Apply getItem(_) and extend verifiesSignature readability

jorgectf · jorgectf · commit a6c285ad3283 · 2021-10-28T17:40:27.000+02:00
diff --git a/python/ql/src/experimental/semmle/python/libraries/Authlib.qll b/python/ql/src/experimental/semmle/python/libraries/Authlib.qll
@@ -42,7 +42,7 @@ private module Authlib {
 
     override DataFlow::Node getAlgorithm() {
       exists(KeyValuePair headerDict |
-        headerDict = this.getArg(0).asExpr().(Dict).getItems().getAnItem() and
+        headerDict = this.getArg(0).asExpr().(Dict).getItem(_) and
         headerDict.getKey().(Str_).getS().matches("alg") and
         result.asExpr() = headerDict.getValue()
       )
diff --git a/python/ql/src/experimental/semmle/python/libraries/PyJWT.qll b/python/ql/src/experimental/semmle/python/libraries/PyJWT.qll
@@ -101,7 +101,7 @@ private module PyJWT {
     predicate hasVerifySignatureSetToFalse() {
       exists(KeyValuePair optionsDict, NameConstant falseName |
         falseName.getId() = "False" and
-        optionsDict = this.getOptions().asExpr().(Dict).getItems().getAnItem() and
+        optionsDict = this.getOptions().asExpr().(Dict).getItem(_) and
         optionsDict.getKey().(Str_).getS().matches("%verify%") and
         falseName = optionsDict.getValue()
       )
diff --git a/python/ql/src/experimental/semmle/python/libraries/PythonJose.qll b/python/ql/src/experimental/semmle/python/libraries/PythonJose.qll
@@ -88,12 +88,18 @@ private module PythonJose {
 
     override predicate verifiesSignature() {
       // jwt.decode(token, "key", "HS256")
-      not exists(this.getOptions())
+      this.hasNoOptions()
       or
       // jwt.decode(token, key, options={"verify_signature": False})
-      not exists(KeyValuePair optionsDict, NameConstant falseName |
+      not this.hasVerifySignatureSetToFalse()
+    }
+
+    predicate hasNoOptions() { not exists(this.getOptions()) }
+
+    predicate hasVerifySignatureSetToFalse() {
+      exists(KeyValuePair optionsDict, NameConstant falseName |
         falseName.getId() = "False" and
-        optionsDict = this.getOptions().asExpr().(Dict).getItems().getAnItem() and
+        optionsDict = this.getOptions().asExpr().(Dict).getItem(_) and
         optionsDict.getKey().(Str_).getS().matches("%verify%") and
         falseName = optionsDict.getValue()
       )

Original file line number	Diff line number	Diff line change
`@@ -42,7 +42,7 @@ private module Authlib {`
`42`	`42`
`43`	`43`	`override DataFlow::Node getAlgorithm() {`
`44`	`44`	`exists(KeyValuePair headerDict \|`
`45`		`- headerDict = this.getArg(0).asExpr().(Dict).getItems().getAnItem() and`
	`45`	`+ headerDict = this.getArg(0).asExpr().(Dict).getItem(_) and`
`46`	`46`	`headerDict.getKey().(Str_).getS().matches("alg") and`
`47`	`47`	`result.asExpr() = headerDict.getValue()`
`48`	`48`	`)`
Original file line number	Diff line number	Diff line change
`@@ -101,7 +101,7 @@ private module PyJWT {`
`101`	`101`	`predicate hasVerifySignatureSetToFalse() {`
`102`	`102`	`exists(KeyValuePair optionsDict, NameConstant falseName \|`
`103`	`103`	`falseName.getId() = "False" and`
`104`		`- optionsDict = this.getOptions().asExpr().(Dict).getItems().getAnItem() and`
	`104`	`+ optionsDict = this.getOptions().asExpr().(Dict).getItem(_) and`
`105`	`105`	`optionsDict.getKey().(Str_).getS().matches("%verify%") and`
`106`	`106`	`falseName = optionsDict.getValue()`
`107`	`107`	`)`