Python: split modelling

Author: yoff

python/ql/lib/semmle/python/frameworks/BSon.qll

@@ -0,0 +1,29 @@
+/**
+ * Provides classes modeling security-relevant aspects of the PyMongo bindings.
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.Concepts
+private import semmle.python.ApiGraphs
+
+module BSon {
+  /**
+   * ObjectId returns a string representing an id.
+   * If at any time ObjectId can't parse it's input (like when a tainted dict in passed in),
+   * then ObjectId will throw an error preventing the query from running.
+   */
+  private class BsonObjectIdCall extends DataFlow::CallCfgNode, NoSqlSanitizer::Range {
+    BsonObjectIdCall() {
+      exists(API::Node mod |
+        mod = API::moduleImport("bson")
+        or
+        mod = API::moduleImport("bson").getMember(["objectid", "json_util"])
+      |
+        this = mod.getMember("ObjectId").getACall()
+      )
+    }
+
+    override DataFlow::Node getAnInput() { result = this.getArg(0) }
+  }
+}

python/ql/lib/semmle/python/frameworks/PyMongo.qll

@@ -274,25 +274,6 @@ private module PyMongo {
     override DataFlow::Node getAnInput() { result = this.getArg(0) }
   }
 
-  /**
-   * ObjectId returns a string representing an id.
-   * If at any time ObjectId can't parse it's input (like when a tainted dict in passed in),
-   * then ObjectId will throw an error preventing the query from running.
-   */
-  private class BsonObjectIdCall extends DataFlow::CallCfgNode, NoSqlSanitizer::Range {
-    BsonObjectIdCall() {
-      exists(API::Node mod |
-        mod = API::moduleImport("bson")
-        or
-        mod = API::moduleImport("bson").getMember(["objectid", "json_util"])
-      |
-        this = mod.getMember("ObjectId").getACall()
-      )
-    }
-
-    override DataFlow::Node getAnInput() { result = this.getArg(0) }
-  }
-
   /**
    * An equality operator can protect against dictionary interpretation.
    * For instance, in `{'password': {"$eq": password} }`, if a dictionary is injected into