Python: Update queries to be compatible with the new dependencies.

Author: michaelnebel

python/lib/ghsl/DefaultPasswordDB.qll

@@ -1,43 +1,38 @@
 private import python
 
 // password = db.Column(..., server_default=...)
-
 class DBColumn extends Call {
-    CallNode call;
-    string name;
-    ControlFlowNode object;
-    Name var;
-    string id;
+  CallNode call;
+  string name;
+  ControlFlowNode object;
+  Name var;
+  string id;
 
-    DBColumn() {
-        call.getFunction().(AttrNode).getObject(name) = object
-        and name = "Column"
-        and call = this.getAFlowNode()
-        and object.getNode() = var.getVariable().getAnAccess()
-        and var.getId() = id
-    }
+  DBColumn() {
+    call.getFunction().(AttrNode).getObject(name) = object and
+    name = "Column" and
+    call = this.getAFlowNode() and
+    object.getNode() = var.getVariable().getAnAccess() and
+    var.getId() = id
+  }
 
-    string getDbId() {
-        result = id
-    }
+  string getDbId() { result = id }
 
-    predicate hasStaticDefault() {
-        exists(DictItem arg |
-            arg = call.getNode().getANamedArg()
-            and arg.(Keyword).getArg() in ["server_default", "default"]
-            and arg.(Keyword).getValue() instanceof ImmutableLiteral
-        )
-    }
+  predicate hasStaticDefault() {
+    exists(DictItem arg |
+      arg = call.getNode().getANamedArg() and
+      arg.(Keyword).getArg() in ["server_default", "default"] and
+      arg.(Keyword).getValue() instanceof ImmutableLiteral
+    )
+  }
 
-    string assignedToVariable() {
-        exists(AssignStmt assign, Variable v|
-            assign.defines(v)
-            and v.getId() = result
-            and assign.getValue() = this
-        )
-    }
+  string assignedToVariable() {
+    exists(AssignStmt assign, Variable v |
+      assign.defines(v) and
+      v.getId() = result and
+      assign.getValue() = this
+    )
+  }
 
-    string getColumnName() {
-        result = call.getNode().getArg(0).(StrConst).getText()
-    }
+  string getColumnName() { result = call.getNode().getArg(0).(StringLiteral).getText() }
 }

python/lib/ghsl/HardcodedSecretSinks.qll

@@ -5,7 +5,6 @@ private import semmle.python.Concepts
 private import semmle.python.dataflow.new.RemoteFlowSources
 private import semmle.python.dataflow.new.BarrierGuards
 private import semmle.python.ApiGraphs
-private import DataFlow::PathGraph
 private import semmle.python.frameworks.Flask
 
 abstract class CredentialSink extends DataFlow::Node { }
@@ -14,7 +13,7 @@ Expr getDictValueByKey(Dict dict, string key) {
   exists(KeyValuePair item |
     // d = {KEY: VALUE}
     item = dict.getAnItem() and
-    key = item.getKey().(StrConst).getS() and
+    key = item.getKey().(StringLiteral).getS() and
     result = item.getValue()
   )
 }
@@ -25,7 +24,7 @@ Expr getAssignStmtByKey(AssignStmt assign, string key) {
     sub = assign.getASubExpression() and
     // Make sure the keys match
     // TODO: What happens if this value itself is not static?
-    key = sub.getASubExpression().(StrConst).getS() and
+    key = sub.getASubExpression().(StringLiteral).getS() and
     // TODO: Only supports static strings, resolve the value??
     // result = assign.getASubExpression().(StrConst)
     result = sub.getValue()

python/lib/ghsl/InsecurelyStoredPassword.qll

@@ -5,6 +5,7 @@ private import semmle.python.ApiGraphs
 private import semmle.python.dataflow.new.RemoteFlowSources
 private import semmle.python.pointsto.CallGraph
 
