mirror of
https://github.com/github/codeql.git
synced 2026-05-04 13:15:21 +02:00
Python: type trackers to API graph
base on new subscript in the API graph There are a few more uses of type tracking through `SubscriptNode`s, but these start from an instance given by a data flow node.
This commit is contained in:
Rasmus Lerchedahl Petersen
@@ -408,21 +408,21 @@ module Flask {
|
||||
}
|
||||
}
|
||||
|
||||
private API::Node requestFileStorage() {
|
||||
// TODO: This approach for identifying member-access is very adhoc, and we should
|
||||
// be able to do something more structured for providing modeling of the members
|
||||
// of a container-object.
|
||||
result = request().getMember("files").getASubscript()
|
||||
or
|
||||
result = request().getMember("files").getMember("get").getReturn()
|
||||
or
|
||||
result = request().getMember("files").getMember("getlist").getReturn().getASubscript()
|
||||
}
|
||||
|
||||
/** An `FileStorage` instance that originates from a flask request. */
|
||||
private class FlaskRequestFileStorageInstances extends Werkzeug::FileStorage::InstanceSource {
|
||||
FlaskRequestFileStorageInstances() {
|
||||
// TODO: This approach for identifying member-access is very adhoc, and we should
|
||||
// be able to do something more structured for providing modeling of the members
|
||||
// of a container-object.
|
||||
exists(API::Node files | files = request().getMember("files") |
|
||||
this.asCfgNode().(SubscriptNode).getObject() =
|
||||
files.getAValueReachableFromSource().asCfgNode()
|
||||
or
|
||||
this = files.getMember("get").getACall()
|
||||
or
|
||||
this.asCfgNode().(SubscriptNode).getObject() =
|
||||
files.getMember("getlist").getReturn().getAValueReachableFromSource().asCfgNode()
|
||||
)
|
||||
this = requestFileStorage().getAValueReachableFromSource()
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -1725,39 +1725,21 @@ private module StdlibPrivate {
|
||||
API::Node getlistResult() { result = getlistRef().getReturn() }
|
||||
|
||||
/** Gets a reference to a list of fields. */
|
||||
private DataFlow::TypeTrackingNode fieldList(DataFlow::TypeTracker t) {
|
||||
t.start() and
|
||||
// TODO: Should have better handling of subscripting
|
||||
result.asCfgNode().(SubscriptNode).getObject() =
|
||||
instance().getAValueReachableFromSource().asCfgNode()
|
||||
API::Node fieldList() {
|
||||
result = getlistResult()
|
||||
or
|
||||
exists(DataFlow::TypeTracker t2 | result = fieldList(t2).track(t2, t))
|
||||
}
|
||||
|
||||
/** Gets a reference to a list of fields. */
|
||||
DataFlow::Node fieldList() {
|
||||
result = getlistResult().getAValueReachableFromSource() or
|
||||
result = getvalueResult().getAValueReachableFromSource() or
|
||||
fieldList(DataFlow::TypeTracker::end()).flowsTo(result)
|
||||
result = getvalueResult()
|
||||
or
|
||||
result = instance().getASubscript()
|
||||
}
|
||||
|
||||
/** Gets a reference to a field. */
|
||||
private DataFlow::TypeTrackingNode field(DataFlow::TypeTracker t) {
|
||||
t.start() and
|
||||
// TODO: Should have better handling of subscripting
|
||||
result.asCfgNode().(SubscriptNode).getObject() =
|
||||
[instance().getAValueReachableFromSource(), fieldList()].asCfgNode()
|
||||
API::Node field() {
|
||||
result = getfirstResult()
|
||||
or
|
||||
exists(DataFlow::TypeTracker t2 | result = field(t2).track(t2, t))
|
||||
}
|
||||
|
||||
/** Gets a reference to a field. */
|
||||
DataFlow::Node field() {
|
||||
result = getfirstResult().getAValueReachableFromSource()
|
||||
result = getvalueResult()
|
||||
or
|
||||
result = getvalueResult().getAValueReachableFromSource()
|
||||
or
|
||||
field(DataFlow::TypeTracker::end()).flowsTo(result)
|
||||
result = [instance(), fieldList()].getASubscript()
|
||||
}
|
||||
|
||||
private class AdditionalTaintStep extends TaintTracking::AdditionalTaintStep {
|
||||
@@ -1780,11 +1762,13 @@ private module StdlibPrivate {
|
||||
)
|
||||
or
|
||||
// Indexing
|
||||
nodeFrom in [instance().getAValueReachableFromSource(), fieldList()] and
|
||||
nodeFrom in [
|
||||
instance().getAValueReachableFromSource(), fieldList().getAValueReachableFromSource()
|
||||
] and
|
||||
nodeTo.asCfgNode().(SubscriptNode).getObject() = nodeFrom.asCfgNode()
|
||||
or
|
||||
// Attributes on Field
|
||||
nodeFrom = field() and
|
||||
nodeFrom = field().getAValueReachableFromSource() and
|
||||
exists(DataFlow::AttrRead read | nodeTo = read and read.getObject() = nodeFrom |
|
||||
read.getAttributeName() in ["value", "file", "filename"]
|
||||
)
|
||||
|
||||
Reference in New Issue
Block a user