Merge remote-tracking branch 'origin/main' into jorgectf/python/insecure-cookie

2026-04-30 19:26:02 +02:00 · 2021-10-27 19:00:55 +02:00
parent 54ed25a925 c9b50f3c2f
commit 28ec8c9dee
5978 changed files with 580332 additions and 251971 deletions
--- a/python/ql/test/TestUtilities/InlineExpectationsTest.qll
+++ b/python/ql/test/TestUtilities/InlineExpectationsTest.qll
@@ -4,7 +4,7 @@
 * (in that the `.expected` file should always be empty).
 *
 * To add this framework to a new language:
- * - Add a file `InlineExpectationsTestPrivate.qll` that defines a `LineComment` class. This class
+ * - Add a file `InlineExpectationsTestPrivate.qll` that defines a `ExpectationComment` class. This class
 *   must support a `getContents` method that returns the contents of the given comment, _excluding_
 *   the comment indicator itself. It should also define `toString` and `getLocation` as usual.
 *
@@ -60,8 +60,8 @@
 *
 * Example:
 * ```cpp
- * int i = x + 5;  // $const=5
- * int j = y + (7 - 3)  // $const=7 const=3 const=4  // The result of the subtraction is a constant.
+ * int i = x + 5;  // $ const=5
+ * int j = y + (7 - 3)  // $ const=7 const=3 const=4  // The result of the subtraction is a constant.
 * ```
 *
 * For tests that contain known missing and spurious results, it is possible to further
@@ -194,7 +194,7 @@ private int getEndOfColumnPosition(int start, string content) {
 }

 private predicate getAnExpectation(
-  LineComment comment, TColumn column, string expectation, string tags, string value
+  ExpectationComment comment, TColumn column, string expectation, string tags, string value
 ) {
  exists(string content |
    content = comment.getContents().regexpCapture(expectationCommentPattern(), 1) and
@@ -247,14 +247,14 @@ private newtype TFailureLocatable =
  ) {
    test.hasActualResult(location, element, tag, value)
  } or
-  TValidExpectation(LineComment comment, string tag, string value, string knownFailure) {
+  TValidExpectation(ExpectationComment comment, string tag, string value, string knownFailure) {
    exists(TColumn column, string tags |
      getAnExpectation(comment, column, _, tags, value) and
      tag = tags.splitAt(",") and
      knownFailure = getColumnString(column)
    )
  } or
-  TInvalidExpectation(LineComment comment, string expectation) {
+  TInvalidExpectation(ExpectationComment comment, string expectation) {
    getAnExpectation(comment, _, expectation, _, _) and
    not expectation.regexpMatch(expectationPattern())
  }
@@ -292,7 +292,7 @@ class ActualResult extends FailureLocatable, TActualResult {
 }

 abstract private class Expectation extends FailureLocatable {
-  LineComment comment;
+  ExpectationComment comment;

  override string toString() { result = comment.toString() }

--- a/python/ql/test/TestUtilities/InlineExpectationsTestPrivate.qll
+++ b/python/ql/test/TestUtilities/InlineExpectationsTestPrivate.qll
@@ -4,4 +4,4 @@ import python
 * A class representing line comments in Python. As this is the only form of comment Python
 * permits, we simply reuse the `Comment` class.
 */
-class LineComment = Comment;
+class ExpectationComment = Comment;
--- a/python/ql/test/experimental/dataflow/import-helper/dataflow-consistency.expected
+++ b/python/ql/test/experimental/dataflow/import-helper/dataflow-consistency.expected
--- a/python/ql/test/experimental/dataflow/import-helper/dataflow-consistency.ql
+++ b/python/ql/test/experimental/dataflow/import-helper/dataflow-consistency.ql
--- a/python/ql/test/experimental/dataflow/ApiGraphs/test.py
+++ b/python/ql/test/experimental/dataflow/ApiGraphs/test.py
@@ -74,12 +74,6 @@ def f():
    change_foo()
    sink(foo) #$ use=moduleImport("danger").getMember("SOURCE")

-# Star imports
-
-from unknown import * #$ use=moduleImport("unknown")
-
-hello() #$ MISSING: use=moduleImport("unknown").getMember("hello").getReturn()
-

 # Subclasses

--- a/python/ql/test/experimental/dataflow/ApiGraphs/test_import_star.py
+++ b/python/ql/test/experimental/dataflow/ApiGraphs/test_import_star.py
@@ -0,0 +1,36 @@
+# Star imports
+
+from unknown import * #$ use=moduleImport("unknown")
+
+# Currently missing, as we do not consider `hello` to be a `LocalSourceNode`, since it has flow
+# going into it from its corresponding `GlobalSsaVariable`.
+hello() #$ MISSING: use=moduleImport("unknown").getMember("hello").getReturn()
+
+# We don't want our analysis to think that either `non_module_member` or `outer_bar` can
+# come from `from unknown import *`
+non_module_member
+
+outer_bar = 5
+outer_bar
+
+def foo():
+    world() #$ use=moduleImport("unknown").getMember("world").getReturn()
+    bar = 5
+    bar
+    non_module_member
+    print(bar) #$ use=moduleImport("builtins").getMember("print").getReturn()
+
+def quux():
+    global non_module_member
+    non_module_member = 5
+
+def func1():
+    var() #$ use=moduleImport("unknown").getMember("var").getReturn()
+    def func2():
+        var = "FOO"
+
+def func3():
+    var2 = print #$ use=moduleImport("builtins").getMember("print")
+    def func4():
+        var2() #$ MISSING: use=moduleImport("builtins").getMember("print").getReturn()
+    func4()
--- a/python/ql/test/experimental/dataflow/ApiGraphs/test_import_star2.py
+++ b/python/ql/test/experimental/dataflow/ApiGraphs/test_import_star2.py
@@ -0,0 +1,15 @@
+# Star imports in local scope
+
+hello2() 
+
+def foo():
+    from unknown2 import * #$ use=moduleImport("unknown2")
+    world2() #$ use=moduleImport("unknown2").getMember("world2").getReturn()
+    bar2 = 5
+    bar2
+    non_module_member2
+    print(bar2) #$ use=moduleImport("builtins").getMember("print").getReturn()
+
+def quux2():
+    global non_module_member2
+    non_module_member2 = 5
--- a/python/ql/test/experimental/dataflow/TestUtil/FlowTest.qll
+++ b/python/ql/test/experimental/dataflow/TestUtil/FlowTest.qll
@@ -1,7 +1,7 @@
 import python
 import semmle.python.dataflow.new.DataFlow
 import TestUtilities.InlineExpectationsTest
-import experimental.dataflow.TestUtil.PrintNode
+private import semmle.python.dataflow.new.internal.PrintNode

 abstract class FlowTest extends InlineExpectationsTest {
  bindingset[this]
--- a/python/ql/test/experimental/dataflow/TestUtil/PrintNode.qll
+++ b/python/ql/test/experimental/dataflow/TestUtil/PrintNode.qll
@@ -1,55 +0,0 @@
-import python
-import semmle.python.dataflow.new.DataFlow
-
-string prettyExpr(Expr e) {
-  not e instanceof Num and
-  not e instanceof StrConst and
-  not e instanceof Subscript and
-  not e instanceof Call and
-  not e instanceof Attribute and
-  result = e.toString()
-  or
-  result = e.(Num).getN()
-  or
-  result =
-    e.(StrConst).getPrefix() + e.(StrConst).getText() +
-      e.(StrConst).getPrefix().regexpReplaceAll("[a-zA-Z]+", "")
-  or
-  result = prettyExpr(e.(Subscript).getObject()) + "[" + prettyExpr(e.(Subscript).getIndex()) + "]"
-  or
-  (
-    if exists(e.(Call).getAnArg()) or exists(e.(Call).getANamedArg())
-    then result = prettyExpr(e.(Call).getFunc()) + "(..)"
-    else result = prettyExpr(e.(Call).getFunc()) + "()"
-  )
-  or
-  result = prettyExpr(e.(Attribute).getObject()) + "." + e.(Attribute).getName()
-}
-
-/**
- * Gets pretty-printed version of the DataFlow::Node `node`
- */
-bindingset[node]
-string prettyNode(DataFlow::Node node) {
-  if exists(node.asExpr()) then result = prettyExpr(node.asExpr()) else result = node.toString()
-}
-
-/**
- * Gets pretty-printed version of the DataFlow::Node `node`, that is suitable for use
- * with `TestUtilities.InlineExpectationsTest` (that is, no spaces unless required).
- */
-bindingset[node]
-string prettyNodeForInlineTest(DataFlow::Node node) {
-  exists(node.asExpr()) and
-  result = prettyExpr(node.asExpr())
-  or
-  exists(Expr e | e = node.(DataFlow::PostUpdateNode).getPreUpdateNode().asExpr() |
-    // since PostUpdateNode both has space in the `[post <thing>]` annotation, and does
-    // not pretty print the pre-update node, we do custom handling of this.
-    result = "[post]" + prettyExpr(e)
-  )
-  or
-  not exists(node.asExpr()) and
-  not exists(Expr e | e = node.(DataFlow::PostUpdateNode).getPreUpdateNode().asExpr()) and
-  result = node.toString()
-}
--- a/python/ql/test/experimental/dataflow/TestUtil/RoutingTest.qll
+++ b/python/ql/test/experimental/dataflow/TestUtil/RoutingTest.qll
@@ -1,7 +1,7 @@
 import python
 import semmle.python.dataflow.new.DataFlow
 import TestUtilities.InlineExpectationsTest
-import experimental.dataflow.TestUtil.PrintNode
+private import semmle.python.dataflow.new.internal.PrintNode

 /**
 * A routing test is designed to test that values are routed to the
--- a/python/ql/test/experimental/dataflow/coverage/argumentPassing.py
+++ b/python/ql/test/experimental/dataflow/coverage/argumentPassing.py
@@ -66,9 +66,9 @@ def argument_passing(
    b,
    /,
    c,
-    d=arg4,
+    d=arg4,  #$ arg4 func=argument_passing
    *,
-    e=arg5,
+    e=arg5,  #$ arg5 func=argument_passing
    f,
    **g,
 ):
@@ -120,7 +120,7 @@ def test_multiple_kw_args():
    with_multiple_kw_args(**{"b": arg2}, **{"c": arg3}, **{"a": arg1})  #$ arg1 arg2 arg3 func=with_multiple_kw_args


-def with_default_arguments(a=arg1, b=arg2, c=arg3):  # Need a mechanism to test default arguments
+def with_default_arguments(a=arg1, b=arg2, c=arg3):  #$ arg1 arg2 arg3 func=with_default_arguments
    SINK1(a)
    SINK2(b)
    SINK3(c)
--- a/python/ql/test/experimental/dataflow/coverage/argumentRouting1.expected
+++ b/python/ql/test/experimental/dataflow/coverage/argumentRouting1.expected
@@ -14,6 +14,8 @@ edges
 | argumentPassing.py:120:59:120:69 | ControlFlowNode for Dict [Dictionary element at key a] | argumentPassing.py:120:5:120:70 | KwUnpacked a |
 | argumentPassing.py:120:65:120:68 | ControlFlowNode for arg1 | argumentPassing.py:120:59:120:69 | ControlFlowNode for Dict [Dictionary element at key a] |
 | argumentPassing.py:123:28:123:28 | ControlFlowNode for a | argumentPassing.py:124:11:124:11 | ControlFlowNode for a |
+| argumentPassing.py:123:28:123:28 | ControlFlowNode for a | argumentPassing.py:124:11:124:11 | ControlFlowNode for a |
+| argumentPassing.py:123:30:123:33 | ControlFlowNode for arg1 | argumentPassing.py:123:28:123:28 | ControlFlowNode for a |
 | argumentPassing.py:132:28:132:31 | ControlFlowNode for arg1 | argumentPassing.py:123:28:123:28 | ControlFlowNode for a |
