-
-  DataFlow::Node cursorExecuteCall(DataFlow::Node sql) {
-    cursorExecuteCall(DataFlow::TypeTracker::end(), sql).flowsTo(result)
+    override DataFlow::Node getSql() { result = this.getParameter(0, "operation").getARhs() }
   }
 
   /**
    * An awaited query. Awaiting the result of calling `execute` executes the query.
    * See https://aiopg.readthedocs.io/en/stable/core.html#aiopg.Cursor.execute
    */
   class AwaitedCursorExecuteCall extends SqlExecution::Range {
-    DataFlow::Node sql;
+    CursorExecuteCall execute;
 
-    AwaitedCursorExecuteCall() { this = awaited(cursorExecuteCall(sql)) }
+    AwaitedCursorExecuteCall() { this = execute.getReturn().getAwaited().getAnImmediateUse() }
 
-    override DataFlow::Node getSql() { result = sql }
+    override DataFlow::Node getSql() { result = execute.getSql() }
   }
 
   /**
@@ -103,39 +87,21 @@ private module Aiopg {
    * A query. Calling `execute` on a `SAConnection` constructs a query.
    * See https://aiopg.readthedocs.io/en/stable/sa.html#aiopg.sa.SAConnection.execute
    */
-  class SAConnectionExecuteCall extends SqlConstruction::Range, DataFlow::CallCfgNode {
+  class SAConnectionExecuteCall extends SqlConstruction::Range, API::CallNode {
     SAConnectionExecuteCall() { this = saConnection().getMember("execute").getACall() }
 
-    override DataFlow::Node getSql() { result in [this.getArg(0), this.getArgByName("query")] }
-  }
-
-  /**
-   * This is only needed to connect the argument to the execute call with the subsequnt awaiting.
-   * It should be obsolete once we have `API::CallNode` available.
-   */
-  private DataFlow::TypeTrackingNode saConnectionExecuteCall(
-    DataFlow::TypeTracker t, DataFlow::Node sql
-  ) {
-    // saConnection created from engine
-    t.start() and
-    sql = result.(SAConnectionExecuteCall).getSql()
-    or
-    exists(DataFlow::TypeTracker t2 | result = saConnectionExecuteCall(t2, sql).track(t2, t))
-  }
-
-  DataFlow::Node saConnectionExecuteCall(DataFlow::Node sql) {
-    saConnectionExecuteCall(DataFlow::TypeTracker::end(), sql).flowsTo(result)
+    override DataFlow::Node getSql() { result = this.getParameter(0, "query").getARhs() }
   }
 
   /**
    * An awaited query. Awaiting the result of calling `execute` executes the query.
    * See https://aiopg.readthedocs.io/en/stable/sa.html#aiopg.sa.SAConnection.execute
    */
   class AwaitedSAConnectionExecuteCall extends SqlExecution::Range {
-    DataFlow::Node sql;
+    SAConnectionExecuteCall excute;
 
-    AwaitedSAConnectionExecuteCall() { this = awaited(saConnectionExecuteCall(sql)) }
+    AwaitedSAConnectionExecuteCall() { this = excute.getReturn().getAwaited().getAnImmediateUse() }
 
-    override DataFlow::Node getSql() { result = sql }
+    override DataFlow::Node getSql() { result = excute.getSql() }
   }
 }

python/ql/lib/semmle/python/frameworks/Aiopg.qll

@@ -71,48 +71,27 @@ private module Asyncpg {
    * The result of calling `prepare(query)` is a `PreparedStatementFactory` and the argument, `query` needs to
    * be tracked to the place where a `PreparedStatement` is created and then futher to any executing methods.
    * Hence the two type trackers.
-   *
-   * TODO: Rewrite this, once we have `API::CallNode` available.
    */
   module PreparedStatement {
-    class PreparedStatementConstruction extends SqlConstruction::Range, DataFlow::CallCfgNode {
+    class PreparedStatementConstruction extends SqlConstruction::Range, API::CallNode {
       PreparedStatementConstruction() { this = connection().getMember("prepare").getACall() }
 
-      override DataFlow::Node getSql() { result in [this.getArg(0), this.getArgByName("query")] }
+      override DataFlow::Node getSql() { result = this.getParameter(0, "query").getARhs() }
     }
 
-    private DataFlow::TypeTrackingNode preparedStatementFactory(
-      DataFlow::TypeTracker t, DataFlow::Node sql
-    ) {
-      t.start() and
-      sql = result.(PreparedStatementConstruction).getSql()
-      or
-      exists(DataFlow::TypeTracker t2 | result = preparedStatementFactory(t2, sql).track(t2, t))
-    }
-
-    DataFlow::Node preparedStatementFactory(DataFlow::Node sql) {
-      preparedStatementFactory(DataFlow::TypeTracker::end(), sql).flowsTo(result)
-    }
-
-    private DataFlow::TypeTrackingNode preparedStatement(DataFlow::TypeTracker t, DataFlow::Node sql) {
-      t.start() and
-      result = awaited(preparedStatementFactory(sql))
-      or
-      exists(DataFlow::TypeTracker t2 | result = preparedStatement(t2, sql).track(t2, t))
-    }
-
-    DataFlow::Node preparedStatement(DataFlow::Node sql) {
-      preparedStatement(DataFlow::TypeTracker::end(), sql).flowsTo(result)
-    }
-
-    class PreparedStatementExecution extends SqlExecution::Range, DataFlow::MethodCallNode {
-      DataFlow::Node sql;
+    class PreparedStatementExecution extends SqlExecution::Range, API::CallNode {
+      PreparedStatementConstruction prepareCall;
 
