Python: Fix flask request modeling

This takes us part of the way. We still get multiple paths for the same alert, but that will be fixed in a different PR.
2026-05-02 20:25:13 +02:00 · 2022-09-29 17:41:21 +02:00
parent 9b03e1c0b1
commit 0cb8e121e9
2 changed files with 5 additions and 7 deletions
--- a/python/ql/lib/semmle/python/frameworks/Flask.qll
+++ b/python/ql/lib/semmle/python/frameworks/Flask.qll
@@ -354,13 +354,7 @@ module Flask {
   * See https://flask.palletsprojects.com/en/1.1.x/api/#flask.Request
   */
  private class FlaskRequestSource extends RemoteFlowSource::Range {
-    FlaskRequestSource() {
-      this = request().getAValueReachableFromSource() and
-      not any(Import imp).contains(this.asExpr()) and
-      not exists(ControlFlowNode def | this.asVar().getSourceVariable().hasDefiningNode(def) |
-        any(Import imp).contains(def.getNode())
-      )
-    }
+    FlaskRequestSource() { this = request().asSource() }

    override string getSourceType() { result = "flask.request" }
  }