Python: Remove duplicate results from azure blob query

RasmusWL · RasmusWL · commit 86333e3ba528 · 2023-03-29T11:47:29.000+02:00
diff --git a/python/ql/src/experimental/Security/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql b/python/ql/src/experimental/Security/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql
@@ -15,14 +15,16 @@ import python
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.ApiGraphs
 
-API::Node getBlobServiceClient() {
+API::Node getBlobServiceClient(boolean isSource) {
+  isSource = true and
   result =
     API::moduleImport("azure")
         .getMember("storage")
         .getMember("blob")
         .getMember("BlobServiceClient")
         .getReturn()
   or
+  isSource = true and
   result =
     API::moduleImport("azure")
         .getMember("storage")
@@ -33,21 +35,24 @@ API::Node getBlobServiceClient() {
 }
 
 API::CallNode getTransitionToContainerClient() {
-  result = getBlobServiceClient().getMember("get_container_client").getACall()
+  result = getBlobServiceClient(_).getMember("get_container_client").getACall()
   or
-  result = getBlobClient().getMember("_get_container_client").getACall()
+  result = getBlobClient(_).getMember("_get_container_client").getACall()
 }
 
-API::Node getContainerClient() {
+API::Node getContainerClient(boolean isSource) {
+  isSource = false and
   result = getTransitionToContainerClient().getReturn()
   or
+  isSource = true and
   result =
     API::moduleImport("azure")
         .getMember("storage")
         .getMember("blob")
         .getMember("ContainerClient")
         .getReturn()
   or
+  isSource = true and
   result =
     API::moduleImport("azure")
         .getMember("storage")
@@ -58,19 +63,22 @@ API::Node getContainerClient() {
 }
 
 API::CallNode getTransitionToBlobClient() {
-  result = [getBlobServiceClient(), getContainerClient()].getMember("get_blob_client").getACall()
+  result = [getBlobServiceClient(_), getContainerClient(_)].getMember("get_blob_client").getACall()
 }
 
-API::Node getBlobClient() {
+API::Node getBlobClient(boolean isSource) {
+  isSource = false and
   result = getTransitionToBlobClient().getReturn()
   or
+  isSource = true and
   result =
     API::moduleImport("azure")
         .getMember("storage")
         .getMember("blob")
         .getMember("BlobClient")
         .getReturn()
   or
+  isSource = true and
   result =
     API::moduleImport("azure")
         .getMember("storage")
@@ -80,7 +88,9 @@ API::Node getBlobClient() {
         .getReturn()
 }
 
-API::Node anyClient() { result in [getBlobServiceClient(), getContainerClient(), getBlobClient()] }
+API::Node anyClient(boolean isSource) {
+  result in [getBlobServiceClient(isSource), getContainerClient(isSource), getBlobClient(isSource)]
+}
 
 newtype TAzureFlowState =
   MkUsesV1Encryption() or
@@ -91,13 +101,13 @@ module AzureBlobClientConfig implements DataFlow::StateConfigSig {
 
   predicate isSource(DataFlow::Node node, FlowState state) {
     state = MkUsesNoEncryption() and
-    node = anyClient().asSource()
+    node = anyClient(true).asSource()
   }
 
   predicate isBarrier(DataFlow::Node node, FlowState state) {
     exists(state) and
     exists(DataFlow::AttrWrite attr |
-      node = anyClient().getAValueReachableFromSource() and
+      node = anyClient(_).getAValueReachableFromSource() and
       attr.accesses(node, "encryption_version") and
       attr.getValue().asExpr().(StrConst).getText() in ["'2.0'", "2.0"]
     )
@@ -118,15 +128,15 @@ module AzureBlobClientConfig implements DataFlow::StateConfigSig {
     state1 = MkUsesNoEncryption() and
     state2 = MkUsesV1Encryption() and
     exists(DataFlow::AttrWrite attr |
-      node1 = anyClient().getAValueReachableFromSource() and
+      node1 = anyClient(_).getAValueReachableFromSource() and
       attr.accesses(node1, ["key_encryption_key", "key_resolver_function"])
     )
   }
 
