Python: Model C-based loaders for PyYAML

Not really that important. But easy to do while I was working on this library.

python/change-notes/2021-03-18-yaml-handle-C-based-loaders.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Improved modeling of the `PyYAML` PyPI package, so we now correctly treat `CSafeLoader` and `CBaseLoader` as being safe loaders that can not lead to code execution.

python/ql/src/semmle/python/frameworks/Yaml.qll

@@ -56,7 +56,10 @@ private module Yaml {
       not exists(DataFlow::Node loader_arg |
         loader_arg in [this.getArg(1), this.getArgByName("Loader")]
       |
-        loader_arg = API::moduleImport("yaml").getMember(["SafeLoader", "BaseLoader"]).getAUse()
+        loader_arg =
+          API::moduleImport("yaml")
+              .getMember(["SafeLoader", "BaseLoader", "CSafeLoader", "CBaseLoader"])
+              .getAUse()
       )
     }
 

python/ql/test/experimental/library-tests/frameworks/yaml/Decoding.py

@@ -21,5 +21,5 @@ yaml.full_load_all(payload) # $ decodeInput=payload decodeOutput=Attribute() dec
 # C-based loaders with `libyaml`
 yaml.load(payload, yaml.CLoader)  # $ decodeInput=payload decodeOutput=Attribute() decodeFormat=YAML decodeMayExecuteInput
 yaml.load(payload, yaml.CFullLoader)  # $ decodeInput=payload decodeOutput=Attribute() decodeFormat=YAML decodeMayExecuteInput
-yaml.load(payload, yaml.CSafeLoader)  # $decodeInput=payload decodeOutput=Attribute() decodeFormat=YAML SPURIOUS: decodeMayExecuteInput
-yaml.load(payload, yaml.CBaseLoader)  # $decodeInput=payload decodeOutput=Attribute() decodeFormat=YAML SPURIOUS: decodeMayExecuteInput
+yaml.load(payload, yaml.CSafeLoader)  # $decodeInput=payload decodeOutput=Attribute() decodeFormat=YAML
+yaml.load(payload, yaml.CBaseLoader)  # $decodeInput=payload decodeOutput=Attribute() decodeFormat=YAML