From ba19f95d3ec00fcd45497ca2a93511fc6b70e05d Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Mon, 18 Sep 2023 12:05:20 +0200
Subject: [PATCH] Python: Improve `SelfRefMixin`

This is important to model mixins correctly, for example when they help
handle incoming requests, and therefore need to know that `self.kwargs`
contains data controlled by a user.
---
 .../python/frameworks/internal/SelfRefMixin.qll   | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/python/ql/lib/semmle/python/frameworks/internal/SelfRefMixin.qll b/python/ql/lib/semmle/python/frameworks/internal/SelfRefMixin.qll
index 2fd9ece8580..da5befd6577 100644
--- a/python/ql/lib/semmle/python/frameworks/internal/SelfRefMixin.qll
+++ b/python/ql/lib/semmle/python/frameworks/internal/SelfRefMixin.qll
@@ -6,6 +6,7 @@
 
 private import python
 private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.dataflow.new.internal.DataFlowDispatch
 
 /**
  * INTERNAL: Do not use.
@@ -16,13 +17,16 @@ abstract class SelfRefMixin extends Class {
   /**
    * Gets a reference to instances of this class, originating from a self parameter of
    * a method defined on this class.
-   *
-   * Note: TODO: This doesn't take MRO into account
-   * Note: TODO: This doesn't take staticmethod/classmethod into account
    */
   private DataFlow::TypeTrackingNode getASelfRef(DataFlow::TypeTracker t) {
     t.start() and
-    result.(DataFlow::ParameterNode).getParameter() = this.getAMethod().getArg(0)
+    exists(Class cls, Function meth |
+      cls = getADirectSuperclass*(this) and
+      meth = cls.getAMethod() and
+      not isStaticmethod(meth) and
+      not isClassmethod(meth) and
+      result.(DataFlow::ParameterNode).getParameter() = meth.getArg(0)
+    )
     or
     exists(DataFlow::TypeTracker t2 | result = this.getASelfRef(t2).track(t2, t))
   }
@@ -30,9 +34,6 @@ abstract class SelfRefMixin extends Class {
   /**
    * Gets a reference to instances of this class, originating from a self parameter of
    * a method defined on this class.
-   *
-   * Note: TODO: This doesn't take MRO into account
-   * Note: TODO: This doesn't take staticmethod/classmethod into account
    */
   DataFlow::Node getASelfRef() { this.getASelfRef(DataFlow::TypeTracker::end()).flowsTo(result) }
 }