Python: getAValueReachingRhs -> getAValueReachingSink

asgerf · asgerf · commit 3a669a8d213e · 2022-06-21T12:44:06.000+02:00
diff --git a/python/ql/lib/semmle/python/ApiGraphs.qll b/python/ql/lib/semmle/python/ApiGraphs.qll
@@ -134,7 +134,7 @@ module API {
      * Gets a data-flow node that may interprocedurally flow to the right-hand side of a definition
      * of the API component represented by this node.
      */
-    DataFlow::Node getAValueReachingRhs() { result = Impl::trackDefNode(this.asSink()) }
+    DataFlow::Node getAValueReachingSink() { result = Impl::trackDefNode(this.asSink()) }
 
     /**
      * Gets an immediate use of the API component represented by this node.
diff --git a/python/ql/lib/semmle/python/frameworks/Aiohttp.qll b/python/ql/lib/semmle/python/frameworks/Aiohttp.qll
@@ -685,8 +685,8 @@ private module AiohttpClientModel {
         DataFlow::Node disablingNode, DataFlow::Node argumentOrigin
       ) {
         exists(API::Node param | param = this.getKeywordParameter(["ssl", "verify_ssl"]) |
-          disablingNode = param.getARhs() and
-          argumentOrigin = param.getAValueReachingRhs() and
+          disablingNode = param.asSink() and
+          argumentOrigin = param.getAValueReachingSink() and
           // aiohttp.client treats `None` as the default and all other "falsey" values as `False`.
           argumentOrigin.asExpr().(ImmutableLiteral).booleanValue() = false and
           not argumentOrigin.asExpr() instanceof None
diff --git a/python/ql/lib/semmle/python/frameworks/Httpx.qll b/python/ql/lib/semmle/python/frameworks/Httpx.qll
@@ -44,8 +44,8 @@ private module HttpxModel {
     override predicate disablesCertificateValidation(
       DataFlow::Node disablingNode, DataFlow::Node argumentOrigin
     ) {
-      disablingNode = this.getKeywordParameter("verify").getARhs() and
-      argumentOrigin = this.getKeywordParameter("verify").getAValueReachingRhs() and
+      disablingNode = this.getKeywordParameter("verify").asSink() and
+      argumentOrigin = this.getKeywordParameter("verify").getAValueReachingSink() and
       // unlike `requests`, httpx treats `None` as turning off verify (and not as the default)
       argumentOrigin.asExpr().(ImmutableLiteral).booleanValue() = false
       // TODO: Handling of insecure SSLContext passed to verify argument
@@ -89,8 +89,8 @@ private module HttpxModel {
           constructor = classRef().getACall() and
           this = constructor.getReturn().getMember(methodName).getACall()
         |
-          disablingNode = constructor.getKeywordParameter("verify").getARhs() and
-          argumentOrigin = constructor.getKeywordParameter("verify").getAValueReachingRhs() and
+          disablingNode = constructor.getKeywordParameter("verify").asSink() and
+          argumentOrigin = constructor.getKeywordParameter("verify").getAValueReachingSink() and
           // unlike `requests`, httpx treats `None` as turning off verify (and not as the default)
           argumentOrigin.asExpr().(ImmutableLiteral).booleanValue() = false
           // TODO: Handling of insecure SSLContext passed to verify argument
diff --git a/python/ql/lib/semmle/python/frameworks/Lxml.qll b/python/ql/lib/semmle/python/frameworks/Lxml.qll
@@ -141,17 +141,18 @@ private module Lxml {
           // resolve_entities has default True
           not exists(this.getArgByName("resolve_entities"))
           or
-          this.getKeywordParameter("resolve_entities").getAValueReachingRhs().asExpr() = any(True t)
+          this.getKeywordParameter("resolve_entities").getAValueReachingSink().asExpr() =
+            any(True t)
         )
         or
         kind.isXmlBomb() and
-        this.getKeywordParameter("huge_tree").getAValueReachingRhs().asExpr() = any(True t) and
-        not this.getKeywordParameter("resolve_entities").getAValueReachingRhs().asExpr() =
+        this.getKeywordParameter("huge_tree").getAValueReachingSink().asExpr() = any(True t) and
+        not this.getKeywordParameter("resolve_entities").getAValueReachingSink().asExpr() =
           any(False t)
         or
         kind.isDtdRetrieval() and
-        this.getKeywordParameter("load_dtd").getAValueReachingRhs().asExpr() = any(True t) and
-        this.getKeywordParameter("no_network").getAValueReachingRhs().asExpr() = any(False t)
+        this.getKeywordParameter("load_dtd").getAValueReachingSink().asExpr() = any(True t) and
+        this.getKeywordParameter("no_network").getAValueReachingSink().asExpr() = any(False t)
       }
     }
 
