Python: Fix ql4ql alerts

The rest will be ignored.
2025-12-20 10:46:30 +01:00 · 2022-11-22 16:24:47 +01:00
parent 00ec3a23ba
commit 69b43f147a
3 changed files with 8 additions and 9 deletions
--- a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowDispatch.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowDispatch.qll
@@ -478,7 +478,7 @@ private TypeTrackingNode classTracker(TypeTracker t, Class cls) {
    or
    // when a class is decorated, it's the result of the (last) decorator call that
    // is used
-    result.asExpr() = cls.getParent().(ClassExpr).getADecoratorCall()
+    result.asExpr() = cls.getParent().getADecoratorCall()
    or
    // `type(obj)`, where obj is an instance of this class
    result = getTypeCall() and
@@ -1102,8 +1102,8 @@ predicate normalCallArg(CallNode call, Node arg, ArgumentPosition apos) {
 }

 /**
- * Gets the argument of `call` at position `apos`, if any, where we can resolve `call`
- * to `target` with CallType `type`.
+ * Gets the argument `arg` of `call` at position `apos`, if any. Requires that we can
+ * resolve `call` to `target` with CallType `type`.
 *
 * It might seem like it's enough to know the CallType to resolve arguments. The reason
 * we also need the `target`, is to avoid cross-talk. In the example below, assuming
--- a/python/ql/src/Security/CWE-020-ExternalAPIs/ExternalAPIs.qll
+++ b/python/ql/src/Security/CWE-020-ExternalAPIs/ExternalAPIs.qll
@@ -157,11 +157,10 @@ class UnresolvedCall extends InterestingExternalApiCall, TUnresolvedCall {

 /** A node representing data being passed to an external API through a call. */
 class ExternalApiDataNode extends DataFlow::Node {
-  InterestingExternalApiCall call;
-  DataFlowPrivate::ArgumentPosition apos;
-
  ExternalApiDataNode() {
-    this = call.getArgument(apos) and
+    exists(InterestingExternalApiCall call, DataFlowPrivate::ArgumentPosition apos |
+      this = call.getArgument(apos)
+    ) and
    // Not already modeled as a taint step
    not exists(DataFlow::Node next | TaintTrackingPrivate::defaultAdditionalTaintStep(this, next)) and
    // for `list.append(x)`, we have a additional taint step from x -> [post] list.
--- a/python/ql/src/meta/analysis-quality/CallGraphQuality.qll
+++ b/python/ql/src/meta/analysis-quality/CallGraphQuality.qll
@@ -81,7 +81,7 @@ module PointsToBasedCallGraph {
   */
  class ResolvableCallRelevantTarget extends ResolvableCall {
    ResolvableCallRelevantTarget() {
-      exists(Target target | target = getTarget() |
+      exists(Target target | target = this.getTarget() |
        exists(target.getLocation().getFile().getRelativePath())
      )
    }
@@ -137,7 +137,7 @@ module TypeTrackingBasedCallGraph {
   */
  class ResolvableCallRelevantTarget extends ResolvableCall {
    ResolvableCallRelevantTarget() {
-      exists(Target target | target = getTarget() |
+      exists(Target target | target = this.getTarget() |
        exists(target.getLocation().getFile().getRelativePath())
      )
    }