Merge branch 'main' of github.com:github/codeql into python/port-modification-of-default-value

To get the subpaths.
2026-05-02 04:05:14 +02:00 · 2021-09-10 14:03:02 +02:00
parent 7cfa08abc8 db78e3a7da
commit 02fd63ce20
428 changed files with 10058 additions and 4043 deletions
--- a/python/ql/test/experimental/dataflow/import-helper/dataflow-consistency.expected
+++ b/python/ql/test/experimental/dataflow/import-helper/dataflow-consistency.expected
--- a/python/ql/test/experimental/dataflow/import-helper/dataflow-consistency.ql
+++ b/python/ql/test/experimental/dataflow/import-helper/dataflow-consistency.ql
--- a/python/ql/test/experimental/dataflow/ApiGraphs/test.py
+++ b/python/ql/test/experimental/dataflow/ApiGraphs/test.py
@@ -74,12 +74,6 @@ def f():
    change_foo()
    sink(foo) #$ use=moduleImport("danger").getMember("SOURCE")

-# Star imports
-
-from unknown import * #$ use=moduleImport("unknown")
-
-hello() #$ MISSING: use=moduleImport("unknown").getMember("hello").getReturn()
-

 # Subclasses

--- a/python/ql/test/experimental/dataflow/ApiGraphs/test_import_star.py
+++ b/python/ql/test/experimental/dataflow/ApiGraphs/test_import_star.py
@@ -0,0 +1,36 @@
+# Star imports
+
+from unknown import * #$ use=moduleImport("unknown")
+
+# Currently missing, as we do not consider `hello` to be a `LocalSourceNode`, since it has flow
+# going into it from its corresponding `GlobalSsaVariable`.
+hello() #$ MISSING: use=moduleImport("unknown").getMember("hello").getReturn()
+
+# We don't want our analysis to think that either `non_module_member` or `outer_bar` can
+# come from `from unknown import *`
+non_module_member
+
+outer_bar = 5
+outer_bar
+
+def foo():
+    world() #$ use=moduleImport("unknown").getMember("world").getReturn()
+    bar = 5
+    bar
+    non_module_member
+    print(bar) #$ use=moduleImport("builtins").getMember("print").getReturn()
+
+def quux():
+    global non_module_member
+    non_module_member = 5
+
+def func1():
+    var() #$ use=moduleImport("unknown").getMember("var").getReturn()
+    def func2():
+        var = "FOO"
+
+def func3():
+    var2 = print #$ use=moduleImport("builtins").getMember("print")
+    def func4():
+        var2() #$ MISSING: use=moduleImport("builtins").getMember("print").getReturn()
+    func4()
--- a/python/ql/test/experimental/dataflow/ApiGraphs/test_import_star2.py
+++ b/python/ql/test/experimental/dataflow/ApiGraphs/test_import_star2.py
@@ -0,0 +1,15 @@
+# Star imports in local scope
+
+hello2() 
+
+def foo():
+    from unknown2 import * #$ use=moduleImport("unknown2")
+    world2() #$ use=moduleImport("unknown2").getMember("world2").getReturn()
+    bar2 = 5
+    bar2
+    non_module_member2
+    print(bar2) #$ use=moduleImport("builtins").getMember("print").getReturn()
+
+def quux2():
+    global non_module_member2
+    non_module_member2 = 5
--- a/python/ql/test/experimental/dataflow/coverage/argumentRouting1.expected
+++ b/python/ql/test/experimental/dataflow/coverage/argumentRouting1.expected
@@ -196,6 +196,7 @@ nodes
 | classes.py:860:15:860:18 | ControlFlowNode for self | semmle.label | ControlFlowNode for self |
 | classes.py:866:5:866:11 | SSA variable with_or | semmle.label | SSA variable with_or |
 | classes.py:868:5:868:11 | ControlFlowNode for with_or | semmle.label | ControlFlowNode for with_or |
+subpaths
 #select
 | argumentPassing.py:89:22:89:25 | ControlFlowNode for arg1 | argumentPassing.py:89:22:89:25 | ControlFlowNode for arg1 | argumentPassing.py:75:11:75:11 | ControlFlowNode for a | Flow found |
 | argumentPassing.py:94:22:94:25 | ControlFlowNode for arg1 | argumentPassing.py:94:22:94:25 | ControlFlowNode for arg1 | argumentPassing.py:75:11:75:11 | ControlFlowNode for a | Flow found |
--- a/python/ql/test/experimental/dataflow/coverage/argumentRouting2.expected
+++ b/python/ql/test/experimental/dataflow/coverage/argumentRouting2.expected
@@ -121,6 +121,7 @@ nodes
 | classes.py:858:22:858:26 | ControlFlowNode for other | semmle.label | ControlFlowNode for other |
 | classes.py:859:15:859:19 | ControlFlowNode for other | semmle.label | ControlFlowNode for other |
 | classes.py:868:15:868:18 | ControlFlowNode for arg2 | semmle.label | ControlFlowNode for arg2 |
+subpaths
 #select
 | argumentPassing.py:94:28:94:31 | ControlFlowNode for arg2 | argumentPassing.py:94:28:94:31 | ControlFlowNode for arg2 | argumentPassing.py:76:11:76:11 | ControlFlowNode for b | Flow found |
 | argumentPassing.py:104:25:104:28 | ControlFlowNode for arg2 | argumentPassing.py:104:25:104:28 | ControlFlowNode for arg2 | argumentPassing.py:99:11:99:11 | ControlFlowNode for b | Flow found |
--- a/python/ql/test/experimental/dataflow/coverage/argumentRouting3.expected
+++ b/python/ql/test/experimental/dataflow/coverage/argumentRouting3.expected
@@ -53,6 +53,7 @@ nodes
 | classes.py:570:32:570:36 | ControlFlowNode for value | semmle.label | ControlFlowNode for value |
 | classes.py:571:15:571:19 | ControlFlowNode for value | semmle.label | ControlFlowNode for value |
 | classes.py:581:26:581:29 | ControlFlowNode for arg3 | semmle.label | ControlFlowNode for arg3 |
+subpaths
 #select
 | argumentPassing.py:94:34:94:37 | ControlFlowNode for arg3 | argumentPassing.py:94:34:94:37 | ControlFlowNode for arg3 | argumentPassing.py:77:11:77:11 | ControlFlowNode for c | Flow found |
 | argumentPassing.py:117:37:117:40 | ControlFlowNode for arg3 | argumentPassing.py:117:37:117:40 | ControlFlowNode for arg3 | argumentPassing.py:112:11:112:11 | ControlFlowNode for c | Flow found |
--- a/python/ql/test/experimental/dataflow/coverage/argumentRouting4.expected
+++ b/python/ql/test/experimental/dataflow/coverage/argumentRouting4.expected
@@ -1,3 +1,4 @@
 edges
 nodes
+subpaths
 #select
--- a/python/ql/test/experimental/dataflow/coverage/argumentRouting5.expected
+++ b/python/ql/test/experimental/dataflow/coverage/argumentRouting5.expected
@@ -1,3 +1,4 @@
 edges
 nodes
+subpaths
 #select
--- a/python/ql/test/experimental/dataflow/coverage/argumentRouting6.expected
+++ b/python/ql/test/experimental/dataflow/coverage/argumentRouting6.expected
@@ -1,3 +1,4 @@
 edges
 nodes
+subpaths
 #select
--- a/python/ql/test/experimental/dataflow/coverage/argumentRouting7.expected
+++ b/python/ql/test/experimental/dataflow/coverage/argumentRouting7.expected
@@ -11,5 +11,6 @@ nodes
 | argumentPassing.py:89:5:89:81 | KwOverflowNode for argument_passing() [Dictionary element at key g] | semmle.label | KwOverflowNode for argument_passing() [Dictionary element at key g] |
 | argumentPassing.py:89:59:89:80 | ControlFlowNode for Dict [Dictionary element at key g] | semmle.label | ControlFlowNode for Dict [Dictionary element at key g] |
 | argumentPassing.py:89:76:89:79 | ControlFlowNode for arg7 | semmle.label | ControlFlowNode for arg7 |
+subpaths
 #select
 | argumentPassing.py:89:76:89:79 | ControlFlowNode for arg7 | argumentPassing.py:89:76:89:79 | ControlFlowNode for arg7 | argumentPassing.py:82:15:82:20 | ControlFlowNode for Subscript | Flow found |
--- a/python/ql/test/experimental/dataflow/coverage/dataflow.expected
+++ b/python/ql/test/experimental/dataflow/coverage/dataflow.expected
@@ -1,8 +1,16 @@
 edges
+| datamodel.py:35:7:35:7 | ControlFlowNode for a | datamodel.py:36:10:36:10 | ControlFlowNode for a |
+| datamodel.py:38:8:38:13 | ControlFlowNode for SOURCE | datamodel.py:35:7:35:7 | ControlFlowNode for a |
 | datamodel.py:38:8:38:13 | ControlFlowNode for SOURCE | datamodel.py:38:6:38:17 | ControlFlowNode for f() |
+| datamodel.py:44:22:44:22 | ControlFlowNode for x | datamodel.py:46:16:46:16 | ControlFlowNode for x |
+| datamodel.py:49:26:49:26 | ControlFlowNode for x | datamodel.py:50:16:50:16 | ControlFlowNode for x |
+| datamodel.py:71:15:71:20 | ControlFlowNode for SOURCE | datamodel.py:44:22:44:22 | ControlFlowNode for x |
 | datamodel.py:71:15:71:20 | ControlFlowNode for SOURCE | datamodel.py:71:6:71:24 | ControlFlowNode for Attribute() |
+| datamodel.py:72:18:72:23 | ControlFlowNode for SOURCE | datamodel.py:44:22:44:22 | ControlFlowNode for x |
 | datamodel.py:72:18:72:23 | ControlFlowNode for SOURCE | datamodel.py:72:6:72:27 | ControlFlowNode for Attribute() |
+| datamodel.py:80:20:80:25 | ControlFlowNode for SOURCE | datamodel.py:49:26:49:26 | ControlFlowNode for x |
 | datamodel.py:80:20:80:25 | ControlFlowNode for SOURCE | datamodel.py:80:6:80:26 | ControlFlowNode for Attribute() |
+| datamodel.py:81:20:81:25 | ControlFlowNode for SOURCE | datamodel.py:49:26:49:26 | ControlFlowNode for x |
 | datamodel.py:81:20:81:25 | ControlFlowNode for SOURCE | datamodel.py:81:6:81:26 | ControlFlowNode for Attribute() |
 | datamodel.py:152:5:152:8 | [post store] ControlFlowNode for self [Attribute b] | datamodel.py:155:14:155:25 | ControlFlowNode for Customized() [Attribute b] |
 | datamodel.py:152:14:152:19 | ControlFlowNode for SOURCE | datamodel.py:152:5:152:8 | [post store] ControlFlowNode for self [Attribute b] |
@@ -121,25 +129,49 @@ edges
 | test.py:353:11:353:16 | ControlFlowNode for SOURCE | test.py:353:10:353:17 | ControlFlowNode for List [List element] |
 | test.py:357:10:357:22 | ControlFlowNode for Dict [Dictionary element at key s] | test.py:357:10:357:27 | ControlFlowNode for Subscript |
 | test.py:357:16:357:21 | ControlFlowNode for SOURCE | test.py:357:10:357:22 | ControlFlowNode for Dict [Dictionary element at key s] |
+| test.py:375:15:375:15 | ControlFlowNode for b | test.py:376:12:376:12 | ControlFlowNode for b |
+| test.py:380:28:380:33 | ControlFlowNode for SOURCE | test.py:375:15:375:15 | ControlFlowNode for b |
 | test.py:380:28:380:33 | ControlFlowNode for SOURCE | test.py:380:10:380:34 | ControlFlowNode for second() |
+| test.py:388:30:388:35 | ControlFlowNode for SOURCE | test.py:375:15:375:15 | ControlFlowNode for b |
 | test.py:388:30:388:35 | ControlFlowNode for SOURCE | test.py:388:10:388:36 | ControlFlowNode for second() |
+| test.py:396:10:396:43 | KwUnpacked b | test.py:375:15:375:15 | ControlFlowNode for b |
 | test.py:396:10:396:43 | KwUnpacked b | test.py:396:10:396:43 | ControlFlowNode for second() |
 | test.py:396:30:396:42 | ControlFlowNode for Dict [Dictionary element at key b] | test.py:396:10:396:43 | KwUnpacked b |
 | test.py:396:36:396:41 | ControlFlowNode for SOURCE | test.py:396:30:396:42 | ControlFlowNode for Dict [Dictionary element at key b] |
+| test.py:399:21:399:21 | ControlFlowNode for b [Tuple element at index 0] | test.py:400:12:400:12 | ControlFlowNode for b [Tuple element at index 0] |
+| test.py:400:12:400:12 | ControlFlowNode for b [Tuple element at index 0] | test.py:400:12:400:15 | ControlFlowNode for Subscript |
+| test.py:404:10:404:39 | PosOverflowNode for f_extra_pos() [Tuple element at index 0] | test.py:399:21:399:21 | ControlFlowNode for b [Tuple element at index 0] |
 | test.py:404:10:404:39 | PosOverflowNode for f_extra_pos() [Tuple element at index 0] | test.py:404:10:404:39 | ControlFlowNode for f_extra_pos() |
 | test.py:404:33:404:38 | ControlFlowNode for SOURCE | test.py:404:10:404:39 | PosOverflowNode for f_extra_pos() [Tuple element at index 0] |
+| test.py:407:26:407:26 | ControlFlowNode for b [Dictionary element at key b] | test.py:408:12:408:12 | ControlFlowNode for b [Dictionary element at key b] |
+| test.py:408:12:408:12 | ControlFlowNode for b [Dictionary element at key b] | test.py:408:12:408:17 | ControlFlowNode for Subscript |
+| test.py:412:10:412:45 | KwOverflowNode for f_extra_keyword() [Dictionary element at key b] | test.py:407:26:407:26 | ControlFlowNode for b [Dictionary element at key b] |
