Python: Rename getAUse -> getAValueReachableFromSource

2026-04-28 02:05:14 +02:00 · 2022-06-13 10:02:14 +02:00
parent 181a53bd03
commit b096f9ec72
25 changed files with 103 additions and 65 deletions
--- a/python/ql/src/Security/CWE-295/MissingHostKeyValidation.ql
+++ b/python/ql/src/Security/CWE-295/MissingHostKeyValidation.ql
@@ -29,7 +29,7 @@ where
  call = paramikoSSHClientInstance().getMember("set_missing_host_key_policy").getACall() and
  arg in [call.getArg(0), call.getArgByName("policy")] and
  (
-    arg = unsafe_paramiko_policy(name).getAUse() or
-    arg = unsafe_paramiko_policy(name).getReturn().getAUse()
+    arg = unsafe_paramiko_policy(name).getAValueReachableFromSource() or
+    arg = unsafe_paramiko_policy(name).getReturn().getAValueReachableFromSource()
  )
 select call, "Setting missing host key policy to " + name + " may be unsafe."
--- a/python/ql/src/Security/CWE-327/PyOpenSSL.qll
+++ b/python/ql/src/Security/CWE-327/PyOpenSSL.qll
@@ -17,7 +17,8 @@ class PyOpenSSLContextCreation extends ContextCreation, DataFlow::CallCfgNode {
      protocolArg in [this.getArg(0), this.getArgByName("method")]
    |
      protocolArg in [
-          pyo.specific_version(result).getAUse(), pyo.unspecific_version(result).getAUse()
+          pyo.specific_version(result).getAValueReachableFromSource(),
+          pyo.unspecific_version(result).getAValueReachableFromSource()
        ]
    )
  }
@@ -43,9 +44,10 @@ class SetOptionsCall extends ProtocolRestriction, DataFlow::CallCfgNode {
  }

  override ProtocolVersion getRestriction() {
-    API::moduleImport("OpenSSL").getMember("SSL").getMember("OP_NO_" + result).getAUse() in [
-        this.getArg(0), this.getArgByName("options")
-      ]
+    API::moduleImport("OpenSSL")
+          .getMember("SSL")
+          .getMember("OP_NO_" + result)
+          .getAValueReachableFromSource() in [this.getArg(0), this.getArgByName("options")]
  }
 }

--- a/python/ql/src/Security/CWE-327/Ssl.qll
+++ b/python/ql/src/Security/CWE-327/Ssl.qll
@@ -15,7 +15,10 @@ class SSLContextCreation extends ContextCreation, DataFlow::CallCfgNode {
      protocolArg in [this.getArg(0), this.getArgByName("protocol")]
    |
      protocolArg =
-        [ssl.specific_version(result).getAUse(), ssl.unspecific_version(result).getAUse()]
+        [
+          ssl.specific_version(result).getAValueReachableFromSource(),
+          ssl.unspecific_version(result).getAValueReachableFromSource()
+        ]
    )
    or
    not exists(this.getArg(_)) and
@@ -54,7 +57,11 @@ class OptionsAugOr extends ProtocolRestriction, DataFlow::CfgNode {
      aa.getTarget() = attr.getNode() and
      attr.getName() = "options" and
      attr.getObject() = node and
-      flag = API::moduleImport("ssl").getMember("OP_NO_" + restriction).getAUse().asExpr() and
+      flag =
+        API::moduleImport("ssl")
+            .getMember("OP_NO_" + restriction)
+            .getAValueReachableFromSource()
+            .asExpr() and
      (
        aa.getValue() = flag
        or
@@ -79,7 +86,11 @@ class OptionsAugAndNot extends ProtocolUnrestriction, DataFlow::CfgNode {
      attr.getObject() = node and
      notFlag.getOp() instanceof Invert and
      notFlag.getOperand() = flag and
-      flag = API::moduleImport("ssl").getMember("OP_NO_" + restriction).getAUse().asExpr() and
+      flag =
+        API::moduleImport("ssl")
+            .getMember("OP_NO_" + restriction)
+            .getAValueReachableFromSource()
+            .asExpr() and
      (
        aa.getValue() = notFlag
        or
@@ -134,7 +145,10 @@ class ContextSetVersion extends ProtocolRestriction, ProtocolUnrestriction, Data
      this = aw.getObject() and
      aw.getAttributeName() = "minimum_version" and
      aw.getValue() =
-        API::moduleImport("ssl").getMember("TLSVersion").getMember(restriction).getAUse()
+        API::moduleImport("ssl")
+            .getMember("TLSVersion")
+            .getMember(restriction)
+            .getAValueReachableFromSource()
    )
  }

