Apply suggestions from code review

Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
2025-12-17 01:03:14 +01:00 · 2020-10-21 15:08:16 +02:00
parent 53ff1a32c1
commit ee5221abb4
2 changed files with 6 additions and 5 deletions
--- a/python/ql/src/experimental/semmle/python/frameworks/Django.qll
+++ b/python/ql/src/experimental/semmle/python/frameworks/Django.qll
@@ -280,19 +280,19 @@ private module Django {
            DataFlow::Node classRef() { result = classRef(DataFlow::TypeTracker::end()) }

            /** Gets an instance of the `django.db.models.expressions.RawSQL` class. */
-            private DataFlow::Node classInstance(DataFlow::TypeTracker t, ControlFlowNode sql) {
+            private DataFlow::Node instance(DataFlow::TypeTracker t, ControlFlowNode sql) {
              t.start() and
              exists(CallNode c | result.asCfgNode() = c |
                c.getFunction() = classRef().asCfgNode() and
                c.getArg(0) = sql
              )
              or
-              exists(DataFlow::TypeTracker t2 | result = classInstance(t2, sql).track(t2, t))
+              exists(DataFlow::TypeTracker t2 | result = instance(t2, sql).track(t2, t))
            }

            /** Gets an instance of the `django.db.models.expressions.RawSQL` class. */
-            DataFlow::Node classInstance(ControlFlowNode sql) {
-              result = classInstance(DataFlow::TypeTracker::end(), sql)
+            DataFlow::Node instance(ControlFlowNode sql) {
+              result = instance(DataFlow::TypeTracker::end(), sql)
            }
          }
        }
@@ -327,7 +327,7 @@ private module Django {

      ObjectsAnnotate() {
        node.getFunction() = django::db::models::objects_attr("annotate").asCfgNode() and
-        django::db::models::expressions::RawSQL::classInstance(sql).asCfgNode() in [node.getArg(_),
+        django::db::models::expressions::RawSQL::instance(sql).asCfgNode() in [node.getArg(_),
              node.getArgByName(_)]
      }

--- a/python/ql/test/experimental/library-tests/frameworks/django/SqlExecution.py
+++ b/python/ql/test/experimental/library-tests/frameworks/django/SqlExecution.py
@@ -20,6 +20,7 @@ class User(models.Model):
 def test_model():
    User.objects.raw("some sql")  # $getSql="some sql"
    User.objects.annotate(RawSQL("some sql"))  # $getSql="some sql"
+    User.objects.annotate(RawSQL("foo"), RawSQL("bar"))  # $getSql="foo" $getSql="bar"
    User.objects.annotate(val=RawSQL("some sql"))  # $getSql="some sql"
    User.objects.extra("some sql")  # $getSql="some sql"
    User.objects.extra(select="select", where="where", tables="tables", order_by="order_by")  # $getSql="select" $getSql="where" $getSql="tables" $getSql="order_by"