Python: Use DefinitionNode instead of Assign

Based on https://github.com/github/codeql/pull/6155#discussion_r660964666: > Hmm... Would it be better to do this using DefinitionNode instead of > Assign? The latter is fairly limited in what it can represent, and also > raises questions of whether this definition is sound with regard to > control-flow splitting.
2026-04-30 11:15:13 +02:00 · 2021-06-30 12:07:56 +02:00
parent 94bcda3bae
commit e5d65992b4
2 changed files with 18 additions and 18 deletions
--- a/python/ql/src/semmle/python/frameworks/Aiohttp.qll
+++ b/python/ql/src/semmle/python/frameworks/Aiohttp.qll
@@ -645,16 +645,14 @@ module AiohttpWebModel {
    DataFlow::Node value;

    AiohttpResponseCookieSubscriptWrite() {
-      exists(Assign assign, Subscript subscript |
-        // Since there is no `DataFlow::Node` for the assign (since it's a statement,
-        // and not an expression) there doesn't seem to be any _good_ choice for `this`,
-        // so just picking the whole subscript...
-        this.asExpr() = subscript
+      exists(SubscriptNode subscript |
+        // To give `this` a value, we need to choose between either LHS or RHS,
+        // and just go with the LHS
+        this.asCfgNode() = subscript
      |
-        assign.getATarget() = subscript and
-        subscript.getObject() = aiohttpResponseInstance().getMember("cookies").getAUse().asExpr() and
-        index.asExpr() = subscript.getIndex() and
-        value.asExpr() = assign.getValue()
+        subscript.getObject() = aiohttpResponseInstance().getMember("cookies").getAUse().asCfgNode() and
+        value.asCfgNode() = subscript.(DefinitionNode).getValue() and
+        index.asCfgNode() = subscript.getIndex()
      )
    }

--- a/python/ql/src/semmle/python/frameworks/Django.qll
+++ b/python/ql/src/semmle/python/frameworks/Django.qll
@@ -1412,18 +1412,20 @@ private module PrivateDjango {
          DataFlow::Node value;

          DjangoResponseCookieSubscriptWrite() {
-            exists(Assign assign, Subscript subscript, DataFlow::AttrRead cookieLookup |
-              // Since there is no `DataFlow::Node` for the assign (since it's a statement,
-              // and not an expression) there doesn't seem to be any _good_ choice for `this`,
-              // so just picking the whole subscript...
-              this.asExpr() = subscript
+            exists(SubscriptNode subscript, DataFlow::AttrRead cookieLookup |
+              // To give `this` a value, we need to choose between either LHS or RHS,
+              // and just go with the LHS
+              this.asCfgNode() = subscript
            |
              cookieLookup.getAttributeName() = "cookies" and
              cookieLookup.getObject() = django::http::response::HttpResponse::instance() and
-              assign.getATarget() = subscript and
-              cookieLookup.flowsTo(DataFlow::exprNode(subscript.getObject())) and
-              index.asExpr() = subscript.getIndex() and
-              value.asExpr() = assign.getValue()
+              exists(DataFlow::Node subscriptObj |
+                subscriptObj.asCfgNode() = subscript.getObject()
+              |
+                cookieLookup.flowsTo(subscriptObj)
+              ) and
+              value.asCfgNode() = subscript.(DefinitionNode).getValue() and
+              index.asCfgNode() = subscript.getIndex()
            )
          }