Py/JS/RB: Use instanceof in more places

2026-05-04 05:05:12 +02:00 · 2022-12-12 16:06:57 +01:00
parent 4ff823c36b
commit b3a9c1ca06
88 changed files with 256 additions and 574 deletions
--- a/python/ql/lib/semmle/python/SpecialMethods.qll
+++ b/python/ql/lib/semmle/python/SpecialMethods.qll
@@ -11,9 +11,7 @@
 private import python

 /** A control flow node which might correspond to a special method call. */
-class PotentialSpecialMethodCallNode extends ControlFlowNode {
-  PotentialSpecialMethodCallNode() { this instanceof SpecialMethod::Potential }
-}
+class PotentialSpecialMethodCallNode extends ControlFlowNode instanceof SpecialMethod::Potential { }

 /**
 * Machinery for detecting special method calls.
--- a/python/ql/lib/semmle/python/dataflow/new/RemoteFlowSources.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/RemoteFlowSources.qll
@@ -15,13 +15,9 @@ private import semmle.python.Concepts
 * Extend this class to refine existing API models. If you want to model new APIs,
 * extend `RemoteFlowSource::Range` instead.
 */
-class RemoteFlowSource extends DataFlow::Node {
-  RemoteFlowSource::Range self;
-
-  RemoteFlowSource() { this = self }
-
+class RemoteFlowSource extends DataFlow::Node instanceof RemoteFlowSource::Range {
  /** Gets a string that describes the type of this remote flow source. */
-  string getSourceType() { result = self.getSourceType() }
+  string getSourceType() { result = super.getSourceType() }
 }

 /** Provides a class for modeling new sources of remote user input. */
--- a/python/ql/lib/semmle/python/dataflow/new/SensitiveDataSources.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/SensitiveDataSources.qll
@@ -21,11 +21,8 @@ module SensitiveDataClassification = SensitiveDataHeuristics::SensitiveDataClass
 * Extend this class to refine existing API models. If you want to model new APIs,
 * extend `SensitiveDataSource::Range` instead.
 */
-class SensitiveDataSource extends DataFlow::Node {
-  SensitiveDataSource::Range range;
-
+class SensitiveDataSource extends DataFlow::Node instanceof SensitiveDataSource::Range {
  SensitiveDataSource() {
-    this = range and
    // ignore sensitive password sources in getpass.py, that can escape through `getpass.getpass()` return value,
    // since `getpass.getpass()` is considered a source itself.
    not exists(Module getpass |
@@ -39,7 +36,7 @@ class SensitiveDataSource extends DataFlow::Node {
  /**
   * Gets the classification of the sensitive data.
   */
-  SensitiveDataClassification getClassification() { result = range.getClassification() }
+  SensitiveDataClassification getClassification() { result = super.getClassification() }
 }

 /** Provides a class for modeling new sources of sensitive data, such as secrets, certificates, or passwords. */
--- a/python/ql/lib/semmle/python/dataflow/new/internal/IterableUnpacking.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/internal/IterableUnpacking.qll
@@ -207,16 +207,13 @@ class AssignmentTarget extends ControlFlowNode {
 }

 /** A direct (or top-level) target of an unpacking assignment. */
-class UnpackingAssignmentDirectTarget extends ControlFlowNode {
+class UnpackingAssignmentDirectTarget extends ControlFlowNode instanceof SequenceNode {
  Expr value;

  UnpackingAssignmentDirectTarget() {
-    this instanceof SequenceNode and
-    (
-      value = this.(AssignmentTarget).getValue()
-      or
-      value = this.(ForTarget).getSource()
-    )
+    value = this.(AssignmentTarget).getValue()
+    or
+    value = this.(ForTarget).getSource()
  }

  Expr getValue() { result = value }
--- a/python/ql/lib/semmle/python/dataflow/old/Implementation.qll
+++ b/python/ql/lib/semmle/python/dataflow/old/Implementation.qll
@@ -197,9 +197,7 @@ class TaintTrackingNode extends TTaintTrackingNode {
 * It is implemented as a separate class for clarity and to keep the code
 * in `TaintTracking::Configuration` simpler.
 */
-class TaintTrackingImplementation extends string {
-  TaintTrackingImplementation() { this instanceof TaintTracking::Configuration }
-
+class TaintTrackingImplementation extends string instanceof TaintTracking::Configuration {
  /**
   * Hold if there is a flow from `source`, which is a taint source, to
   * `sink`, which is a taint sink, with this configuration.
@@ -218,7 +216,7 @@ class TaintTrackingImplementation extends string {
  ) {
    context = TNoParam() and
    path = TNoAttribute() and
-    this.(TaintTracking::Configuration).isSource(node, kind)
+    super.isSource(node, kind)
  }

