Python: Some renaming of flow states

yoff · yoff · commit 3043633d9c16 · 2023-09-28T14:24:49.000+02:00
diff --git a/python/ql/lib/semmle/python/security/dataflow/NoSQLInjectionCustomizations.qll b/python/ql/lib/semmle/python/security/dataflow/NoSQLInjectionCustomizations.qll
@@ -17,7 +17,7 @@ import semmle.python.Concepts
 module NoSqlInjection {
   private newtype TFlowState =
     TStringInput() or
-    TDictInput()
+    TInterpretedStringInput()
 
   /** A flow state, tracking the structure of the input. */
   abstract class FlowState extends TFlowState {
@@ -30,29 +30,33 @@ module NoSqlInjection {
     override string toString() { result = "StringInput" }
   }
 
-  /** A state where input is a dictionary. */
-  class DictInput extends FlowState, TDictInput {
-    override string toString() { result = "DictInput" }
+  /**
+   * A state where input is a string that has been interpreted.
+   * For instance, it could have been turned into a dictionary,
+   * or evaluated as javascript code.
+   */
+  class InterpretedStringInput extends FlowState, TInterpretedStringInput {
+    override string toString() { result = "InterpretedStringInput" }
   }
 
   /** A source allowing string inputs. */
   abstract class StringSource extends DataFlow::Node { }
 
-  /** A source allowing dictionary inputs. */
-  abstract class DictSource extends DataFlow::Node { }
+  /** A source of interpreted strings. */
+  abstract class InterpretedStringSource extends DataFlow::Node { }
 
   /** A sink vulnerable to user controlled strings. */
   abstract class StringSink extends DataFlow::Node { }
 
-  /** A sink vulnerable to user controlled dictionaries. */
-  abstract class DictSink extends DataFlow::Node { }
+  /** A sink vulnerable to user controlled interpreted strings. */
+  abstract class InterpretedStringSink extends DataFlow::Node { }
 
-  /** A data flow node where a string is converted into a dictionary. */
-  abstract class StringToDictConversion extends DataFlow::Node {
-    /** Gets the argument that specifies the string to be converted. */
+  /** A data flow node where a string is being interpreted. */
+  abstract class StringInterpretation extends DataFlow::Node {
+    /** Gets the argument that specifies the string to be interpreted. */
     abstract DataFlow::Node getAnInput();
 
-    /** Gets the resulting dictionary. */
+    /** Gets the result of interpreting the string. */
     abstract DataFlow::Node getOutput();
   }
 
@@ -68,14 +72,23 @@ module NoSqlInjection {
     }
   }
 
-  /** A NoSQL query that is vulnerable to user controlled dictionaries. */
-  class NoSqlExecutionAsDictSink extends DictSink {
-    NoSqlExecutionAsDictSink() { this = any(NoSqlExecution noSqlExecution).getQuery() }
+  /** A NoSQL query that is vulnerable to user controlled InterpretedStringionaries. */
+  class NoSqlExecutionAsInterpretedStringSink extends InterpretedStringSink {
+    NoSqlExecutionAsInterpretedStringSink() { this = any(NoSqlExecution noSqlExecution).getQuery() }
   }
 
-  /** A JSON decoding converts a string to a dictionary. */
-  class JsonDecoding extends Decoding, StringToDictConversion {
-    JsonDecoding() { this.getFormat() in ["JSON", "NoSQL"] }
+  /** A JSON decoding converts a string to a Dictionary. */
+  class JsonDecoding extends Decoding, StringInterpretation {
+    JsonDecoding() { this.getFormat() = "JSON" }
+
+    override DataFlow::Node getAnInput() { result = Decoding.super.getAnInput() }
+
+    override DataFlow::Node getOutput() { result = Decoding.super.getOutput() }
+  }
+
+  /** A NoSQL decoding interprets a string. */
+  class NoSqlDecoding extends Decoding, StringInterpretation {
+    NoSqlDecoding() { this.getFormat() = "NoSQL" }
 
     override DataFlow::Node getAnInput() { result = Decoding.super.getAnInput() }
 
diff --git a/python/ql/lib/semmle/python/security/dataflow/NoSQLInjectionQuery.qll b/python/ql/lib/semmle/python/security/dataflow/NoSQLInjectionQuery.qll
@@ -18,38 +18,39 @@ module NoSqlInjectionConfig implements DataFlow::StateConfigSig {
     source instanceof C::StringSource and
     state instanceof C::StringInput
     or
-    source instanceof C::DictSource and
-    state instanceof C::DictInput
+    source instanceof C::InterpretedStringSource and
+    state instanceof C::InterpretedStringInput
   }
 
   predicate isSink(DataFlow::Node sink, FlowState state) {
     sink instanceof C::StringSink and
     (
       state instanceof C::StringInput
       or
-      // since dictionaries can encode strings
-      state instanceof C::DictInput
+      // since InterpretedStrings can include strings,
+      // e.g. JSON objects can encode strings.
+      state instanceof C::InterpretedStringInput
     )
     or
-    sink instanceof C::DictSink and
-    state instanceof C::DictInput
+    sink instanceof C::InterpretedStringSink and
+    state instanceof C::InterpretedStringInput
   }
 
   predicate isBarrier(DataFlow::Node node, FlowState state) {
-    // Block `StringInput` paths here, since they change state to `DictInput`
-    exists(C::StringToDictConversion c | node = c.getOutput()) and
+    // Block `StringInput` paths here, since they change state to `InterpretedStringInput`
+    exists(C::StringInterpretation c | node = c.getOutput()) and
     state instanceof C::StringInput
   }
 
   predicate isAdditionalFlowStep(
     DataFlow::Node nodeFrom, FlowState stateFrom, DataFlow::Node nodeTo, FlowState stateTo
   ) {
-    exists(C::StringToDictConversion c |
+    exists(C::StringInterpretation c |
       nodeFrom = c.getAnInput() and
       nodeTo = c.getOutput()
     ) and
     stateFrom instanceof C::StringInput and
-    stateTo instanceof C::DictInput
+    stateTo instanceof C::InterpretedStringInput
   }
 
   predicate isBarrier(DataFlow::Node node) {
