Python: Provide internal InstanceTaintStepsHelper

I realized that if you ever wanted to the way taint-steps works again,
you would have to go to all the 117 places it has been implemented, and
change EVERY ONE OF THEM :( so trying to solve that problem here.

Not super happy with the name, but that was just the best I could come up with :D

Author: RasmusWL

python/.vscode/ql.code-snippets

@@ -199,31 +199,51 @@
             "  /**",
             "   * Taint propagation for `${TM_SELECTED_TEXT}`.",
             "   */",
+            "  private class InstanceTaintSteps extends InstanceTaintStepsHelper {",
+            "    InstanceTaintSteps() { this = \"${TM_SELECTED_TEXT}\" }",
+            "    ",
+            "    override DataFlow::Node getInstance() { result = instance() }",
+            "    ",
+            "    override string getAttributeName() { none() }",
+            "    ",
+            "    override string getMethodName() { none() }",
+            "    ",
+            "    override string getAsyncMethodName() { none() }",
+            "  }",
+            "",
+            "  /**",
+            "   * Extra taint propagation for `${TM_SELECTED_TEXT}`, not covered by `InstanceTaintSteps`.",
+            "   */",
             "  private class AdditionalTaintStep extends TaintTracking::AdditionalTaintStep {",
             "    override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {",
-            "      // normal (non-async) methods",
-            "      nodeFrom = instance() and",
-            "      nodeTo.(DataFlow::MethodCallNode).calls(nodeFrom, [\"TODO\"])",
-            "      or",
-            "      // async methods",
-            "      exists(DataFlow::MethodCallNode call, Await await |",
-            "        nodeTo.asExpr() = await and",
-            "        nodeFrom = instance()",
-            "      |",
-            "        await.getValue() = any(DataFlow::Node awaitable | call.flowsTo(awaitable)).asExpr() and",
-            "        call.calls(nodeFrom, [\"TODO\"])",
-            "      )",
-            "      or",
-            "      // Attributes",
-            "      nodeFrom = instance() and",
-            "      nodeTo.(DataFlow::AttrRead).getObject() = nodeFrom and",
-            "      nodeTo.(DataFlow::AttrRead).getAttributeName() in [\"TODO\"]",
+            "      // TODO",
+            "      none()",
             "    }",
             "  }",
             "}",
         ],
         "description": "Type tracking class (select full class path before inserting)",
     },
+    "foo": {
+        "scope": "ql",
+        "prefix": "foo",
+        "body": [
+            "    /**",
+            "     * Taint propagation for `$1`.",
+            "     */",
+            "     private class InstanceTaintSteps extends InstanceTaintStepsHelper {",
+            "        InstanceTaintSteps() { this = \"$1\" }",
+            "",
+            "        override DataFlow::Node getInstance() { result = instance() }",
+            "",
+            "        override string getAttributeName() { none() }",
+            "",
+            "        override string getMethodName() { none() }",
+            "",
+            "        override string getAsyncMethodName() { none() }",
+            "      }",
+        ],
+    },
     "API graph .getMember chain": {
         "scope": "ql",
         "prefix": "api graph .getMember chain",

python/ql/src/semmle/python/frameworks/Aiohttp.qll

@@ -13,6 +13,7 @@ private import semmle.python.frameworks.internal.PoorMansFunctionResolution
 private import semmle.python.frameworks.internal.SelfRefMixin
 private import semmle.python.frameworks.Multidict
 private import semmle.python.frameworks.Yarl
+private import semmle.python.frameworks.internal.InstanceTaintStepsHelper
 
 /**
  * INTERNAL: Do not use.
@@ -296,33 +297,25 @@ module AiohttpWebModel {
 
     /**
      * Taint propagation for `aiohttp.web.Request`.
-     *
-     * See https://docs.aiohttp.org/en/stable/web_reference.html#request-and-base-request
      */
-    private class AdditionalTaintStep extends TaintTracking::AdditionalTaintStep {
-      override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
-        // normal (non-async) methods
-        nodeFrom = Request::instance() and
-        nodeTo.(DataFlow::MethodCallNode).calls(nodeFrom, ["clone", "get_extra_info"])
-        or
-        // async methods
-        exists(DataFlow::MethodCallNode call, Await await |
-          nodeTo.asExpr() = await and
-          nodeFrom = Request::instance()
-        |
-          await.getValue() = any(DataFlow::Node awaitable | call.flowsTo(awaitable)).asExpr() and
-          call.calls(nodeFrom, ["read", "text", "json", "multipart", "post"])
-        )
-        or
-        // Attributes
-        nodeFrom = Request::instance() and
-        nodeTo.(DataFlow::AttrRead).getObject() = nodeFrom and
-        nodeTo.(DataFlow::AttrRead).getAttributeName() in [
+    private class InstanceTaintSteps extends InstanceTaintStepsHelper {
+      InstanceTaintSteps() { this = "aiohttp.web.Request" }
+
+      override DataFlow::Node getInstance() { result = instance() }
+
+      override string getAttributeName() {
+        result in [
             "url", "rel_url", "forwarded", "host", "remote", "path", "path_qs", "raw_path", "query",
             "headers", "transport", "cookies", "content", "_payload", "content_type", "charset",
             "http_range", "if_modified_since", "if_unmodified_since", "if_range", "match_info"
           ]
       }
+
+      override string getMethodName() { result in ["clone", "get_extra_info"] }
+
+      override string getAsyncMethodName() {
+        result in ["read", "text", "json", "multipart", "post"]
+      }
     }
 
