jorgectf
diff --git a/‎python/.vscode/ql.code-snippets‎
Lines changed: 45 additions & 3 deletions b/‎python/.vscode/ql.code-snippets‎
Lines changed: 45 additions & 3 deletions
diff --git a/‎python/ql/test/experimental/dataflow/TestUtil/PrintNode.qll‎ renamed to ‎python/ql/lib/semmle/python/dataflow/new/internal/PrintNode.qll‎
Lines changed: 22 additions & 4 deletions b/‎python/ql/test/experimental/dataflow/TestUtil/PrintNode.qll‎ renamed to ‎python/ql/lib/semmle/python/dataflow/new/internal/PrintNode.qll‎
Lines changed: 22 additions & 4 deletions
diff --git a/‎python/ql/lib/semmle/python/dataflow/new/internal/TaintTrackingPrivate.qll‎
Lines changed: 10 additions & 23 deletions b/‎python/ql/lib/semmle/python/dataflow/new/internal/TaintTrackingPrivate.qll‎
Lines changed: 10 additions & 23 deletions
diff --git a/‎python/ql/lib/semmle/python/frameworks/Aiohttp.qll‎
Lines changed: 74 additions & 98 deletions b/‎python/ql/lib/semmle/python/frameworks/Aiohttp.qll‎
Lines changed: 74 additions & 98 deletions
@@ -180,8 +180,6 @@
             "",
             "  /** A direct instantiation of `${TM_SELECTED_TEXT}`. */",
             "  private class ClassInstantiation extends InstanceSource, DataFlow::CallCfgNode {",
-            "      override CallNode node;",
-            "",
             "      ClassInstantiation() { this = classRef().getACall() }",
             "  }",
             "",
@@ -195,11 +193,55 @@
             "",
             "  /** Gets a reference to an instance of `${TM_SELECTED_TEXT}`. */",
             "  DataFlow::Node instance() { instance(DataFlow::TypeTracker::end()).flowsTo(result) }",
+            "",
+            "  /**",
+            "   * Taint propagation for `${TM_SELECTED_TEXT}`.",
+            "   */",
+            "  private class InstanceTaintSteps extends InstanceTaintStepsHelper {",
+            "    InstanceTaintSteps() { this = \"${TM_SELECTED_TEXT}\" }",
+            "    ",
+            "    override DataFlow::Node getInstance() { result = instance() }",
+            "    ",
+            "    override string getAttributeName() { none() }",
+            "    ",
+            "    override string getMethodName() { none() }",
+            "    ",
+            "    override string getAsyncMethodName() { none() }",
+            "  }",
+            "",
+            "  /**",
+            "   * Extra taint propagation for `${TM_SELECTED_TEXT}`, not covered by `InstanceTaintSteps`.",
+            "   */",
+            "  private class AdditionalTaintStep extends TaintTracking::AdditionalTaintStep {",
+            "    override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {",
+            "      // TODO",
+            "      none()",
+            "    }",
+            "  }",
             "}",
         ],
         "description": "Type tracking class (select full class path before inserting)",
     },
-
+    "foo": {
+        "scope": "ql",
+        "prefix": "foo",
+        "body": [
+            "    /**",
+            "     * Taint propagation for `$1`.",
+            "     */",
+            "     private class InstanceTaintSteps extends InstanceTaintStepsHelper {",
+            "        InstanceTaintSteps() { this = \"$1\" }",
+            "",
+            "        override DataFlow::Node getInstance() { result = instance() }",
+            "",
+            "        override string getAttributeName() { none() }",
+            "",
+            "        override string getMethodName() { none() }",
+            "",
+            "        override string getAsyncMethodName() { none() }",
+            "      }",
+        ],
+    },
     "API graph .getMember chain": {
         "scope": "ql",
         "prefix": "api graph .getMember chain",
 
@@ -1,6 +1,20 @@
-import python
-import semmle.python.dataflow.new.DataFlow
+/**
+ * INTERNAL: Do not use.
+ *
+ * Provides helper predicates for pretty-printing `DataFlow::Node`s.
+ *
+ * Since these have not been performance optimized, please only use them for
+ * debug-queries or in tests.
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
 
