Python: Move PyYAML modeling classes within module

RasmusWL · RasmusWL · commit 25b15d74709e · 2021-03-18T11:48:30.000+01:00
For now, this is how we're trying to structure things -- all in all it doesn't
matter too much, since everything is still marked as private.
diff --git a/python/ql/src/semmle/python/frameworks/Yaml.qll b/python/ql/src/semmle/python/frameworks/Yaml.qll
@@ -21,49 +21,49 @@ private import semmle.python.ApiGraphs
  * - https://pyyaml.org/wiki/PyYAMLDocumentation
  * - https://pyyaml.docsforge.com/master/documentation/
  */
-private module Yaml { }
-
-/**
- * A call to any of the loading functions in `yaml` (`load`, `load_all`, `full_load`,
- * `full_load_all`, `unsafe_load`, `unsafe_load_all`, `safe_load`, `safe_load_all`)
- *
- * See https://pyyaml.org/wiki/PyYAMLDocumentation (you will have to scroll down).
- */
-private class YamlLoadCall extends Decoding::Range, DataFlow::CallCfgNode {
-  override CallNode node;
-  string func_name;
-
-  YamlLoadCall() {
-    func_name in [
-        "load", "load_all", "full_load", "full_load_all", "unsafe_load", "unsafe_load_all",
-        "safe_load", "safe_load_all"
-      ] and
-    this = API::moduleImport("yaml").getMember(func_name).getACall()
-  }
-
+private module Yaml {
   /**
-   * This function was thought safe from the 5.1 release in 2017, when the default loader was changed to `FullLoader`.
-   * In 2020 new exploits were found, meaning it's not safe. The Current plan is to change the default to `SafeLoader` in release 6.0
-   * (as explained in https://github.com/yaml/pyyaml/issues/420#issuecomment-696752389).
-   * Until 6.0 is released, we will mark `yaml.load` as possibly leading to arbitrary code execution.
-   * See https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation for more details.
+   * A call to any of the loading functions in `yaml` (`load`, `load_all`, `full_load`,
+   * `full_load_all`, `unsafe_load`, `unsafe_load_all`, `safe_load`, `safe_load_all`)
+   *
+   * See https://pyyaml.org/wiki/PyYAMLDocumentation (you will have to scroll down).
    */
-  override predicate mayExecuteInput() {
-    func_name in ["full_load", "full_load_all", "unsafe_load", "unsafe_load_all"]
-    or
-    func_name in ["load", "load_all"] and
-    // If the `Loader` is not set to either `SafeLoader` or `BaseLoader` or not set at all,
-    // then the default loader will be used, which is not safe.
-    not exists(DataFlow::Node loader_arg |
-      loader_arg in [this.getArg(1), this.getArgByName("Loader")]
-    |
-      loader_arg = API::moduleImport("yaml").getMember(["SafeLoader", "BaseLoader"]).getAUse()
-    )
-  }
+  private class YamlLoadCall extends Decoding::Range, DataFlow::CallCfgNode {
+    override CallNode node;
+    string func_name;
+
+    YamlLoadCall() {
+      func_name in [
+          "load", "load_all", "full_load", "full_load_all", "unsafe_load", "unsafe_load_all",
+          "safe_load", "safe_load_all"
+        ] and
+      this = API::moduleImport("yaml").getMember(func_name).getACall()
+    }
 
-  override DataFlow::Node getAnInput() { result = this.getArg(0) }
+    /**
+     * This function was thought safe from the 5.1 release in 2017, when the default loader was changed to `FullLoader`.
+     * In 2020 new exploits were found, meaning it's not safe. The Current plan is to change the default to `SafeLoader` in release 6.0
+     * (as explained in https://github.com/yaml/pyyaml/issues/420#issuecomment-696752389).
+     * Until 6.0 is released, we will mark `yaml.load` as possibly leading to arbitrary code execution.
+     * See https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation for more details.
+     */
+    override predicate mayExecuteInput() {
+      func_name in ["full_load", "full_load_all", "unsafe_load", "unsafe_load_all"]
+      or
+      func_name in ["load", "load_all"] and
+      // If the `Loader` is not set to either `SafeLoader` or `BaseLoader` or not set at all,
+      // then the default loader will be used, which is not safe.
+      not exists(DataFlow::Node loader_arg |
+        loader_arg in [this.getArg(1), this.getArgByName("Loader")]
+      |
+        loader_arg = API::moduleImport("yaml").getMember(["SafeLoader", "BaseLoader"]).getAUse()
+      )
+    }
 
-  override DataFlow::Node getOutput() { result = this }
+    override DataFlow::Node getAnInput() { result = this.getArg(0) }
 
-  override string getFormat() { result = "YAML" }
+    override DataFlow::Node getOutput() { result = this }
+
+    override string getFormat() { result = "YAML" }
+  }
 }
