Python: Adopt tests to new DataflowQueryTest

RasmusWL · RasmusWL · commit 5ba8e102eba5 · 2023-08-28T15:31:08.000+02:00
Since we want to know the _sinks_ and not just the flow, we need to
expose the config as well :|
diff --git a/python/ql/lib/semmle/python/security/dataflow/CommandInjectionQuery.qll b/python/ql/lib/semmle/python/security/dataflow/CommandInjectionQuery.qll
@@ -30,7 +30,7 @@ deprecated class Configuration extends TaintTracking::Configuration {
   }
 }
 
-private module CommandInjectionConfig implements DataFlow::ConfigSig {
+module CommandInjectionConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof Source }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
diff --git a/python/ql/lib/semmle/python/security/dataflow/PathInjectionQuery.qll b/python/ql/lib/semmle/python/security/dataflow/PathInjectionQuery.qll
@@ -88,7 +88,7 @@ class NormalizedUnchecked extends DataFlow::FlowState {
  *
  * Such checks are ineffective in the `NotNormalized` state.
  */
-private module PathInjectionConfig implements DataFlow::StateConfigSig {
+module PathInjectionConfig implements DataFlow::StateConfigSig {
   class FlowState = DataFlow::FlowState;
 
   predicate isSource(DataFlow::Node source, FlowState state) {
diff --git a/python/ql/lib/semmle/python/security/dataflow/UnsafeShellCommandConstructionQuery.qll b/python/ql/lib/semmle/python/security/dataflow/UnsafeShellCommandConstructionQuery.qll
@@ -35,7 +35,7 @@ deprecated class Configuration extends TaintTracking::Configuration {
   }
 }
 
-private module UnsafeShellCommandConstructionConfig implements DataFlow::ConfigSig {
+module UnsafeShellCommandConstructionConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof Source }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
diff --git a/python/ql/src/experimental/Security/UnsafeUnpackQuery.qll b/python/ql/src/experimental/Security/UnsafeUnpackQuery.qll
@@ -39,7 +39,7 @@ class AllTarfileOpens extends API::CallNode {
   }
 }
 
-private module UnsafeUnpackConfig implements DataFlow::ConfigSig {
+module UnsafeUnpackConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) {
     // A source coming from a remote location
     source instanceof RemoteFlowSource
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DataflowQueryTest.expected b/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DataflowQueryTest.expected
@@ -1,16 +1,3 @@
 missingAnnotationOnSink
 testFailures
-| UnsafeUnpack.py:19:59:19:71 | Comment # $result=BAD | Missing result:result=BAD |
-| UnsafeUnpack.py:34:52:34:64 | Comment # $result=BAD | Missing result:result=BAD |
-| UnsafeUnpack.py:48:50:48:62 | Comment # $result=BAD | Missing result:result=BAD |
-| UnsafeUnpack.py:52:50:52:62 | Comment # $result=BAD | Missing result:result=BAD |
-| UnsafeUnpack.py:66:50:66:62 | Comment # $result=BAD | Missing result:result=BAD |
-| UnsafeUnpack.py:87:42:87:54 | Comment # $result=BAD | Missing result:result=BAD |
-| UnsafeUnpack.py:105:55:105:67 | Comment # $result=BAD | Missing result:result=BAD |
-| UnsafeUnpack.py:112:56:112:68 | Comment # $result=BAD | Missing result:result=BAD |
-| UnsafeUnpack.py:120:71:120:83 | Comment # $result=BAD | Missing result:result=BAD |
-| UnsafeUnpack.py:142:54:142:66 | Comment # $result=BAD | Missing result:result=BAD |
-| UnsafeUnpack.py:167:75:167:90 | Comment # $result=BAD    | Missing result:result=BAD |
-| UnsafeUnpack.py:176:64:176:76 | Comment # $result=BAD | Missing result:result=BAD |
-| UnsafeUnpack.py:201:47:201:59 | Comment # $result=BAD | Missing result:result=BAD |
 failures
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DataflowQueryTest.ql b/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DataflowQueryTest.ql
@@ -1,4 +1,4 @@
 import python
 import experimental.dataflow.TestUtil.DataflowQueryTest
 import experimental.Security.UnsafeUnpackQuery
-import FromLegacyConfiguration<UnsafeUnpackingConfig>
+import FromTaintTrackingConfig<UnsafeUnpackConfig>
diff --git a/python/ql/test/query-tests/Security/CWE-022-PathInjection/DataflowQueryTest.ql b/python/ql/test/query-tests/Security/CWE-022-PathInjection/DataflowQueryTest.ql
@@ -1,4 +1,4 @@
 import python
 import experimental.dataflow.TestUtil.DataflowQueryTest
 import semmle.python.security.dataflow.PathInjectionQuery
-import FromLegacyConfiguration<Configuration>
+import FromTaintTrackingStateConfig<PathInjectionConfig>
diff --git a/python/ql/test/query-tests/Security/CWE-078-CommandInjection/DataflowQueryTest.ql b/python/ql/test/query-tests/Security/CWE-078-CommandInjection/DataflowQueryTest.ql
@@ -1,4 +1,4 @@
 import python
 import experimental.dataflow.TestUtil.DataflowQueryTest
 import semmle.python.security.dataflow.CommandInjectionQuery
-import FromLegacyConfiguration<Configuration>
+import FromTaintTrackingConfig<CommandInjectionConfig>
diff --git a/python/ql/test/query-tests/Security/CWE-078-UnsafeShellCommandConstruction/DataflowQueryTest.ql b/python/ql/test/query-tests/Security/CWE-078-UnsafeShellCommandConstruction/DataflowQueryTest.ql
@@ -1,4 +1,4 @@
 import python
 import experimental.dataflow.TestUtil.DataflowQueryTest
 import semmle.python.security.dataflow.UnsafeShellCommandConstructionQuery
-import FromLegacyConfiguration<Configuration>
+import FromTaintTrackingConfig<UnsafeShellCommandConstructionConfig>