 | argumentPassing.py:138:22:138:24 | ControlFlowNode for foo | argumentPassing.py:139:11:139:13 | ControlFlowNode for foo |
 | argumentPassing.py:160:46:160:49 | ControlFlowNode for arg1 | argumentPassing.py:138:22:138:24 | ControlFlowNode for foo |
@@ -102,6 +104,8 @@ nodes
 | argumentPassing.py:120:59:120:69 | ControlFlowNode for Dict [Dictionary element at key a] | semmle.label | ControlFlowNode for Dict [Dictionary element at key a] |
 | argumentPassing.py:120:65:120:68 | ControlFlowNode for arg1 | semmle.label | ControlFlowNode for arg1 |
 | argumentPassing.py:123:28:123:28 | ControlFlowNode for a | semmle.label | ControlFlowNode for a |
+| argumentPassing.py:123:28:123:28 | ControlFlowNode for a | semmle.label | ControlFlowNode for a |
+| argumentPassing.py:123:30:123:33 | ControlFlowNode for arg1 | semmle.label | ControlFlowNode for arg1 |
 | argumentPassing.py:124:11:124:11 | ControlFlowNode for a | semmle.label | ControlFlowNode for a |
 | argumentPassing.py:132:28:132:31 | ControlFlowNode for arg1 | semmle.label | ControlFlowNode for arg1 |
 | argumentPassing.py:138:22:138:24 | ControlFlowNode for foo | semmle.label | ControlFlowNode for foo |
@@ -196,6 +200,7 @@ nodes
 | classes.py:860:15:860:18 | ControlFlowNode for self | semmle.label | ControlFlowNode for self |
 | classes.py:866:5:866:11 | SSA variable with_or | semmle.label | SSA variable with_or |
 | classes.py:868:5:868:11 | ControlFlowNode for with_or | semmle.label | ControlFlowNode for with_or |
+subpaths
 #select
 | argumentPassing.py:89:22:89:25 | ControlFlowNode for arg1 | argumentPassing.py:89:22:89:25 | ControlFlowNode for arg1 | argumentPassing.py:75:11:75:11 | ControlFlowNode for a | Flow found |
 | argumentPassing.py:94:22:94:25 | ControlFlowNode for arg1 | argumentPassing.py:94:22:94:25 | ControlFlowNode for arg1 | argumentPassing.py:75:11:75:11 | ControlFlowNode for a | Flow found |
@@ -206,6 +211,7 @@ nodes
 | argumentPassing.py:118:27:118:30 | ControlFlowNode for arg1 | argumentPassing.py:118:27:118:30 | ControlFlowNode for arg1 | argumentPassing.py:110:11:110:11 | ControlFlowNode for a | Flow found |
 | argumentPassing.py:119:27:119:30 | ControlFlowNode for arg1 | argumentPassing.py:119:27:119:30 | ControlFlowNode for arg1 | argumentPassing.py:110:11:110:11 | ControlFlowNode for a | Flow found |
 | argumentPassing.py:120:65:120:68 | ControlFlowNode for arg1 | argumentPassing.py:120:65:120:68 | ControlFlowNode for arg1 | argumentPassing.py:110:11:110:11 | ControlFlowNode for a | Flow found |
+| argumentPassing.py:123:30:123:33 | ControlFlowNode for arg1 | argumentPassing.py:123:30:123:33 | ControlFlowNode for arg1 | argumentPassing.py:124:11:124:11 | ControlFlowNode for a | Flow found |
 | argumentPassing.py:132:28:132:31 | ControlFlowNode for arg1 | argumentPassing.py:132:28:132:31 | ControlFlowNode for arg1 | argumentPassing.py:124:11:124:11 | ControlFlowNode for a | Flow found |
 | argumentPassing.py:160:46:160:49 | ControlFlowNode for arg1 | argumentPassing.py:160:46:160:49 | ControlFlowNode for arg1 | argumentPassing.py:139:11:139:13 | ControlFlowNode for foo | Flow found |
 | argumentPassing.py:168:14:168:17 | ControlFlowNode for arg1 | argumentPassing.py:168:14:168:17 | ControlFlowNode for arg1 | argumentPassing.py:166:15:166:15 | ControlFlowNode for a | Flow found |
--- a/python/ql/test/experimental/dataflow/coverage/argumentRouting2.expected
+++ b/python/ql/test/experimental/dataflow/coverage/argumentRouting2.expected
@@ -10,6 +10,8 @@ edges
 | argumentPassing.py:120:29:120:39 | ControlFlowNode for Dict [Dictionary element at key b] | argumentPassing.py:120:5:120:70 | KwUnpacked b |
 | argumentPassing.py:120:35:120:38 | ControlFlowNode for arg2 | argumentPassing.py:120:29:120:39 | ControlFlowNode for Dict [Dictionary element at key b] |
 | argumentPassing.py:123:36:123:36 | ControlFlowNode for b | argumentPassing.py:125:11:125:11 | ControlFlowNode for b |
+| argumentPassing.py:123:36:123:36 | ControlFlowNode for b | argumentPassing.py:125:11:125:11 | ControlFlowNode for b |
+| argumentPassing.py:123:38:123:41 | ControlFlowNode for arg2 | argumentPassing.py:123:36:123:36 | ControlFlowNode for b |
 | argumentPassing.py:133:30:133:33 | ControlFlowNode for arg2 | argumentPassing.py:123:36:123:36 | ControlFlowNode for b |
 | argumentPassing.py:138:29:138:34 | ControlFlowNode for kwargs [Dictionary element at key bar] | argumentPassing.py:140:20:140:25 | ControlFlowNode for kwargs [Dictionary element at key bar] |
 | argumentPassing.py:140:5:140:26 | KwUnpacked bar | argumentPassing.py:145:18:145:20 | ControlFlowNode for bar |
@@ -64,6 +66,8 @@ nodes
 | argumentPassing.py:120:29:120:39 | ControlFlowNode for Dict [Dictionary element at key b] | semmle.label | ControlFlowNode for Dict [Dictionary element at key b] |
 | argumentPassing.py:120:35:120:38 | ControlFlowNode for arg2 | semmle.label | ControlFlowNode for arg2 |
 | argumentPassing.py:123:36:123:36 | ControlFlowNode for b | semmle.label | ControlFlowNode for b |
+| argumentPassing.py:123:36:123:36 | ControlFlowNode for b | semmle.label | ControlFlowNode for b |
+| argumentPassing.py:123:38:123:41 | ControlFlowNode for arg2 | semmle.label | ControlFlowNode for arg2 |
 | argumentPassing.py:125:11:125:11 | ControlFlowNode for b | semmle.label | ControlFlowNode for b |
 | argumentPassing.py:133:30:133:33 | ControlFlowNode for arg2 | semmle.label | ControlFlowNode for arg2 |
 | argumentPassing.py:138:29:138:34 | ControlFlowNode for kwargs [Dictionary element at key bar] | semmle.label | ControlFlowNode for kwargs [Dictionary element at key bar] |
@@ -121,12 +125,14 @@ nodes
 | classes.py:858:22:858:26 | ControlFlowNode for other | semmle.label | ControlFlowNode for other |
 | classes.py:859:15:859:19 | ControlFlowNode for other | semmle.label | ControlFlowNode for other |
 | classes.py:868:15:868:18 | ControlFlowNode for arg2 | semmle.label | ControlFlowNode for arg2 |
+subpaths
 #select
 | argumentPassing.py:94:28:94:31 | ControlFlowNode for arg2 | argumentPassing.py:94:28:94:31 | ControlFlowNode for arg2 | argumentPassing.py:76:11:76:11 | ControlFlowNode for b | Flow found |
 | argumentPassing.py:104:25:104:28 | ControlFlowNode for arg2 | argumentPassing.py:104:25:104:28 | ControlFlowNode for arg2 | argumentPassing.py:99:11:99:11 | ControlFlowNode for b | Flow found |
 | argumentPassing.py:105:27:105:30 | ControlFlowNode for arg2 | argumentPassing.py:105:27:105:30 | ControlFlowNode for arg2 | argumentPassing.py:99:11:99:11 | ControlFlowNode for b | Flow found |
 | argumentPassing.py:117:29:117:32 | ControlFlowNode for arg2 | argumentPassing.py:117:29:117:32 | ControlFlowNode for arg2 | argumentPassing.py:111:11:111:11 | ControlFlowNode for b | Flow found |
 | argumentPassing.py:120:35:120:38 | ControlFlowNode for arg2 | argumentPassing.py:120:35:120:38 | ControlFlowNode for arg2 | argumentPassing.py:111:11:111:11 | ControlFlowNode for b | Flow found |
+| argumentPassing.py:123:38:123:41 | ControlFlowNode for arg2 | argumentPassing.py:123:38:123:41 | ControlFlowNode for arg2 | argumentPassing.py:125:11:125:11 | ControlFlowNode for b | Flow found |
 | argumentPassing.py:133:30:133:33 | ControlFlowNode for arg2 | argumentPassing.py:133:30:133:33 | ControlFlowNode for arg2 | argumentPassing.py:125:11:125:11 | ControlFlowNode for b | Flow found |
 | argumentPassing.py:160:36:160:39 | ControlFlowNode for arg2 | argumentPassing.py:160:36:160:39 | ControlFlowNode for arg2 | argumentPassing.py:146:11:146:13 | ControlFlowNode for bar | Flow found |
 | classes.py:565:18:565:21 | ControlFlowNode for arg2 | classes.py:565:18:565:21 | ControlFlowNode for arg2 | classes.py:556:15:556:17 | ControlFlowNode for key | Flow found |
--- a/python/ql/test/experimental/dataflow/coverage/argumentRouting3.expected
+++ b/python/ql/test/experimental/dataflow/coverage/argumentRouting3.expected
@@ -10,6 +10,8 @@ edges
 | argumentPassing.py:120:44:120:54 | ControlFlowNode for Dict [Dictionary element at key c] | argumentPassing.py:120:5:120:70 | KwUnpacked c |
 | argumentPassing.py:120:50:120:53 | ControlFlowNode for arg3 | argumentPassing.py:120:44:120:54 | ControlFlowNode for Dict [Dictionary element at key c] |
 | argumentPassing.py:123:44:123:44 | ControlFlowNode for c | argumentPassing.py:126:11:126:11 | ControlFlowNode for c |
+| argumentPassing.py:123:44:123:44 | ControlFlowNode for c | argumentPassing.py:126:11:126:11 | ControlFlowNode for c |
+| argumentPassing.py:123:46:123:49 | ControlFlowNode for arg3 | argumentPassing.py:123:44:123:44 | ControlFlowNode for c |
 | argumentPassing.py:134:5:134:41 | KwUnpacked c | argumentPassing.py:123:44:123:44 | ControlFlowNode for c |
 | argumentPassing.py:134:30:134:40 | ControlFlowNode for Dict [Dictionary element at key c] | argumentPassing.py:134:5:134:41 | KwUnpacked c |
 | argumentPassing.py:134:36:134:39 | ControlFlowNode for arg3 | argumentPassing.py:134:30:134:40 | ControlFlowNode for Dict [Dictionary element at key c] |
@@ -37,6 +39,8 @@ nodes
 | argumentPassing.py:120:44:120:54 | ControlFlowNode for Dict [Dictionary element at key c] | semmle.label | ControlFlowNode for Dict [Dictionary element at key c] |
 | argumentPassing.py:120:50:120:53 | ControlFlowNode for arg3 | semmle.label | ControlFlowNode for arg3 |
 | argumentPassing.py:123:44:123:44 | ControlFlowNode for c | semmle.label | ControlFlowNode for c |
+| argumentPassing.py:123:44:123:44 | ControlFlowNode for c | semmle.label | ControlFlowNode for c |
+| argumentPassing.py:123:46:123:49 | ControlFlowNode for arg3 | semmle.label | ControlFlowNode for arg3 |
 | argumentPassing.py:126:11:126:11 | ControlFlowNode for c | semmle.label | ControlFlowNode for c |
 | argumentPassing.py:134:5:134:41 | KwUnpacked c | semmle.label | KwUnpacked c |
 | argumentPassing.py:134:30:134:40 | ControlFlowNode for Dict [Dictionary element at key c] | semmle.label | ControlFlowNode for Dict [Dictionary element at key c] |
@@ -53,11 +57,13 @@ nodes
 | classes.py:570:32:570:36 | ControlFlowNode for value | semmle.label | ControlFlowNode for value |
 | classes.py:571:15:571:19 | ControlFlowNode for value | semmle.label | ControlFlowNode for value |
 | classes.py:581:26:581:29 | ControlFlowNode for arg3 | semmle.label | ControlFlowNode for arg3 |
+subpaths
 #select
 | argumentPassing.py:94:34:94:37 | ControlFlowNode for arg3 | argumentPassing.py:94:34:94:37 | ControlFlowNode for arg3 | argumentPassing.py:77:11:77:11 | ControlFlowNode for c | Flow found |
