Python: Add getName to RegexExecution concept

Rasmus Lerchedahl Petersen
2021-09-14 11:53:40 +02:00
parent 8f152a5bfb
commit a30f697537
2 changed files with 21 additions and 4 deletions


@@ -371,6 +371,12 @@ class RegexExecution extends DataFlow::Node {
/** Gets a dataflow node for the string to be searched or matched against. */
DataFlow::Node getString() { result = range.getString() }
/**
* Gets the name of this regex execution, typically the name of an executing method.
* This is used for nice alert messages and should include the module if possible.
*/
string getName() { result = range.getName() }
}
/** Provides classes for modeling new regular-expression execution APIs. */
@@ -387,6 +393,12 @@ module RegexExecution {
/** Gets a dataflow node for the string to be searched or matched against. */
abstract DataFlow::Node getString();
/**
* Gets the name of this regex execution, typically the name of an executing method.
* This is used for nice alert messages and should include the module if possible.
*/
abstract string getName();
}
}
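Review bot: The new `abstract string getName();` on `RegexExecution::Range` breaks existing extensions of the range, because every concrete subclass now has to override it, including models maintained outside this repository. The commit updates only the two `re` models visible on this page, so the change deserves a change note that names the new required predicate. The doc comment could also give the expected shape of the value, for example `Gets the name of this regex execution, e.g. "re.search"; the name is embedded verbatim in alert messages.`, so that other framework models produce consistent alert text. The bodies of both `RegexExecution` and `RegexExecution::Range` start outside these hunks.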


@@ -1537,16 +1537,19 @@ private class DirectRegex extends DataFlow::CallCfgNode, RegexExecution::Range {
override DataFlow::Node getString() {
result in [this.getArg(stringArg(method)), this.getArgByName("string")]
}
override string getName() { result = "re." + method }
}
/** Helper module for tracking compiled regexes. */
private module CompiledRegexes {
private import semmle.python.dataflow.new.DataFlow2
private import semmle.python.dataflow.new.DataFlow4
private import semmle.python.RegexTreeView
// TODO: This module should be refactored once API graphs are more expressinve.
// TODO: This module should be refactored once API graphs are more expressive.
// For now it uses data flow, so we pick the verion with least change of collision (4) .
/** A configuration for finding uses of compiled regexes. */
class RegexDefinitionConfiguration extends DataFlow2::Configuration {
class RegexDefinitionConfiguration extends DataFlow4::Configuration {
RegexDefinitionConfiguration() { this = "RegexDefinitionConfiguration" }
override predicate isSource(DataFlow::Node source) { source instanceof RegexDefinitonSource }
@@ -1608,7 +1611,7 @@ private import CompiledRegexes
*
* See https://docs.python.org/3/library/re.html#regular-expression-objects
*/
private class CompiledRegex extends DataFlow::CallCfgNode, RegexExecution {
private class CompiledRegex extends DataFlow::CallCfgNode, RegexExecution::Range {
DataFlow::Node regexNode;
RegexExecutionMethod method;
@@ -1628,6 +1631,8 @@ private class CompiledRegex extends DataFlow::CallCfgNode, RegexExecution {
override DataFlow::Node getString() {
result in [this.getArg(stringArg(method) - 1), this.getArgByName("string")]
}
override string getName() { result = "re." + method }
}
/**
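Review bot: `CompiledRegex.getName()` returns `"re." + method`, the same string as `DirectRegex`, although this class models a method call on a compiled pattern object (`pattern.search(s)`), not a call to the module-level function. An alert that says `re.search` then names a function that does not appear at the flagged call site, which makes regex-related findings slower to triage. Something like `override string getName() { result = "re.Pattern." + method }` would tell the two cases apart. Separately, the newly added comment in `CompiledRegexes` has typos: `verion` should be `version` and `least change of collision (4) .` presumably means `least chance of collision (4).`.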