 | test.py:412:10:412:45 | KwOverflowNode for f_extra_keyword() [Dictionary element at key b] | test.py:412:10:412:45 | ControlFlowNode for f_extra_keyword() |
 | test.py:412:39:412:44 | ControlFlowNode for SOURCE | test.py:412:10:412:45 | KwOverflowNode for f_extra_keyword() [Dictionary element at key b] |
 | test.py:433:10:433:15 | ControlFlowNode for SOURCE | test.py:433:10:433:38 | ControlFlowNode for IfExp |
 | test.py:441:34:441:39 | ControlFlowNode for SOURCE | test.py:441:10:441:39 | ControlFlowNode for IfExp |
+| test.py:462:11:462:11 | ControlFlowNode for x | test.py:463:16:463:16 | ControlFlowNode for x |
+| test.py:465:12:465:17 | ControlFlowNode for SOURCE | test.py:462:11:462:11 | ControlFlowNode for x |
 | test.py:465:12:465:17 | ControlFlowNode for SOURCE | test.py:465:10:465:18 | ControlFlowNode for f() |
+| test.py:469:19:469:19 | ControlFlowNode for b | test.py:470:16:470:16 | ControlFlowNode for b |
+| test.py:472:28:472:33 | ControlFlowNode for SOURCE | test.py:469:19:469:19 | ControlFlowNode for b |
 | test.py:472:28:472:33 | ControlFlowNode for SOURCE | test.py:472:10:472:34 | ControlFlowNode for second() |
+| test.py:483:19:483:19 | ControlFlowNode for b | test.py:484:16:484:16 | ControlFlowNode for b |
+| test.py:486:30:486:35 | ControlFlowNode for SOURCE | test.py:483:19:483:19 | ControlFlowNode for b |
 | test.py:486:30:486:35 | ControlFlowNode for SOURCE | test.py:486:10:486:36 | ControlFlowNode for second() |
+| test.py:497:19:497:19 | ControlFlowNode for b | test.py:498:16:498:16 | ControlFlowNode for b |
+| test.py:500:10:500:43 | KwUnpacked b | test.py:497:19:497:19 | ControlFlowNode for b |
 | test.py:500:10:500:43 | KwUnpacked b | test.py:500:10:500:43 | ControlFlowNode for second() |
 | test.py:500:30:500:42 | ControlFlowNode for Dict [Dictionary element at key b] | test.py:500:10:500:43 | KwUnpacked b |
 | test.py:500:36:500:41 | ControlFlowNode for SOURCE | test.py:500:30:500:42 | ControlFlowNode for Dict [Dictionary element at key b] |
+| test.py:504:30:504:30 | ControlFlowNode for b [Tuple element at index 0] | test.py:504:33:504:33 | ControlFlowNode for b [Tuple element at index 0] |
+| test.py:504:33:504:33 | ControlFlowNode for b [Tuple element at index 0] | test.py:504:33:504:36 | ControlFlowNode for Subscript |
+| test.py:505:10:505:39 | PosOverflowNode for f_extra_pos() [Tuple element at index 0] | test.py:504:30:504:30 | ControlFlowNode for b [Tuple element at index 0] |
 | test.py:505:10:505:39 | PosOverflowNode for f_extra_pos() [Tuple element at index 0] | test.py:505:10:505:39 | ControlFlowNode for f_extra_pos() |
 | test.py:505:33:505:38 | ControlFlowNode for SOURCE | test.py:505:10:505:39 | PosOverflowNode for f_extra_pos() [Tuple element at index 0] |
+| test.py:509:35:509:35 | ControlFlowNode for b [Dictionary element at key b] | test.py:509:38:509:38 | ControlFlowNode for b [Dictionary element at key b] |
+| test.py:509:38:509:38 | ControlFlowNode for b [Dictionary element at key b] | test.py:509:38:509:43 | ControlFlowNode for Subscript |
+| test.py:510:10:510:45 | KwOverflowNode for f_extra_keyword() [Dictionary element at key b] | test.py:509:35:509:35 | ControlFlowNode for b [Dictionary element at key b] |
 | test.py:510:10:510:45 | KwOverflowNode for f_extra_keyword() [Dictionary element at key b] | test.py:510:10:510:45 | ControlFlowNode for f_extra_keyword() |
 | test.py:510:39:510:44 | ControlFlowNode for SOURCE | test.py:510:10:510:45 | KwOverflowNode for f_extra_keyword() [Dictionary element at key b] |
 | test.py:522:9:522:14 | ControlFlowNode for SOURCE | test.py:524:10:524:10 | ControlFlowNode for a |
@@ -348,8 +380,14 @@ edges
 | test.py:686:51:686:51 | ControlFlowNode for s | test.py:686:3:686:52 | PosOverflowNode for iterate_star_args() [Tuple element at index 1] |
 | test.py:757:16:757:21 | ControlFlowNode for SOURCE | test.py:760:10:760:36 | ControlFlowNode for return_from_inner_scope() |
 nodes
+| datamodel.py:35:7:35:7 | ControlFlowNode for a | semmle.label | ControlFlowNode for a |
+| datamodel.py:36:10:36:10 | ControlFlowNode for a | semmle.label | ControlFlowNode for a |
 | datamodel.py:38:6:38:17 | ControlFlowNode for f() | semmle.label | ControlFlowNode for f() |
 | datamodel.py:38:8:38:13 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
+| datamodel.py:44:22:44:22 | ControlFlowNode for x | semmle.label | ControlFlowNode for x |
+| datamodel.py:46:16:46:16 | ControlFlowNode for x | semmle.label | ControlFlowNode for x |
+| datamodel.py:49:26:49:26 | ControlFlowNode for x | semmle.label | ControlFlowNode for x |
+| datamodel.py:50:16:50:16 | ControlFlowNode for x | semmle.label | ControlFlowNode for x |
 | datamodel.py:71:6:71:24 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
 | datamodel.py:71:15:71:20 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
 | datamodel.py:72:6:72:27 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
@@ -501,6 +539,8 @@ nodes
 | test.py:357:10:357:22 | ControlFlowNode for Dict [Dictionary element at key s] | semmle.label | ControlFlowNode for Dict [Dictionary element at key s] |
 | test.py:357:10:357:27 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
 | test.py:357:16:357:21 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
+| test.py:375:15:375:15 | ControlFlowNode for b | semmle.label | ControlFlowNode for b |
+| test.py:376:12:376:12 | ControlFlowNode for b | semmle.label | ControlFlowNode for b |
 | test.py:380:10:380:34 | ControlFlowNode for second() | semmle.label | ControlFlowNode for second() |
 | test.py:380:28:380:33 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
 | test.py:388:10:388:36 | ControlFlowNode for second() | semmle.label | ControlFlowNode for second() |
@@ -509,9 +549,15 @@ nodes
 | test.py:396:10:396:43 | KwUnpacked b | semmle.label | KwUnpacked b |
 | test.py:396:30:396:42 | ControlFlowNode for Dict [Dictionary element at key b] | semmle.label | ControlFlowNode for Dict [Dictionary element at key b] |
 | test.py:396:36:396:41 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
+| test.py:399:21:399:21 | ControlFlowNode for b [Tuple element at index 0] | semmle.label | ControlFlowNode for b [Tuple element at index 0] |
+| test.py:400:12:400:12 | ControlFlowNode for b [Tuple element at index 0] | semmle.label | ControlFlowNode for b [Tuple element at index 0] |
+| test.py:400:12:400:15 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
 | test.py:404:10:404:39 | ControlFlowNode for f_extra_pos() | semmle.label | ControlFlowNode for f_extra_pos() |
 | test.py:404:10:404:39 | PosOverflowNode for f_extra_pos() [Tuple element at index 0] | semmle.label | PosOverflowNode for f_extra_pos() [Tuple element at index 0] |
 | test.py:404:33:404:38 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
+| test.py:407:26:407:26 | ControlFlowNode for b [Dictionary element at key b] | semmle.label | ControlFlowNode for b [Dictionary element at key b] |
+| test.py:408:12:408:12 | ControlFlowNode for b [Dictionary element at key b] | semmle.label | ControlFlowNode for b [Dictionary element at key b] |
+| test.py:408:12:408:17 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
 | test.py:412:10:412:45 | ControlFlowNode for f_extra_keyword() | semmle.label | ControlFlowNode for f_extra_keyword() |
 | test.py:412:10:412:45 | KwOverflowNode for f_extra_keyword() [Dictionary element at key b] | semmle.label | KwOverflowNode for f_extra_keyword() [Dictionary element at key b] |
 | test.py:412:39:412:44 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
@@ -519,19 +565,33 @@ nodes
 | test.py:433:10:433:38 | ControlFlowNode for IfExp | semmle.label | ControlFlowNode for IfExp |
 | test.py:441:10:441:39 | ControlFlowNode for IfExp | semmle.label | ControlFlowNode for IfExp |
 | test.py:441:34:441:39 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
+| test.py:462:11:462:11 | ControlFlowNode for x | semmle.label | ControlFlowNode for x |
+| test.py:463:16:463:16 | ControlFlowNode for x | semmle.label | ControlFlowNode for x |
 | test.py:465:10:465:18 | ControlFlowNode for f() | semmle.label | ControlFlowNode for f() |
 | test.py:465:12:465:17 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
+| test.py:469:19:469:19 | ControlFlowNode for b | semmle.label | ControlFlowNode for b |
+| test.py:470:16:470:16 | ControlFlowNode for b | semmle.label | ControlFlowNode for b |
 | test.py:472:10:472:34 | ControlFlowNode for second() | semmle.label | ControlFlowNode for second() |
 | test.py:472:28:472:33 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
+| test.py:483:19:483:19 | ControlFlowNode for b | semmle.label | ControlFlowNode for b |
+| test.py:484:16:484:16 | ControlFlowNode for b | semmle.label | ControlFlowNode for b |
 | test.py:486:10:486:36 | ControlFlowNode for second() | semmle.label | ControlFlowNode for second() |
 | test.py:486:30:486:35 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
+| test.py:497:19:497:19 | ControlFlowNode for b | semmle.label | ControlFlowNode for b |
+| test.py:498:16:498:16 | ControlFlowNode for b | semmle.label | ControlFlowNode for b |
 | test.py:500:10:500:43 | ControlFlowNode for second() | semmle.label | ControlFlowNode for second() |
 | test.py:500:10:500:43 | KwUnpacked b | semmle.label | KwUnpacked b |
 | test.py:500:30:500:42 | ControlFlowNode for Dict [Dictionary element at key b] | semmle.label | ControlFlowNode for Dict [Dictionary element at key b] |
 | test.py:500:36:500:41 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
+| test.py:504:30:504:30 | ControlFlowNode for b [Tuple element at index 0] | semmle.label | ControlFlowNode for b [Tuple element at index 0] |
+| test.py:504:33:504:33 | ControlFlowNode for b [Tuple element at index 0] | semmle.label | ControlFlowNode for b [Tuple element at index 0] |
+| test.py:504:33:504:36 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
 | test.py:505:10:505:39 | ControlFlowNode for f_extra_pos() | semmle.label | ControlFlowNode for f_extra_pos() |
 | test.py:505:10:505:39 | PosOverflowNode for f_extra_pos() [Tuple element at index 0] | semmle.label | PosOverflowNode for f_extra_pos() [Tuple element at index 0] |
 | test.py:505:33:505:38 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
+| test.py:509:35:509:35 | ControlFlowNode for b [Dictionary element at key b] | semmle.label | ControlFlowNode for b [Dictionary element at key b] |
+| test.py:509:38:509:38 | ControlFlowNode for b [Dictionary element at key b] | semmle.label | ControlFlowNode for b [Dictionary element at key b] |
+| test.py:509:38:509:43 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
 | test.py:510:10:510:45 | ControlFlowNode for f_extra_keyword() | semmle.label | ControlFlowNode for f_extra_keyword() |
 | test.py:510:10:510:45 | KwOverflowNode for f_extra_keyword() [Dictionary element at key b] | semmle.label | KwOverflowNode for f_extra_keyword() [Dictionary element at key b] |
 | test.py:510:39:510:44 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
@@ -758,6 +818,23 @@ nodes
 | test.py:686:51:686:51 | ControlFlowNode for s | semmle.label | ControlFlowNode for s |
 | test.py:757:16:757:21 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
 | test.py:760:10:760:36 | ControlFlowNode for return_from_inner_scope() | semmle.label | ControlFlowNode for return_from_inner_scope() |
+subpaths
+| datamodel.py:38:8:38:13 | ControlFlowNode for SOURCE | datamodel.py:35:7:35:7 | ControlFlowNode for a | datamodel.py:36:10:36:10 | ControlFlowNode for a | datamodel.py:38:6:38:17 | ControlFlowNode for f() |