 | argumentPassing.py:117:37:117:40 | ControlFlowNode for arg3 | argumentPassing.py:117:37:117:40 | ControlFlowNode for arg3 | argumentPassing.py:112:11:112:11 | ControlFlowNode for c | Flow found |
 | argumentPassing.py:119:41:119:44 | ControlFlowNode for arg3 | argumentPassing.py:119:41:119:44 | ControlFlowNode for arg3 | argumentPassing.py:112:11:112:11 | ControlFlowNode for c | Flow found |
 | argumentPassing.py:120:50:120:53 | ControlFlowNode for arg3 | argumentPassing.py:120:50:120:53 | ControlFlowNode for arg3 | argumentPassing.py:112:11:112:11 | ControlFlowNode for c | Flow found |
+| argumentPassing.py:123:46:123:49 | ControlFlowNode for arg3 | argumentPassing.py:123:46:123:49 | ControlFlowNode for arg3 | argumentPassing.py:126:11:126:11 | ControlFlowNode for c | Flow found |
 | argumentPassing.py:134:36:134:39 | ControlFlowNode for arg3 | argumentPassing.py:134:36:134:39 | ControlFlowNode for arg3 | argumentPassing.py:126:11:126:11 | ControlFlowNode for c | Flow found |
 | argumentPassing.py:160:26:160:29 | ControlFlowNode for arg3 | argumentPassing.py:160:26:160:29 | ControlFlowNode for arg3 | argumentPassing.py:155:11:155:13 | ControlFlowNode for baz | Flow found |
 | classes.py:581:26:581:29 | ControlFlowNode for arg3 | classes.py:581:26:581:29 | ControlFlowNode for arg3 | classes.py:571:15:571:19 | ControlFlowNode for value | Flow found |
--- a/python/ql/test/experimental/dataflow/coverage/argumentRouting4.expected
+++ b/python/ql/test/experimental/dataflow/coverage/argumentRouting4.expected
@@ -1,3 +1,10 @@
 edges
+| argumentPassing.py:69:5:69:5 | ControlFlowNode for d | argumentPassing.py:78:11:78:11 | ControlFlowNode for d |
+| argumentPassing.py:69:7:69:10 | ControlFlowNode for arg4 | argumentPassing.py:69:5:69:5 | ControlFlowNode for d |
 nodes
+| argumentPassing.py:69:5:69:5 | ControlFlowNode for d | semmle.label | ControlFlowNode for d |
+| argumentPassing.py:69:7:69:10 | ControlFlowNode for arg4 | semmle.label | ControlFlowNode for arg4 |
+| argumentPassing.py:78:11:78:11 | ControlFlowNode for d | semmle.label | ControlFlowNode for d |
+subpaths
 #select
+| argumentPassing.py:69:7:69:10 | ControlFlowNode for arg4 | argumentPassing.py:69:7:69:10 | ControlFlowNode for arg4 | argumentPassing.py:78:11:78:11 | ControlFlowNode for d | Flow found |
--- a/python/ql/test/experimental/dataflow/coverage/argumentRouting5.expected
+++ b/python/ql/test/experimental/dataflow/coverage/argumentRouting5.expected
@@ -1,3 +1,10 @@
 edges
+| argumentPassing.py:71:5:71:5 | ControlFlowNode for e | argumentPassing.py:79:11:79:11 | ControlFlowNode for e |
+| argumentPassing.py:71:7:71:10 | ControlFlowNode for arg5 | argumentPassing.py:71:5:71:5 | ControlFlowNode for e |
 nodes
+| argumentPassing.py:71:5:71:5 | ControlFlowNode for e | semmle.label | ControlFlowNode for e |
+| argumentPassing.py:71:7:71:10 | ControlFlowNode for arg5 | semmle.label | ControlFlowNode for arg5 |
+| argumentPassing.py:79:11:79:11 | ControlFlowNode for e | semmle.label | ControlFlowNode for e |
+subpaths
 #select
+| argumentPassing.py:71:7:71:10 | ControlFlowNode for arg5 | argumentPassing.py:71:7:71:10 | ControlFlowNode for arg5 | argumentPassing.py:79:11:79:11 | ControlFlowNode for e | Flow found |
--- a/python/ql/test/experimental/dataflow/coverage/argumentRouting6.expected
+++ b/python/ql/test/experimental/dataflow/coverage/argumentRouting6.expected
@@ -1,3 +1,4 @@
 edges
 nodes
+subpaths
 #select
--- a/python/ql/test/experimental/dataflow/coverage/argumentRouting7.expected
+++ b/python/ql/test/experimental/dataflow/coverage/argumentRouting7.expected
@@ -11,5 +11,6 @@ nodes
 | argumentPassing.py:89:5:89:81 | KwOverflowNode for argument_passing() [Dictionary element at key g] | semmle.label | KwOverflowNode for argument_passing() [Dictionary element at key g] |
 | argumentPassing.py:89:59:89:80 | ControlFlowNode for Dict [Dictionary element at key g] | semmle.label | ControlFlowNode for Dict [Dictionary element at key g] |
 | argumentPassing.py:89:76:89:79 | ControlFlowNode for arg7 | semmle.label | ControlFlowNode for arg7 |
+subpaths
 #select
 | argumentPassing.py:89:76:89:79 | ControlFlowNode for arg7 | argumentPassing.py:89:76:89:79 | ControlFlowNode for arg7 | argumentPassing.py:82:15:82:20 | ControlFlowNode for Subscript | Flow found |
--- a/python/ql/test/experimental/dataflow/coverage/dataflow.expected
+++ b/python/ql/test/experimental/dataflow/coverage/dataflow.expected
--- a/python/ql/test/experimental/dataflow/coverage/test.py
+++ b/python/ql/test/experimental/dataflow/coverage/test.py
@@ -422,6 +422,18 @@ def test_call_extra_keyword_flow():
    SINK(f_extra_keyword_flow(**{SOURCE: None})) #$ MISSING:flow="SOURCE -> f_extra_keyword(..)"


+# 6.11. Boolean operations
+
+def test_or(x = False):
+    # if we don't know the value of the lhs, we should always add flow
+    SINK(x or SOURCE) #$ flow="SOURCE -> BoolExpr"
+
+
+def test_and(x = True):
+    # if we don't know the value of the lhs, we should always add flow
+    SINK(x and SOURCE) #$ flow="SOURCE -> BoolExpr"
+
+
 # 6.12. Assignment expressions
 def test_assignment_expression():
    x = NONSOURCE
@@ -793,6 +805,6 @@ def test_reverse_read_subscript_cls():

@expects(3)
 def test_with_default_param_value(x=SOURCE, /, y=SOURCE, *, z=SOURCE):
-    SINK(x) #$ MISSING:flow="SOURCE, l:-1 -> x"
-    SINK(y) #$ MISSING:flow="SOURCE, l:-2 -> y"
-    SINK(z) #$ MISSING:flow="SOURCE, l:-3 -> z"
+    SINK(x) #$ flow="SOURCE, l:-1 -> x"
+    SINK(y) #$ flow="SOURCE, l:-2 -> y"
+    SINK(z) #$ flow="SOURCE, l:-3 -> z"
--- a/python/ql/test/experimental/dataflow/fieldflow/allLocalFlow.expected
+++ b/python/ql/test/experimental/dataflow/fieldflow/allLocalFlow.expected
@@ -72,9 +72,14 @@
 | test.py:6:15:6:15 | ControlFlowNode for x | test.py:6:15:6:15 | SSA variable x |
 | test.py:6:15:6:15 | SSA variable x | test.py:7:12:7:12 | ControlFlowNode for x |
 | test.py:7:12:7:12 | ControlFlowNode for x | test.py:7:29:7:29 | ControlFlowNode for x |
+| test.py:7:12:7:24 | ControlFlowNode for Compare | test.py:7:12:7:78 | ControlFlowNode for BoolExpr |
 | test.py:7:29:7:29 | ControlFlowNode for x | test.py:7:47:7:47 | ControlFlowNode for x |
+| test.py:7:29:7:42 | ControlFlowNode for Compare | test.py:7:12:7:78 | ControlFlowNode for BoolExpr |
 | test.py:7:47:7:47 | ControlFlowNode for x | test.py:7:58:7:58 | ControlFlowNode for x |
+| test.py:7:47:7:53 | ControlFlowNode for Compare | test.py:7:12:7:78 | ControlFlowNode for BoolExpr |
 | test.py:7:58:7:58 | ControlFlowNode for x | test.py:7:71:7:71 | ControlFlowNode for x |
+| test.py:7:58:7:66 | ControlFlowNode for Compare | test.py:7:12:7:78 | ControlFlowNode for BoolExpr |
+| test.py:7:71:7:78 | ControlFlowNode for Compare | test.py:7:12:7:78 | ControlFlowNode for BoolExpr |
 | test.py:10:1:10:12 | ControlFlowNode for FunctionExpr | test.py:10:5:10:8 | GSSA Variable SINK |
 | test.py:10:1:10:12 | GSSA Variable is_source | test.py:11:8:11:16 | ControlFlowNode for is_source |
 | test.py:10:10:10:10 | ControlFlowNode for x | test.py:10:10:10:10 | SSA variable x |
--- a/python/ql/test/experimental/dataflow/fieldflow/dataflow.expected
+++ b/python/ql/test/experimental/dataflow/fieldflow/dataflow.expected
@@ -1,5 +1,10 @@
 edges
+| examples.py:7:24:7:26 | ControlFlowNode for foo | examples.py:8:20:8:22 | ControlFlowNode for foo |
+| examples.py:8:20:8:22 | ControlFlowNode for foo | examples.py:8:9:8:12 | [post store] ControlFlowNode for self [Attribute foo] |
+| examples.py:20:17:20:17 | ControlFlowNode for x | examples.py:22:15:22:15 | ControlFlowNode for x |
+| examples.py:22:15:22:15 | ControlFlowNode for x | examples.py:22:5:22:7 | [post store] ControlFlowNode for obj [Attribute foo] |
 | examples.py:27:8:27:12 | [post arg] ControlFlowNode for myobj [Attribute foo] | examples.py:28:6:28:10 | ControlFlowNode for myobj [Attribute foo] |
+| examples.py:27:15:27:20 | ControlFlowNode for SOURCE | examples.py:20:17:20:17 | ControlFlowNode for x |
 | examples.py:27:15:27:20 | ControlFlowNode for SOURCE | examples.py:27:8:27:12 | [post arg] ControlFlowNode for myobj [Attribute foo] |
 | examples.py:28:6:28:10 | ControlFlowNode for myobj [Attribute foo] | examples.py:28:6:28:14 | ControlFlowNode for Attribute |
 | examples.py:31:5:31:10 | ControlFlowNode for SOURCE | examples.py:35:13:35:13 | ControlFlowNode for x |
@@ -9,13 +14,29 @@ edges
 | examples.py:37:6:37:6 | ControlFlowNode for a [Attribute obj, Attribute foo] | examples.py:37:6:37:10 | ControlFlowNode for Attribute [Attribute foo] |
 | examples.py:37:6:37:10 | ControlFlowNode for Attribute [Attribute foo] | examples.py:37:6:37:14 | ControlFlowNode for Attribute |
 | examples.py:49:7:49:19 | ControlFlowNode for MyObj() [Attribute foo] | examples.py:50:6:50:8 | ControlFlowNode for obj [Attribute foo] |
+| examples.py:49:13:49:18 | ControlFlowNode for SOURCE | examples.py:7:24:7:26 | ControlFlowNode for foo |
 | examples.py:49:13:49:18 | ControlFlowNode for SOURCE | examples.py:49:7:49:19 | ControlFlowNode for MyObj() [Attribute foo] |
 | examples.py:50:6:50:8 | ControlFlowNode for obj [Attribute foo] | examples.py:50:6:50:12 | ControlFlowNode for Attribute |
+| examples.py:53:28:53:28 | ControlFlowNode for x | examples.py:54:17:54:17 | ControlFlowNode for x |
+| examples.py:54:11:54:18 | ControlFlowNode for MyObj() [Attribute foo] | examples.py:55:9:55:11 | ControlFlowNode for obj [Attribute foo] |
+| examples.py:54:17:54:17 | ControlFlowNode for x | examples.py:7:24:7:26 | ControlFlowNode for foo |
+| examples.py:54:17:54:17 | ControlFlowNode for x | examples.py:54:11:54:18 | ControlFlowNode for MyObj() [Attribute foo] |
+| examples.py:55:9:55:11 | ControlFlowNode for obj [Attribute foo] | examples.py:55:9:55:15 | ControlFlowNode for Attribute |
+| examples.py:55:9:55:15 | ControlFlowNode for Attribute | examples.py:56:12:56:12 | ControlFlowNode for a |
+| examples.py:59:29:59:34 | ControlFlowNode for SOURCE | examples.py:53:28:53:28 | ControlFlowNode for x |
 | examples.py:59:29:59:34 | ControlFlowNode for SOURCE | examples.py:59:6:59:35 | ControlFlowNode for fields_with_local_flow() |
+| test.py:26:24:26:26 | ControlFlowNode for foo | test.py:27:20:27:22 | ControlFlowNode for foo |
+| test.py:27:20:27:22 | ControlFlowNode for foo | test.py:27:9:27:12 | [post store] ControlFlowNode for self [Attribute foo] |