+/**
+ * INTERNAL: Do not use.
+ *
+ * Gets the pretty-printed version of the Expr `e`.
+ */
 string prettyExpr(Expr e) {
   not e instanceof Num and
   not e instanceof StrConst and
@@ -27,15 +41,19 @@ string prettyExpr(Expr e) {
 }
 
 /**
- * Gets pretty-printed version of the DataFlow::Node `node`
+ * INTERNAL: Do not use.
+ *
+ * Gets the pretty-printed version of the DataFlow::Node `node`
  */
 bindingset[node]
 string prettyNode(DataFlow::Node node) {
   if exists(node.asExpr()) then result = prettyExpr(node.asExpr()) else result = node.toString()
 }
 
 /**
- * Gets pretty-printed version of the DataFlow::Node `node`, that is suitable for use
+ * INTERNAL: Do not use.
+ *
+ * Gets the pretty-printed version of the DataFlow::Node `node`, that is suitable for use
  * with `TestUtilities.InlineExpectationsTest` (that is, no spaces unless required).
  */
 bindingset[node]
 
@@ -46,9 +46,13 @@ private module Cached {
     or
     copyStep(nodeFrom, nodeTo)
     or
-    forStep(nodeFrom, nodeTo)
+    DataFlowPrivate::forReadStep(nodeFrom, _, nodeTo)
     or
-    unpackingAssignmentStep(nodeFrom, nodeTo)
+    DataFlowPrivate::iterableUnpackingReadStep(nodeFrom, _, nodeTo)
+    or
+    DataFlowPrivate::iterableUnpackingStoreStep(nodeFrom, _, nodeTo)
+    or
+    awaitStep(nodeFrom, nodeTo)
   }
 }
 
@@ -201,26 +205,9 @@ predicate copyStep(DataFlow::CfgNode nodeFrom, DataFlow::CfgNode nodeTo) {
 }
 
 /**
- * Holds if taint can flow from `nodeFrom` to `nodeTo` with a step related to `for`-iteration,
- * for example `for x in xs`, or `for x,y in points`.
- */
-predicate forStep(DataFlow::CfgNode nodeFrom, DataFlow::EssaNode nodeTo) {
-  exists(EssaNodeDefinition defn, For for |
-    for.getTarget().getAChildNode*() = defn.getDefiningNode().getNode() and
-    nodeTo.getVar() = defn and
-    nodeFrom.asExpr() = for.getIter()
-  )
-}
-
-/**
- * Holds if taint can flow from `nodeFrom` to `nodeTo` with a step related to iterable unpacking.
- * Only handles normal assignment (`x,y = calc_point()`), since `for x,y in points` is handled by `forStep`.
+ * Holds if taint can flow from `nodeFrom` to `nodeTo` with an `await`-step,
+ * such that the whole expression `await x` is tainted if `x` is tainted.
  */
-predicate unpackingAssignmentStep(DataFlow::CfgNode nodeFrom, DataFlow::EssaNode nodeTo) {
-  // `a, b = myiterable` or `head, *tail = myiterable` (only Python 3)
-  exists(MultiAssignmentDefinition defn, Assign assign |
-    assign.getATarget().contains(defn.getDefiningNode().getNode()) and
-    nodeTo.getVar() = defn and
-    nodeFrom.asExpr() = assign.getValue()
-  )
+predicate awaitStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+  nodeTo.asExpr().(Await).getValue() = nodeFrom.asExpr()
 }
@@ -13,6 +13,7 @@ private import semmle.python.frameworks.internal.PoorMansFunctionResolution
 private import semmle.python.frameworks.internal.SelfRefMixin
 private import semmle.python.frameworks.Multidict
 private import semmle.python.frameworks.Yarl
+private import semmle.python.frameworks.internal.InstanceTaintStepsHelper
 
