Python: Fix flask request modeling

This takes us part of the way. We still get multiple paths for the same alert, but that will be fixed in a different PR.
2025-12-20 18:56:32 +01:00 · 2022-09-29 17:41:21 +02:00
parent 9b03e1c0b1
commit 0cb8e121e9
2 changed files with 5 additions and 7 deletions
--- a/python/ql/lib/semmle/python/frameworks/Flask.qll
+++ b/python/ql/lib/semmle/python/frameworks/Flask.qll
@@ -354,13 +354,7 @@ module Flask {
   * See https://flask.palletsprojects.com/en/1.1.x/api/#flask.Request
   */
  private class FlaskRequestSource extends RemoteFlowSource::Range {
-    FlaskRequestSource() {
-      this = request().getAValueReachableFromSource() and
-      not any(Import imp).contains(this.asExpr()) and
-      not exists(ControlFlowNode def | this.asVar().getSourceVariable().hasDefiningNode(def) |
-        any(Import imp).contains(def.getNode())
-      )
-    }
+    FlaskRequestSource() { this = request().asSource() }

    override string getSourceType() { result = "flask.request" }
  }
--- a/python/ql/src/change-notes/2022-09-29-flask-source-modeling.md
+++ b/python/ql/src/change-notes/2022-09-29-flask-source-modeling.md
@@ -0,0 +1,4 @@
+---
+category: fix
+---
+* Fixed how `flask.request` is modeled as a RemoteFlowSource, such that we show fewer duplicated alert messages for Code Scanning alerts. The import, such as `from flask import request`, will now be shown as the first step in a path explanation.