Python: Rename vulnerable predicate => vulnerableTo

RasmusWL · RasmusWL · commit 3f6c55e8aeb3 · 2022-03-03T22:09:31.000+01:00
diff --git a/python/ql/src/experimental/semmle/python/Concepts.qll b/python/ql/src/experimental/semmle/python/Concepts.qll
@@ -53,7 +53,7 @@ module XML {
     /**
      * Holds if this XML parsing is vulnerable to `kind`.
      */
-    predicate vulnerable(XMLVulnerabilityKind kind) { super.vulnerable(kind) }
+    predicate vulnerableTo(XMLVulnerabilityKind kind) { super.vulnerableTo(kind) }
   }
 
   /** Provides classes for modeling XML parsing APIs. */
@@ -73,7 +73,7 @@ module XML {
       /**
        * Holds if this XML parsing is vulnerable to `kind`.
        */
-      abstract predicate vulnerable(XMLVulnerabilityKind kind);
+      abstract predicate vulnerableTo(XMLVulnerabilityKind kind);
     }
   }
 }
diff --git a/python/ql/src/experimental/semmle/python/frameworks/Xml.qll b/python/ql/src/experimental/semmle/python/frameworks/Xml.qll
@@ -66,7 +66,7 @@ private module XmlEtree {
 
       override DataFlow::Node getAnInput() { result in [this.getArg(0), this.getArgByName("data")] }
 
-      override predicate vulnerable(XML::XMLVulnerabilityKind kind) {
+      override predicate vulnerableTo(XML::XMLVulnerabilityKind kind) {
         kind.isBillionLaughs() or kind.isQuadraticBlowup()
       }
     }
@@ -103,7 +103,7 @@ private module XmlEtree {
         ]
     }
 
-    override predicate vulnerable(XML::XMLVulnerabilityKind kind) {
+    override predicate vulnerableTo(XML::XMLVulnerabilityKind kind) {
       // note: it does not matter what `xml.etree` parser you are using, you cannot
       // change the security features anyway :|
       kind.isBillionLaughs() or kind.isQuadraticBlowup()
@@ -218,7 +218,7 @@ private module SaxBasedParsing {
 
     override DataFlow::Node getAnInput() { result in [this.getArg(0), this.getArgByName("source")] }
 
-    override predicate vulnerable(XML::XMLVulnerabilityKind kind) {
+    override predicate vulnerableTo(XML::XMLVulnerabilityKind kind) {
       // always vuln to these
       (kind.isBillionLaughs() or kind.isQuadraticBlowup())
       or
@@ -251,7 +251,7 @@ private module SaxBasedParsing {
         ]
     }
 
-    override predicate vulnerable(XML::XMLVulnerabilityKind kind) {
+    override predicate vulnerableTo(XML::XMLVulnerabilityKind kind) {
       // always vuln to these
       (kind.isBillionLaughs() or kind.isQuadraticBlowup())
       or
@@ -290,7 +290,7 @@ private module SaxBasedParsing {
 
     DataFlow::Node getParserArg() { result in [this.getArg(1), this.getArgByName("parser")] }
 
-    override predicate vulnerable(XML::XMLVulnerabilityKind kind) {
+    override predicate vulnerableTo(XML::XMLVulnerabilityKind kind) {
       this.getParserArg() = saxParserWithFeatureExternalGesTurnedOn() and
       (kind.isXxe() or kind.isDtdRetrieval())
       or
@@ -317,7 +317,7 @@ private module Lxml {
      */
     abstract class InstanceSource extends DataFlow::LocalSourceNode {
       /** Holds if this instance is vulnerable to `kind`. */
-      abstract predicate vulnerable(XML::XMLVulnerabilityKind kind);
+      abstract predicate vulnerableTo(XML::XMLVulnerabilityKind kind);
     }
 
     /**
@@ -331,7 +331,7 @@ private module Lxml {
       }
 
       // NOTE: it's not possible to change settings of a parser after constructing it
-      override predicate vulnerable(XML::XMLVulnerabilityKind kind) {
+      override predicate vulnerableTo(XML::XMLVulnerabilityKind kind) {
         kind.isXxe() and
         (
           // resolve_entities has default True
@@ -360,7 +360,7 @@ private module Lxml {
           API::moduleImport("lxml").getMember("etree").getMember("get_default_parser").getACall()
       }
 