  /** Hold if `source` is a source of taint. */
@@ -234,7 +232,7 @@ class TaintTrackingImplementation extends string {
    exists(DataFlow::Node node, AttributePath path, TaintKind kind |
      sink = TTaintTrackingNode_(node, _, path, kind, this) and
      path = TNoAttribute() and
-      this.(TaintTracking::Configuration).isSink(node, kind)
+      super.isSink(node, kind)
    )
  }

@@ -259,11 +257,11 @@ class TaintTrackingImplementation extends string {
  ) {
    this.unprunedStep(src, node, context, path, kind, edgeLabel) and
    node.getBasicBlock().likelyReachable() and
-    not this.(TaintTracking::Configuration).isBarrier(node) and
+    not super.isBarrier(node) and
    (
      not path = TNoAttribute()
      or
-      not this.(TaintTracking::Configuration).isBarrier(node, kind) and
+      not super.isBarrier(node, kind) and
      exists(DataFlow::Node srcnode, TaintKind srckind |
        src = TTaintTrackingNode_(srcnode, _, _, srckind, this) and
        not this.prunedEdge(srcnode, node, srckind, kind)
@@ -274,9 +272,9 @@ class TaintTrackingImplementation extends string {
  private predicate prunedEdge(
    DataFlow::Node srcnode, DataFlow::Node destnode, TaintKind srckind, TaintKind destkind
  ) {
-    this.(TaintTracking::Configuration).isBarrierEdge(srcnode, destnode, srckind, destkind)
+    super.isBarrierEdge(srcnode, destnode, srckind, destkind)
    or
-    srckind = destkind and this.(TaintTracking::Configuration).isBarrierEdge(srcnode, destnode)
+    srckind = destkind and super.isBarrierEdge(srcnode, destnode)
  }

  private predicate unprunedStep(
@@ -314,14 +312,14 @@ class TaintTrackingImplementation extends string {
    this.legacyExtensionStep(src, node, context, path, kind, edgeLabel)
    or
    exists(DataFlow::Node srcnode, TaintKind srckind |
-      this.(TaintTracking::Configuration).isAdditionalFlowStep(srcnode, node, srckind, kind) and
+      super.isAdditionalFlowStep(srcnode, node, srckind, kind) and
      src = TTaintTrackingNode_(srcnode, context, path, srckind, this) and
      path.noAttribute() and
      edgeLabel = "additional with kind"
    )
    or
    exists(DataFlow::Node srcnode |
-      this.(TaintTracking::Configuration).isAdditionalFlowStep(srcnode, node) and
+      super.isAdditionalFlowStep(srcnode, node) and
      src = TTaintTrackingNode_(srcnode, context, path, kind, this) and
      path.noAttribute() and
      edgeLabel = "additional"
@@ -618,7 +616,7 @@ class TaintTrackingImplementation extends string {
    TaintKind kind, string edgeLabel
  ) {
    exists(TaintTracking::Extension extension, DataFlow::Node srcnode, TaintKind srckind |
-      this.(TaintTracking::Configuration).isExtension(extension) and
+      super.isExtension(extension) and
      src = TTaintTrackingNode_(srcnode, context, path, srckind, this) and
      srcnode.asCfgNode() = extension
    |
@@ -646,9 +644,7 @@ class TaintTrackingImplementation extends string {
 * Another taint-tracking class to help partition the code for clarity
 * This class handle tracking of ESSA variables.
 */
-private class EssaTaintTracking extends string {
-  EssaTaintTracking() { this instanceof TaintTracking::Configuration }
-
+private class EssaTaintTracking extends string instanceof TaintTracking::Configuration {
  pragma[noinline]
  predicate taintedDefinition(
    TaintTrackingNode src, EssaDefinition defn, TaintTrackingContext context, AttributePath path,
@@ -691,7 +687,7 @@ private class EssaTaintTracking extends string {
      defn = phi.asVariable().getDefinition() and
      predvar = defn.getInput(pred) and
      not pred.unlikelySuccessor(defn.getBasicBlock()) and
-      not this.(TaintTracking::Configuration).isBarrierEdge(srcnode, phi) and
+      not super.isBarrierEdge(srcnode, phi) and
      srcnode.asVariable() = predvar
    )
  }
@@ -781,7 +777,7 @@ private class EssaTaintTracking extends string {
    exists(DataFlow::Node srcnode |
      src = TTaintTrackingNode_(srcnode, context, path, kind, this) and
      srcnode.asVariable() = defn.getInput() and
-      not this.(TaintTracking::Configuration).isBarrierTest(defn.getTest(), defn.getSense())
+      not super.isBarrierTest(defn.getTest(), defn.getSense())
    )
  }