@@ -318,11 +319,11 @@ private module Lxml {
       kind.isXxe()
       or
       kind.isXmlBomb() and
-      this.getKeywordParameter("huge_tree").getAValueReachingRhs().asExpr() = any(True t)
+      this.getKeywordParameter("huge_tree").getAValueReachingSink().asExpr() = any(True t)
       or
       kind.isDtdRetrieval() and
-      this.getKeywordParameter("load_dtd").getAValueReachingRhs().asExpr() = any(True t) and
-      this.getKeywordParameter("no_network").getAValueReachingRhs().asExpr() = any(False t)
+      this.getKeywordParameter("load_dtd").getAValueReachingSink().asExpr() = any(True t) and
+      this.getKeywordParameter("no_network").getAValueReachingSink().asExpr() = any(False t)
     }
 
     override predicate mayExecuteInput() { none() }
diff --git a/python/ql/lib/semmle/python/frameworks/Requests.qll b/python/ql/lib/semmle/python/frameworks/Requests.qll
@@ -62,7 +62,7 @@ private module Requests {
       DataFlow::Node disablingNode, DataFlow::Node argumentOrigin
     ) {
       disablingNode = this.getKeywordParameter("verify").asSink() and
-      argumentOrigin = this.getKeywordParameter("verify").getAValueReachingRhs() and
+      argumentOrigin = this.getKeywordParameter("verify").getAValueReachingSink() and
       // requests treats `None` as the default and all other "falsey" values as `False`.
       argumentOrigin.asExpr().(ImmutableLiteral).booleanValue() = false and
       not argumentOrigin.asExpr() instanceof None
diff --git a/python/ql/lib/semmle/python/frameworks/Stdlib.qll b/python/ql/lib/semmle/python/frameworks/Stdlib.qll
@@ -2657,7 +2657,7 @@ private module StdlibPrivate {
   /** Gets a call to `hashlib.new` with `algorithmName` as the first argument. */
   private API::CallNode hashlibNewCall(string algorithmName) {
     algorithmName =
-      result.getParameter(0, "name").getAValueReachingRhs().asExpr().(StrConst).getText() and
+      result.getParameter(0, "name").getAValueReachingSink().asExpr().(StrConst).getText() and
     result = API::moduleImport("hashlib").getMember("new").getACall()
   }
 
@@ -3443,7 +3443,7 @@ private module StdlibPrivate {
             .getMember("handler")
             .getMember("feature_external_ges")
             .getAValueReachableFromSource() and
-      call.getStateArg().getAValueReachingRhs().asExpr().(BooleanLiteral).booleanValue() = true and
+      call.getStateArg().getAValueReachingSink().asExpr().(BooleanLiteral).booleanValue() = true and
       result = call.getObject()
     )
     or
@@ -3459,7 +3459,7 @@ private module StdlibPrivate {
             .getMember("handler")
             .getMember("feature_external_ges")
             .getAValueReachableFromSource() and
-      call.getStateArg().getAValueReachingRhs().asExpr().(BooleanLiteral).booleanValue() = false
+      call.getStateArg().getAValueReachingSink().asExpr().(BooleanLiteral).booleanValue() = false
     )
   }
 
