Move xmltodict to its own file under frameworks/

2026-04-30 03:05:15 +02:00 · 2021-06-28 21:08:43 +02:00
parent 350440897c
commit 51395d155f
2 changed files with 34 additions and 23 deletions
--- a/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
@@ -8,7 +8,6 @@ private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.dataflow.new.TaintTracking
 private import semmle.python.dataflow.new.RemoteFlowSources
 private import experimental.semmle.python.Concepts
-private import semmle.python.Concepts
 private import semmle.python.ApiGraphs

 /**
@@ -99,25 +98,3 @@ private module Re {
    override DataFlow::Node getRegexNode() { result = regexNode }
  }
 }
-
-// ---------------------------------------------------------------------------
-// xmltodict
-// ---------------------------------------------------------------------------
-/** Gets a reference to the `xmltodict` module. */
-API::Node xmltodict() { result = API::moduleImport("xmltodict") }
-
-/**
- * A call to `xmltodict.parse`
- * See https://github.com/martinblech/xmltodict/blob/ae19c452ca000bf243bfc16274c060bf3bf7cf51/xmltodict.py#L198
- */
-private class XmlToDictParseCall extends Decoding::Range, DataFlow::CallCfgNode {
-  XmlToDictParseCall() { this = xmltodict().getMember("parse").getACall() }
-
-  override predicate mayExecuteInput() { none() }
-
-  override DataFlow::Node getAnInput() { result = this.getArg(0) }
-
-  override DataFlow::Node getOutput() { result = this }
-
-  override string getFormat() { result = "XML" }
-}
--- a/python/ql/src/experimental/semmle/python/frameworks/Xmltodict.qll
+++ b/python/ql/src/experimental/semmle/python/frameworks/Xmltodict.qll
@@ -0,0 +1,34 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `xmltodict` PyPI package.
+ * See https://pypi.org/project/xmltodict/
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.Concepts
+private import semmle.python.ApiGraphs
+
+/**
+ * Provides models for the `xmltodict` PyPI package.
+ * See https://pypi.org/project/xmltodict/
+ */
+private module XmlToDictModel {
+  /** Gets a reference to the `xmltodict` module. */
+  API::Node xmltodict() { result = API::moduleImport("xmltodict") }
+
+  /**
+   * A call to `xmltodict.parse`
+   * See https://github.com/martinblech/xmltodict/blob/ae19c452ca000bf243bfc16274c060bf3bf7cf51/xmltodict.py#L198
+   */
+  private class XmlToDictParseCall extends Decoding::Range, DataFlow::CallCfgNode {
+    XmlToDictParseCall() { this = xmltodict().getMember("parse").getACall() }
+
+    override predicate mayExecuteInput() { none() }
+
+    override DataFlow::Node getAnInput() { result = this.getArg(0) }
+
+    override DataFlow::Node getOutput() { result = this }
+
+    override string getFormat() { result = "XML" }
+  }
+}