Merge pull request #15044 from RasmusWL/automated-subclass-models

Python: Automated subclass models

Author: RasmusWL

.gitattributes

@@ -71,3 +71,6 @@ go/extractor/opencsv/CSVReader.java -text
 # `javascript/ql/experimental/adaptivethreatmodeling/test/update_endpoint_test_files.py`.
 javascript/ql/experimental/adaptivethreatmodeling/test/endpoint_large_scale/autogenerated/**/*.js linguist-generated=true -merge
 javascript/ql/experimental/adaptivethreatmodeling/test/endpoint_large_scale/autogenerated/**/*.ts linguist-generated=true -merge
+
+# Auto-generated modeling for Python
+python/ql/lib/semmle/python/frameworks/data/internal/subclass-capture/*.yml linguist-generated=true

python/ql/lib/change-notes/2023-12-08-automated-subclass-models.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Captured subclass relationships ahead-of-time for most popular PyPI packages so we are able to resolve subclass relationships even without having the packages installed. For example we have captured that `flask_restful.Resource` is a subclass of `flask.views.MethodView`, so our Flask modeling will still consider a function named `post` on a `class Foo(flask_restful.Resource):` as a HTTP request handler.

python/ql/lib/semmle/python/Module.qll

@@ -177,7 +177,7 @@ private predicate legalDottedName(string name) {
 }
 
 bindingset[name]
-private predicate legalShortName(string name) { name.regexpMatch("(\\p{L}|_)(\\p{L}|\\d|_)*") }
+predicate legalShortName(string name) { name.regexpMatch("(\\p{L}|_)(\\p{L}|\\d|_)*") }
 
 private string moduleNameFromBase(Container file) {
   // We used to also require `isPotentialPackage(f)` to hold in this case,

python/ql/lib/semmle/python/frameworks/Aioch.qll

@@ -9,6 +9,7 @@ private import python
 private import semmle.python.Concepts
 private import semmle.python.ApiGraphs
 private import semmle.python.frameworks.ClickhouseDriver
+private import semmle.python.frameworks.data.ModelsAsData
 
 /**
  * INTERNAL: Do not use.
@@ -24,6 +25,8 @@ module Aioch {
     /** Gets a reference to the `aioch.Client` class or any subclass. */
     API::Node subclassRef() {
       result = API::moduleImport("aioch").getMember("Client").getASubclass*()
+      or
+      result = ModelOutput::getATypeNode("aioch.Client~Subclass").getASubclass*()
     }
 
     /** Gets a reference to an instance of `clickhouse_driver.Client` or any subclass. */

python/ql/lib/semmle/python/frameworks/Aiohttp.qll

@@ -14,6 +14,7 @@ private import semmle.python.frameworks.internal.SelfRefMixin
 private import semmle.python.frameworks.Multidict
 private import semmle.python.frameworks.Yarl
 private import semmle.python.frameworks.internal.InstanceTaintStepsHelper
+private import semmle.python.frameworks.data.ModelsAsData
 
 /**
  * INTERNAL: Do not use.
@@ -31,6 +32,8 @@ module AiohttpWebModel {
     /** Gets a reference to the `aiohttp.web.View` class or any subclass. */
     API::Node subclassRef() {
       result = API::moduleImport("aiohttp").getMember("web").getMember("View").getASubclass*()
+      or
+      result = ModelOutput::getATypeNode("aiohttp.web.View~Subclass").getASubclass*()
     }
   }
 
@@ -706,19 +709,23 @@ module AiohttpWebModel {
 }
 
 /**
+ * INTERNAL: Do not use.
+ *
  * Provides models for the web server part (`aiohttp.client`) of the `aiohttp` PyPI package.
  * See https://docs.aiohttp.org/en/stable/client.html
  */
-private module AiohttpClientModel {
+module AiohttpClientModel {
   /**
    * Provides models for the `aiohttp.ClientSession` class
    *
    * See https://docs.aiohttp.org/en/stable/client_reference.html#aiohttp.ClientSession.
    */
   module ClientSession {
     /** Gets a reference to the `aiohttp.ClientSession` class. */
-    private API::Node classRef() {
+    API::Node classRef() {
       result = API::moduleImport("aiohttp").getMember("ClientSession")
+      or
+      result = ModelOutput::getATypeNode("aiohttp.ClientSession~Subclass").getASubclass*()
     }
 