+| datamodel.py:71:15:71:20 | ControlFlowNode for SOURCE | datamodel.py:44:22:44:22 | ControlFlowNode for x | datamodel.py:46:16:46:16 | ControlFlowNode for x | datamodel.py:71:6:71:24 | ControlFlowNode for Attribute() |
+| datamodel.py:72:18:72:23 | ControlFlowNode for SOURCE | datamodel.py:44:22:44:22 | ControlFlowNode for x | datamodel.py:46:16:46:16 | ControlFlowNode for x | datamodel.py:72:6:72:27 | ControlFlowNode for Attribute() |
+| datamodel.py:80:20:80:25 | ControlFlowNode for SOURCE | datamodel.py:49:26:49:26 | ControlFlowNode for x | datamodel.py:50:16:50:16 | ControlFlowNode for x | datamodel.py:80:6:80:26 | ControlFlowNode for Attribute() |
+| datamodel.py:81:20:81:25 | ControlFlowNode for SOURCE | datamodel.py:49:26:49:26 | ControlFlowNode for x | datamodel.py:50:16:50:16 | ControlFlowNode for x | datamodel.py:81:6:81:26 | ControlFlowNode for Attribute() |
+| test.py:380:28:380:33 | ControlFlowNode for SOURCE | test.py:375:15:375:15 | ControlFlowNode for b | test.py:376:12:376:12 | ControlFlowNode for b | test.py:380:10:380:34 | ControlFlowNode for second() |
+| test.py:388:30:388:35 | ControlFlowNode for SOURCE | test.py:375:15:375:15 | ControlFlowNode for b | test.py:376:12:376:12 | ControlFlowNode for b | test.py:388:10:388:36 | ControlFlowNode for second() |
+| test.py:396:10:396:43 | KwUnpacked b | test.py:375:15:375:15 | ControlFlowNode for b | test.py:376:12:376:12 | ControlFlowNode for b | test.py:396:10:396:43 | ControlFlowNode for second() |
+| test.py:404:10:404:39 | PosOverflowNode for f_extra_pos() [Tuple element at index 0] | test.py:399:21:399:21 | ControlFlowNode for b [Tuple element at index 0] | test.py:400:12:400:15 | ControlFlowNode for Subscript | test.py:404:10:404:39 | ControlFlowNode for f_extra_pos() |
+| test.py:412:10:412:45 | KwOverflowNode for f_extra_keyword() [Dictionary element at key b] | test.py:407:26:407:26 | ControlFlowNode for b [Dictionary element at key b] | test.py:408:12:408:17 | ControlFlowNode for Subscript | test.py:412:10:412:45 | ControlFlowNode for f_extra_keyword() |
+| test.py:465:12:465:17 | ControlFlowNode for SOURCE | test.py:462:11:462:11 | ControlFlowNode for x | test.py:463:16:463:16 | ControlFlowNode for x | test.py:465:10:465:18 | ControlFlowNode for f() |
+| test.py:472:28:472:33 | ControlFlowNode for SOURCE | test.py:469:19:469:19 | ControlFlowNode for b | test.py:470:16:470:16 | ControlFlowNode for b | test.py:472:10:472:34 | ControlFlowNode for second() |
+| test.py:486:30:486:35 | ControlFlowNode for SOURCE | test.py:483:19:483:19 | ControlFlowNode for b | test.py:484:16:484:16 | ControlFlowNode for b | test.py:486:10:486:36 | ControlFlowNode for second() |
+| test.py:500:10:500:43 | KwUnpacked b | test.py:497:19:497:19 | ControlFlowNode for b | test.py:498:16:498:16 | ControlFlowNode for b | test.py:500:10:500:43 | ControlFlowNode for second() |
+| test.py:505:10:505:39 | PosOverflowNode for f_extra_pos() [Tuple element at index 0] | test.py:504:30:504:30 | ControlFlowNode for b [Tuple element at index 0] | test.py:504:33:504:36 | ControlFlowNode for Subscript | test.py:505:10:505:39 | ControlFlowNode for f_extra_pos() |
+| test.py:510:10:510:45 | KwOverflowNode for f_extra_keyword() [Dictionary element at key b] | test.py:509:35:509:35 | ControlFlowNode for b [Dictionary element at key b] | test.py:509:38:509:43 | ControlFlowNode for Subscript | test.py:510:10:510:45 | ControlFlowNode for f_extra_keyword() |
 #select
 | datamodel.py:38:6:38:17 | ControlFlowNode for f() | datamodel.py:38:8:38:13 | ControlFlowNode for SOURCE | datamodel.py:38:6:38:17 | ControlFlowNode for f() | Flow found |
 | datamodel.py:71:6:71:24 | ControlFlowNode for Attribute() | datamodel.py:71:15:71:20 | ControlFlowNode for SOURCE | datamodel.py:71:6:71:24 | ControlFlowNode for Attribute() | Flow found |
--- a/python/ql/test/experimental/dataflow/fieldflow/dataflow.expected
+++ b/python/ql/test/experimental/dataflow/fieldflow/dataflow.expected
@@ -1,5 +1,10 @@
 edges
+| examples.py:7:24:7:26 | ControlFlowNode for foo | examples.py:8:20:8:22 | ControlFlowNode for foo |
+| examples.py:8:20:8:22 | ControlFlowNode for foo | examples.py:8:9:8:12 | [post store] ControlFlowNode for self [Attribute foo] |
+| examples.py:20:17:20:17 | ControlFlowNode for x | examples.py:22:15:22:15 | ControlFlowNode for x |
+| examples.py:22:15:22:15 | ControlFlowNode for x | examples.py:22:5:22:7 | [post store] ControlFlowNode for obj [Attribute foo] |
 | examples.py:27:8:27:12 | [post arg] ControlFlowNode for myobj [Attribute foo] | examples.py:28:6:28:10 | ControlFlowNode for myobj [Attribute foo] |
+| examples.py:27:15:27:20 | ControlFlowNode for SOURCE | examples.py:20:17:20:17 | ControlFlowNode for x |
 | examples.py:27:15:27:20 | ControlFlowNode for SOURCE | examples.py:27:8:27:12 | [post arg] ControlFlowNode for myobj [Attribute foo] |
 | examples.py:28:6:28:10 | ControlFlowNode for myobj [Attribute foo] | examples.py:28:6:28:14 | ControlFlowNode for Attribute |
 | examples.py:31:5:31:10 | ControlFlowNode for SOURCE | examples.py:35:13:35:13 | ControlFlowNode for x |
@@ -9,13 +14,29 @@ edges
 | examples.py:37:6:37:6 | ControlFlowNode for a [Attribute obj, Attribute foo] | examples.py:37:6:37:10 | ControlFlowNode for Attribute [Attribute foo] |
 | examples.py:37:6:37:10 | ControlFlowNode for Attribute [Attribute foo] | examples.py:37:6:37:14 | ControlFlowNode for Attribute |
 | examples.py:49:7:49:19 | ControlFlowNode for MyObj() [Attribute foo] | examples.py:50:6:50:8 | ControlFlowNode for obj [Attribute foo] |
+| examples.py:49:13:49:18 | ControlFlowNode for SOURCE | examples.py:7:24:7:26 | ControlFlowNode for foo |
 | examples.py:49:13:49:18 | ControlFlowNode for SOURCE | examples.py:49:7:49:19 | ControlFlowNode for MyObj() [Attribute foo] |
 | examples.py:50:6:50:8 | ControlFlowNode for obj [Attribute foo] | examples.py:50:6:50:12 | ControlFlowNode for Attribute |
+| examples.py:53:28:53:28 | ControlFlowNode for x | examples.py:54:17:54:17 | ControlFlowNode for x |
+| examples.py:54:11:54:18 | ControlFlowNode for MyObj() [Attribute foo] | examples.py:55:9:55:11 | ControlFlowNode for obj [Attribute foo] |
+| examples.py:54:17:54:17 | ControlFlowNode for x | examples.py:7:24:7:26 | ControlFlowNode for foo |
+| examples.py:54:17:54:17 | ControlFlowNode for x | examples.py:54:11:54:18 | ControlFlowNode for MyObj() [Attribute foo] |
+| examples.py:55:9:55:11 | ControlFlowNode for obj [Attribute foo] | examples.py:55:9:55:15 | ControlFlowNode for Attribute |
+| examples.py:55:9:55:15 | ControlFlowNode for Attribute | examples.py:56:12:56:12 | ControlFlowNode for a |
+| examples.py:59:29:59:34 | ControlFlowNode for SOURCE | examples.py:53:28:53:28 | ControlFlowNode for x |
 | examples.py:59:29:59:34 | ControlFlowNode for SOURCE | examples.py:59:6:59:35 | ControlFlowNode for fields_with_local_flow() |
+| test.py:26:24:26:26 | ControlFlowNode for foo | test.py:27:20:27:22 | ControlFlowNode for foo |
+| test.py:27:20:27:22 | ControlFlowNode for foo | test.py:27:9:27:12 | [post store] ControlFlowNode for self [Attribute foo] |
+| test.py:29:22:29:24 | ControlFlowNode for foo | test.py:30:20:30:22 | ControlFlowNode for foo |
+| test.py:30:20:30:22 | ControlFlowNode for foo | test.py:30:9:30:12 | [post store] ControlFlowNode for self [Attribute foo] |
+| test.py:41:17:41:17 | ControlFlowNode for x | test.py:43:15:43:15 | ControlFlowNode for x |
+| test.py:43:15:43:15 | ControlFlowNode for x | test.py:43:5:43:7 | [post store] ControlFlowNode for obj [Attribute foo] |
 | test.py:49:12:49:16 | [post arg] ControlFlowNode for myobj [Attribute foo] | test.py:50:10:50:14 | ControlFlowNode for myobj [Attribute foo] |
+| test.py:49:19:49:24 | ControlFlowNode for SOURCE | test.py:41:17:41:17 | ControlFlowNode for x |
 | test.py:49:19:49:24 | ControlFlowNode for SOURCE | test.py:49:12:49:16 | [post arg] ControlFlowNode for myobj [Attribute foo] |
 | test.py:50:10:50:14 | ControlFlowNode for myobj [Attribute foo] | test.py:50:10:50:18 | ControlFlowNode for Attribute |
 | test.py:56:5:56:9 | [post read] ControlFlowNode for myobj [Attribute foo] | test.py:57:10:57:14 | ControlFlowNode for myobj [Attribute foo] |
+| test.py:56:18:56:23 | ControlFlowNode for SOURCE | test.py:29:22:29:24 | ControlFlowNode for foo |
 | test.py:56:18:56:23 | ControlFlowNode for SOURCE | test.py:56:5:56:9 | [post read] ControlFlowNode for myobj [Attribute foo] |
 | test.py:57:10:57:14 | ControlFlowNode for myobj [Attribute foo] | test.py:57:10:57:18 | ControlFlowNode for Attribute |
 | test.py:61:9:61:14 | ControlFlowNode for SOURCE | test.py:65:17:65:17 | ControlFlowNode for x |
@@ -31,13 +52,28 @@ edges
 | test.py:77:10:77:10 | ControlFlowNode for a [Attribute obj, Attribute foo] | test.py:77:10:77:14 | ControlFlowNode for Attribute [Attribute foo] |
 | test.py:77:10:77:14 | ControlFlowNode for Attribute [Attribute foo] | test.py:77:10:77:18 | ControlFlowNode for Attribute |
 | test.py:81:11:81:23 | ControlFlowNode for MyObj() [Attribute foo] | test.py:82:10:82:12 | ControlFlowNode for obj [Attribute foo] |
+| test.py:81:17:81:22 | ControlFlowNode for SOURCE | test.py:26:24:26:26 | ControlFlowNode for foo |
 | test.py:81:17:81:22 | ControlFlowNode for SOURCE | test.py:81:11:81:23 | ControlFlowNode for MyObj() [Attribute foo] |
 | test.py:82:10:82:12 | ControlFlowNode for obj [Attribute foo] | test.py:82:10:82:16 | ControlFlowNode for Attribute |
 | test.py:86:11:86:27 | ControlFlowNode for MyObj() [Attribute foo] | test.py:87:10:87:12 | ControlFlowNode for obj [Attribute foo] |
+| test.py:86:21:86:26 | ControlFlowNode for SOURCE | test.py:26:24:26:26 | ControlFlowNode for foo |
 | test.py:86:21:86:26 | ControlFlowNode for SOURCE | test.py:86:11:86:27 | ControlFlowNode for MyObj() [Attribute foo] |
 | test.py:87:10:87:12 | ControlFlowNode for obj [Attribute foo] | test.py:87:10:87:16 | ControlFlowNode for Attribute |
+| test.py:90:28:90:28 | ControlFlowNode for x | test.py:91:17:91:17 | ControlFlowNode for x |
+| test.py:91:11:91:18 | ControlFlowNode for MyObj() [Attribute foo] | test.py:92:9:92:11 | ControlFlowNode for obj [Attribute foo] |
+| test.py:91:17:91:17 | ControlFlowNode for x | test.py:26:24:26:26 | ControlFlowNode for foo |
+| test.py:91:17:91:17 | ControlFlowNode for x | test.py:91:11:91:18 | ControlFlowNode for MyObj() [Attribute foo] |
+| test.py:92:9:92:11 | ControlFlowNode for obj [Attribute foo] | test.py:92:9:92:15 | ControlFlowNode for Attribute |
+| test.py:92:9:92:15 | ControlFlowNode for Attribute | test.py:93:12:93:12 | ControlFlowNode for a |
+| test.py:97:33:97:38 | ControlFlowNode for SOURCE | test.py:90:28:90:28 | ControlFlowNode for x |
 | test.py:97:33:97:38 | ControlFlowNode for SOURCE | test.py:97:10:97:39 | ControlFlowNode for fields_with_local_flow() |
 nodes
+| examples.py:7:24:7:26 | ControlFlowNode for foo | semmle.label | ControlFlowNode for foo |
+| examples.py:8:9:8:12 | [post store] ControlFlowNode for self [Attribute foo] | semmle.label | [post store] ControlFlowNode for self [Attribute foo] |
+| examples.py:8:20:8:22 | ControlFlowNode for foo | semmle.label | ControlFlowNode for foo |
+| examples.py:20:17:20:17 | ControlFlowNode for x | semmle.label | ControlFlowNode for x |
+| examples.py:22:5:22:7 | [post store] ControlFlowNode for obj [Attribute foo] | semmle.label | [post store] ControlFlowNode for obj [Attribute foo] |
+| examples.py:22:15:22:15 | ControlFlowNode for x | semmle.label | ControlFlowNode for x |
 | examples.py:27:8:27:12 | [post arg] ControlFlowNode for myobj [Attribute foo] | semmle.label | [post arg] ControlFlowNode for myobj [Attribute foo] |