 /**
  * INTERNAL: Do not use.
@@ -293,6 +294,65 @@ module AiohttpWebModel {
 
     /** Gets a reference to an instance of `aiohttp.web.Request`. */
     DataFlow::Node instance() { instance(DataFlow::TypeTracker::end()).flowsTo(result) }
+
+    /**
+     * Taint propagation for `aiohttp.web.Request`.
+     */
+    private class InstanceTaintSteps extends InstanceTaintStepsHelper {
+      InstanceTaintSteps() { this = "aiohttp.web.Request" }
+
+      override DataFlow::Node getInstance() { result = instance() }
+
+      override string getAttributeName() {
+        result in [
+            "url", "rel_url", "forwarded", "host", "remote", "path", "path_qs", "raw_path", "query",
+            "headers", "transport", "cookies", "content", "_payload", "content_type", "charset",
+            "http_range", "if_modified_since", "if_unmodified_since", "if_range", "match_info"
+          ]
+      }
+
+      override string getMethodName() { result in ["clone", "get_extra_info"] }
+
+      override string getAsyncMethodName() {
+        result in ["read", "text", "json", "multipart", "post"]
+      }
+    }
+
+    /** An attribute read on an `aiohttp.web.Request` that is a `MultiDictProxy` instance. */
+    class AiohttpRequestMultiDictProxyInstances extends Multidict::MultiDictProxy::InstanceSource {
+      AiohttpRequestMultiDictProxyInstances() {
+        this.(DataFlow::AttrRead).getObject() = Request::instance() and
+        this.(DataFlow::AttrRead).getAttributeName() in ["query", "headers"]
+        or
+        // Handle the common case of `x = await request.post()`
+        // but don't try to handle anything else, since we don't have an easy way to do this yet.
+        // TODO: more complete handling of `await request.post()`
+        exists(Await await, DataFlow::CallCfgNode call, DataFlow::AttrRead read |
+          this.asExpr() = await
+        |
+          read.(DataFlow::AttrRead).getObject() = Request::instance() and
+          read.(DataFlow::AttrRead).getAttributeName() = "post" and
+          call.getFunction() = read and
+          await.getValue() = call.asExpr()
+        )
+      }
+    }
+
+    /** An attribute read on an `aiohttp.web.Request` that is a `yarl.URL` instance. */
+    class AiohttpRequestYarlUrlInstances extends Yarl::Url::InstanceSource {
+      AiohttpRequestYarlUrlInstances() {
+        this.(DataFlow::AttrRead).getObject() = Request::instance() and
+        this.(DataFlow::AttrRead).getAttributeName() in ["url", "rel_url"]
+      }
+    }
+
+    /** An attribute read on an `aiohttp.web.Request` that is a `aiohttp.StreamReader` instance. */
+    class AiohttpRequestStreamReaderInstances extends StreamReader::InstanceSource {
+      AiohttpRequestStreamReaderInstances() {
+        this.(DataFlow::AttrRead).getObject() = Request::instance() and
+        this.(DataFlow::AttrRead).getAttributeName() in ["content", "_payload"]
+      }
+    }
   }
 
   /**
@@ -357,30 +417,20 @@ module AiohttpWebModel {
     /**
      * Taint propagation for `aiohttp.StreamReader`.
      */
-    private class AiohttpStreamReaderAdditionalTaintStep extends TaintTracking::AdditionalTaintStep {
-      override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
-        // Methods
-        //
-        // TODO: When we have tools that make it easy, model these properly to handle
-        // `meth = obj.meth; meth()`. Until then, we'll use this more syntactic approach
-        // (since it allows us to at least capture the most common cases).
-        nodeFrom = StreamReader::instance() and
-        exists(DataFlow::AttrRead attr | attr.getObject() = nodeFrom |
-          // normal methods
-          attr.getAttributeName() in ["read_nowait"] and
-          nodeTo.(DataFlow::CallCfgNode).getFunction() = attr
-          or
-          // async methods
-          exists(Await await, DataFlow::CallCfgNode call |
-            attr.getAttributeName() in [
-                "read", "readany", "readexactly", "readline", "readchunk", "iter_chunked",
-                "iter_any", "iter_chunks"
-              ] and
-            call.getFunction() = attr and
-            await.getValue() = call.asExpr() and
-            nodeTo.asExpr() = await
-          )
-        )
+    private class InstanceTaintSteps extends InstanceTaintStepsHelper {
+      InstanceTaintSteps() { this = "aiohttp.StreamReader" }
+
+      override DataFlow::Node getInstance() { result = instance() }
+
+      override string getAttributeName() { none() }
+
+      override string getMethodName() { result in ["read_nowait"] }
+
+      override string getAsyncMethodName() {
+        result in [
+            "read", "readany", "readexactly", "readline", "readchunk", "iter_chunked", "iter_any",
+            "iter_chunks"
+          ]
       }
     }
   }
@@ -431,80 +481,6 @@ module AiohttpWebModel {
     }
   }
 
