Python: Fix problem if import is used

RasmusWL · RasmusWL · commit 6ef9a2b11e89 · 2023-12-08T11:27:52.000+01:00
I fixed it in both predicates... I think we might still be able to remove
`newDirectAlias` -- but with it being better, it will allow us to better test if `newImportAlias` actually cover everything we need!
diff --git a/python/ql/lib/semmle/python/frameworks/internal/SubclassFinder.qll b/python/ql/lib/semmle/python/frameworks/internal/SubclassFinder.qll
@@ -156,29 +156,28 @@ module NotExposed {
    * ```
    */
   predicate newDirectAlias(
-    FindSubclassesSpec spec, string newAliasFullyQualified, ImportMember importMember, Module mod,
-    Location loc
+    FindSubclassesSpec spec, string newAliasFullyQualified, Expr value, Module mod, Location loc
   ) {
-    importMember =
-      newOrExistingModeling(spec).getASubclass*().getAValueReachableFromSource().asExpr() and
-    importMember.getScope() = mod and
-    loc = importMember.getLocation() and
-    exists(Alias alias, string base |
-      mod.isPackageInit() and base = mod.getPackageName()
-      or
-      not mod.isPackageInit() and base = mod.getName()
-    |
-      alias.getValue() = importMember and
-      newAliasFullyQualified = base + "." + alias.getAsname()
-    ) and
-    (
-      not hasAllStatement(mod)
-      or
-      mod.declaredInAll(importMember.getName())
-    ) and
-    not alreadyExplicitlyModeled(spec, newAliasFullyQualified) and
-    not isTestCode(importMember) and
-    isAllowedModule(mod)
+    exists(Alias alias | value = alias.getValue() |
+      value = newOrExistingModeling(spec).getASubclass*().getAValueReachableFromSource().asExpr() and
+      value.getScope() = mod and
+      loc = value.getLocation() and
+      exists(string base |
+        mod.isPackageInit() and base = mod.getPackageName()
+        or
+        not mod.isPackageInit() and base = mod.getName()
+      |
+        newAliasFullyQualified = base + "." + alias.getAsname().(Name).getId()
+      ) and
+      (
+        not hasAllStatement(mod)
+        or
+        mod.declaredInAll(alias.getAsname().(Name).getId())
+      ) and
+      not alreadyExplicitlyModeled(spec, newAliasFullyQualified) and
+      not isTestCode(value) and
+      isAllowedModule(mod)
+    )
   }
 
   /**
@@ -191,11 +190,15 @@ module NotExposed {
     string relevantName, Location loc
   ) {
     loc = mod.getLocation() and
-    exists(API::Node relevantClass, Expr value |
+    exists(API::Node relevantClass, ControlFlowNode value |
       relevantClass = newOrExistingModeling(spec).getASubclass*() and
       ImportResolution::module_export(mod, relevantName, def) and
-      value = relevantClass.getAValueReachableFromSource().asExpr() and
-      value = def.asVar().getDefinition().(AssignmentDefinition).getValue().getNode()
+      value = relevantClass.getAValueReachableFromSource().asCfgNode() and
+      (
+        value = def.asVar().getDefinition().(AssignmentDefinition).getValue()
+        or
+        value = def.asCfgNode()
+      )
       // value could be a ClassExpr if a new class is defined, or a Name if defining an alias
     ) and
     (
diff --git a/python/ql/test/experimental/library-tests/FindSubclass/Find.expected b/python/ql/test/experimental/library-tests/FindSubclass/Find.expected
@@ -6,9 +6,11 @@
 | flask.View~Subclass | find_subclass_test | Member[B] |
 | flask.View~Subclass | find_subclass_test | Member[ViewAliasInExcept] |
 | flask.View~Subclass | find_subclass_test | Member[ViewAliasInTry] |
+| flask.View~Subclass | find_subclass_test | Member[ViewAlias] |
 | flask.View~Subclass | find_subclass_test | Member[ViewAlias_no_use] |
 | flask.View~Subclass | find_subclass_test | Member[View] |
 | flask.View~Subclass | find_subclass_test | Member[clash2] |
 | flask.View~Subclass | find_subclass_test | Member[clash3] |
 | flask.View~Subclass | find_subclass_test | Member[clash] |
+| flask.View~Subclass | find_subclass_test | Member[complete_module_alias] |
 | flask.View~Subclass | find_subclass_test | Member[complete_module_alias_no_use] |
