mirror of
https://github.com/github/codeql.git
synced 2025-12-18 01:33:15 +01:00
Python: Use backtracker for verify arg
This commit is contained in:
Rasmus Wriedt Larsen
@@ -24,24 +24,33 @@ DataFlow::CallCfgNode outgoingRequestCall(string verb) {
|
|||||||
result = API::moduleImport("requests").getMember(verb).getACall()
|
result = API::moduleImport("requests").getMember(verb).getACall()
|
||||||
}
|
}
|
||||||
|
|
||||||
/** Gets a reference to a falsey value (excluding None), with origin `origin`. */
|
/** Gets the "verfiy" argument to a outgoingRequestCall. */
|
||||||
private DataFlow::TypeTrackingNode falseyNotNone(DataFlow::TypeTracker t, DataFlow::Node origin) {
|
DataFlow::Node verifyArg(DataFlow::CallCfgNode call) {
|
||||||
t.start() and
|
call = outgoingRequestCall(_) and
|
||||||
result.asExpr().(ImmutableLiteral).booleanValue() = false and
|
result = call.getArgByName("verify")
|
||||||
not result.asExpr() instanceof None and
|
|
||||||
origin = result
|
|
||||||
or
|
|
||||||
exists(DataFlow::TypeTracker t2 | result = falseyNotNone(t2, origin).track(t2, t))
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/** Gets a reference to a falsey value (excluding None), with origin `origin`. */
|
/** Gets a back-reference to the verify argument `arg`. */
|
||||||
DataFlow::Node falseyNotNone(DataFlow::Node origin) {
|
private DataFlow::TypeTrackingNode verifyArgBacktracker(
|
||||||
falseyNotNone(DataFlow::TypeTracker::end(), origin).flowsTo(result)
|
DataFlow::TypeBackTracker t, DataFlow::Node arg
|
||||||
|
) {
|
||||||
|
t.start() and
|
||||||
|
arg = verifyArg(_) and
|
||||||
|
result = arg.getALocalSource()
|
||||||
|
or
|
||||||
|
exists(DataFlow::TypeBackTracker t2 | result = verifyArgBacktracker(t2, arg).backtrack(t2, t))
|
||||||
|
}
|
||||||
|
|
||||||
|
/** Gets a back-reference to the verify argument `arg`. */
|
||||||
|
DataFlow::LocalSourceNode verifyArgBacktracker(DataFlow::Node arg) {
|
||||||
|
result = verifyArgBacktracker(DataFlow::TypeBackTracker::end(), arg)
|
||||||
}
|
}
|
||||||
|
|
||||||
from DataFlow::CallCfgNode call, DataFlow::Node falseyOrigin, string verb
|
from DataFlow::CallCfgNode call, DataFlow::Node falseyOrigin, string verb
|
||||||
where
|
where
|
||||||
call = outgoingRequestCall(verb) and
|
call = outgoingRequestCall(verb) and
|
||||||
|
falseyOrigin = verifyArgBacktracker(verifyArg(call)) and
|
||||||
// requests treats `None` as the default and all other "falsey" values as `False`.
|
// requests treats `None` as the default and all other "falsey" values as `False`.
|
||||||
call.getArgByName("verify") = falseyNotNone(falseyOrigin)
|
falseyOrigin.asExpr().(ImmutableLiteral).booleanValue() = false and
|
||||||
|
not falseyOrigin.asExpr() instanceof None
|
||||||
select call, "Call to requests." + verb + " with verify=$@", falseyOrigin, "False"
|
select call, "Call to requests." + verb + " with verify=$@", falseyOrigin, "False"
|
||||||
|
|||||||
Reference in New Issue
Block a user