-      override predicate vulnerable(XML::XMLVulnerabilityKind kind) {
+      override predicate vulnerableTo(XML::XMLVulnerabilityKind kind) {
         // as highlighted by
         // https://lxml.de/apidoc/lxml.etree.html?highlight=xmlparser#lxml.etree.XMLParser
         // by default XXE is allow. so as long as the default parser has not been
@@ -385,7 +385,7 @@ private module Lxml {
 
     /** Gets a reference to an `lxml.etree` parser instance, that is vulnerable to `kind`. */
     DataFlow::Node instanceVulnerableTo(XML::XMLVulnerabilityKind kind) {
-      exists(InstanceSource origin | result = instance(origin) and origin.vulnerable(kind))
+      exists(InstanceSource origin | result = instance(origin) and origin.vulnerableTo(kind))
     }
 
     /**
@@ -396,7 +396,7 @@ private module Lxml {
 
       override DataFlow::Node getAnInput() { result in [this.getArg(0), this.getArgByName("data")] }
 
-      override predicate vulnerable(XML::XMLVulnerabilityKind kind) {
+      override predicate vulnerableTo(XML::XMLVulnerabilityKind kind) {
         this.calls(instanceVulnerableTo(kind), "feed")
       }
     }
@@ -435,7 +435,7 @@ private module Lxml {
 
     DataFlow::Node getParserArg() { result in [this.getArg(1), this.getArgByName("parser")] }
 
-    override predicate vulnerable(XML::XMLVulnerabilityKind kind) {
+    override predicate vulnerableTo(XML::XMLVulnerabilityKind kind) {
       this.getParserArg() = XMLParser::instanceVulnerableTo(kind)
       or
       kind.isXxe() and
@@ -455,7 +455,7 @@ private module Xmltodict {
       result in [this.getArg(0), this.getArgByName("xml_input")]
     }
 
-    override predicate vulnerable(XML::XMLVulnerabilityKind kind) {
+    override predicate vulnerableTo(XML::XMLVulnerabilityKind kind) {
       (kind.isBillionLaughs() or kind.isQuadraticBlowup()) and
       this.getArgByName("disable_entities").getALocalSource().asExpr() = any(False f)
     }
diff --git a/python/ql/src/experimental/semmle/python/security/dataflow/XmlEntityInjectionCustomizations.qll b/python/ql/src/experimental/semmle/python/security/dataflow/XmlEntityInjectionCustomizations.qll
@@ -58,7 +58,7 @@ module XmlEntityInjection {
 
     XMLParsingInputAsSink() { this = xmlParsing.getAnInput() }
 
-    override string getVulnerableKind() { xmlParsing.vulnerable(result) }
+    override string getVulnerableKind() { xmlParsing.vulnerableTo(result) }
   }
 
   /**
diff --git a/python/ql/test/experimental/library-tests/frameworks/XML/ExperimentalXmlConceptsTests.ql b/python/ql/test/experimental/library-tests/frameworks/XML/ExperimentalXmlConceptsTests.ql
@@ -22,7 +22,7 @@ class XmlParsingTest extends InlineExpectationsTest {
       )
       or
       exists(XML::XMLVulnerabilityKind kind |
-        parsing.vulnerable(kind) and
+        parsing.vulnerableTo(kind) and
         location = parsing.getLocation() and
         element = parsing.toString() and
         value = "'" + kind + "'" and

