Python: Add getAReturnedNode to PythonFunctionValue

2026-04-30 19:26:02 +02:00 · 2019-12-18 10:36:37 +01:00
parent 582ef6cec9
commit 48f873e3d9
4 changed files with 11 additions and 7 deletions
--- a/python/ql/src/semmle/python/objects/ObjectAPI.qll
+++ b/python/ql/src/semmle/python/objects/ObjectAPI.qll
@@ -211,7 +211,7 @@ module Value {
    }

    /** Gets the `Value` for the integer constant `i`, if it exists.
-     * There will be no `Value` for most integers, but the following are 
+     * There will be no `Value` for most integers, but the following are
     * guaranteed to exist:
     * * From zero to 511 inclusive.
     * * All powers of 2 (up to 2**30)
@@ -486,6 +486,11 @@ class PythonFunctionValue extends FunctionValue {
        )
    }

+    /** Gets a control flow node corresponding to a return statement in this function */
+    ControlFlowNode getAReturnedNode() {
+        result = this.getScope().getAReturnValueFlowNode()
+    }
+
 }

 /** Class representing builtin functions, such as `len` or `print` */
--- a/python/ql/src/semmle/python/web/flask/Response.qll
+++ b/python/ql/src/semmle/python/web/flask/Response.qll
@@ -9,8 +9,8 @@ import semmle.python.web.flask.General
 */
 class FlaskRoutedResponse extends HttpResponseTaintSink {
    FlaskRoutedResponse() {
-        exists(PyFunctionObject response |
-            flask_routing(_, response.getFunction()) and
+        exists(PythonFunctionValue response |
+            flask_routing(_, response.getScope()) and
            this = response.getAReturnedNode()
        )
    }
--- a/python/ql/src/semmle/python/web/pyramid/Response.qll
+++ b/python/ql/src/semmle/python/web/pyramid/Response.qll
@@ -11,8 +11,8 @@ private import semmle.python.web.Http
 */
 class PyramidRoutedResponse extends HttpResponseTaintSink {
    PyramidRoutedResponse() {
-        exists(PyFunctionObject view |
-            is_pyramid_view_function(view.getFunction()) and
+        exists(PythonFunctionValue view |
+            is_pyramid_view_function(view.getScope()) and
            this = view.getAReturnedNode()
        )
    }
--- a/python/ql/src/semmle/python/web/twisted/Response.qll
+++ b/python/ql/src/semmle/python/web/twisted/Response.qll
@@ -11,8 +11,7 @@ class TwistedResponse extends TaintSink {
            isKnownRequestHandlerMethodName(name) and
            name = func.getName() and
            func = getTwistedRequestHandlerMethod(name) and
-            func.getScope() = ret.getScope() and
-            ret.getValue().getAFlowNode() = this
+            this = func.getAReturnedNode()
        )
    }