merge in main

python/ql/test/library-tests/frameworks/stdlib/SafeAccessCheck.py

@@ -1,8 +1,10 @@
 s = "taintedString"
 
-if s.startswith("tainted"):  # $checks=s branch=true
+if s.startswith("tainted"):
+    s2 = s  # $SafeAccessCheck=s
     pass
 
 sw = s.startswith
-if sw("safe"):  # $ MISSING: checks=s branch=true
+if sw("safe"):
+    s2 = s  # $ MISSING: SafeAccessCheck=s
     pass

python/ql/test/library-tests/frameworks/stdlib/urllib.py

@@ -1,7 +1,20 @@
+import ssl
 from urllib.request import Request, urlopen
 
 Request("url") # $ clientRequestUrlPart="url"
 Request(url="url") # $ clientRequestUrlPart="url"
 
 urlopen("url") # $ clientRequestUrlPart="url"
-urlopen(url="url") # $ clientRequestUrlPart="url"
+urlopen(url="url") # $ clientRequestUrlPart="url"
+
+# ==============================================================================
+# Certificate validation disabled
+# ==============================================================================
+
+# A manually constructed SSLContext does not have safe defaults, so is effectively the
+# same as turning off SSL validation
+context = ssl.SSLContext()
+assert context.check_hostname == False
+assert context.verify_mode == ssl.VerifyMode.CERT_NONE
+
+urlopen("url", context=context) # $ clientRequestUrlPart="url" MISSING: clientRequestCertValidationDisabled