Python: Fully disallow API::moduleImport of module with dots

RasmusWL · RasmusWL · commit f8253f5fefd1 · 2022-05-12T13:30:26.000+02:00
Inspired by discussion about this for MaD in github#8883 (comment)
diff --git a/python/ql/lib/semmle/python/ApiGraphs.qll b/python/ql/lib/semmle/python/ApiGraphs.qll
@@ -280,7 +280,13 @@ module API {
    * you should use `.getMember` on the parent module. For example, for nodes corresponding to the module `foo.bar`,
    * use `moduleImport("foo").getMember("bar")`.
    */
-  Node moduleImport(string m) { result = Impl::MkModuleImport(m) }
+  Node moduleImport(string m) {
+    result = Impl::MkModuleImport(m) and
+    // restrict `moduleImport` so it will never give results for a dotted name. Note
+    // that we cannot move this logic to the `MkModuleImport` construction, since we
+    // need the intermediate API graph nodes for the prefixes in `import foo.bar.baz`.
+    not m.matches("%.%")
+  }
 
   /** Gets a node corresponding to the built-in with the given name, if any. */
   Node builtin(string n) { result = moduleImport("builtins").getMember(n) }
diff --git a/python/ql/test/library-tests/ApiGraphs/py3/ModuleImportWithDots.expected b/python/ql/test/library-tests/ApiGraphs/py3/ModuleImportWithDots.expected
@@ -1,7 +1,5 @@
 moduleImportWithDots
-| file://:0:0:0:0 | ModuleImport moduleImport("a").getMember("b").getMember("c").getMember("d") |
 doesntFullyWork
-| test.py:28:10:28:17 | ControlFlowNode for method() |
 works
 | test.py:25:6:25:18 | ControlFlowNode for Attribute() |
 | test.py:28:10:28:17 | ControlFlowNode for method() |