 | examples.py:27:15:27:20 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
 | examples.py:28:6:28:10 | ControlFlowNode for myobj [Attribute foo] | semmle.label | ControlFlowNode for myobj [Attribute foo] |
@@ -53,8 +89,23 @@ nodes
 | examples.py:49:13:49:18 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
 | examples.py:50:6:50:8 | ControlFlowNode for obj [Attribute foo] | semmle.label | ControlFlowNode for obj [Attribute foo] |
 | examples.py:50:6:50:12 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| examples.py:53:28:53:28 | ControlFlowNode for x | semmle.label | ControlFlowNode for x |
+| examples.py:54:11:54:18 | ControlFlowNode for MyObj() [Attribute foo] | semmle.label | ControlFlowNode for MyObj() [Attribute foo] |
+| examples.py:54:17:54:17 | ControlFlowNode for x | semmle.label | ControlFlowNode for x |
+| examples.py:55:9:55:11 | ControlFlowNode for obj [Attribute foo] | semmle.label | ControlFlowNode for obj [Attribute foo] |
+| examples.py:55:9:55:15 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| examples.py:56:12:56:12 | ControlFlowNode for a | semmle.label | ControlFlowNode for a |
 | examples.py:59:6:59:35 | ControlFlowNode for fields_with_local_flow() | semmle.label | ControlFlowNode for fields_with_local_flow() |
 | examples.py:59:29:59:34 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
+| test.py:26:24:26:26 | ControlFlowNode for foo | semmle.label | ControlFlowNode for foo |
+| test.py:27:9:27:12 | [post store] ControlFlowNode for self [Attribute foo] | semmle.label | [post store] ControlFlowNode for self [Attribute foo] |
+| test.py:27:20:27:22 | ControlFlowNode for foo | semmle.label | ControlFlowNode for foo |
+| test.py:29:22:29:24 | ControlFlowNode for foo | semmle.label | ControlFlowNode for foo |
+| test.py:30:9:30:12 | [post store] ControlFlowNode for self [Attribute foo] | semmle.label | [post store] ControlFlowNode for self [Attribute foo] |
+| test.py:30:20:30:22 | ControlFlowNode for foo | semmle.label | ControlFlowNode for foo |
+| test.py:41:17:41:17 | ControlFlowNode for x | semmle.label | ControlFlowNode for x |
+| test.py:43:5:43:7 | [post store] ControlFlowNode for obj [Attribute foo] | semmle.label | [post store] ControlFlowNode for obj [Attribute foo] |
+| test.py:43:15:43:15 | ControlFlowNode for x | semmle.label | ControlFlowNode for x |
 | test.py:49:12:49:16 | [post arg] ControlFlowNode for myobj [Attribute foo] | semmle.label | [post arg] ControlFlowNode for myobj [Attribute foo] |
 | test.py:49:19:49:24 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
 | test.py:50:10:50:14 | ControlFlowNode for myobj [Attribute foo] | semmle.label | ControlFlowNode for myobj [Attribute foo] |
@@ -85,8 +136,25 @@ nodes
 | test.py:86:21:86:26 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
 | test.py:87:10:87:12 | ControlFlowNode for obj [Attribute foo] | semmle.label | ControlFlowNode for obj [Attribute foo] |
 | test.py:87:10:87:16 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| test.py:90:28:90:28 | ControlFlowNode for x | semmle.label | ControlFlowNode for x |
+| test.py:91:11:91:18 | ControlFlowNode for MyObj() [Attribute foo] | semmle.label | ControlFlowNode for MyObj() [Attribute foo] |
+| test.py:91:17:91:17 | ControlFlowNode for x | semmle.label | ControlFlowNode for x |
+| test.py:92:9:92:11 | ControlFlowNode for obj [Attribute foo] | semmle.label | ControlFlowNode for obj [Attribute foo] |
+| test.py:92:9:92:15 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| test.py:93:12:93:12 | ControlFlowNode for a | semmle.label | ControlFlowNode for a |
 | test.py:97:10:97:39 | ControlFlowNode for fields_with_local_flow() | semmle.label | ControlFlowNode for fields_with_local_flow() |
 | test.py:97:33:97:38 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
+subpaths
+| examples.py:27:15:27:20 | ControlFlowNode for SOURCE | examples.py:20:17:20:17 | ControlFlowNode for x | examples.py:22:5:22:7 | [post store] ControlFlowNode for obj [Attribute foo] | examples.py:27:8:27:12 | [post arg] ControlFlowNode for myobj [Attribute foo] |
+| examples.py:49:13:49:18 | ControlFlowNode for SOURCE | examples.py:7:24:7:26 | ControlFlowNode for foo | examples.py:8:9:8:12 | [post store] ControlFlowNode for self [Attribute foo] | examples.py:49:7:49:19 | ControlFlowNode for MyObj() [Attribute foo] |
+| examples.py:54:17:54:17 | ControlFlowNode for x | examples.py:7:24:7:26 | ControlFlowNode for foo | examples.py:8:9:8:12 | [post store] ControlFlowNode for self [Attribute foo] | examples.py:54:11:54:18 | ControlFlowNode for MyObj() [Attribute foo] |
+| examples.py:59:29:59:34 | ControlFlowNode for SOURCE | examples.py:53:28:53:28 | ControlFlowNode for x | examples.py:56:12:56:12 | ControlFlowNode for a | examples.py:59:6:59:35 | ControlFlowNode for fields_with_local_flow() |
+| test.py:49:19:49:24 | ControlFlowNode for SOURCE | test.py:41:17:41:17 | ControlFlowNode for x | test.py:43:5:43:7 | [post store] ControlFlowNode for obj [Attribute foo] | test.py:49:12:49:16 | [post arg] ControlFlowNode for myobj [Attribute foo] |
+| test.py:56:18:56:23 | ControlFlowNode for SOURCE | test.py:29:22:29:24 | ControlFlowNode for foo | test.py:30:9:30:12 | [post store] ControlFlowNode for self [Attribute foo] | test.py:56:5:56:9 | [post read] ControlFlowNode for myobj [Attribute foo] |
+| test.py:81:17:81:22 | ControlFlowNode for SOURCE | test.py:26:24:26:26 | ControlFlowNode for foo | test.py:27:9:27:12 | [post store] ControlFlowNode for self [Attribute foo] | test.py:81:11:81:23 | ControlFlowNode for MyObj() [Attribute foo] |
+| test.py:86:21:86:26 | ControlFlowNode for SOURCE | test.py:26:24:26:26 | ControlFlowNode for foo | test.py:27:9:27:12 | [post store] ControlFlowNode for self [Attribute foo] | test.py:86:11:86:27 | ControlFlowNode for MyObj() [Attribute foo] |
+| test.py:91:17:91:17 | ControlFlowNode for x | test.py:26:24:26:26 | ControlFlowNode for foo | test.py:27:9:27:12 | [post store] ControlFlowNode for self [Attribute foo] | test.py:91:11:91:18 | ControlFlowNode for MyObj() [Attribute foo] |
+| test.py:97:33:97:38 | ControlFlowNode for SOURCE | test.py:90:28:90:28 | ControlFlowNode for x | test.py:93:12:93:12 | ControlFlowNode for a | test.py:97:10:97:39 | ControlFlowNode for fields_with_local_flow() |
 #select
 | examples.py:28:6:28:14 | ControlFlowNode for Attribute | examples.py:27:15:27:20 | ControlFlowNode for SOURCE | examples.py:28:6:28:14 | ControlFlowNode for Attribute | Flow found |
 | examples.py:37:6:37:14 | ControlFlowNode for Attribute | examples.py:31:5:31:10 | ControlFlowNode for SOURCE | examples.py:37:6:37:14 | ControlFlowNode for Attribute | Flow found |
--- a/python/ql/test/experimental/dataflow/import-helper/ImportHelper.expected
+++ b/python/ql/test/experimental/dataflow/import-helper/ImportHelper.expected
@@ -1,23 +0,0 @@
-| test1.py:1:8:1:12 | ControlFlowNode for ImportExpr | mypkg |
-| test2.py:1:6:1:10 | ControlFlowNode for ImportExpr | mypkg |
-| test2.py:1:6:1:10 | ControlFlowNode for ImportExpr | mypkg |
-| test2.py:1:19:1:21 | ControlFlowNode for ImportMember | mypkg.foo |
-| test2.py:1:24:1:26 | ControlFlowNode for ImportMember | mypkg.bar |
-| test3.py:1:8:1:16 | ControlFlowNode for ImportExpr | mypkg |
-| test3.py:2:8:2:16 | ControlFlowNode for ImportExpr | mypkg |
-| test4.py:1:8:1:16 | ControlFlowNode for ImportExpr | mypkg.foo |
-| test4.py:2:8:2:16 | ControlFlowNode for ImportExpr | mypkg.bar |
-| test5.py:1:8:1:12 | ControlFlowNode for ImportExpr | mypkg |
-| test5.py:9:6:9:10 | ControlFlowNode for ImportExpr | mypkg |
-| test5.py:9:19:9:29 | ControlFlowNode for ImportMember | mypkg.bar |
-| test6.py:1:8:1:12 | ControlFlowNode for ImportExpr | mypkg |
-| test6.py:5:8:5:16 | ControlFlowNode for ImportExpr | mypkg |
-| test7.py:1:6:1:10 | ControlFlowNode for ImportExpr | mypkg |
-| test7.py:1:19:1:21 | ControlFlowNode for ImportMember | mypkg.foo |
-| test7.py:5:8:5:16 | ControlFlowNode for ImportExpr | mypkg |
-| test7.py:9:6:9:10 | ControlFlowNode for ImportExpr | mypkg |
-| test7.py:9:19:9:21 | ControlFlowNode for ImportMember | mypkg.foo |
-| test_deep.py:1:6:1:21 | ControlFlowNode for ImportExpr | start.middle.end |
-| test_deep.py:1:6:1:21 | ControlFlowNode for ImportExpr | start.middle.end |
-| test_deep.py:1:30:1:32 | ControlFlowNode for ImportMember | start.middle.end.foo |
-| test_deep.py:1:35:1:37 | ControlFlowNode for ImportMember | start.middle.end.bar |
--- a/python/ql/test/experimental/dataflow/import-helper/ImportHelper.ql
+++ b/python/ql/test/experimental/dataflow/import-helper/ImportHelper.ql
@@ -1,4 +0,0 @@
-import python
-import semmle.python.dataflow.new.DataFlow
-
-query predicate importNode(DataFlow::Node res, string name) { res = DataFlow::importNode(name) }
--- a/python/ql/test/experimental/dataflow/import-helper/README.md
+++ b/python/ql/test/experimental/dataflow/import-helper/README.md
@@ -1 +0,0 @@
-Small tests that explore difference between `import mypkg.foo` and `from mypkg import foo`.
--- a/python/ql/test/experimental/dataflow/import-helper/mypkg/init.py
+++ b/python/ql/test/experimental/dataflow/import-helper/mypkg/init.py
@@ -1 +0,0 @@
-foo = 42
--- a/python/ql/test/experimental/dataflow/import-helper/mypkg/bar.py
+++ b/python/ql/test/experimental/dataflow/import-helper/mypkg/bar.py
@@ -1 +0,0 @@
-pass
--- a/python/ql/test/experimental/dataflow/import-helper/mypkg/foo.py
+++ b/python/ql/test/experimental/dataflow/import-helper/mypkg/foo.py
@@ -1 +0,0 @@
-pass
--- a/python/ql/test/experimental/dataflow/import-helper/test1.py
+++ b/python/ql/test/experimental/dataflow/import-helper/test1.py
@@ -1,6 +0,0 @@
-import mypkg
-print(mypkg.foo)  # 42
-try:
-    print(mypkg.bar)
-except AttributeError as e:
-    print(e)  # module 'mypkg' has no attribute 'bar'
--- a/python/ql/test/experimental/dataflow/import-helper/test2.py
+++ b/python/ql/test/experimental/dataflow/import-helper/test2.py
@@ -1,3 +0,0 @@
-from mypkg import foo, bar
-print(foo)
-print(bar)
--- a/python/ql/test/experimental/dataflow/import-helper/test3.py
+++ b/python/ql/test/experimental/dataflow/import-helper/test3.py
@@ -1,4 +0,0 @@
-import mypkg.foo
-import mypkg.bar
-print(mypkg.foo)  # <module 'mypkg.foo' ...
-print(mypkg.bar)  # <module 'mypkg.bar' ...
--- a/python/ql/test/experimental/dataflow/import-helper/test4.py
+++ b/python/ql/test/experimental/dataflow/import-helper/test4.py
@@ -1,4 +0,0 @@
-import mypkg.foo as _foo
-import mypkg.bar as _bar
-print(_foo)  # <module 'mypkg.foo' ...
-print(_bar)  # <module 'mypkg.bar' ...
--- a/python/ql/test/experimental/dataflow/import-helper/test5.py
+++ b/python/ql/test/experimental/dataflow/import-helper/test5.py
@@ -1,10 +0,0 @@
-import mypkg
-
-print(mypkg.foo)  # 42
-try:
-    print(mypkg.bar)
-except AttributeError as e:
-    print(e)  # module 'mypkg' has no attribute 'bar'
-
-from mypkg import bar as _bar
-print(mypkg.bar)  # <module 'mypkg.bar' ...
--- a/python/ql/test/experimental/dataflow/import-helper/test6.py
+++ b/python/ql/test/experimental/dataflow/import-helper/test6.py
@@ -1,6 +0,0 @@
-import mypkg
-
-print(mypkg.foo) # 42
-
-import mypkg.foo
-print(mypkg.foo) # <module 'mypkg.foo' ...
--- a/python/ql/test/experimental/dataflow/import-helper/test7.py
+++ b/python/ql/test/experimental/dataflow/import-helper/test7.py
@@ -1,10 +0,0 @@
-from mypkg import foo
-
-print(foo)  # 42
-
-import mypkg.foo
-print(foo)  # 42
-print(mypkg.foo)  # <module 'mypkg.foo' ...
-
-from mypkg import foo
-print(foo)  # <module 'mypkg.foo' ...
