Python: Revert manual pickle modeling

This reverts commit 62910f0cab525ca4d4901c4c27f6e6b22c3375fc. This reverts commit 75a8197879ec47094d9b18f3dab7bcc1c1cdba28. We don't find `kombu.serialization.pickle_load` since we respect `__all__`. I think that was an attempt to not flood the captured modeling with useless re-exports, but I think we've ended up doing that anyway... we should consider to remove that restriction! see 21d7df29c7/kombu/serialization.py (L29)
2026-04-25 16:55:19 +02:00 · 2023-10-20 14:45:09 +02:00
parent f74581ad09
commit aa5eee1eac
2 changed files with 43 additions and 10 deletions
--- a/python/ql/lib/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/lib/semmle/python/frameworks/Stdlib.qll
@@ -1299,20 +1299,35 @@ module StdlibPrivate {
  // ---------------------------------------------------------------------------
  /** Gets a reference to any of the `pickle` modules. */
  API::Node pickle() {
-    result = API::moduleImport(["pickle", "cPickle", "_pickle", "cloudpickle"]) or
-    result = API::moduleImport("kombu").getMember("serialization").getMember("pickle")
+    result = API::moduleImport(["pickle", "cPickle", "_pickle"])
+    or
+    result = ModelOutput::getATypeNode("pickle~Alias")
+  }
+
+  /**
+   * A reference to `pickle.load`
+   */
+  API::Node pickle_load() {
+    result = pickle().getMember("load")
+    or
+    result = ModelOutput::getATypeNode("pickle.load~Alias")
+  }
+
+  /**
+   * A reference to `pickle.loads`
+   */
+  API::Node pickle_loads() {
+    result = pickle().getMember("loads")
+    or
+    result = ModelOutput::getATypeNode("pickle.loads~Alias")
  }

  /**
   * A call to `pickle.load`
   * See https://docs.python.org/3/library/pickle.html#pickle.load
   */
-  private class PickleLoadCall extends Decoding::Range, DataFlow::CallCfgNode {
-    PickleLoadCall() {
-      this = pickle().getMember("load").getACall() or
-      this =
-        API::moduleImport("kombu").getMember("serialization").getMember("pickle_load").getACall()
-    }
+  private class PickleLoadCall extends Decoding::Range, API::CallNode {
+    PickleLoadCall() { this = pickle_load().getACall() }

    override predicate mayExecuteInput() { any() }

@@ -1327,8 +1342,8 @@ module StdlibPrivate {
   * A call to `pickle.loads`
   * See https://docs.python.org/3/library/pickle.html#pickle.loads
   */
-  private class PickleLoadsCall extends Decoding::Range, DataFlow::CallCfgNode {
-    PickleLoadsCall() { this = pickle().getMember("loads").getACall() }
+  private class PickleLoadsCall extends Decoding::Range, API::CallNode {
+    PickleLoadsCall() { this = pickle_loads().getACall() }

    override predicate mayExecuteInput() { any() }

--- a/python/ql/src/meta/ClassHierarchy/Find.ql
+++ b/python/ql/src/meta/ClassHierarchy/Find.ql
@@ -464,6 +464,24 @@ class LxmlETreeAlias extends FindSubclassesSpec {
  override API::Node getAlreadyModeledClass() { result = Lxml::etreeRef() }
 }

+class PickleAlias extends FindSubclassesSpec {
+  PickleAlias() { this = "pickle~Alias" }
+
+  override API::Node getAlreadyModeledClass() { result = StdlibPrivate::pickle() }
+}
+
+class PickleLoadAlias extends FindSubclassesSpec {
+  PickleLoadAlias() { this = "pickle.load~Alias" }
+
+  override API::Node getAlreadyModeledClass() { result = StdlibPrivate::pickle_load() }
+}
+
+class PickleLoadsAlias extends FindSubclassesSpec {
+  PickleLoadsAlias() { this = "pickle.loads~Alias" }
+
+  override API::Node getAlreadyModeledClass() { result = StdlibPrivate::pickle_loads() }
+}
+
 bindingset[fullyQualified]
 predicate fullyQualifiedToYamlFormat(string fullyQualified, string type2, string path) {
  exists(int firstDot | firstDot = fullyQualified.indexOf(".", 0, 0) |