+| test.py:29:22:29:24 | ControlFlowNode for foo | test.py:30:20:30:22 | ControlFlowNode for foo |
+| test.py:30:20:30:22 | ControlFlowNode for foo | test.py:30:9:30:12 | [post store] ControlFlowNode for self [Attribute foo] |
+| test.py:41:17:41:17 | ControlFlowNode for x | test.py:43:15:43:15 | ControlFlowNode for x |
+| test.py:43:15:43:15 | ControlFlowNode for x | test.py:43:5:43:7 | [post store] ControlFlowNode for obj [Attribute foo] |
 | test.py:49:12:49:16 | [post arg] ControlFlowNode for myobj [Attribute foo] | test.py:50:10:50:14 | ControlFlowNode for myobj [Attribute foo] |
+| test.py:49:19:49:24 | ControlFlowNode for SOURCE | test.py:41:17:41:17 | ControlFlowNode for x |
 | test.py:49:19:49:24 | ControlFlowNode for SOURCE | test.py:49:12:49:16 | [post arg] ControlFlowNode for myobj [Attribute foo] |
 | test.py:50:10:50:14 | ControlFlowNode for myobj [Attribute foo] | test.py:50:10:50:18 | ControlFlowNode for Attribute |
 | test.py:56:5:56:9 | [post read] ControlFlowNode for myobj [Attribute foo] | test.py:57:10:57:14 | ControlFlowNode for myobj [Attribute foo] |
+| test.py:56:18:56:23 | ControlFlowNode for SOURCE | test.py:29:22:29:24 | ControlFlowNode for foo |
 | test.py:56:18:56:23 | ControlFlowNode for SOURCE | test.py:56:5:56:9 | [post read] ControlFlowNode for myobj [Attribute foo] |
 | test.py:57:10:57:14 | ControlFlowNode for myobj [Attribute foo] | test.py:57:10:57:18 | ControlFlowNode for Attribute |
 | test.py:61:9:61:14 | ControlFlowNode for SOURCE | test.py:65:17:65:17 | ControlFlowNode for x |
@@ -31,13 +52,28 @@ edges
 | test.py:77:10:77:10 | ControlFlowNode for a [Attribute obj, Attribute foo] | test.py:77:10:77:14 | ControlFlowNode for Attribute [Attribute foo] |
 | test.py:77:10:77:14 | ControlFlowNode for Attribute [Attribute foo] | test.py:77:10:77:18 | ControlFlowNode for Attribute |
 | test.py:81:11:81:23 | ControlFlowNode for MyObj() [Attribute foo] | test.py:82:10:82:12 | ControlFlowNode for obj [Attribute foo] |
+| test.py:81:17:81:22 | ControlFlowNode for SOURCE | test.py:26:24:26:26 | ControlFlowNode for foo |
 | test.py:81:17:81:22 | ControlFlowNode for SOURCE | test.py:81:11:81:23 | ControlFlowNode for MyObj() [Attribute foo] |
 | test.py:82:10:82:12 | ControlFlowNode for obj [Attribute foo] | test.py:82:10:82:16 | ControlFlowNode for Attribute |
 | test.py:86:11:86:27 | ControlFlowNode for MyObj() [Attribute foo] | test.py:87:10:87:12 | ControlFlowNode for obj [Attribute foo] |
+| test.py:86:21:86:26 | ControlFlowNode for SOURCE | test.py:26:24:26:26 | ControlFlowNode for foo |
 | test.py:86:21:86:26 | ControlFlowNode for SOURCE | test.py:86:11:86:27 | ControlFlowNode for MyObj() [Attribute foo] |
 | test.py:87:10:87:12 | ControlFlowNode for obj [Attribute foo] | test.py:87:10:87:16 | ControlFlowNode for Attribute |
+| test.py:90:28:90:28 | ControlFlowNode for x | test.py:91:17:91:17 | ControlFlowNode for x |
+| test.py:91:11:91:18 | ControlFlowNode for MyObj() [Attribute foo] | test.py:92:9:92:11 | ControlFlowNode for obj [Attribute foo] |
+| test.py:91:17:91:17 | ControlFlowNode for x | test.py:26:24:26:26 | ControlFlowNode for foo |
+| test.py:91:17:91:17 | ControlFlowNode for x | test.py:91:11:91:18 | ControlFlowNode for MyObj() [Attribute foo] |
+| test.py:92:9:92:11 | ControlFlowNode for obj [Attribute foo] | test.py:92:9:92:15 | ControlFlowNode for Attribute |
+| test.py:92:9:92:15 | ControlFlowNode for Attribute | test.py:93:12:93:12 | ControlFlowNode for a |
+| test.py:97:33:97:38 | ControlFlowNode for SOURCE | test.py:90:28:90:28 | ControlFlowNode for x |
 | test.py:97:33:97:38 | ControlFlowNode for SOURCE | test.py:97:10:97:39 | ControlFlowNode for fields_with_local_flow() |
 nodes
+| examples.py:7:24:7:26 | ControlFlowNode for foo | semmle.label | ControlFlowNode for foo |
+| examples.py:8:9:8:12 | [post store] ControlFlowNode for self [Attribute foo] | semmle.label | [post store] ControlFlowNode for self [Attribute foo] |
+| examples.py:8:20:8:22 | ControlFlowNode for foo | semmle.label | ControlFlowNode for foo |
+| examples.py:20:17:20:17 | ControlFlowNode for x | semmle.label | ControlFlowNode for x |
+| examples.py:22:5:22:7 | [post store] ControlFlowNode for obj [Attribute foo] | semmle.label | [post store] ControlFlowNode for obj [Attribute foo] |
+| examples.py:22:15:22:15 | ControlFlowNode for x | semmle.label | ControlFlowNode for x |
 | examples.py:27:8:27:12 | [post arg] ControlFlowNode for myobj [Attribute foo] | semmle.label | [post arg] ControlFlowNode for myobj [Attribute foo] |
 | examples.py:27:15:27:20 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
 | examples.py:28:6:28:10 | ControlFlowNode for myobj [Attribute foo] | semmle.label | ControlFlowNode for myobj [Attribute foo] |
@@ -53,8 +89,23 @@ nodes
 | examples.py:49:13:49:18 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
 | examples.py:50:6:50:8 | ControlFlowNode for obj [Attribute foo] | semmle.label | ControlFlowNode for obj [Attribute foo] |
 | examples.py:50:6:50:12 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| examples.py:53:28:53:28 | ControlFlowNode for x | semmle.label | ControlFlowNode for x |
+| examples.py:54:11:54:18 | ControlFlowNode for MyObj() [Attribute foo] | semmle.label | ControlFlowNode for MyObj() [Attribute foo] |
+| examples.py:54:17:54:17 | ControlFlowNode for x | semmle.label | ControlFlowNode for x |
+| examples.py:55:9:55:11 | ControlFlowNode for obj [Attribute foo] | semmle.label | ControlFlowNode for obj [Attribute foo] |
+| examples.py:55:9:55:15 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| examples.py:56:12:56:12 | ControlFlowNode for a | semmle.label | ControlFlowNode for a |
 | examples.py:59:6:59:35 | ControlFlowNode for fields_with_local_flow() | semmle.label | ControlFlowNode for fields_with_local_flow() |
 | examples.py:59:29:59:34 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
+| test.py:26:24:26:26 | ControlFlowNode for foo | semmle.label | ControlFlowNode for foo |
+| test.py:27:9:27:12 | [post store] ControlFlowNode for self [Attribute foo] | semmle.label | [post store] ControlFlowNode for self [Attribute foo] |
+| test.py:27:20:27:22 | ControlFlowNode for foo | semmle.label | ControlFlowNode for foo |
+| test.py:29:22:29:24 | ControlFlowNode for foo | semmle.label | ControlFlowNode for foo |
+| test.py:30:9:30:12 | [post store] ControlFlowNode for self [Attribute foo] | semmle.label | [post store] ControlFlowNode for self [Attribute foo] |
+| test.py:30:20:30:22 | ControlFlowNode for foo | semmle.label | ControlFlowNode for foo |
+| test.py:41:17:41:17 | ControlFlowNode for x | semmle.label | ControlFlowNode for x |
+| test.py:43:5:43:7 | [post store] ControlFlowNode for obj [Attribute foo] | semmle.label | [post store] ControlFlowNode for obj [Attribute foo] |
+| test.py:43:15:43:15 | ControlFlowNode for x | semmle.label | ControlFlowNode for x |
 | test.py:49:12:49:16 | [post arg] ControlFlowNode for myobj [Attribute foo] | semmle.label | [post arg] ControlFlowNode for myobj [Attribute foo] |
 | test.py:49:19:49:24 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
 | test.py:50:10:50:14 | ControlFlowNode for myobj [Attribute foo] | semmle.label | ControlFlowNode for myobj [Attribute foo] |
@@ -85,8 +136,25 @@ nodes
 | test.py:86:21:86:26 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
 | test.py:87:10:87:12 | ControlFlowNode for obj [Attribute foo] | semmle.label | ControlFlowNode for obj [Attribute foo] |
 | test.py:87:10:87:16 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| test.py:90:28:90:28 | ControlFlowNode for x | semmle.label | ControlFlowNode for x |
+| test.py:91:11:91:18 | ControlFlowNode for MyObj() [Attribute foo] | semmle.label | ControlFlowNode for MyObj() [Attribute foo] |
+| test.py:91:17:91:17 | ControlFlowNode for x | semmle.label | ControlFlowNode for x |
+| test.py:92:9:92:11 | ControlFlowNode for obj [Attribute foo] | semmle.label | ControlFlowNode for obj [Attribute foo] |
+| test.py:92:9:92:15 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| test.py:93:12:93:12 | ControlFlowNode for a | semmle.label | ControlFlowNode for a |
 | test.py:97:10:97:39 | ControlFlowNode for fields_with_local_flow() | semmle.label | ControlFlowNode for fields_with_local_flow() |
 | test.py:97:33:97:38 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
+subpaths
+| examples.py:27:15:27:20 | ControlFlowNode for SOURCE | examples.py:20:17:20:17 | ControlFlowNode for x | examples.py:22:5:22:7 | [post store] ControlFlowNode for obj [Attribute foo] | examples.py:27:8:27:12 | [post arg] ControlFlowNode for myobj [Attribute foo] |
+| examples.py:49:13:49:18 | ControlFlowNode for SOURCE | examples.py:7:24:7:26 | ControlFlowNode for foo | examples.py:8:9:8:12 | [post store] ControlFlowNode for self [Attribute foo] | examples.py:49:7:49:19 | ControlFlowNode for MyObj() [Attribute foo] |
+| examples.py:54:17:54:17 | ControlFlowNode for x | examples.py:7:24:7:26 | ControlFlowNode for foo | examples.py:8:9:8:12 | [post store] ControlFlowNode for self [Attribute foo] | examples.py:54:11:54:18 | ControlFlowNode for MyObj() [Attribute foo] |
+| examples.py:59:29:59:34 | ControlFlowNode for SOURCE | examples.py:53:28:53:28 | ControlFlowNode for x | examples.py:56:12:56:12 | ControlFlowNode for a | examples.py:59:6:59:35 | ControlFlowNode for fields_with_local_flow() |
+| test.py:49:19:49:24 | ControlFlowNode for SOURCE | test.py:41:17:41:17 | ControlFlowNode for x | test.py:43:5:43:7 | [post store] ControlFlowNode for obj [Attribute foo] | test.py:49:12:49:16 | [post arg] ControlFlowNode for myobj [Attribute foo] |
+| test.py:56:18:56:23 | ControlFlowNode for SOURCE | test.py:29:22:29:24 | ControlFlowNode for foo | test.py:30:9:30:12 | [post store] ControlFlowNode for self [Attribute foo] | test.py:56:5:56:9 | [post read] ControlFlowNode for myobj [Attribute foo] |
+| test.py:81:17:81:22 | ControlFlowNode for SOURCE | test.py:26:24:26:26 | ControlFlowNode for foo | test.py:27:9:27:12 | [post store] ControlFlowNode for self [Attribute foo] | test.py:81:11:81:23 | ControlFlowNode for MyObj() [Attribute foo] |
+| test.py:86:21:86:26 | ControlFlowNode for SOURCE | test.py:26:24:26:26 | ControlFlowNode for foo | test.py:27:9:27:12 | [post store] ControlFlowNode for self [Attribute foo] | test.py:86:11:86:27 | ControlFlowNode for MyObj() [Attribute foo] |
