Python points-to/taint-tracking: Fix up flow into __init__ methods.

python/ql/src/semmle/python/objects/Classes.qll

@@ -97,9 +97,8 @@ class PythonClassObjectInternal extends ClassObjectInternal, TPythonClassObject
 
     override predicate calleeAndOffset(Function scope, int paramOffset) {
         exists(PythonFunctionObjectInternal init |
-            // TO DO... Lookup init...
-            none() |
-            init.getScope() = scope and paramOffset = 1
+            this.lookup("__init__", init, _) and
+            init.calleeAndOffset(scope, paramOffset-1)
         )
     }
 

python/ql/src/semmle/python/objects/ObjectAPI.qll

@@ -146,5 +146,9 @@ class ClassValue extends Value {
         result = Types::getMro(this).getAnItem()
     }
 
+    Value lookup(string name) {
+        this.(ClassObjectInternal).lookup(name, result, _)
+    }
+
 }
 

python/ql/src/semmle/python/security/TaintTracking.qll

@@ -1069,7 +1069,7 @@ library module TaintFlowImplementation {
     predicate self_init_end_transfer(EssaVariable self, CallContext callee, CallNode call, CallContext caller) {
         exists(ClassValue cls, Function init |
             call.getFunction().pointsTo(cls) and
-            init = cls.attr("__init__").(CallableValue).getScope() and
+            init = cls.lookup("__init__").(CallableValue).getScope() and
             self.getSourceVariable().(Variable).isSelf() and self.getScope() = init
             |
             callee = caller.getCallee(call)
@@ -1218,7 +1218,7 @@ library module TaintFlowImplementation {
     pragma [noinline]
     predicate class_initializer_argument(ClassValue cls, int n, CallNode call, CallableValue func, ControlFlowNode argument, NameNode param) {
         call.getFunction().pointsTo(cls) and
-        cls.attr("__init__") = func and
+        cls.lookup("__init__") = func and
         call.getArg(n) = argument and
         param.getNode() = func.getScope().getArg(n+1)
     }
@@ -1510,7 +1510,7 @@ class CallContext extends TCallContext {
         exists(ClassValue cls,CallNode call |
             this = TCalleeContext(call, _, _) and
             call.getFunction().pointsTo(cls) and
-            s = cls.attr("__init__").(CallableValue).getScope() and
+            s = cls.lookup("__init__").(CallableValue).getScope() and
             call.getFunction().pointsTo(cls)
         )
     }

python/ql/src/semmle/python/types/ClassObject.qll

@@ -108,7 +108,7 @@ class ClassObject extends Object {
       Will include attributes of super-classes */
     Object lookupAttribute(string name) {
         exists(Value val |
-            theClass().attribute(name, val, _) and
+            theClass().lookup(name, val, _) and
             result = val.getSource()
         )
     }
@@ -135,7 +135,7 @@ class ClassObject extends Object {
     /** Whether the named attribute refers to the object, class and origin */
     predicate attributeRefersTo(string name, Object obj, ClassObject cls, ControlFlowNode origin) {
         exists(Value val, CfgOrigin valorig |
-            theClass().attribute(name, val, valorig) and
+            theClass().lookup(name, val, valorig) and
             obj = val.getSource() and
             cls = val.getClass().getSource() and
             origin = valorig.toCfgNode()