Merge pull request #2043 from RasmusWL/python-modernise-django

Python: modernise django library

Author: taus-semmle

python/ql/src/semmle/python/web/django/Db.qll

@@ -1,51 +1,37 @@
 import python
 import semmle.python.security.injection.Sql
 
-/** A taint kind representing a django cursor object.
+/**
+ * A taint kind representing a django cursor object.
  */
 class DjangoDbCursor extends DbCursor {
-
-    DjangoDbCursor() {
-        this = "django.db.connection.cursor"
-    }
-
+    DjangoDbCursor() { this = "django.db.connection.cursor" }
 }
 
-private Object theDjangoConnectionObject() {
-    ModuleObject::named("django.db").attr("connection") = result
-}
+private Value theDjangoConnectionObject() { result = Value::named("django.db.connection") }
 
-/** A kind of taint source representing sources of django cursor objects.
+/**
+ * A kind of taint source representing sources of django cursor objects.
  */
 class DjangoDbCursorSource extends DbConnectionSource {
-
     DjangoDbCursorSource() {
         exists(AttrNode cursor |
-            this.(CallNode).getFunction()= cursor and
-            cursor.getObject("cursor").refersTo(theDjangoConnectionObject())
+            this.(CallNode).getFunction() = cursor and
+            cursor.getObject("cursor").pointsTo(theDjangoConnectionObject())
         )
     }
 
-    override string toString() {
-        result = "django.db.connection.cursor"
-    }
-
-    override predicate isSourceOf(TaintKind kind) {
-        kind instanceof DjangoDbCursor
-    }
+    override string toString() { result = "django.db.connection.cursor" }
 
+    override predicate isSourceOf(TaintKind kind) { kind instanceof DjangoDbCursor }
 }
 
-
-ClassObject theDjangoRawSqlClass() {
-    result = ModuleObject::named("django.db.models.expressions").attr("RawSQL")
-}
+ClassValue theDjangoRawSqlClass() { result = Value::named("django.db.models.expressions.RawSQL") }
 
 /**
  * A sink of taint on calls to `django.db.models.expressions.RawSQL`. This
  * allows arbitrary SQL statements to be executed, which is a security risk.
  */
-
 class DjangoRawSqlSink extends SqlInjectionSink {
     DjangoRawSqlSink() {
         exists(CallNode call |
@@ -54,12 +40,7 @@ class DjangoRawSqlSink extends SqlInjectionSink {
         )
     }
 
-    override predicate sinks(TaintKind kind) {
-        kind instanceof ExternalStringKind
-    }
+    override predicate sinks(TaintKind kind) { kind instanceof ExternalStringKind }
 
-    override string toString() {
-        result = "django.db.models.expressions.RawSQL(sink,...)"
-    }
+    override string toString() { result = "django.db.models.expressions.RawSQL(sink,...)" }
 }
-

python/ql/src/semmle/python/web/django/Model.qll

@@ -1,25 +1,17 @@
 import python
-
 import semmle.python.security.TaintTracking
 import semmle.python.security.strings.Basic
 import semmle.python.web.Http
 import semmle.python.security.injection.Sql
 
 /** A django model class */
-class DjangoModel extends ClassObject {
-
-    DjangoModel() {
-        ModuleObject::named("django.db.models").attr("Model") = this.getAnImproperSuperType()
-    }
-
+class DjangoModel extends ClassValue {
+    DjangoModel() { Value::named("django.db.models.Model") = this.getASuperType() }
 }
 
 /** A "taint" for django database tables */
 class DjangoDbTableObjects extends TaintKind {
-
-    DjangoDbTableObjects() {
-        this = "django.db.models.Model.objects"
-    }
+    DjangoDbTableObjects() { this = "django.db.models.Model.objects" }
 
     override TaintKind getTaintOfMethodResult(string name) {
         result = this and
@@ -53,105 +45,72 @@ class DjangoDbTableObjects extends TaintKind {
 
 /** Django model objects, which are sources of django database table "taint" */
 class DjangoModelObjects extends TaintSource {
-
     DjangoModelObjects() {
-        this.(AttrNode).isLoad() and this.(AttrNode).getObject("objects").refersTo(any(DjangoModel m))
+        this.(AttrNode).isLoad() and this.(AttrNode).getObject("objects").pointsTo(any(DjangoModel m))
     }
 
-    override predicate isSourceOf(TaintKind kind) {
-        kind instanceof DjangoDbTableObjects
-    }
-
-    override string toString() {
-        result = "django.db.models.Model.objects"
-    }
+    override predicate isSourceOf(TaintKind kind) { kind instanceof DjangoDbTableObjects }
 