@@ -801,7 +797,7 @@ private class EssaTaintTracking extends string {
  ) {
    exists(DataFlow::Node srcnode, ControlFlowNode use |
      src = TTaintTrackingNode_(srcnode, context, path, kind, this) and
-      not this.(TaintTracking::Configuration).isBarrierTest(defn.getTest(), defn.getSense()) and
+      not super.isBarrierTest(defn.getTest(), defn.getSense()) and
      defn.getSense() = this.testEvaluates(defn, defn.getTest(), use, src)
    )
  }
@@ -815,7 +811,7 @@ private class EssaTaintTracking extends string {
      src = TTaintTrackingNode_(srcnode, context, path, kind, this) and
      piNodeTestAndUse(defn, test, use) and
      srcnode.asVariable() = defn.getInput() and
-      not this.(TaintTracking::Configuration).isBarrierTest(test, defn.getSense()) and
+      not super.isBarrierTest(test, defn.getSense()) and
      testEvaluatesMaybe(test, use)
    )
  }
--- a/python/ql/lib/semmle/python/essa/Definitions.qll
+++ b/python/ql/lib/semmle/python/essa/Definitions.qll
@@ -205,22 +205,19 @@ class BuiltinVariable extends SsaSourceVariable {
  override CallNode redefinedAtCallSite() { none() }
 }

-class ModuleVariable extends SsaSourceVariable {
+class ModuleVariable extends SsaSourceVariable instanceof GlobalVariable {
  ModuleVariable() {
-    this instanceof GlobalVariable and
-    (
-      exists(this.(Variable).getAStore())
-      or
-      this.(Variable).getId() = "__name__"
-      or
-      this.(Variable).getId() = "__package__"
-      or
-      exists(ImportStar is | is.getScope() = this.(Variable).getScope())
-    )
+    exists(this.(Variable).getAStore())
+    or
+    this.(Variable).getId() = "__name__"
+    or
+    this.(Variable).getId() = "__package__"
+    or
+    exists(ImportStar is | is.getScope() = this.(Variable).getScope())
  }

  pragma[nomagic]
-  private Scope scope_as_global_variable() { result = this.(GlobalVariable).getScope() }
+  private Scope scope_as_global_variable() { result = GlobalVariable.super.getScope() }

  pragma[noinline]
  CallNode global_variable_callnode() { result.getScope() = this.scope_as_global_variable() }
@@ -263,7 +260,7 @@ class ModuleVariable extends SsaSourceVariable {
      class_with_global_metaclass(s, this)
      or
      /* Variable is used in scope */
-      this.(GlobalVariable).getAUse().getScope() = s
+      GlobalVariable.super.getAUse().getScope() = s
    )
    or
    exists(ImportTimeScope scope | scope.entryEdge(_, result) |
--- a/python/ql/lib/semmle/python/frameworks/Aiohttp.qll
+++ b/python/ql/lib/semmle/python/frameworks/Aiohttp.qll
@@ -59,24 +59,24 @@ module AiohttpWebModel {
   * Extend this class to refine existing API models. If you want to model new APIs,
   * extend `AiohttpRouteSetup::Range` instead.
   */
-  class AiohttpRouteSetup extends Http::Server::RouteSetup::Range {
-    AiohttpRouteSetup::Range range;
-
-    AiohttpRouteSetup() { this = range }
-
+  class AiohttpRouteSetup extends Http::Server::RouteSetup::Range instanceof AiohttpRouteSetup::Range {
    override Parameter getARoutedParameter() { none() }

    override string getFramework() { result = "aiohttp.web" }

    /** Gets the argument specifying the handler (either a coroutine or a view-class). */
-    DataFlow::Node getHandlerArg() { result = range.getHandlerArg() }
+    DataFlow::Node getHandlerArg() { result = super.getHandlerArg() }

