Python: Remove ClassInstantiation from Django UploadedFile

since UploadedFile is the abstract base class, all real usage would be of one of the subclasses, so removing this to not provide a false hope that it actually works. I don't think investing the time into making this work would give any value, so that's why I didn't do it ;)
2026-04-28 18:25:24 +02:00 · 2021-07-20 10:27:33 +02:00
parent 7dc6518350
commit 6f0a622252
1 changed files with 0 additions and 17 deletions
--- a/python/ql/src/semmle/python/frameworks/Django.qll
+++ b/python/ql/src/semmle/python/frameworks/Django.qll
@@ -369,16 +369,6 @@ private module Django {
   * See https://docs.djangoproject.com/en/3.0/ref/files/uploads/#django.core.files.uploadedfile.UploadedFile.
   */
  module UploadedFile {
-    /** Gets a reference to the `django.core.files.uploadedfile.UploadedFile` class. */
-    private API::Node classRef() {
-      result =
-        API::moduleImport("django")
-            .getMember("core")
-            .getMember("files")
-            .getMember("uploadedfile")
-            .getMember("UploadedFile")
-    }
-
    /**
     * A source of instances of `django.core.files.uploadedfile.UploadedFile`, extend this class to model new instances.
     *
@@ -390,13 +380,6 @@ private module Django {
     */
    abstract class InstanceSource extends DataFlow::LocalSourceNode { }

-    /** A direct instantiation of `django.core.files.uploadedfile.UploadedFile`. */
-    private class ClassInstantiation extends InstanceSource, DataFlow::CallCfgNode {
-      override CallNode node;
-
-      ClassInstantiation() { this = classRef().getACall() }
-    }
-
    /** Gets a reference to an instance of `django.core.files.uploadedfile.UploadedFile`. */
    private DataFlow::TypeTrackingNode instance(DataFlow::TypeTracker t) {
      t.start() and