     /** Gets a reference to an instance of `aiohttp.ClientSession`. */

python/ql/lib/semmle/python/frameworks/ClickhouseDriver.qll

@@ -9,6 +9,7 @@ private import python
 private import semmle.python.Concepts
 private import semmle.python.ApiGraphs
 private import semmle.python.frameworks.PEP249
+private import semmle.python.frameworks.data.ModelsAsData
 
 /**
  * INTERNAL: Do not use.
@@ -37,6 +38,9 @@ module ClickhouseDriver {
         or
         // commonly used alias
         classRef = API::moduleImport("clickhouse_driver").getMember("Client")
+        or
+        // Models-as-Data subclass
+        classRef = ModelOutput::getATypeNode("clickhouse_driver.client.Client~Subclass")
       |
         result = classRef.getASubclass*()
       )

python/ql/lib/semmle/python/frameworks/Django.qll

@@ -16,6 +16,7 @@ private import semmle.python.frameworks.internal.PoorMansFunctionResolution
 private import semmle.python.frameworks.internal.SelfRefMixin
 private import semmle.python.frameworks.internal.InstanceTaintStepsHelper
 private import semmle.python.security.dataflow.UrlRedirectCustomizations
+private import semmle.python.frameworks.data.ModelsAsData
 
 /**
  * INTERNAL: Do not use.
@@ -85,6 +86,10 @@ module Django {
         }
       }
 
+      private class MaDSubclass extends ModeledSubclass {
+        MaDSubclass() { this = ModelOutput::getATypeNode("Django.Views.View~Subclass") }
+      }
+
       /** Gets a reference to the `django.views.generic.View` class or any subclass. */
       API::Node subclassRef() { result = any(ModeledSubclass subclass).getASubclass*() }
     }
@@ -185,6 +190,10 @@ module Django {
         }
       }
 
+      private class MaDSubclass extends ModeledSubclass {
+        MaDSubclass() { this = ModelOutput::getATypeNode("django.forms.BaseForm~Subclass") }
+      }
+
       /** Gets a reference to the `django.forms.forms.BaseForm` class or any subclass. */
       API::Node subclassRef() { result = any(ModeledSubclass subclass).getASubclass*() }
     }
@@ -290,6 +299,10 @@ module Django {
         }
       }
 
+      private class MaDSubclass extends ModeledSubclass {
+        MaDSubclass() { this = ModelOutput::getATypeNode("Django.Forms.Field~Subclass") }
+      }
+
       /** Gets a reference to the `django.forms.fields.Field` class or any subclass. */
       API::Node subclassRef() { result = any(ModeledSubclass subclass).getASubclass*() }
     }
@@ -596,6 +609,8 @@ module PrivateDjango {
                   .getMember("models")
                   .getMember("PolymorphicModel")
                   .getASubclass*()
+            or
+            result = ModelOutput::getATypeNode("Django.db.models.Model~Subclass").getASubclass*()
           }
 
           /**
@@ -766,6 +781,9 @@ module PrivateDjango {
                     .getMember(className)
                     .getASubclass*()
             )
+            or
+            result =
+              ModelOutput::getATypeNode("django.db.models.FileField~Subclass").getASubclass*()
           }
         }
 
@@ -823,6 +841,10 @@ module PrivateDjango {
               or
               // Commonly used alias
               result = models().getMember("RawSQL")
+              or
+              result =
+                ModelOutput::getATypeNode("django.db.models.expressions.RawSQL~Subclass")
+                    .getASubclass*()
             }
 
             /**
@@ -1157,6 +1179,9 @@ module PrivateDjango {
             or
             // handle django.http.HttpRequest alias
             result = http().getMember("HttpRequest")
+            or
+            result =
+              ModelOutput::getATypeNode("django.http.request.HttpRequest~Subclass").getASubclass*()
           }
 
           /**
@@ -1322,7 +1347,13 @@ module PrivateDjango {
           }
 
           /** Gets a reference to the `django.http.response.HttpResponse` class or any subclass. */
-          API::Node classRef() { result = baseClassRef().getASubclass*() }
+          API::Node classRef() {
+            result = baseClassRef().getASubclass*()
+            or
+            result =
+              ModelOutput::getATypeNode("django.http.response.HttpResponse~Subclass")
+                  .getASubclass*()
+          }
 