+//private import InsecureHash::PathGraph
 class User extends ClassDef {
   Class class_;
   string name;
@@ -57,16 +58,16 @@ class User extends ClassDef {
 
   predicate hasSecureInit() {
     this.hasInit() and
-    not exists(InsecureHashTrackingConfiguration conf, DataFlow::Node source, DataFlow::Node sink |
+    not exists(DataFlow::Node source, DataFlow::Node sink |
       this.inInit(sink) and
       this.isPasswordArg(source) and
-      conf.hasFlow(source, sink)
+      InsecureHashTaint::flow(source, sink)
     )
   }
 
   predicate usedSecurely() {
-    not exists(InsecureTaintTrackingConfiguration conf, DataFlow::Node source, DataFlow::Node sink |
-      conf.hasFlow(source, sink) and
+    not exists(DataFlow::Node source, DataFlow::Node sink |
+      InsecurelyStoredPasswordTaint::flow(source, sink) and
       sink.(PasswordArg).getUser() = this
     )
   }
@@ -78,15 +79,13 @@ class User extends ClassDef {
   }
 }
 
-class InsecureTaintTrackingConfiguration extends TaintTracking::Configuration {
+module InsecurelyStoredPasswordTaintConfig implements DataFlow::ConfigSig {
   // is the password used in the init of the User protected by a secure hash?
-  InsecureTaintTrackingConfiguration() { this = "InsecureTaintTrackingConfiguration" }
+  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSink(DataFlow::Node sink) { sink instanceof PasswordArg }
 
-  override predicate isSink(DataFlow::Node sink) { sink instanceof PasswordArg }
-
-  override predicate isAdditionalTaintStep(DataFlow::Node a, DataFlow::Node b) {
+  predicate isAdditionalFlowStep(DataFlow::Node a, DataFlow::Node b) {
     // from a dict key to the dict, if the key is "password"
     exists(Dict dict, KeyValuePair pair |
       dict.getAnItem() = pair and
@@ -96,25 +95,25 @@ class InsecureTaintTrackingConfiguration extends TaintTracking::Configuration {
     )
   }
 
-  override predicate isSanitizer(DataFlow::Node node) { node instanceof HashSanitizer }
+  predicate isBarrier(DataFlow::Node node) { node instanceof HashSanitizer }
 }
 
-class InsecureHashTrackingConfiguration extends TaintTracking::Configuration {
-  User user;
-
-  // does the body of the init of the User hash the password?
-  InsecureHashTrackingConfiguration() { this = "InsecureHashTrackingConfiguration" }
+module InsecurelyStoredPasswordTaint = TaintTracking::Global<InsecurelyStoredPasswordTaintConfig>;
 
-  override predicate isSource(DataFlow::Node source) { user.isPasswordArg(source) }
+// does the body of the init of the User hash the password?
+module InsecureHashTaintConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { any(User x).isPasswordArg(source) }
 
-  override predicate isSink(DataFlow::Node sink) {
-    user.passwordAssignedFrom(sink) and
+  predicate isSink(DataFlow::Node sink) {
+    any(User x).passwordAssignedFrom(sink) and
     not sink instanceof HashSanitizer
   }
 
-  override predicate isSanitizer(DataFlow::Node node) { node instanceof HashSanitizer }
+  predicate isBarrier(DataFlow::Node node) { node instanceof HashSanitizer }
 }
 
+module InsecureHashTaint = TaintTracking::Global<InsecureHashTaintConfig>;
+
 // assigment to self.password
 class SelfPasswordAttribute extends DataFlow::Node {
   Variable self;
@@ -204,8 +203,8 @@ private import semmle.python.dataflow.new.internal.DataFlowDispatch as DataFlowD
 
 /** Holds if the `call` is a call to the function `target`. */
 private predicate resolveCall(CallNode call, Function target) {
-    // TODO: This should be exposed better from the standard library API
-    DataFlowDispatch::resolveCall(call, target, _)
+  // TODO: This should be exposed better from the standard library API
+  DataFlowDispatch::resolveCall(call, target, _)
 }
 