     /** An attribute read on an `aiohttp.web.Request` that is a `MultiDictProxy` instance. */
@@ -424,24 +417,20 @@ module AiohttpWebModel {
     /**
      * Taint propagation for `aiohttp.StreamReader`.
      */
-    private class AdditionalTaintStep extends TaintTracking::AdditionalTaintStep {
-      override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
-        // normal (non-async) methods
-        nodeFrom = instance() and
-        nodeTo.(DataFlow::MethodCallNode).calls(nodeFrom, ["read_nowait"])
-        or
-        // async methods
-        exists(DataFlow::MethodCallNode call, Await await |
-          nodeTo.asExpr() = await and
-          nodeFrom = instance()
-        |
-          await.getValue() = any(DataFlow::Node awaitable | call.flowsTo(awaitable)).asExpr() and
-          call.calls(nodeFrom,
-            [
-              "read", "readany", "readexactly", "readline", "readchunk", "iter_chunked", "iter_any",
-              "iter_chunks"
-            ])
-        )
+    private class InstanceTaintSteps extends InstanceTaintStepsHelper {
+      InstanceTaintSteps() { this = "aiohttp.StreamReader" }
+
+      override DataFlow::Node getInstance() { result = instance() }
+
+      override string getAttributeName() { none() }
+
+      override string getMethodName() { result in ["read_nowait"] }
+
+      override string getAsyncMethodName() {
+        result in [
+            "read", "readany", "readexactly", "readline", "readchunk", "iter_chunked", "iter_any",
+            "iter_chunks"
+          ]
       }
     }
   }

python/ql/src/semmle/python/frameworks/Django.qll

@@ -14,6 +14,7 @@ private import semmle.python.frameworks.Stdlib
 private import semmle.python.regex
 private import semmle.python.frameworks.internal.PoorMansFunctionResolution
 private import semmle.python.frameworks.internal.SelfRefMixin
+private import semmle.python.frameworks.internal.InstanceTaintStepsHelper
 
 /**
  * Provides models for the `django` PyPI package.
@@ -340,19 +341,30 @@ private module Django {
     /**
      * Taint propagation for `django.utils.datastructures.MultiValueDict`.
      */
+    private class InstanceTaintSteps extends InstanceTaintStepsHelper {
+      InstanceTaintSteps() { this = "django.utils.datastructures.MultiValueDict" }
+
+      override DataFlow::Node getInstance() { result = instance() }
+
+      override string getAttributeName() { none() }
+
+      override string getMethodName() {
+        result in ["getlist", "lists", "popitem", "dict", "urlencode"]
+      }
+
+      override string getAsyncMethodName() { none() }
+    }
+
+    /**
+     * Extra taint propagation for `django.utils.datastructures.MultiValueDict`, not covered by `InstanceTaintSteps`.
+     */
     private class AdditionalTaintStep extends TaintTracking::AdditionalTaintStep {
       override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
         // class instantiation
         exists(ClassInstantiation call |
           nodeFrom = call.getArg(0) and
           nodeTo = call
         )
-        or
-        // normal (non-async) methods
-        nodeFrom = instance() and
-        nodeTo
-            .(DataFlow::MethodCallNode)
-            .calls(nodeFrom, ["getlist", "lists", "popitem", "dict", "urlencode"])
       }
     }
   }
@@ -388,15 +400,20 @@ private module Django {
     /**
      * Taint propagation for `django.core.files.uploadedfile.UploadedFile`.
      */
-    private class AdditionalTaintStep extends TaintTracking::AdditionalTaintStep {
-      override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
-        // Attributes
-        nodeFrom = instance() and
-        nodeTo.(DataFlow::AttrRead).getObject() = nodeFrom and
-        nodeTo.(DataFlow::AttrRead).getAttributeName() in [
+    private class InstanceTaintSteps extends InstanceTaintStepsHelper {
+      InstanceTaintSteps() { this = "django.core.files.uploadedfile.UploadedFile" }
+
+      override DataFlow::Node getInstance() { result = instance() }
+
+      override string getAttributeName() {
+        result in [
             "content_type", "content_type_extra", "content_type_extra", "charset", "name", "file"
           ]
       }
+
+      override string getMethodName() { none() }
+
+      override string getAsyncMethodName() { none() }
     }
 