       PreparedStatementExecution() {
-        this.calls(preparedStatement(sql), ["executemany", "fetch", "fetchrow", "fetchval"])
+        this =
+          prepareCall
+              .getReturn()
+              .getAwaited()
+              .getMember(["executemany", "fetch", "fetchrow", "fetchval"])
+              .getACall()
       }
 
-      override DataFlow::Node getSql() { result = sql }
+      override DataFlow::Node getSql() { result = prepareCall.getSql() }
     }
   }
 
@@ -124,37 +103,36 @@ private module Asyncpg {
    * The result of calling `cursor` in either case is a `CursorFactory` and the argument, `query` needs to
    * be tracked to the place where a `Cursor` is created, hence the type tracker.
    * The creation of the `Cursor` executes the query.
-   *
-   * TODO: Rewrite this, once we have `API::CallNode` available.
    */
   module Cursor {
-    class CursorConstruction extends SqlConstruction::Range, DataFlow::CallCfgNode {
+    class CursorConstruction extends SqlConstruction::Range, API::CallNode {
       CursorConstruction() { this = connection().getMember("cursor").getACall() }
 
-      override DataFlow::Node getSql() { result in [this.getArg(0), this.getArgByName("query")] }
-    }
-
-    private DataFlow::TypeTrackingNode cursorFactory(DataFlow::TypeTracker t, DataFlow::Node sql) {
-      // cursor created from connection
-      t.start() and
-      sql = result.(CursorConstruction).getSql()
-      or
-      // cursor created from prepared statement
-      t.start() and
-      result.(DataFlow::MethodCallNode).calls(PreparedStatement::preparedStatement(sql), "cursor")
-      or
-      exists(DataFlow::TypeTracker t2 | result = cursorFactory(t2, sql).track(t2, t))
-    }
-
-    DataFlow::Node cursorFactory(DataFlow::Node sql) {
-      cursorFactory(DataFlow::TypeTracker::end(), sql).flowsTo(result)
+      override DataFlow::Node getSql() { result = this.getParameter(0, "query").getARhs() }
     }
 
     /** The creation of a `Cursor` executes the associated query. */
     class CursorCreation extends SqlExecution::Range {
       DataFlow::Node sql;
 
-      CursorCreation() { this = awaited(cursorFactory(sql)) }
+      CursorCreation() {
+        exists(CursorConstruction c |
+          sql = c.getSql() and
+          this = c.getReturn().getAwaited().getAnImmediateUse()
+        )
+        or
+        exists(PreparedStatement::PreparedStatementConstruction prepareCall |
+          sql = prepareCall.getSql() and
+          this =
+            prepareCall
+                .getReturn()
+                .getAwaited()
+                .getMember("cursor")
+                .getReturn()
+                .getAwaited()
+                .getAnImmediateUse()
+        )
+      }
 
       override DataFlow::Node getSql() { result = sql }
     }

python/ql/lib/semmle/python/frameworks/Asyncpg.qll

@@ -24,7 +24,7 @@ private import semmle.python.frameworks.Stdlib
  * - https://docs.python-requests.org/en/latest/
  */
 private module Requests {
-  private class OutgoingRequestCall extends HTTP::Client::Request::Range, DataFlow::CallCfgNode {
+  private class OutgoingRequestCall extends HTTP::Client::Request::Range, API::CallNode {
     string methodName;
 
     OutgoingRequestCall() {
@@ -54,14 +54,11 @@ private module Requests {
       result = this.getArg(1)
     }
 
-    /** Gets the `verify` argument to this outgoing requests call. */
-    DataFlow::Node getVerifyArg() { result = this.getArgByName("verify") }
-
     override predicate disablesCertificateValidation(
       DataFlow::Node disablingNode, DataFlow::Node argumentOrigin
     ) {
-      disablingNode = this.getVerifyArg() and
-      argumentOrigin = verifyArgBacktracker(disablingNode) and
+      disablingNode = this.getKeywordParameter("verify").getARhs() and
+      argumentOrigin = this.getKeywordParameter("verify").getAValueReachingRhs() and
       argumentOrigin.asExpr().(ImmutableLiteral).booleanValue() = false and
       not argumentOrigin.asExpr() instanceof None
     }
@@ -79,22 +76,6 @@ private module Requests {
     }
   }
 
-  /** Gets a back-reference to the verify argument `arg`. */
-  private DataFlow::TypeTrackingNode verifyArgBacktracker(
-    DataFlow::TypeBackTracker t, DataFlow::Node arg
-  ) {
-    t.start() and
-    arg = any(OutgoingRequestCall c).getVerifyArg() and
-    result = arg.getALocalSource()
-    or
-    exists(DataFlow::TypeBackTracker t2 | result = verifyArgBacktracker(t2, arg).backtrack(t2, t))
-  }
-
-  /** Gets a back-reference to the verify argument `arg`. */
-  private DataFlow::LocalSourceNode verifyArgBacktracker(DataFlow::Node arg) {
-    result = verifyArgBacktracker(DataFlow::TypeBackTracker::end(), arg)
-  }
-
   // ---------------------------------------------------------------------------
   // Response
   // ---------------------------------------------------------------------------