Merge pull request #2190 from RasmusWL/python-modernise-tornado-library

Python: modernise tornado library

Author: tausbn

python/ql/src/semmle/python/web/tornado/Redirect.qll

@@ -1,23 +1,20 @@
-/** Provides class representing the `tornado.redirect` function.
+/**
+ * Provides class representing the `tornado.redirect` function.
  * This module is intended to be imported into a taint-tracking query
  * to extend `TaintSink`.
  */
-import python
 
+import python
 import semmle.python.security.TaintTracking
 import semmle.python.security.strings.Basic
 import semmle.python.web.Http
 import Tornado
 
-
 /**
  * Represents an argument to the `tornado.redirect` function.
  */
 class TornadoRedirect extends HttpRedirectTaintSink {
-
-    override string toString() {
-        result = "tornado.redirect"
-    }
+    override string toString() { result = "tornado.redirect" }
 
     TornadoRedirect() {
         exists(CallNode call, ControlFlowNode node |
@@ -26,5 +23,4 @@ class TornadoRedirect extends HttpRedirectTaintSink {
             this = call.getAnArg()
         )
     }
-
 }

python/ql/src/semmle/python/web/tornado/Request.qll

@@ -1,15 +1,11 @@
 import python
-
 import semmle.python.security.TaintTracking
 import semmle.python.web.Http
 import Tornado
 
 /** A tornado.request.HttpRequest object */
 class TornadoRequest extends TaintKind {
-
-    TornadoRequest() {
-        this = "tornado.request.HttpRequest"
-    }
+    TornadoRequest() { this = "tornado.request.HttpRequest" }
 
     override TaintKind getTaintOfAttribute(string name) {
         result instanceof ExternalStringDictKind and
@@ -32,68 +28,45 @@ class TornadoRequest extends TaintKind {
             name = "body_arguments"
         )
     }
-
 }
 
-
 class TornadoRequestSource extends TaintSource {
+    TornadoRequestSource() { isTornadoRequestHandlerInstance(this.(AttrNode).getObject("request")) }
 
-    TornadoRequestSource() {
-        isTornadoRequestHandlerInstance(this.(AttrNode).getObject("request"))
-    }
-
-    override string toString() {
-        result = "Tornado request source"
-    }
-
-    override predicate isSourceOf(TaintKind kind) {
-        kind instanceof TornadoRequest
-    }
+    override string toString() { result = "Tornado request source" }
 
+    override predicate isSourceOf(TaintKind kind) { kind instanceof TornadoRequest }
 }
 
 class TornadoExternalInputSource extends TaintSource {
-
     TornadoExternalInputSource() {
         exists(string name |
             name = "get_argument" or
             name = "get_query_argument" or
             name = "get_body_argument" or
             name = "decode_argument"
-            |
+        |
             this = callToNamedTornadoRequestHandlerMethod(name)
         )
     }
 
-    override string toString() {
-        result = "Tornado request method"
-    }
-
-    override predicate isSourceOf(TaintKind kind) {
-        kind instanceof ExternalStringKind
-    }
+    override string toString() { result = "Tornado request method" }
 
+    override predicate isSourceOf(TaintKind kind) { kind instanceof ExternalStringKind }
 }
 
 class TornadoExternalInputListSource extends TaintSource {
-
     TornadoExternalInputListSource() {
         exists(string name |
             name = "get_arguments" or
             name = "get_query_arguments" or
             name = "get_body_arguments"
-            |
+        |
             this = callToNamedTornadoRequestHandlerMethod(name)
         )
     }
 
-    override string toString() {
-        result = "Tornado request method"
-    }
-
-    override predicate isSourceOf(TaintKind kind) {
-        kind instanceof ExternalStringSequenceKind
-    }
+    override string toString() { result = "Tornado request method" }
 
