Merge pull request github#5103 from tausbn/python-port-flask-to-api-graphs

Python: Port Flask models to use API graphs

Author: RasmusWL

python/ql/src/semmle/python/ApiGraphs.qll

@@ -92,6 +92,11 @@ module API {
      */
     Node getReturn() { result = getASuccessor(Label::return()) }
 
+    /**
+     * Gets a node representing a subclass of the class represented by this node.
+     */
+    Node getASubclass() { result = getASuccessor(Label::subclass()) }
+
     /**
      * Gets a string representation of the lexicographically least among all shortest access paths
      * from the root to this node.
@@ -312,12 +317,11 @@ module API {
      * For instance, `prefix_member("foo.bar", "baz", "foo.bar.baz")` would hold.
      */
     private predicate prefix_member(TApiNode base, string member, TApiNode sub) {
-      exists(string base_str, string sub_str |
-        base = MkModuleImport(base_str) and
+      exists(string sub_str, string regexp |
+        regexp = "(.+)[.]([^.]+)" and
+        base = MkModuleImport(sub_str.regexpCapture(regexp, 1)) and
+        member = sub_str.regexpCapture(regexp, 2) and
         sub = MkModuleImport(sub_str)
-      |
-        base_str + "." + member = sub_str and
-        not member.matches("%.%")
       )
     }
 
@@ -351,13 +355,19 @@ module API {
         // the relationship between `pred` and `ref`.
         use(base, src) and pred = trackUseNode(src)
       |
-        // Reading an attribute on a node that is a use of `base`:
+        // Referring to an attribute on a node that is a use of `base`:
         lbl = Label::memberFromRef(ref) and
-        ref = pred.getAnAttributeRead()
+        ref = pred.getAnAttributeReference()
         or
         // Calling a node that is a use of `base`
         lbl = Label::return() and
         ref = pred.getACall()
+        or
+        // Subclassing a node
+        lbl = Label::subclass() and
+        exists(DataFlow::Node superclass | pred.flowsTo(superclass) |
+          ref.asExpr().(ClassExpr).getABase() = superclass.asExpr()
+        )
       )
     }
 
@@ -468,4 +478,6 @@ private module Label {
 
   /** Gets the `return` edge label. */
   string return() { result = "getReturn()" }
+
+  string subclass() { result = "getASubclass()" }
 }

python/ql/src/semmle/python/dataflow/new/internal/Attributes.qll

@@ -159,7 +159,9 @@ private class SetAttrCallAsAttrWrite extends AttrWrite, CfgNode {
  * Instances of this class correspond to the `NameNode` for `attr`, and also gives access to `value` by
  * virtue of being a `DefinitionNode`.
  */
-private class ClassAttributeAssignmentNode extends DefinitionNode, NameNode { }
+private class ClassAttributeAssignmentNode extends DefinitionNode, NameNode {
+  ClassAttributeAssignmentNode() { this.getScope() = any(ClassExpr c).getInnerScope() }
+}
 
 /**
  * An attribute assignment via a class field, e.g.

python/ql/src/semmle/python/dataflow/new/internal/DataFlowPublic.qll

@@ -165,6 +165,23 @@ class CfgNode extends Node, TCfgNode {
   override Location getLocation() { result = node.getLocation() }
 }
 
+/** A data-flow node corresponding to a `CallNode` in the control-flow graph. */
+class CallCfgNode extends CfgNode {
+  override CallNode node;
+
+  /**
+   * Gets the data-flow node for the function component of the call corresponding to this data-flow
+   * node.
+   */
+  Node getFunction() { result.asCfgNode() = node.getFunction() }
+
+  /** Gets the data-flow node corresponding to the i'th argument of the call corresponding to this data-flow node */
+  Node getArg(int i) { result.asCfgNode() = node.getArg(i) }
+
+  /** Gets the data-flow node corresponding to the named argument of the call corresponding to this data-flow node */
+  Node getArgByName(string name) { result.asCfgNode() = node.getArgByName(name) }
+}
+
 /**
  * An expression, viewed as a node in a data flow graph.
  *
@@ -481,7 +498,7 @@ class LocalSourceNode extends Node {
   /**
    * Gets a call to this node.
    */
-  Node getACall() { Cached::call(this, result) }
+  CallCfgNode getACall() { Cached::call(this, result) }
 }
 
 cached
@@ -526,10 +543,10 @@ private module Cached {
    * Holds if `func` flows to the callee of `call`.
    */
   cached
-  predicate call(LocalSourceNode func, Node call) {
+  predicate call(LocalSourceNode func, CallCfgNode call) {
     exists(CfgNode n |
       func.flowsTo(n) and
-      n.asCfgNode() = call.asCfgNode().(CallNode).getFunction()
+      n = call.getFunction()
     )
   }
 }