Python: Use API graphs in Werkzeug

tausbn · web-flow · commit 5f7d3d0d3686 · 2021-04-13T15:57:21.000Z
diff --git a/python/ql/src/semmle/python/frameworks/Flask.qll b/python/ql/src/semmle/python/frameworks/Flask.qll
@@ -401,13 +401,15 @@ module Flask {
     }
   }
 
-  private class RequestAttrMultiDict extends Werkzeug::werkzeug::datastructures::MultiDict::InstanceSource {
+  private class RequestAttrMultiDict extends Werkzeug::werkzeug::datastructures::MultiDict::InstanceSourceApiNode {
     string attr_name;
 
     RequestAttrMultiDict() {
       attr_name in ["args", "values", "form", "files"] and
-      this = request().getMember(attr_name).getAnImmediateUse()
+      this = request().getMember(attr_name)
     }
+
+    override string toString() { result = this.(API::Node).toString() }
   }
 
   private class RequestAttrFiles extends RequestAttrMultiDict {
diff --git a/python/ql/src/semmle/python/frameworks/Werkzeug.qll b/python/ql/src/semmle/python/frameworks/Werkzeug.qll
@@ -5,6 +5,7 @@
 private import python
 private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.dataflow.new.TaintTracking
+private import semmle.python.ApiGraphs
 
 /**
  * Provides models for the `Werkzeug` PyPI package.
@@ -23,6 +24,9 @@ module Werkzeug {
        * See https://werkzeug.palletsprojects.com/en/1.0.x/datastructures/#werkzeug.datastructures.MultiDict.
        */
       module MultiDict {
+        /** DEPRECATED. Use `InstanceSourceApiNode` instead. */
+        abstract deprecated class InstanceSource extends DataFlow::Node { }
+
         /**
          * A source of instances of `werkzeug.datastructures.MultiDict`, extend this class to model new instances.
          *
@@ -32,37 +36,16 @@ module Werkzeug {
          *
          * Use the predicate `MultiDict::instance()` to get references to instances of `werkzeug.datastructures.MultiDict`.
          */
-        abstract class InstanceSource extends DataFlow::Node { }
-
-        /** Gets a reference to an instance of `werkzeug.datastructures.MultiDict`. */
-        private DataFlow::Node instance(DataFlow::TypeTracker t) {
-          t.start() and
-          result instanceof InstanceSource
-          or
-          exists(DataFlow::TypeTracker t2 | result = instance(t2).track(t2, t))
-        }
-
-        /** Gets a reference to an instance of `werkzeug.datastructures.MultiDict`. */
-        DataFlow::Node instance() { result = instance(DataFlow::TypeTracker::end()) }
+        abstract class InstanceSourceApiNode extends API::Node { }
 
         /**
          * Gets a reference to the `getlist` method on an instance of `werkzeug.datastructures.MultiDict`.
          *
          * See https://werkzeug.palletsprojects.com/en/1.0.x/datastructures/#werkzeug.datastructures.Headers.getlist
          */
-        private DataFlow::Node getlist(DataFlow::TypeTracker t) {
-          t.startInAttr("getlist") and
-          result = instance()
-          or
-          exists(DataFlow::TypeTracker t2 | result = getlist(t2).track(t2, t))
+        DataFlow::Node getlist() {
+          result = any(InstanceSourceApiNode a).getMember("getlist").getAUse()
         }
-
-        /**
-         * Gets a reference to the `getlist` method on an instance of `werkzeug.datastructures.MultiDict`.
-         *
-         * See https://werkzeug.palletsprojects.com/en/1.0.x/datastructures/#werkzeug.datastructures.Headers.getlist
-         */
-        DataFlow::Node getlist() { result = getlist(DataFlow::TypeTracker::end()) }
       }
 
       /**
@@ -71,6 +54,9 @@ module Werkzeug {
        * See https://werkzeug.palletsprojects.com/en/1.0.x/datastructures/#werkzeug.datastructures.FileStorage.
        */
       module FileStorage {
+        /** DEPRECATED. Use `InstanceSourceApiNode` instead. */
+        abstract deprecated class InstanceSource extends DataFlow::Node { }
+
         /**
          * A source of instances of `werkzeug.datastructures.FileStorage`, extend this class to model new instances.
          *
@@ -80,18 +66,10 @@ module Werkzeug {
          *
          * Use the predicate `FileStorage::instance()` to get references to instances of `werkzeug.datastructures.FileStorage`.
          */
-        abstract class InstanceSource extends DataFlow::Node { }
-
-        /** Gets a reference to an instance of `werkzeug.datastructures.FileStorage`. */
-        private DataFlow::Node instance(DataFlow::TypeTracker t) {
-          t.start() and
-          result instanceof InstanceSource
-          or
-          exists(DataFlow::TypeTracker t2 | result = instance(t2).track(t2, t))
-        }
+        abstract class InstanceSourceApiNode extends API::Node { }
 
         /** Gets a reference to an instance of `werkzeug.datastructures.FileStorage`. */
-        DataFlow::Node instance() { result = instance(DataFlow::TypeTracker::end()) }
+        DataFlow::Node instance() { result = any(InstanceSourceApiNode a).getAUse() }
       }
     }
   }

Original file line number	Diff line number	Diff line change
`@@ -401,13 +401,15 @@ module Flask {`
`401`	`401`	`}`
`402`	`402`	`}`
`403`	`403`
`404`		`- private class RequestAttrMultiDict extends Werkzeug::werkzeug::datastructures::MultiDict::InstanceSource {`
	`404`	`+ private class RequestAttrMultiDict extends Werkzeug::werkzeug::datastructures::MultiDict::InstanceSourceApiNode {`
`405`	`405`	`string attr_name;`
`406`	`406`
`407`	`407`	`RequestAttrMultiDict() {`
`408`	`408`	`attr_name in ["args", "values", "form", "files"] and`
`409`		`- this = request().getMember(attr_name).getAnImmediateUse()`
	`409`	`+ this = request().getMember(attr_name)`
`410`	`410`	`}`
	`411`	`+`
	`412`	`+ override string toString() { result = this.(API::Node).toString() }`
`411`	`413`	`}`
`412`	`414`
`413`	`415`	`private class RequestAttrFiles extends RequestAttrMultiDict {`