Python: Modernise tornado library

Author: RasmusWL

python/ql/src/semmle/python/web/tornado/Tornado.qll

@@ -3,26 +3,25 @@ import python
 import semmle.python.security.TaintTracking
 import semmle.python.web.Http
 
-private ClassObject theTornadoRequestHandlerClass() {
-    result = ModuleObject::named("tornado.web").attr("RequestHandler")
+private ClassValue theTornadoRequestHandlerClass() {
+    result = Value::named("tornado.web.RequestHandler")
 }
 
-ClassObject aTornadoRequestHandlerClass() {
-    result.getASuperType() = theTornadoRequestHandlerClass()
+ClassValue aTornadoRequestHandlerClass() {
+    result.getABaseType+() = theTornadoRequestHandlerClass()
 }
 
-/** Holds if `node` is likely to refer to an instance of a tornado 
+/** Holds if `node` is likely to refer to an instance of a tornado
  * `RequestHandler` class.
  */
-
 predicate isTornadoRequestHandlerInstance(ControlFlowNode node) {
-    node.refersTo(_, aTornadoRequestHandlerClass(), _)
+    node.pointsTo().getClass() = aTornadoRequestHandlerClass()
     or
     /* In some cases, the points-to analysis won't capture all instances we care
-     * about. For these, we use the following syntactic check. First, that 
-     * `node` appears inside a method of a subclass of 
+     * about. For these, we use the following syntactic check. First, that
+     * `node` appears inside a method of a subclass of
      * `tornado.web.RequestHandler`:*/
-    node.getScope().getEnclosingScope().(Class).getClassObject() = aTornadoRequestHandlerClass() and
+    node.getScope().getEnclosingScope() = aTornadoRequestHandlerClass().getScope() and
     /* Secondly, that `node` refers to the `self` argument: */
     node.isLoad() and node.(NameNode).isSelf()
 }

python/ql/test/library-tests/web/tornado/Classes.expected

@@ -1,3 +1,4 @@
+| class DeepInheritance | test.py:23 |
 | class Handler1 | test.py:4 |
 | class Handler2 | test.py:8 |
 | class Handler3 | test.py:14 |

python/ql/test/library-tests/web/tornado/Classes.ql

@@ -4,6 +4,6 @@ import python
 import semmle.python.TestUtils
 
 import semmle.python.web.tornado.Tornado
-from ClassObject cls
+from ClassValue cls
 where cls = aTornadoRequestHandlerClass()
-select cls.toString(), remove_library_prefix(cls.getPyClass().getLocation())
+select cls.toString(), remove_library_prefix(cls.getScope().getLocation())

python/ql/test/library-tests/web/tornado/Sinks.expected

@@ -1,3 +1,4 @@
 | test.py:6 | Attribute() | externally controlled string |
 | test.py:12 | name | externally controlled string |
 | test.py:20 | url | externally controlled string |
+| test.py:26 | Attribute() | externally controlled string |

python/ql/test/library-tests/web/tornado/Sources.expected

@@ -1,3 +1,4 @@
 | test.py:6 | Attribute() | externally controlled string |
 | test.py:10 | Attribute() | [externally controlled string] |
 | test.py:17 | Attribute | tornado.request.HttpRequest |
+| test.py:26 | Attribute() | externally controlled string |

python/ql/test/library-tests/web/tornado/Taint.expected

@@ -9,3 +9,4 @@
 | test.py:19 | Subscript | externally controlled string |
 | test.py:19 | h | {externally controlled string} |
 | test.py:20 | url | externally controlled string |
+| test.py:26 | Attribute() | externally controlled string |

python/ql/test/library-tests/web/tornado/test.py

@@ -18,3 +18,9 @@ def get(self):
         h = req.headers
         url = h["url"]
         self.redirect(url)
+
+
+class DeepInheritance(Handler3):
+
+    def get(self):
+        self.write(self.get_argument("also_xss"))