Python points-to. Move extension to prevent points-to being recomputed.

2025-12-18 01:33:15 +01:00 · 2019-05-31 14:19:52 +01:00
parent f311c2013e
commit f6cc0be4a4
4 changed files with 42 additions and 36 deletions
--- a/python/ql/src/semmle/python/types/Extensions.qll
+++ b/python/ql/src/semmle/python/types/Extensions.qll
@@ -14,6 +14,7 @@ private import semmle.python.pointsto.PointsTo
 private import semmle.python.pointsto.PointsToContext
 private import semmle.python.objects.TObject
 private import semmle.python.objects.ObjectInternal
+private import semmle.python.web.HttpConstants

 abstract class PointsToExtension extends @py_flow_node {

@@ -96,6 +97,33 @@ class RangeIterationVariableFact extends PointsToExtension {

 }

+/* bottle module route constants */
+
+class BottleRoutePointToExtension extends PointsToExtension {
+
+    string name;
+
+    BottleRoutePointToExtension() {
+        exists(DefinitionNode defn |
+            defn.getScope().(Module).getName() = "bottle" and
+            this = defn.getValue() and
+            name = defn.(NameNode).getId()
+            |
+            name = "route" or
+            name = httpVerbLower()
+        )
+    }
+
+    override predicate pointsTo(Context context, ObjectInternal value, ControlFlowNode origin) {
+        context.isImport() and
+        exists(CfgOrigin orig |
+            Module::named("bottle").attr("Bottle").(ClassObjectInternal).attribute(name, value, orig) and
+            origin = orig.asCfgNodeOrHere(this)
+        )
+    }
+
+}
+
 /* Python 3.6+ regex module constants */

 class ReModulePointToExtension extends PointsToExtension {
--- a/python/ql/src/semmle/python/web/Http.qll
+++ b/python/ql/src/semmle/python/web/Http.qll
@@ -1,25 +1,13 @@
 import python
 import semmle.python.security.TaintTracking
 import semmle.python.security.strings.External
+import HttpConstants

 /** Generic taint source from a http request */
 abstract class HttpRequestTaintSource extends TaintSource {

 }

-/** Gets an http verb */
-string httpVerb() {
-    result = "GET" or result = "POST" or
-    result = "PUT" or result = "PATCH" or
-    result = "DELETE" or result = "OPTIONS" or
-    result = "HEAD"
-}
-
-/** Gets an http verb, in lower case */
-string httpVerbLower() {
-    result = httpVerb().toLowerCase()
-}
-
 /** Taint kind representing the WSGI environment.
 * As specified in PEP 3333. https://www.python.org/dev/peps/pep-3333/#environ-variables
 */
--- a/python/ql/src/semmle/python/web/HttpConstants.qll
+++ b/python/ql/src/semmle/python/web/HttpConstants.qll
@@ -0,0 +1,13 @@
+
+/** Gets an http verb */
+string httpVerb() {
+    result = "GET" or result = "POST" or
+    result = "PUT" or result = "PATCH" or
+    result = "DELETE" or result = "OPTIONS" or
+    result = "HEAD"
+}
+
+/** Gets an http verb, in lower case */
+string httpVerbLower() {
+    result = httpVerb().toLowerCase()
+}
--- a/python/ql/src/semmle/python/web/bottle/General.qll
+++ b/python/ql/src/semmle/python/web/bottle/General.qll
@@ -54,26 +54,3 @@ class BottleRoute extends ControlFlowNode {
 }


-/* bottle module route constants */
-
-class BottleRoutePointToExtension extends CustomPointsToFact {
-
-    string name;
-
-    BottleRoutePointToExtension() {
-        exists(DefinitionNode defn |
-            defn.getScope().(Module).getName() = "bottle" and
-            this = defn.getValue() and
-            name = defn.(NameNode).getId()
-            |
-            name = "route" or
-            name = httpVerbLower()
-        )
-    }
-
-    override predicate pointsTo(Context context, Object value, ClassObject cls, ControlFlowNode origin) {
-        context.isImport() and
-        ModuleObject::named("bottle").attr("Bottle").(ClassObject).attributeRefersTo(name, value, cls, origin)
-    }
-}
-