@@ -188,7 +202,8 @@ class Ssl extends TlsLibrary {

  override DataFlow::CallCfgNode insecure_connection_creation(ProtocolVersion version) {
    result = API::moduleImport("ssl").getMember("wrap_socket").getACall() and
-    this.specific_version(version).getAUse() = result.getArgByName("ssl_version") and
+    this.specific_version(version).getAValueReachableFromSource() =
+      result.getArgByName("ssl_version") and
    version.isInsecure()
  }

--- a/python/ql/src/experimental/semmle/python/frameworks/Django.qll
+++ b/python/ql/src/experimental/semmle/python/frameworks/Django.qll
@@ -86,11 +86,13 @@ private module ExperimentalPrivateDjango {
            t.start() and
            (
              exists(SubscriptNode subscript |
-                subscript.getObject() = baseClassRef().getReturn().getAUse().asCfgNode() and
+                subscript.getObject() =
+                  baseClassRef().getReturn().getAValueReachableFromSource().asCfgNode() and
                result.asCfgNode() = subscript
              )
              or
-              result.(DataFlow::AttrRead).getObject() = baseClassRef().getReturn().getAUse()
+              result.(DataFlow::AttrRead).getObject() =
+                baseClassRef().getReturn().getAValueReachableFromSource()
            )
            or
            exists(DataFlow::TypeTracker t2 | result = headerInstance(t2).track(t2, t))
--- a/python/ql/src/experimental/semmle/python/frameworks/Flask.qll
+++ b/python/ql/src/experimental/semmle/python/frameworks/Flask.qll
@@ -29,7 +29,11 @@ module ExperimentalFlask {

  /** Gets a reference to a header instance. */
  private DataFlow::LocalSourceNode headerInstance() {
-    result = [Flask::Response::classRef(), flaskMakeResponse()].getReturn().getAMember().getAUse()
+    result =
+      [Flask::Response::classRef(), flaskMakeResponse()]
+          .getReturn()
+          .getAMember()
+          .getAValueReachableFromSource()
  }

  /** Gets a reference to a header instance call/subscript */
--- a/python/ql/src/experimental/semmle/python/frameworks/LDAP.qll
+++ b/python/ql/src/experimental/semmle/python/frameworks/LDAP.qll
@@ -90,7 +90,9 @@ private module LDAP {

    /**List of SSL-demanding options */
    private class LDAPSSLOptions extends DataFlow::Node {
-      LDAPSSLOptions() { this = ldap().getMember("OPT_X_TLS_" + ["DEMAND", "HARD"]).getAUse() }
+      LDAPSSLOptions() {
+        this = ldap().getMember("OPT_X_TLS_" + ["DEMAND", "HARD"]).getAValueReachableFromSource()
+      }
    }

    /**
--- a/python/ql/src/experimental/semmle/python/frameworks/NoSQL.qll
+++ b/python/ql/src/experimental/semmle/python/frameworks/NoSQL.qll
@@ -50,11 +50,11 @@ private module NoSql {
    t.start() and
    (
      exists(SubscriptNode subscript |
-        subscript.getObject() = mongoClientInstance().getAUse().asCfgNode() and
+        subscript.getObject() = mongoClientInstance().getAValueReachableFromSource().asCfgNode() and
        result.asCfgNode() = subscript
      )
      or
-      result.(DataFlow::AttrRead).getObject() = mongoClientInstance().getAUse()
+      result.(DataFlow::AttrRead).getObject() = mongoClientInstance().getAValueReachableFromSource()
      or
      result = mongoEngine().getMember(["get_db", "connect"]).getACall()
      or