Python: Improve SelfRefMixin

This is important to model mixins correctly, for example when they help handle incoming requests, and therefore need to know that `self.kwargs` contains data controlled by a user.
2025-12-24 12:46:34 +01:00 · 2023-09-18 12:05:20 +02:00
parent dfdb66f723
commit ba19f95d3e
1 changed files with 8 additions and 7 deletions
--- a/python/ql/lib/semmle/python/frameworks/internal/SelfRefMixin.qll
+++ b/python/ql/lib/semmle/python/frameworks/internal/SelfRefMixin.qll
@@ -6,6 +6,7 @@

 private import python
 private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.dataflow.new.internal.DataFlowDispatch

 /**
 * INTERNAL: Do not use.
@@ -16,13 +17,16 @@ abstract class SelfRefMixin extends Class {
  /**
   * Gets a reference to instances of this class, originating from a self parameter of
   * a method defined on this class.
-   *
-   * Note: TODO: This doesn't take MRO into account
-   * Note: TODO: This doesn't take staticmethod/classmethod into account
   */
  private DataFlow::TypeTrackingNode getASelfRef(DataFlow::TypeTracker t) {
    t.start() and
-    result.(DataFlow::ParameterNode).getParameter() = this.getAMethod().getArg(0)
+    exists(Class cls, Function meth |
+      cls = getADirectSuperclass*(this) and
+      meth = cls.getAMethod() and
+      not isStaticmethod(meth) and
+      not isClassmethod(meth) and
+      result.(DataFlow::ParameterNode).getParameter() = meth.getArg(0)
+    )
    or
    exists(DataFlow::TypeTracker t2 | result = this.getASelfRef(t2).track(t2, t))
  }
@@ -30,9 +34,6 @@ abstract class SelfRefMixin extends Class {
  /**
   * Gets a reference to instances of this class, originating from a self parameter of
   * a method defined on this class.
-   *
-   * Note: TODO: This doesn't take MRO into account
-   * Note: TODO: This doesn't take staticmethod/classmethod into account
   */
  DataFlow::Node getASelfRef() { this.getASelfRef(DataFlow::TypeTracker::end()).flowsTo(result) }
 }