Skip to content

Commit 430eeea

Browse files
jketemajketema
committed
Properly share ConceptsShared.qll 
1 parent 3d3ef94 commit 430eeea

37 files changed

+371
-902
lines changed

config/identical-files.json

Lines changed: 0 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -235,12 +235,6 @@
235235
"javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.qll",
236236
"ruby/ql/src/queries/security/cwe-020/IncompleteUrlSubstringSanitization.qll"
237237
],
238-
"Concepts Python/Ruby/JS": [
239-
"python/ql/lib/semmle/python/internal/ConceptsShared.qll",
240-
"ruby/ql/lib/codeql/ruby/internal/ConceptsShared.qll",
241-
"javascript/ql/lib/semmle/javascript/internal/ConceptsShared.qll",
242-
"rust/ql/lib/codeql/rust/internal/ConceptsShared.qll"
243-
],
244238
"ApiGraphModels": [
245239
"javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModels.qll",
246240
"ruby/ql/lib/codeql/ruby/frameworks/data/internal/ApiGraphModels.qll",

javascript/ql/lib/semmle/javascript/Concepts.qll

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -5,7 +5,11 @@
55
*/
66

77
import javascript
8+
private import semmle.javascript.dataflow.internal.sharedlib.DataFlowArg
89
private import codeql.threatmodels.ThreatModels
10+
private import codeql.concepts.ConceptsShared
11+
12+
private module ConceptsShared = ConceptsMake<Location, JSDataFlow>;
913

1014
/**
1115
* A data flow source, for a specific threat-model.
@@ -206,7 +210,7 @@ abstract class PersistentWriteAccess extends DataFlow::Node {
206210
* Provides models for cryptographic things.
207211
*/
208212
module Cryptography {
209-
private import semmle.javascript.internal.ConceptsShared::Cryptography as SC
213+
private import ConceptsShared::Cryptography as SC
210214

211215
/**
212216
* A data-flow node that is an application of a cryptographic algorithm. For example,

javascript/ql/lib/semmle/javascript/internal/ConceptsImports.qll

Lines changed: 0 additions & 7 deletions
This file was deleted.

javascript/ql/lib/semmle/javascript/internal/ConceptsShared.qll

Lines changed: 0 additions & 181 deletions
This file was deleted.

python/ql/lib/semmle/python/Concepts.qll

Lines changed: 7 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -6,11 +6,16 @@
66

77
private import python
88
private import semmle.python.dataflow.new.DataFlow
9+
private import semmle.python.dataflow.new.internal.DataFlowImplSpecific
910
private import semmle.python.dataflow.new.RemoteFlowSources
1011
private import semmle.python.dataflow.new.TaintTracking
12+
private import semmle.python.Files
1113
private import semmle.python.Frameworks
1214
private import semmle.python.security.internal.EncryptionKeySizes
1315
private import codeql.threatmodels.ThreatModels
16+
private import codeql.concepts.ConceptsShared
17+
18+
private module ConceptsShared = ConceptsMake<Location, PythonDataFlow>;
1419

1520
/**
1621
* A data flow source, for a specific threat-model.
@@ -1617,7 +1622,7 @@ module Http {
16171622
}
16181623
}
16191624

1620-
import semmle.python.internal.ConceptsShared::Http::Client as Client
1625+
import ConceptsShared::Http::Client as Client
16211626
// TODO: investigate whether we should treat responses to client requests as
16221627
// remote-flow-sources in general.
16231628
}
@@ -1725,5 +1730,5 @@ module Cryptography {
17251730
}
17261731
}
17271732

1728-
import semmle.python.internal.ConceptsShared::Cryptography
1733+
import ConceptsShared::Cryptography
17291734
}

python/ql/lib/semmle/python/frameworks/Aiohttp.qll

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -758,7 +758,7 @@ module AiohttpClientModel {
758758
private API::Node instance() { result = classRef().getReturn() }
759759

760760
/** A method call on a ClientSession that sends off a request */
761-
private class OutgoingRequestCall extends Http::Client::Request::Range, API::CallNode {
761+
private class OutgoingRequestCall extends Http::Client::Request::Range instanceof API::CallNode {
762762
string methodName;
763763

764764
OutgoingRequestCall() {
@@ -767,21 +767,21 @@ module AiohttpClientModel {
767767
}
768768

769769
override DataFlow::Node getAUrlPart() {
770-
result = this.getArgByName("url")
770+
result = super.getArgByName("url")
771771
or
772772
methodName in [Http::httpVerbLower(), "ws_connect"] and
773-
result = this.getArg(0)
773+
result = super.getArg(0)
774774
or
775775
methodName = "request" and
776-
result = this.getArg(1)
776+
result = super.getArg(1)
777777
}
778778

779779
override string getFramework() { result = "aiohttp.ClientSession" }
780780

781781
override predicate disablesCertificateValidation(
782782
DataFlow::Node disablingNode, DataFlow::Node argumentOrigin
783783
) {
784-
exists(API::Node param | param = this.getKeywordParameter(["ssl", "verify_ssl"]) |
784+
exists(API::Node param | param = super.getKeywordParameter(["ssl", "verify_ssl"]) |
785785
disablingNode = param.asSink() and
786786
argumentOrigin = param.getAValueReachingSink() and
787787
// aiohttp.client treats `None` as the default and all other "falsey" values as `False`.

