Python: Fix some Ql4Ql violations.

Michael Nebel
2025-09-01 15:16:25 +02:00
parent b4d6cb6e5f
commit dbd31259b3
10 changed files with 35 additions and 43 deletions


@@ -15,7 +15,7 @@ import TlsLibraryModel
* The state is represented as a bit vector, where each bit corresponds to a
* protocol version. The bit is set if the protocol is allowed.
*/
module InsecureContextConfiguration implements DataFlow::StateConfigSig {
module InsecureContextConfig implements DataFlow::StateConfigSig {
private newtype TFlowState =
TMkFlowState(TlsLibrary library, int bits) {
bits in [0 .. max(any(ProtocolVersion v).getBit()) * 2 - 1]
@@ -116,7 +116,12 @@ module InsecureContextConfiguration implements DataFlow::StateConfigSig {
}
}
private module InsecureContextFlow = DataFlow::GlobalWithState<InsecureContextConfiguration>;
/**
* DEPRECATED: Will be removed in the future.
*/
deprecated module InsecureContextConfiguration = InsecureContextConfig;
private module InsecureContextFlow = DataFlow::GlobalWithState<InsecureContextConfig>;
/**
* Holds if `conectionCreation` marks the creation of a connection based on the contex
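Review bot: The doc comment on the new deprecated alias in the second hunk says only "Will be removed in the future", so anyone who imported the public `InsecureContextConfiguration` module is not told what to use instead. If `InsecureContextConfig` is meant to remain usable, the comment could read `DEPRECATED: Use InsecureContextConfig instead.` If the configuration is meant to be internal, saying that in the comment would explain why no replacement is offered. Because this module models which TLS protocol versions a context allows, a downstream query that keeps using the old name should get a clear migration hint rather than silently breaking when the alias is removed.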


@@ -63,7 +63,7 @@ private module TarSlipImprovConfig implements DataFlow::ConfigSig {
// For a call to `file.extractall` without `members` argument, `file` is considered a sink.
exists(MethodCallNode call, AllTarfileOpens atfo |
call = atfo.getReturn().getMember("extractall").getACall() and
not exists(Node arg | arg = call.getArgByName("members")) and
not exists(call.getArgByName("members")) and
sink = call.getObject()
)
or
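Review bot: The simplified guard `not exists(call.getArgByName("members"))` still looks only for a keyword argument, so a call that passes `members` positionally, as in `tar.extractall(path, safe_members)`, appears to fall into this "no `members` argument" branch. The tar object would then be reported as a sink even though the member list was filtered. If that is not intended, the condition could also exclude the positional slot, e.g. `not exists(call.getArg(1)) and`, or the comment above could state that only keyword `members` is recognised. The predicate continues after the `or` outside this hunk, so a later disjunct may already handle the positional form.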