-    override DataFlow::Node getUrlPatternArg() { result = range.getUrlPatternArg() }
+    override DataFlow::Node getUrlPatternArg() {
+      result = AiohttpRouteSetup::Range.super.getUrlPatternArg()
+    }

    /** Gets the view-class that is referenced in the view-class handler argument, if any. */
-    Class getViewClass() { result = range.getViewClass() }
+    Class getViewClass() { result = super.getViewClass() }

-    override Function getARequestHandler() { result = range.getARequestHandler() }
+    override Function getARequestHandler() {
+      result = AiohttpRouteSetup::Range.super.getARequestHandler()
+    }
  }

  /** Provides a class for modeling new aiohttp.web route setups. */
--- a/python/ql/lib/semmle/python/frameworks/Django.qll
+++ b/python/ql/lib/semmle/python/frameworks/Django.qll
@@ -2526,11 +2526,10 @@ module PrivateDjango {
   *
   * Needs this subclass to be considered a RegexString.
   */
-  private class DjangoRouteRegex extends RegexString {
+  private class DjangoRouteRegex extends RegexString instanceof StrConst {
    DjangoRegexRouteSetup rePathCall;

    DjangoRouteRegex() {
-      this instanceof StrConst and
      rePathCall.getUrlPatternArg().getALocalSource() = DataFlow::exprNode(this)
    }

--- a/python/ql/lib/semmle/python/frameworks/Tornado.qll
+++ b/python/ql/lib/semmle/python/frameworks/Tornado.qll
@@ -385,13 +385,10 @@ module Tornado {
   *
   * Needs this subclass to be considered a RegexString.
   */
-  private class TornadoRouteRegex extends RegexString {
+  private class TornadoRouteRegex extends RegexString instanceof StrConst {
    TornadoRouteSetup setup;

-    TornadoRouteRegex() {
-      this instanceof StrConst and
-      setup.getUrlPatternArg().getALocalSource() = DataFlow::exprNode(this)
-    }
+    TornadoRouteRegex() { setup.getUrlPatternArg().getALocalSource() = DataFlow::exprNode(this) }

    TornadoRouteSetup getRouteSetup() { result = setup }
  }
--- a/python/ql/lib/semmle/python/security/dataflow/StackTraceExposureCustomizations.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/StackTraceExposureCustomizations.qll
@@ -41,9 +41,7 @@ module StackTraceExposure {
  /**
   * A source of exception info, considered as a flow source.
   */
-  class ExceptionInfoAsSource extends Source {
-    ExceptionInfoAsSource() { this instanceof ExceptionInfo }
-  }
+  class ExceptionInfoAsSource extends Source instanceof ExceptionInfo { }

  /**
   * The body of a HTTP response that will be returned from a server, considered as a flow sink.
--- a/python/ql/lib/semmle/python/security/dataflow/XmlBombCustomizations.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/XmlBombCustomizations.qll
@@ -30,9 +30,7 @@ module XmlBomb {
  abstract class Sanitizer extends DataFlow::Node { }

  /** A source of remote user input, considered as a flow source for XML bomb vulnerabilities. */
-  class RemoteFlowSourceAsSource extends Source {
-    RemoteFlowSourceAsSource() { this instanceof RemoteFlowSource }
-  }
+  class RemoteFlowSourceAsSource extends Source instanceof RemoteFlowSource { }

  /**
   * A call to an XML parser that is vulnerable to XML bombs.
--- a/python/ql/lib/semmle/python/security/dataflow/XxeCustomizations.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/XxeCustomizations.qll
@@ -30,9 +30,7 @@ module Xxe {
  abstract class Sanitizer extends DataFlow::Node { }

  /** A source of remote user input, considered as a flow source for XXE vulnerabilities. */
-  class RemoteFlowSourceAsSource extends Source {
-    RemoteFlowSourceAsSource() { this instanceof RemoteFlowSource }
-  }
+  class RemoteFlowSourceAsSource extends Source instanceof RemoteFlowSource { }

  /**
   * A call to an XML parser that is vulnerable to XXE.