diff --git a/python/ql/lib/semmle/python/frameworks/Urllib3.qll b/python/ql/lib/semmle/python/frameworks/Urllib3.qll
@@ -71,14 +71,15 @@ private module Urllib3 {
         |
           // cert_reqs
           // see https://urllib3.readthedocs.io/en/stable/user-guide.html?highlight=cert_reqs#certificate-verification
-          disablingNode = constructor.getKeywordParameter("cert_reqs").getARhs() and
-          argumentOrigin = constructor.getKeywordParameter("cert_reqs").getAValueReachingRhs() and
+          disablingNode = constructor.getKeywordParameter("cert_reqs").asSink() and
+          argumentOrigin = constructor.getKeywordParameter("cert_reqs").getAValueReachingSink() and
           argumentOrigin.asExpr().(StrConst).getText() = "CERT_NONE"
           or
           // assert_hostname
           // see https://urllib3.readthedocs.io/en/stable/reference/urllib3.connectionpool.html?highlight=assert_hostname#urllib3.HTTPSConnectionPool
-          disablingNode = constructor.getKeywordParameter("assert_hostname").getARhs() and
-          argumentOrigin = constructor.getKeywordParameter("assert_hostname").getAValueReachingRhs() and
+          disablingNode = constructor.getKeywordParameter("assert_hostname").asSink() and
+          argumentOrigin =
+            constructor.getKeywordParameter("assert_hostname").getAValueReachingSink() and
           argumentOrigin.asExpr().(BooleanLiteral).booleanValue() = false
         )
       }
diff --git a/python/ql/lib/semmle/python/frameworks/Xmltodict.qll b/python/ql/lib/semmle/python/frameworks/Xmltodict.qll
@@ -29,7 +29,7 @@ private module Xmltodict {
 
     override predicate vulnerableTo(XML::XmlParsingVulnerabilityKind kind) {
       kind.isXmlBomb() and
-      this.getKeywordParameter("disable_entities").getAValueReachingRhs().asExpr() = any(False f)
+      this.getKeywordParameter("disable_entities").getAValueReachingSink().asExpr() = any(False f)
     }
 
     override predicate mayExecuteInput() { none() }
diff --git a/python/ql/src/Security/CWE-079/Jinja2WithoutEscaping.ql b/python/ql/src/Security/CWE-079/Jinja2WithoutEscaping.ql
@@ -42,7 +42,7 @@ where
     not exists(call.getArgByName("autoescape"))
     or
     call.getKeywordParameter("autoescape")
-        .getAValueReachingRhs()
+        .getAValueReachingSink()
         .asExpr()
         .(ImmutableLiteral)
         .booleanValue() = false
diff --git a/python/ql/src/Security/CWE-285/PamAuthorization.ql b/python/ql/src/Security/CWE-285/PamAuthorization.ql
@@ -18,9 +18,9 @@ import semmle.python.dataflow.new.TaintTracking
 API::Node libPam() {
   exists(API::CallNode findLibCall, API::CallNode cdllCall |
     findLibCall = API::moduleImport("ctypes").getMember("util").getMember("find_library").getACall() and
-    findLibCall.getParameter(0).getAValueReachingRhs().asExpr().(StrConst).getText() = "pam" and
+    findLibCall.getParameter(0).getAValueReachingSink().asExpr().(StrConst).getText() = "pam" and
     cdllCall = API::moduleImport("ctypes").getMember("CDLL").getACall() and
-    cdllCall.getParameter(0).getAValueReachingRhs() = findLibCall
+    cdllCall.getParameter(0).getAValueReachingSink() = findLibCall
   |
     result = cdllCall.getReturn()
   )
diff --git a/python/ql/src/Security/CWE-732/WeakFilePermissions.ql b/python/ql/src/Security/CWE-732/WeakFilePermissions.ql
@@ -36,13 +36,13 @@ string permissive_permission(int p) {
 
 predicate chmod_call(API::CallNode call, string name, int mode) {
   call = API::moduleImport("os").getMember("chmod").getACall() and
-  mode = call.getParameter(1, "mode").getAValueReachingRhs().asExpr().(IntegerLiteral).getValue() and
+  mode = call.getParameter(1, "mode").getAValueReachingSink().asExpr().(IntegerLiteral).getValue() and
   name = "chmod"
 }
 
 predicate open_call(API::CallNode call, string name, int mode) {
   call = API::moduleImport("os").getMember("open").getACall() and
-  mode = call.getParameter(2, "mode").getAValueReachingRhs().asExpr().(IntegerLiteral).getValue() and
+  mode = call.getParameter(2, "mode").getAValueReachingSink().asExpr().(IntegerLiteral).getValue() and
   name = "open"
 }
 

