separate each new FileSystemAccess packages.

am0o0 · am0o0 · commit 637c52d10a8c · 2023-11-06T19:03:55.000+01:00
diff --git a/python/ql/lib/semmle/python/frameworks/Aiofile.qll b/python/ql/lib/semmle/python/frameworks/Aiofile.qll
@@ -0,0 +1,42 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `aiofile` PyPI package.
+ *
+ * See https://pypi.org/project/aiofile.
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.dataflow.new.RemoteFlowSources
+private import semmle.python.dataflow.new.TaintTracking
+private import semmle.python.Concepts
+private import semmle.python.ApiGraphs
+
+/**
+ * Provides models for the `aiofile` PyPI package.
+ *
+ * See https://pypi.org/project/aiofile.
+ */
+private module Aiofile {
+  /**
+   * A call to the `async_open` function or `AIOFile` constructor from `aiofile` as a sink for Filesystem access.
+   */
+  class FileResponseCall extends FileSystemAccess::Range, API::CallNode {
+    string methodName;
+
+    FileResponseCall() {
+      this = API::moduleImport("aiofile").getMember("async_open").getACall() and
+      methodName = "async_open"
+      or
+      this = API::moduleImport("aiofile").getMember("AIOFile").getACall() and
+      methodName = "AIOFile"
+    }
+
+    override DataFlow::Node getAPathArgument() {
+      result = this.getParameter(0, "file_specifier").asSink() and
+      methodName = "async_open"
+      or
+      result = this.getParameter(0, "filename").asSink() and
+      methodName = "AIOFile"
+    }
+  }
+}
diff --git a/python/ql/lib/semmle/python/frameworks/Aiofiles.qll b/python/ql/lib/semmle/python/frameworks/Aiofiles.qll
@@ -0,0 +1,28 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `aiofiles` PyPI package.
+ *
+ * See https://pypi.org/project/aiofiles.
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.dataflow.new.RemoteFlowSources
+private import semmle.python.dataflow.new.TaintTracking
+private import semmle.python.Concepts
+private import semmle.python.ApiGraphs
+
+/**
+ * Provides models for the `aiofiles` PyPI package.
+ *
+ * See https://pypi.org/project/aiofiles.
+ */
+private module Aiofiles {
+  /**
+   * A call to the `open` function from `aiofiles` as a sink for Filesystem access.
+   */
+  class FileResponseCall extends FileSystemAccess::Range, API::CallNode {
+    FileResponseCall() { this = API::moduleImport("aiofiles").getMember("open").getACall() }
+
+    override DataFlow::Node getAPathArgument() { result = this.getParameter(0, "file").asSink() }
+  }
+}
diff --git a/python/ql/lib/semmle/python/frameworks/Anyio.qll b/python/ql/lib/semmle/python/frameworks/Anyio.qll
@@ -1,5 +1,7 @@
 /**
- * Provides classes modeling security-relevant aspects of the I/O file write or file read operations
+ * Provides classes modeling security-relevant aspects of the `anyio` PyPI package.
+ *
+ * See https://pypi.org/project/anyio.
  */
 
 private import python
@@ -9,53 +11,10 @@ private import semmle.python.dataflow.new.TaintTracking
 private import semmle.python.Concepts
 private import semmle.python.ApiGraphs
 
-/**
- * Provides models for the `aiofile` PyPI package.
- * See https://github.com/agronholm/anyio.
- */
-private module Aiofile {
-  /**
-   * A call to the `async_open` function or `AIOFile` constructor from `aiofile` as a sink for Filesystem access.
-   */
-  class FileResponseCall extends FileSystemAccess::Range, API::CallNode {
-    string methodName;
-
-    FileResponseCall() {
-      this = API::moduleImport("aiofile").getMember("async_open").getACall() and
-      methodName = "async_open"
-      or
-      this = API::moduleImport("aiofile").getMember("AIOFile").getACall() and
-      methodName = "AIOFile"
-    }
-
-    override DataFlow::Node getAPathArgument() {
-      result = this.getParameter(0, "file_specifier").asSink() and
-      methodName = "async_open"
-      or
-      result = this.getParameter(0, "filename").asSink() and
-      methodName = "AIOFile"
-    }
-  }
-}
-
-/**
- * Provides models for the `aiofiles` PyPI package.
- * See https://github.com/Tinche/aiofiles.
- */
-private module Aiofiles {
-  /**
-   * A call to the `open` function from `aiofiles` as a sink for Filesystem access.
-   */
-  class FileResponseCall extends FileSystemAccess::Range, API::CallNode {
-    FileResponseCall() { this = API::moduleImport("aiofiles").getMember("open").getACall() }
-
-    override DataFlow::Node getAPathArgument() { result = this.getParameter(0, "file").asSink() }
-  }
-}
-
 /**
  * Provides models for the `anyio` PyPI package.
- * See https://github.com/agronholm/anyio.
+ *
+ * See https://pypi.org/project/anyio.
  */
 private module Anyio {
   /**
diff --git a/python/ql/lib/semmle/python/frameworks/Starlette.qll b/python/ql/lib/semmle/python/frameworks/Starlette.qll
@@ -175,19 +175,4 @@ module Starlette {
 
     override DataFlow::Node getAPathArgument() { result = this.getParameter(0, "path").asSink() }
   }
-
-  /**
-   * A call to the `baize.asgi.FileResponse` constructor as a sink for Filesystem access.
-   *
-   * it is not contained to Starlette source code but it is mentioned in documents as an alternative to Starlette FileResponse
-   */
-  class BaizeFileResponseCall extends FileSystemAccess::Range, API::CallNode {
-    BaizeFileResponseCall() {
-      this = API::moduleImport("baize").getMember("asgi").getMember("FileResponse").getACall()
-    }
-
-    override DataFlow::Node getAPathArgument() {
-      result = this.getParameter(0, "filepath").asSink()
-    }
-  }
 }
diff --git a/python/ql/lib/semmle/python/frameworks/baize.qll b/python/ql/lib/semmle/python/frameworks/baize.qll
@@ -0,0 +1,35 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `baize` PyPI package.
+ *
+ * See https://pypi.org/project/baize.
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.dataflow.new.TaintTracking
+private import semmle.python.Concepts
+private import semmle.python.ApiGraphs
+private import semmle.python.frameworks.internal.InstanceTaintStepsHelper
+private import semmle.python.frameworks.Stdlib
+
+/**
+ * Provides models for `baize` PyPI package.
+ *
+ * See https://pypi.org/project/baize.
+ */
+module Starlette {
+  /**
+   * A call to the `baize.asgi.FileResponse` constructor as a sink for Filesystem access.
+   *
+   * it is not contained to Starlette source code but it is mentioned in documents as an alternative to Starlette FileResponse
+   */
+  class BaizeFileResponseCall extends FileSystemAccess::Range, API::CallNode {
+    BaizeFileResponseCall() {
+      this = API::moduleImport("baize").getMember("asgi").getMember("FileResponse").getACall()
+    }
+
+    override DataFlow::Node getAPathArgument() {
+      result = this.getParameter(0, "filepath").asSink()
+    }
+  }
+}