           /**
            * A source of instances of `django.http.response.HttpResponse`, extend this class to model new instances.
@@ -1383,7 +1414,12 @@ module PrivateDjango {
           }
 
           /** Gets a reference to a subclass of the `django.http.response.HttpResponseRedirect` class. */
-          API::Node classRef() { result = baseClassRef().getASubclass*() }
+          API::Node classRef() {
+            result = baseClassRef().getASubclass*() or
+            result =
+              ModelOutput::getATypeNode("django.http.response.HttpResponseRedirect~Subclass")
+                  .getASubclass*()
+          }
 
           /**
            * A source of instances of `django.http.response.HttpResponseRedirect`, extend this class to model new instances.
@@ -1446,7 +1482,12 @@ module PrivateDjango {
           }
 
           /** Gets a reference to the `django.http.response.HttpResponsePermanentRedirect` class. */
-          API::Node classRef() { result = baseClassRef().getASubclass*() }
+          API::Node classRef() {
+            result = baseClassRef().getASubclass*() or
+            result =
+              ModelOutput::getATypeNode("django.http.response.HttpResponsePermanentRedirect~Subclass")
+                  .getASubclass*()
+          }
 
           /**
            * A source of instances of `django.http.response.HttpResponsePermanentRedirect`, extend this class to model new instances.
@@ -1510,7 +1551,12 @@ module PrivateDjango {
           }
 
           /** Gets a reference to the `django.http.response.HttpResponseNotModified` class. */
-          API::Node classRef() { result = baseClassRef().getASubclass*() }
+          API::Node classRef() {
+            result = baseClassRef().getASubclass*() or
+            result =
+              ModelOutput::getATypeNode("django.http.response.HttpResponseNotModified~Subclass")
+                  .getASubclass*()
+          }
 
           /**
            * A source of instances of `django.http.response.HttpResponseNotModified`, extend this class to model new instances.
@@ -1562,7 +1608,12 @@ module PrivateDjango {
           }
 
           /** Gets a reference to the `django.http.response.HttpResponseBadRequest` class. */
-          API::Node classRef() { result = baseClassRef().getASubclass*() }
+          API::Node classRef() {
+            result = baseClassRef().getASubclass*() or
+            result =
+              ModelOutput::getATypeNode("django.http.response.HttpResponseBadRequest~Subclass")
+                  .getASubclass*()
+          }
 
           /**
            * A source of instances of `django.http.response.HttpResponseBadRequest`, extend this class to model new instances.
@@ -1616,7 +1667,12 @@ module PrivateDjango {
           }
 
           /** Gets a reference to the `django.http.response.HttpResponseNotFound` class. */
-          API::Node classRef() { result = baseClassRef().getASubclass*() }
+          API::Node classRef() {
+            result = baseClassRef().getASubclass*() or
+            result =
+              ModelOutput::getATypeNode("django.http.response.HttpResponseNotFound~Subclass")
+                  .getASubclass*()
+          }
 
           /**
            * A source of instances of `django.http.response.HttpResponseNotFound`, extend this class to model new instances.
@@ -1670,7 +1726,12 @@ module PrivateDjango {
           }
 
           /** Gets a reference to the `django.http.response.HttpResponseForbidden` class. */
-          API::Node classRef() { result = baseClassRef().getASubclass*() }
+          API::Node classRef() {
+            result = baseClassRef().getASubclass*() or
+            result =
+              ModelOutput::getATypeNode("django.http.response.HttpResponseForbidden~Subclass")
+                  .getASubclass*()
+          }
 
           /**
            * A source of instances of `django.http.response.HttpResponseForbidden`, extend this class to model new instances.
@@ -1724,7 +1785,12 @@ module PrivateDjango {
           }
 
           /** Gets a reference to the `django.http.response.HttpResponseNotAllowed` class. */
-          API::Node classRef() { result = baseClassRef().getASubclass*() }
+          API::Node classRef() {
+            result = baseClassRef().getASubclass*() or
+            result =
+              ModelOutput::getATypeNode("django.http.response.HttpResponseNotAllowed~Subclass")
+                  .getASubclass*()
+          }
 