+| test.py:91:17:91:17 | ControlFlowNode for x | test.py:26:24:26:26 | ControlFlowNode for foo | test.py:27:9:27:12 | [post store] ControlFlowNode for self [Attribute foo] | test.py:91:11:91:18 | ControlFlowNode for MyObj() [Attribute foo] |
+| test.py:97:33:97:38 | ControlFlowNode for SOURCE | test.py:90:28:90:28 | ControlFlowNode for x | test.py:93:12:93:12 | ControlFlowNode for a | test.py:97:10:97:39 | ControlFlowNode for fields_with_local_flow() |
 #select
 | examples.py:28:6:28:14 | ControlFlowNode for Attribute | examples.py:27:15:27:20 | ControlFlowNode for SOURCE | examples.py:28:6:28:14 | ControlFlowNode for Attribute | Flow found |
 | examples.py:37:6:37:14 | ControlFlowNode for Attribute | examples.py:31:5:31:10 | ControlFlowNode for SOURCE | examples.py:37:6:37:14 | ControlFlowNode for Attribute | Flow found |
--- a/python/ql/test/experimental/dataflow/fieldflow/globalStep.expected
+++ b/python/ql/test/experimental/dataflow/fieldflow/globalStep.expected
@@ -30,20 +30,22 @@
 | examples.py:0:0:0:0 | GSSA Variable object | examples.py:6:13:6:18 | ControlFlowNode for object |
 | examples.py:0:0:0:0 | GSSA Variable object | examples.py:11:17:11:22 | ControlFlowNode for object |
 | examples.py:0:0:0:0 | GSSA Variable object | examples.py:11:17:11:22 | ControlFlowNode for object |
-| examples.py:0:0:0:0 | ModuleVariableNode for Global Variable MyObj in Module examples | examples.py:13:20:13:24 | ControlFlowNode for MyObj |
-| examples.py:0:0:0:0 | ModuleVariableNode for Global Variable MyObj in Module examples | examples.py:13:20:13:24 | ControlFlowNode for MyObj |
-| examples.py:0:0:0:0 | ModuleVariableNode for Global Variable MyObj in Module examples | examples.py:54:11:54:15 | ControlFlowNode for MyObj |
-| examples.py:0:0:0:0 | ModuleVariableNode for Global Variable MyObj in Module examples | examples.py:54:11:54:15 | ControlFlowNode for MyObj |
-| examples.py:0:0:0:0 | ModuleVariableNode for Global Variable SINK_F in Module examples | examples.py:21:5:21:10 | ControlFlowNode for SINK_F |
-| examples.py:0:0:0:0 | ModuleVariableNode for Global Variable SINK_F in Module examples | examples.py:21:5:21:10 | ControlFlowNode for SINK_F |
+| examples.py:0:0:0:0 | ModuleVariableNode for examples.MyObj | examples.py:13:20:13:24 | ControlFlowNode for MyObj |
+| examples.py:0:0:0:0 | ModuleVariableNode for examples.MyObj | examples.py:13:20:13:24 | ControlFlowNode for MyObj |
+| examples.py:0:0:0:0 | ModuleVariableNode for examples.MyObj | examples.py:54:11:54:15 | ControlFlowNode for MyObj |
+| examples.py:0:0:0:0 | ModuleVariableNode for examples.MyObj | examples.py:54:11:54:15 | ControlFlowNode for MyObj |
+| examples.py:0:0:0:0 | ModuleVariableNode for examples.SINK_F | examples.py:21:5:21:10 | ControlFlowNode for SINK_F |
+| examples.py:0:0:0:0 | ModuleVariableNode for examples.SINK_F | examples.py:21:5:21:10 | ControlFlowNode for SINK_F |
 | examples.py:6:1:6:20 | ControlFlowNode for ClassExpr | examples.py:6:7:6:11 | GSSA Variable MyObj |
 | examples.py:6:1:6:20 | ControlFlowNode for ClassExpr | examples.py:6:7:6:11 | GSSA Variable MyObj |
 | examples.py:6:1:6:20 | ControlFlowNode for ClassExpr | examples.py:25:9:25:13 | ControlFlowNode for MyObj |
 | examples.py:6:1:6:20 | ControlFlowNode for ClassExpr | examples.py:25:9:25:13 | ControlFlowNode for MyObj |
 | examples.py:6:1:6:20 | ControlFlowNode for ClassExpr | examples.py:49:7:49:11 | ControlFlowNode for MyObj |
 | examples.py:6:1:6:20 | ControlFlowNode for ClassExpr | examples.py:49:7:49:11 | ControlFlowNode for MyObj |
-| examples.py:6:7:6:11 | GSSA Variable MyObj | examples.py:0:0:0:0 | ModuleVariableNode for Global Variable MyObj in Module examples |
-| examples.py:6:7:6:11 | GSSA Variable MyObj | examples.py:0:0:0:0 | ModuleVariableNode for Global Variable MyObj in Module examples |
+| examples.py:6:7:6:11 | ControlFlowNode for MyObj | examples.py:0:0:0:0 | ModuleVariableNode for examples.MyObj |
+| examples.py:6:7:6:11 | ControlFlowNode for MyObj | examples.py:0:0:0:0 | ModuleVariableNode for examples.MyObj |
+| examples.py:6:7:6:11 | GSSA Variable MyObj | examples.py:0:0:0:0 | ModuleVariableNode for examples.MyObj |
+| examples.py:6:7:6:11 | GSSA Variable MyObj | examples.py:0:0:0:0 | ModuleVariableNode for examples.MyObj |
 | examples.py:6:7:6:11 | GSSA Variable MyObj | examples.py:25:9:25:13 | ControlFlowNode for MyObj |
 | examples.py:6:7:6:11 | GSSA Variable MyObj | examples.py:25:9:25:13 | ControlFlowNode for MyObj |
 | examples.py:6:7:6:11 | GSSA Variable MyObj | examples.py:49:7:49:11 | ControlFlowNode for MyObj |
@@ -470,78 +472,82 @@
 | examples.py:59:29:59:34 | ControlFlowNode for SOURCE | examples.py:53:28:53:28 | ControlFlowNode for x |
 | examples.py:59:29:59:34 | ControlFlowNode for SOURCE | examples.py:59:6:59:35 | ControlFlowNode for fields_with_local_flow() |
 | examples.py:59:29:59:34 | ControlFlowNode for SOURCE | examples.py:59:6:59:35 | ControlFlowNode for fields_with_local_flow() |
-| test.py:0:0:0:0 | ModuleVariableNode for Global Variable MyObj in Module test | test.py:35:20:35:24 | ControlFlowNode for MyObj |
-| test.py:0:0:0:0 | ModuleVariableNode for Global Variable MyObj in Module test | test.py:35:20:35:24 | ControlFlowNode for MyObj |
-| test.py:0:0:0:0 | ModuleVariableNode for Global Variable MyObj in Module test | test.py:47:13:47:17 | ControlFlowNode for MyObj |
-| test.py:0:0:0:0 | ModuleVariableNode for Global Variable MyObj in Module test | test.py:47:13:47:17 | ControlFlowNode for MyObj |
-| test.py:0:0:0:0 | ModuleVariableNode for Global Variable MyObj in Module test | test.py:54:13:54:17 | ControlFlowNode for MyObj |
-| test.py:0:0:0:0 | ModuleVariableNode for Global Variable MyObj in Module test | test.py:54:13:54:17 | ControlFlowNode for MyObj |
-| test.py:0:0:0:0 | ModuleVariableNode for Global Variable MyObj in Module test | test.py:81:11:81:15 | ControlFlowNode for MyObj |
-| test.py:0:0:0:0 | ModuleVariableNode for Global Variable MyObj in Module test | test.py:81:11:81:15 | ControlFlowNode for MyObj |
-| test.py:0:0:0:0 | ModuleVariableNode for Global Variable MyObj in Module test | test.py:86:11:86:15 | ControlFlowNode for MyObj |
-| test.py:0:0:0:0 | ModuleVariableNode for Global Variable MyObj in Module test | test.py:86:11:86:15 | ControlFlowNode for MyObj |
-| test.py:0:0:0:0 | ModuleVariableNode for Global Variable MyObj in Module test | test.py:91:11:91:15 | ControlFlowNode for MyObj |
-| test.py:0:0:0:0 | ModuleVariableNode for Global Variable MyObj in Module test | test.py:91:11:91:15 | ControlFlowNode for MyObj |
-| test.py:0:0:0:0 | ModuleVariableNode for Global Variable NestedObj in Module test | test.py:63:9:63:17 | ControlFlowNode for NestedObj |
-| test.py:0:0:0:0 | ModuleVariableNode for Global Variable NestedObj in Module test | test.py:63:9:63:17 | ControlFlowNode for NestedObj |
-| test.py:0:0:0:0 | ModuleVariableNode for Global Variable NestedObj in Module test | test.py:73:9:73:17 | ControlFlowNode for NestedObj |
-| test.py:0:0:0:0 | ModuleVariableNode for Global Variable NestedObj in Module test | test.py:73:9:73:17 | ControlFlowNode for NestedObj |
-| test.py:0:0:0:0 | ModuleVariableNode for Global Variable SINK in Module test | test.py:50:5:50:8 | ControlFlowNode for SINK |
-| test.py:0:0:0:0 | ModuleVariableNode for Global Variable SINK in Module test | test.py:50:5:50:8 | ControlFlowNode for SINK |
-| test.py:0:0:0:0 | ModuleVariableNode for Global Variable SINK in Module test | test.py:57:5:57:8 | ControlFlowNode for SINK |
-| test.py:0:0:0:0 | ModuleVariableNode for Global Variable SINK in Module test | test.py:57:5:57:8 | ControlFlowNode for SINK |
-| test.py:0:0:0:0 | ModuleVariableNode for Global Variable SINK in Module test | test.py:67:5:67:8 | ControlFlowNode for SINK |
-| test.py:0:0:0:0 | ModuleVariableNode for Global Variable SINK in Module test | test.py:67:5:67:8 | ControlFlowNode for SINK |
-| test.py:0:0:0:0 | ModuleVariableNode for Global Variable SINK in Module test | test.py:77:5:77:8 | ControlFlowNode for SINK |
-| test.py:0:0:0:0 | ModuleVariableNode for Global Variable SINK in Module test | test.py:77:5:77:8 | ControlFlowNode for SINK |
-| test.py:0:0:0:0 | ModuleVariableNode for Global Variable SINK in Module test | test.py:82:5:82:8 | ControlFlowNode for SINK |
-| test.py:0:0:0:0 | ModuleVariableNode for Global Variable SINK in Module test | test.py:82:5:82:8 | ControlFlowNode for SINK |
-| test.py:0:0:0:0 | ModuleVariableNode for Global Variable SINK in Module test | test.py:87:5:87:8 | ControlFlowNode for SINK |
-| test.py:0:0:0:0 | ModuleVariableNode for Global Variable SINK in Module test | test.py:87:5:87:8 | ControlFlowNode for SINK |
-| test.py:0:0:0:0 | ModuleVariableNode for Global Variable SINK in Module test | test.py:97:5:97:8 | ControlFlowNode for SINK |
-| test.py:0:0:0:0 | ModuleVariableNode for Global Variable SINK in Module test | test.py:97:5:97:8 | ControlFlowNode for SINK |
-| test.py:0:0:0:0 | ModuleVariableNode for Global Variable SINK_F in Module test | test.py:42:5:42:10 | ControlFlowNode for SINK_F |
-| test.py:0:0:0:0 | ModuleVariableNode for Global Variable SINK_F in Module test | test.py:42:5:42:10 | ControlFlowNode for SINK_F |
-| test.py:0:0:0:0 | ModuleVariableNode for Global Variable SOURCE in Module test | test.py:49:19:49:24 | ControlFlowNode for SOURCE |
-| test.py:0:0:0:0 | ModuleVariableNode for Global Variable SOURCE in Module test | test.py:49:19:49:24 | ControlFlowNode for SOURCE |
-| test.py:0:0:0:0 | ModuleVariableNode for Global Variable SOURCE in Module test | test.py:56:18:56:23 | ControlFlowNode for SOURCE |
-| test.py:0:0:0:0 | ModuleVariableNode for Global Variable SOURCE in Module test | test.py:56:18:56:23 | ControlFlowNode for SOURCE |
-| test.py:0:0:0:0 | ModuleVariableNode for Global Variable SOURCE in Module test | test.py:61:9:61:14 | ControlFlowNode for SOURCE |
-| test.py:0:0:0:0 | ModuleVariableNode for Global Variable SOURCE in Module test | test.py:61:9:61:14 | ControlFlowNode for SOURCE |
-| test.py:0:0:0:0 | ModuleVariableNode for Global Variable SOURCE in Module test | test.py:71:9:71:14 | ControlFlowNode for SOURCE |
-| test.py:0:0:0:0 | ModuleVariableNode for Global Variable SOURCE in Module test | test.py:71:9:71:14 | ControlFlowNode for SOURCE |
-| test.py:0:0:0:0 | ModuleVariableNode for Global Variable SOURCE in Module test | test.py:81:17:81:22 | ControlFlowNode for SOURCE |
