Apply suggestions from code review

Co-authored-by: yoff <lerchedahl@gmail.com>
2026-04-26 01:05:15 +02:00 · 2024-05-10 12:07:32 +02:00
parent 944f8842b7
commit 52ceb7fb89
2 changed files with 21 additions and 13 deletions
--- a/python/ql/lib/semmle/python/frameworks/Gradio.qll
+++ b/python/ql/lib/semmle/python/frameworks/Gradio.qll
@@ -47,9 +47,7 @@ module Gradio {
   */
  class GradioInputList extends RemoteFlowSource::Range {
    GradioInputList() {
-      exists(API::CallNode call |
-        call instanceof GradioInput
-        and
+      exists(GradioInput call |
        // limit only to lists of parameters given to `inputs`.
        (
          (
@@ -74,9 +72,7 @@ module Gradio {
   */
  class GradioInputParameter extends RemoteFlowSource::Range {
    GradioInputParameter() {
-      exists(API::CallNode call |
-        call instanceof GradioInput
-        and
+      exists(GradioInput call |
        this = call.getParameter(0, "fn").getParameter(_).asSource() and
        // exclude lists of parameters given to `inputs`
        not call.getKeywordParameter("inputs").asSink().asCfgNode() instanceof ListNode and
@@ -92,8 +88,7 @@ module Gradio {
   */
  class GradioInputDecorator extends RemoteFlowSource::Range {
    GradioInputDecorator() {
-      exists(API::CallNode call |
-        call instanceof GradioInput and
+      exists(GradioInput call |
        this = call.getReturn().getACall().getParameter(0).getParameter(_).asSource()
      )
    }
@@ -106,9 +101,7 @@ module Gradio {
   */
  private class ListTaintStep extends TaintTracking::AdditionalTaintStep {
    override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
-      exists(API::CallNode node |
-        node instanceof GradioInput
-        and
+      exists(GradioInput node |
        // handle cases where there are multiple arguments passed as a list to `inputs`
        (
          (
--- a/python/ql/test/library-tests/frameworks/gradio/source_test.ql
+++ b/python/ql/test/library-tests/frameworks/gradio/source_test.ql
@@ -1,5 +1,20 @@
 import python
 import semmle.python.dataflow.new.RemoteFlowSources
+import TestUtilities.InlineExpectationsTest
+private import semmle.python.dataflow.new.internal.PrintNode

-from RemoteFlowSource rfs
-select rfs
+module SourceTest implements TestSig {
+  string getARelevantTag() { result = "source" }
+
+  predicate hasActualResult(Location location, string element, string tag, string value) {
+    exists(location.getFile().getRelativePath()) and
+    exists(RemoteFlowSource rfs |
+      location = rfs.getLocation() and
+      element = rfs.toString() and
+      value = prettyNode(rfs) and
+      tag = "source"
+    )
+  }
+}
+
+import MakeTest<SourceTest>