Add cookbook queries

python/ql/examples/backticks.ql

@@ -0,0 +1,11 @@
+/**
+ * @name String conversion expressions
+ * @description Finds `String conversions` expressions (expressions enclosed in backticks), which are removed in Python 3
+ * @tags backtick
+ *       string conversion
+ */
+
+import python
+
+from Repr r
+select r

python/ql/examples/builtin_object.ql

@@ -0,0 +1,13 @@
+/**
+ * @name Builtin objects
+ * @description Finds expressions that refer to an object in the builtins module (like int or None).
+ * @tags reference
+ *       builtin
+ *       object
+ */
+ 
+import python
+
+from Expr e
+where e.refersTo(builtin_object(_))
+select e

python/ql/examples/call.ql

@@ -0,0 +1,12 @@
+/**
+ * @name Calls to function
+ * @description Finds calls to any function named "len"
+ * @tags call
+ *       function
+ */
+ 
+import python
+
+from FunctionObject len, CallNode call
+where len.getName() = "len" and len.getACall() = call
+select call

python/ql/examples/catch_exception.ql

@@ -0,0 +1,15 @@
+/**
+ * @name Handle exception of given class
+ * @description Finds places where we handle MyExceptionClass exceptions
+ * @tags catch
+ *       try
+ *       exception
+ */
+ 
+import python
+
+from ExceptStmt ex, ClassObject cls
+where 
+    cls.getName() = "MyExceptionClass" and
+    ex.getType().refersTo(cls)
+select ex

python/ql/examples/conditional_expression.ql

@@ -0,0 +1,16 @@
+/**
+ * @name Conditional expressions
+ * @description Finds conditional expressions of the form '... if ... else ...'
+ *              where the classes of the sub-expressions differ
+ * @tags conditional
+ *       expression
+ *       ternary
+ */
+
+import python
+
+from IfExp e, ClassObject cls1, ClassObject cls2
+where 
+    e.getBody().refersTo(_, cls1, _) and e.getOrelse().refersTo(_, cls2, _) and
+    cls1 != cls2
+select e

python/ql/examples/elif.ql

@@ -0,0 +1,12 @@
+/**
+ * @name Elif statement
+ * @description Finds `elif` sub-statements within `if` statements
+ * @tags if
+ *       else
+ */
+
+import python
+
+from If i
+where i.isElif()
+select i

python/ql/examples/emptyblock.ql

@@ -0,0 +1,13 @@
+/**
+ * @name Empty blocks
+ * @description Finds the first statement in a block consisting of nothing but Pass statements
+ * @tags empty
+ *       block
+ *       statement
+ */
+ 
+import python
+
+from StmtList blk
+where not exists(Stmt s | not s instanceof Pass)
+select blk.getItem(0)

python/ql/examples/emptythen.ql

@@ -0,0 +1,20 @@
+/**
+ * @name If statements with empty then branch
+ * @description Finds 'if' statements where the "then" branch 
+ *              consists entirely of Pass statements
+ * @tags if
+ *       then
+ *       empty
+ *       conditional
+ *       branch
+ */
+ 
+import python
+
+from If i
+where
+    not exists(Stmt s |
+        i.getStmt(_) = s and 
+        not s instanceof Pass
+    )
+select i

python/ql/examples/eq_true.ql

@@ -0,0 +1,13 @@
+/**
+ * @name Equality test on boolean
+ * @description Finds tests like `==true`, `==false`, `"!=true`, `is false`
+ * @tags equals
+ *       test
+ *       boolean
+ */
+ 
+import python
+
+from Compare eq
+where eq.getAComparator() instanceof BooleanLiteral
+select eq

python/ql/examples/equalitystmt.ql

@@ -0,0 +1,13 @@
+/**
+ * @name Equalities as expression statements
+ * @description Finds `==` equality expressions that form a statement
+ * @tags comparison
+ *       equality
+ *       expression statement
+ */
+ 
+import python
+
+from ExprStmt e, Compare eq
+where e.getValue() = eq and eq.getOp(0) instanceof Eq
+select e

python/ql/examples/extend_class.ql

@@ -0,0 +1,18 @@
+/**
+ * @name Class subclasses
+ * @description Finds classes that subclass MyClass
+ * @tags class
+ *       extends
+ *       implements
+ *       overrides
+ *       subtype
+ *       supertype
+ */
+ 
+import python
+
+from ClassObject sub, ClassObject base
+where 
+    base.getName() = "MyClass" and
+    sub.getABaseType() = base
+select sub

python/ql/examples/filename.ql

@@ -0,0 +1,11 @@
+/**
+ * @name File with given name
+ * @description Finds files called `spam.py`
+ * @tags file
+ */
+ 
+import python
+
+from File f
+where f.getName() = "spam.py"
+select f

python/ql/examples/generator.ql

@@ -0,0 +1,12 @@
+/**
+ * @name Generator functions
+ * @description Finds generator functions
+ * @tags generator
+ *       function
+ */
+
+import python
+
+from Function f
+where f.isGenerator()
+select f

python/ql/examples/integer_literal.ql

@@ -0,0 +1,12 @@
+/**
+ * @name Integer literal
+ * @description Finds places where we use the integer literal `0`
+ * @tags integer
+ *       literal
+ */
+ 
+import python
+
+from IntegerLiteral literal
+where literal.getValue() = 0
+select literal

