Merge branch 'github:main' into jty/python/emailInjection

python/ql/src/Expressions/CallArgs.qll

@@ -99,14 +99,14 @@ private ControlFlowNode get_a_call(Value callable) {
 
 /** Gets the function object corresponding to the given class or function. */
 FunctionObject get_function_or_initializer_objectapi(Object func_or_cls) {
-  result = func_or_cls.(FunctionObject)
+  result = func_or_cls
   or
   result = func_or_cls.(ClassObject).declaredAttribute("__init__")
 }
 
 /** Gets the function object corresponding to the given class or function. */
 FunctionValue get_function_or_initializer(Value func_or_cls) {
-  result = func_or_cls.(FunctionValue)
+  result = func_or_cls
   or
   result = func_or_cls.(ClassValue).declaredAttribute("__init__")
 }

python/ql/src/Lexical/CommentedOutCode.qll

@@ -210,9 +210,9 @@ class CommentedOutCodeBlock extends @py_comment {
 
   /** Whether this commented-out code block is likely to be example code embedded in a larger comment. */
   predicate maybeExampleCode() {
-    exists(CommentBlock block | block.contains(this.(Comment)) |
+    exists(CommentBlock block | block.contains(this) |
       exists(int all_code |
-        all_code = sum(CommentedOutCodeBlock code | block.contains(code.(Comment)) | code.length()) and
+        all_code = sum(CommentedOutCodeBlock code | block.contains(code) | code.length()) and
         /* This ratio may need fine tuning */
         block.length() > all_code * 2
       )

python/ql/src/Security/CWE-295/RequestWithoutValidation.ql

@@ -11,17 +11,46 @@
  */
 
 import python
-import semmle.python.web.Http
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.Concepts
+private import semmle.python.ApiGraphs
 
-FunctionValue requestFunction() { result = Module::named("requests").attr(httpVerbLower()) }
+/**
+ * Gets a call to a method that makes an outgoing request using the `requests` module,
+ * such as `requests.get` or `requests.put`, with the specified HTTP verb `verb`
+ */
+DataFlow::CallCfgNode outgoingRequestCall(string verb) {
+  verb = HTTP::httpVerbLower() and
+  result = API::moduleImport("requests").getMember(verb).getACall()
+}
 
-/** requests treats None as the default and all other "falsey" values as False */
-predicate falseNotNone(Value v) { v.getDefiniteBooleanValue() = false and not v = Value::none_() }
+/** Gets the "verfiy" argument to a outgoingRequestCall. */
+DataFlow::Node verifyArg(DataFlow::CallCfgNode call) {
+  call = outgoingRequestCall(_) and
+  result = call.getArgByName("verify")
+}
 
-from CallNode call, FunctionValue func, Value falsey, ControlFlowNode origin
+/** Gets a back-reference to the verify argument `arg`. */
+private DataFlow::TypeTrackingNode verifyArgBacktracker(
+  DataFlow::TypeBackTracker t, DataFlow::Node arg
+) {
+  t.start() and
+  arg = verifyArg(_) and
+  result = arg.getALocalSource()
+  or
+  exists(DataFlow::TypeBackTracker t2 | result = verifyArgBacktracker(t2, arg).backtrack(t2, t))
+}
+
+/** Gets a back-reference to the verify argument `arg`. */
+DataFlow::LocalSourceNode verifyArgBacktracker(DataFlow::Node arg) {
+  result = verifyArgBacktracker(DataFlow::TypeBackTracker::end(), arg)
+}
+
+from DataFlow::CallCfgNode call, DataFlow::Node falseyOrigin, string verb
 where
-  func = requestFunction() and
-  func.getACall() = call and
-  falseNotNone(falsey) and
-  call.getArgByName("verify").pointsTo(falsey, origin)
-select call, "Call to $@ with verify=$@", func, "requests." + func.getName(), origin, "False"
+  call = outgoingRequestCall(verb) and
+  falseyOrigin = verifyArgBacktracker(verifyArg(call)) and
+  // requests treats `None` as the default and all other "falsey" values as `False`.
+  falseyOrigin.asExpr().(ImmutableLiteral).booleanValue() = false and
+  not falseyOrigin.asExpr() instanceof None
+select call, "Call to requests." + verb + " with verify=$@", falseyOrigin, "False"

python/ql/src/Statements/RedundantAssignment.ql

@@ -70,10 +70,11 @@ predicate same_attribute(Attribute a1, Attribute a2) {
   not is_property_access(a1)
 }
 
+pragma[nomagic]
+Comment pyflakes_comment() { result.getText().toLowerCase().matches("%pyflakes%") }
+
 int pyflakes_commented_line(File file) {
-  exists(Comment c | c.getText().toLowerCase().matches("%pyflakes%") |
-    c.getLocation().hasLocationInfo(file.getAbsolutePath(), result, _, _, _)
-  )
+  pyflakes_comment().getLocation().hasLocationInfo(file.getAbsolutePath(), result, _, _, _)
 }
 
 predicate pyflakes_commented(AssignStmt assignment) {

python/ql/src/experimental/semmle/python/frameworks/Django.qll

@@ -10,7 +10,7 @@ private import experimental.semmle.python.Concepts
 private import semmle.python.ApiGraphs
 private import semmle.python.dataflow.new.RemoteFlowSources
 
-private module PrivateDjango {
+private module ExperimentalPrivateDjango {
   private module django {
     API::Node http() { result = API::moduleImport("django").getMember("http") }
 

python/ql/src/meta/alerts/RequestHandlers.ql

@@ -0,0 +1,23 @@
+/**
+ * @name Request Handlers
+ * @description HTTP Server Request Handlers
+ * @kind problem
+ * @problem.severity recommendation
+ * @id py/meta/alerts/request-handlers
+ * @tags meta
+ * @precision very-low
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.Concepts
+private import meta.MetaMetrics
+
+from HTTP::Server::RequestHandler requestHandler, string title
+where
+  not requestHandler.getLocation().getFile() instanceof IgnoredFile and
+  if requestHandler.isMethod()
+  then
+    title = "Method " + requestHandler.getScope().(Class).getName() + "." + requestHandler.getName()
+  else title = requestHandler.toString()
+select requestHandler, "RequestHandler: " + title