Original file line number	Diff line number	Diff line change
`@@ -53,7 +53,7 @@ module XML {`
`53`	`53`	`/**`
`54`	`54`	* Holds if this XML parsing is vulnerable to `kind`.
`55`	`55`	`*/`
`56`		`- predicate vulnerable(XMLVulnerabilityKind kind) { super.vulnerable(kind) }`
	`56`	`+ predicate vulnerableTo(XMLVulnerabilityKind kind) { super.vulnerableTo(kind) }`
`57`	`57`	`}`
`58`	`58`
`59`	`59`	`/** Provides classes for modeling XML parsing APIs. */`
`@@ -73,7 +73,7 @@ module XML {`
`73`	`73`	`/**`
`74`	`74`	* Holds if this XML parsing is vulnerable to `kind`.
`75`	`75`	`*/`
`76`		`- abstract predicate vulnerable(XMLVulnerabilityKind kind);`
	`76`	`+ abstract predicate vulnerableTo(XMLVulnerabilityKind kind);`
`77`	`77`	`}`
`78`	`78`	`}`
`79`	`79`	`}`
Original file line number	Diff line number	Diff line change
`@@ -66,7 +66,7 @@ private module XmlEtree {`
`66`	`66`
`67`	`67`	`override DataFlow::Node getAnInput() { result in [this.getArg(0), this.getArgByName("data")] }`
`68`	`68`
`69`		`- override predicate vulnerable(XML::XMLVulnerabilityKind kind) {`
	`69`	`+ override predicate vulnerableTo(XML::XMLVulnerabilityKind kind) {`
`70`	`70`	`kind.isBillionLaughs() or kind.isQuadraticBlowup()`
`71`	`71`	`}`
`72`	`72`	`}`
`@@ -103,7 +103,7 @@ private module XmlEtree {`
`103`	`103`	`]`
`104`	`104`	`}`
`105`	`105`
`106`		`- override predicate vulnerable(XML::XMLVulnerabilityKind kind) {`
	`106`	`+ override predicate vulnerableTo(XML::XMLVulnerabilityKind kind) {`
`107`	`107`	// note: it does not matter what `xml.etree` parser you are using, you cannot
`108`	`108`	`// change the security features anyway :\|`
`109`	`109`	`kind.isBillionLaughs() or kind.isQuadraticBlowup()`
`@@ -218,7 +218,7 @@ private module SaxBasedParsing {`
`218`	`218`
`219`	`219`	`override DataFlow::Node getAnInput() { result in [this.getArg(0), this.getArgByName("source")] }`
`220`	`220`
`221`		`- override predicate vulnerable(XML::XMLVulnerabilityKind kind) {`
	`221`	`+ override predicate vulnerableTo(XML::XMLVulnerabilityKind kind) {`
`222`	`222`	`// always vuln to these`
`223`	`223`	`(kind.isBillionLaughs() or kind.isQuadraticBlowup())`
`224`	`224`	`or`
`@@ -251,7 +251,7 @@ private module SaxBasedParsing {`
`251`	`251`	`]`
`252`	`252`	`}`
`253`	`253`
`254`		`- override predicate vulnerable(XML::XMLVulnerabilityKind kind) {`
	`254`	`+ override predicate vulnerableTo(XML::XMLVulnerabilityKind kind) {`
`255`	`255`	`// always vuln to these`
`256`	`256`	`(kind.isBillionLaughs() or kind.isQuadraticBlowup())`
`257`	`257`	`or`
`@@ -290,7 +290,7 @@ private module SaxBasedParsing {`
`290`	`290`
`291`	`291`	`DataFlow::Node getParserArg() { result in [this.getArg(1), this.getArgByName("parser")] }`
`292`	`292`
`293`		`- override predicate vulnerable(XML::XMLVulnerabilityKind kind) {`
	`293`	`+ override predicate vulnerableTo(XML::XMLVulnerabilityKind kind) {`
`294`	`294`	`this.getParserArg() = saxParserWithFeatureExternalGesTurnedOn() and`
`295`	`295`	`(kind.isXxe() or kind.isDtdRetrieval())`
`296`	`296`	`or`
`@@ -317,7 +317,7 @@ private module Lxml {`
`317`	`317`	`*/`
`318`	`318`	`abstract class InstanceSource extends DataFlow::LocalSourceNode {`
`319`	`319`	/** Holds if this instance is vulnerable to `kind`. */
`320`		`- abstract predicate vulnerable(XML::XMLVulnerabilityKind kind);`
	`320`	`+ abstract predicate vulnerableTo(XML::XMLVulnerabilityKind kind);`
`321`	`321`	`}`
`322`	`322`
`323`	`323`	`/**`
`@@ -331,7 +331,7 @@ private module Lxml {`
`331`	`331`	`}`
`332`	`332`