-| test.py:0:0:0:0 | ModuleVariableNode for Global Variable SOURCE in Module test | test.py:81:17:81:22 | ControlFlowNode for SOURCE |
-| test.py:0:0:0:0 | ModuleVariableNode for Global Variable SOURCE in Module test | test.py:86:21:86:26 | ControlFlowNode for SOURCE |
-| test.py:0:0:0:0 | ModuleVariableNode for Global Variable SOURCE in Module test | test.py:86:21:86:26 | ControlFlowNode for SOURCE |
-| test.py:0:0:0:0 | ModuleVariableNode for Global Variable SOURCE in Module test | test.py:97:33:97:38 | ControlFlowNode for SOURCE |
-| test.py:0:0:0:0 | ModuleVariableNode for Global Variable SOURCE in Module test | test.py:97:33:97:38 | ControlFlowNode for SOURCE |
-| test.py:0:0:0:0 | ModuleVariableNode for Global Variable fields_with_local_flow in Module test | test.py:97:10:97:31 | ControlFlowNode for fields_with_local_flow |
-| test.py:0:0:0:0 | ModuleVariableNode for Global Variable fields_with_local_flow in Module test | test.py:97:10:97:31 | ControlFlowNode for fields_with_local_flow |
-| test.py:0:0:0:0 | ModuleVariableNode for Global Variable is_source in Module test | test.py:11:8:11:16 | ControlFlowNode for is_source |
-| test.py:0:0:0:0 | ModuleVariableNode for Global Variable is_source in Module test | test.py:11:8:11:16 | ControlFlowNode for is_source |
-| test.py:0:0:0:0 | ModuleVariableNode for Global Variable is_source in Module test | test.py:18:8:18:16 | ControlFlowNode for is_source |
-| test.py:0:0:0:0 | ModuleVariableNode for Global Variable is_source in Module test | test.py:18:8:18:16 | ControlFlowNode for is_source |
-| test.py:0:0:0:0 | ModuleVariableNode for Global Variable print in Module test | test.py:12:9:12:13 | ControlFlowNode for print |
-| test.py:0:0:0:0 | ModuleVariableNode for Global Variable print in Module test | test.py:12:9:12:13 | ControlFlowNode for print |
-| test.py:0:0:0:0 | ModuleVariableNode for Global Variable print in Module test | test.py:14:9:14:13 | ControlFlowNode for print |
-| test.py:0:0:0:0 | ModuleVariableNode for Global Variable print in Module test | test.py:14:9:14:13 | ControlFlowNode for print |
-| test.py:0:0:0:0 | ModuleVariableNode for Global Variable print in Module test | test.py:19:9:19:13 | ControlFlowNode for print |
-| test.py:0:0:0:0 | ModuleVariableNode for Global Variable print in Module test | test.py:19:9:19:13 | ControlFlowNode for print |
-| test.py:0:0:0:0 | ModuleVariableNode for Global Variable print in Module test | test.py:21:9:21:13 | ControlFlowNode for print |
-| test.py:0:0:0:0 | ModuleVariableNode for Global Variable print in Module test | test.py:21:9:21:13 | ControlFlowNode for print |
-| test.py:0:0:0:0 | ModuleVariableNode for Global Variable setFoo in Module test | test.py:49:5:49:10 | ControlFlowNode for setFoo |
-| test.py:0:0:0:0 | ModuleVariableNode for Global Variable setFoo in Module test | test.py:49:5:49:10 | ControlFlowNode for setFoo |
+| test.py:0:0:0:0 | ModuleVariableNode for test.MyObj | test.py:35:20:35:24 | ControlFlowNode for MyObj |
+| test.py:0:0:0:0 | ModuleVariableNode for test.MyObj | test.py:35:20:35:24 | ControlFlowNode for MyObj |
+| test.py:0:0:0:0 | ModuleVariableNode for test.MyObj | test.py:47:13:47:17 | ControlFlowNode for MyObj |
+| test.py:0:0:0:0 | ModuleVariableNode for test.MyObj | test.py:47:13:47:17 | ControlFlowNode for MyObj |
+| test.py:0:0:0:0 | ModuleVariableNode for test.MyObj | test.py:54:13:54:17 | ControlFlowNode for MyObj |
+| test.py:0:0:0:0 | ModuleVariableNode for test.MyObj | test.py:54:13:54:17 | ControlFlowNode for MyObj |
+| test.py:0:0:0:0 | ModuleVariableNode for test.MyObj | test.py:81:11:81:15 | ControlFlowNode for MyObj |
+| test.py:0:0:0:0 | ModuleVariableNode for test.MyObj | test.py:81:11:81:15 | ControlFlowNode for MyObj |
+| test.py:0:0:0:0 | ModuleVariableNode for test.MyObj | test.py:86:11:86:15 | ControlFlowNode for MyObj |
+| test.py:0:0:0:0 | ModuleVariableNode for test.MyObj | test.py:86:11:86:15 | ControlFlowNode for MyObj |
+| test.py:0:0:0:0 | ModuleVariableNode for test.MyObj | test.py:91:11:91:15 | ControlFlowNode for MyObj |
+| test.py:0:0:0:0 | ModuleVariableNode for test.MyObj | test.py:91:11:91:15 | ControlFlowNode for MyObj |
+| test.py:0:0:0:0 | ModuleVariableNode for test.NestedObj | test.py:63:9:63:17 | ControlFlowNode for NestedObj |
+| test.py:0:0:0:0 | ModuleVariableNode for test.NestedObj | test.py:63:9:63:17 | ControlFlowNode for NestedObj |
+| test.py:0:0:0:0 | ModuleVariableNode for test.NestedObj | test.py:73:9:73:17 | ControlFlowNode for NestedObj |
+| test.py:0:0:0:0 | ModuleVariableNode for test.NestedObj | test.py:73:9:73:17 | ControlFlowNode for NestedObj |
+| test.py:0:0:0:0 | ModuleVariableNode for test.SINK | test.py:50:5:50:8 | ControlFlowNode for SINK |
+| test.py:0:0:0:0 | ModuleVariableNode for test.SINK | test.py:50:5:50:8 | ControlFlowNode for SINK |
+| test.py:0:0:0:0 | ModuleVariableNode for test.SINK | test.py:57:5:57:8 | ControlFlowNode for SINK |
+| test.py:0:0:0:0 | ModuleVariableNode for test.SINK | test.py:57:5:57:8 | ControlFlowNode for SINK |
+| test.py:0:0:0:0 | ModuleVariableNode for test.SINK | test.py:67:5:67:8 | ControlFlowNode for SINK |
+| test.py:0:0:0:0 | ModuleVariableNode for test.SINK | test.py:67:5:67:8 | ControlFlowNode for SINK |
+| test.py:0:0:0:0 | ModuleVariableNode for test.SINK | test.py:77:5:77:8 | ControlFlowNode for SINK |
+| test.py:0:0:0:0 | ModuleVariableNode for test.SINK | test.py:77:5:77:8 | ControlFlowNode for SINK |
+| test.py:0:0:0:0 | ModuleVariableNode for test.SINK | test.py:82:5:82:8 | ControlFlowNode for SINK |
+| test.py:0:0:0:0 | ModuleVariableNode for test.SINK | test.py:82:5:82:8 | ControlFlowNode for SINK |
+| test.py:0:0:0:0 | ModuleVariableNode for test.SINK | test.py:87:5:87:8 | ControlFlowNode for SINK |
+| test.py:0:0:0:0 | ModuleVariableNode for test.SINK | test.py:87:5:87:8 | ControlFlowNode for SINK |
+| test.py:0:0:0:0 | ModuleVariableNode for test.SINK | test.py:97:5:97:8 | ControlFlowNode for SINK |
+| test.py:0:0:0:0 | ModuleVariableNode for test.SINK | test.py:97:5:97:8 | ControlFlowNode for SINK |
+| test.py:0:0:0:0 | ModuleVariableNode for test.SINK_F | test.py:42:5:42:10 | ControlFlowNode for SINK_F |
+| test.py:0:0:0:0 | ModuleVariableNode for test.SINK_F | test.py:42:5:42:10 | ControlFlowNode for SINK_F |
+| test.py:0:0:0:0 | ModuleVariableNode for test.SOURCE | test.py:49:19:49:24 | ControlFlowNode for SOURCE |
+| test.py:0:0:0:0 | ModuleVariableNode for test.SOURCE | test.py:49:19:49:24 | ControlFlowNode for SOURCE |
+| test.py:0:0:0:0 | ModuleVariableNode for test.SOURCE | test.py:56:18:56:23 | ControlFlowNode for SOURCE |
+| test.py:0:0:0:0 | ModuleVariableNode for test.SOURCE | test.py:56:18:56:23 | ControlFlowNode for SOURCE |
+| test.py:0:0:0:0 | ModuleVariableNode for test.SOURCE | test.py:61:9:61:14 | ControlFlowNode for SOURCE |
+| test.py:0:0:0:0 | ModuleVariableNode for test.SOURCE | test.py:61:9:61:14 | ControlFlowNode for SOURCE |
+| test.py:0:0:0:0 | ModuleVariableNode for test.SOURCE | test.py:71:9:71:14 | ControlFlowNode for SOURCE |
+| test.py:0:0:0:0 | ModuleVariableNode for test.SOURCE | test.py:71:9:71:14 | ControlFlowNode for SOURCE |
+| test.py:0:0:0:0 | ModuleVariableNode for test.SOURCE | test.py:81:17:81:22 | ControlFlowNode for SOURCE |
+| test.py:0:0:0:0 | ModuleVariableNode for test.SOURCE | test.py:81:17:81:22 | ControlFlowNode for SOURCE |
+| test.py:0:0:0:0 | ModuleVariableNode for test.SOURCE | test.py:86:21:86:26 | ControlFlowNode for SOURCE |
+| test.py:0:0:0:0 | ModuleVariableNode for test.SOURCE | test.py:86:21:86:26 | ControlFlowNode for SOURCE |
+| test.py:0:0:0:0 | ModuleVariableNode for test.SOURCE | test.py:97:33:97:38 | ControlFlowNode for SOURCE |
+| test.py:0:0:0:0 | ModuleVariableNode for test.SOURCE | test.py:97:33:97:38 | ControlFlowNode for SOURCE |
+| test.py:0:0:0:0 | ModuleVariableNode for test.fields_with_local_flow | test.py:97:10:97:31 | ControlFlowNode for fields_with_local_flow |
+| test.py:0:0:0:0 | ModuleVariableNode for test.fields_with_local_flow | test.py:97:10:97:31 | ControlFlowNode for fields_with_local_flow |
+| test.py:0:0:0:0 | ModuleVariableNode for test.is_source | test.py:11:8:11:16 | ControlFlowNode for is_source |
+| test.py:0:0:0:0 | ModuleVariableNode for test.is_source | test.py:11:8:11:16 | ControlFlowNode for is_source |
+| test.py:0:0:0:0 | ModuleVariableNode for test.is_source | test.py:18:8:18:16 | ControlFlowNode for is_source |
+| test.py:0:0:0:0 | ModuleVariableNode for test.is_source | test.py:18:8:18:16 | ControlFlowNode for is_source |
+| test.py:0:0:0:0 | ModuleVariableNode for test.print | test.py:12:9:12:13 | ControlFlowNode for print |
+| test.py:0:0:0:0 | ModuleVariableNode for test.print | test.py:12:9:12:13 | ControlFlowNode for print |
+| test.py:0:0:0:0 | ModuleVariableNode for test.print | test.py:14:9:14:13 | ControlFlowNode for print |
+| test.py:0:0:0:0 | ModuleVariableNode for test.print | test.py:14:9:14:13 | ControlFlowNode for print |
+| test.py:0:0:0:0 | ModuleVariableNode for test.print | test.py:19:9:19:13 | ControlFlowNode for print |
+| test.py:0:0:0:0 | ModuleVariableNode for test.print | test.py:19:9:19:13 | ControlFlowNode for print |
+| test.py:0:0:0:0 | ModuleVariableNode for test.print | test.py:21:9:21:13 | ControlFlowNode for print |
+| test.py:0:0:0:0 | ModuleVariableNode for test.print | test.py:21:9:21:13 | ControlFlowNode for print |
+| test.py:0:0:0:0 | ModuleVariableNode for test.setFoo | test.py:49:5:49:10 | ControlFlowNode for setFoo |
+| test.py:0:0:0:0 | ModuleVariableNode for test.setFoo | test.py:49:5:49:10 | ControlFlowNode for setFoo |
 | test.py:2:13:2:26 | ControlFlowNode for Str | test.py:2:1:2:9 | GSSA Variable NONSOURCE |
 | test.py:2:13:2:26 | ControlFlowNode for Str | test.py:2:1:2:9 | GSSA Variable NONSOURCE |
-| test.py:3:1:3:6 | GSSA Variable SOURCE | test.py:0:0:0:0 | ModuleVariableNode for Global Variable SOURCE in Module test |
-| test.py:3:1:3:6 | GSSA Variable SOURCE | test.py:0:0:0:0 | ModuleVariableNode for Global Variable SOURCE in Module test |
+| test.py:3:1:3:6 | ControlFlowNode for SOURCE | test.py:0:0:0:0 | ModuleVariableNode for test.SOURCE |
+| test.py:3:1:3:6 | ControlFlowNode for SOURCE | test.py:0:0:0:0 | ModuleVariableNode for test.SOURCE |
+| test.py:3:1:3:6 | GSSA Variable SOURCE | test.py:0:0:0:0 | ModuleVariableNode for test.SOURCE |