   predicate isSink(DataFlow::Node node, FlowState state) {
     state = MkUsesV1Encryption() and
     exists(DataFlow::MethodCallNode call |
-      call = getBlobClient().getMember("upload_blob").getACall() and
+      call = getBlobClient(_).getMember("upload_blob").getACall() and
       node = call.getObject()
     )
   }
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-327-UnsafeUsageOfClientSideEncryptionVersion/UnsafeUsageOfClientSideEncryptionVersion.expected b/python/ql/test/experimental/query-tests/Security/CWE-327-UnsafeUsageOfClientSideEncryptionVersion/UnsafeUsageOfClientSideEncryptionVersion.expected
@@ -5,7 +5,6 @@ edges
 | test.py:3:1:3:3 | GSSA Variable BSC | test.py:0:0:0:0 | ModuleVariableNode for test.BSC |
 | test.py:3:7:3:51 | ControlFlowNode for Attribute() | test.py:3:1:3:3 | GSSA Variable BSC |
 | test.py:7:19:7:21 | ControlFlowNode for BSC | test.py:8:5:8:15 | ControlFlowNode for blob_client |
-| test.py:7:19:7:42 | ControlFlowNode for Attribute() | test.py:8:5:8:15 | ControlFlowNode for blob_client |
 | test.py:8:5:8:15 | ControlFlowNode for blob_client | test.py:9:5:9:15 | ControlFlowNode for blob_client |
 | test.py:9:5:9:15 | ControlFlowNode for blob_client | test.py:9:5:9:15 | ControlFlowNode for blob_client |
 | test.py:9:5:9:15 | ControlFlowNode for blob_client | test.py:11:9:11:19 | ControlFlowNode for blob_client |
@@ -18,12 +17,10 @@ edges
 | test.py:27:5:27:20 | ControlFlowNode for container_client | test.py:27:5:27:20 | ControlFlowNode for container_client |
 | test.py:27:5:27:20 | ControlFlowNode for container_client | test.py:31:9:31:19 | ControlFlowNode for blob_client |
 | test.py:35:19:35:21 | ControlFlowNode for BSC | test.py:36:5:36:15 | ControlFlowNode for blob_client |
-| test.py:35:19:35:42 | ControlFlowNode for Attribute() | test.py:36:5:36:15 | ControlFlowNode for blob_client |
 | test.py:36:5:36:15 | ControlFlowNode for blob_client | test.py:37:5:37:15 | ControlFlowNode for blob_client |
 | test.py:37:5:37:15 | ControlFlowNode for blob_client | test.py:37:5:37:15 | ControlFlowNode for blob_client |
 | test.py:37:5:37:15 | ControlFlowNode for blob_client | test.py:43:9:43:19 | ControlFlowNode for blob_client |
 | test.py:66:19:66:21 | ControlFlowNode for BSC | test.py:67:5:67:15 | ControlFlowNode for blob_client |
-| test.py:66:19:66:42 | ControlFlowNode for Attribute() | test.py:67:5:67:15 | ControlFlowNode for blob_client |
 | test.py:67:5:67:15 | ControlFlowNode for blob_client | test.py:68:5:68:15 | ControlFlowNode for blob_client |
 | test.py:68:5:68:15 | ControlFlowNode for blob_client | test.py:68:5:68:15 | ControlFlowNode for blob_client |
 | test.py:68:5:68:15 | ControlFlowNode for blob_client | test.py:69:12:69:22 | ControlFlowNode for blob_client |
@@ -34,7 +31,6 @@ nodes
 | test.py:3:1:3:3 | GSSA Variable BSC | semmle.label | GSSA Variable BSC |
 | test.py:3:7:3:51 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
 | test.py:7:19:7:21 | ControlFlowNode for BSC | semmle.label | ControlFlowNode for BSC |
-| test.py:7:19:7:42 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
 | test.py:8:5:8:15 | ControlFlowNode for blob_client | semmle.label | ControlFlowNode for blob_client |
 | test.py:9:5:9:15 | ControlFlowNode for blob_client | semmle.label | ControlFlowNode for blob_client |