--- a/python/ql/test/experimental/dataflow/import-helper/test_deep.py
+++ b/python/ql/test/experimental/dataflow/import-helper/test_deep.py
@@ -1,3 +0,0 @@
-from start.middle.end import foo, bar
-print(foo)
-print(bar)
--- a/python/ql/test/experimental/dataflow/typetracking/moduleattr.ql
+++ b/python/ql/test/experimental/dataflow/typetracking/moduleattr.ql
@@ -1,10 +1,11 @@
 import python
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TypeTracker
+import semmle.python.ApiGraphs

 private DataFlow::TypeTrackingNode module_tracker(TypeTracker t) {
  t.start() and
-  result = DataFlow::importNode("module")
+  result = API::moduleImport("module").getAUse()
  or
  exists(TypeTracker t2 | result = module_tracker(t2).track(t2, t))
 }
--- a/python/ql/test/experimental/dataflow/typetracking/tracked.ql
+++ b/python/ql/test/experimental/dataflow/typetracking/tracked.ql
@@ -2,6 +2,7 @@ import python
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TypeTracker
 import TestUtilities.InlineExpectationsTest
+import semmle.python.ApiGraphs

 // -----------------------------------------------------------------------------
 // tracked
@@ -119,7 +120,7 @@ class TrackedSelfTest extends InlineExpectationsTest {
 /** Gets a reference to `foo` (fictive module). */
 private DataFlow::TypeTrackingNode foo(DataFlow::TypeTracker t) {
  t.start() and
-  result = DataFlow::importNode("foo")
+  result = API::moduleImport("foo").getAUse()
  or
  exists(DataFlow::TypeTracker t2 | result = foo(t2).track(t2, t))
 }
@@ -130,7 +131,7 @@ DataFlow::Node foo() { foo(DataFlow::TypeTracker::end()).flowsTo(result) }
 /** Gets a reference to `foo.bar` (fictive module). */
 private DataFlow::TypeTrackingNode foo_bar(DataFlow::TypeTracker t) {
  t.start() and
-  result = DataFlow::importNode("foo.bar")
+  result = API::moduleImport("foo.bar").getAUse()
  or
  t.startInAttr("bar") and
  result = foo()
@@ -144,7 +145,7 @@ DataFlow::Node foo_bar() { foo_bar(DataFlow::TypeTracker::end()).flowsTo(result)
 /** Gets a reference to `foo.bar.baz` (fictive attribute on `foo.bar` module). */
 private DataFlow::TypeTrackingNode foo_bar_baz(DataFlow::TypeTracker t) {
  t.start() and
-  result = DataFlow::importNode("foo.bar.baz")
+  result = API::moduleImport("foo.bar.baz").getAUse()
  or
  t.startInAttr("baz") and
  result = foo_bar()
--- a/python/ql/test/experimental/query-tests/Security/CWE-090/LDAPInjection.expected
+++ b/python/ql/test/experimental/query-tests/Security/CWE-090/LDAPInjection.expected
@@ -80,6 +80,7 @@ nodes
 | ldap_bad.py:48:21:48:44 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
 | ldap_bad.py:55:9:55:10 | ControlFlowNode for dn | semmle.label | ControlFlowNode for dn |
 | ldap_bad.py:55:43:55:55 | ControlFlowNode for search_filter | semmle.label | ControlFlowNode for search_filter |
+subpaths
 #select
 | ldap3_bad.py:21:17:21:18 | ControlFlowNode for dn | ldap3_bad.py:13:17:13:23 | ControlFlowNode for request | ldap3_bad.py:21:17:21:18 | ControlFlowNode for dn | $@ LDAP query parameter comes from $@. | ldap3_bad.py:21:17:21:18 | ControlFlowNode for dn | This | ldap3_bad.py:13:17:13:23 | ControlFlowNode for request | a user-provided value |
 | ldap3_bad.py:21:21:21:33 | ControlFlowNode for search_filter | ldap3_bad.py:13:17:13:23 | ControlFlowNode for request | ldap3_bad.py:21:21:21:33 | ControlFlowNode for search_filter | $@ LDAP query parameter comes from $@. | ldap3_bad.py:21:21:21:33 | ControlFlowNode for search_filter | This | ldap3_bad.py:13:17:13:23 | ControlFlowNode for request | a user-provided value |
--- a/python/ql/test/experimental/query-tests/Security/CWE-730/RegexInjection.expected
+++ b/python/ql/test/experimental/query-tests/Security/CWE-730/RegexInjection.expected
@@ -21,6 +21,7 @@ nodes
 | re_bad.py:36:22:36:33 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
 | re_bad.py:36:22:36:44 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
 | re_bad.py:37:16:37:29 | ControlFlowNode for unsafe_pattern | semmle.label | ControlFlowNode for unsafe_pattern |
+subpaths
 #select
 | re_bad.py:14:15:14:28 | ControlFlowNode for unsafe_pattern | re_bad.py:13:22:13:28 | ControlFlowNode for request | re_bad.py:14:15:14:28 | ControlFlowNode for unsafe_pattern | $@ regular expression is constructed from a $@ and executed by $@. | re_bad.py:14:15:14:28 | ControlFlowNode for unsafe_pattern | This | re_bad.py:13:22:13:28 | ControlFlowNode for request | user-provided value | re_bad.py:14:5:14:13 | Attribute | re.search |
 | re_bad.py:25:35:25:48 | ControlFlowNode for unsafe_pattern | re_bad.py:24:22:24:28 | ControlFlowNode for request | re_bad.py:25:35:25:48 | ControlFlowNode for unsafe_pattern | $@ regular expression is constructed from a $@ and executed by $@. | re_bad.py:25:35:25:48 | ControlFlowNode for unsafe_pattern | This | re_bad.py:24:22:24:28 | ControlFlowNode for request | user-provided value | re_bad.py:26:5:26:27 | Attribute | re.search |
--- a/python/ql/test/library-tests/frameworks/modeling-example/NaiveModel.expected
+++ b/python/ql/test/library-tests/frameworks/modeling-example/NaiveModel.expected
@@ -26,6 +26,7 @@ nodes
 | test.py:90:11:90:14 | ControlFlowNode for bm() | semmle.label | ControlFlowNode for bm() |
 | test.py:91:10:91:12 | ControlFlowNode for val | semmle.label | ControlFlowNode for val |
 | test.py:107:11:107:18 | ControlFlowNode for source() | semmle.label | ControlFlowNode for source() |
+subpaths
 #select
 | test.py:22:10:22:24 | ControlFlowNode for Attribute() | test.py:21:11:21:18 | ControlFlowNode for source() | test.py:22:10:22:24 | ControlFlowNode for Attribute() | test flow (naive): test_simple |
 | test.py:33:10:33:12 | ControlFlowNode for val | test.py:29:11:29:18 | ControlFlowNode for source() | test.py:33:10:33:12 | ControlFlowNode for val | test flow (naive): test_alias |
--- a/python/ql/test/library-tests/frameworks/modeling-example/ProperModel.expected
+++ b/python/ql/test/library-tests/frameworks/modeling-example/ProperModel.expected
@@ -66,6 +66,7 @@ nodes
 | test.py:103:46:103:47 | ControlFlowNode for bm | semmle.label | ControlFlowNode for bm |
 | test.py:107:11:107:18 | ControlFlowNode for source() | semmle.label | ControlFlowNode for source() |
 | test.py:108:46:108:58 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+subpaths
 #select
 | test.py:22:10:22:24 | ControlFlowNode for Attribute() | test.py:21:11:21:18 | ControlFlowNode for source() | test.py:22:10:22:24 | ControlFlowNode for Attribute() | test flow (proper): test_simple |
 | test.py:33:10:33:12 | ControlFlowNode for val | test.py:29:11:29:18 | ControlFlowNode for source() | test.py:33:10:33:12 | ControlFlowNode for val | test flow (proper): test_alias |
--- a/python/ql/test/library-tests/regex/Alternation.expected
+++ b/python/ql/test/library-tests/regex/Alternation.expected
@@ -19,4 +19,4 @@
 | x\| | 0 | 2 | x\| | 0 | 1 | x |
 | x\| | 0 | 2 | x\| | 2 | 2 |  |
 | x\|(?<!\\w)l | 0 | 10 | x\|(?<!\\w)l | 0 | 1 | x |
-| x\|(?<!\\w)l | 0 | 10 | x\|(?<!\\w)l | 2 | 10 | (?<!\\w)l |
+| x\|(?<!\\w)l | 0 | 10 | x\|(?<!\\w)l | 2 | 10 | (?<!\\w)l |
--- a/python/ql/test/library-tests/regex/Characters.expected
+++ b/python/ql/test/library-tests/regex/Characters.expected
@@ -52,6 +52,8 @@
 | [^A-Z] | 2 | 3 |
 | [^A-Z] | 4 | 5 |
 | [^]] | 2 | 3 |
+| \\+0 | 0 | 2 |
+| \\+0 | 2 | 3 |
 | \\A[+-]?\\d+ | 0 | 2 |
 | \\A[+-]?\\d+ | 3 | 4 |
 | \\A[+-]?\\d+ | 4 | 5 |
--- a/python/ql/test/library-tests/regex/Consistency.expected
+++ b/python/ql/test/library-tests/regex/Consistency.expected
--- a/python/ql/test/library-tests/regex/Consistency.ql
+++ b/python/ql/test/library-tests/regex/Consistency.ql
@@ -0,0 +1,12 @@
+/**
+ * Flags regular expressions that are parsed ambigously
+ */
+
+import python
+import semmle.python.regex
+
+from string str, Location loc, int counter
+where
+  counter = strictcount(Regex term | term.getLocation() = loc and term.getText() = str) and
+  counter > 1
+select str, counter, loc
--- a/python/ql/test/library-tests/regex/FirstLast.expected
+++ b/python/ql/test/library-tests/regex/FirstLast.expected
@@ -42,6 +42,8 @@
 | [^A-Z] | last | 0 | 6 |
 | [^]] | first | 0 | 4 |
 | [^]] | last | 0 | 4 |
+| \\+0 | first | 0 | 2 |
+| \\+0 | last | 2 | 3 |
 | \\A[+-]?\\d+ | first | 0 | 2 |
 | \\A[+-]?\\d+ | last | 7 | 9 |
 | \\A[+-]?\\d+ | last | 7 | 10 |
--- a/python/ql/test/library-tests/regex/Regex.expected
+++ b/python/ql/test/library-tests/regex/Regex.expected
@@ -113,6 +113,9 @@
 | [^]] | char | 2 | 3 |
 | [^]] | char-set | 0 | 4 |
 | [^]] | sequence | 0 | 4 |
+| \\+0 | char | 0 | 2 |
+| \\+0 | char | 2 | 3 |
+| \\+0 | sequence | 0 | 3 |
 | \\A[+-]?\\d+ | char | 0 | 2 |
 | \\A[+-]?\\d+ | char | 3 | 4 |
 | \\A[+-]?\\d+ | char | 4 | 5 |
--- a/python/ql/test/library-tests/regex/charRangeTest.py
+++ b/python/ql/test/library-tests/regex/charRangeTest.py
@@ -24,7 +24,8 @@ except re.error:

 re.compile(r'[^A-Z]') #$ charRange=2:3-4:5

-re.compile(r'[\0-\09]') #$ charRange=1:3-4:7
+re.compile(r'[\0-\09]') #$ charRange=1:3-4:6
+re.compile(r'[\0-\07]') #$ charRange=1:3-4:7

 re.compile(r'[\0123-5]') #$ charRange=5:6-7:8

--- a/python/ql/test/library-tests/regex/escapedCharacterTest.py
+++ b/python/ql/test/library-tests/regex/escapedCharacterTest.py
@@ -10,8 +10,10 @@ re.compile(r'[\---]') #$ escapedCharacter=1:3
 re.compile(r'[--\-]') #$ escapedCharacter=3:5
 re.compile(r'[\--\-]') #$ escapedCharacter=1:3 escapedCharacter=4:6
 re.compile(r'[0\-9-A-Z]') #$ escapedCharacter=2:4
-re.compile(r'[\0-\09]') #$ escapedCharacter=1:3 escapedCharacter=4:7
+re.compile(r'[\0-\09]') #$ escapedCharacter=1:3 escapedCharacter=4:6
+re.compile(r'[\0-\07]') #$ escapedCharacter=1:3 escapedCharacter=4:7
 re.compile(r'[\0123-5]') #$ escapedCharacter=1:5
+re.compile(r'\1754\1854\17\18\07\08') #$ escapedCharacter=0:4 escapedCharacter=16:19 escapedCharacter=19:21

 #ODASA-3985
 #Half Surrogate pairs
@@ -21,3 +23,9 @@ re.compile(u'[\U00010000-\U0010ffff]') # not escapes

 #Misparsed on LGTM
 re.compile(r"\[(?P<txt>[^[]*)\]\((?P<uri>[^)]*)") #$ escapedCharacter=0:2 escapedCharacter=16:18 escapedCharacter=18:20
+
+#Non-raw string
+re_blank = re.compile('(\n|\r|\\s)*\n', re.M) #$ escapedCharacter=5:7
+
+#Backreference confusion
+re.compile(r'\+0') #$ escapedCharacter=0:2
--- a/python/ql/test/library-tests/regex/test.py
+++ b/python/ql/test/library-tests/regex/test.py
@@ -70,3 +70,6 @@ re.compile("", re.M) # ODASA-8056
 # FP reported in https://github.com/github/codeql/issues/3712
 # This does not define a regex (but could be used by other code to do so)
 escaped = re.escape("https://www.humblebundle.com/home/library")
+
+# Consistency check
+baz = re.compile(r'\+0')
--- a/python/ql/test/library-tests/regexparser/Consistency.expected
+++ b/python/ql/test/library-tests/regexparser/Consistency.expected
--- a/python/ql/test/library-tests/regexparser/Consistency.ql
+++ b/python/ql/test/library-tests/regexparser/Consistency.ql
@@ -0,0 +1,15 @@
+/**
+ * Flags regular expressions that are parsed ambigously
+ */
+
+import python
+import semmle.python.RegexTreeView
+
+from string str, int counter, Location loc
+where
+  counter =
+    strictcount(RegExpTerm term |
+      term.getLocation() = loc and term.isRootTerm() and term.toString() = str
+    ) and
+  counter > 1
+select str, counter, loc
--- a/python/ql/test/library-tests/regexparser/KnownCVEs.py
+++ b/python/ql/test/library-tests/regexparser/KnownCVEs.py
@@ -0,0 +1,94 @@
+import re
+
+# linear
+# https://github.com/github/codeql-python-CVE-coverage/issues/439
+rex_blame = re.compile(r'\s*(\d+)\s*(\S+) (.*)')
+
+# https://github.com/github/codeql-python-CVE-coverage/issues/402
+whitespace = br"[\000\011\012\014\015\040]"
+whitespace_optional = whitespace + b"*"
+newline_only = br"[\r\n]+"
+newline = whitespace_optional + newline_only + whitespace_optional
+toFlag = re.compile(newline)
+
+# https://github.com/github/codeql-python-CVE-coverage/issues/400
+re.compile(r'[+-]?(\d+)*\.\d+%?')
