Python: Modernize via CallCfgNode

Author: yoff

python/ql/src/Security/CWE-327/PyOpenSSL.qll

@@ -2,13 +2,12 @@
  * Provides modeling of SSL/TLS functionality of the `OpenSSL` module from the `pyOpenSSL` PyPI package.
  * See https://www.pyopenssl.org/en/stable/
  */
+
 private import python
 private import semmle.python.ApiGraphs
 import TlsLibraryModel
 
-class PyOpenSSLContextCreation extends ContextCreation {
-  override CallNode node;
-
+class PyOpenSSLContextCreation extends ContextCreation, DataFlow::CallCfgNode {
   PyOpenSSLContextCreation() {
     this = API::moduleImport("OpenSSL").getMember("SSL").getMember("Context").getACall()
   }
@@ -22,9 +21,7 @@ class PyOpenSSLContextCreation extends ContextCreation {
   }
 }
 
-class ConnectionCall extends ConnectionCreation {
-  override CallNode node;
-
+class ConnectionCall extends ConnectionCreation, DataFlow::CallCfgNode {
   ConnectionCall() {
     this = API::moduleImport("OpenSSL").getMember("SSL").getMember("Connection").getACall()
   }
@@ -36,9 +33,7 @@ class ConnectionCall extends ConnectionCreation {
 
 // This cannot be used to unrestrict,
 // see https://www.pyopenssl.org/en/stable/api/ssl.html#OpenSSL.SSL.Context.set_options
-class SetOptionsCall extends ProtocolRestriction {
-  override CallNode node;
-
+class SetOptionsCall extends ProtocolRestriction, DataFlow::CallCfgNode {
   SetOptionsCall() { node.getFunction().(AttrNode).getName() = "set_options" }
 
   override DataFlow::CfgNode getContext() {

python/ql/src/Security/CWE-327/Ssl.qll

@@ -2,13 +2,12 @@
  * Provides modeling of SSL/TLS functionality of the `ssl` module from the standard library.
  * See https://docs.python.org/3.9/library/ssl.html
  */
+
 private import python
 private import semmle.python.ApiGraphs
 import TlsLibraryModel
 
-class SSLContextCreation extends ContextCreation {
-  override CallNode node;
-
+class SSLContextCreation extends ContextCreation, DataFlow::CallCfgNode {
   SSLContextCreation() { this = API::moduleImport("ssl").getMember("SSLContext").getACall() }
 
   override string getProtocol() {
@@ -46,7 +45,7 @@ class WrapSocketCall extends ConnectionCreation, DataFlow::CallCfgNode {
   }
 }
 
-class OptionsAugOr extends ProtocolRestriction {
+class OptionsAugOr extends ProtocolRestriction, DataFlow::CallCfgNode {
   ProtocolVersion restriction;
 
   OptionsAugOr() {
@@ -69,7 +68,7 @@ class OptionsAugOr extends ProtocolRestriction {
   override ProtocolVersion getRestriction() { result = restriction }
 }
 
-class OptionsAugAndNot extends ProtocolUnrestriction {
+class OptionsAugAndNot extends ProtocolUnrestriction, DataFlow::CallCfgNode {
   ProtocolVersion restriction;
 
   OptionsAugAndNot() {
@@ -127,7 +126,7 @@ predicate impliesBitSet(BinaryExpr whole, Expr part, boolean partHasBitSet, bool
   )
 }
 
-class ContextSetVersion extends ProtocolRestriction, ProtocolUnrestriction {
+class ContextSetVersion extends ProtocolRestriction, ProtocolUnrestriction, DataFlow::CallCfgNode {
   ProtocolVersion restriction;
 
   ContextSetVersion() {
@@ -189,8 +188,7 @@ class Ssl extends TlsLibrary {
 
   override DataFlow::CfgNode insecure_connection_creation(ProtocolVersion version) {
     result = API::moduleImport("ssl").getMember("wrap_socket").getACall() and
-    this.specific_version(version) =
-      result.(DataFlow::CallCfgNode).getArgByName("ssl_version") and
+    this.specific_version(version) = result.(DataFlow::CallCfgNode).getArgByName("ssl_version") and
     version.isInsecure()
   }
 

python/ql/src/Security/CWE-327/TlsLibraryModel.qll

@@ -30,30 +30,30 @@ class ProtocolFamily extends string {
 }
 
 /** The creation of a context. */
-abstract class ContextCreation extends DataFlow::CfgNode {
+abstract class ContextCreation extends DataFlow::Node {
   /** Gets the protocol version or family for this context. */
   abstract string getProtocol();
 }
 
 /** The creation of a connection from a context. */
-abstract class ConnectionCreation extends DataFlow::CfgNode {
+abstract class ConnectionCreation extends DataFlow::Node {
   /** Gets the context used to create the connection. */
-  abstract DataFlow::CfgNode getContext();
+  abstract DataFlow::Node getContext();
 }
 
 /** A context is being restricted on which protocols it can accepts. */
-abstract class ProtocolRestriction extends DataFlow::CfgNode {
+abstract class ProtocolRestriction extends DataFlow::Node {
   /** Gets the context being restricted. */
-  abstract DataFlow::CfgNode getContext();
+  abstract DataFlow::Node getContext();
 
   /** Gets the protocol version being disallowed. */
   abstract ProtocolVersion getRestriction();
 }
 
 /** A context is being relaxed on which protocols it can accepts. */
-abstract class ProtocolUnrestriction extends DataFlow::CfgNode {
+abstract class ProtocolUnrestriction extends DataFlow::Node {
   /** Gets the context being relaxed. */
-  abstract DataFlow::CfgNode getContext();
+  abstract DataFlow::Node getContext();
 
   /** Gets the protocol version being allowed. */
   abstract ProtocolVersion getUnrestriction();