Original file line number	Diff line number	Diff line change
`@@ -2657,7 +2657,7 @@ private module StdlibPrivate {`
`2657`	`2657`	/** Gets a call to `hashlib.new` with `algorithmName` as the first argument. */
`2658`	`2658`	`private API::CallNode hashlibNewCall(string algorithmName) {`
`2659`	`2659`	`algorithmName =`
`2660`		`- result.getParameter(0, "name").getAValueReachingRhs().asExpr().(StrConst).getText() and`
	`2660`	`+ result.getParameter(0, "name").getAValueReachingSink().asExpr().(StrConst).getText() and`
`2661`	`2661`	`result = API::moduleImport("hashlib").getMember("new").getACall()`
`2662`	`2662`	`}`
`2663`	`2663`
`@@ -3443,7 +3443,7 @@ private module StdlibPrivate {`
`3443`	`3443`	`.getMember("handler")`
`3444`	`3444`	`.getMember("feature_external_ges")`
`3445`	`3445`	`.getAValueReachableFromSource() and`
`3446`		`- call.getStateArg().getAValueReachingRhs().asExpr().(BooleanLiteral).booleanValue() = true and`
	`3446`	`+ call.getStateArg().getAValueReachingSink().asExpr().(BooleanLiteral).booleanValue() = true and`
`3447`	`3447`	`result = call.getObject()`
`3448`	`3448`	`)`
`3449`	`3449`	`or`
`@@ -3459,7 +3459,7 @@ private module StdlibPrivate {`
`3459`	`3459`	`.getMember("handler")`
`3460`	`3460`	`.getMember("feature_external_ges")`
`3461`	`3461`	`.getAValueReachableFromSource() and`
`3462`		`- call.getStateArg().getAValueReachingRhs().asExpr().(BooleanLiteral).booleanValue() = false`
	`3462`	`+ call.getStateArg().getAValueReachingSink().asExpr().(BooleanLiteral).booleanValue() = false`
`3463`	`3463`	`)`
`3464`	`3464`	`}`
`3465`	`3465`
Original file line number	Diff line number	Diff line change
`@@ -29,7 +29,7 @@ private module Xmltodict {`
`29`	`29`
`30`	`30`	`override predicate vulnerableTo(XML::XmlParsingVulnerabilityKind kind) {`
`31`	`31`	`kind.isXmlBomb() and`
`32`		`- this.getKeywordParameter("disable_entities").getAValueReachingRhs().asExpr() = any(False f)`
	`32`	`+ this.getKeywordParameter("disable_entities").getAValueReachingSink().asExpr() = any(False f)`
`33`	`33`	`}`
`34`	`34`
`35`	`35`	`override predicate mayExecuteInput() { none() }`
Original file line number	Diff line number	Diff line change
`@@ -18,9 +18,9 @@ import semmle.python.dataflow.new.TaintTracking`
`18`	`18`	`API::Node libPam() {`
`19`	`19`	`exists(API::CallNode findLibCall, API::CallNode cdllCall \|`
`20`	`20`	`findLibCall = API::moduleImport("ctypes").getMember("util").getMember("find_library").getACall() and`
`21`		`- findLibCall.getParameter(0).getAValueReachingRhs().asExpr().(StrConst).getText() = "pam" and`
	`21`	`+ findLibCall.getParameter(0).getAValueReachingSink().asExpr().(StrConst).getText() = "pam" and`
`22`	`22`	`cdllCall = API::moduleImport("ctypes").getMember("CDLL").getACall() and`
`23`		`- cdllCall.getParameter(0).getAValueReachingRhs() = findLibCall`
	`23`	`+ cdllCall.getParameter(0).getAValueReachingSink() = findLibCall`
`24`	`24`	`\|`
`25`	`25`	`result = cdllCall.getReturn()`
`26`	`26`	`)`