     /** A file-like object instance that originates from a `UploadedFile`. */
@@ -436,13 +453,16 @@ private module Django {
     /**
      * Taint propagation for `django.urls.ResolverMatch`.
      */
-    private class AdditionalTaintStep extends TaintTracking::AdditionalTaintStep {
-      override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
-        // Attributes
-        nodeFrom = instance() and
-        nodeTo.(DataFlow::AttrRead).getObject() = nodeFrom and
-        nodeTo.(DataFlow::AttrRead).getAttributeName() in ["args", "kwargs"]
-      }
+    private class InstanceTaintSteps extends InstanceTaintStepsHelper {
+      InstanceTaintSteps() { this = "django.urls.ResolverMatch" }
+
+      override DataFlow::Node getInstance() { result = instance() }
+
+      override string getAttributeName() { result in ["args", "kwargs"] }
+
+      override string getMethodName() { none() }
+
+      override string getAsyncMethodName() { none() }
     }
   }
 }
@@ -747,15 +767,43 @@ private module PrivateDjango {
           /**
            * Taint propagation for `django.http.request.HttpRequest`.
            */
+          private class InstanceTaintSteps extends InstanceTaintStepsHelper {
+            InstanceTaintSteps() { this = "django.http.request.HttpRequest" }
+
+            override DataFlow::Node getInstance() { result = instance() }
+
+            override string getAttributeName() {
+              result in [
+                  // str / bytes
+                  "body", "path", "path_info", "method", "encoding", "content_type",
+                  // django.http.QueryDict
+                  "GET", "POST",
+                  // dict[str, str]
+                  "content_params", "COOKIES",
+                  // dict[str, Any]
+                  "META",
+                  // HttpHeaders (case insensitive dict-like)
+                  "headers",
+                  // MultiValueDict[str, UploadedFile]
+                  "FILES",
+                  // django.urls.ResolverMatch
+                  "resolver_match"
+                ]
+              // TODO: Handle that a HttpRequest is iterable
+            }
+
+            override string getMethodName() {
+              result in ["get_full_path", "get_full_path_info", "read", "readline", "readlines"]
+            }
+
+            override string getAsyncMethodName() { none() }
+          }
+
+          /**
+           * Extra taint propagation for `django.http.request.HttpRequest`, not covered by `InstanceTaintSteps`.
+           */
           private class AdditionalTaintStep extends TaintTracking::AdditionalTaintStep {
             override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
-              // normal (non-async) methods
-              nodeFrom = django::http::request::HttpRequest::instance() and
-              nodeTo
-                  .(DataFlow::MethodCallNode)
-                  .calls(nodeFrom,
-                    ["get_full_path", "get_full_path_info", "read", "readline", "readlines"])
-              or
               // special handling of the `build_absolute_uri` method, see
               // https://docs.djangoproject.com/en/3.0/ref/request-response/#django.http.HttpRequest.build_absolute_uri
               exists(DataFlow::AttrRead attr, DataFlow::CallCfgNode call, DataFlow::Node instance |
@@ -775,27 +823,6 @@ private module PrivateDjango {
                   nodeFrom = call.getArgByName("location")
                 )
               )
-              or
-              // Attributes
-              nodeFrom = django::http::request::HttpRequest::instance() and
-              nodeTo.(DataFlow::AttrRead).getObject() = nodeFrom and
-              nodeTo.(DataFlow::AttrRead).getAttributeName() in [
-                  // str / bytes
-                  "body", "path", "path_info", "method", "encoding", "content_type",
-                  // django.http.QueryDict
-                  "GET", "POST",
-                  // dict[str, str]
-                  "content_params", "COOKIES",
-                  // dict[str, Any]
-                  "META",
-                  // HttpHeaders (case insensitive dict-like)
-                  "headers",
-                  // MultiValueDict[str, UploadedFile]
-                  "FILES",
-                  // django.urls.ResolverMatch
-                  "resolver_match"
-                ]
-              // TODO: Handle that a HttpRequest is iterable
             }
           }