 /**
@@ -219,9 +218,9 @@ private predicate resolveCall(CallNode call, Function target) {
 class HashSanitizerWrapperFunction extends HashSanitizer {
   HashSanitizerWrapperFunction() {
     exists(CallNode hashCall, Function hashWrapper |
-        hashWrapper.contains(any(HashSanitizerConcrete hsc).asExpr()) and
-        resolveCall(hashCall, hashWrapper) and
-        this.asCfgNode() = hashCall.getArg(0)
+      hashWrapper.contains(any(HashSanitizerConcrete hsc).asExpr()) and
+      resolveCall(hashCall, hashWrapper) and
+      this.asCfgNode() = hashCall.getArg(0)
     )
   }
 }

python/lib/ghsl/LocalSources.qll

@@ -7,7 +7,6 @@ module LocalSources {
   private import semmle.python.Concepts
   private import semmle.python.dataflow.new.BarrierGuards
   private import semmle.python.ApiGraphs
-  private import DataFlow::PathGraph
 
   abstract class Range extends DataFlow::Node { }
 
@@ -95,18 +94,26 @@ module LocalSources {
           call = API::moduleImport(["json", "simplejson"]).getMember("load").getACall()
           or
           // yaml.load
-          call = API::moduleImport("yaml").getMember(["load", "load_all", "safe_load", "safe_load_all"]).getACall()
+          call =
+            API::moduleImport("yaml")
+                .getMember(["load", "load_all", "safe_load", "safe_load_all"])
+                .getACall()
           or
           // msgpack.load
           call = API::moduleImport("msgpack").getMember("load").getACall()
           or
           // pickle.load
           // dill.load
-          call = API::moduleImport(["cPickle", "_pickle", "pickle", "dill"]).getMember("load").getACall()
+          call =
+            API::moduleImport(["cPickle", "_pickle", "pickle", "dill"]).getMember("load").getACall()
           or
           // pickle.Unpickler.load
           // dill.Unpickler.load
-          call = API::moduleImport(["cPickle", "pickle", "dill"]).getMember("Unpickler").getACall().getAMethodCall("load")
+          call =
+            API::moduleImport(["cPickle", "pickle", "dill"])
+                .getMember("Unpickler")
+                .getACall()
+                .getAMethodCall("load")
           or
           // shelve.open
           call = API::moduleImport("shelve").getMember("open").getACall()
@@ -137,45 +144,57 @@ module LocalSources {
           // pandas.read_gbq
           // pandas.read_stata
           // generate call expressions for each of the above pandas functions including ExcelFile.parse and HDFStore.* that have to be handled separately
-          call = API::moduleImport("pandas")
-                  .getMember([
-                      "read_csv", "read_fwf", "read_excel", "read_json", "read_html", "read_xml",
-                      "read_hdf", "read_feather", "read_parquet", "read_orc", "read_sas", "read_spss", "read_sql_table",
-                      "read_sql_query", "read_sql", "read_gbq", "read_stata"
-                    ])
-                  .getACall()
+          call =
+            API::moduleImport("pandas")
+                .getMember([
+                    "read_csv", "read_fwf", "read_excel", "read_json", "read_html", "read_xml",
+                    "read_hdf", "read_feather", "read_parquet", "read_orc", "read_sas", "read_spss",
+                    "read_sql_table", "read_sql_query", "read_sql", "read_gbq", "read_stata"
+                  ])
+                .getACall()
           or
           // pandas.ExcelFile.parse
-          call = API::moduleImport("pandas")
-                  .getMember("ExcelFile")
-                  .getACall()
-                  .getAMethodCall("parse")
+          call =
+            API::moduleImport("pandas").getMember("ExcelFile").getACall().getAMethodCall("parse")
           or
           // pandas.HDFStore.get
           // pandas.HDFStore.select
           // pandas.HDFStore.info
           // pandas.HDFStore.keys
           // pandas.HDFStore.groups
           // pandas.HDFStore.walk
