python: add concept for XPath construction

also small fixup in `SqlConstruction`
Rasmus Lerchedahl Petersen
2022-02-08 12:31:37 +01:00
parent 7d287f1698
commit 8665fe4817


@@ -334,6 +334,7 @@ module CodeExecution {
/**
* A data-flow node that constructs an SQL statement.
*
* Often, it is worthy of an alert if an SQL statement is constructed such that
* executing it would be a security risk.
*
@@ -355,11 +356,14 @@ class SqlConstruction extends DataFlow::Node {
module SqlConstruction {
/**
* A data-flow node that constructs an SQL statement.
*
* Often, it is worthy of an alert if an SQL statement is constructed such that
* executing it would be a security risk.
*
* If it is important that the SQL statement is indeed executed, then use `SQLExecution`.
*
* Extend this class to model new APIs. If you want to refine existing API models,
* extend `SqlExecution` instead.
* extend `SqlConstruction` instead.
*/
abstract class Range extends DataFlow::Node {
/** Gets the argument that specifies the SQL statements to be constructed. */
@@ -449,9 +453,49 @@ module RegexExecution {
}
}
/**
* A data-flow node that constructs an XPath expression.
*
* Often, it is worthy of an alert if an XPath expression is constructed such that
* executing it would be a security risk.
*
* If it is important that the XPath expression is indeed executed, then use `XPathExecution`.
*
* Extend this class to refine existing API models. If you want to model new APIs,
* extend `XPathConstruction::Range` instead.
*/
class XPathConstruction extends DataFlow::Node {
XPathConstruction::Range range;
XPathConstruction() { this = range }
/** Gets the argument that specifies the XPath expressions to be constructed. */
DataFlow::Node getXPath() { result = range.getXPath() }
}
/** Provides a class for modeling new XPath construction APIs. */
module XPathConstruction {
/**
* A data-flow node that constructs an XPath expression.
*
* Often, it is worthy of an alert if an XPath expression is constructed such that
* executing it would be a security risk.
*
* Extend this class to model new APIs. If you want to refine existing API models,
* extend `XPathConstruction` instead.
*/
abstract class Range extends DataFlow::Node {
/** Gets the argument that specifies the XPath expressions to be constructed. */
abstract DataFlow::Node getXPath();
}
}
/**
* A data-flow node that executes a xpath expression.
*
* If the context of interest is such that merely constructing an XPath expression
* would be valuabe to report, then consider using `XPathConstruction`.
*
* Extend this class to refine existing API models. If you want to model new APIs,
* extend `XPathExecution::Range` instead.
*/
@@ -460,14 +504,14 @@ class XPathExecution extends DataFlow::Node {
XPathExecution() { this = range }
/** Gets the data flow node for the xpath expression being executed by this node. */
/** Gets the data flow node for the XPath expression being executed by this node. */
DataFlow::Node getXPath() { result = range.getXPath() }
/** Gets a dataflow node for the tree in which the xpath is being evaluated. */
/** Gets a dataflow node for the tree in which the XPath expression is being evaluated. */
DataFlow::Node getTree() { result = range.getTree() }
/**
* Gets the name of this xpath expression execution, typically the name of an executing method.
* Gets the name of this XPath expression execution, typically the name of an executing method.
* This is used for nice alert messages and should include the module if possible.
*/
string getName() { result = range.getName() }
@@ -476,16 +520,19 @@ class XPathExecution extends DataFlow::Node {
/** Provides classes for modeling new regular-expression execution APIs. */
module XPathExecution {
/**
* A data-flow node that executes a xpath expression.
* A data-flow node that executes a XPath expression.
*
* If the context of interest is such that merely constructing an XPath expression
* would be valuabe to report, then consider using `XPathConstruction`.
*
* Extend this class to model new APIs. If you want to refine existing API models,
* extend `XPathExecution` instead.
*/
abstract class Range extends DataFlow::Node {
/** Gets the data flow node for the xpath expression being executed by this node. */
/** Gets the data flow node for the XPath expression being executed by this node. */
abstract DataFlow::Node getXPath();
/** Gets a dataflow node for the tree in which the xpath is being evaluated. */
/** Gets a dataflow node for the tree in which the XPath expression is being evaluated. */
abstract DataFlow::Node getTree();
/**