From 1c68c987b0448d0276e5270b7384fb9451067e50 Mon Sep 17 00:00:00 2001 
From: Taus Date: Wed, 17 Apr 2024 16:03:45 +0000 Subject: [PATCH] Python: Change all remaining occurrences of `StrConst` Done using ``` git grep StrConst | xargs sed -i 's/StrConst/StringLiteral/g' ``` --- python/ql/examples/snippets/raw_string.ql | 2 +- .../ql/examples/snippets/singlequotestring.ql | 2 +- python/ql/lib/analysis/DefinitionTracking.qll | 2 +- .../modules/stdlib/HashlibModule.qll | 12 +++++------ .../modules/stdlib/HmacModule.qll | 4 ++-- python/ql/lib/semmle/python/ApiGraphs.qll | 2 +- python/ql/lib/semmle/python/Concepts.qll | 4 ++-- python/ql/lib/semmle/python/Files.qll | 4 ++-- python/ql/lib/semmle/python/Module.qll | 4 ++-- python/ql/lib/semmle/python/PrintAst.qll | 8 ++++---- python/ql/lib/semmle/python/Scope.qll | 2 +- python/ql/lib/semmle/python/Stmts.qll | 2 +- .../python/dataflow/new/BarrierGuards.qll | 4 ++-- .../dataflow/new/SensitiveDataSources.qll | 8 ++++---- .../dataflow/new/internal/Attributes.qll | 6 +++--- .../dataflow/new/internal/DataFlowPrivate.qll | 10 +++++----- .../dataflow/new/internal/DataFlowPublic.qll | 6 +++--- .../new/internal/ImportResolution.qll | 4 ++-- .../dataflow/new/internal/MatchUnpacking.qll | 4 ++-- .../dataflow/new/internal/PrintNode.qll | 6 +++--- .../python/dataflow/old/Implementation.qll | 2 +- .../semmle/python/frameworks/Cryptodome.qll | 2 +- .../lib/semmle/python/frameworks/Django.qll | 4 ++-- .../lib/semmle/python/frameworks/FastApi.qll | 4 ++-- .../ql/lib/semmle/python/frameworks/Rsa.qll | 4 ++-- .../lib/semmle/python/frameworks/Stdlib.qll | 10 +++++----- .../lib/semmle/python/frameworks/Urllib3.qll | 2 +- .../lib/semmle/python/objects/Constants.qll | 8 ++++---- .../lib/semmle/python/objects/ObjectAPI.qll | 2 +- .../ql/lib/semmle/python/objects/TObject.qll | 4 ++-- .../ql/lib/semmle/python/pointsto/Filters.qll | 2 +- .../lib/semmle/python/pointsto/PointsTo.qll | 2 +- .../python/pointsto/PointsToContext.qll | 2 +- python/ql/lib/semmle/python/regex.qll | 2 +- .../semmle/python/regexp/RegexTreeView.qll | 
6 +++--- .../python/regexp/internal/ParseRegExp.qll | 4 ++-- .../python/regexp/internal/RegExpTracking.qll | 2 +- .../dataflow/LogInjectionCustomizations.qll | 2 +- .../PamAuthorizationCustomizations.qll | 2 +- ...ServerSideRequestForgeryCustomizations.qll | 10 +++++----- .../dataflow/TarSlipCustomizations.qll | 4 ++-- ...ShellCommandConstructionCustomizations.qll | 2 +- .../dataflow/UrlRedirectCustomizations.qll | 4 ++-- python/ql/lib/semmle/python/strings.qll | 14 ++++++------- .../ql/lib/semmle/python/types/ModuleKind.qll | 2 +- python/ql/lib/semmle/python/types/Object.qll | 2 +- .../DuplicateKeyInDictionaryLiteral.ql | 2 +- .../Formatting/AdvancedFormatting.qll | 2 +- .../Expressions/IncorrectComparisonUsingIs.ql | 4 ++-- python/ql/src/Expressions/IsComparisons.qll | 4 ++-- ...nintentionalImplicitStringConcatenation.ql | 4 ++-- .../WrongNumberArgumentsForFormat.ql | 4 ++-- python/ql/src/Imports/UnusedImport.ql | 4 ++-- .../CVE-2018-1281/BindToAllInterfaces.ql | 6 +++--- .../IncompleteUrlSubstringSanitization.ql | 10 +++++----- .../Security/CWE-798/HardcodedCredentials.ql | 10 +++++----- .../src/Statements/AssertLiteralConstant.ql | 2 +- python/ql/src/Statements/StatementNoEffect.ql | 2 +- python/ql/src/Statements/TopLevelPrint.ql | 2 +- python/ql/src/Variables/Loop.qll | 2 +- python/ql/src/Variables/MonkeyPatched.qll | 4 ++-- python/ql/src/Variables/MultiplyDefined.ql | 2 +- python/ql/src/Variables/UndefinedExport.ql | 4 ++-- .../ql/src/Variables/UnusedModuleVariable.ql | 2 +- .../WebAppConstantSecretKeyFlask.qll | 4 ++-- .../WebAppConstantSecretKeySource.qll | 6 +++--- .../Security/CWE-287/ImproperLdapAuth.ql | 2 +- ...nsafeUsageOfClientSideEncryptionVersion.ql | 2 +- .../ClientSuppliedIpUsedInSecurityCheck.ql | 2 +- ...ClientSuppliedIpUsedInSecurityCheckLib.qll | 20 +++++++++---------- .../Security/CWE-770/UnicodeDoS.ql | 6 +++--- .../semmle/python/CookieHeader.qll | 8 ++++---- .../semmle/python/frameworks/Django.qll | 2 +- 
.../semmle/python/frameworks/Flask.qll | 2 +- .../semmle/python/frameworks/JWT.qll | 2 +- .../semmle/python/frameworks/Sendgrid.qll | 4 ++-- .../semmle/python/libraries/Authlib.qll | 2 +- .../semmle/python/libraries/PyJWT.qll | 4 ++-- .../semmle/python/libraries/PythonJose.qll | 4 ++-- .../semmle/python/libraries/Python_JWT.qll | 2 +- .../semmle/python/libraries/SmtpLib.qll | 2 +- .../python/security/DecompressionBomb.qll | 18 ++++++++--------- .../python/security/LdapInsecureAuth.qll | 8 ++++---- .../semmle/python/security/TimingAttack.qll | 12 +++++------ .../test/2/extractor-tests/multibyte/Test.ql | 2 +- .../library-tests/locations/general/Prefix.ql | 2 +- .../2/library-tests/locations/strings/test.ql | 2 +- .../extractor-tests/fstrings3.6/Formatted.ql | 2 +- .../extractor-tests/fstrings3.6/Successors.ql | 4 ++-- .../extractor-tests/fstrings3.8/Successors.ql | 4 ++-- .../test/3/extractor-tests/multibyte/Test.ql | 2 +- .../library-tests/locations/general/Prefix.ql | 2 +- .../test/experimental/dataflow/testConfig.qll | 2 +- .../experimental/dataflow/testTaintConfig.qll | 2 +- .../import-resolution/importflow.ql | 2 +- .../test/extractor-tests/long_string/Test.ql | 2 +- .../string_concatenation/StrConst.ql | 2 +- .../ApiGraphs/py3/verifyApiGraphs.ql | 2 +- .../library-tests/exprs/strings/Strings.ql | 2 +- .../locations/implicit_concatenation/parts.ql | 2 +- .../locations/implicit_concatenation/test.ql | 4 ++-- 101 files changed, 211 insertions(+), 211 deletions(-) diff --git a/python/ql/examples/snippets/raw_string.ql b/python/ql/examples/snippets/raw_string.ql index 78b1bbefb9a..347d91ad412 100644 --- a/python/ql/examples/snippets/raw_string.ql +++ b/python/ql/examples/snippets/raw_string.ql @@ -8,6 +8,6 @@ import python -from StrConst s +from StringLiteral s where s.getPrefix().matches("%r%") select s diff --git a/python/ql/examples/snippets/singlequotestring.ql b/python/ql/examples/snippets/singlequotestring.ql index 2c2ee5704a5..3111f39fcea 100644 
--- a/python/ql/examples/snippets/singlequotestring.ql +++ b/python/ql/examples/snippets/singlequotestring.ql @@ -9,6 +9,6 @@ import python -from StrConst s +from StringLiteral s where s.getPrefix().charAt(_) = "'" select s diff --git a/python/ql/lib/analysis/DefinitionTracking.qll b/python/ql/lib/analysis/DefinitionTracking.qll index 6cf9e118681..5a9811f6248 100644 --- a/python/ql/lib/analysis/DefinitionTracking.qll +++ b/python/ql/lib/analysis/DefinitionTracking.qll @@ -410,7 +410,7 @@ private predicate sets_attribute(ArgumentRefinement def, string name) { call = def.getDefiningNode() and call.getFunction().refersTo(Object::builtin("setattr")) and def.getInput().getAUse() = call.getArg(0) and - call.getArg(1).getNode().(StrConst).getText() = name + call.getArg(1).getNode().(StringLiteral).getText() = name ) } diff --git a/python/ql/lib/experimental/cryptography/modules/stdlib/HashlibModule.qll b/python/ql/lib/experimental/cryptography/modules/stdlib/HashlibModule.qll index 7ceb58c109d..5b2586dc54a 100644 --- a/python/ql/lib/experimental/cryptography/modules/stdlib/HashlibModule.qll +++ b/python/ql/lib/experimental/cryptography/modules/stdlib/HashlibModule.qll @@ -26,10 +26,10 @@ module Hashes { } override string getName() { - result = super.normalizeName(this.asExpr().(StrConst).getText()) + result = super.normalizeName(this.asExpr().(StringLiteral).getText()) or // if not a known/static string, assume from an outside source and the algorithm is UNKNOWN - not this.asExpr() instanceof StrConst and result = unknownAlgorithm() + not this.asExpr() instanceof StringLiteral and result = unknownAlgorithm() } } 
@@ -49,10 +49,10 @@ module Hashes { } override string getName() { - result = super.normalizeName(this.asExpr().(StrConst).getText()) + result = super.normalizeName(this.asExpr().(StringLiteral).getText()) or // if not a known/static string, assume from an outside source and the algorithm is UNKNOWN - not this.asExpr() instanceof StrConst and result = unknownAlgorithm() + not this.asExpr() instanceof StringLiteral and result = unknownAlgorithm() } } @@ -88,9 +88,9 @@ module Hashes { // Name is a string constant or consider the name unknown // NOTE: we are excluding hmac.new and hmac.HMAC constructor calls so we are expecting // a string or an outside configuration only - result = super.normalizeName(this.asExpr().(StrConst).getText()) + result = super.normalizeName(this.asExpr().(StringLiteral).getText()) or - not this.asExpr() instanceof StrConst and + not this.asExpr() instanceof StringLiteral and result = unknownAlgorithm() } } diff --git a/python/ql/lib/experimental/cryptography/modules/stdlib/HmacModule.qll b/python/ql/lib/experimental/cryptography/modules/stdlib/HmacModule.qll index 25634543a0b..0ae3829b2f9 100644 --- a/python/ql/lib/experimental/cryptography/modules/stdlib/HmacModule.qll +++ b/python/ql/lib/experimental/cryptography/modules/stdlib/HmacModule.qll @@ -62,9 +62,9 @@ module Hashes { then result = super.normalizeName("MD5") else ( // Else get the string name, if its a string constant, or UNKNOWN if otherwise - result = super.normalizeName(this.asExpr().(StrConst).getText()) + result = super.normalizeName(this.asExpr().(StringLiteral).getText()) or - not this.asExpr() instanceof StrConst and result = unknownAlgorithm() + not this.asExpr() instanceof StringLiteral and result = unknownAlgorithm() ) } } diff --git a/python/ql/lib/semmle/python/ApiGraphs.qll b/python/ql/lib/semmle/python/ApiGraphs.qll index 6f27c829e32..b89e5c24987 100644 --- a/python/ql/lib/semmle/python/ApiGraphs.qll +++ b/python/ql/lib/semmle/python/ApiGraphs.qll 
@@ -257,7 +257,7 @@ module API { */ Node getSubscript(string key) { exists(API::Node index | result = this.getSubscriptAt(index) | - key = index.getAValueReachingSink().asExpr().(PY::StrConst).getText() + key = index.getAValueReachingSink().asExpr().(PY::StringLiteral).getText() ) } diff --git a/python/ql/lib/semmle/python/Concepts.qll b/python/ql/lib/semmle/python/Concepts.qll index 92f94abf0d6..4b14a834b31 100644 --- a/python/ql/lib/semmle/python/Concepts.qll +++ b/python/ql/lib/semmle/python/Concepts.qll @@ -855,7 +855,7 @@ module Http { /** Gets the URL pattern for this route, if it can be statically determined. */ string getUrlPattern() { - exists(StrConst str | + exists(StringLiteral str | this.getUrlPatternArg().getALocalSource() = DataFlow::exprNode(str) and result = str.getText() ) @@ -983,7 +983,7 @@ module Http { /** Gets the mimetype of this HTTP response, if it can be statically determined. */ string getMimetype() { - exists(StrConst str | + exists(StringLiteral str | this.getMimetypeOrContentTypeArg().getALocalSource() = DataFlow::exprNode(str) and result = str.getText().splitAt(";", 0) ) diff --git a/python/ql/lib/semmle/python/Files.qll b/python/ql/lib/semmle/python/Files.qll index 5340a3fdc43..2da0dd61f88 100644 --- a/python/ql/lib/semmle/python/Files.qll +++ b/python/ql/lib/semmle/python/Files.qll @@ -93,7 +93,7 @@ class File extends Container, Impl::File { exists(Stmt s | s.getLocation().getFile() = this) or // The file contains the usual `if __name__ == '__main__':` construction - exists(If i, Name name, StrConst main, Cmpop op | + exists(If i, Name name, StringLiteral main, Cmpop op | i.getScope().(Module).getFile() = this and op instanceof Eq and i.getTest().(Compare).compares(name, op, main) and 
@@ -123,7 +123,7 @@ private predicate occupied_line(File f, int n) { exists(Location l | l.getFile() = f | l.getStartLine() = n or - exists(StrConst s | s.getLocation() = l | n in [l.getStartLine() .. l.getEndLine()]) + exists(StringLiteral s | s.getLocation() = l | n in [l.getStartLine() .. l.getEndLine()]) ) } diff --git a/python/ql/lib/semmle/python/Module.qll b/python/ql/lib/semmle/python/Module.qll index 0a083eec9a8..307433fe95b 100644 --- a/python/ql/lib/semmle/python/Module.qll +++ b/python/ql/lib/semmle/python/Module.qll @@ -125,9 +125,9 @@ class Module extends Module_, Scope, AstNode { a.getScope() = this and all.getId() = "__all__" and ( - a.getValue().(List).getAnElt().(StrConst).getText() = name + a.getValue().(List).getAnElt().(StringLiteral).getText() = name or - a.getValue().(Tuple).getAnElt().(StrConst).getText() = name + a.getValue().(Tuple).getAnElt().(StringLiteral).getText() = name ) ) } diff --git a/python/ql/lib/semmle/python/PrintAst.qll b/python/ql/lib/semmle/python/PrintAst.qll index 6189a47d4bb..d2aec338a58 100644 --- a/python/ql/lib/semmle/python/PrintAst.qll +++ b/python/ql/lib/semmle/python/PrintAst.qll @@ -423,13 +423,13 @@ class ParameterNode extends AstElementNode { } /** - * A print node for a `StrConst`. + * A print node for a `StringLiteral`. * * The string has a child, if the child is used as a regular expression, * which is the root of the regular expression. */ -class StrConstNode extends AstElementNode { - override StrConst element; +class StringLiteralNode extends AstElementNode { + override StringLiteral element; } /** @@ -599,7 +599,7 @@ private module PrettyPrinting { or result = "class " + a.(Class).getName() or - result = a.(StrConst).getText() + result = a.(StringLiteral).getText() or result = "yield " + a.(Yield).getValue() or diff --git a/python/ql/lib/semmle/python/Scope.qll b/python/ql/lib/semmle/python/Scope.qll index c40936dbdab..891e249faf5 100644 --- a/python/ql/lib/semmle/python/Scope.qll 
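Review bot: In PrintAst.qll (hunk at -423) the blanket `sed` also renamed the class `StrConstNode` to `StringLiteralNode`. The class is declared without `private`, so any query or library outside this repository that refers to `StrConstNode` would stop compiling after this change. If the class is meant to be part of the library's public surface, keep the old name as an alias beside the new class, e.g. `deprecated class StrConstNode = StringLiteralNode;`, and record the rename in a change note. The private predicate `sensitiveStringLiteralCandidate` in SensitiveDataSources.qll does not have this problem.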
+++ b/python/ql/lib/semmle/python/Scope.qll @@ -48,7 +48,7 @@ class Scope extends Scope_ { string getName() { py_strs(result, this, 0) } /** Gets the docstring for this scope */ - StrConst getDocString() { result = this.getStmt(0).(ExprStmt).getValue() } + StringLiteral getDocString() { result = this.getStmt(0).(ExprStmt).getValue() } /** Gets the entry point into this Scope's control flow graph */ ControlFlowNode getEntryNode() { py_scope_flow(result, this, -1) } diff --git a/python/ql/lib/semmle/python/Stmts.qll b/python/ql/lib/semmle/python/Stmts.qll index cc42c933af6..ea309227af6 100644 --- a/python/ql/lib/semmle/python/Stmts.qll +++ b/python/ql/lib/semmle/python/Stmts.qll @@ -284,7 +284,7 @@ class If extends If_ { /** Whether this if statement takes the form `if __name__ == "__main__":` */ predicate isNameEqMain() { - exists(StrConst m, Name n, Compare c | + exists(StringLiteral m, Name n, Compare c | this.getTest() = c and c.getOp(0) instanceof Eq and ( diff --git a/python/ql/lib/semmle/python/dataflow/new/BarrierGuards.qll b/python/ql/lib/semmle/python/dataflow/new/BarrierGuards.qll index 2d501b3ce17..ad8b668a94a 100644 --- a/python/ql/lib/semmle/python/dataflow/new/BarrierGuards.qll +++ b/python/ql/lib/semmle/python/dataflow/new/BarrierGuards.qll @@ -5,7 +5,7 @@ private import semmle.python.dataflow.new.DataFlow private predicate stringConstCompare(DataFlow::GuardNode g, ControlFlowNode node, boolean branch) { exists(CompareNode cn | cn = g | - exists(StrConst str_const, Cmpop op | + exists(StringLiteral str_const, Cmpop op | op = any(Eq eq) and branch = true or op = any(NotEq ne) and branch = false @@ -21,7 +21,7 @@ private predicate stringConstCompare(DataFlow::GuardNode g, ControlFlowNode node op = any(NotIn ni) and branch = false | forall(ControlFlowNode elem | elem = str_const_iterable.getAnElement() | - elem.getNode() instanceof StrConst + elem.getNode() instanceof StringLiteral ) and cn.operands(node, op, str_const_iterable) ) 
diff --git a/python/ql/lib/semmle/python/dataflow/new/SensitiveDataSources.qll b/python/ql/lib/semmle/python/dataflow/new/SensitiveDataSources.qll index 0ef65c478d5..705c4476fb1 100644 --- a/python/ql/lib/semmle/python/dataflow/new/SensitiveDataSources.qll +++ b/python/ql/lib/semmle/python/dataflow/new/SensitiveDataSources.qll @@ -91,7 +91,7 @@ private module SensitiveDataModeling { // Note: If this is implemented with type-tracking, we will get cross-talk as // illustrated in python/ql/test/experimental/dataflow/sensitive-data/test.py exists(DataFlow::LocalSourceNode source | - source.asExpr().(StrConst).getText() = sensitiveString(classification) and + source.asExpr().(StringLiteral).getText() = sensitiveString(classification) and source.flowsTo(result) ) } @@ -173,8 +173,8 @@ private module SensitiveDataModeling { } pragma[nomagic] - private string sensitiveStrConstCandidate() { - result = any(StrConst s | not s.isDocString()).getText() and + private string sensitiveStringLiteralCandidate() { + result = any(StringLiteral s | not s.isDocString()).getText() and not result.regexpMatch(notSensitiveRegexp()) } @@ -217,7 +217,7 @@ private module SensitiveDataModeling { result in [ sensitiveNameCandidate(), sensitiveAttributeNameCandidate(), sensitiveParameterNameCandidate(), sensitiveFunctionNameCandidate(), - sensitiveStrConstCandidate() + sensitiveStringLiteralCandidate() ] } diff --git a/python/ql/lib/semmle/python/dataflow/new/internal/Attributes.qll b/python/ql/lib/semmle/python/dataflow/new/internal/Attributes.qll index ff88dd47d35..51dccc29312 100644 --- a/python/ql/lib/semmle/python/dataflow/new/internal/Attributes.qll +++ b/python/ql/lib/semmle/python/dataflow/new/internal/Attributes.qll 
@@ -40,7 +40,7 @@ abstract class AttrRef extends Node { or exists(LocalSourceNode nodeFrom | nodeFrom.flowsTo(this.getAttributeNameExpr()) and - attrName = nodeFrom.(CfgNode).getNode().getNode().(StrConst).getText() + attrName = nodeFrom.(CfgNode).getNode().getNode().(StringLiteral).getText() ) } @@ -178,7 +178,7 @@ private class SetAttrCallAsAttrWrite extends AttrWrite, CfgNode { override ExprNode getAttributeNameExpr() { result.asCfgNode() = node.getName() } override string getAttributeName() { - result = this.getAttributeNameExpr().(CfgNode).getNode().getNode().(StrConst).getText() + result = this.getAttributeNameExpr().(CfgNode).getNode().getNode().(StringLiteral).getText() } } @@ -254,7 +254,7 @@ private class GetAttrCallAsAttrRead extends AttrRead, CfgNode { override ExprNode getAttributeNameExpr() { result.asCfgNode() = node.getName() } override string getAttributeName() { - result = this.getAttributeNameExpr().(CfgNode).getNode().getNode().(StrConst).getText() + result = this.getAttributeNameExpr().(CfgNode).getNode().getNode().(StringLiteral).getText() } } diff --git a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPrivate.qll b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPrivate.qll index 9d7b1d5aa84..c7d0da2c519 100644 --- a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPrivate.qll +++ b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPrivate.qll @@ -813,7 +813,7 @@ predicate dictStoreStep(CfgNode nodeFrom, DictionaryElementContent c, Node nodeT exists(KeyValuePair item | item = nodeTo.asCfgNode().(DictNode).getNode().(Dict).getAnItem() and nodeFrom.getNode().getNode() = item.getValue() and - c.getKey() = item.getKey().(StrConst).getS() + c.getKey() = item.getKey().(StringLiteral).getS() ) } 
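Review bot: `dictStoreStep` reads the dictionary key with `.(StringLiteral).getS()`, as does `subscriptReadStep` in the hunk at -954, while `moreDictStoreSteps`, `dictClearStep` and the `TDictionaryElementContent` definition in DataFlowPublic.qll use `.getText()`. Since the commit already rewrites each of these lines, it would be worth settling on one accessor, e.g. `c.getKey() = item.getKey().(StringLiteral).getText()`. I cannot tell from the diff whether the two accessors ever return different values. If they do, a key stored through one would not match content created through the other, and the flow step would be dropped silently. Both predicates begin outside their hunks.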
@@ -829,13 +829,13 @@ private predicate moreDictStoreSteps(CfgNode nodeFrom, DictionaryElementContent exists(SubscriptNode subscript | nodeTo.(PostUpdateNode).getPreUpdateNode().asCfgNode() = subscript.getObject() and nodeFrom.asCfgNode() = subscript.(DefinitionNode).getValue() and - c.getKey() = subscript.getIndex().getNode().(StrConst).getText() + c.getKey() = subscript.getIndex().getNode().(StringLiteral).getText() ) or // see https://docs.python.org/3.10/library/stdtypes.html#dict.setdefault exists(MethodCallNode call | call.calls(nodeTo.(PostUpdateNode).getPreUpdateNode(), "setdefault") and - call.getArg(0).asExpr().(StrConst).getText() = c.getKey() and + call.getArg(0).asExpr().(StringLiteral).getText() = c.getKey() and nodeFrom = call.getArg(1) ) } @@ -844,7 +844,7 @@ predicate dictClearStep(Node node, DictionaryElementContent c) { exists(SubscriptNode subscript | subscript instanceof DefinitionNode and node.asCfgNode() = subscript.getObject() and - c.getKey() = subscript.getIndex().getNode().(StrConst).getText() + c.getKey() = subscript.getIndex().getNode().(StringLiteral).getText() ) } @@ -954,7 +954,7 @@ predicate subscriptReadStep(CfgNode nodeFrom, Content c, CfgNode nodeTo) { nodeTo.getNode().(SubscriptNode).getIndex().getNode().(IntegerLiteral).getValue() or c.(DictionaryElementContent).getKey() = - nodeTo.getNode().(SubscriptNode).getIndex().getNode().(StrConst).getS() + nodeTo.getNode().(SubscriptNode).getIndex().getNode().(StringLiteral).getS() ) } diff --git a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPublic.qll b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPublic.qll index f9ee4fc6e46..1410c7dff16 100644 --- a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPublic.qll +++ b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPublic.qll 
@@ -606,17 +606,17 @@ newtype TContent = /** An element of a dictionary under a specific key. */ TDictionaryElementContent(string key) { // {"key": ...} - key = any(KeyValuePair kvp).getKey().(StrConst).getText() + key = any(KeyValuePair kvp).getKey().(StringLiteral).getText() or // func(key=...) key = any(Keyword kw).getArg() or // d["key"] = ... - key = any(SubscriptNode sub | sub.isStore() | sub.getIndex().getNode().(StrConst).getText()) + key = any(SubscriptNode sub | sub.isStore() | sub.getIndex().getNode().(StringLiteral).getText()) or // d.setdefault("key", ...) exists(CallNode call | call.getFunction().(AttrNode).getName() = "setdefault" | - key = call.getArg(0).getNode().(StrConst).getText() + key = call.getArg(0).getNode().(StringLiteral).getText() ) } or /** An element of a dictionary under any key. */ diff --git a/python/ql/lib/semmle/python/dataflow/new/internal/ImportResolution.qll b/python/ql/lib/semmle/python/dataflow/new/internal/ImportResolution.qll index 40d9463e546..36773abe2b4 100644 --- a/python/ql/lib/semmle/python/dataflow/new/internal/ImportResolution.qll +++ b/python/ql/lib/semmle/python/dataflow/new/internal/ImportResolution.qll @@ -146,7 +146,7 @@ module ImportResolution { def.getValue() = n and def.(NameNode).getId() = "__all__" and def.getScope() = m and - any(StrConst s | s.getText() = name) = n.getAnElement().getNode() + any(StringLiteral s | s.getText() = name) = n.getAnElement().getNode() ) } @@ -210,7 +210,7 @@ module ImportResolution { exists(SubscriptNode sub | sub.getObject() = sys_modules_reference().asCfgNode() and sub.getIndex() = n and - n.getNode().(StrConst).getText() = name and + n.getNode().(StringLiteral).getText() = name and sub.(DefinitionNode).getValue() = mod.asCfgNode() and mod = getModuleReference(result) ) diff --git a/python/ql/lib/semmle/python/dataflow/new/internal/MatchUnpacking.qll b/python/ql/lib/semmle/python/dataflow/new/internal/MatchUnpacking.qll index 4883dea52d4..8064c34d921 100644 
--- a/python/ql/lib/semmle/python/dataflow/new/internal/MatchUnpacking.qll +++ b/python/ql/lib/semmle/python/dataflow/new/internal/MatchUnpacking.qll @@ -224,7 +224,7 @@ predicate matchMappingReadStep(Node nodeFrom, Content c, Node nodeTo) { | nodeFrom.(CfgNode).getNode().getNode() = subject and nodeTo.(CfgNode).getNode().getNode() = value and - c.(DictionaryElementContent).getKey() = key.getLiteral().(StrConst).getText() + c.(DictionaryElementContent).getKey() = key.getLiteral().(StringLiteral).getText() ) } @@ -256,7 +256,7 @@ predicate matchMappingClearStep(Node n, Content c) { dstar = subject.getAMapping() | n.(CfgNode).getNode().getNode() = dstar.getTarget() and - c.(DictionaryElementContent).getKey() = key.getLiteral().(StrConst).getText() + c.(DictionaryElementContent).getKey() = key.getLiteral().(StringLiteral).getText() ) } diff --git a/python/ql/lib/semmle/python/dataflow/new/internal/PrintNode.qll b/python/ql/lib/semmle/python/dataflow/new/internal/PrintNode.qll index 14dec8d14b7..76cd0a37822 100644 --- a/python/ql/lib/semmle/python/dataflow/new/internal/PrintNode.qll +++ b/python/ql/lib/semmle/python/dataflow/new/internal/PrintNode.qll @@ -18,7 +18,7 @@ private import semmle.python.dataflow.new.internal.DataFlowPrivate as DataFlowPr */ string prettyExpr(Expr e) { not e instanceof Num and - not e instanceof StrConst and + not e instanceof StringLiteral and not e instanceof Subscript and not e instanceof Call and not e instanceof Attribute and @@ -27,8 +27,8 @@ string prettyExpr(Expr e) { result = e.(Num).getN() or result = - e.(StrConst).getPrefix() + e.(StrConst).getText() + - e.(StrConst).getPrefix().regexpReplaceAll("[a-zA-Z]+", "") + e.(StringLiteral).getPrefix() + e.(StringLiteral).getText() + + e.(StringLiteral).getPrefix().regexpReplaceAll("[a-zA-Z]+", "") or result = prettyExpr(e.(Subscript).getObject()) + "[" + prettyExpr(e.(Subscript).getIndex()) + "]" or 
diff --git a/python/ql/lib/semmle/python/dataflow/old/Implementation.qll b/python/ql/lib/semmle/python/dataflow/old/Implementation.qll index 55ea5de1059..19197f4bd30 100644 --- a/python/ql/lib/semmle/python/dataflow/old/Implementation.qll +++ b/python/ql/lib/semmle/python/dataflow/old/Implementation.qll @@ -410,7 +410,7 @@ class TaintTrackingImplementation extends string instanceof TaintTracking::Confi call = node.asCfgNode() and call.getFunction().pointsTo(ObjectInternal::builtin("getattr")) and arg = call.getArg(0) and - attrname = call.getArg(1).getNode().(StrConst).getText() and + attrname = call.getArg(1).getNode().(StringLiteral).getText() and arg = srcnode.asCfgNode() | path = srcpath.fromAttribute(attrname) and diff --git a/python/ql/lib/semmle/python/frameworks/Cryptodome.qll b/python/ql/lib/semmle/python/frameworks/Cryptodome.qll index f0a309644ad..4dc193b1386 100644 --- a/python/ql/lib/semmle/python/frameworks/Cryptodome.qll +++ b/python/ql/lib/semmle/python/frameworks/Cryptodome.qll @@ -83,7 +83,7 @@ private module CryptodomeModel { /** Gets the name of the curve to use, as well as the origin that explains how we obtained this name. */ string getCurveWithOrigin(DataFlow::Node origin) { - exists(StrConst str | origin = DataFlow::exprNode(str) | + exists(StringLiteral str | origin = DataFlow::exprNode(str) | origin = this.getCurveArg().getALocalSource() and result = str.getText() ) diff --git a/python/ql/lib/semmle/python/frameworks/Django.qll b/python/ql/lib/semmle/python/frameworks/Django.qll index 3e9fd8030ff..064dba57f92 100644 --- a/python/ql/lib/semmle/python/frameworks/Django.qll +++ b/python/ql/lib/semmle/python/frameworks/Django.qll 
@@ -2862,14 +2862,14 @@ module PrivateDjango { // // This also strongly implies that `mw` is in fact a Django middleware setting and // not just a variable named `MIDDLEWARE`. - list.getAnElt().(StrConst).getText() = + list.getAnElt().(StringLiteral).getText() = "django.contrib.auth.middleware.AuthenticationMiddleware" ) } override boolean getVerificationSetting() { if - list.getAnElt().(StrConst).getText() in [ + list.getAnElt().(StringLiteral).getText() in [ "django.middleware.csrf.CsrfViewMiddleware", // see https://github.com/mozilla/django-session-csrf "session_csrf.CsrfMiddleware" diff --git a/python/ql/lib/semmle/python/frameworks/FastApi.qll b/python/ql/lib/semmle/python/frameworks/FastApi.qll index cc5739c0cf7..8c958e9343d 100644 --- a/python/ql/lib/semmle/python/frameworks/FastApi.qll +++ b/python/ql/lib/semmle/python/frameworks/FastApi.qll @@ -183,7 +183,7 @@ module FastApi { | exists(Assign assign | assign = cls.getAStmt() | assign.getATarget().(Name).getId() = "media_type" and - result = assign.getValue().(StrConst).getText() + result = assign.getValue().(StringLiteral).getText() ) or // TODO: this should use a proper MRO calculation instead @@ -372,7 +372,7 @@ module FastApi { headers.accesses(instance(), "headers") and this.calls(headers, "append") and keyArg in [this.getArg(0), this.getArgByName("key")] and - keyArg.getALocalSource().asExpr().(StrConst).getText().toLowerCase() = "set-cookie" + keyArg.getALocalSource().asExpr().(StringLiteral).getText().toLowerCase() = "set-cookie" ) } diff --git a/python/ql/lib/semmle/python/frameworks/Rsa.qll b/python/ql/lib/semmle/python/frameworks/Rsa.qll index 4b7142177f9..0f0dd2d3d92 100644 --- a/python/ql/lib/semmle/python/frameworks/Rsa.qll +++ b/python/ql/lib/semmle/python/frameworks/Rsa.qll 
@@ -80,7 +80,7 @@ private module Rsa { result.getName() = "RSA" or // hashing part - exists(StrConst str, DataFlow::Node hashNameArg | + exists(StringLiteral str, DataFlow::Node hashNameArg | hashNameArg in [this.getArg(2), this.getArgByName("hash_method")] and DataFlow::exprNode(str) = hashNameArg.getALocalSource() and result.matchesName(str.getText()) @@ -132,7 +132,7 @@ private module Rsa { override DataFlow::Node getInitialization() { result = this } override Cryptography::CryptographicAlgorithm getAlgorithm() { - exists(StrConst str, DataFlow::Node hashNameArg | + exists(StringLiteral str, DataFlow::Node hashNameArg | hashNameArg in [this.getArg(1), this.getArgByName("method_name")] and DataFlow::exprNode(str) = hashNameArg.getALocalSource() and result.matchesName(str.getText()) diff --git a/python/ql/lib/semmle/python/frameworks/Stdlib.qll b/python/ql/lib/semmle/python/frameworks/Stdlib.qll index b674d10daf9..cd257955682 100644 --- a/python/ql/lib/semmle/python/frameworks/Stdlib.qll +++ b/python/ql/lib/semmle/python/frameworks/Stdlib.qll @@ -2785,7 +2785,7 @@ module StdlibPrivate { /** Gets a call to `hashlib.new` with `algorithmName` as the first argument. */ private API::CallNode hashlibNewCall(string algorithmName) { algorithmName = - result.getParameter(0, "name").getAValueReachingSink().asExpr().(StrConst).getText() and + result.getParameter(0, "name").getAValueReachingSink().asExpr().(StringLiteral).getText() and result = API::moduleImport("hashlib").getMember("new").getACall() } @@ -2908,7 +2908,7 @@ module StdlibPrivate { exists(string algorithmName | result.matchesName(algorithmName) | this.getDigestArg().asSink() = hashlibMember(algorithmName).asSource() or - this.getDigestArg().getAValueReachingSink().asExpr().(StrConst).getText() = algorithmName + this.getDigestArg().getAValueReachingSink().asExpr().(StringLiteral).getText() = algorithmName ) } 
@@ -4418,7 +4418,7 @@ module StdlibPrivate { override DataFlow::CallCfgNode getACall() { result.(DataFlow::MethodCallNode).getMethodName() = "pop" and - result.getArg(0).getALocalSource().asExpr().(StrConst).getText() = key + result.getArg(0).getALocalSource().asExpr().(StringLiteral).getText() = key } override DataFlow::ArgumentNode getACallback() { none() } @@ -4441,7 +4441,7 @@ module StdlibPrivate { override DataFlow::CallCfgNode getACall() { result.(DataFlow::MethodCallNode).getMethodName() = "get" and - result.getArg(0).getALocalSource().asExpr().(StrConst).getText() = key + result.getArg(0).getALocalSource().asExpr().(StringLiteral).getText() = key } override DataFlow::ArgumentNode getACallback() { none() } @@ -4541,7 +4541,7 @@ module StdlibPrivate { override DataFlow::CallCfgNode getACall() { result.(DataFlow::MethodCallNode).getMethodName() = "setdefault" and - result.getArg(0).getALocalSource().asExpr().(StrConst).getText() = key + result.getArg(0).getALocalSource().asExpr().(StringLiteral).getText() = key } override DataFlow::ArgumentNode getACallback() { none() } diff --git a/python/ql/lib/semmle/python/frameworks/Urllib3.qll b/python/ql/lib/semmle/python/frameworks/Urllib3.qll index 23332afc7aa..ee35fc9af0a 100644 --- a/python/ql/lib/semmle/python/frameworks/Urllib3.qll +++ b/python/ql/lib/semmle/python/frameworks/Urllib3.qll @@ -78,7 +78,7 @@ module Urllib3 { // see https://urllib3.readthedocs.io/en/stable/user-guide.html?highlight=cert_reqs#certificate-verification disablingNode = constructor.getKeywordParameter("cert_reqs").asSink() and argumentOrigin = constructor.getKeywordParameter("cert_reqs").getAValueReachingSink() and - argumentOrigin.asExpr().(StrConst).getText() = "CERT_NONE" + argumentOrigin.asExpr().(StringLiteral).getText() = "CERT_NONE" or // assert_hostname // see https://urllib3.readthedocs.io/en/stable/reference/urllib3.connectionpool.html?highlight=assert_hostname#urllib3.HTTPSConnectionPool 
diff --git a/python/ql/lib/semmle/python/objects/Constants.qll b/python/ql/lib/semmle/python/objects/Constants.qll index 7813e3639ad..31b63399ff4 100644 --- a/python/ql/lib/semmle/python/objects/Constants.qll +++ b/python/ql/lib/semmle/python/objects/Constants.qll @@ -239,8 +239,8 @@ class UnicodeObjectInternal extends ConstantObjectInternal, TUnicode { override predicate introducedAt(ControlFlowNode node, PointsToContext context) { context.appliesTo(node) and - node.getNode().(StrConst).getText() = this.strValue() and - node.getNode().(StrConst).isUnicode() + node.getNode().(StringLiteral).getText() = this.strValue() and + node.getNode().(StringLiteral).isUnicode() } override ObjectInternal getClass() { result = TBuiltinClassObject(Builtin::special("unicode")) } @@ -272,8 +272,8 @@ class BytesObjectInternal extends ConstantObjectInternal, TBytes { override predicate introducedAt(ControlFlowNode node, PointsToContext context) { context.appliesTo(node) and - node.getNode().(StrConst).getText() = this.strValue() and - not node.getNode().(StrConst).isUnicode() + node.getNode().(StringLiteral).getText() = this.strValue() and + not node.getNode().(StringLiteral).isUnicode() } override ObjectInternal getClass() { result = TBuiltinClassObject(Builtin::special("bytes")) } diff --git a/python/ql/lib/semmle/python/objects/ObjectAPI.qll b/python/ql/lib/semmle/python/objects/ObjectAPI.qll index 3ac0f381806..dc1363b2ebe 100644 --- a/python/ql/lib/semmle/python/objects/ObjectAPI.qll +++ b/python/ql/lib/semmle/python/objects/ObjectAPI.qll @@ -201,7 +201,7 @@ class ModuleValue extends Value instanceof ModuleObjectInternal { ( not this.getPath().getExtension() = "py" or - exists(If i, Name name, StrConst main, Cmpop op | + exists(If i, Name name, StringLiteral main, Cmpop op | i.getScope() = this.getScope() and op instanceof Eq and i.getTest().(Compare).compares(name, op, main) and 
diff --git a/python/ql/lib/semmle/python/objects/TObject.qll b/python/ql/lib/semmle/python/objects/TObject.qll index 55f5bb0215f..12b4dc901c3 100644 --- a/python/ql/lib/semmle/python/objects/TObject.qll +++ b/python/ql/lib/semmle/python/objects/TObject.qll @@ -84,7 +84,7 @@ newtype TObject = /** The unicode string `s` */ TUnicode(string s) { // Any string explicitly mentioned in the source code. - exists(StrConst str | + exists(StringLiteral str | s = str.getText() and str.isUnicode() ) @@ -100,7 +100,7 @@ newtype TObject = /** The byte string `s` */ TBytes(string s) { // Any string explicitly mentioned in the source code. - exists(StrConst str | + exists(StringLiteral str | s = str.getText() and not str.isUnicode() ) diff --git a/python/ql/lib/semmle/python/pointsto/Filters.qll b/python/ql/lib/semmle/python/pointsto/Filters.qll index 4ae75685730..f9e0229ef6f 100644 --- a/python/ql/lib/semmle/python/pointsto/Filters.qll +++ b/python/ql/lib/semmle/python/pointsto/Filters.qll @@ -9,7 +9,7 @@ import python predicate hasattr(CallNode c, ControlFlowNode obj, string attr) { c.getFunction().getNode().(Name).getId() = "hasattr" and c.getArg(0) = obj and - c.getArg(1).getNode().(StrConst).getText() = attr + c.getArg(1).getNode().(StringLiteral).getText() = attr } /** Holds if `c` is a call to `isinstance(use, cls)`. */ diff --git a/python/ql/lib/semmle/python/pointsto/PointsTo.qll b/python/ql/lib/semmle/python/pointsto/PointsTo.qll index fb05e9b49ff..56e8f6d6a63 100644 --- a/python/ql/lib/semmle/python/pointsto/PointsTo.qll +++ b/python/ql/lib/semmle/python/pointsto/PointsTo.qll @@ -691,7 +691,7 @@ module PointsToInternal { sub.getObject() = sys_modules_flow and pointsTo(sys_modules_flow, _, ObjectInternal::sysModules(), _) and sub.getIndex() = n and - n.getNode().(StrConst).getText() = name and + n.getNode().(StringLiteral).getText() = name and sub.(DefinitionNode).getValue() = mod and pointsTo(mod, _, m, _) ) 
diff --git a/python/ql/lib/semmle/python/pointsto/PointsToContext.qll b/python/ql/lib/semmle/python/pointsto/PointsToContext.qll index 4bbc4001b4d..d68ce93e576 100644 --- a/python/ql/lib/semmle/python/pointsto/PointsToContext.qll +++ b/python/ql/lib/semmle/python/pointsto/PointsToContext.qll @@ -253,7 +253,7 @@ predicate executes_in_runtime_context(Function f) { } private predicate maybe_main(Module m) { - exists(If i, Compare cmp, Name name, StrConst main | m.getAStmt() = i and i.getTest() = cmp | + exists(If i, Compare cmp, Name name, StringLiteral main | m.getAStmt() = i and i.getTest() = cmp | cmp.compares(name, any(Eq eq), main) and name.getId() = "__name__" and main.getText() = "__main__" diff --git a/python/ql/lib/semmle/python/regex.qll b/python/ql/lib/semmle/python/regex.qll index 827f6b89e34..0c96e504946 100644 --- a/python/ql/lib/semmle/python/regex.qll +++ b/python/ql/lib/semmle/python/regex.qll @@ -15,7 +15,7 @@ RegExpTerm getTermForExecution(Concepts::RegexExecution exec) { ) } -/** A StrConst used as a regular expression */ +/** A StringLiteral used as a regular expression */ deprecated class RegexString extends Regex { RegexString() { this = RegExpTracking::regExpSource(_).asExpr() } } diff --git a/python/ql/lib/semmle/python/regexp/RegexTreeView.qll b/python/ql/lib/semmle/python/regexp/RegexTreeView.qll index 1f8712d6763..04e9ba31ec0 100644 --- a/python/ql/lib/semmle/python/regexp/RegexTreeView.qll +++ b/python/ql/lib/semmle/python/regexp/RegexTreeView.qll @@ -9,7 +9,7 @@ import Impl as RegexTreeView import Impl /** Gets the parse tree resulting from parsing `re`, if such has been constructed. */ -RegExpTerm getParsedRegExp(StrConst re) { result.getRegex() = re and result.isRootTerm() } +RegExpTerm getParsedRegExp(StringLiteral re) { result.getRegex() = re and result.isRootTerm() } /** * An element containing a regular expression term, that is, either 
@@ -230,7 +230,7 @@ module Impl implements RegexTreeViewSig { index > 0 and exists(int previousOffset | previousOffset = this.getPartOffset(index - 1) | result = - previousOffset + re.(StrConst).getImplicitlyConcatenatedPart(index - 1).getContentLength() + previousOffset + re.(StringLiteral).getImplicitlyConcatenatedPart(index - 1).getContentLength() ) } @@ -240,7 +240,7 @@ module Impl implements RegexTreeViewSig { */ StringPart getPart(int localOffset) { exists(int index, int prefixLength | index = max(int i | this.getPartOffset(i) <= start) | - result = re.(StrConst).getImplicitlyConcatenatedPart(index) and + result = re.(StringLiteral).getImplicitlyConcatenatedPart(index) and result.contextSize(prefixLength, _) and // Example: // re.compile('...' r"""...this..""") diff --git a/python/ql/lib/semmle/python/regexp/internal/ParseRegExp.qll b/python/ql/lib/semmle/python/regexp/internal/ParseRegExp.qll index 4e2d76a8a99..6ac12e00e81 100644 --- a/python/ql/lib/semmle/python/regexp/internal/ParseRegExp.qll +++ b/python/ql/lib/semmle/python/regexp/internal/ParseRegExp.qll @@ -105,8 +105,8 @@ private module FindRegexMode { */ deprecated class Regex = RegExp; -/** A StrConst used as a regular expression */ -class RegExp extends Expr instanceof StrConst { +/** A StringLiteral used as a regular expression */ +class RegExp extends Expr instanceof StringLiteral { DataFlow::Node use; RegExp() { this = RegExpTracking::regExpSource(use).asExpr() } diff --git a/python/ql/lib/semmle/python/regexp/internal/RegExpTracking.qll b/python/ql/lib/semmle/python/regexp/internal/RegExpTracking.qll index 39d3e918de9..a48650f963a 100644 --- a/python/ql/lib/semmle/python/regexp/internal/RegExpTracking.qll +++ b/python/ql/lib/semmle/python/regexp/internal/RegExpTracking.qll 
@@ -15,7 +15,7 @@ private import semmle.python.dataflow.new.DataFlow private import semmle.python.Concepts as Concepts /** Gets a constant string value that may be used as a regular expression. */ -DataFlow::LocalSourceNode strStart() { result.asExpr() instanceof StrConst } +DataFlow::LocalSourceNode strStart() { result.asExpr() instanceof StringLiteral } private import semmle.python.regex as Regex diff --git a/python/ql/lib/semmle/python/security/dataflow/LogInjectionCustomizations.qll b/python/ql/lib/semmle/python/security/dataflow/LogInjectionCustomizations.qll index 2e2c71ee53b..2f582a7f67d 100644 --- a/python/ql/lib/semmle/python/security/dataflow/LogInjectionCustomizations.qll +++ b/python/ql/lib/semmle/python/security/dataflow/LogInjectionCustomizations.qll @@ -90,7 +90,7 @@ module LogInjection { // TODO: Consider rewriting using flow states. ReplaceLineBreaksSanitizer() { this.getFunction().(DataFlow::AttrRead).getAttributeName() = "replace" and - this.getArg(0).asExpr().(StrConst).getText() in ["\r\n", "\n"] + this.getArg(0).asExpr().(StringLiteral).getText() in ["\r\n", "\n"] } } } diff --git a/python/ql/lib/semmle/python/security/dataflow/PamAuthorizationCustomizations.qll b/python/ql/lib/semmle/python/security/dataflow/PamAuthorizationCustomizations.qll index b3acdef6ef5..afba208e0e4 100644 --- a/python/ql/lib/semmle/python/security/dataflow/PamAuthorizationCustomizations.qll +++ b/python/ql/lib/semmle/python/security/dataflow/PamAuthorizationCustomizations.qll 
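Review bot: In the LogInjectionCustomizations.qll hunk, `ReplaceLineBreaksSanitizer` accepts a `replace` call whose first argument is the literal `"\r\n"` on its own, yet such a call leaves every bare `\n` in the value, so a flow through it would presumably be treated as sanitized while line breaks can still reach the log. The check also reads `this.getArg(0).asExpr()` directly, so a separator passed through a variable is not recognised at all. Until the flow-state rewrite mentioned in the TODO, I would either narrow the list to `in ["\n"]` or add a comment on that line such as `// NOTE: replacing only "\r\n" leaves bare "\n" in place; accepted as a sanitizer for now`. The class body starts outside the hunk, so this is based on the visible characteristic predicate only.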
@@ -20,7 +20,7 @@ module PamAuthorizationCustomizations { exists(API::CallNode findLibCall, API::CallNode cdllCall | findLibCall = API::moduleImport("ctypes").getMember("util").getMember("find_library").getACall() and - findLibCall.getParameter(0).getAValueReachingSink().asExpr().(StrConst).getText() = "pam" and + findLibCall.getParameter(0).getAValueReachingSink().asExpr().(StringLiteral).getText() = "pam" and cdllCall = API::moduleImport("ctypes").getMember("CDLL").getACall() and cdllCall.getParameter(0).getAValueReachingSink() = findLibCall | diff --git a/python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryCustomizations.qll b/python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryCustomizations.qll index 82dfb9ebec2..4ba4080d39d 100644 --- a/python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryCustomizations.qll +++ b/python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryCustomizations.qll @@ -88,7 +88,7 @@ module ServerSideRequestForgery { exists(BinaryExprNode add | add.getOp() instanceof Add and add.getRight() = this.asCfgNode() and - not add.getLeft().getNode().(StrConst).getText().toLowerCase() in ["http://", "https://"] + not add.getLeft().getNode().(StringLiteral).getText().toLowerCase() in ["http://", "https://"] ) or // % formatting @@ -97,7 +97,7 @@ module ServerSideRequestForgery { fmt.getRight() = this.asCfgNode() and // detecting %-formatting is not super easy, so we simplify it to only handle // when there is a **single** substitution going on. - not fmt.getLeft().getNode().(StrConst).getText().regexpMatch("^(?i)https?://%s[^%]*$") + not fmt.getLeft().getNode().(StringLiteral).getText().regexpMatch("^(?i)https?://%s[^%]*$") ) or // arguments to a format call 
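Review bot: The sed rename makes each touched line six characters longer without re-wrapping it. In the PamAuthorizationCustomizations.qll hunk, `findLibCall.getParameter(0).getAValueReachingSink().asExpr().(StringLiteral).getText() = "pam" and` is already close to 100 characters before indentation. The `not add.getLeft().getNode().(StringLiteral)...` line in the ServerSideRequestForgeryCustomizations.qll hunk and the `tarfile.open` argument check in the TarSlipCustomizations.qll hunk look similarly long. If the repository enforces the QL autoformatter's line width, these would fail the format check, so I would run `codeql query format --in-place` over the touched files as part of this change. Indentation is not preserved in this rendering, so the exact column counts are inferred.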
@@ -106,9 +106,9 @@ module ServerSideRequestForgery { | call.getMethodName() = "format" and ( - if call.getObject().asExpr().(StrConst).getText().regexpMatch(httpPrefixRe) + if call.getObject().asExpr().(StringLiteral).getText().regexpMatch(httpPrefixRe) then - exists(string text | text = call.getObject().asExpr().(StrConst).getText() | + exists(string text | text = call.getObject().asExpr().(StringLiteral).getText() | // `http://{}...` exists(text.regexpCapture(httpPrefixRe, 1)) and this in [call.getArg(any(int i | i >= 1)), call.getArgByName(_)] @@ -129,7 +129,7 @@ module ServerSideRequestForgery { or // f-string exists(Fstring fstring | - if fstring.getValue(0).(StrConst).getText().toLowerCase() in ["http://", "https://"] + if fstring.getValue(0).(StringLiteral).getText().toLowerCase() in ["http://", "https://"] then fstring.getValue(any(int i | i >= 2)) = this.asExpr() else fstring.getValue(any(int i | i >= 1)) = this.asExpr() ) diff --git a/python/ql/lib/semmle/python/security/dataflow/TarSlipCustomizations.qll b/python/ql/lib/semmle/python/security/dataflow/TarSlipCustomizations.qll index 442d6e8ebb4..2dbe2c542ae 100644 --- a/python/ql/lib/semmle/python/security/dataflow/TarSlipCustomizations.qll +++ b/python/ql/lib/semmle/python/security/dataflow/TarSlipCustomizations.qll @@ -39,7 +39,7 @@ module TarSlip { this = API::moduleImport("tarfile").getMember("open").getACall() and // If argument refers to a string object, then it's a hardcoded path and // this tarfile is safe. - not this.(DataFlow::CallCfgNode).getArg(0).getALocalSource().asExpr() instanceof StrConst and + not this.(DataFlow::CallCfgNode).getArg(0).getALocalSource().asExpr() instanceof StringLiteral and // Ignore opens within the tarfile module itself not this.getLocation().getFile().getBaseName() = "tarfile.py" } 
@@ -70,7 +70,7 @@ module TarSlip { exists(Expr filterValue | filterValue = call.getParameter(4, "filter").getAValueReachingSink().asExpr() and ( - filterValue.(StrConst).getText() = "fully_trusted" + filterValue.(StringLiteral).getText() = "fully_trusted" or filterValue instanceof None ) diff --git a/python/ql/lib/semmle/python/security/dataflow/UnsafeShellCommandConstructionCustomizations.qll b/python/ql/lib/semmle/python/security/dataflow/UnsafeShellCommandConstructionCustomizations.qll index 6d245f472de..d680a7d16e6 100644 --- a/python/ql/lib/semmle/python/security/dataflow/UnsafeShellCommandConstructionCustomizations.qll +++ b/python/ql/lib/semmle/python/security/dataflow/UnsafeShellCommandConstructionCustomizations.qll @@ -33,7 +33,7 @@ module UnsafeShellCommandConstruction { /** A sink for shell command constructed from library input vulnerabilities. */ abstract class Sink extends DataFlow::Node { - Sink() { not this.asExpr() instanceof StrConst } // filter out string constants, makes testing easier + Sink() { not this.asExpr() instanceof StringLiteral } // filter out string constants, makes testing easier /** Gets a description of how the string in this sink was constructed. */ abstract string describe(); diff --git a/python/ql/lib/semmle/python/security/dataflow/UrlRedirectCustomizations.qll b/python/ql/lib/semmle/python/security/dataflow/UrlRedirectCustomizations.qll index 8a9f54b5085..f765386010c 100644 --- a/python/ql/lib/semmle/python/security/dataflow/UrlRedirectCustomizations.qll +++ b/python/ql/lib/semmle/python/security/dataflow/UrlRedirectCustomizations.qll 
@@ -118,8 +118,8 @@ module UrlRedirect { ReplaceBackslashesSanitizer() { this.calls(receiver, "replace") and - this.getArg(0).asExpr().(StrConst).getText() = "\\" and - this.getArg(1).asExpr().(StrConst).getText() in ["/", ""] + this.getArg(0).asExpr().(StringLiteral).getText() = "\\" and + this.getArg(1).asExpr().(StringLiteral).getText() in ["/", ""] } override predicate sanitizes(FlowState state) { state instanceof MayContainBackslashes } diff --git a/python/ql/lib/semmle/python/strings.qll b/python/ql/lib/semmle/python/strings.qll index c8a134736d3..6db098c07b5 100644 --- a/python/ql/lib/semmle/python/strings.qll +++ b/python/ql/lib/semmle/python/strings.qll @@ -1,10 +1,10 @@ import python -predicate format_string(StrConst e) { +predicate format_string(StringLiteral e) { exists(BinaryExpr b | b.getOp() instanceof Mod and b.getLeft() = e) } -predicate mapping_format(StrConst e) { +predicate mapping_format(StringLiteral e) { conversion_specifier(e, _).regexpMatch("%\\([A-Z_a-z0-9]+\\).*") } @@ -17,18 +17,18 @@ predicate mapping_format(StrConst e) { * TYPE = "[bdiouxXeEfFgGcrs%]" */ -private string conversion_specifier_string(StrConst e, int number, int position) { +private string conversion_specifier_string(StringLiteral e, int number, int position) { exists(string s, string regex | s = e.getText() | regex = "%(\\([^)]*\\))?[#0\\- +]*(\\*|[0-9]*)(\\.(\\*|[0-9]*))?(h|H|l|L)?[badiouxXeEfFgGcrs%]" and result = s.regexpFind(regex, number, position) ) } -private string conversion_specifier(StrConst e, int number) { +private string conversion_specifier(StringLiteral e, int number) { result = conversion_specifier_string(e, number, _) and result != "%%" } -int illegal_conversion_specifier(StrConst e) { +int illegal_conversion_specifier(StringLiteral e) { format_string(e) and "%" = e.getText().charAt(result) and // not the start of a conversion specifier or the second % of a %% 
@@ -37,7 +37,7 @@ int illegal_conversion_specifier(StrConst e) { } /** Gets the number of format items in a format string */ -int format_items(StrConst e) { +int format_items(StringLiteral e) { result = count(int i | | conversion_specifier(e, i)) + // a conversion specifier uses an extra item for each * @@ -47,7 +47,7 @@ int format_items(StrConst e) { private string str(Expr e) { result = e.(Num).getN() or - result = "'" + e.(StrConst).getText() + "'" + result = "'" + e.(StringLiteral).getText() + "'" } /** Gets a string representation of an expression more suited for embedding in message strings than .toString() */ diff --git a/python/ql/lib/semmle/python/types/ModuleKind.qll b/python/ql/lib/semmle/python/types/ModuleKind.qll index edb582b3627..ef44d80701e 100644 --- a/python/ql/lib/semmle/python/types/ModuleKind.qll +++ b/python/ql/lib/semmle/python/types/ModuleKind.qll @@ -15,7 +15,7 @@ private predicate is_script(ModuleObject m) { ( m.getModule().getFile().getExtension() != ".py" or - exists(If i, Name name, StrConst main, Cmpop op | + exists(If i, Name name, StringLiteral main, Cmpop op | i.getScope() = m.getModule() and op instanceof Eq and i.getTest().(Compare).compares(name, op, main) and diff --git a/python/ql/lib/semmle/python/types/Object.qll b/python/ql/lib/semmle/python/types/Object.qll index b408fc7ba1c..6c76067dc68 100644 --- a/python/ql/lib/semmle/python/types/Object.qll +++ b/python/ql/lib/semmle/python/types/Object.qll @@ -9,7 +9,7 @@ private predicate is_an_object(@py_object obj) { /* CFG nodes for numeric literals, all of which have a @py_cobject for the value of that literal */ obj instanceof ControlFlowNode and not obj.(ControlFlowNode).getNode() instanceof IntegerLiteral and - not obj.(ControlFlowNode).getNode() instanceof StrConst + not obj.(ControlFlowNode).getNode() instanceof StringLiteral or obj instanceof Builtin } 
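Review bot: In the ModuleKind.qll hunk, `is_script` tests `m.getModule().getFile().getExtension() != ".py"`, while the equivalent check in the ObjectAPI.qll hunk of this same commit uses `not this.getPath().getExtension() = "py"`. If `getExtension()` returns the extension without the leading dot, as the ObjectAPI.qll copy assumes, the ModuleKind.qll comparison holds for every file that has an extension, and the `__name__ == "__main__"` disjunct never decides anything. I would align it to `m.getModule().getFile().getExtension() != "py"`. The predicate continues outside the hunk, so its remaining conditions are not visible here.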
diff --git a/python/ql/src/Expressions/DuplicateKeyInDictionaryLiteral.ql b/python/ql/src/Expressions/DuplicateKeyInDictionaryLiteral.ql index 61046863718..7a5399700ec 100644 --- a/python/ql/src/Expressions/DuplicateKeyInDictionaryLiteral.ql +++ b/python/ql/src/Expressions/DuplicateKeyInDictionaryLiteral.ql @@ -22,7 +22,7 @@ predicate dict_key(Dict d, Expr k, string s) { // We use � to mark unrepresentable characters // so two instances of � may represent different strings in the source code not "�" = s.charAt(_) and - exists(StrConst c | c = k | + exists(StringLiteral c | c = k | s = "u\"" + c.getText() + "\"" and c.isUnicode() or s = "b\"" + c.getText() + "\"" and not c.isUnicode() diff --git a/python/ql/src/Expressions/Formatting/AdvancedFormatting.qll b/python/ql/src/Expressions/Formatting/AdvancedFormatting.qll index 1ba8a1843d9..7da80ffa027 100644 --- a/python/ql/src/Expressions/Formatting/AdvancedFormatting.qll +++ b/python/ql/src/Expressions/Formatting/AdvancedFormatting.qll @@ -1,7 +1,7 @@ import python /** A string constant that looks like it may be used in string formatting operations. */ -class PossibleAdvancedFormatString extends StrConst { +class PossibleAdvancedFormatString extends StringLiteral { PossibleAdvancedFormatString() { this.getText().matches("%{%}%") } private predicate field(int start, int end) { diff --git a/python/ql/src/Expressions/IncorrectComparisonUsingIs.ql b/python/ql/src/Expressions/IncorrectComparisonUsingIs.ql index aab2ba6bfa1..a60430aa4c1 100644 --- a/python/ql/src/Expressions/IncorrectComparisonUsingIs.ql +++ b/python/ql/src/Expressions/IncorrectComparisonUsingIs.ql @@ -21,7 +21,7 @@ predicate comparison_using_is(Compare comp, ControlFlowNode left, Cmpop op, Cont } private predicate cpython_interned_value(Expr e) { - exists(string text | text = e.(StrConst).getText() | + exists(string text | text = e.(StringLiteral).getText() | text.length() = 0 or text.length() = 1 and text.regexpMatch("[U+0000-U+00ff]") 
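Review bot: In the IncorrectComparisonUsingIs.ql hunk, `text.regexpMatch("[U+0000-U+00ff]")` in `cpython_interned_value` is a character class built from the literal characters `U`, `+`, `0`, `f` and the range `0`-`U`, not the code-point range U+0000 to U+00FF it appears to intend. A one-character string such as `"a"` is therefore not matched, while digits and upper-case letters up to `U` are. Assuming `regexpMatch` takes Java regex syntax, the line could read `text.length() = 1 and text.regexpMatch("[\\u0000-\\u00ff]")`. The same pattern recurs in the `cpython_interned_value` copy in the IsComparisons.qll hunk further down. The predicate continues past the end of the hunk.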
@@ -34,7 +34,7 @@ private predicate cpython_interned_value(Expr e) { predicate uninterned_literal(Expr e) { ( - e instanceof StrConst + e instanceof StringLiteral or e instanceof IntegerLiteral or diff --git a/python/ql/src/Expressions/IsComparisons.qll b/python/ql/src/Expressions/IsComparisons.qll index b6f06b30108..7825d01999b 100644 --- a/python/ql/src/Expressions/IsComparisons.qll +++ b/python/ql/src/Expressions/IsComparisons.qll @@ -49,7 +49,7 @@ predicate simple_constant(ControlFlowNode f) { } private predicate cpython_interned_value(Expr e) { - exists(string text | text = e.(StrConst).getText() | + exists(string text | text = e.(StringLiteral).getText() | text.length() = 0 or text.length() = 1 and text.regexpMatch("[U+0000-U+00ff]") @@ -70,7 +70,7 @@ private predicate universally_interned_value(Expr e) { or exists(Tuple t | t = e and not exists(t.getAnElt())) or - e.(StrConst).getText() = "" + e.(StringLiteral).getText() = "" } /** Holds if the expression `e` points to an interned constant in CPython. */ diff --git a/python/ql/src/Expressions/UnintentionalImplicitStringConcatenation.ql b/python/ql/src/Expressions/UnintentionalImplicitStringConcatenation.ql index 9547d0045ca..f653db40571 100644 --- a/python/ql/src/Expressions/UnintentionalImplicitStringConcatenation.ql +++ b/python/ql/src/Expressions/UnintentionalImplicitStringConcatenation.ql @@ -15,12 +15,12 @@ import python predicate string_const(Expr s) { - s instanceof StrConst + s instanceof StringLiteral or string_const(s.(BinaryExpr).getLeft()) and string_const(s.(BinaryExpr).getRight()) } -from StrConst s +from StringLiteral s where // Implicitly concatenated string is in a list and that list contains at least one other string. exists(List l, Expr other | diff --git a/python/ql/src/Expressions/WrongNumberArgumentsForFormat.ql b/python/ql/src/Expressions/WrongNumberArgumentsForFormat.ql index 2bf67102ff3..2a6d3f62be8 100644 --- a/python/ql/src/Expressions/WrongNumberArgumentsForFormat.ql 
+++ b/python/ql/src/Expressions/WrongNumberArgumentsForFormat.ql @@ -15,7 +15,7 @@ import python import semmle.python.strings -predicate string_format(BinaryExpr operation, StrConst str, Value args, AstNode origin) { +predicate string_format(BinaryExpr operation, StringLiteral str, Value args, AstNode origin) { operation.getOp() instanceof Mod and exists(Context ctx | operation.getLeft().pointsTo(ctx, _, str) and @@ -34,7 +34,7 @@ int sequence_length(Value args) { } from - BinaryExpr operation, StrConst fmt, Value args, int slen, int alen, AstNode origin, + BinaryExpr operation, StringLiteral fmt, Value args, int slen, int alen, AstNode origin, string provided where string_format(operation, fmt, args, origin) and diff --git a/python/ql/src/Imports/UnusedImport.ql b/python/ql/src/Imports/UnusedImport.ql index e9c2dbe839d..787ec019f57 100644 --- a/python/ql/src/Imports/UnusedImport.ql +++ b/python/ql/src/Imports/UnusedImport.ql @@ -53,7 +53,7 @@ predicate imported_module_used_in_doctest(Import imp) { pragma[noinline] private string doctest_in_scope(Scope scope) { - exists(StrConst doc | + exists(StringLiteral doc | doc.getEnclosingModule() = scope and doc.isDocString() and result = doc.getText() and @@ -63,7 +63,7 @@ private string doctest_in_scope(Scope scope) { pragma[noinline] private string typehint_annotation_in_module(Module module_scope) { - exists(StrConst annotation | + exists(StringLiteral annotation | annotation = any(Arguments a).getAnAnnotation().getASubExpression*() or annotation = any(AnnAssign a).getAnnotation().getASubExpression*() diff --git a/python/ql/src/Security/CVE-2018-1281/BindToAllInterfaces.ql b/python/ql/src/Security/CVE-2018-1281/BindToAllInterfaces.ql index 5751c23493e..5e2e27b3bf4 100644 --- a/python/ql/src/Security/CVE-2018-1281/BindToAllInterfaces.ql +++ b/python/ql/src/Security/CVE-2018-1281/BindToAllInterfaces.ql 
@@ -29,9 +29,9 @@ private string vulnerableHostname() { /** Gets a reference to a hostname that can be used to bind to all interfaces. */ private DataFlow::TypeTrackingNode vulnerableHostnameRef(DataFlow::TypeTracker t, string hostname) { t.start() and - exists(StrConst allInterfacesStrConst | hostname = vulnerableHostname() | - allInterfacesStrConst.getText() = hostname and - result.asExpr() = allInterfacesStrConst + exists(StringLiteral allInterfacesStringLiteral | hostname = vulnerableHostname() | + allInterfacesStringLiteral.getText() = hostname and + result.asExpr() = allInterfacesStringLiteral ) or exists(DataFlow::TypeTracker t2 | result = vulnerableHostnameRef(t2, hostname).track(t2, t)) diff --git a/python/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.ql b/python/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.ql index 6bf97d50bf5..5ab77438d63 100644 --- a/python/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.ql +++ b/python/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.ql @@ -16,7 +16,7 @@ import semmle.python.regex private string commonTopLevelDomainRegex() { result = "com|org|edu|gov|uk|net|io" } -predicate looksLikeUrl(StrConst s) { +predicate looksLikeUrl(StringLiteral s) { exists(string text | text = s.getText() | text.regexpMatch("(?i)([a-z]*:?//)?\\.?([a-z0-9-]+\\.)+(" + commonTopLevelDomainRegex() + ")(:[0-9]+)?/?") @@ -26,7 +26,7 @@ predicate looksLikeUrl(StrConst s) { ) } -predicate incomplete_sanitization(Expr sanitizer, StrConst url) { +predicate incomplete_sanitization(Expr sanitizer, StringLiteral url) { looksLikeUrl(url) and ( sanitizer.(Compare).compares(url, any(In i), _) 
@@ -37,19 +37,19 @@ predicate incomplete_sanitization(Expr sanitizer, StrConst url) { ) } -predicate unsafe_call_to_startswith(Call sanitizer, StrConst url) { +predicate unsafe_call_to_startswith(Call sanitizer, StringLiteral url) { sanitizer.getFunc().(Attribute).getName() = "startswith" and sanitizer.getArg(0) = url and not url.getText().regexpMatch("(?i)https?://[\\.a-z0-9-]+/.*") } -predicate unsafe_call_to_endswith(Call sanitizer, StrConst url) { +predicate unsafe_call_to_endswith(Call sanitizer, StringLiteral url) { sanitizer.getFunc().(Attribute).getName() = "endswith" and sanitizer.getArg(0) = url and not url.getText().regexpMatch("(?i)\\.([a-z0-9-]+)(\\.[a-z0-9-]+)+") } -from Expr sanitizer, StrConst url +from Expr sanitizer, StringLiteral url where incomplete_sanitization(sanitizer, url) select sanitizer, "The string $@ may be at an arbitrary position in the sanitized URL.", url, url.getText() diff --git a/python/ql/src/Security/CWE-798/HardcodedCredentials.ql b/python/ql/src/Security/CWE-798/HardcodedCredentials.ql index 04197b13610..4a2ff24a2f2 100644 --- a/python/ql/src/Security/CWE-798/HardcodedCredentials.ql +++ b/python/ql/src/Security/CWE-798/HardcodedCredentials.ql @@ -20,7 +20,7 @@ private import semmle.python.dataflow.new.internal.DataFlowDispatch as DataFlowD private import semmle.python.dataflow.new.internal.Builtins::Builtins as Builtins bindingset[char, fraction] -predicate fewer_characters_than(StrConst str, string char, float fraction) { +predicate fewer_characters_than(StringLiteral str, string char, float fraction) { exists(string text, int chars | text = str.getText() and chars = count(int i | text.charAt(i) = char) 
@@ -41,15 +41,15 @@ predicate possible_reflective_name(string name) { exists(Builtins::likelyBuiltin(name)) } -int char_count(StrConst str) { result = count(string c | c = str.getText().charAt(_)) } +int char_count(StringLiteral str) { result = count(string c | c = str.getText().charAt(_)) } -predicate capitalized_word(StrConst str) { str.getText().regexpMatch("[A-Z][a-z]+") } +predicate capitalized_word(StringLiteral str) { str.getText().regexpMatch("[A-Z][a-z]+") } -predicate format_string(StrConst str) { str.getText().matches("%{%}%") } +predicate format_string(StringLiteral str) { str.getText().matches("%{%}%") } predicate maybeCredential(ControlFlowNode f) { /* A string that is not too short and unlikely to be text or an identifier. */ - exists(StrConst str | str = f.getNode() | + exists(StringLiteral str | str = f.getNode() | /* At least 10 characters */ str.getText().length() > 9 and /* Not too much whitespace */ diff --git a/python/ql/src/Statements/AssertLiteralConstant.ql b/python/ql/src/Statements/AssertLiteralConstant.ql index 372b25fd10d..73bd1645858 100644 --- a/python/ql/src/Statements/AssertLiteralConstant.ql +++ b/python/ql/src/Statements/AssertLiteralConstant.ql @@ -21,7 +21,7 @@ where exists(Expr test | test = a.getTest() | value = test.(IntegerLiteral).getN() or - value = "\"" + test.(StrConst).getS() + "\"" + value = "\"" + test.(StringLiteral).getS() + "\"" or value = test.(NameConstant).toString() ) and diff --git a/python/ql/src/Statements/StatementNoEffect.ql b/python/ql/src/Statements/StatementNoEffect.ql index 5343b3e866f..72a9c91f8ae 100644 --- a/python/ql/src/Statements/StatementNoEffect.ql +++ b/python/ql/src/Statements/StatementNoEffect.ql @@ -121,7 +121,7 @@ predicate python2_print(Expr e) { predicate no_effect(Expr e) { // strings can be used as comments - not e instanceof StrConst and + not e instanceof StringLiteral and not e.hasSideEffects() and forall(Expr sub | sub = e.getASubExpression*() | not side_effecting_binary(sub) and 
diff --git a/python/ql/src/Statements/TopLevelPrint.ql b/python/ql/src/Statements/TopLevelPrint.ql index 8d35c7c942b..068bd594f74 100644 --- a/python/ql/src/Statements/TopLevelPrint.ql +++ b/python/ql/src/Statements/TopLevelPrint.ql @@ -14,7 +14,7 @@ import python predicate main_eq_name(If i) { - exists(Name n, StrConst m, Compare c | + exists(Name n, StringLiteral m, Compare c | i.getTest() = c and c.getLeft() = n and c.getAComparator() = m and diff --git a/python/ql/src/Variables/Loop.qll b/python/ql/src/Variables/Loop.qll index be19d4077c4..c7749fe476b 100644 --- a/python/ql/src/Variables/Loop.qll +++ b/python/ql/src/Variables/Loop.qll @@ -9,7 +9,7 @@ private predicate empty_sequence(Expr e) { or e instanceof Tuple and not exists(e.(Tuple).getAnElt()) or - e.(StrConst).getText().length() = 0 + e.(StringLiteral).getText().length() = 0 } /* This has the potential for refinement, but we err on the side of fewer false positives for now. */ diff --git a/python/ql/src/Variables/MonkeyPatched.qll b/python/ql/src/Variables/MonkeyPatched.qll index d06731f5223..ab842afbf26 100644 --- a/python/ql/src/Variables/MonkeyPatched.qll +++ b/python/ql/src/Variables/MonkeyPatched.qll @@ -1,7 +1,7 @@ import python predicate monkey_patched_builtin(string name) { - exists(AttrNode attr, SubscriptNode subscr, StrConst s | + exists(AttrNode attr, SubscriptNode subscr, StringLiteral s | subscr.isStore() and subscr.getIndex().getNode() = s and s.getText() = name and @@ -9,7 +9,7 @@ predicate monkey_patched_builtin(string name) { attr.getObject("__dict__").pointsTo(Module::builtinModule()) ) or - exists(CallNode call, ControlFlowNode bltn, StrConst s | + exists(CallNode call, ControlFlowNode bltn, StringLiteral s | call.getArg(0) = bltn and bltn.pointsTo(Module::builtinModule()) and call.getArg(1).getNode() = s and diff --git a/python/ql/src/Variables/MultiplyDefined.ql b/python/ql/src/Variables/MultiplyDefined.ql index a045dd6e8fa..7d0e76fb6c3 100644 
--- a/python/ql/src/Variables/MultiplyDefined.ql +++ b/python/ql/src/Variables/MultiplyDefined.ql @@ -43,7 +43,7 @@ predicate simple_literal(Expr e) { or e instanceof Dict and not exists(e.(Dict).getAKey()) or - e.(StrConst).getText() = "" + e.(StringLiteral).getText() = "" } /** diff --git a/python/ql/src/Variables/UndefinedExport.ql b/python/ql/src/Variables/UndefinedExport.ql index c57925cb591..537828616e5 100644 --- a/python/ql/src/Variables/UndefinedExport.ql +++ b/python/ql/src/Variables/UndefinedExport.ql @@ -14,7 +14,7 @@ import python /** Whether name is declared in the __all__ list of this module */ -predicate declaredInAll(Module m, StrConst name) { +predicate declaredInAll(Module m, StringLiteral name) { exists(Assign a, GlobalVariable all | a.defines(all) and a.getScope() = m and @@ -70,7 +70,7 @@ predicate contains_unknown_import_star(ModuleValue m) { ) } -from ModuleValue m, StrConst name, string exported_name +from ModuleValue m, StringLiteral name, string exported_name where declaredInAll(m.getScope(), name) and exported_name = name.getText() and diff --git a/python/ql/src/Variables/UnusedModuleVariable.ql b/python/ql/src/Variables/UnusedModuleVariable.ql index 543f17f6f35..869c31cb4fa 100644 --- a/python/ql/src/Variables/UnusedModuleVariable.ql +++ b/python/ql/src/Variables/UnusedModuleVariable.ql @@ -24,7 +24,7 @@ predicate complex_all(Module m) { | not a.getValue() instanceof List or - exists(Expr e | e = a.getValue().(List).getAnElt() | not e instanceof StrConst) + exists(Expr e | e = a.getValue().(List).getAnElt() | not e instanceof StringLiteral) ) or exists(Call c, GlobalVariable all | diff --git a/python/ql/src/experimental/Security/CWE-287-ConstantSecretKey/WebAppConstantSecretKeyFlask.qll b/python/ql/src/experimental/Security/CWE-287-ConstantSecretKey/WebAppConstantSecretKeyFlask.qll index b9068b2cdea..139f3e58f24 100644 --- a/python/ql/src/experimental/Security/CWE-287-ConstantSecretKey/WebAppConstantSecretKeyFlask.qll 
+++ b/python/ql/src/experimental/Security/CWE-287-ConstantSecretKey/WebAppConstantSecretKeyFlask.qll @@ -121,7 +121,7 @@ module FlaskConstantSecretKeyConfig { .getACall() and result = [ - cn.getParameter(0).getAValueReachingSink().asExpr().(StrConst).getText(), + cn.getParameter(0).getAValueReachingSink().asExpr().(StringLiteral).getText(), cn.getParameter(0).asSink().asExpr().(Name).getId() ] } @@ -134,6 +134,6 @@ module FlaskConstantSecretKeyConfig { .getASuccessor*() .getMember("from_object") .getACall() and - result = cn.getParameter(0).asSink().asExpr().(StrConst).getText() + result = cn.getParameter(0).asSink().asExpr().(StringLiteral).getText() } } diff --git a/python/ql/src/experimental/Security/CWE-287-ConstantSecretKey/WebAppConstantSecretKeySource.qll b/python/ql/src/experimental/Security/CWE-287-ConstantSecretKey/WebAppConstantSecretKeySource.qll index ab176bf7f2e..452f006494b 100644 --- a/python/ql/src/experimental/Security/CWE-287-ConstantSecretKey/WebAppConstantSecretKeySource.qll +++ b/python/ql/src/experimental/Security/CWE-287-ConstantSecretKey/WebAppConstantSecretKeySource.qll @@ -11,12 +11,12 @@ class WebAppConstantSecretKeySource extends DataFlow::Node { env = API::moduleImport("environ").getMember("Env") and // has default value exists(API::Node param | param = env.getKeywordParameter("SECRET_KEY") | - param.asSink().asExpr().getASubExpression*() instanceof StrConst + param.asSink().asExpr().getASubExpression*() instanceof StringLiteral ) and this = env.getReturn().getReturn().asSource() ) or - this.asExpr() instanceof StrConst + this.asExpr() instanceof StringLiteral or exists(API::CallNode cn | cn = 
@@ -25,7 +25,7 @@ class WebAppConstantSecretKeySource extends DataFlow::Node { API::moduleImport("os").getMember("environ").getMember("get").getACall() ] and cn.getNumArgument() = 2 and - DataFlow::localFlow(any(DataFlow::Node n | n.asExpr() instanceof StrConst), cn.getArg(1)) and + DataFlow::localFlow(any(DataFlow::Node n | n.asExpr() instanceof StringLiteral), cn.getArg(1)) and this.asExpr() = cn.asExpr() ) ) and diff --git a/python/ql/src/experimental/Security/CWE-287/ImproperLdapAuth.ql b/python/ql/src/experimental/Security/CWE-287/ImproperLdapAuth.ql index 22fc39f09f5..14008dff8d4 100644 --- a/python/ql/src/experimental/Security/CWE-287/ImproperLdapAuth.ql +++ b/python/ql/src/experimental/Security/CWE-287/ImproperLdapAuth.ql @@ -20,7 +20,7 @@ predicate authenticatesImproperly(LdapBind ldapBind) { not exists(ldapBind.getPassword()) ) or - exists(StrConst emptyString | + exists(StringLiteral emptyString | emptyString.getText() = "" and DataFlow::localFlow(DataFlow::exprNode(emptyString), ldapBind.getPassword()) ) diff --git a/python/ql/src/experimental/Security/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql b/python/ql/src/experimental/Security/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql index b23ca4b0bc6..c548eac6836 100644 --- a/python/ql/src/experimental/Security/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql +++ b/python/ql/src/experimental/Security/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql @@ -109,7 +109,7 @@ private module AzureBlobClientConfig implements DataFlow::StateConfigSig { exists(DataFlow::AttrWrite attr | node = anyClient(_).getAValueReachableFromSource() and attr.accesses(node, "encryption_version") and - attr.getValue().asExpr().(StrConst).getText() in ["'2.0'", "2.0"] + attr.getValue().asExpr().(StringLiteral).getText() in ["'2.0'", "2.0"] ) or // small optimization to block flow with no encryption out of the post-update node 
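Review bot: The `DataFlow::localFlow(any(DataFlow::Node n | n.asExpr() instanceof StringLiteral), cn.getArg(1)) and` line in this WebAppConstantSecretKeySource.qll hunk is now 98 characters before indentation, which probably puts it past the 100-column width the QL auto-formatter wraps at. Re-run the formatter over the touched files, or wrap by hand so that `cn.getArg(1)) and` sits on its own continuation line. The same likely applies to the `in ["NFKC", "NFKD"]` lines in UnicodeDoS.ql, the `getSubscript("type")` line in Sendgrid.qll, the one-line `mode` chains in DecompressionBomb.qll and the `sensitiveheaders()` comparisons in TimingAttack.qll. Indentation is collapsed on this page, so exact widths could not be checked.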
diff --git a/python/ql/src/experimental/Security/CWE-348/ClientSuppliedIpUsedInSecurityCheck.ql b/python/ql/src/experimental/Security/CWE-348/ClientSuppliedIpUsedInSecurityCheck.ql index 51d6c9b6652..219192ce45d 100644 --- a/python/ql/src/experimental/Security/CWE-348/ClientSuppliedIpUsedInSecurityCheck.ql +++ b/python/ql/src/experimental/Security/CWE-348/ClientSuppliedIpUsedInSecurityCheck.ql @@ -41,7 +41,7 @@ private module ClientSuppliedIpUsedInSecurityCheckConfig implements DataFlow::Co exists(Subscript ss | not ss.getIndex().(IntegerLiteral).getText() = "0" and ss.getObject().(Call).getFunc().(Attribute).getName() = "split" and - ss.getObject().(Call).getAnArg().(StrConst).getText() = "," and + ss.getObject().(Call).getAnArg().(StringLiteral).getText() = "," and ss = node.asExpr() ) } diff --git a/python/ql/src/experimental/Security/CWE-348/ClientSuppliedIpUsedInSecurityCheckLib.qll b/python/ql/src/experimental/Security/CWE-348/ClientSuppliedIpUsedInSecurityCheckLib.qll index 9167e300ac5..3d6ff03d3e4 100644 --- a/python/ql/src/experimental/Security/CWE-348/ClientSuppliedIpUsedInSecurityCheckLib.qll +++ b/python/ql/src/experimental/Security/CWE-348/ClientSuppliedIpUsedInSecurityCheckLib.qll @@ -20,7 +20,7 @@ private class FlaskClientSuppliedIpUsedInSecurityCheck extends ClientSuppliedIpU { FlaskClientSuppliedIpUsedInSecurityCheck() { this = Flask::request().getMember("headers").getMember(["get", "get_all", "getlist"]).getACall() and - this.getArg(0).asExpr().(StrConst).getText().toLowerCase() = clientIpParameterName() + this.getArg(0).asExpr().(StringLiteral).getText().toLowerCase() = clientIpParameterName() } } 
@@ -35,7 +35,7 @@ private class DjangoClientSuppliedIpUsedInSecurityCheck extends ClientSuppliedIp headers.getAttributeName() in ["headers", "META"] and this.calls(headers, "get") ) and - this.getArg(0).asExpr().(StrConst).getText().toLowerCase() = clientIpParameterName() + this.getArg(0).asExpr().(StringLiteral).getText().toLowerCase() = clientIpParameterName() } } @@ -54,7 +54,7 @@ private class TornadoClientSuppliedIpUsedInSecurityCheck extends ClientSuppliedI headers.getAttributeName() = "headers" and this.calls(headers, ["get", "get_list"]) ) and - this.getArg(0).asExpr().(StrConst).getText().toLowerCase() = clientIpParameterName() + this.getArg(0).asExpr().(StringLiteral).getText().toLowerCase() = clientIpParameterName() } } @@ -85,8 +85,8 @@ private class CompareSink extends PossibleSecurityCheck { CompareSink() { exists(Call call | call.getFunc().(Attribute).getName() = "startswith" and - call.getArg(0).(StrConst).getText().regexpMatch(getIpAddressRegex()) and - not call.getArg(0).(StrConst).getText() = "0:0:0:0:0:0:0:1" and + call.getArg(0).(StringLiteral).getText().regexpMatch(getIpAddressRegex()) and + not call.getArg(0).(StringLiteral).getText() = "0:0:0:0:0:0:0:1" and call.getFunc().(Attribute).getObject() = this.asExpr() ) or 
@@ -97,12 +97,12 @@ private class CompareSink extends PossibleSecurityCheck { ) and ( compare.getLeft() = this.asExpr() and - compare.getComparator(0).(StrConst).getText() instanceof PrivateHostName and - not compare.getComparator(0).(StrConst).getText() = "0:0:0:0:0:0:0:1" + compare.getComparator(0).(StringLiteral).getText() instanceof PrivateHostName and + not compare.getComparator(0).(StringLiteral).getText() = "0:0:0:0:0:0:0:1" or compare.getComparator(0) = this.asExpr() and - compare.getLeft().(StrConst).getText() instanceof PrivateHostName and - not compare.getLeft().(StrConst).getText() = "0:0:0:0:0:0:0:1" + compare.getLeft().(StringLiteral).getText() instanceof PrivateHostName and + not compare.getLeft().(StringLiteral).getText() = "0:0:0:0:0:0:0:1" ) ) or @@ -115,7 +115,7 @@ private class CompareSink extends PossibleSecurityCheck { compare.getLeft() = this.asExpr() or compare.getComparator(0) = this.asExpr() and - not compare.getLeft().(StrConst).getText() in ["%", ",", "."] + not compare.getLeft().(StringLiteral).getText() in ["%", ",", "."] ) ) } diff --git a/python/ql/src/experimental/Security/CWE-770/UnicodeDoS.ql b/python/ql/src/experimental/Security/CWE-770/UnicodeDoS.ql index 9e0a3a3018a..a338a57b2c3 100644 --- a/python/ql/src/experimental/Security/CWE-770/UnicodeDoS.ql +++ b/python/ql/src/experimental/Security/CWE-770/UnicodeDoS.ql 
@@ -25,16 +25,16 @@ class UnicodeCompatibilityNormalize extends API::CallNode { UnicodeCompatibilityNormalize() { ( this = API::moduleImport("unicodedata").getMember("normalize").getACall() and - this.getParameter(0).getAValueReachingSink().asExpr().(StrConst).getText() in ["NFKC", "NFKD"] + this.getParameter(0).getAValueReachingSink().asExpr().(StringLiteral).getText() in ["NFKC", "NFKD"] or this = API::moduleImport("pyunormalize").getMember("normalize").getACall() and - this.getParameter(0).getAValueReachingSink().asExpr().(StrConst).getText() in ["NFKC", "NFKD"] + this.getParameter(0).getAValueReachingSink().asExpr().(StringLiteral).getText() in ["NFKC", "NFKD"] ) and argIdx = 1 or ( this = API::moduleImport("textnorm").getMember("normalize_unicode").getACall() and - this.getParameter(1).getAValueReachingSink().asExpr().(StrConst).getText() in ["NFKC", "NFKD"] + this.getParameter(1).getAValueReachingSink().asExpr().(StringLiteral).getText() in ["NFKC", "NFKD"] or this = API::moduleImport("unidecode").getMember("unidecode").getACall() or diff --git a/python/ql/src/experimental/semmle/python/CookieHeader.qll b/python/ql/src/experimental/semmle/python/CookieHeader.qll index 690dff3ecba..3a1437dff4a 100644 --- a/python/ql/src/experimental/semmle/python/CookieHeader.qll +++ b/python/ql/src/experimental/semmle/python/CookieHeader.qll @@ -28,7 +28,7 @@ import experimental.semmle.python.Concepts */ class CookieHeader extends Cookie::Range instanceof HeaderDeclaration { CookieHeader() { - exists(StrConst str | + exists(StringLiteral str | str.getText() = "Set-Cookie" and DataFlow::exprNode(str) .(DataFlow::LocalSourceNode) @@ -37,7 +37,7 @@ class CookieHeader extends Cookie::Range instanceof HeaderDeclaration { } override predicate isSecure() { - exists(StrConst str | + exists(StringLiteral str | str.getText().regexpMatch(".*; *Secure;.*") and DataFlow::exprNode(str) .(DataFlow::LocalSourceNode) 
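Review bot: The `isSecure` pattern `.*; *Secure;.*` in CookieHeader.qll only matches when another `;` follows `Secure`, so a literal such as `id=1; Secure` (constructed example) with the attribute last is not recognised and the cookie would presumably be reported as missing the flag. The pattern is also case-sensitive, while cookie attribute names are not. The rename leaves this untouched, and `isHttpOnly` and `isSameSite` in the next two hunks have the same shape. Consider `str.getText().regexpMatch("(?i).*; *Secure *(;.*)?")` and the equivalent for the other two predicates. Each predicate body continues outside its hunk, so how the literal is tied to the header declaration was not checked.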
@@ -46,7 +46,7 @@ class CookieHeader extends Cookie::Range instanceof HeaderDeclaration { } override predicate isHttpOnly() { - exists(StrConst str | + exists(StringLiteral str | str.getText().regexpMatch(".*; *HttpOnly;.*") and DataFlow::exprNode(str) .(DataFlow::LocalSourceNode) @@ -55,7 +55,7 @@ class CookieHeader extends Cookie::Range instanceof HeaderDeclaration { } override predicate isSameSite() { - exists(StrConst str | + exists(StringLiteral str | str.getText().regexpMatch(".*; *SameSite=(Strict|Lax);.*") and DataFlow::exprNode(str) .(DataFlow::LocalSourceNode) diff --git a/python/ql/src/experimental/semmle/python/frameworks/Django.qll b/python/ql/src/experimental/semmle/python/frameworks/Django.qll index 47b05cc95fd..c1a5629ef68 100644 --- a/python/ql/src/experimental/semmle/python/frameworks/Django.qll +++ b/python/ql/src/experimental/semmle/python/frameworks/Django.qll @@ -159,7 +159,7 @@ private module ExperimentalPrivateDjango { } override predicate isSameSite() { - exists(StrConst str | + exists(StringLiteral str | str.getText() in ["Strict", "Lax"] and DataFlow::exprNode(str) .(DataFlow::LocalSourceNode) diff --git a/python/ql/src/experimental/semmle/python/frameworks/Flask.qll b/python/ql/src/experimental/semmle/python/frameworks/Flask.qll index 3252acf24fd..aa120dc1fcb 100644 --- a/python/ql/src/experimental/semmle/python/frameworks/Flask.qll +++ b/python/ql/src/experimental/semmle/python/frameworks/Flask.qll @@ -119,7 +119,7 @@ module ExperimentalFlask { } override predicate isSameSite() { - exists(StrConst str | + exists(StringLiteral str | str.getText() in ["Strict", "Lax"] and DataFlow::exprNode(str) .(DataFlow::LocalSourceNode) diff --git a/python/ql/src/experimental/semmle/python/frameworks/JWT.qll b/python/ql/src/experimental/semmle/python/frameworks/JWT.qll index f5098014f2b..5d8fd98f2c0 100644 --- a/python/ql/src/experimental/semmle/python/frameworks/JWT.qll +++ b/python/ql/src/experimental/semmle/python/frameworks/JWT.qll 
@@ -6,7 +6,7 @@ predicate isEmptyOrNone(DataFlow::Node arg) { isEmpty(arg) or isNone(arg) } /** Checks if an empty string `""` flows to `arg` */ predicate isEmpty(DataFlow::Node arg) { - exists(StrConst emptyString | + exists(StringLiteral emptyString | emptyString.getText() = "" and DataFlow::exprNode(emptyString).(DataFlow::LocalSourceNode).flowsTo(arg) ) diff --git a/python/ql/src/experimental/semmle/python/frameworks/Sendgrid.qll b/python/ql/src/experimental/semmle/python/frameworks/Sendgrid.qll index 51ff2fda354..c9814917c73 100644 --- a/python/ql/src/experimental/semmle/python/frameworks/Sendgrid.qll +++ b/python/ql/src/experimental/semmle/python/frameworks/Sendgrid.qll @@ -74,7 +74,7 @@ private module Sendgrid { private DataFlow::Node sendgridContent(DataFlow::CallCfgNode contentCall, string mime) { mime in ["text/plain", "text/html", "text/x-amp-html"] and - exists(StrConst mimeNode | + exists(StringLiteral mimeNode | mimeNode.getText() = mime and DataFlow::exprNode(mimeNode).(DataFlow::LocalSourceNode).flowsTo(contentCall.getArg(0)) and result = contentCall.getArg(1) @@ -122,7 +122,7 @@ private module Sendgrid { contentElement = this.getKeywordParameter("request_body").getSubscript("content").getASubscript() | - contentElement.getSubscript("type").getAValueReachingSink().asExpr().(StrConst).getText() = + contentElement.getSubscript("type").getAValueReachingSink().asExpr().(StringLiteral).getText() = ["text/html", "text/x-amp-html"] and result = contentElement.getSubscript("value").getAValueReachingSink() ) diff --git a/python/ql/src/experimental/semmle/python/libraries/Authlib.qll b/python/ql/src/experimental/semmle/python/libraries/Authlib.qll index afb80950ea6..02c52ca2b72 100644 --- a/python/ql/src/experimental/semmle/python/libraries/Authlib.qll +++ b/python/ql/src/experimental/semmle/python/libraries/Authlib.qll 
@@ -49,7 +49,7 @@ private module Authlib { } override string getAlgorithmString() { - exists(StrConst str | + exists(StringLiteral str | DataFlow::exprNode(str).(DataFlow::LocalSourceNode).flowsTo(this.getAlgorithm()) and result = str.getText() ) diff --git a/python/ql/src/experimental/semmle/python/libraries/PyJWT.qll b/python/ql/src/experimental/semmle/python/libraries/PyJWT.qll index fb4764310c8..caf09b4bd99 100644 --- a/python/ql/src/experimental/semmle/python/libraries/PyJWT.qll +++ b/python/ql/src/experimental/semmle/python/libraries/PyJWT.qll @@ -39,7 +39,7 @@ private module PyJwt { } override string getAlgorithmString() { - exists(StrConst str | + exists(StringLiteral str | DataFlow::exprNode(str).(DataFlow::LocalSourceNode).flowsTo(this.getAlgorithm()) and result = str.getText() ) @@ -75,7 +75,7 @@ private module PyJwt { } override string getAlgorithmString() { - exists(StrConst str | + exists(StringLiteral str | DataFlow::exprNode(str).(DataFlow::LocalSourceNode).flowsTo(this.getAlgorithm()) and result = str.getText() ) diff --git a/python/ql/src/experimental/semmle/python/libraries/PythonJose.qll b/python/ql/src/experimental/semmle/python/libraries/PythonJose.qll index 86efd7f86bf..d17f5ec62d5 100644 --- a/python/ql/src/experimental/semmle/python/libraries/PythonJose.qll +++ b/python/ql/src/experimental/semmle/python/libraries/PythonJose.qll @@ -40,7 +40,7 @@ private module PythonJose { } override string getAlgorithmString() { - exists(StrConst str | + exists(StringLiteral str | DataFlow::exprNode(str).(DataFlow::LocalSourceNode).flowsTo(this.getAlgorithm()) and result = str.getText() ) @@ -76,7 +76,7 @@ private module PythonJose { } override string getAlgorithmString() { - exists(StrConst str | + exists(StringLiteral str | DataFlow::exprNode(str).(DataFlow::LocalSourceNode).flowsTo(this.getAlgorithm()) and result = str.getText() ) 
diff --git a/python/ql/src/experimental/semmle/python/libraries/Python_JWT.qll b/python/ql/src/experimental/semmle/python/libraries/Python_JWT.qll index abfca2e6375..b46d9e35b92 100644 --- a/python/ql/src/experimental/semmle/python/libraries/Python_JWT.qll +++ b/python/ql/src/experimental/semmle/python/libraries/Python_JWT.qll @@ -38,7 +38,7 @@ private module Python_Jwt { override DataFlow::Node getAlgorithm() { result = this.verifyCall().getArg(2) } override string getAlgorithmString() { - exists(StrConst str | + exists(StringLiteral str | DataFlow::exprNode(str).(DataFlow::LocalSourceNode).flowsTo(this.getAlgorithm()) and result = str.getText() ) diff --git a/python/ql/src/experimental/semmle/python/libraries/SmtpLib.qll b/python/ql/src/experimental/semmle/python/libraries/SmtpLib.qll index 7ecbbc1beba..5bb9ef6cb8e 100644 --- a/python/ql/src/experimental/semmle/python/libraries/SmtpLib.qll +++ b/python/ql/src/experimental/semmle/python/libraries/SmtpLib.qll @@ -23,7 +23,7 @@ module SmtpLib { private DataFlow::CallCfgNode mimeText(string mimetype) { result = smtpMimeTextInstance().getACall() and - [result.getArg(1), result.getArgByName("_subtype")].asExpr().(StrConst).getText() = mimetype + [result.getArg(1), result.getArgByName("_subtype")].asExpr().(StringLiteral).getText() = mimetype } /** diff --git a/python/ql/src/experimental/semmle/python/security/DecompressionBomb.qll b/python/ql/src/experimental/semmle/python/security/DecompressionBomb.qll index b7821abcaf8..9a4cd048b90 100644 --- a/python/ql/src/experimental/semmle/python/security/DecompressionBomb.qll +++ b/python/ql/src/experimental/semmle/python/security/DecompressionBomb.qll @@ -145,7 +145,7 @@ module TarFile { .getParameter(1, "mode") .getAValueReachingSink() .asExpr() - .(StrConst) + .(StringLiteral) .getText() ) or not result @@ -153,7 +153,7 @@ module TarFile { .getParameter(1, "mode") .getAValueReachingSink() .asExpr() - .(StrConst) + .(StringLiteral) .getText() .matches("r:%") ) 
@@ -211,7 +211,7 @@ module Pandas { .getKeywordParameter("compression") .getAValueReachingSink() .asExpr() - .(StrConst) + .(StringLiteral) .getText() = "tar" ) ) @@ -260,13 +260,13 @@ module Gzip { this = gzipCall.getParameter(0, "filename").asSink() and ( not exists( - gzipCall.getParameter(1, "mode").getAValueReachingSink().asExpr().(StrConst).getText() + gzipCall.getParameter(1, "mode").getAValueReachingSink().asExpr().(StringLiteral).getText() ) or gzipCall .getParameter(1, "mode") .getAValueReachingSink() .asExpr() - .(StrConst) + .(StringLiteral) .getText() .matches("%r%") ) @@ -297,13 +297,13 @@ module Bz2 { this = bz2Call.getParameter(0, "filename").asSink() and ( not exists( - bz2Call.getParameter(1, "mode").getAValueReachingSink().asExpr().(StrConst).getText() + bz2Call.getParameter(1, "mode").getAValueReachingSink().asExpr().(StringLiteral).getText() ) or bz2Call .getParameter(1, "mode") .getAValueReachingSink() .asExpr() - .(StrConst) + .(StringLiteral) .getText() .matches("%r%") ) @@ -334,13 +334,13 @@ module Lzma { this = lzmaCall.getParameter(0, "filename").asSink() and ( not exists( - lzmaCall.getParameter(1, "mode").getAValueReachingSink().asExpr().(StrConst).getText() + lzmaCall.getParameter(1, "mode").getAValueReachingSink().asExpr().(StringLiteral).getText() ) or lzmaCall .getParameter(1, "mode") .getAValueReachingSink() .asExpr() - .(StrConst) + .(StringLiteral) .getText() .matches("%r%") ) diff --git a/python/ql/src/experimental/semmle/python/security/LdapInsecureAuth.qll b/python/ql/src/experimental/semmle/python/security/LdapInsecureAuth.qll index e8249dcdff7..a63332137d1 100644 --- a/python/ql/src/experimental/semmle/python/security/LdapInsecureAuth.qll +++ b/python/ql/src/experimental/semmle/python/security/LdapInsecureAuth.qll 
@@ -18,7 +18,7 @@ string getPrivateHostRegex() { } // "ldap://somethingon.theinternet.com" -class LdapFullHost extends StrConst { +class LdapFullHost extends StringLiteral { LdapFullHost() { exists(string s | s = this.getText() and @@ -29,15 +29,15 @@ class LdapFullHost extends StrConst { } } -class LdapSchema extends StrConst { +class LdapSchema extends StringLiteral { LdapSchema() { this.getText().regexpMatch(getSchemaRegex()) } } -class LdapPrivateHost extends StrConst { +class LdapPrivateHost extends StringLiteral { LdapPrivateHost() { this.getText().regexpMatch(getPrivateHostRegex()) } } -predicate concatAndCompareAgainstFullHostRegex(LdapSchema schema, StrConst host) { +predicate concatAndCompareAgainstFullHostRegex(LdapSchema schema, StringLiteral host) { not host instanceof LdapPrivateHost and (schema.getText() + host.getText()).regexpMatch(getFullHostRegex()) } diff --git a/python/ql/src/experimental/semmle/python/security/TimingAttack.qll b/python/ql/src/experimental/semmle/python/security/TimingAttack.qll index f072f212305..30a58c009c7 100644 --- a/python/ql/src/experimental/semmle/python/security/TimingAttack.qll +++ b/python/ql/src/experimental/semmle/python/security/TimingAttack.qll @@ -204,7 +204,7 @@ abstract class ClientSuppliedSecret extends DataFlow::CallCfgNode { } private class FlaskClientSuppliedSecret extends ClientSuppliedSecret { FlaskClientSuppliedSecret() { this = Flask::request().getMember("headers").getMember(["get", "get_all", "getlist"]).getACall() and - [this.getArg(0), this.getArgByName(["key", "name"])].asExpr().(StrConst).getText().toLowerCase() = + [this.getArg(0), this.getArgByName(["key", "name"])].asExpr().(StringLiteral).getText().toLowerCase() = sensitiveheaders() } } 
@@ -216,7 +216,7 @@ private class DjangoClientSuppliedSecret extends ClientSuppliedSecret { .getMember(["headers", "META"]) .getMember("get") .getACall() and - [this.getArg(0), this.getArgByName("key")].asExpr().(StrConst).getText().toLowerCase() = + [this.getArg(0), this.getArgByName("key")].asExpr().(StringLiteral).getText().toLowerCase() = sensitiveheaders() } } @@ -229,7 +229,7 @@ API::Node requesthandler() { private class TornadoClientSuppliedSecret extends ClientSuppliedSecret { TornadoClientSuppliedSecret() { this = requesthandler().getMember(["headers", "META"]).getMember("get").getACall() and - [this.getArg(0), this.getArgByName("key")].asExpr().(StrConst).getText().toLowerCase() = + [this.getArg(0), this.getArgByName("key")].asExpr().(StringLiteral).getText().toLowerCase() = sensitiveheaders() } } @@ -243,7 +243,7 @@ private class WerkzeugClientSuppliedSecret extends ClientSuppliedSecret { WerkzeugClientSuppliedSecret() { this = headers().getMember(["headers", "META"]).getMember(["get", "get_all", "getlist"]).getACall() and - [this.getArg(0), this.getArgByName(["key", "name"])].asExpr().(StrConst).getText().toLowerCase() = + [this.getArg(0), this.getArgByName(["key", "name"])].asExpr().(StringLiteral).getText().toLowerCase() = sensitiveheaders() } } @@ -314,10 +314,10 @@ class CompareSink extends DataFlow::Node { ) and ( compare.getLeft() = this.asExpr() and - not compare.getComparator(0).(StrConst).getText() = "bearer" + not compare.getComparator(0).(StringLiteral).getText() = "bearer" or compare.getComparator(0) = this.asExpr() and - not compare.getLeft().(StrConst).getText() = "bearer" + not compare.getLeft().(StringLiteral).getText() = "bearer" ) ) or diff --git a/python/ql/test/2/extractor-tests/multibyte/Test.ql b/python/ql/test/2/extractor-tests/multibyte/Test.ql index c6c92eefdd3..25b5e9c0a2c 100644 --- a/python/ql/test/2/extractor-tests/multibyte/Test.ql +++ b/python/ql/test/2/extractor-tests/multibyte/Test.ql 
@@ -1,4 +1,4 @@ import python -from StrConst s +from StringLiteral s select s, s.getText() diff --git a/python/ql/test/2/library-tests/locations/general/Prefix.ql b/python/ql/test/2/library-tests/locations/general/Prefix.ql index bee9e555cc6..361499ce8fa 100644 --- a/python/ql/test/2/library-tests/locations/general/Prefix.ql +++ b/python/ql/test/2/library-tests/locations/general/Prefix.ql @@ -1,4 +1,4 @@ import python -from StrConst s +from StringLiteral s select s.getLocation().getStartLine(), s.getText(), s.getPrefix() diff --git a/python/ql/test/2/library-tests/locations/strings/test.ql b/python/ql/test/2/library-tests/locations/strings/test.ql index be3052d9500..8956611c0a9 100644 --- a/python/ql/test/2/library-tests/locations/strings/test.ql +++ b/python/ql/test/2/library-tests/locations/strings/test.ql @@ -1,5 +1,5 @@ import python -from StrConst s, int bl, int bc, int el, int ec +from StringLiteral s, int bl, int bc, int el, int ec where s.getLocation().hasLocationInfo(_, bl, bc, el, ec) select bl, bc, el, ec, s.getText() diff --git a/python/ql/test/3/extractor-tests/fstrings3.6/Formatted.ql b/python/ql/test/3/extractor-tests/fstrings3.6/Formatted.ql index 3685825bfe3..b57e9ee0c33 100644 --- a/python/ql/test/3/extractor-tests/fstrings3.6/Formatted.ql +++ b/python/ql/test/3/extractor-tests/fstrings3.6/Formatted.ql @@ -8,7 +8,7 @@ where not exists(val.getConversion()) and typeconv = " " ) and ( - format = val.getFormatSpec().getValue(0).(StrConst).getText() + format = val.getFormatSpec().getValue(0).(StringLiteral).getText() or not exists(val.getFormatSpec()) and format = "" ) diff --git a/python/ql/test/3/extractor-tests/fstrings3.6/Successors.ql b/python/ql/test/3/extractor-tests/fstrings3.6/Successors.ql index f18572f75ac..fe8e7f836de 100644 --- a/python/ql/test/3/extractor-tests/fstrings3.6/Successors.ql +++ b/python/ql/test/3/extractor-tests/fstrings3.6/Successors.ql 
@@ -1,9 +1,9 @@
 import python
 string repr(AstNode a) {
- not a instanceof StrConst and result = a.toString()
+ not a instanceof StringLiteral and result = a.toString()
 or
- result = "\"" + a.(StrConst).getText() + "\""
+ result = "\"" + a.(StringLiteral).getText() + "\""
 }
 from ControlFlowNode p, ControlFlowNode s, BasicBlock b, int n
diff --git a/python/ql/test/3/extractor-tests/fstrings3.8/Successors.ql b/python/ql/test/3/extractor-tests/fstrings3.8/Successors.ql
index f18572f75ac..fe8e7f836de 100644
--- a/python/ql/test/3/extractor-tests/fstrings3.8/Successors.ql
+++ b/python/ql/test/3/extractor-tests/fstrings3.8/Successors.ql
@@ -1,9 +1,9 @@
 import python
 string repr(AstNode a) {
- not a instanceof StrConst and result = a.toString()
+ not a instanceof StringLiteral and result = a.toString()
 or
- result = "\"" + a.(StrConst).getText() + "\""
+ result = "\"" + a.(StringLiteral).getText() + "\""
 }
 from ControlFlowNode p, ControlFlowNode s, BasicBlock b, int n
diff --git a/python/ql/test/3/extractor-tests/multibyte/Test.ql b/python/ql/test/3/extractor-tests/multibyte/Test.ql
index c6c92eefdd3..25b5e9c0a2c 100644
--- a/python/ql/test/3/extractor-tests/multibyte/Test.ql
+++ b/python/ql/test/3/extractor-tests/multibyte/Test.ql
@@ -1,4 +1,4 @@
 import python
-from StrConst s
+from StringLiteral s
 select s, s.getText()
diff --git a/python/ql/test/3/library-tests/locations/general/Prefix.ql b/python/ql/test/3/library-tests/locations/general/Prefix.ql
index bee9e555cc6..361499ce8fa 100644
--- a/python/ql/test/3/library-tests/locations/general/Prefix.ql
+++ b/python/ql/test/3/library-tests/locations/general/Prefix.ql
@@ -1,4 +1,4 @@
 import python
-from StrConst s
+from StringLiteral s
 select s.getLocation().getStartLine(), s.getText(), s.getPrefix()
diff --git a/python/ql/test/experimental/dataflow/testConfig.qll b/python/ql/test/experimental/dataflow/testConfig.qll
index 887f9e48e8e..552180eeaaf 100644
--- a/python/ql/test/experimental/dataflow/testConfig.qll
+++ b/python/ql/test/experimental/dataflow/testConfig.qll
@@ -27,7 +27,7 @@ module TestConfig implements DataFlow::ConfigSig {
 predicate isSource(DataFlow::Node node) {
 node.(DataFlow::CfgNode).getNode().(NameNode).getId() = "SOURCE"
 or
- node.(DataFlow::CfgNode).getNode().getNode().(StrConst).getS() = "source"
+ node.(DataFlow::CfgNode).getNode().getNode().(StringLiteral).getS() = "source"
 or
 node.(DataFlow::CfgNode).getNode().getNode().(IntegerLiteral).getN() = "42"
 or
diff --git a/python/ql/test/experimental/dataflow/testTaintConfig.qll b/python/ql/test/experimental/dataflow/testTaintConfig.qll
index 89e9593c89f..c9770600eeb 100644
--- a/python/ql/test/experimental/dataflow/testTaintConfig.qll
+++ b/python/ql/test/experimental/dataflow/testTaintConfig.qll
@@ -28,7 +28,7 @@ module TestConfig implements DataFlow::ConfigSig {
 predicate isSource(DataFlow::Node node) {
 node.(DataFlow::CfgNode).getNode().(NameNode).getId() = "SOURCE"
 or
- node.(DataFlow::CfgNode).getNode().getNode().(StrConst).getS() = "source"
+ node.(DataFlow::CfgNode).getNode().getNode().(StringLiteral).getS() = "source"
 or
 node.(DataFlow::CfgNode).getNode().getNode().(IntegerLiteral).getN() = "42"
 or
diff --git a/python/ql/test/experimental/import-resolution/importflow.ql b/python/ql/test/experimental/import-resolution/importflow.ql
index 0225cb2dc86..0398f1a7a69 100644
--- a/python/ql/test/experimental/import-resolution/importflow.ql
+++ b/python/ql/test/experimental/import-resolution/importflow.ql
@@ -9,7 +9,7 @@ private class SourceString extends DataFlow::Node {
 string contents;
 SourceString() {
- this.asExpr().(StrConst).getText() = contents and
+ this.asExpr().(StringLiteral).getText() = contents and
 this.asExpr().getParent() instanceof Assign
 or
 this.asExpr().(ClassExpr).getInnerScope().getName() = "SOURCE" and
diff --git a/python/ql/test/extractor-tests/long_string/Test.ql b/python/ql/test/extractor-tests/long_string/Test.ql
index fd025e1cbc9..e8dc478c094 100644
--- a/python/ql/test/extractor-tests/long_string/Test.ql
+++ b/python/ql/test/extractor-tests/long_string/Test.ql
@@ -1,4 +1,4 @@
 import python
-from StrConst s
+from StringLiteral s
 select s.getLocation(), s.getText()
diff --git a/python/ql/test/extractor-tests/string_concatenation/StrConst.ql b/python/ql/test/extractor-tests/string_concatenation/StrConst.ql
index 0afdfe408b8..132ddd7436c 100644
--- a/python/ql/test/extractor-tests/string_concatenation/StrConst.ql
+++ b/python/ql/test/extractor-tests/string_concatenation/StrConst.ql
@@ -1,3 +1,3 @@
 import python
-select any(StrConst s) as s, s.getText()
+select any(StringLiteral s) as s, s.getText()
diff --git a/python/ql/test/library-tests/ApiGraphs/py3/verifyApiGraphs.ql b/python/ql/test/library-tests/ApiGraphs/py3/verifyApiGraphs.ql
index c1f7e8ad5e1..e3308914a57 100644
--- a/python/ql/test/library-tests/ApiGraphs/py3/verifyApiGraphs.ql
+++ b/python/ql/test/library-tests/ApiGraphs/py3/verifyApiGraphs.ql
@@ -6,6 +6,6 @@ class CustomEntryPoint extends API::EntryPoint {
 CustomEntryPoint() { this = "CustomEntryPoint" }
 override DataFlow::LocalSourceNode getASource() {
- result.asExpr().(StrConst).getText() = "magic_string"
+ result.asExpr().(StringLiteral).getText() = "magic_string"
 }
 }
diff --git a/python/ql/test/library-tests/exprs/strings/Strings.ql b/python/ql/test/library-tests/exprs/strings/Strings.ql
index 7d6a697a8ed..d42c4bc91cd 100644
--- a/python/ql/test/library-tests/exprs/strings/Strings.ql
+++ b/python/ql/test/library-tests/exprs/strings/Strings.ql
@@ -1,4 +1,4 @@
 import python
-from StrConst s
+from StringLiteral s
 select s.getLocation(), s.getPrefix(), s.getText()
diff --git a/python/ql/test/library-tests/locations/implicit_concatenation/parts.ql b/python/ql/test/library-tests/locations/implicit_concatenation/parts.ql
index 992f695663e..a4c090704d8 100644
--- a/python/ql/test/library-tests/locations/implicit_concatenation/parts.ql
+++ b/python/ql/test/library-tests/locations/implicit_concatenation/parts.ql
@@ -1,5 +1,5 @@
 import python
-from StrConst s, StringPart part, int n
+from StringLiteral s, StringPart part, int n
 where part = s.getImplicitlyConcatenatedPart(n)
 select s.getLocation().getStartLine(), s.getText(), n, part.getText()
diff --git a/python/ql/test/library-tests/locations/implicit_concatenation/test.ql b/python/ql/test/library-tests/locations/implicit_concatenation/test.ql
index ca595f53833..d85e40a7fdd 100644
--- a/python/ql/test/library-tests/locations/implicit_concatenation/test.ql
+++ b/python/ql/test/library-tests/locations/implicit_concatenation/test.ql
@@ -1,10 +1,10 @@
 import python
-class ImplicitConcat extends StrConst {
+class ImplicitConcat extends StringLiteral {
 ImplicitConcat() { exists(this.getAnImplicitlyConcatenatedPart()) }
 }
-from StrConst s, boolean isConcat
+from StringLiteral s, boolean isConcat
 where
 s instanceof ImplicitConcat and isConcat = true
 or