-  /**
-   * Taint propagation for `aiohttp.web.Request`.
-   *
-   * See https://docs.aiohttp.org/en/stable/web_reference.html#request-and-base-request
-   */
-  private class AiohttpRequestAdditionalTaintStep extends TaintTracking::AdditionalTaintStep {
-    override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
-      // Methods
-      //
-      // TODO: When we have tools that make it easy, model these properly to handle
-      // `meth = obj.meth; meth()`. Until then, we'll use this more syntactic approach
-      // (since it allows us to at least capture the most common cases).
-      nodeFrom = Request::instance() and
-      exists(DataFlow::AttrRead attr | attr.getObject() = nodeFrom |
-        // normal methods
-        attr.getAttributeName() in ["clone", "get_extra_info"] and
-        nodeTo.(DataFlow::CallCfgNode).getFunction() = attr
-        or
-        // async methods
-        exists(Await await, DataFlow::CallCfgNode call |
-          attr.getAttributeName() in ["read", "text", "json", "multipart", "post"] and
-          call.getFunction() = attr and
-          await.getValue() = call.asExpr() and
-          nodeTo.asExpr() = await
-        )
-      )
-      or
-      // Attributes
-      nodeFrom = Request::instance() and
-      nodeTo.(DataFlow::AttrRead).getObject() = nodeFrom and
-      nodeTo.(DataFlow::AttrRead).getAttributeName() in [
-          "url", "rel_url", "forwarded", "host", "remote", "path", "path_qs", "raw_path", "query",
-          "headers", "transport", "cookies", "content", "_payload", "content_type", "charset",
-          "http_range", "if_modified_since", "if_unmodified_since", "if_range", "match_info"
-        ]
-    }
-  }
-
-  /** An attribute read on an `aiohttp.web.Request` that is a `MultiDictProxy` instance. */
-  class AiohttpRequestMultiDictProxyInstances extends Multidict::MultiDictProxy::InstanceSource {
-    AiohttpRequestMultiDictProxyInstances() {
-      this.(DataFlow::AttrRead).getObject() = Request::instance() and
-      this.(DataFlow::AttrRead).getAttributeName() in ["query", "headers"]
-      or
-      // Handle the common case of `x = await request.post()`
-      // but don't try to handle anything else, since we don't have an easy way to do this yet.
-      // TODO: more complete handling of `await request.post()`
-      exists(Await await, DataFlow::CallCfgNode call, DataFlow::AttrRead read |
-        this.asExpr() = await
-      |
-        read.(DataFlow::AttrRead).getObject() = Request::instance() and
-        read.(DataFlow::AttrRead).getAttributeName() = "post" and
-        call.getFunction() = read and
-        await.getValue() = call.asExpr()
-      )
-    }
-  }
-
-  /** An attribute read on an `aiohttp.web.Request` that is a `yarl.URL` instance. */
-  class AiohttpRequestYarlUrlInstances extends Yarl::Url::InstanceSource {
-    AiohttpRequestYarlUrlInstances() {
-      this.(DataFlow::AttrRead).getObject() = Request::instance() and
-      this.(DataFlow::AttrRead).getAttributeName() in ["url", "rel_url"]
-    }
-  }
-
-  /** An attribute read on an `aiohttp.web.Request` that is a `aiohttp.StreamReader` instance. */
-  class AiohttpRequestStreamReaderInstances extends StreamReader::InstanceSource {
-    AiohttpRequestStreamReaderInstances() {
-      this.(DataFlow::AttrRead).getObject() = Request::instance() and
-      this.(DataFlow::AttrRead).getAttributeName() in ["content", "_payload"]
-    }
-  }
-
   // ---------------------------------------------------------------------------
   // aiohttp.web Response modeling
   // ---------------------------------------------------------------------------