 | test.py:9:5:9:15 | ControlFlowNode for blob_client | semmle.label | ControlFlowNode for blob_client |
@@ -50,13 +46,11 @@ nodes
 | test.py:27:5:27:20 | ControlFlowNode for container_client | semmle.label | ControlFlowNode for container_client |
 | test.py:31:9:31:19 | ControlFlowNode for blob_client | semmle.label | ControlFlowNode for blob_client |
 | test.py:35:19:35:21 | ControlFlowNode for BSC | semmle.label | ControlFlowNode for BSC |
-| test.py:35:19:35:42 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
 | test.py:36:5:36:15 | ControlFlowNode for blob_client | semmle.label | ControlFlowNode for blob_client |
 | test.py:37:5:37:15 | ControlFlowNode for blob_client | semmle.label | ControlFlowNode for blob_client |
 | test.py:37:5:37:15 | ControlFlowNode for blob_client | semmle.label | ControlFlowNode for blob_client |
 | test.py:43:9:43:19 | ControlFlowNode for blob_client | semmle.label | ControlFlowNode for blob_client |
 | test.py:66:19:66:21 | ControlFlowNode for BSC | semmle.label | ControlFlowNode for BSC |
-| test.py:66:19:66:42 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
 | test.py:67:5:67:15 | ControlFlowNode for blob_client | semmle.label | ControlFlowNode for blob_client |
 | test.py:68:5:68:15 | ControlFlowNode for blob_client | semmle.label | ControlFlowNode for blob_client |
 | test.py:68:5:68:15 | ControlFlowNode for blob_client | semmle.label | ControlFlowNode for blob_client |
@@ -66,10 +60,7 @@ nodes
 subpaths
 #select
 | test.py:11:9:11:19 | ControlFlowNode for blob_client | test.py:3:7:3:51 | ControlFlowNode for Attribute() | test.py:11:9:11:19 | ControlFlowNode for blob_client | Unsafe usage of v1 version of Azure Storage client-side encryption |
-| test.py:11:9:11:19 | ControlFlowNode for blob_client | test.py:7:19:7:42 | ControlFlowNode for Attribute() | test.py:11:9:11:19 | ControlFlowNode for blob_client | Unsafe usage of v1 version of Azure Storage client-side encryption |
 | test.py:21:9:21:19 | ControlFlowNode for blob_client | test.py:15:27:15:71 | ControlFlowNode for Attribute() | test.py:21:9:21:19 | ControlFlowNode for blob_client | Unsafe usage of v1 version of Azure Storage client-side encryption |
 | test.py:31:9:31:19 | ControlFlowNode for blob_client | test.py:25:24:25:66 | ControlFlowNode for Attribute() | test.py:31:9:31:19 | ControlFlowNode for blob_client | Unsafe usage of v1 version of Azure Storage client-side encryption |
 | test.py:43:9:43:19 | ControlFlowNode for blob_client | test.py:3:7:3:51 | ControlFlowNode for Attribute() | test.py:43:9:43:19 | ControlFlowNode for blob_client | Unsafe usage of v1 version of Azure Storage client-side encryption |
-| test.py:43:9:43:19 | ControlFlowNode for blob_client | test.py:35:19:35:42 | ControlFlowNode for Attribute() | test.py:43:9:43:19 | ControlFlowNode for blob_client | Unsafe usage of v1 version of Azure Storage client-side encryption |
 | test.py:75:9:75:10 | ControlFlowNode for bc | test.py:3:7:3:51 | ControlFlowNode for Attribute() | test.py:75:9:75:10 | ControlFlowNode for bc | Unsafe usage of v1 version of Azure Storage client-side encryption |
-| test.py:75:9:75:10 | ControlFlowNode for bc | test.py:66:19:66:42 | ControlFlowNode for Attribute() | test.py:75:9:75:10 | ControlFlowNode for bc | Unsafe usage of v1 version of Azure Storage client-side encryption |
