Python: Modernise django library

Author: RasmusWL

python/ql/src/semmle/python/web/django/Db.qll

@@ -11,8 +11,8 @@ class DjangoDbCursor extends DbCursor {
 
 }
 
-private Object theDjangoConnectionObject() {
-    ModuleObject::named("django.db").attr("connection") = result
+private Value theDjangoConnectionObject() {
+    result = Value::named("django.db.connection")
 }
 
 /** A kind of taint source representing sources of django cursor objects.
@@ -22,7 +22,7 @@ class DjangoDbCursorSource extends DbConnectionSource {
     DjangoDbCursorSource() {
         exists(AttrNode cursor |
             this.(CallNode).getFunction()= cursor and
-            cursor.getObject("cursor").refersTo(theDjangoConnectionObject())
+            cursor.getObject("cursor").pointsTo(theDjangoConnectionObject())
         )
     }
 
@@ -37,8 +37,8 @@ class DjangoDbCursorSource extends DbConnectionSource {
 }
 
 
-ClassObject theDjangoRawSqlClass() {
-    result = ModuleObject::named("django.db.models.expressions").attr("RawSQL")
+ClassValue theDjangoRawSqlClass() {
+    result = Value::named("django.db.models.expressions.RawSQL")
 }
 
 /**

python/ql/src/semmle/python/web/django/Model.qll

@@ -6,10 +6,10 @@ import semmle.python.web.Http
 import semmle.python.security.injection.Sql
 
 /** A django model class */
-class DjangoModel extends ClassObject {
+class DjangoModel extends ClassValue {
 
     DjangoModel() {
-        ModuleObject::named("django.db.models").attr("Model") = this.getAnImproperSuperType()
+        Value::named("django.db.models.Model") = this.getASuperType()
     }
 
 }
@@ -55,7 +55,7 @@ class DjangoDbTableObjects extends TaintKind {
 class DjangoModelObjects extends TaintSource {
 
     DjangoModelObjects() {
-        this.(AttrNode).isLoad() and this.(AttrNode).getObject("objects").refersTo(any(DjangoModel m))
+        this.(AttrNode).isLoad() and this.(AttrNode).getObject("objects").pointsTo(any(DjangoModel m))
     }
 
     override predicate isSourceOf(TaintKind kind) {
@@ -73,7 +73,7 @@ class DjangoModelFieldWrite extends SqlInjectionSink {
 
     DjangoModelFieldWrite() {
         exists(AttrNode attr, DjangoModel model |
-            this = attr and attr.isStore() and attr.getObject(_).refersTo(model)
+            this = attr and attr.isStore() and attr.getObject(_).pointsTo(model)
         )
     }
 
@@ -87,7 +87,7 @@ class DjangoModelFieldWrite extends SqlInjectionSink {
 
 }
 
-/** A direct reference to a django model object, which is a vulnerable to external data. */
+/** A direct reference to a django model object, which is vulnerable to external data. */
 class DjangoModelDirectObjectReference extends TaintSink {
 
     DjangoModelDirectObjectReference() {
@@ -111,7 +111,6 @@ class DjangoModelDirectObjectReference extends TaintSink {
  * A call to the `raw` method on a django model. This allows a raw SQL query 
  * to be sent to the database, which is a security risk.
  */
-
 class DjangoModelRawCall extends SqlInjectionSink {
 
     DjangoModelRawCall() {
@@ -135,8 +134,6 @@ class DjangoModelRawCall extends SqlInjectionSink {
  * A call to the `extra` method on a django model. This allows a raw SQL query 
  * to be sent to the database, which is a security risk.
  */
-
-
 class DjangoModelExtraCall extends SqlInjectionSink {
 
     DjangoModelExtraCall() {

python/ql/src/semmle/python/web/django/Request.qll

@@ -67,9 +67,9 @@ abstract class DjangoRequestSource extends HttpRequestTaintSource {
 private class DjangoFunctionBasedViewRequestArgument extends DjangoRequestSource {
 
     DjangoFunctionBasedViewRequestArgument() {
-        exists(FunctionObject view |
+        exists(FunctionValue view |
             url_dispatch(_, _, view) and
-            this = view.getFunction().getArg(0).asName().getAFlowNode()
+            this = view.getScope().getArg(0).asName().getAFlowNode()
         )
     }
 
@@ -79,23 +79,24 @@ private class DjangoFunctionBasedViewRequestArgument extends DjangoRequestSource
  * https://docs.djangoproject.com/en/1.11/topics/class-based-views/
  * 
  */
-private class DjangoView extends ClassObject {
+private class DjangoView extends ClassValue {
 
