python: remove TaintStepFromSummary

as it should be covered by `SummarizedCallableFromModel`

Also move things around, to look more like the Ruby code.

Author: yoff

python/ql/lib/semmle/python/dataflow/new/FlowSummary.qll

@@ -2,7 +2,6 @@
 
 private import python
 private import semmle.python.dataflow.new.DataFlow
-private import semmle.python.frameworks.data.ModelsAsData
 private import semmle.python.ApiGraphs
 private import internal.FlowSummaryImpl as Impl
 private import internal.DataFlowUtil
@@ -11,6 +10,7 @@ private import internal.DataFlowPrivate
 // import all instances below
 private module Summaries {
   private import semmle.python.Frameworks
+  private import semmle.python.frameworks.data.ModelsAsData
 }
 
 deprecated class SummaryComponent = Impl::Private::SummaryComponent;
@@ -36,32 +36,3 @@ abstract class SummarizedCallable extends LibraryCallable, Impl::Public::Summari
 }
 
 deprecated class RequiredSummaryComponentStack = Impl::Private::RequiredSummaryComponentStack;
-
-private class SummarizedCallableFromModel extends SummarizedCallable {
-  string type;
-  string path;
-
-  SummarizedCallableFromModel() {
-    ModelOutput::relevantSummaryModel(type, path, _, _, _) and
-    this = type + ";" + path
-  }
-
-  override CallCfgNode getACall() { ModelOutput::resolvedSummaryBase(type, path, result) }
-
-  override ArgumentNode getACallback() {
-    exists(API::Node base |
-      ModelOutput::resolvedSummaryRefBase(type, path, base) and
-      result = base.getAValueReachableFromSource()
-    )
-  }
-
-  override predicate propagatesFlow(string input, string output, boolean preservesValue) {
-    exists(string kind | ModelOutput::relevantSummaryModel(type, path, input, output, kind) |
-      kind = "value" and
-      preservesValue = true
-      or
-      kind = "taint" and
-      preservesValue = false
-    )
-  }
-}

python/ql/lib/semmle/python/frameworks/data/ModelsAsData.qll

@@ -17,7 +17,7 @@ import Shared::ModelOutput as ModelOutput
 private import semmle.python.dataflow.new.RemoteFlowSources
 private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.ApiGraphs
-private import semmle.python.dataflow.new.TaintTracking
+private import semmle.python.dataflow.new.FlowSummary
 
 /**
  * A remote flow source originating from a CSV source row.
@@ -28,20 +28,31 @@ private class RemoteFlowSourceFromCsv extends RemoteFlowSource {
   override string getSourceType() { result = "Remote flow (from model)" }
 }
 
-/**
- * Like `ModelOutput::summaryStep` but with API nodes mapped to data-flow nodes.
- */
-private predicate summaryStepNodes(DataFlow::Node pred, DataFlow::Node succ, string kind) {
-  exists(API::Node predNode, API::Node succNode |
-    Specific::summaryStep(predNode, succNode, kind) and
-    pred = predNode.asSink() and
-    succ = succNode.asSource()
-  )
-}
+private class SummarizedCallableFromModel extends SummarizedCallable {
+  string type;
+  string path;
+
+  SummarizedCallableFromModel() {
+    ModelOutput::relevantSummaryModel(type, path, _, _, _) and
+    this = type + ";" + path
+  }
+
+  override DataFlow::CallCfgNode getACall() { ModelOutput::resolvedSummaryBase(type, path, result) }
+
+  override DataFlow::ArgumentNode getACallback() {
+    exists(API::Node base |
+      ModelOutput::resolvedSummaryRefBase(type, path, base) and
+      result = base.getAValueReachableFromSource()
+    )
+  }
 
-/** Taint steps induced by summary models of kind `taint`. */
-private class TaintStepFromSummary extends TaintTracking::AdditionalTaintStep {
-  override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
-    summaryStepNodes(pred, succ, "taint")
+  override predicate propagatesFlow(string input, string output, boolean preservesValue) {
+    exists(string kind | ModelOutput::relevantSummaryModel(type, path, input, output, kind) |
+      kind = "value" and
+      preservesValue = true
+      or
+      kind = "taint" and
+      preservesValue = false
+    )
   }
 }