+re.compile(r'"""\s+(?:.|\n)*?\s+"""')
+re.compile(r'(\{\s+)(\S+)(\s+[^}]+\s+\}\s)')
+re.compile(r'".*``.*``.*"')
+re.compile(r'(\s*)(?:(.+)(\s*)(=)(\s*))?(.+)(\()(.*)(\))(\s*)')
+re.compile(r'(%config)(\s*\(\s*)(\w+)(\s*=\s*)(.*?)(\s*\)\s*)')
+re.compile(r'(%new)(\s*)(\()(\s*.*?\s*)(\))')
+re.compile(r'(\$)(evoque|overlay)(\{(%)?)(\s*[#\w\-"\'.]+[^=,%}]+?)?')
+re.compile(r'(\.\w+\b)(\s*=\s*)([^;]*)(\s*;)')
+
+# linear
+# https://github.com/github/codeql-python-CVE-coverage/issues/392
+simple_email_re = re.compile(r"^\S+@[a-zA-Z0-9._-]+\.[a-zA-Z0-9._-]+$")
+
+# https://github.com/github/codeql-python-CVE-coverage/issues/249
+rx = re.compile('(?:.*,)*[ \t]*([^ \t]+)[ \t]+'
+                     'realm=(["\']?)([^"\']*)\\2', re.I)
+
+# https://github.com/github/codeql-python-CVE-coverage/issues/248
+gauntlet = re.compile(
+            r"""^([-/:,#%.'"\s!\w]|\w-\w|'[\s\w]+'\s*|"[\s\w]+"|\([\d,%\.\s]+\))*$""",
+            flags=re.U
+        )
+
+# https://github.com/github/codeql-python-CVE-coverage/issues/227
+# from .compat import tobytes
+
+WS = "[ \t]"
+OWS = WS + "{0,}?"
+
+# RFC 7230 Section 3.2.6 "Field Value Components":
+# tchar          = "!" / "#" / "$" / "%" / "&" / "'" / "*"
+#                / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~"
+#                / DIGIT / ALPHA
+# obs-text      = %x80-FF
+TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]"
+OBS_TEXT = r"\x80-\xff"
+TOKEN = TCHAR + "{1,}"
+# RFC 5234 Appendix B.1 "Core Rules":
+# VCHAR         =  %x21-7E
+#                  ; visible (printing) characters
+VCHAR = r"\x21-\x7e"
+# header-field   = field-name ":" OWS field-value OWS
+# field-name     = token
+# field-value    = *( field-content / obs-fold )
+# field-content  = field-vchar [ 1*( SP / HTAB ) field-vchar ]
+# field-vchar    = VCHAR / obs-text
+# Errata from: https://www.rfc-editor.org/errata_search.php?rfc=7230&eid=4189
+# changes field-content to:
+#
+# field-content  = field-vchar [ 1*( SP / HTAB / field-vchar )
+#                  field-vchar ]
+
+FIELD_VCHAR = "[" + VCHAR + OBS_TEXT + "]"
+FIELD_CONTENT = FIELD_VCHAR + "([ \t" + VCHAR + OBS_TEXT + "]+" + FIELD_VCHAR + "){,1}"
+FIELD_VALUE = "(" + FIELD_CONTENT + "){0,}"
+
+HEADER_FIELD = re.compile(
+    #  tobytes(
+         "^(?P<name>" + TOKEN + "):" + OWS + "(?P<value>" + FIELD_VALUE + ")" + OWS + "$"
+    #  )
+ )
+
+# https://github.com/github/codeql-python-CVE-coverage/issues/224
+pattern = re.compile(
+    r'^(:?(([a-zA-Z]{1})|([a-zA-Z]{1}[a-zA-Z]{1})|'  # domain pt.1
+    r'([a-zA-Z]{1}[0-9]{1})|([0-9]{1}[a-zA-Z]{1})|'  # domain pt.2
+    r'([a-zA-Z0-9][-_a-zA-Z0-9]{0,61}[a-zA-Z0-9]))\.)+'  # domain pt.3
+    r'([a-zA-Z]{2,13}|(xn--[a-zA-Z0-9]{2,30}))$'  # TLD
+)
+
+# https://github.com/github/codeql-python-CVE-coverage/issues/189
+URL_REGEX = (
+     r'(?i)\b((?:[a-z][\w-]+:(?:/{1,3}|[a-z0-9%])|www\d{0,3}[.]|'
+     r'[a-z0-9.\-]+[.][a-z]{2,4}/)(?:[^\s()<>]+|\(([^\s()<>]+|'
+     r'(\([^\s()<>]+\)))*\))+(?:\(([^\s()<>]+|(\([^\s()<>]+\)))*\)|'
+     r'[^\s`!()\[\]{};:\'".,<>?«»“”‘’]))'  # "emacs!
+)
+
+url = re.compile(URL_REGEX)
--- a/python/ql/test/library-tests/regexparser/polredos.py
+++ b/python/ql/test/library-tests/regexparser/polredos.py
@@ -0,0 +1,9 @@
+import re
+from flask import Flask, request
+app = Flask(__name__)
+
+@app.route("/poly-redos")
+def code_execution():
+    text = request.args.get("text")
+    re.sub(r"^\s+|\s+$", "", text) # NOT OK
+    re.match(r"^0\.\d+E?\d+$", text) # NOT OK
--- a/python/ql/test/library-tests/regexparser/redos.py
+++ b/python/ql/test/library-tests/regexparser/redos.py
@@ -0,0 +1,376 @@
+# This is currently a copy of the redos test-file, since that one contains many regexes.
+
+import re
+
+# NOT GOOD; attack: "_" + "__".repeat(100)
+# Adapted from marked (https://github.com/markedjs/marked), which is licensed
+# under the MIT license; see file marked-LICENSE.
+bad1 = re.compile(r'''^\b_((?:__|[\s\S])+?)_\b|^\*((?:\*\*|[\s\S])+?)\*(?!\*)''')
+
+# GOOD
+# Adapted from marked (https://github.com/markedjs/marked), which is licensed
+# under the MIT license; see file marked-LICENSE.
+good1 = re.compile(r'^\b_((?:__|[^_])+?)_\b|^\*((?:\*\*|[^*])+?)\*(?!\*)')
+
+# GOOD - there is no witness in the end that could cause the regexp to not match
+# Adapted from brace-expansion (https://github.com/juliangruber/brace-expansion),
+# which is licensed under the MIT license; see file brace-expansion-LICENSE.
+good2 = re.compile(r'(.*,)+.+')
+
+# NOT GOOD; attack: " '" + "\\\\".repeat(100)
+# Adapted from CodeMirror (https://github.com/codemirror/codemirror),
+# which is licensed under the MIT license; see file CodeMirror-LICENSE.
+bad2 = re.compile(r'''^(?:\s+(?:"(?:[^"\\]|\\\\|\\.)+"|'(?:[^'\\]|\\\\|\\.)+'|\((?:[^)\\]|\\\\|\\.)+\)))?''')
+
+# GOOD
+# Adapted from lulucms2 (https://github.com/yiifans/lulucms2).
+good2 = re.compile(r'''\(\*(?:[\s\S]*?\(\*[\s\S]*?\*\))*[\s\S]*?\*\)''')
+
+# GOOD
+# Adapted from jest (https://github.com/facebook/jest), which is licensed
+# under the MIT license; see file jest-LICENSE.
+good3 = re.compile(r'''^ *(\S.*\|.*)\n *([-:]+ *\|[-| :]*)\n((?:.*\|.*(?:\n|$))*)\n*''')
+
+# NOT GOOD, variant of good3; attack: "a|\n:|\n" + "||\n".repeat(100)
+bad4 = re.compile(r'''^ *(\S.*\|.*)\n *([-:]+ *\|[-| :]*)\n((?:.*\|.*(?:\n|$))*)a''')
+
+# NOT GOOD; attack: "/" + "\\/a".repeat(100)
+# Adapted from ANodeBlog (https://github.com/gefangshuai/ANodeBlog),
+# which is licensed under the Apache License 2.0; see file ANodeBlog-LICENSE.
+bad5 = re.compile(r'''\/(?![ *])(\\\/|.)*?\/[gim]*(?=\W|$)''')
+
+# NOT GOOD; attack: "##".repeat(100) + "\na"
+# Adapted from CodeMirror (https://github.com/codemirror/codemirror),
+# which is licensed under the MIT license; see file CodeMirror-LICENSE.
+bad6 = re.compile(r'''^([\s\[\{\(]|#.*)*$''')
+
+# GOOD
+good4 = re.compile(r'''(\r\n|\r|\n)+''')
+
+# BAD - PoC: `node -e "/((?:[^\"\']|\".*?\"|\'.*?\')*?)([(,)]|$)/.test(\"'''''''''''''''''''''''''''''''''''''''''''''\\\"\");"`. It's complicated though, because the regexp still matches something, it just matches the empty-string after the attack string.
+actuallyBad = re.compile(r'''((?:[^"']|".*?"|'.*?')*?)([(,)]|$)''')
+
+# NOT GOOD; attack: "a" + "[]".repeat(100) + ".b\n"
+# Adapted from Knockout (https://github.com/knockout/knockout), which is
+# licensed under the MIT license; see file knockout-LICENSE
+bad6 = re.compile(r'''^[\_$a-z][\_$a-z0-9]*(\[.*?\])*(\.[\_$a-z][\_$a-z0-9]*(\[.*?\])*)*$''')
+
+# GOOD
+good6 = re.compile(r'''(a|.)*''')
+
+# Testing the NFA - only some of the below are detected.
+bad7 = re.compile(r'''^([a-z]+)+$''')
+bad8 = re.compile(r'''^([a-z]*)*$''')
+bad9 = re.compile(r'''^([a-zA-Z0-9])(([\\-.]|[_]+)?([a-zA-Z0-9]+))*(@){1}[a-z0-9]+[.]{1}(([a-z]{2,3})|([a-z]{2,3}[.]{1}[a-z]{2,3}))$''')
+bad10 = re.compile(r'''^(([a-z])+.)+[A-Z]([a-z])+$''')
+
+# NOT GOOD; attack: "[" + "][".repeat(100) + "]!"
+# Adapted from Prototype.js (https://github.com/prototypejs/prototype), which
+# is licensed under the MIT license; see file Prototype.js-LICENSE.
+bad11 = re.compile(r'''(([\w#:.~>+()\s-]+|\*|\[.*?\])+)\s*(,|$)''')
+
+# NOT GOOD; attack: "'" + "\\a".repeat(100) + '"'
+# Adapted from Prism (https://github.com/PrismJS/prism), which is licensed
+# under the MIT license; see file Prism-LICENSE.
+bad12 = re.compile(r'''("|')(\\?.)*?\1''')
+
+# NOT GOOD
+bad13 = re.compile(r'''(b|a?b)*c''')
+
+# NOT GOOD
+bad15 = re.compile(r'''(a|aa?)*b''')
+
+# GOOD
+good7 = re.compile(r'''(.|\n)*!''')
+
+# NOT GOOD; attack: "\n".repeat(100) + "."
+bad16 = re.compile(r'''(.|\n)*!''')
+
+# GOOD
+good8 = re.compile(r'''([\w.]+)*''')
+
+# NOT GOOD
+bad17 = re.compile(r'''(a|aa?)*b''')
+
+# GOOD - not used as regexp
+good9 = '(a|aa?)*b'
+
+# NOT GOOD
+bad18 = re.compile(r'''(([\s\S]|[^a])*)"''')
+
+# GOOD - there is no witness in the end that could cause the regexp to not match
+good10 = re.compile(r'''([^"']+)*''')
+
+# NOT GOOD
+bad20 = re.compile(r'''((.|[^a])*)"''')
+
+# GOOD
+good10 = re.compile(r'''((a|[^a])*)"''')
+
+# NOT GOOD
+bad21 = re.compile(r'''((b|[^a])*)"''')
+
+# NOT GOOD
+bad22 = re.compile(r'''((G|[^a])*)"''')
+
+# NOT GOOD
+bad23 = re.compile(r'''(([0-9]|[^a])*)"''')
+
+# NOT GOOD
+bad24 = re.compile(r'''(?:=(?:([!#\$%&'\*\+\-\.\^_`\|~0-9A-Za-z]+)|"((?:\\[\x00-\x7f]|[^\x00-\x08\x0a-\x1f\x7f"])*)"))?''')