python/ql/lib/semmle/python/frameworks/Cryptodome.qll

Lines changed: 15 additions & 18 deletions
Original file line numberDiff line numberDiff line change
@@ -107,8 +107,7 @@ private module CryptodomeModel {
107107
/**
108108
* A cryptographic operation on an instance from the `Cipher` subpackage of `Cryptodome`/`Crypto`.
109109
*/
110-
class CryptodomeGenericCipherOperation extends Cryptography::CryptographicOperation::Range,
111-
DataFlow::CallCfgNode
110+
class CryptodomeGenericCipherOperation extends Cryptography::CryptographicOperation::Range instanceof DataFlow::CallCfgNode
112111
{
113112
string methodName;
114113
string cipherName;
@@ -134,31 +133,31 @@ private module CryptodomeModel {
134133

135134
override DataFlow::Node getAnInput() {
136135
methodName = "encrypt" and
137-
result in [this.getArg(0), this.getArgByName(["message", "plaintext"])]
136+
result in [super.getArg(0), super.getArgByName(["message", "plaintext"])]
138137
or
139138
methodName = "decrypt" and
140-
result in [this.getArg(0), this.getArgByName("ciphertext")]
139+
result in [super.getArg(0), super.getArgByName("ciphertext")]
141140
or
142141
// for the following methods, method signatures can be found in
143142
// https://pycryptodome.readthedocs.io/en/latest/src/cipher/modern.html
144143
methodName = "update" and
145-
result in [this.getArg(0), this.getArgByName("data")]
144+
result in [super.getArg(0), super.getArgByName("data")]
146145
or
147146
// although `mac_tag` is used as the parameter name in the spec above, some implementations use `received_mac_tag`, for an example, see
148147
// https://github.com/Legrandin/pycryptodome/blob/5dace638b70ac35bb5d9b565f3e75f7869c9d851/lib/Crypto/Cipher/ChaCha20_Poly1305.py#L207
149148
methodName = "verify" and
150-
result in [this.getArg(0), this.getArgByName(["mac_tag", "received_mac_tag"])]
149+
result in [super.getArg(0), super.getArgByName(["mac_tag", "received_mac_tag"])]
151150
or
152151
methodName = "hexverify" and
153-
result in [this.getArg(0), this.getArgByName("mac_tag_hex")]
152+
result in [super.getArg(0), super.getArgByName("mac_tag_hex")]
154153
or
155154
methodName = "encrypt_and_digest" and
156-
result in [this.getArg(0), this.getArgByName("plaintext")]
155+
result in [super.getArg(0), super.getArgByName("plaintext")]
157156
or
158157
methodName = "decrypt_and_verify" and
159158
result in [
160-
this.getArg(0), this.getArgByName("ciphertext"), this.getArg(1),
161-
this.getArgByName("mac_tag")
159+
super.getArg(0), super.getArgByName("ciphertext"), super.getArg(1),
160+
super.getArgByName("mac_tag")
162161
]
163162
}
164163

@@ -180,8 +179,7 @@ private module CryptodomeModel {
180179
/**
181180
* A cryptographic operation on an instance from the `Signature` subpackage of `Cryptodome`/`Crypto`.
182181
*/
183-
class CryptodomeGenericSignatureOperation extends Cryptography::CryptographicOperation::Range,
184-
DataFlow::CallCfgNode
182+
class CryptodomeGenericSignatureOperation extends Cryptography::CryptographicOperation::Range instanceof DataFlow::CallCfgNode
185183
{
186184
API::CallNode newCall;
187185
string methodName;
@@ -206,13 +204,13 @@ private module CryptodomeModel {
206204

207205
override DataFlow::Node getAnInput() {
208206
methodName = "sign" and
209-
result in [this.getArg(0), this.getArgByName("msg_hash")] // Cryptodome.Hash instance
207+
result in [super.getArg(0), super.getArgByName("msg_hash")] // Cryptodome.Hash instance
210208
or
211209
methodName = "verify" and
212210
(
213-
result in [this.getArg(0), this.getArgByName("msg_hash")] // Cryptodome.Hash instance
211+
result in [super.getArg(0), super.getArgByName("msg_hash")] // Cryptodome.Hash instance
214212
or
215-
result in [this.getArg(1), this.getArgByName("signature")]
213+
result in [super.getArg(1), super.getArgByName("signature")]
216214
)
217215
}
218216

@@ -222,8 +220,7 @@ private module CryptodomeModel {
222220
/**
223221
* A cryptographic operation on an instance from the `Hash` subpackage of `Cryptodome`/`Crypto`.
224222
*/
225-
class CryptodomeGenericHashOperation extends Cryptography::CryptographicOperation::Range,
226-
DataFlow::CallCfgNode
223+
class CryptodomeGenericHashOperation extends Cryptography::CryptographicOperation::Range instanceof DataFlow::CallCfgNode
227224
{
228225
API::CallNode newCall;
229226
string hashName;
@@ -244,7 +241,7 @@ private module CryptodomeModel {
244241

245242
override Cryptography::CryptographicAlgorithm getAlgorithm() { result.matchesName(hashName) }
246243

247-
override DataFlow::Node getAnInput() { result in [this.getArg(0), this.getArgByName("data")] }
244+
override DataFlow::Node getAnInput() { result in [super.getArg(0), super.getArgByName("data")] }
248245

249246
override Cryptography::BlockMode getBlockMode() { none() }
250247
}

0 commit comments

Comments
 (0)