hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-30 11:15:13 +02:00
Code Issues Packages Projects Releases Wiki Activity

Python: Remove usage of .getASuccessor() in XSLT.qll

Browse Source
This commit is contained in:
Rasmus Wriedt Larsen
2020-06-25 12:06:52 +02:00
parent 1e5eeb8009
commit 22ad8f717f
1 changed files with 1 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
python/ql/src/experimental/semmle/python/security/injection/XSLT.qll
View File

@@ -41,12 +41,7 @@ module XSLTInjection {
}
private predicate etreeXML(ControlFlowNode fromnode, CallNode tonode) {
exists(CallNode call, AttrNode atr |
atr = etree().getAReference().getASuccessor() and
// XML(text, parser=None, base_url=None)
atr.getName() = "XML" and
atr = call.getFunction()
|
exists(CallNode call | call.getFunction().(AttrNode).getObject("XML").pointsTo(etree()) |
call.getArg(0) = fromnode and
call = tonode
)