`333`	`333`	`// NOTE: it's not possible to change settings of a parser after constructing it`
`334`		`- override predicate vulnerable(XML::XMLVulnerabilityKind kind) {`
	`334`	`+ override predicate vulnerableTo(XML::XMLVulnerabilityKind kind) {`
`335`	`335`	`kind.isXxe() and`
`336`	`336`	`(`
`337`	`337`	`// resolve_entities has default True`
`@@ -360,7 +360,7 @@ private module Lxml {`
`360`	`360`	`API::moduleImport("lxml").getMember("etree").getMember("get_default_parser").getACall()`
`361`	`361`	`}`
`362`	`362`
`363`		`- override predicate vulnerable(XML::XMLVulnerabilityKind kind) {`
	`363`	`+ override predicate vulnerableTo(XML::XMLVulnerabilityKind kind) {`
`364`	`364`	`// as highlighted by`
`365`	`365`	`// https://lxml.de/apidoc/lxml.etree.html?highlight=xmlparser#lxml.etree.XMLParser`
`366`	`366`	`// by default XXE is allow. so as long as the default parser has not been`
`@@ -385,7 +385,7 @@ private module Lxml {`
`385`	`385`
`386`	`386`	/** Gets a reference to an `lxml.etree` parser instance, that is vulnerable to `kind`. */
`387`	`387`	`DataFlow::Node instanceVulnerableTo(XML::XMLVulnerabilityKind kind) {`
`388`		`- exists(InstanceSource origin \| result = instance(origin) and origin.vulnerable(kind))`
	`388`	`+ exists(InstanceSource origin \| result = instance(origin) and origin.vulnerableTo(kind))`
`389`	`389`	`}`
`390`	`390`
`391`	`391`	`/**`
`@@ -396,7 +396,7 @@ private module Lxml {`
`396`	`396`
`397`	`397`	`override DataFlow::Node getAnInput() { result in [this.getArg(0), this.getArgByName("data")] }`
`398`	`398`
`399`		`- override predicate vulnerable(XML::XMLVulnerabilityKind kind) {`
	`399`	`+ override predicate vulnerableTo(XML::XMLVulnerabilityKind kind) {`
`400`	`400`	`this.calls(instanceVulnerableTo(kind), "feed")`
`401`	`401`	`}`
`402`	`402`	`}`
`@@ -435,7 +435,7 @@ private module Lxml {`
`435`	`435`
`436`	`436`	`DataFlow::Node getParserArg() { result in [this.getArg(1), this.getArgByName("parser")] }`
`437`	`437`
`438`		`- override predicate vulnerable(XML::XMLVulnerabilityKind kind) {`
	`438`	`+ override predicate vulnerableTo(XML::XMLVulnerabilityKind kind) {`
`439`	`439`	`this.getParserArg() = XMLParser::instanceVulnerableTo(kind)`
`440`	`440`	`or`
`441`	`441`	`kind.isXxe() and`
`@@ -455,7 +455,7 @@ private module Xmltodict {`
`455`	`455`	`result in [this.getArg(0), this.getArgByName("xml_input")]`
`456`	`456`	`}`
`457`	`457`
`458`		`- override predicate vulnerable(XML::XMLVulnerabilityKind kind) {`
	`458`	`+ override predicate vulnerableTo(XML::XMLVulnerabilityKind kind) {`
`459`	`459`	`(kind.isBillionLaughs() or kind.isQuadraticBlowup()) and`
`460`	`460`	`this.getArgByName("disable_entities").getALocalSource().asExpr() = any(False f)`
`461`	`461`	`}`
Original file line number	Diff line number	Diff line change
`@@ -58,7 +58,7 @@ module XmlEntityInjection {`
`58`	`58`
`59`	`59`	`XMLParsingInputAsSink() { this = xmlParsing.getAnInput() }`
`60`	`60`
`61`		`- override string getVulnerableKind() { xmlParsing.vulnerable(result) }`
	`61`	`+ override string getVulnerableKind() { xmlParsing.vulnerableTo(result) }`
`62`	`62`	`}`
`63`	`63`
`64`	`64`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -22,7 +22,7 @@ class XmlParsingTest extends InlineExpectationsTest {`
`22`	`22`	`)`
`23`	`23`	`or`
`24`	`24`	`exists(XML::XMLVulnerabilityKind kind \|`
`25`		`- parsing.vulnerable(kind) and`
	`25`	`+ parsing.vulnerableTo(kind) and`
`26`	`26`	`location = parsing.getLocation() and`
`27`	`27`	`element = parsing.toString() and`
`28`	`28`	`value = "'" + kind + "'" and`