python/ql/examples/method_call.ql

@@ -0,0 +1,14 @@
+/**
+ * @name Call to method
+ * @description Finds calls to MyClass.methodName
+ * @tags call
+ *       method
+ */
+ 
+import python
+
+from AstNode call, FunctionObject method
+where 
+    method.getQualifiedName() = "MyClass.methodName" and
+    method.getACall().getNode() = call
+select call

python/ql/examples/mutualrecursion.ql

@@ -0,0 +1,12 @@
+/**
+ * @name Mutual recursion
+ * @description Finds pairs of functions that call each other
+ * @tags method
+ *       recursion
+ */
+
+import python
+
+from FunctionObject m, FunctionObject n
+where m != n and m.getACallee() = n and n.getACallee() = m
+select m, n

python/ql/examples/new_instance.ql

@@ -0,0 +1,15 @@
+/**
+ * @name Create new object
+ * @description Finds places where we create a new instanceof `MyClass`
+ * @tags call
+ *       constructor
+ *       new
+ */
+ 
+import python
+
+from Call new, ClassObject cls
+where
+    cls.getName() = "MyClass" and
+    new.getFunc().refersTo(cls)
+select new

python/ql/examples/override_method.ql

@@ -0,0 +1,14 @@
+/**
+ * @name Override of method
+ * @description Finds methods that overide MyClass.methodName
+ * @tags method
+ *       override
+ */
+ 
+import python
+
+from FunctionObject override, FunctionObject base
+where
+    base.getQualifiedName() = "MyClass.methodName" and
+    override.overrides(base)
+select override

python/ql/examples/print.ql

@@ -0,0 +1,16 @@
+/**
+ * @name Find prints
+ * @description Find print statements or calls to the builtin function 'print'
+ * @tags print
+ */
+ 
+import python
+
+from AstNode print
+where 
+    /* Python 2 without `from __future__ import print_function` */
+    print instanceof Print
+    or
+    /* Python 3 or with `from __future__ import print_function` */
+    print.(Call).getFunc().refersTo(thePrintFunction())
+select print

python/ql/examples/private_access.ql

@@ -0,0 +1,18 @@
+/**
+ * @name Private access
+ * @description Find accesses to "private" attributes (those starting with an underscore) 
+ * @tags access
+ *       private
+ */
+ 
+import python
+
+predicate is_private(Attribute a) {
+    a.getName().matches("\\_%") and 
+    not a.getName().matches("\\_\\_%\\_\\_")
+}
+
+from Attribute access
+where is_private(access) and
+not access.getObject().(Name).getId() = "self"
+select access

python/ql/examples/queries.xml

@@ -0,0 +1 @@
+<queries language="python"/>

python/ql/examples/raise_exception.ql

@@ -0,0 +1,19 @@
+/**
+ * @name Raise exception of a class
+ * @description Finds places where we raise AnException or one of its subclasses
+ * @tags throw
+ *       raise
+ *       exception
+ */
+ 
+import python
+
+from Raise raise, ClassObject ex
+where
+    ex.getName() = "AnException" and
+    (
+        raise.getException().refersTo(ex.getAnImproperSuperType())
+        or
+        raise.getException().refersTo(_, ex.getAnImproperSuperType(), _)
+    )
+select raise, "Don't raise instances of 'AnException'"

python/ql/examples/raw_string.ql

@@ -0,0 +1,12 @@
+/**
+ * @name Raw string literals
+ * @description Finds string literals with an 'r' prefix 
+ * @tags string
+ *       raw
+ */
+ 
+import python
+
+from StrConst s
+where s.getPrefix().matches("%r%")
+select s

python/ql/examples/recursion.ql

@@ -0,0 +1,12 @@
+/**
+ * @name Recursion
+ * @description Finds functions that call themselves
+ * @tags method
+ *       recursion
+ */
+
+import python
+
+from FunctionObject f
+where f.getACallee() = f
+select f

python/ql/examples/singlequotestring.ql

@@ -0,0 +1,13 @@
+/**
+ * @name Single-quoted string literals
+ * @description Finds string literals using single quotes
+ * @tags string
+ *       single quote
+ *       quote
+ */
+
+import python
+
+from StrConst s
+where s.getPrefix().charAt(_) = "'"
+select s

python/ql/examples/store_none.ql

@@ -0,0 +1,17 @@
+/**
+ * @name Store None to collection
+ * @description Finds places where `None` is used as an index when storing to a collection
+ * @tags None
+ *       parameter
+ *       argument
+ *       collection
+ *       add
+ */
+ 
+import python
+
+from SubscriptNode store
+where 
+    store.isStore() and
+    store.getIndex().refersTo(theNoneObject())
+select store

python/ql/examples/todocomment.ql

@@ -0,0 +1,12 @@
+/**
+ * @name TODO comments
+ * @description Finds comments containing the word "TODO"
+ * @tags comment
+ *       TODO
+ */
+
+import python
+
+from Comment c
+where c.getText().regexpMatch("(?si).*\\bTODO\\b.*")
+select c

python/ql/examples/too_many_params.ql

@@ -0,0 +1,13 @@
+/**
+ * @name Functions with many parameters
+ * @description Finds functions with more than 7 parameters
+ * @tags function
+ *       parameter
+ *       argument
+ */
+
+import python
+
+from Function fcn
+where count(fcn.getAnArg()) > 7
+select fcn

python/ql/examples/tryfinally.ql

@@ -0,0 +1,14 @@
+/**
+ * @name Try-finally statements
+ * @description Finds try-finally statements without an exception handler
+ * @tags try
+ *       finally
+ *       exceptions
+ */
+
+import python
+
+from Try t
+where exists(t.getFinalbody())
+  and not exists(t.getAHandler())
+select t