-          call = API::moduleImport("pandas")
-                  .getMember("HDFStore")
-                  .getACall()
-                  .getAMethodCall(["get", "select", "info", "keys", "groups", "walk"])
+          call =
+            API::moduleImport("pandas")
+                .getMember("HDFStore")
+                .getACall()
+                .getAMethodCall(["get", "select", "info", "keys", "groups", "walk"])
           or
           // polars.read_csv
-          call = API::moduleImport("polars").getMember(["read_csv", "read_csv_batched", "scan_csv"]).getACall()
+          call =
+            API::moduleImport("polars")
+                .getMember(["read_csv", "read_csv_batched", "scan_csv"])
+                .getACall()
           or
           // polars.read_ipc
-          call = API::moduleImport("polars").getMember(["read_ipc", "scan_ipc", "read_ipc_schema"]).getACall()
+          call =
+            API::moduleImport("polars")
+                .getMember(["read_ipc", "scan_ipc", "read_ipc_schema"])
+                .getACall()
           or
           // polars.read_parquet, polars.scan_parquet, polars.read_parquet_schema
-          call = API::moduleImport("polars").getMember(["read_parquet", "scan_parquet", "read_parquet_schema"]).getACall()
+          call =
+            API::moduleImport("polars")
+                .getMember(["read_parquet", "scan_parquet", "read_parquet_schema"])
+                .getACall()
           or
           // polars.read_sql
           call = API::moduleImport("polars").getMember("read_sql").getACall()
           or
           // polars.read_json, polars.read_ndjson, polars.scan_ndjson
-          call = API::moduleImport("polars").getMember(["read_json", "read_ndjson", "scan_ndjson"]).getACall()
+          call =
+            API::moduleImport("polars")
+                .getMember(["read_json", "read_ndjson", "scan_ndjson"])
+                .getACall()
           or
           // polars.read_avro
           call = API::moduleImport("polars").getMember("read_avro").getACall()
@@ -186,24 +205,37 @@ module LocalSources {
           // pyarrow.csv.read_csv
           // pyarrow.csv.open_csv
           // pyarrow.csv.CSVStreamingReader
-          call = API::moduleImport("pyarrow").getMember("csv").getMember(["read_csv", "open_csv", "CSVStreamingReader"]).getACall()
+          call =
+            API::moduleImport("pyarrow")
+                .getMember("csv")
+                .getMember(["read_csv", "open_csv", "CSVStreamingReader"])
+                .getACall()
           or
           // pyarrow.feather.read_feather
           // pyarrow.feather.read_table
-          call = API::moduleImport("pyarrow").getMember("feather").getMember(["read_feather", "read_table"]).getACall()
+          call =
+            API::moduleImport("pyarrow")
+                .getMember("feather")
+                .getMember(["read_feather", "read_table"])
+                .getACall()
           or
           // pyarrow.json.read_json
           call = API::moduleImport("pyarrow").getMember("json").getMember("read_json").getACall()
+          or
           // pyarrow.parquet.ParquetDataset
           // pyarrow.parquet.ParquetFile
           // pyarrow.parquet.read_table
           // pyarrow.parquet.read_metadata
           // pyarrow.parquet.read_pandas
           // pyarrow.parquet.read_schema
-          or
-          call = API::moduleImport("pyarrow").getMember("parquet").getMember([
-              "ParquetDataset", "ParquetFile", "read_table", "read_metadata", "read_pandas", "read_schema"
-            ]).getACall()
+          call =
+            API::moduleImport("pyarrow")
+                .getMember("parquet")
+                .getMember([
+                    "ParquetDataset", "ParquetFile", "read_table", "read_metadata", "read_pandas",
+                    "read_schema"
+                  ])
+                .getACall()
         ) and
         this = call
       ) and