Merge pull request #5504 from RasmusWL/type-tracking-first-predicate-private

Python: Ensure first type-tracking predicate is private
yoff
2021-03-24 14:23:27 +01:00
committed by GitHub
5 changed files with 14 additions and 12 deletions


@@ -563,7 +563,9 @@ module Cryptography {
/** Provides classes for modeling new key-pair generation APIs. */
module KeyGeneration {
/** Gets a back-reference to the keysize argument `arg` that was used to generate a new key-pair. */
DataFlow::LocalSourceNode keysizeBacktracker(DataFlow::TypeBackTracker t, DataFlow::Node arg) {
private DataFlow::LocalSourceNode keysizeBacktracker(
DataFlow::TypeBackTracker t, DataFlow::Node arg
) {
t.start() and
arg = any(KeyGeneration::Range r).getKeySizeArg() and
result = arg.getALocalSource()
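Review bot: Marking the two-argument `keysizeBacktracker` as `private` removes a predicate that was previously reachable as `Cryptography::KeyGeneration::keysizeBacktracker(t, arg)`, so any out-of-tree query that called it would stop compiling. The visible lines do not show whether a change note accompanies this. If the library is consumed externally, a short entry would help, naming the wrapper that presumably passes `DataFlow::TypeBackTracker::end()` as the supported entry point. The predicate body continues past the end of the hunk.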


@@ -180,7 +180,7 @@ private newtype TTypeTracker = MkTypeTracker(Boolean hasCall, OptionalAttributeN
* It is recommended that all uses of this type are written in the following form,
* for tracking some type `myType`:
* ```
* DataFlow::LocalSourceNode myType(DataFlow::TypeTracker t) {
* private DataFlow::LocalSourceNode myType(DataFlow::TypeTracker t) {
* t.start() and
* result = < source of myType >
* or
@@ -341,7 +341,7 @@ private newtype TTypeBackTracker = MkTypeBackTracker(Boolean hasReturn, Optional
* for back-tracking some callback type `myCallback`:
*
* ```
* DataFlow::LocalSourceNode myCallback(DataFlow::TypeBackTracker t) {
* private DataFlow::LocalSourceNode myCallback(DataFlow::TypeBackTracker t) {
* t.start() and
* result = (< some API call >).getArgument(< n >).getALocalSource()
* or
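Review bot: Both templates now put `private` on the tracker-taking predicate, but the visible doc comment does not say why, so a reader copying the pattern cannot tell that it is deliberate. One sentence ahead of each example would do, for instance `* The predicate taking the tracker is an implementation detail and should be private; expose only the wrapper that passes end().` The doc comments start and end outside both hunks, so the explanation may already exist there.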


@@ -76,11 +76,11 @@ private module CryptographyModel {
}
/** Gets a reference to a predefined curve class instance with a specific key size (in bits), as well as the origin of the class. */
private DataFlow::Node curveClassInstanceWithKeySize(
private DataFlow::LocalSourceNode curveClassInstanceWithKeySize(
DataFlow::TypeTracker t, int keySize, DataFlow::Node origin
) {
t.start() and
result.asCfgNode().(CallNode).getFunction() = curveClassWithKeySize(keySize).asCfgNode() and
result.(DataFlow::CallCfgNode).getFunction() = curveClassWithKeySize(keySize) and
origin = result
or
// Due to bad performance when using normal setup with we have inlined that code and forced a join
@@ -102,7 +102,7 @@ private module CryptographyModel {
/** Gets a reference to a predefined curve class instance with a specific key size (in bits), as well as the origin of the class. */
DataFlow::Node curveClassInstanceWithKeySize(int keySize, DataFlow::Node origin) {
result = curveClassInstanceWithKeySize(DataFlow::TypeTracker::end(), keySize, origin)
curveClassInstanceWithKeySize(DataFlow::TypeTracker::end(), keySize, origin).flowsTo(result)
}
}
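Review bot: Narrowing the result type of `curveClassInstanceWithKeySize(t, keySize, origin)` from `DataFlow::Node` to `DataFlow::LocalSourceNode` acts as a filter in QL. Any value the inlined step after the `or` yields that is not a local source node is silently dropped rather than reported as an error. That disjunct and any helper it calls lie outside the hunk, so it is worth confirming that they only produce local source nodes. Otherwise key-size results for curve instances could go missing from the model without any visible failure. A comment at the inlined step such as `// results are local source nodes; the public predicate adds local flow via flowsTo` would record the invariant.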