Python: ExternalAPIs.qll: Swap order of classes

RasmusWL · yoff · RasmusWL · commit ae1d4decc368 · 2023-01-17T11:01:47.000+01:00
Co-authored-by: yoff &lt;lerchedahl@gmail.com&gt;
diff --git a/python/ql/src/Security/CWE-020-ExternalAPIs/ExternalAPIs.qll b/python/ql/src/Security/CWE-020-ExternalAPIs/ExternalAPIs.qll
@@ -111,44 +111,44 @@ abstract class InterestingExternalApiCall extends TInterestingExternalApiCall {
   abstract string getApiName();
 }
 
-class ResolvedCall extends InterestingExternalApiCall, TResolvedCall {
-  DataFlowPrivate::DataFlowCall dfCall;
+class UnresolvedCall extends InterestingExternalApiCall, TUnresolvedCall {
+  DataFlow::CallCfgNode call;
 
-  ResolvedCall() { this = TResolvedCall(dfCall) }
+  UnresolvedCall() { this = TUnresolvedCall(call) }
 
   override DataFlow::Node getArgument(DataFlowPrivate::ArgumentPosition apos) {
-    result = dfCall.getArgument(apos)
+    exists(int i | apos.isPositional(i) | result = call.getArg(i))
+    or
+    exists(string name | apos.isKeyword(name) | result = call.getArgByName(name))
   }
 
   override string toString() {
-    result = "ExternalAPI:ResolvedCall: " + dfCall.getNode().getNode().toString()
+    result = "ExternalAPI:UnresolvedCall: " + call.getNode().getNode().toString()
   }
 
   override string getApiName() {
-    exists(DataFlow::CallCfgNode call, API::Node apiNode | dfCall.getNode() = call.getNode() |
+    exists(API::Node apiNode |
       result = apiNodeToStringRepr(apiNode) and
       apiNode.getACall() = call
     )
   }
 }
 
-class UnresolvedCall extends InterestingExternalApiCall, TUnresolvedCall {
-  DataFlow::CallCfgNode call;
+class ResolvedCall extends InterestingExternalApiCall, TResolvedCall {
+  DataFlowPrivate::DataFlowCall dfCall;
 
-  UnresolvedCall() { this = TUnresolvedCall(call) }
+  ResolvedCall() { this = TResolvedCall(dfCall) }
 
   override DataFlow::Node getArgument(DataFlowPrivate::ArgumentPosition apos) {
-    exists(int i | apos.isPositional(i) | result = call.getArg(i))
-    or
-    exists(string name | apos.isKeyword(name) | result = call.getArgByName(name))
+    result = dfCall.getArgument(apos)
   }
 
   override string toString() {
-    result = "ExternalAPI:UnresolvedCall: " + call.getNode().getNode().toString()
+    result = "ExternalAPI:ResolvedCall: " + dfCall.getNode().getNode().toString()
   }
 
   override string getApiName() {
-    exists(API::Node apiNode |
+    exists(DataFlow::CallCfgNode call, API::Node apiNode | dfCall.getNode() = call.getNode() |
       result = apiNodeToStringRepr(apiNode) and
       apiNode.getACall() = call
     )

Original file line number	Diff line number	Diff line change
`@@ -111,44 +111,44 @@ abstract class InterestingExternalApiCall extends TInterestingExternalApiCall {`
`111`	`111`	`abstract string getApiName();`
`112`	`112`	`}`
`113`	`113`
`114`		`-class ResolvedCall extends InterestingExternalApiCall, TResolvedCall {`
`115`		`- DataFlowPrivate::DataFlowCall dfCall;`
	`114`	`+class UnresolvedCall extends InterestingExternalApiCall, TUnresolvedCall {`
	`115`	`+ DataFlow::CallCfgNode call;`
`116`	`116`
`117`		`- ResolvedCall() { this = TResolvedCall(dfCall) }`
	`117`	`+ UnresolvedCall() { this = TUnresolvedCall(call) }`
`118`	`118`
`119`	`119`	`override DataFlow::Node getArgument(DataFlowPrivate::ArgumentPosition apos) {`
`120`		`- result = dfCall.getArgument(apos)`
	`120`	`+ exists(int i \| apos.isPositional(i) \| result = call.getArg(i))`
	`121`	`+ or`
	`122`	`+ exists(string name \| apos.isKeyword(name) \| result = call.getArgByName(name))`
`121`	`123`	`}`
`122`	`124`
`123`	`125`	`override string toString() {`
`124`		`- result = "ExternalAPI:ResolvedCall: " + dfCall.getNode().getNode().toString()`
	`126`	`+ result = "ExternalAPI:UnresolvedCall: " + call.getNode().getNode().toString()`
`125`	`127`	`}`
`126`	`128`
`127`	`129`	`override string getApiName() {`
`128`		`- exists(DataFlow::CallCfgNode call, API::Node apiNode \| dfCall.getNode() = call.getNode() \|`
	`130`	`+ exists(API::Node apiNode \|`
`129`	`131`	`result = apiNodeToStringRepr(apiNode) and`
`130`	`132`	`apiNode.getACall() = call`
`131`	`133`	`)`
`132`	`134`	`}`
`133`	`135`	`}`
`134`	`136`
`135`		`-class UnresolvedCall extends InterestingExternalApiCall, TUnresolvedCall {`
`136`		`- DataFlow::CallCfgNode call;`
	`137`	`+class ResolvedCall extends InterestingExternalApiCall, TResolvedCall {`
	`138`	`+ DataFlowPrivate::DataFlowCall dfCall;`
`137`	`139`
`138`		`- UnresolvedCall() { this = TUnresolvedCall(call) }`
	`140`	`+ ResolvedCall() { this = TResolvedCall(dfCall) }`
`139`	`141`
`140`	`142`	`override DataFlow::Node getArgument(DataFlowPrivate::ArgumentPosition apos) {`
`141`		`- exists(int i \| apos.isPositional(i) \| result = call.getArg(i))`
`142`		`- or`
`143`		`- exists(string name \| apos.isKeyword(name) \| result = call.getArgByName(name))`
	`143`	`+ result = dfCall.getArgument(apos)`
`144`	`144`	`}`
`145`	`145`
`146`	`146`	`override string toString() {`
`147`		`- result = "ExternalAPI:UnresolvedCall: " + call.getNode().getNode().toString()`
	`147`	`+ result = "ExternalAPI:ResolvedCall: " + dfCall.getNode().getNode().toString()`
`148`	`148`	`}`
`149`	`149`
`150`	`150`	`override string getApiName() {`
`151`		`- exists(API::Node apiNode \|`
	`151`	`+ exists(DataFlow::CallCfgNode call, API::Node apiNode \| dfCall.getNode() = call.getNode() \|`
`152`	`152`	`result = apiNodeToStringRepr(apiNode) and`
`153`	`153`	`apiNode.getACall() = call`
`154`	`154`	`)`