+    override predicate isSourceOf(TaintKind kind) { kind instanceof ExternalStringSequenceKind }
 }
-

python/ql/src/semmle/python/web/tornado/Response.qll

@@ -1,63 +1,42 @@
 import python
-
-
 import semmle.python.security.TaintTracking
 import semmle.python.security.strings.Basic
 private import semmle.python.web.Http
-
 import Tornado
 
 class TornadoConnection extends TaintKind {
-
-    TornadoConnection() {
-        this = "tornado.http.connection"
-    }
-
+    TornadoConnection() { this = "tornado.http.connection" }
 }
 
 class TornadoConnectionSource extends TaintSource {
-
     TornadoConnectionSource() {
         isTornadoRequestHandlerInstance(this.(AttrNode).getObject("connection"))
     }
 
-    override string toString() {
-        result = "Tornado http connection source"
-    }
-
-    override predicate isSourceOf(TaintKind kind) {
-        kind instanceof TornadoConnection
-    }
+    override string toString() { result = "Tornado http connection source" }
 
+    override predicate isSourceOf(TaintKind kind) { kind instanceof TornadoConnection }
 }
 
 class TornadoConnectionWrite extends HttpResponseTaintSink {
-
-    override string toString() {
-        result = "tornado.connection.write"
-    }
+    override string toString() { result = "tornado.connection.write" }
 
     TornadoConnectionWrite() {
         exists(CallNode call, ControlFlowNode conn |
             conn = call.getFunction().(AttrNode).getObject("write") and
-            this = call.getAnArg() |
+            this = call.getAnArg()
+        |
             exists(TornadoConnection tc | tc.taints(conn))
             or
             isTornadoRequestHandlerInstance(conn)
         )
     }
 
-    override predicate sinks(TaintKind kind) {
-        kind instanceof StringKind
-    }
-
+    override predicate sinks(TaintKind kind) { kind instanceof StringKind }
 }
 
 class TornadoHttpRequestHandlerWrite extends HttpResponseTaintSink {
-
-    override string toString() {
-        result = "tornado.HttpRequesHandler.write"
-    }
+    override string toString() { result = "tornado.HttpRequesHandler.write" }
 
     TornadoHttpRequestHandlerWrite() {
         exists(CallNode call, ControlFlowNode node |
@@ -67,17 +46,11 @@ class TornadoHttpRequestHandlerWrite extends HttpResponseTaintSink {
         )
     }
 
-    override predicate sinks(TaintKind kind) {
-        kind instanceof StringKind
-    }
-
+    override predicate sinks(TaintKind kind) { kind instanceof StringKind }
 }
 
 class TornadoHttpRequestHandlerRedirect extends HttpResponseTaintSink {
-
-    override string toString() {
-        result = "tornado.HttpRequesHandler.redirect"
-    }
+    override string toString() { result = "tornado.HttpRequesHandler.redirect" }
 
     TornadoHttpRequestHandlerRedirect() {
         exists(CallNode call, ControlFlowNode node |
@@ -87,11 +60,5 @@ class TornadoHttpRequestHandlerRedirect extends HttpResponseTaintSink {
         )
     }
 
-    override predicate sinks(TaintKind kind) {
-        kind instanceof StringKind
-    }
-
+    override predicate sinks(TaintKind kind) { kind instanceof StringKind }
 }
-
-
-

python/ql/src/semmle/python/web/tornado/Tornado.qll

@@ -1,43 +1,40 @@
 import python
-
 import semmle.python.security.TaintTracking
 import semmle.python.web.Http
 
-private ClassObject theTornadoRequestHandlerClass() {
-    result = ModuleObject::named("tornado.web").attr("RequestHandler")
-}
-
-ClassObject aTornadoRequestHandlerClass() {
-    result.getASuperType() = theTornadoRequestHandlerClass()
+private ClassValue theTornadoRequestHandlerClass() {
+    result = Value::named("tornado.web.RequestHandler")
 }
 
-FunctionObject getTornadoRequestHandlerMethod(string name) {
-    result = theTornadoRequestHandlerClass().declaredAttribute(name)
+ClassValue aTornadoRequestHandlerClass() {
+    result.getABaseType+() = theTornadoRequestHandlerClass()
 }
 