+| test.py:3:1:3:6 | GSSA Variable SOURCE | test.py:0:0:0:0 | ModuleVariableNode for test.SOURCE |
 | test.py:3:10:3:17 | ControlFlowNode for Str | test.py:3:1:3:6 | GSSA Variable SOURCE |
 | test.py:3:10:3:17 | ControlFlowNode for Str | test.py:3:1:3:6 | GSSA Variable SOURCE |
 | test.py:6:1:6:17 | ControlFlowNode for FunctionExpr | test.py:6:5:6:13 | GSSA Variable is_source |
 | test.py:6:1:6:17 | ControlFlowNode for FunctionExpr | test.py:6:5:6:13 | GSSA Variable is_source |
-| test.py:6:5:6:13 | GSSA Variable is_source | test.py:0:0:0:0 | ModuleVariableNode for Global Variable is_source in Module test |
-| test.py:6:5:6:13 | GSSA Variable is_source | test.py:0:0:0:0 | ModuleVariableNode for Global Variable is_source in Module test |
+| test.py:6:5:6:13 | ControlFlowNode for is_source | test.py:0:0:0:0 | ModuleVariableNode for test.is_source |
+| test.py:6:5:6:13 | ControlFlowNode for is_source | test.py:0:0:0:0 | ModuleVariableNode for test.is_source |
+| test.py:6:5:6:13 | GSSA Variable is_source | test.py:0:0:0:0 | ModuleVariableNode for test.is_source |
+| test.py:6:5:6:13 | GSSA Variable is_source | test.py:0:0:0:0 | ModuleVariableNode for test.is_source |
 | test.py:6:15:6:15 | ControlFlowNode for x | test.py:6:15:6:15 | SSA variable x |
 | test.py:6:15:6:15 | ControlFlowNode for x | test.py:6:15:6:15 | SSA variable x |
 | test.py:6:15:6:15 | ControlFlowNode for x | test.py:6:15:6:15 | SSA variable x |
@@ -602,6 +608,8 @@
 | test.py:7:12:7:12 | ControlFlowNode for x | test.py:7:71:7:71 | ControlFlowNode for x |
 | test.py:7:12:7:12 | ControlFlowNode for x | test.py:7:71:7:71 | ControlFlowNode for x |
 | test.py:7:12:7:12 | ControlFlowNode for x | test.py:7:71:7:71 | ControlFlowNode for x |
+| test.py:7:12:7:24 | ControlFlowNode for Compare | test.py:7:12:7:78 | ControlFlowNode for BoolExpr |
+| test.py:7:12:7:24 | ControlFlowNode for Compare | test.py:7:12:7:78 | ControlFlowNode for BoolExpr |
 | test.py:7:12:7:78 | ControlFlowNode for BoolExpr | test.py:11:8:11:19 | ControlFlowNode for is_source() |
 | test.py:7:12:7:78 | ControlFlowNode for BoolExpr | test.py:11:8:11:19 | ControlFlowNode for is_source() |
 | test.py:7:12:7:78 | ControlFlowNode for BoolExpr | test.py:18:8:18:19 | ControlFlowNode for is_source() |
@@ -618,6 +626,8 @@
 | test.py:7:29:7:29 | ControlFlowNode for x | test.py:7:71:7:71 | ControlFlowNode for x |
 | test.py:7:29:7:29 | ControlFlowNode for x | test.py:7:71:7:71 | ControlFlowNode for x |
 | test.py:7:29:7:29 | ControlFlowNode for x | test.py:7:71:7:71 | ControlFlowNode for x |
+| test.py:7:29:7:42 | ControlFlowNode for Compare | test.py:7:12:7:78 | ControlFlowNode for BoolExpr |
+| test.py:7:29:7:42 | ControlFlowNode for Compare | test.py:7:12:7:78 | ControlFlowNode for BoolExpr |
 | test.py:7:47:7:47 | ControlFlowNode for x | test.py:7:58:7:58 | ControlFlowNode for x |
 | test.py:7:47:7:47 | ControlFlowNode for x | test.py:7:58:7:58 | ControlFlowNode for x |
 | test.py:7:47:7:47 | ControlFlowNode for x | test.py:7:58:7:58 | ControlFlowNode for x |
@@ -626,16 +636,24 @@
 | test.py:7:47:7:47 | ControlFlowNode for x | test.py:7:71:7:71 | ControlFlowNode for x |
 | test.py:7:47:7:47 | ControlFlowNode for x | test.py:7:71:7:71 | ControlFlowNode for x |
 | test.py:7:47:7:47 | ControlFlowNode for x | test.py:7:71:7:71 | ControlFlowNode for x |
+| test.py:7:47:7:53 | ControlFlowNode for Compare | test.py:7:12:7:78 | ControlFlowNode for BoolExpr |
+| test.py:7:47:7:53 | ControlFlowNode for Compare | test.py:7:12:7:78 | ControlFlowNode for BoolExpr |
 | test.py:7:58:7:58 | ControlFlowNode for x | test.py:7:71:7:71 | ControlFlowNode for x |
 | test.py:7:58:7:58 | ControlFlowNode for x | test.py:7:71:7:71 | ControlFlowNode for x |
 | test.py:7:58:7:58 | ControlFlowNode for x | test.py:7:71:7:71 | ControlFlowNode for x |
 | test.py:7:58:7:58 | ControlFlowNode for x | test.py:7:71:7:71 | ControlFlowNode for x |
+| test.py:7:58:7:66 | ControlFlowNode for Compare | test.py:7:12:7:78 | ControlFlowNode for BoolExpr |
+| test.py:7:58:7:66 | ControlFlowNode for Compare | test.py:7:12:7:78 | ControlFlowNode for BoolExpr |
+| test.py:7:71:7:78 | ControlFlowNode for Compare | test.py:7:12:7:78 | ControlFlowNode for BoolExpr |
+| test.py:7:71:7:78 | ControlFlowNode for Compare | test.py:7:12:7:78 | ControlFlowNode for BoolExpr |
 | test.py:10:1:10:12 | ControlFlowNode for FunctionExpr | test.py:10:5:10:8 | GSSA Variable SINK |
 | test.py:10:1:10:12 | ControlFlowNode for FunctionExpr | test.py:10:5:10:8 | GSSA Variable SINK |
 | test.py:10:1:10:12 | GSSA Variable is_source | test.py:11:8:11:16 | ControlFlowNode for is_source |
 | test.py:10:1:10:12 | GSSA Variable is_source | test.py:11:8:11:16 | ControlFlowNode for is_source |
-| test.py:10:5:10:8 | GSSA Variable SINK | test.py:0:0:0:0 | ModuleVariableNode for Global Variable SINK in Module test |
-| test.py:10:5:10:8 | GSSA Variable SINK | test.py:0:0:0:0 | ModuleVariableNode for Global Variable SINK in Module test |
+| test.py:10:5:10:8 | ControlFlowNode for SINK | test.py:0:0:0:0 | ModuleVariableNode for test.SINK |
+| test.py:10:5:10:8 | ControlFlowNode for SINK | test.py:0:0:0:0 | ModuleVariableNode for test.SINK |
+| test.py:10:5:10:8 | GSSA Variable SINK | test.py:0:0:0:0 | ModuleVariableNode for test.SINK |
+| test.py:10:5:10:8 | GSSA Variable SINK | test.py:0:0:0:0 | ModuleVariableNode for test.SINK |
 | test.py:10:10:10:10 | ControlFlowNode for x | test.py:10:10:10:10 | SSA variable x |
 | test.py:10:10:10:10 | ControlFlowNode for x | test.py:10:10:10:10 | SSA variable x |
 | test.py:10:10:10:10 | ControlFlowNode for x | test.py:10:10:10:10 | SSA variable x |
@@ -684,8 +702,10 @@
 | test.py:17:1:17:14 | ControlFlowNode for FunctionExpr | test.py:17:5:17:10 | GSSA Variable SINK_F |
 | test.py:17:1:17:14 | GSSA Variable is_source | test.py:18:8:18:16 | ControlFlowNode for is_source |
 | test.py:17:1:17:14 | GSSA Variable is_source | test.py:18:8:18:16 | ControlFlowNode for is_source |
-| test.py:17:5:17:10 | GSSA Variable SINK_F | test.py:0:0:0:0 | ModuleVariableNode for Global Variable SINK_F in Module test |
-| test.py:17:5:17:10 | GSSA Variable SINK_F | test.py:0:0:0:0 | ModuleVariableNode for Global Variable SINK_F in Module test |
+| test.py:17:5:17:10 | ControlFlowNode for SINK_F | test.py:0:0:0:0 | ModuleVariableNode for test.SINK_F |
+| test.py:17:5:17:10 | ControlFlowNode for SINK_F | test.py:0:0:0:0 | ModuleVariableNode for test.SINK_F |
+| test.py:17:5:17:10 | GSSA Variable SINK_F | test.py:0:0:0:0 | ModuleVariableNode for test.SINK_F |
+| test.py:17:5:17:10 | GSSA Variable SINK_F | test.py:0:0:0:0 | ModuleVariableNode for test.SINK_F |
 | test.py:17:12:17:12 | ControlFlowNode for x | test.py:17:12:17:12 | SSA variable x |
 | test.py:17:12:17:12 | ControlFlowNode for x | test.py:17:12:17:12 | SSA variable x |
 | test.py:17:12:17:12 | ControlFlowNode for x | test.py:17:12:17:12 | SSA variable x |
@@ -722,8 +742,10 @@
 | test.py:19:34:19:34 | [post arg] ControlFlowNode for x | test.py:42:12:42:18 | [post arg] ControlFlowNode for Attribute |
 | test.py:25:1:25:20 | ControlFlowNode for ClassExpr | test.py:25:7:25:11 | GSSA Variable MyObj |
 | test.py:25:1:25:20 | ControlFlowNode for ClassExpr | test.py:25:7:25:11 | GSSA Variable MyObj |
-| test.py:25:7:25:11 | GSSA Variable MyObj | test.py:0:0:0:0 | ModuleVariableNode for Global Variable MyObj in Module test |
-| test.py:25:7:25:11 | GSSA Variable MyObj | test.py:0:0:0:0 | ModuleVariableNode for Global Variable MyObj in Module test |
+| test.py:25:7:25:11 | ControlFlowNode for MyObj | test.py:0:0:0:0 | ModuleVariableNode for test.MyObj |
+| test.py:25:7:25:11 | ControlFlowNode for MyObj | test.py:0:0:0:0 | ModuleVariableNode for test.MyObj |
+| test.py:25:7:25:11 | GSSA Variable MyObj | test.py:0:0:0:0 | ModuleVariableNode for test.MyObj |
+| test.py:25:7:25:11 | GSSA Variable MyObj | test.py:0:0:0:0 | ModuleVariableNode for test.MyObj |
 | test.py:25:13:25:18 | ControlFlowNode for object | test.py:33:17:33:22 | ControlFlowNode for object |
 | test.py:25:13:25:18 | ControlFlowNode for object | test.py:33:17:33:22 | ControlFlowNode for object |
 | test.py:26:5:26:28 | ControlFlowNode for FunctionExpr | test.py:26:9:26:16 | SSA variable __init__ |
@@ -805,8 +827,10 @@
 | test.py:30:20:30:22 | ControlFlowNode for foo | test.py:30:9:30:12 | [post store] ControlFlowNode for self [Attribute foo] |
 | test.py:33:1:33:24 | ControlFlowNode for ClassExpr | test.py:33:7:33:15 | GSSA Variable NestedObj |
 | test.py:33:1:33:24 | ControlFlowNode for ClassExpr | test.py:33:7:33:15 | GSSA Variable NestedObj |
-| test.py:33:7:33:15 | GSSA Variable NestedObj | test.py:0:0:0:0 | ModuleVariableNode for Global Variable NestedObj in Module test |
-| test.py:33:7:33:15 | GSSA Variable NestedObj | test.py:0:0:0:0 | ModuleVariableNode for Global Variable NestedObj in Module test |
+| test.py:33:7:33:15 | ControlFlowNode for NestedObj | test.py:0:0:0:0 | ModuleVariableNode for test.NestedObj |
+| test.py:33:7:33:15 | ControlFlowNode for NestedObj | test.py:0:0:0:0 | ModuleVariableNode for test.NestedObj |
+| test.py:33:7:33:15 | GSSA Variable NestedObj | test.py:0:0:0:0 | ModuleVariableNode for test.NestedObj |
+| test.py:33:7:33:15 | GSSA Variable NestedObj | test.py:0:0:0:0 | ModuleVariableNode for test.NestedObj |
 | test.py:34:5:34:23 | ControlFlowNode for FunctionExpr | test.py:34:9:34:16 | SSA variable __init__ |
 | test.py:34:5:34:23 | ControlFlowNode for FunctionExpr | test.py:34:9:34:16 | SSA variable __init__ |
 | test.py:34:5:34:23 | GSSA Variable MyObj | test.py:35:20:35:24 | ControlFlowNode for MyObj |
@@ -865,8 +889,10 @@
 | test.py:41:1:41:19 | ControlFlowNode for FunctionExpr | test.py:41:5:41:10 | GSSA Variable setFoo |
 | test.py:41:1:41:19 | GSSA Variable SINK_F | test.py:42:5:42:10 | ControlFlowNode for SINK_F |
 | test.py:41:1:41:19 | GSSA Variable SINK_F | test.py:42:5:42:10 | ControlFlowNode for SINK_F |
-| test.py:41:5:41:10 | GSSA Variable setFoo | test.py:0:0:0:0 | ModuleVariableNode for Global Variable setFoo in Module test |
-| test.py:41:5:41:10 | GSSA Variable setFoo | test.py:0:0:0:0 | ModuleVariableNode for Global Variable setFoo in Module test |
+| test.py:41:5:41:10 | ControlFlowNode for setFoo | test.py:0:0:0:0 | ModuleVariableNode for test.setFoo |
+| test.py:41:5:41:10 | ControlFlowNode for setFoo | test.py:0:0:0:0 | ModuleVariableNode for test.setFoo |
