
Commit 6805fb6

committed
Python: Use modern pattern for RawSQL class
1 parent e44247b commit 6805fb6


1 file changed

+30
-21
lines changed

1 file changed

+30
-21
lines changed

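--- a/python/ql/src/experimental/semmle/python/frameworks/Django.qll
+++ b/python/ql/src/experimental/semmle/python/frameworks/Django.qll
@@ -239,7 +239,7 @@ private module Django {
 result = objects_attr(DataFlow::TypeTracker::end(), attr_name)
 }
 
-/** Gets a reference to the `django.db.models.expressions` object. */
+/** Gets a reference to the `django.db.models.expressions` module. */
 private DataFlow::Node expressions(DataFlow::TypeTracker t) {
 t.start() and
 result = DataFlow::importNode("django.db.models.expressions")
@@ -250,28 +250,37 @@ private module Django {
 exists(DataFlow::TypeTracker t2 | result = expressions(t2).track(t2, t))
 }
 
-/** Gets a reference to the `django.db.models.expressions` object. */
+/** Gets a reference to the `django.db.models.expressions` module. */
 DataFlow::Node expressions() { result = expressions(DataFlow::TypeTracker::end()) }
 
-/** Gets a reference to the `django.db.models.expressions.RawSQL` class. */
-private DataFlow::Node classRawSQL(DataFlow::TypeTracker t) {
-t.start() and
-result = DataFlow::importNode("django.db.models.expressions.RawSQL")
-or
-t.startInAttr("RawSQL") and
-result = expressions()
-or
-exists(DataFlow::TypeTracker t2 | result = classRawSQL(t2).track(t2, t))
-}
+/** Provides models for the `django.db.models.expressions` module. */
+module expressions {
+/** Provides models for the `django.db.models.expressions.RawSQL` class. */
+module RawSQL {
+/** Gets a reference to the `django.db.models.expressions.RawSQL` class. */
+private DataFlow::Node classRef(DataFlow::TypeTracker t) {
+t.start() and
+result = DataFlow::importNode("django.db.models.expressions.RawSQL")
+or
+t.start() and
+result = DataFlow::importNode("django.db.models.RawSQL") // Commonly used alias
+or
+t.startInAttr("RawSQL") and
+result = expressions()
+or
+exists(DataFlow::TypeTracker t2 | result = classRef(t2).track(t2, t))
+}
 
-/**
-* Gets a reference to the `django.db.models.expressions.RawSQL` class.
-*
-* See
-* - https://docs.djangoproject.com/en/3.1/topics/db/sql/#executing-custom-sql-directly
-* - https://docs.djangoproject.com/en/3.1/topics/db/sql/#connections-and-cursors
-*/
-DataFlow::Node classRawSQL() { result = classRawSQL(DataFlow::TypeTracker::end()) }
+/**
+* Gets a reference to the `django.db.models.expressions.RawSQL` class.
+*
+* See
+* - https://docs.djangoproject.com/en/3.1/topics/db/sql/#executing-custom-sql-directly
+* - https://docs.djangoproject.com/en/3.1/topics/db/sql/#connections-and-cursors
+*/
+DataFlow::Node classRef() { result = classRef(DataFlow::TypeTracker::end()) }
+}
+}
 }
 }
 }
@@ -299,7 +308,7 @@ private module Django {
 ObjectsAnnotate() {
 node.getFunction() = django::db::models::objects_attr("annotate").asCfgNode() and
 raw in [node.getArg(0), node.getArgByName(_)] and
-raw.getFunction() = django::db::models::classRawSQL().asCfgNode()
+raw.getFunction() = django::db::models::expressions::RawSQL::classRef().asCfgNode()
 }
 
 override DataFlow::Node getSql() { result.asCfgNode() = raw.getArg(0) }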
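Review bot: The new `django.db.models.RawSQL` alias in `classRef(DataFlow::TypeTracker t)` is matched only through `DataFlow::importNode`, whereas the `expressions` path also has a `t.startInAttr("RawSQL")` disjunct for attribute access. If `importNode` does not cover attribute reads (the paired disjunct suggests it does not), `from django.db import models` followed by `models.RawSQL(...)` inside `annotate()` would not be recognised as SQL construction, which is a false negative for the injection query. Consider adding `or t.startInAttr("RawSQL") and result = <reference to django.db.models>`, using whatever predicate the enclosing module exposes for that module; it is not visible in these hunks. Separately, the two `See` links in the QLDoc of `classRef()` point at the cursor documentation rather than at raw SQL expressions, so they would be better replaced by the RawSQL reference page.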
