Merge pull request #8336 from tausbn/python-fix-a-bunch-of-ql-warnings

Python: Fix a bunch of QL warnings
2025-12-22 03:36:30 +01:00 · 2022-03-09 16:31:28 +01:00
parent 17cec52af8 063a8bbc43
commit 7b877fb317
102 changed files with 399 additions and 357 deletions
--- a/python/ql/lib/semmle/python/security/strings/Basic.qll
+++ b/python/ql/lib/semmle/python/security/strings/Basic.qll
@@ -45,7 +45,7 @@ abstract deprecated class StringKind extends TaintKind {
 deprecated private class StringEqualitySanitizer extends Sanitizer {
  StringEqualitySanitizer() { this = "string equality sanitizer" }

-  /** The test `if untrusted == "KNOWN_VALUE":` sanitizes `untrusted` on its `true` edge. */
+  /* The test `if untrusted == "KNOWN_VALUE":` sanitizes `untrusted` on its `true` edge. */
  override predicate sanitizingEdge(TaintKind taint, PyEdgeRefinement test) {
    taint instanceof StringKind and
    exists(ControlFlowNode const, Cmpop op | const.getNode() instanceof StrConst |
--- a/python/ql/lib/semmle/python/security/strings/External.qll
+++ b/python/ql/lib/semmle/python/security/strings/External.qll
@@ -79,18 +79,12 @@ deprecated class ExternalUrlSplitResult extends ExternalStringSequenceKind {
  override TaintKind getTaintOfAttribute(string name) {
    result = super.getTaintOfAttribute(name)
    or
-    (
-      // namedtuple field names
-      name = "scheme" or
-      name = "netloc" or
-      name = "path" or
-      name = "query" or
-      name = "fragment" or
-      // class methods
-      name = "username" or
-      name = "password" or
-      name = "hostname"
-    ) and
+    name in [
+        // namedtuple field names
+        "scheme", "netloc", "path", "query", "fragment",
+        // class methods
+        "password", "username", "hostname",
+      ] and
    result instanceof ExternalStringKind
  }

@@ -108,19 +102,12 @@ deprecated class ExternalUrlParseResult extends ExternalStringSequenceKind {
  override TaintKind getTaintOfAttribute(string name) {
    result = super.getTaintOfAttribute(name)
    or
-    (
-      // namedtuple field names
-      name = "scheme" or
-      name = "netloc" or
-      name = "path" or
-      name = "params" or
-      name = "query" or
-      name = "fragment" or
-      // class methods
-      name = "username" or
-      name = "password" or
-      name = "hostname"
-    ) and
+    name in [
+        // namedtuple field names
+        "scheme", "netloc", "path", "params", "query", "fragment",
+        // class methods
+        "username", "password", "hostname",
+      ] and
    result instanceof ExternalStringKind
  }