+
+# NOT GOOD
+bad25 = re.compile(r'''"((?:\\[\x00-\x7f]|[^\x00-\x08\x0a-\x1f\x7f"])*)"''')
+
+# GOOD
+bad26 = re.compile(r'''"((?:\\[\x00-\x7f]|[^\x00-\x08\x0a-\x1f\x7f"\\])*)"''')
+
+# NOT GOOD
+bad27 = re.compile(r'''(([a-z]|[d-h])*)"''')
+
+# NOT GOOD
+bad27 = re.compile(r'''(([^a-z]|[^0-9])*)"''')
+
+# NOT GOOD
+bad28 = re.compile(r'''((\d|[0-9])*)"''')
+
+# NOT GOOD
+bad29 = re.compile(r'''((\s|\s)*)"''')
+
+# NOT GOOD
+bad30 = re.compile(r'''((\w|G)*)"''')
+
+# GOOD
+good11 = re.compile(r'''((\s|\d)*)"''')
+
+# NOT GOOD
+bad31 = re.compile(r'''((\d|\w)*)"''')
+
+# NOT GOOD
+bad32 = re.compile(r'''((\d|5)*)"''')
+
+# NOT GOOD
+bad33 = re.compile(r'''((\s|[\f])*)"''')
+
+# NOT GOOD
+bad34 = re.compile(r'''((\s|[\v]|\\v)*)"''')
+
+# NOT GOOD
+bad35 = re.compile(r'''((\f|[\f])*)"''')
+
+# NOT GOOD
+bad36 = re.compile(r'''((\W|\D)*)"''')
+
+# NOT GOOD
+bad37 = re.compile(r'''((\S|\w)*)"''')
+
+# NOT GOOD
+bad38 = re.compile(r'''((\S|[\w])*)"''')
+
+# NOT GOOD
+bad39 = re.compile(r'''((1s|[\da-z])*)"''')
+
+# NOT GOOD
+bad40 = re.compile(r'''((0|[\d])*)"''')
+
+# NOT GOOD
+bad41 = re.compile(r'''(([\d]+)*)"''')
+
+# GOOD - there is no witness in the end that could cause the regexp to not match
+good12 = re.compile(r'''(\d+(X\d+)?)+''')
+
+# GOOD - there is no witness in the end that could cause the regexp to not match
+good13 = re.compile(r'''([0-9]+(X[0-9]*)?)*''')
+
+# GOOD
+good15 = re.compile(r'''^([^>]+)*(>|$)''')
+
+# NOT GOOD
+bad43 = re.compile(r'''^([^>a]+)*(>|$)''')
+
+# NOT GOOD
+bad44 = re.compile(r'''(\n\s*)+$''')
+
+# NOT GOOD
+bad45 = re.compile(r'''^(?:\s+|#.*|\(\?#[^)]*\))*(?:[?*+]|{\d+(?:,\d*)?})''')
+
+# NOT GOOD
+bad46 = re.compile(r'''\{\[\s*([a-zA-Z]+)\(([a-zA-Z]+)\)((\s*([a-zA-Z]+)\: ?([ a-zA-Z{}]+),?)+)*\s*\]\}''')
+
+# NOT GOOD
+bad47 = re.compile(r'''(a+|b+|c+)*c''')
+
+# NOT GOOD
+bad48 = re.compile(r'''(((a+a?)*)+b+)''')
+
+# NOT GOOD
+bad49 = re.compile(r'''(a+)+bbbb''')
+
+# GOOD
+good16 = re.compile(r'''(a+)+aaaaa*a+''')
+
+# NOT GOOD
+bad50 = re.compile(r'''(a+)+aaaaa$''')
+
+# GOOD
+good17 = re.compile(r'''(\n+)+\n\n''')
+
+# NOT GOOD
+bad51 = re.compile(r'''(\n+)+\n\n$''')
+
+# NOT GOOD
+bad52 = re.compile(r'''([^X]+)*$''')
+
+# NOT GOOD
+bad53 = re.compile(r'''(([^X]b)+)*$''')
+
+# GOOD
+good18 = re.compile(r'''(([^X]b)+)*($|[^X]b)''')
+
+# NOT GOOD
+bad54 = re.compile(r'''(([^X]b)+)*($|[^X]c)''')
+
+# GOOD
+good20 = re.compile(r'''((ab)+)*ababab''')
+
+# GOOD
+good21 = re.compile(r'''((ab)+)*abab(ab)*(ab)+''')
+
+# GOOD
+good22 = re.compile(r'''((ab)+)*''')
+
+# NOT GOOD
+bad55 = re.compile(r'''((ab)+)*$''')
+
+# GOOD
+good23 = re.compile(r'''((ab)+)*[a1][b1][a2][b2][a3][b3]''')
+
+# NOT GOOD
+bad56 = re.compile(r'''([\n\s]+)*(.)''')
+
+# GOOD - any witness passes through the accept state.
+good24 = re.compile(r'''(A*A*X)*''')
+
+# GOOD
+good26 = re.compile(r'''([^\\\]]+)*''')
+
+# NOT GOOD
+bad59 = re.compile(r'''(\w*foobarbaz\w*foobarbaz\w*foobarbaz\w*foobarbaz\s*foobarbaz\d*foobarbaz\w*)+-''')
+
+# NOT GOOD
+bad60 = re.compile(r'''(.thisisagoddamnlongstringforstresstestingthequery|\sthisisagoddamnlongstringforstresstestingthequery)*-''')
+
+# NOT GOOD
+bad61 = re.compile(r'''(thisisagoddamnlongstringforstresstestingthequery|this\w+query)*-''')
+
+# GOOD
+good27 = re.compile(r'''(thisisagoddamnlongstringforstresstestingthequery|imanotherbutunrelatedstringcomparedtotheotherstring)*-''')
+
+# GOOD
+good28 = re.compile(r'''foo([\uDC66\uDC67]|[\uDC68\uDC69])*foo''')
+
+# GOOD
+good29 = re.compile(r'''foo((\uDC66|\uDC67)|(\uDC68|\uDC69))*foo''')
+
+# NOT GOOD (but cannot currently construct a prefix)
+bad62 = re.compile(r'''a{2,3}(b+)+X''')
+
+# NOT GOOD (and a good prefix test)
+bad63 = re.compile(r'''^<(\w+)((?:\s+\w+(?:\s*=\s*(?:(?:"[^"]*")|(?:'[^']*')|[^>\s]+))?)*)\s*(\/?)>''')
+
+# GOOD
+good30 = re.compile(r'''(a+)*[\s\S][\s\S][\s\S]?''')
+
+# GOOD - but we fail to see that repeating the attack string ends in the "accept any" state (due to not parsing the range `[\s\S]{2,3}`).
+good31 = re.compile(r'''(a+)*[\s\S]{2,3}''')
+
+# GOOD - but we spuriously conclude that a rejecting suffix exists (due to not parsing the range `[\s\S]{2,}` when constructing the NFA).
+good32 = re.compile(r'''(a+)*([\s\S]{2,}|X)$''')
+
+# GOOD
+good33 = re.compile(r'''(a+)*([\s\S]*|X)$''')
+
+# NOT GOOD
+bad64 = re.compile(r'''((a+)*$|[\s\S]+)''')
+
+# GOOD - but still flagged. The only change compared to the above is the order of alternatives, which we don't model.
+good34 = re.compile(r'''([\s\S]+|(a+)*$)''')
+
+# GOOD
+good35 = re.compile(r'''((;|^)a+)+$''')
+
+# NOT GOOD (a good prefix test)
+bad65 = re.compile(r'''(^|;)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(e+)+f''')
+
+# NOT GOOD
+bad66 = re.compile(r'''^ab(c+)+$''')
+
+# NOT GOOD
+bad67 = re.compile(r'''(\d(\s+)*){20}''')
+
+# GOOD - but we spuriously conclude that a rejecting suffix exists.
+good36 = re.compile(r'''(([^/]|X)+)(\/[\s\S]*)*$''')
+
+# GOOD - but we spuriously conclude that a rejecting suffix exists.
+good37 = re.compile(r'''^((x([^Y]+)?)*(Y|$))''')
+
+# NOT GOOD
+bad68 = re.compile(r'''(a*)+b''')
+
+# NOT GOOD
+bad69 = re.compile(r'''foo([\w-]*)+bar''')
+
+# NOT GOOD
+bad70 = re.compile(r'''((ab)*)+c''')
+
+# NOT GOOD
+bad71 = re.compile(r'''(a?a?)*b''')
+
+# GOOD
+good38 = re.compile(r'''(a?)*b''')
+
+# NOT GOOD - but not detected
+bad72 = re.compile(r'''(c?a?)*b''')
+
+# NOT GOOD
+bad73 = re.compile(r'''(?:a|a?)+b''')
+
+# NOT GOOD - but not detected.
+bad74 = re.compile(r'''(a?b?)*$''')
+
+# NOT GOOD
+bad76 = re.compile(r'''PRE(([a-c]|[c-d])T(e?e?e?e?|X))+(cTcT|cTXcTX$)''')
+
+# NOT GOOD - but not detected
+bad77 = re.compile(r'''^((a)+\w)+$''')
+
+# NOT GOOD
+bad78 = re.compile(r'''^(b+.)+$''')
+
+# GOOD
+good39 = re.compile(r'''a*b''')
+
+# All 4 bad combinations of nested * and +
+bad79 = re.compile(r'''(a*)*b''')
+bad80 = re.compile(r'''(a+)*b''')
+bad81 = re.compile(r'''(a*)+b''')
+bad82 = re.compile(r'''(a+)+b''')
+
+# GOOD
+good40 = re.compile(r'''(a|b)+''')
+good41 = re.compile(r'''(?:[\s;,"'<>(){}|[\]@=+*]|:(?![/\\]))+''') # parses wrongly, sees column 42 as a char set start
+
+# NOT GOOD
+bad83 = re.compile(r'''^((?:a{|-)|\w\{)+X$''')
+bad84 = re.compile(r'''^((?:a{0|-)|\w\{\d)+X$''')
+bad85 = re.compile(r'''^((?:a{0,|-)|\w\{\d,)+X$''')
+bad86 = re.compile(r'''^((?:a{0,2|-)|\w\{\d,\d)+X$''')
+
+# GOOD:
+good42 = re.compile(r'''^((?:a{0,2}|-)|\w\{\d,\d\})+X$''')
+
+# NOT GOOD
+bad87 = re.compile(r'X(\u0061|a)*Y')
+
+# GOOD
+good43 = re.compile(r'X(\u0061|b)+Y')
--- a/python/ql/test/library-tests/regexparser/unittests.py
+++ b/python/ql/test/library-tests/regexparser/unittests.py
@@ -0,0 +1,20 @@
+import re
+
+# Treatment of escapes
+re.compile(r"X([^\.]|\.)*$") # No ReDoS.
+re.compile(r"X(Æ|\Æ)+$") # Has ReDoS.
+
+# Treatment of line breaks
+re.compile(r'(?:.|\n)*b') # No ReDoS.
+re.compile(r'(?:.|\n)*b', re.DOTALL) # Has ReDoS.
+
+# minimal example constructed by @erik-krogh
+baz = re.compile(r'\+0')
+
+# exerpts from LGTM.com
+re.compile(r'\+0x')
+re.compile(r'\+0x.*')
+re.compile(r'+\-0+\.')
+re.compile('\s+\+0x[0-9]+')
+re.compile(r'\+0000 .*')
+re.compile('\#[0-9]+ 0x[0-9]')
--- a/python/ql/test/query-tests/Security/CWE-020-ExternalAPIs/UntrustedDataToExternalAPI.expected
+++ b/python/ql/test/query-tests/Security/CWE-020-ExternalAPIs/UntrustedDataToExternalAPI.expected
@@ -5,5 +5,6 @@ nodes
 | test.py:13:16:13:22 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
 | test.py:13:16:13:27 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
 | test.py:15:36:15:39 | ControlFlowNode for data | semmle.label | ControlFlowNode for data |
+subpaths
 #select
 | test.py:15:36:15:39 | ControlFlowNode for data | test.py:13:16:13:22 | ControlFlowNode for request | test.py:15:36:15:39 | ControlFlowNode for data | Call to hmac.new [param 1] with untrusted data from $@. | test.py:13:16:13:22 | ControlFlowNode for request | ControlFlowNode for request |
--- a/python/ql/test/query-tests/Security/CWE-078-CommandInjection-py2/CommandInjection.expected
+++ b/python/ql/test/query-tests/Security/CWE-078-CommandInjection-py2/CommandInjection.expected
@@ -21,6 +21,7 @@ nodes
 | command_injection.py:27:19:27:31 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
 | command_injection.py:28:19:28:31 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
 | command_injection.py:29:19:29:31 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
+subpaths
 #select
 | command_injection.py:19:15:19:27 | ControlFlowNode for BinaryExpr | command_injection.py:18:13:18:19 | ControlFlowNode for request | command_injection.py:19:15:19:27 | ControlFlowNode for BinaryExpr | This command depends on $@. | command_injection.py:18:13:18:19 | ControlFlowNode for request | a user-provided value |
 | command_injection.py:20:15:20:27 | ControlFlowNode for BinaryExpr | command_injection.py:18:13:18:19 | ControlFlowNode for request | command_injection.py:20:15:20:27 | ControlFlowNode for BinaryExpr | This command depends on $@. | command_injection.py:18:13:18:19 | ControlFlowNode for request | a user-provided value |
--- a/python/ql/test/query-tests/Security/CWE-078-CommandInjection/CommandInjection.expected
+++ b/python/ql/test/query-tests/Security/CWE-078-CommandInjection/CommandInjection.expected
@@ -50,6 +50,7 @@ nodes
 | command_injection.py:78:12:78:18 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
 | command_injection.py:78:12:78:23 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
 | command_injection.py:80:19:80:30 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
+subpaths
 #select
 | command_injection.py:13:15:13:27 | ControlFlowNode for BinaryExpr | command_injection.py:11:13:11:19 | ControlFlowNode for request | command_injection.py:13:15:13:27 | ControlFlowNode for BinaryExpr | This command depends on $@. | command_injection.py:11:13:11:19 | ControlFlowNode for request | a user-provided value |
 | command_injection.py:20:22:20:34 | ControlFlowNode for BinaryExpr | command_injection.py:18:13:18:19 | ControlFlowNode for request | command_injection.py:20:22:20:34 | ControlFlowNode for BinaryExpr | This command depends on $@. | command_injection.py:18:13:18:19 | ControlFlowNode for request | a user-provided value |
--- a/python/ql/test/query-tests/Security/CWE-079-ReflectedXss/ReflectedXss.expected
+++ b/python/ql/test/query-tests/Security/CWE-079-ReflectedXss/ReflectedXss.expected
@@ -15,6 +15,7 @@ nodes
 | reflected_xss.py:27:23:27:29 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
 | reflected_xss.py:27:23:27:34 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
 | reflected_xss.py:28:26:28:41 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+subpaths
 #select
 | reflected_xss.py:10:26:10:53 | ControlFlowNode for BinaryExpr | reflected_xss.py:9:18:9:24 | ControlFlowNode for request | reflected_xss.py:10:26:10:53 | ControlFlowNode for BinaryExpr | Cross-site scripting vulnerability due to $@. | reflected_xss.py:9:18:9:24 | ControlFlowNode for request | a user-provided value |
 | reflected_xss.py:22:26:22:41 | ControlFlowNode for Attribute() | reflected_xss.py:21:23:21:29 | ControlFlowNode for request | reflected_xss.py:22:26:22:41 | ControlFlowNode for Attribute() | Cross-site scripting vulnerability due to $@. | reflected_xss.py:21:23:21:29 | ControlFlowNode for request | a user-provided value |
--- a/python/ql/test/query-tests/Security/CWE-089-SqlInjection/SqlInjection.expected
+++ b/python/ql/test/query-tests/Security/CWE-089-SqlInjection/SqlInjection.expected
@@ -9,6 +9,7 @@ nodes
 | sql_injection.py:24:38:24:95 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
 | sql_injection.py:25:26:25:83 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
 | sql_injection.py:26:28:26:85 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
+subpaths
 #select
