Constrain the object & the call

Sim4n6 · Sim4n6 · commit 207ed3da9c3c · 2023-01-27T15:07:20.000+01:00
diff --git a/python/ql/src/experimental/Security/UnsafeUnpackQuery.qll b/python/ql/src/experimental/Security/UnsafeUnpackQuery.qll
@@ -61,13 +61,6 @@ class UnsafeUnpackingConfig extends TaintTracking::Configuration {
   }
 
   override predicate isAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
-    // Reading the response
-    exists(MethodCallNode mc |
-      nodeFrom = mc.getObject() and
-      mc.getMethodName() = "read" and
-      nodeTo = mc
-    )
-    or
     // Open for access
     exists(MethodCallNode cn |
       nodeTo = cn.getObject() and
@@ -77,21 +70,20 @@ class UnsafeUnpackingConfig extends TaintTracking::Configuration {
     or
     // Write for access
     exists(MethodCallNode cn |
-      nodeFrom = cn.getObject() and
-      cn.getMethodName() = "write" and
+      cn.calls(nodeFrom, "write") and
       nodeTo = cn.getArg(0)
     )
     or
     // Retrieve Django uploaded files
-    // see HttpRequest.FILES.getlist(): https://docs.djangoproject.com/en/4.1/ref/request-response/#django.http.QueryDict.getlist
-    exists(MethodCallNode mc |
-      nodeFrom = mc.getObject() and
-      mc.getMethodName() = ["getlist", "get"] and
-      nodeTo = mc
-    )
+    // see getlist(): https://docs.djangoproject.com/en/4.1/ref/request-response/#django.http.QueryDict.getlist
+    // see chunks(): https://docs.djangoproject.com/en/4.1/ref/files/uploads/#django.core.files.uploadedfile.UploadedFile.chunks
+    nodeTo.(MethodCallNode).calls(nodeFrom, ["getlist", "get", "chunks"])
+    or
+    // Reading the response
+    nodeTo.(MethodCallNode).calls(nodeFrom, "read")
     or
     // Accessing the name or raw content
-    exists(AttrRead ar | ar.accesses(nodeFrom, ["name", "raw"]) and ar.flowsTo(nodeTo))
+    nodeTo.(AttrRead).accesses(nodeFrom, ["name", "raw"])
     or
     // Considering the use of "fs"
     exists(API::CallNode fs, MethodCallNode mcn |
@@ -109,21 +101,12 @@ class UnsafeUnpackingConfig extends TaintTracking::Configuration {
     )
     or
     //Use of join of filename
-    exists(API::CallNode mcn |
-      mcn = API::moduleImport("os").getMember("path").getMember("join").getACall() and
-      nodeFrom = mcn.getArg(1) and
-      mcn.flowsTo(nodeTo)
-    )
-    or
-    // Read by chunks
-    exists(MethodCallNode mc |
-      nodeFrom = mc.getObject() and mc.getMethodName() = "chunks" and mc.flowsTo(nodeTo)
-    )
+    nodeTo = API::moduleImport("os").getMember("path").getMember("join").getACall() and
+    nodeFrom = nodeTo.(API::CallNode).getArg(1)
     or
     // Write access
     exists(MethodCallNode cn |
-      nodeTo = cn.getObject() and
-      cn.getMethodName() = "write" and
+      cn.calls(nodeTo, "write") and
       nodeFrom = cn.getArg(0)
     )
     or