     DjangoView() {
-        ModuleObject::named("django.views.generic").attr("View") = this.getAnImproperSuperType()
+        Value::named("django.views.generic.View") = this.getASuperType()
     }
+    
 }
 
-private FunctionObject djangoViewHttpMethod() {
+private FunctionValue djangoViewHttpMethod() {
     exists(DjangoView view |
-        view.lookupAttribute(httpVerbLower()) = result
+        view.attr(httpVerbLower()) = result
     )
 }
 
 class DjangoClassBasedViewRequestArgument extends DjangoRequestSource {
 
     DjangoClassBasedViewRequestArgument() {
-        this = djangoViewHttpMethod().getFunction().getArg(1).asName().getAFlowNode()
+        this = djangoViewHttpMethod().getScope().getArg(1).asName().getAFlowNode()
     }
 
 }
@@ -107,11 +108,11 @@ class DjangoClassBasedViewRequestArgument extends DjangoRequestSource {
 
 
 /* Function based views */
-predicate url_dispatch(CallNode call, ControlFlowNode regex, FunctionObject view) {
-    exists(FunctionObject url |
-        ModuleObject::named("django.conf.urls").attr("url") = url and
+predicate url_dispatch(CallNode call, ControlFlowNode regex, FunctionValue view) {
+    exists(FunctionValue url |
+        Value::named("django.conf.urls.url") = url and
         url.getArgumentForCall(call, 0) = regex and
-        url.getArgumentForCall(call, 1).refersTo(view)
+        url.getArgumentForCall(call, 1).pointsTo(view)
     )
 }
 
@@ -130,7 +131,7 @@ class UrlRouting extends CallNode {
         url_dispatch(this, _, _)
     }
 
-    FunctionObject getViewFunction() {
+    FunctionValue getViewFunction() {
         url_dispatch(this, _, result)
     }
 
@@ -149,7 +150,7 @@ class HttpRequestParameter extends HttpRequestTaintSource {
     HttpRequestParameter() {
         exists(UrlRouting url |
             this.(ControlFlowNode).getNode() = 
-            url.getViewFunction().getFunction().getArgByName(url.getNamedArgument())
+            url.getViewFunction().getScope().getArgByName(url.getNamedArgument())
         )
     }
 

python/ql/src/semmle/python/web/django/Response.qll

@@ -17,17 +17,17 @@ class DjangoResponse extends TaintKind {
 
 }
 
-private ClassObject theDjangoHttpResponseClass() {
-    result = ModuleObject::named("django.http.response").attr("HttpResponse") and
+private ClassValue theDjangoHttpResponseClass() {
+    result = Value::named("django.http.response.HttpResponse") and
     not result = theDjangoHttpRedirectClass()
 }
 
 /** Instantiation of a django response. */
 class DjangoResponseSource extends TaintSource {
 
     DjangoResponseSource() {
-        exists(ClassObject cls |
-            cls.getAnImproperSuperType() = theDjangoHttpResponseClass() and
+        exists(ClassValue cls |
+            cls.getASuperType() = theDjangoHttpResponseClass() and
             cls.getACall() = this
         )
     }
@@ -64,9 +64,9 @@ class DjangoResponseWrite extends HttpResponseTaintSink {
 class DjangoResponseContent extends HttpResponseTaintSink {
 
     DjangoResponseContent() {
-        exists(CallNode call, ClassObject cls |
-            cls.getAnImproperSuperType() = theDjangoHttpResponseClass() and
-            call.getFunction().refersTo(cls) |
+        exists(CallNode call, ClassValue cls |
+            cls.getASuperType() = theDjangoHttpResponseClass() and
+            call.getFunction().pointsTo(cls) |
             call.getArg(0) = this
             or
             call.getArgByName("content") = this

python/ql/src/semmle/python/web/django/Shared.qll

@@ -1,9 +1,10 @@
 import python
 
-FunctionObject redirect() {
-    result = ModuleObject::named("django.shortcuts").attr("redirect")
+/** django.shortcuts.redirect */
+FunctionValue redirect() {
+    result = Value::named("django.shortcuts.redirect")
 }
 
-ClassObject theDjangoHttpRedirectClass() {
-    result = ModuleObject::named("django.http.response").attr("HttpResponseRedirectBase")
+ClassValue theDjangoHttpRedirectClass() {
+    result = Value::named("django.http.response.HttpResponseRedirectBase")
 }