+    override string toString() { result = "django.db.models.Model.objects" }
 }
 
 /** A write to a field of a django model, which is a vulnerable to external data. */
 class DjangoModelFieldWrite extends SqlInjectionSink {
-
     DjangoModelFieldWrite() {
         exists(AttrNode attr, DjangoModel model |
-            this = attr and attr.isStore() and attr.getObject(_).refersTo(model)
+            this = attr and attr.isStore() and attr.getObject(_).pointsTo(model)
         )
     }
 
-    override predicate sinks(TaintKind kind) {
-        kind instanceof ExternalStringKind
-    }
-
-    override string toString() {
-        result = "django model field write"
-    }
+    override predicate sinks(TaintKind kind) { kind instanceof ExternalStringKind }
 
+    override string toString() { result = "django model field write" }
 }
 
-/** A direct reference to a django model object, which is a vulnerable to external data. */
+/** A direct reference to a django model object, which is vulnerable to external data. */
 class DjangoModelDirectObjectReference extends TaintSink {
-
     DjangoModelDirectObjectReference() {
-        exists(CallNode objects_get_call, ControlFlowNode objects |
-            this = objects_get_call.getAnArg() |
+        exists(CallNode objects_get_call, ControlFlowNode objects | this = objects_get_call.getAnArg() |
             objects_get_call.getFunction().(AttrNode).getObject("get") = objects and
             any(DjangoDbTableObjects objs).taints(objects)
         )
     }
 
-    override predicate sinks(TaintKind kind) {
-        kind instanceof ExternalStringKind
-    }
+    override predicate sinks(TaintKind kind) { kind instanceof ExternalStringKind }
 
-    override string toString() {
-        result = "django model object reference"
-    }
+    override string toString() { result = "django model object reference" }
 }
 
 /**
- * A call to the `raw` method on a django model. This allows a raw SQL query 
+ * A call to the `raw` method on a django model. This allows a raw SQL query
  * to be sent to the database, which is a security risk.
  */
-
 class DjangoModelRawCall extends SqlInjectionSink {
-
     DjangoModelRawCall() {
-        exists(CallNode raw_call, ControlFlowNode queryset |
-            this = raw_call.getArg(0) |
+        exists(CallNode raw_call, ControlFlowNode queryset | this = raw_call.getArg(0) |
             raw_call.getFunction().(AttrNode).getObject("raw") = queryset and
             any(DjangoDbTableObjects objs).taints(queryset)
         )
     }
 
-    override predicate sinks(TaintKind kind) {
-        kind instanceof ExternalStringKind
-    }
+    override predicate sinks(TaintKind kind) { kind instanceof ExternalStringKind }
 
-    override string toString() {
-        result = "django.models.QuerySet.raw(sink,...)"
-    }
+    override string toString() { result = "django.models.QuerySet.raw(sink,...)" }
 }
 
 /**
- * A call to the `extra` method on a django model. This allows a raw SQL query 
+ * A call to the `extra` method on a django model. This allows a raw SQL query
  * to be sent to the database, which is a security risk.
  */
-
-
 class DjangoModelExtraCall extends SqlInjectionSink {
-
     DjangoModelExtraCall() {
-        exists(CallNode extra_call, ControlFlowNode queryset |
-            this = extra_call.getArg(0) |
+        exists(CallNode extra_call, ControlFlowNode queryset | this = extra_call.getArg(0) |
             extra_call.getFunction().(AttrNode).getObject("extra") = queryset and
             any(DjangoDbTableObjects objs).taints(queryset)
         )
     }
 
-    override predicate sinks(TaintKind kind) {
-        kind instanceof ExternalStringKind
-    }
+    override predicate sinks(TaintKind kind) { kind instanceof ExternalStringKind }
 
-    override string toString() {
-        result = "django.models.QuerySet.extra(sink,...)"
-    }
+    override string toString() { result = "django.models.QuerySet.extra(sink,...)" }
 }

python/ql/src/semmle/python/web/django/Redirect.qll

@@ -1,29 +1,25 @@
-/** Provides class representing the `django.redirect` function.
+/**
+ * Provides class representing the `django.redirect` function.
  * This module is intended to be imported into a taint-tracking query
  * to extend `TaintSink`.
  */
-import python
 
+import python
 import semmle.python.security.TaintTracking
 import semmle.python.security.strings.Basic
 private import semmle.python.web.django.Shared
 private import semmle.python.web.Http
 
-
 /**
  * Represents an argument to the `django.redirect` function.
  */
 class DjangoRedirect extends HttpRedirectTaintSink {
-
-    override string toString() {
-        result = "django.redirect"
-    }
+    override string toString() { result = "django.redirect" }
 
     DjangoRedirect() {
         exists(CallNode call |
             redirect().getACall() = call and
-            this = call.getAnArg() 
+            this = call.getAnArg()
         )
     }
-
 }