Merge branch 'main' into shared-http-client-request

2025-12-22 03:36:30 +01:00 · 2022-08-22 12:05:37 +02:00
parent 9790594984 584037737e
commit 61bf2154cd
192 changed files with 10953 additions and 1801 deletions
--- a/python/ql/lib/semmle/python/Comprehensions.qll
+++ b/python/ql/lib/semmle/python/Comprehensions.qll
@@ -68,8 +68,6 @@ class ListComp extends ListComp_, Comp {

  override Expr getIterable() { result = ListComp_.super.getIterable() }

-  override string toString() { result = ListComp_.super.toString() }
-
  override Expr getElt() { result = Comp.super.getElt() }
 }

--- a/python/ql/lib/semmle/python/Exprs.qll
+++ b/python/ql/lib/semmle/python/Exprs.qll
@@ -616,6 +616,9 @@ private string non_byte_prefix() {
  not result.charAt(_) in ["b", "B"]
 }

+/** A string constant. This is a placeholder class -- use `StrConst` instead. */
+class Str = StrConst;
+
 /** A string constant. */
 class StrConst extends Str_, ImmutableLiteral {
  /* syntax: "hello" */
--- a/python/ql/lib/semmle/python/Keywords.qll
+++ b/python/ql/lib/semmle/python/Keywords.qll
@@ -2,8 +2,6 @@ import python

 class KeyValuePair extends KeyValuePair_, DictDisplayItem {
  /* syntax: Expr : Expr */
-  override Location getLocation() { result = KeyValuePair_.super.getLocation() }
-
  override string toString() { result = KeyValuePair_.super.toString() }

  /** Gets the value of this dictionary unpacking. */
@@ -20,8 +18,6 @@ class KeyValuePair extends KeyValuePair_, DictDisplayItem {

 /** A double-starred expression in a call or dict literal. */
 class DictUnpacking extends DictUnpacking_, DictUnpackingOrKeyword, DictDisplayItem {
-  override Location getLocation() { result = DictUnpacking_.super.getLocation() }
-
  override string toString() { result = DictUnpacking_.super.toString() }

  /** Gets the value of this dictionary unpacking. */
@@ -47,8 +43,6 @@ abstract class DictDisplayItem extends DictItem {
 /** A keyword argument in a call. For example `arg=expr` in `foo(0, arg=expr)` */
 class Keyword extends Keyword_, DictUnpackingOrKeyword {
  /* syntax: name = Expr */
-  override Location getLocation() { result = Keyword_.super.getLocation() }
-
  override string toString() { result = Keyword_.super.toString() }

  /** Gets the value of this keyword argument. */
--- a/python/ql/lib/semmle/python/dataflow/new/internal/Attributes.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/internal/Attributes.qll
@@ -70,9 +70,7 @@ abstract class AttrWrite extends AttrRef {
 * ```
 * Also gives access to the `value` being written, by extending `DefinitionNode`.
 */
-private class AttributeAssignmentNode extends DefinitionNode, AttrNode {
-  override ControlFlowNode getValue() { result = DefinitionNode.super.getValue() }
-}
+private class AttributeAssignmentNode extends DefinitionNode, AttrNode { }

 /** A simple attribute assignment: `object.attr = value`. */
 private class AttributeAssignmentAsAttrWrite extends AttrWrite, CfgNode {
--- a/python/ql/src/experimental/Security/CWE-348/ClientSuppliedIpUsedInSecurityCheckLib.qll
+++ b/python/ql/src/experimental/Security/CWE-348/ClientSuppliedIpUsedInSecurityCheckLib.qll
@@ -2,7 +2,6 @@ private import python
 private import semmle.python.Concepts
 private import semmle.python.ApiGraphs
 private import semmle.python.dataflow.new.RemoteFlowSources
-private import semmle.python.dataflow.new.DataFlow

 /**
 * A data flow source of the client ip obtained according to the remote endpoint identifier specified
--- a/python/ql/test/TestUtilities/InlineExpectationsTest.qll
+++ b/python/ql/test/TestUtilities/InlineExpectationsTest.qll
@@ -330,6 +330,19 @@ abstract private class Expectation extends FailureLocatable {
  override Location getLocation() { result = comment.getLocation() }
 }

+private predicate onSameLine(ValidExpectation a, ActualResult b) {
+  exists(string fname, int line, Location la, Location lb |
+    // Join order intent:
+    // Take the locations of ActualResults,
+    // join with locations in the same file / on the same line,
+    // then match those against ValidExpectations.
+    la = a.getLocation() and
+    pragma[only_bind_into](lb) = b.getLocation() and
+    pragma[only_bind_into](la).hasLocationInfo(fname, line, _, _, _) and
+    lb.hasLocationInfo(fname, line, _, _, _)
+  )
+}
+
 private class ValidExpectation extends Expectation, TValidExpectation {
  string tag;
  string value;
@@ -344,8 +357,7 @@ private class ValidExpectation extends Expectation, TValidExpectation {
  string getKnownFailure() { result = knownFailure }

  predicate matchesActualResult(ActualResult actualResult) {
-    getLocation().getStartLine() = actualResult.getLocation().getStartLine() and
-    getLocation().getFile() = actualResult.getLocation().getFile() and
+    onSameLine(pragma[only_bind_into](this), actualResult) and
    getTag() = actualResult.getTag() and
    getValue() = actualResult.getValue()
  }
--- a/python/ql/test/TestUtilities/VerifyApiGraphs.qll
+++ b/python/ql/test/TestUtilities/VerifyApiGraphs.qll
@@ -84,8 +84,8 @@ class Assertion extends Comment {
  string tryExplainFailure() {
    exists(int i, API::Node nd, string prefix, string suffix |
      nd = this.lookup(i) and
-      i < getPathLength() and
-      not exists(this.lookup([i + 1 .. getPathLength()])) and
+      i < this.getPathLength() and
+      not exists(this.lookup([i + 1 .. this.getPathLength()])) and
      prefix = nd + " has no outgoing edge labelled " + this.getEdgeLabel(i) + ";" and
      if exists(nd.getASuccessor())
      then