Python: Refactor SaxParserSetFeatureCall

Originally made by @erik-krogh in https://github.com/github/codeql/pull/8693/files#diff-9627c1fb9a1cc77fb93e6b7e31af1a4fa908f2a60362cfb34377d24debb97398 Could not be applied directly to this PR, since this PR deletes the file.
2025-12-24 04:36:35 +01:00 · 2022-05-02 11:29:00 +02:00
parent 5f01fc24e4
commit 714465bf39
1 changed files with 7 additions and 31 deletions
--- a/python/ql/lib/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/lib/semmle/python/frameworks/Stdlib.qll
@@ -3408,7 +3408,7 @@ private module StdlibPrivate {
   *
   * See https://docs.python.org/3.10/library/xml.sax.reader.html#xml.sax.xmlreader.XMLReader.setFeature
   */
-  private class SaxParserSetFeatureCall extends DataFlow::MethodCallNode {
+  private class SaxParserSetFeatureCall extends API::CallNode, DataFlow::MethodCallNode {
    SaxParserSetFeatureCall() {
      this =
        API::moduleImport("xml")
@@ -3421,27 +3421,9 @@ private module StdlibPrivate {
    // The keyword argument names does not match documentation. I checked (with Python
    // 3.9.5) that the names used here actually works.
-    DataFlow::Node getFeatureArg() { result in [this.getArg(0), this.getArgByName("name")] }
+    API::Node getFeatureArg() { result = this.getParameter(0, "name") }
-    DataFlow::Node getStateArg() { result in [this.getArg(1), this.getArgByName("state")] }
+    API::Node getStateArg() { result = this.getParameter(1, "state") }
  }
  /** Gets a back-reference to the `setFeature` state argument `arg`. */
  private DataFlow::TypeTrackingNode saxParserSetFeatureStateArgBacktracker(
    DataFlow::TypeBackTracker t, DataFlow::Node arg
  ) {
    t.start() and
    arg = any(SaxParserSetFeatureCall c).getStateArg() and
    result = arg.getALocalSource()
    or
    exists(DataFlow::TypeBackTracker t2 |
      result = saxParserSetFeatureStateArgBacktracker(t2, arg).backtrack(t2, t)
    )
  }
  /** Gets a back-reference to the `setFeature` state argument `arg`. */
  DataFlow::LocalSourceNode saxParserSetFeatureStateArgBacktracker(DataFlow::Node arg) {
    result = saxParserSetFeatureStateArgBacktracker(DataFlow::TypeBackTracker::end(), arg)
  }
  /**
@@ -3452,16 +3434,13 @@ private module StdlibPrivate {
  private DataFlow::Node saxParserWithFeatureExternalGesTurnedOn(DataFlow::TypeTracker t) {
    t.start() and
    exists(SaxParserSetFeatureCall call |
-      call.getFeatureArg() =
+      call.getFeatureArg().getARhs() =
        API::moduleImport("xml")
            .getMember("sax")
            .getMember("handler")
            .getMember("feature_external_ges")
            .getAUse() and
-      saxParserSetFeatureStateArgBacktracker(call.getStateArg())
+      call.getStateArg().getAValueReachingRhs().asExpr().(BooleanLiteral).booleanValue() = true and
          .asExpr()
          .(BooleanLiteral)
          .booleanValue() = true and
      result = call.getObject()
    )
    or
@@ -3471,16 +3450,13 @@ private module StdlibPrivate {
    // take account of that we can set the feature to False, which makes the parser safe again
    not exists(SaxParserSetFeatureCall call |
      call.getObject() = result and
-      call.getFeatureArg() =
+      call.getFeatureArg().getARhs() =
        API::moduleImport("xml")
            .getMember("sax")
            .getMember("handler")
            .getMember("feature_external_ges")
            .getAUse() and
-      saxParserSetFeatureStateArgBacktracker(call.getStateArg())
+      call.getStateArg().getAValueReachingRhs().asExpr().(BooleanLiteral).booleanValue() = false
          .asExpr()
          .(BooleanLiteral)
          .booleanValue() = false
    )
  }