-/** Holds if `node` is likely to refer to an instance of a tornado 
+/**
+ * Holds if `node` is likely to refer to an instance of a tornado
  * `RequestHandler` class.
  */
-
 predicate isTornadoRequestHandlerInstance(ControlFlowNode node) {
-    node.refersTo(_, aTornadoRequestHandlerClass(), _)
+    node.pointsTo().getClass() = aTornadoRequestHandlerClass()
     or
-    /* In some cases, the points-to analysis won't capture all instances we care
-     * about. For these, we use the following syntactic check. First, that 
-     * `node` appears inside a method of a subclass of 
-     * `tornado.web.RequestHandler`:*/
-    node.getScope().getEnclosingScope().(Class).getClassObject() = aTornadoRequestHandlerClass() and
+    /*
+      * In some cases, the points-to analysis won't capture all instances we care
+      * about. For these, we use the following syntactic check. First, that
+      * `node` appears inside a method of a subclass of
+      * `tornado.web.RequestHandler`:
+      */
+
+    node.getScope().getEnclosingScope() = aTornadoRequestHandlerClass().getScope() and
     /* Secondly, that `node` refers to the `self` argument: */
-    node.isLoad() and node.(NameNode).isSelf()
+    node.isLoad() and
+    node.(NameNode).isSelf()
 }
 
 CallNode callToNamedTornadoRequestHandlerMethod(string name) {
     isTornadoRequestHandlerInstance(result.getFunction().(AttrNode).getObject(name))
 }
 
-
 class TornadoCookieSet extends CookieSet, CallNode {
-
     TornadoCookieSet() {
         exists(ControlFlowNode f |
             f = this.getFunction().(AttrNode).getObject("set_cookie") and
@@ -50,5 +47,4 @@ class TornadoCookieSet extends CookieSet, CallNode {
     override ControlFlowNode getKey() { result = this.getArg(0) }
 
     override ControlFlowNode getValue() { result = this.getArg(1) }
-
 }

python/ql/test/library-tests/web/tornado/Classes.expected

@@ -0,0 +1,4 @@
+| test.py:4 | class Handler1 |
+| test.py:8 | class Handler2 |
+| test.py:14 | class Handler3 |
+| test.py:23 | class DeepInheritance |

python/ql/test/library-tests/web/tornado/Classes.ql

@@ -0,0 +1,9 @@
+
+import python
+
+import semmle.python.TestUtils
+
+import semmle.python.web.tornado.Tornado
+from ClassValue cls
+where cls = aTornadoRequestHandlerClass()
+select remove_library_prefix(cls.getScope().getLocation()), cls.toString()

python/ql/test/library-tests/web/tornado/Sinks.expected

@@ -0,0 +1,4 @@
+| test.py:6 | Attribute() | externally controlled string |
+| test.py:12 | name | externally controlled string |
+| test.py:20 | url | externally controlled string |
+| test.py:26 | Attribute() | externally controlled string |

python/ql/test/library-tests/web/tornado/Sinks.ql

@@ -0,0 +1,11 @@
+
+import python
+
+import semmle.python.web.HttpRequest
+import semmle.python.web.HttpResponse
+import semmle.python.security.strings.Untrusted
+import semmle.python.TestUtils
+
+from TaintSink sink, TaintKind kind
+where sink.sinks(kind)
+select remove_library_prefix(sink.getLocation()), sink.(ControlFlowNode).getNode().toString(), kind

python/ql/test/library-tests/web/tornado/Sources.expected

@@ -0,0 +1,4 @@
+| test.py:6 | Attribute() | externally controlled string |
+| test.py:10 | Attribute() | [externally controlled string] |
+| test.py:17 | Attribute | tornado.request.HttpRequest |
+| test.py:26 | Attribute() | externally controlled string |

python/ql/test/library-tests/web/tornado/Sources.ql

@@ -0,0 +1,13 @@
+
+import python
+
+import semmle.python.TestUtils
+
+import semmle.python.web.HttpRequest
+import semmle.python.web.HttpResponse
+import semmle.python.security.strings.Untrusted
+
+
+from TaintSource src, TaintKind kind
+where src.isSourceOf(kind)
+select remove_library_prefix(src.getLocation()), src.(ControlFlowNode).getNode().toString(), kind