Original file line number	Diff line number	Diff line change
`@@ -30,7 +30,7 @@ deprecated class Configuration extends TaintTracking::Configuration {`
`30`	`30`	`}`
`31`	`31`	`}`
`32`	`32`
`33`		`-private module CommandInjectionConfig implements DataFlow::ConfigSig {`
	`33`	`+module CommandInjectionConfig implements DataFlow::ConfigSig {`
`34`	`34`	`predicate isSource(DataFlow::Node source) { source instanceof Source }`
`35`	`35`
`36`	`36`	`predicate isSink(DataFlow::Node sink) { sink instanceof Sink }`
Original file line number	Diff line number	Diff line change
`@@ -88,7 +88,7 @@ class NormalizedUnchecked extends DataFlow::FlowState {`
`88`	`88`	`*`
`89`	`89`	* Such checks are ineffective in the `NotNormalized` state.
`90`	`90`	`*/`
`91`		`-private module PathInjectionConfig implements DataFlow::StateConfigSig {`
	`91`	`+module PathInjectionConfig implements DataFlow::StateConfigSig {`
`92`	`92`	`class FlowState = DataFlow::FlowState;`
`93`	`93`
`94`	`94`	`predicate isSource(DataFlow::Node source, FlowState state) {`
Original file line number	Diff line number	Diff line change
`@@ -35,7 +35,7 @@ deprecated class Configuration extends TaintTracking::Configuration {`
`35`	`35`	`}`
`36`	`36`	`}`
`37`	`37`
`38`		`-private module UnsafeShellCommandConstructionConfig implements DataFlow::ConfigSig {`
	`38`	`+module UnsafeShellCommandConstructionConfig implements DataFlow::ConfigSig {`
`39`	`39`	`predicate isSource(DataFlow::Node source) { source instanceof Source }`
`40`	`40`
`41`	`41`	`predicate isSink(DataFlow::Node sink) { sink instanceof Sink }`
Original file line number	Diff line number	Diff line change
`@@ -39,7 +39,7 @@ class AllTarfileOpens extends API::CallNode {`
`39`	`39`	`}`
`40`	`40`	`}`
`41`	`41`
`42`		`-private module UnsafeUnpackConfig implements DataFlow::ConfigSig {`
	`42`	`+module UnsafeUnpackConfig implements DataFlow::ConfigSig {`
`43`	`43`	`predicate isSource(DataFlow::Node source) {`
`44`	`44`	`// A source coming from a remote location`
`45`	`45`	`source instanceof RemoteFlowSource`