mirror of
https://github.com/github/codeql.git
synced 2026-06-05 21:47:10 +02:00
a13dfaa44f
Preparatory refactor for the shared-CFG dataflow migration. Deprecates the AstNode.getAFlowNode() cached predicate on the public Python QL API and rewrites all ~140 internal callers across lib/, src/, test/, and tools/ from `expr.getAFlowNode() = cfgNode` to `cfgNode.getNode() = expr`, using ControlFlowNode.getNode() which already exists in Flow.qll. The predicate itself is preserved (with a deprecation note pointing at the new pattern) so external users do not experience churn — they can migrate at their own pace and the AST/CFG hierarchies still get the intended untangling once the deprecation eventually elapses. Semantic noop verified by: - All 361 lib/ + src/ queries compile clean. - All 122 ControlFlow + PointsTo library-tests pass. - All 64 dataflow library-tests pass. - All 113 Variables/Exceptions/Expressions/Statements/Functions/Imports/ Security/CWE-798/ModificationOfParameterWithDefault query-tests pass. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
80 lines
2.7 KiB
Plaintext
80 lines
2.7 KiB
Plaintext
/**
|
|
* Provides classes modeling security-relevant aspects of the `Flask-Admin` PyPI package
|
|
* (imported as `flask_admin`).
|
|
*
|
|
* See
|
|
* - https://flask-admin.readthedocs.io/en/latest/
|
|
* - https://pypi.org/project/Flask-Admin/
|
|
*/
|
|
|
|
private import python
|
|
private import semmle.python.dataflow.new.DataFlow
|
|
private import semmle.python.dataflow.new.RemoteFlowSources
|
|
private import semmle.python.dataflow.new.TaintTracking
|
|
private import semmle.python.Concepts
|
|
private import semmle.python.frameworks.Flask
|
|
private import semmle.python.ApiGraphs
|
|
|
|
/**
|
|
* Provides models for the `Flask-Admin` PyPI package (imported as `flask_admin`).
|
|
*
|
|
* See
|
|
* - https://flask-admin.readthedocs.io/en/latest/
|
|
* - https://pypi.org/project/Flask-Admin/
|
|
*/
|
|
private module FlaskAdmin {
|
|
/**
|
|
* A call to `flask_admin.expose`, which is used as a decorator to make the
|
|
* function exposed in the admin interface (and make it a request handler)
|
|
*
|
|
* See https://flask-admin.readthedocs.io/en/latest/api/mod_base/#flask_admin.base.expose
|
|
*/
|
|
private class FlaskAdminExposeCall extends Flask::FlaskRouteSetup, DataFlow::CallCfgNode {
|
|
FlaskAdminExposeCall() {
|
|
this = API::moduleImport("flask_admin").getMember("expose").getACall()
|
|
}
|
|
|
|
override DataFlow::Node getUrlPatternArg() {
|
|
result in [this.getArg(0), this.getArgByName("url")]
|
|
}
|
|
|
|
override Function getARequestHandler() { node.getNode() = result.getADecorator() }
|
|
}
|
|
|
|
/**
|
|
* A call to `flask_admin.expose_plugview`, which is used as a decorator to make the
|
|
* class (which we expect to be a flask View class) exposed in the admin interface.
|
|
*
|
|
* See https://flask-admin.readthedocs.io/en/latest/api/mod_base/#flask_admin.base.expose_plugview
|
|
*/
|
|
private class FlaskAdminExposePlugviewCall extends Flask::FlaskRouteSetup, DataFlow::CallCfgNode {
|
|
FlaskAdminExposePlugviewCall() {
|
|
this = API::moduleImport("flask_admin").getMember("expose_plugview").getACall()
|
|
}
|
|
|
|
override DataFlow::Node getUrlPatternArg() {
|
|
result in [this.getArg(0), this.getArgByName("url")]
|
|
}
|
|
|
|
override Parameter getARoutedParameter() {
|
|
result = super.getARoutedParameter() and
|
|
(
|
|
exists(this.getUrlPattern())
|
|
or
|
|
// the first argument is `self`, and the second argument `cls` will receive the
|
|
// containing flask_admin View class -- this is only relevant if the URL pattern
|
|
// is not known
|
|
not exists(this.getUrlPattern()) and
|
|
not result = this.getARequestHandler().getArg([0, 1])
|
|
)
|
|
}
|
|
|
|
override Function getARequestHandler() {
|
|
exists(Flask::FlaskViewClass cls |
|
|
node.getNode() = cls.getADecorator() and
|
|
result = cls.getARequestHandler()
|
|
)
|
|
}
|
|
}
|
|
}
|