           /**
            * A source of instances of `django.http.response.HttpResponseNotAllowed`, extend this class to model new instances.
@@ -1779,7 +1845,12 @@ module PrivateDjango {
           }
 
           /** Gets a reference to the `django.http.response.HttpResponseGone` class. */
-          API::Node classRef() { result = baseClassRef().getASubclass*() }
+          API::Node classRef() {
+            result = baseClassRef().getASubclass*() or
+            result =
+              ModelOutput::getATypeNode("django.http.response.HttpResponseGone~Subclass")
+                  .getASubclass*()
+          }
 
           /**
            * A source of instances of `django.http.response.HttpResponseGone`, extend this class to model new instances.
@@ -1833,7 +1904,12 @@ module PrivateDjango {
           }
 
           /** Gets a reference to the `django.http.response.HttpResponseServerError` class. */
-          API::Node classRef() { result = baseClassRef().getASubclass*() }
+          API::Node classRef() {
+            result = baseClassRef().getASubclass*() or
+            result =
+              ModelOutput::getATypeNode("django.http.response.HttpResponseServerError~Subclass")
+                  .getASubclass*()
+          }
 
           /**
            * A source of instances of `django.http.response.HttpResponseServerError`, extend this class to model new instances.
@@ -1887,7 +1963,12 @@ module PrivateDjango {
           }
 
           /** Gets a reference to the `django.http.response.JsonResponse` class. */
-          API::Node classRef() { result = baseClassRef().getASubclass*() }
+          API::Node classRef() {
+            result = baseClassRef().getASubclass*() or
+            result =
+              ModelOutput::getATypeNode("django.http.response.JsonResponse~Subclass")
+                  .getASubclass*()
+          }
 
           /**
            * A source of instances of `django.http.response.JsonResponse`, extend this class to model new instances.
@@ -1944,7 +2025,12 @@ module PrivateDjango {
           }
 
           /** Gets a reference to the `django.http.response.StreamingHttpResponse` class. */
-          API::Node classRef() { result = baseClassRef().getASubclass*() }
+          API::Node classRef() {
+            result = baseClassRef().getASubclass*() or
+            result =
+              ModelOutput::getATypeNode("django.http.response.StreamingHttpResponse~Subclass")
+                  .getASubclass*()
+          }
 
           /**
            * A source of instances of `django.http.response.StreamingHttpResponse`, extend this class to model new instances.
@@ -1998,7 +2084,12 @@ module PrivateDjango {
           }
 
           /** Gets a reference to the `django.http.response.FileResponse` class. */
-          API::Node classRef() { result = baseClassRef().getASubclass*() }
+          API::Node classRef() {
+            result = baseClassRef().getASubclass*() or
+            result =
+              ModelOutput::getATypeNode("django.http.response.FileResponse~Subclass")
+                  .getASubclass*()
+          }
 
           /**
            * A source of instances of `django.http.response.FileResponse`, extend this class to model new instances.

python/ql/lib/semmle/python/frameworks/Fabric.qll

@@ -12,6 +12,7 @@ private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.dataflow.new.RemoteFlowSources
 private import semmle.python.Concepts
 private import semmle.python.ApiGraphs
+private import semmle.python.frameworks.data.ModelsAsData
 
 /**
  * Provides classes modeling security-relevant aspects of the `fabric` PyPI package, for
@@ -65,12 +66,14 @@ private module FabricV1 {
 }
 
 /**
+ * INTERNAL: Do not use.
+ *
  * Provides classes modeling security-relevant aspects of the `fabric` PyPI package, for
  * version 2.x.
  *
  * See http://docs.fabfile.org/en/2.5/getting-st  arted.html.
  */
-private module FabricV2 {
+module FabricV2 {
   /** Gets a reference to the `fabric` module. */
   API::Node fabric() { result = API::moduleImport("fabric") }
 
@@ -95,6 +98,9 @@ private module FabricV2 {
           result = fabric().getMember("Connection")
           or
           result = connection().getMember("Connection")
+          or
+          result =
+            ModelOutput::getATypeNode("fabric.connection.Connection~Subclass").getASubclass*()
         }
 
         /**