 | sql_injection.py:21:24:21:77 | ControlFlowNode for BinaryExpr | sql_injection.py:14:15:14:22 | ControlFlowNode for username | sql_injection.py:21:24:21:77 | ControlFlowNode for BinaryExpr | This SQL query depends on $@. | sql_injection.py:14:15:14:22 | ControlFlowNode for username | a user-provided value |
 | sql_injection.py:24:38:24:95 | ControlFlowNode for BinaryExpr | sql_injection.py:14:15:14:22 | ControlFlowNode for username | sql_injection.py:24:38:24:95 | ControlFlowNode for BinaryExpr | This SQL query depends on $@. | sql_injection.py:14:15:14:22 | ControlFlowNode for username | a user-provided value |
--- a/python/ql/test/query-tests/Security/CWE-094-CodeInjection/CodeInjection.expected
+++ b/python/ql/test/query-tests/Security/CWE-094-CodeInjection/CodeInjection.expected
@@ -14,6 +14,7 @@ nodes
 | code_injection.py:18:16:18:22 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
 | code_injection.py:18:16:18:27 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
 | code_injection.py:21:20:21:27 | ControlFlowNode for obj_name | semmle.label | ControlFlowNode for obj_name |
+subpaths
 #select
 | code_injection.py:7:10:7:13 | ControlFlowNode for code | code_injection.py:6:12:6:18 | ControlFlowNode for request | code_injection.py:7:10:7:13 | ControlFlowNode for code | $@ flows to here and is interpreted as code. | code_injection.py:6:12:6:18 | ControlFlowNode for request | A user-provided value |
 | code_injection.py:8:10:8:13 | ControlFlowNode for code | code_injection.py:6:12:6:18 | ControlFlowNode for request | code_injection.py:8:10:8:13 | ControlFlowNode for code | $@ flows to here and is interpreted as code. | code_injection.py:6:12:6:18 | ControlFlowNode for request | A user-provided value |
--- a/python/ql/test/query-tests/Security/CWE-209-StackTraceExposure/StackTraceExposure.expected
+++ b/python/ql/test/query-tests/Security/CWE-209-StackTraceExposure/StackTraceExposure.expected
@@ -3,6 +3,8 @@ edges
 | test.py:31:25:31:25 | SSA variable e | test.py:32:16:32:30 | ControlFlowNode for Attribute |
 | test.py:49:15:49:36 | ControlFlowNode for Attribute() | test.py:50:29:50:31 | ControlFlowNode for err |
 | test.py:50:29:50:31 | ControlFlowNode for err | test.py:50:16:50:32 | ControlFlowNode for format_error() |
+| test.py:50:29:50:31 | ControlFlowNode for err | test.py:52:18:52:20 | ControlFlowNode for msg |
+| test.py:52:18:52:20 | ControlFlowNode for msg | test.py:53:12:53:27 | ControlFlowNode for BinaryExpr |
 nodes
 | test.py:16:16:16:37 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
 | test.py:23:25:23:25 | SSA variable e | semmle.label | SSA variable e |
@@ -12,6 +14,10 @@ nodes
 | test.py:49:15:49:36 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
 | test.py:50:16:50:32 | ControlFlowNode for format_error() | semmle.label | ControlFlowNode for format_error() |
 | test.py:50:29:50:31 | ControlFlowNode for err | semmle.label | ControlFlowNode for err |
+| test.py:52:18:52:20 | ControlFlowNode for msg | semmle.label | ControlFlowNode for msg |
+| test.py:53:12:53:27 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
+subpaths
+| test.py:50:29:50:31 | ControlFlowNode for err | test.py:52:18:52:20 | ControlFlowNode for msg | test.py:53:12:53:27 | ControlFlowNode for BinaryExpr | test.py:50:16:50:32 | ControlFlowNode for format_error() |
 #select
 | test.py:16:16:16:37 | ControlFlowNode for Attribute() | test.py:16:16:16:37 | ControlFlowNode for Attribute() | test.py:16:16:16:37 | ControlFlowNode for Attribute() | $@ may be exposed to an external user | test.py:16:16:16:37 | ControlFlowNode for Attribute() | Error information |
 | test.py:24:16:24:16 | ControlFlowNode for e | test.py:23:25:23:25 | SSA variable e | test.py:24:16:24:16 | ControlFlowNode for e | $@ may be exposed to an external user | test.py:23:25:23:25 | SSA variable e | Error information |
--- a/python/ql/test/query-tests/Security/CWE-312-CleartextLogging/CleartextLogging.expected
+++ b/python/ql/test/query-tests/Security/CWE-312-CleartextLogging/CleartextLogging.expected
@@ -15,6 +15,7 @@ nodes
 | test.py:37:11:37:24 | ControlFlowNode for get_password() | semmle.label | ControlFlowNode for get_password() |
 | test.py:39:22:39:35 | ControlFlowNode for get_password() | semmle.label | ControlFlowNode for get_password() |
 | test.py:40:22:40:35 | ControlFlowNode for get_password() | semmle.label | ControlFlowNode for get_password() |
+subpaths
 #select
 | test.py:20:48:20:55 | ControlFlowNode for password | test.py:19:16:19:29 | ControlFlowNode for get_password() | test.py:20:48:20:55 | ControlFlowNode for password | $@ is logged here. | test.py:19:16:19:29 | ControlFlowNode for get_password() | Sensitive data (password) |
 | test.py:22:58:22:65 | ControlFlowNode for password | test.py:19:16:19:29 | ControlFlowNode for get_password() | test.py:22:58:22:65 | ControlFlowNode for password | $@ is logged here. | test.py:19:16:19:29 | ControlFlowNode for get_password() | Sensitive data (password) |
--- a/python/ql/test/query-tests/Security/CWE-312-CleartextStorage-py3/CleartextStorage.expected
+++ b/python/ql/test/query-tests/Security/CWE-312-CleartextStorage-py3/CleartextStorage.expected
@@ -7,6 +7,7 @@ nodes
 | test.py:12:21:12:24 | ControlFlowNode for cert | semmle.label | ControlFlowNode for cert |
 | test.py:13:22:13:41 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
 | test.py:15:26:15:29 | ControlFlowNode for cert | semmle.label | ControlFlowNode for cert |
+subpaths
 #select
 | test.py:12:21:12:24 | ControlFlowNode for cert | test.py:9:12:9:21 | ControlFlowNode for get_cert() | test.py:12:21:12:24 | ControlFlowNode for cert | $@ is stored here. | test.py:9:12:9:21 | ControlFlowNode for get_cert() | Sensitive data (certificate) |
 | test.py:13:22:13:41 | ControlFlowNode for Attribute() | test.py:9:12:9:21 | ControlFlowNode for get_cert() | test.py:13:22:13:41 | ControlFlowNode for Attribute() | $@ is stored here. | test.py:9:12:9:21 | ControlFlowNode for get_cert() | Sensitive data (certificate) |
--- a/python/ql/test/query-tests/Security/CWE-312-CleartextStorage/CleartextStorage.expected
+++ b/python/ql/test/query-tests/Security/CWE-312-CleartextStorage/CleartextStorage.expected
@@ -13,6 +13,7 @@ nodes
 | test.py:8:20:8:23 | ControlFlowNode for cert | semmle.label | ControlFlowNode for cert |
 | test.py:9:17:9:29 | ControlFlowNode for List | semmle.label | ControlFlowNode for List |
 | test.py:10:25:10:29 | ControlFlowNode for lines | semmle.label | ControlFlowNode for lines |
+subpaths
 #select
 | password_in_cookie.py:9:33:9:40 | ControlFlowNode for password | password_in_cookie.py:7:16:7:43 | ControlFlowNode for Attribute() | password_in_cookie.py:9:33:9:40 | ControlFlowNode for password | $@ is stored here. | password_in_cookie.py:7:16:7:43 | ControlFlowNode for Attribute() | Sensitive data (password) |
 | password_in_cookie.py:16:33:16:40 | ControlFlowNode for password | password_in_cookie.py:14:16:14:43 | ControlFlowNode for Attribute() | password_in_cookie.py:16:33:16:40 | ControlFlowNode for password | $@ is stored here. | password_in_cookie.py:14:16:14:43 | ControlFlowNode for Attribute() | Sensitive data (password) |
--- a/python/ql/test/query-tests/Security/CWE-327-WeakSensitiveDataHashing/WeakSensitiveDataHashing.expected
+++ b/python/ql/test/query-tests/Security/CWE-327-WeakSensitiveDataHashing/WeakSensitiveDataHashing.expected
@@ -56,6 +56,7 @@ nodes
 | test_cryptography.py:23:17:23:28 | ControlFlowNode for get_password | semmle.label | ControlFlowNode for get_password |
 | test_cryptography.py:23:17:23:30 | ControlFlowNode for get_password() | semmle.label | ControlFlowNode for get_password() |
 | test_cryptography.py:27:19:27:27 | ControlFlowNode for dangerous | semmle.label | ControlFlowNode for dangerous |
+subpaths
 #select
 | test_cryptodome.py:8:19:8:27 | ControlFlowNode for dangerous | test_cryptodome.py:2:37:2:51 | ControlFlowNode for ImportMember | test_cryptodome.py:8:19:8:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (MD5) that is insecure. | test_cryptodome.py:2:37:2:51 | ControlFlowNode for ImportMember | Sensitive data (certificate) |
 | test_cryptodome.py:8:19:8:27 | ControlFlowNode for dangerous | test_cryptodome.py:6:17:6:33 | ControlFlowNode for get_certificate() | test_cryptodome.py:8:19:8:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (MD5) that is insecure. | test_cryptodome.py:6:17:6:33 | ControlFlowNode for get_certificate() | Sensitive data (certificate) |
--- a/python/ql/test/query-tests/Security/CWE-502-UnsafeDeserialization/UnsafeDeserialization.expected
+++ b/python/ql/test/query-tests/Security/CWE-502-UnsafeDeserialization/UnsafeDeserialization.expected
@@ -11,6 +11,7 @@ nodes
 | unsafe_deserialization.py:16:15:16:21 | ControlFlowNode for payload | semmle.label | ControlFlowNode for payload |
 | unsafe_deserialization.py:18:19:18:25 | ControlFlowNode for payload | semmle.label | ControlFlowNode for payload |
 | unsafe_deserialization.py:21:16:21:22 | ControlFlowNode for payload | semmle.label | ControlFlowNode for payload |
+subpaths
 #select
 | unsafe_deserialization.py:15:18:15:24 | ControlFlowNode for payload | unsafe_deserialization.py:14:15:14:21 | ControlFlowNode for request | unsafe_deserialization.py:15:18:15:24 | ControlFlowNode for payload | Deserializing of $@. | unsafe_deserialization.py:14:15:14:21 | ControlFlowNode for request | untrusted input |
 | unsafe_deserialization.py:16:15:16:21 | ControlFlowNode for payload | unsafe_deserialization.py:14:15:14:21 | ControlFlowNode for request | unsafe_deserialization.py:16:15:16:21 | ControlFlowNode for payload | Deserializing of $@. | unsafe_deserialization.py:14:15:14:21 | ControlFlowNode for request | untrusted input |
--- a/python/ql/test/query-tests/Security/CWE-601-UrlRedirect/UrlRedirect.expected
+++ b/python/ql/test/query-tests/Security/CWE-601-UrlRedirect/UrlRedirect.expected
@@ -40,6 +40,7 @@ nodes
 | test.py:81:17:81:23 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
 | test.py:81:17:81:28 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
 | test.py:83:21:83:26 | ControlFlowNode for unsafe | semmle.label | ControlFlowNode for unsafe |
+subpaths
 #select
 | test.py:8:21:8:26 | ControlFlowNode for target | test.py:7:14:7:20 | ControlFlowNode for request | test.py:8:21:8:26 | ControlFlowNode for target | Untrusted URL redirection due to $@. | test.py:7:14:7:20 | ControlFlowNode for request | A user-provided value |
 | test.py:32:21:32:24 | ControlFlowNode for safe | test.py:30:17:30:23 | ControlFlowNode for request | test.py:32:21:32:24 | ControlFlowNode for safe | Untrusted URL redirection due to $@. | test.py:30:17:30:23 | ControlFlowNode for request | A user-provided value |
--- a/python/ql/test/query-tests/Security/CWE-730-PolynomialReDoS/PolynomialReDoS.expected
+++ b/python/ql/test/query-tests/Security/CWE-730-PolynomialReDoS/PolynomialReDoS.expected
@@ -7,6 +7,7 @@ nodes
 | test.py:7:12:7:23 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
 | test.py:8:30:8:33 | ControlFlowNode for text | semmle.label | ControlFlowNode for text |
 | test.py:9:32:9:35 | ControlFlowNode for text | semmle.label | ControlFlowNode for text |
+subpaths
 #select
 | test.py:8:30:8:33 | ControlFlowNode for text | test.py:7:12:7:18 | ControlFlowNode for request | test.py:8:30:8:33 | ControlFlowNode for text | This $@ that depends on $@ may run slow on strings with many repetitions of ' '. | test.py:8:21:8:23 | \\s+ | regular expression | test.py:7:12:7:18 | ControlFlowNode for request | a user-provided value |
 | test.py:9:32:9:35 | ControlFlowNode for text | test.py:7:12:7:18 | ControlFlowNode for request | test.py:9:32:9:35 | ControlFlowNode for text | This $@ that depends on $@ may run slow on strings with many repetitions of '99'. | test.py:9:27:9:29 | \\d+ | regular expression | test.py:7:12:7:18 | ControlFlowNode for request | a user-provided value |
				`@@ -1 +0,0 @@`
				Small tests that explore difference between `import mypkg.foo` and `from mypkg import foo`.