modelling frameworks

[hack136]

Hi i have a question about libraries model, what do these provide?
like this here https://github.com/github/codeql/blob/main/python/ql/lib/semmle/python/frameworks/Yarl.qll.

[intrigus-lgtm]

CodeQL only analyzes the source code you provide it.
This means that it will/can not analyze the source code of dependencies of your code!
(Unless you also compile the source code of your dependencies at the same time, as far as I know)
All calls to such external functions are treated as a black box by CodeQL.
This means that if you have code such as this (sorry, this is in Java):

public void someMethod(String untrustedUserInput) {
  externalLibraryCall(untrustedUserInput);
}

CodeQL's data flow and taint analysis stops at the externalLibraryCall call.
But what happens, if externalLibraryCall takes the untrusted user input and passes it to a function that executes a shell, leading to arbitrary code execution?
Right now, CodeQL can not catch this, because it can not look into externalLibraryCall (because it is defined in an external dependency) and see that externalLibraryCall will end up calling a dangerous function.

This is of course an unsatisfying situation!
That's exactly why framework models exist.
Framework models allow the user to tell CodeQL which effect calls to external functions/dependencies will have.

As an example, this model of the pyinvoke framework adds invoke.run and invoke.sudo as a sink for command injections such that users will be alerted!
Without this, CodeQL would not know that invoke.[run|sudo] is insecure.