+| test.py:41:5:41:10 | GSSA Variable setFoo | test.py:0:0:0:0 | ModuleVariableNode for test.setFoo |
+| test.py:41:5:41:10 | GSSA Variable setFoo | test.py:0:0:0:0 | ModuleVariableNode for test.setFoo |
 | test.py:41:12:41:14 | ControlFlowNode for obj | test.py:41:12:41:14 | SSA variable obj |
 | test.py:41:12:41:14 | ControlFlowNode for obj | test.py:41:12:41:14 | SSA variable obj |
 | test.py:41:12:41:14 | ControlFlowNode for obj | test.py:41:12:41:14 | SSA variable obj |
@@ -1191,8 +1217,10 @@
 | test.py:90:1:90:30 | ControlFlowNode for FunctionExpr | test.py:90:5:90:26 | GSSA Variable fields_with_local_flow |
 | test.py:90:1:90:30 | GSSA Variable MyObj | test.py:91:11:91:15 | ControlFlowNode for MyObj |
 | test.py:90:1:90:30 | GSSA Variable MyObj | test.py:91:11:91:15 | ControlFlowNode for MyObj |
-| test.py:90:5:90:26 | GSSA Variable fields_with_local_flow | test.py:0:0:0:0 | ModuleVariableNode for Global Variable fields_with_local_flow in Module test |
-| test.py:90:5:90:26 | GSSA Variable fields_with_local_flow | test.py:0:0:0:0 | ModuleVariableNode for Global Variable fields_with_local_flow in Module test |
+| test.py:90:5:90:26 | ControlFlowNode for fields_with_local_flow | test.py:0:0:0:0 | ModuleVariableNode for test.fields_with_local_flow |
+| test.py:90:5:90:26 | ControlFlowNode for fields_with_local_flow | test.py:0:0:0:0 | ModuleVariableNode for test.fields_with_local_flow |
+| test.py:90:5:90:26 | GSSA Variable fields_with_local_flow | test.py:0:0:0:0 | ModuleVariableNode for test.fields_with_local_flow |
+| test.py:90:5:90:26 | GSSA Variable fields_with_local_flow | test.py:0:0:0:0 | ModuleVariableNode for test.fields_with_local_flow |
 | test.py:90:28:90:28 | ControlFlowNode for x | test.py:90:28:90:28 | SSA variable x |
 | test.py:90:28:90:28 | ControlFlowNode for x | test.py:90:28:90:28 | SSA variable x |
 | test.py:90:28:90:28 | ControlFlowNode for x | test.py:90:28:90:28 | SSA variable x |
--- a/python/ql/test/experimental/dataflow/import-helper/ImportHelper.expected
+++ b/python/ql/test/experimental/dataflow/import-helper/ImportHelper.expected
@@ -1,23 +0,0 @@
-| test1.py:1:8:1:12 | ControlFlowNode for ImportExpr | mypkg |
-| test2.py:1:6:1:10 | ControlFlowNode for ImportExpr | mypkg |
-| test2.py:1:6:1:10 | ControlFlowNode for ImportExpr | mypkg |
-| test2.py:1:19:1:21 | ControlFlowNode for ImportMember | mypkg.foo |
-| test2.py:1:24:1:26 | ControlFlowNode for ImportMember | mypkg.bar |
-| test3.py:1:8:1:16 | ControlFlowNode for ImportExpr | mypkg |
-| test3.py:2:8:2:16 | ControlFlowNode for ImportExpr | mypkg |
-| test4.py:1:8:1:16 | ControlFlowNode for ImportExpr | mypkg.foo |
-| test4.py:2:8:2:16 | ControlFlowNode for ImportExpr | mypkg.bar |
-| test5.py:1:8:1:12 | ControlFlowNode for ImportExpr | mypkg |
-| test5.py:9:6:9:10 | ControlFlowNode for ImportExpr | mypkg |
-| test5.py:9:19:9:29 | ControlFlowNode for ImportMember | mypkg.bar |
-| test6.py:1:8:1:12 | ControlFlowNode for ImportExpr | mypkg |
-| test6.py:5:8:5:16 | ControlFlowNode for ImportExpr | mypkg |
-| test7.py:1:6:1:10 | ControlFlowNode for ImportExpr | mypkg |
-| test7.py:1:19:1:21 | ControlFlowNode for ImportMember | mypkg.foo |
-| test7.py:5:8:5:16 | ControlFlowNode for ImportExpr | mypkg |
-| test7.py:9:6:9:10 | ControlFlowNode for ImportExpr | mypkg |
-| test7.py:9:19:9:21 | ControlFlowNode for ImportMember | mypkg.foo |
-| test_deep.py:1:6:1:21 | ControlFlowNode for ImportExpr | start.middle.end |
-| test_deep.py:1:6:1:21 | ControlFlowNode for ImportExpr | start.middle.end |
-| test_deep.py:1:30:1:32 | ControlFlowNode for ImportMember | start.middle.end.foo |
-| test_deep.py:1:35:1:37 | ControlFlowNode for ImportMember | start.middle.end.bar |
--- a/python/ql/test/experimental/dataflow/import-helper/ImportHelper.ql
+++ b/python/ql/test/experimental/dataflow/import-helper/ImportHelper.ql
@@ -1,4 +0,0 @@
-import python
-import semmle.python.dataflow.new.DataFlow
-
-query predicate importNode(DataFlow::Node res, string name) { res = DataFlow::importNode(name) }
--- a/python/ql/test/experimental/dataflow/import-helper/README.md
+++ b/python/ql/test/experimental/dataflow/import-helper/README.md
@@ -1 +0,0 @@
-Small tests that explore difference between `import mypkg.foo` and `from mypkg import foo`.
--- a/python/ql/test/experimental/dataflow/import-helper/mypkg/init.py
+++ b/python/ql/test/experimental/dataflow/import-helper/mypkg/init.py
@@ -1 +0,0 @@
-foo = 42
--- a/python/ql/test/experimental/dataflow/import-helper/mypkg/bar.py
+++ b/python/ql/test/experimental/dataflow/import-helper/mypkg/bar.py
@@ -1 +0,0 @@
-pass
--- a/python/ql/test/experimental/dataflow/import-helper/mypkg/foo.py
+++ b/python/ql/test/experimental/dataflow/import-helper/mypkg/foo.py
@@ -1 +0,0 @@
-pass
--- a/python/ql/test/experimental/dataflow/import-helper/test1.py
+++ b/python/ql/test/experimental/dataflow/import-helper/test1.py
@@ -1,6 +0,0 @@
-import mypkg
-print(mypkg.foo)  # 42
-try:
-    print(mypkg.bar)
-except AttributeError as e:
-    print(e)  # module 'mypkg' has no attribute 'bar'
--- a/python/ql/test/experimental/dataflow/import-helper/test2.py
+++ b/python/ql/test/experimental/dataflow/import-helper/test2.py
@@ -1,3 +0,0 @@
-from mypkg import foo, bar
-print(foo)
-print(bar)
--- a/python/ql/test/experimental/dataflow/import-helper/test3.py
+++ b/python/ql/test/experimental/dataflow/import-helper/test3.py
@@ -1,4 +0,0 @@
-import mypkg.foo
-import mypkg.bar
-print(mypkg.foo)  # <module 'mypkg.foo' ...
-print(mypkg.bar)  # <module 'mypkg.bar' ...
--- a/python/ql/test/experimental/dataflow/import-helper/test4.py
+++ b/python/ql/test/experimental/dataflow/import-helper/test4.py
@@ -1,4 +0,0 @@
-import mypkg.foo as _foo
-import mypkg.bar as _bar
-print(_foo)  # <module 'mypkg.foo' ...
-print(_bar)  # <module 'mypkg.bar' ...
--- a/python/ql/test/experimental/dataflow/import-helper/test5.py
+++ b/python/ql/test/experimental/dataflow/import-helper/test5.py
@@ -1,10 +0,0 @@
-import mypkg
-
-print(mypkg.foo)  # 42
-try:
-    print(mypkg.bar)
-except AttributeError as e:
-    print(e)  # module 'mypkg' has no attribute 'bar'
-
-from mypkg import bar as _bar
-print(mypkg.bar)  # <module 'mypkg.bar' ...
--- a/python/ql/test/experimental/dataflow/import-helper/test6.py
+++ b/python/ql/test/experimental/dataflow/import-helper/test6.py
@@ -1,6 +0,0 @@
-import mypkg
-
-print(mypkg.foo) # 42
-
-import mypkg.foo
-print(mypkg.foo) # <module 'mypkg.foo' ...
--- a/python/ql/test/experimental/dataflow/import-helper/test7.py
+++ b/python/ql/test/experimental/dataflow/import-helper/test7.py
@@ -1,10 +0,0 @@
-from mypkg import foo
-
-print(foo)  # 42
-
-import mypkg.foo
-print(foo)  # 42
-print(mypkg.foo)  # <module 'mypkg.foo' ...
-
-from mypkg import foo
-print(foo)  # <module 'mypkg.foo' ...
--- a/python/ql/test/experimental/dataflow/import-helper/test_deep.py
+++ b/python/ql/test/experimental/dataflow/import-helper/test_deep.py
@@ -1,3 +0,0 @@
-from start.middle.end import foo, bar
-print(foo)
-print(bar)
--- a/python/ql/test/experimental/dataflow/method-calls/test.ql
+++ b/python/ql/test/experimental/dataflow/method-calls/test.ql
@@ -1,6 +1,6 @@
 import python
 import semmle.python.dataflow.new.DataFlow
-import experimental.dataflow.TestUtil.PrintNode
+private import semmle.python.dataflow.new.internal.PrintNode

 query predicate conjunctive_lookup(
  DataFlow::MethodCallNode methCall, string call, string object, string methodName
--- a/python/ql/test/experimental/dataflow/module-initialization/base.py
+++ b/python/ql/test/experimental/dataflow/module-initialization/base.py
@@ -0,0 +1 @@
+foo = 3
--- a/python/ql/test/experimental/library-tests/frameworks/sqlalchemy/ConceptsTest.expected
+++ b/python/ql/test/experimental/library-tests/frameworks/sqlalchemy/ConceptsTest.expected
--- a/python/ql/test/experimental/dataflow/module-initialization/localFlow.ql
+++ b/python/ql/test/experimental/dataflow/module-initialization/localFlow.ql
@@ -0,0 +1,36 @@
+// This query should be more focused yet.
+import python
+import experimental.dataflow.TestUtil.FlowTest
+private import semmle.python.dataflow.new.internal.PrintNode
+private import semmle.python.dataflow.new.internal.DataFlowPrivate as DP
+
+class ImportTimeLocalFlowTest extends FlowTest {
+  ImportTimeLocalFlowTest() { this = "ImportTimeLocalFlowTest" }
+
+  override string flowTag() { result = "importTimeFlow" }
+
+  override predicate relevantFlow(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+    nodeFrom.getLocation().getFile().getBaseName() = "multiphase.py" and
+    // results are displayed next to `nodeTo`, so we need a line to write on
+    nodeTo.getLocation().getStartLine() > 0 and
+    nodeTo.asVar() instanceof GlobalSsaVariable and
+    DP::importTimeLocalFlowStep(nodeFrom, nodeTo)
+  }
+}
+
+class RuntimeLocalFlowTest extends FlowTest {
+  RuntimeLocalFlowTest() { this = "RuntimeLocalFlowTest" }
+
+  override string flowTag() { result = "runtimeFlow" }
+
+  override predicate relevantFlow(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+    nodeFrom.getLocation().getFile().getBaseName() = "multiphase.py" and
+    // results are displayed next to `nodeTo`, so we need a line to write on
+    nodeTo.getLocation().getStartLine() > 0 and
+    (
+      nodeFrom instanceof DataFlow::ModuleVariableNode or
+      nodeTo instanceof DataFlow::ModuleVariableNode
+    ) and
+    DP::runtimeJumpStep(nodeFrom, nodeTo)
+  }
+}
--- a/python/ql/test/experimental/dataflow/module-initialization/m1.py
+++ b/python/ql/test/experimental/dataflow/module-initialization/m1.py
@@ -0,0 +1,10 @@
+# constant
+foo = 42
+
+import base
+
+def passOn(x):
+    return x
+
+# depends on other constant
+bar = passOn(base.foo)
--- a/python/ql/test/experimental/dataflow/module-initialization/multiphase.py
+++ b/python/ql/test/experimental/dataflow/module-initialization/multiphase.py
@@ -0,0 +1,42 @@
+import sys  #$ importTimeFlow="ImportExpr -> GSSA Variable sys"
+import os  #$ importTimeFlow="ImportExpr -> GSSA Variable os"
+
+sys.path.append(os.path.dirname(os.path.dirname((__file__))))
+from testlib import *
+
+# These are defined so that we can evaluate the test code.
+NONSOURCE = "not a source"  #$ importTimeFlow="'not a source' -> GSSA Variable NONSOURCE"
+SOURCE = "source"  #$ importTimeFlow="'source' -> GSSA Variable SOURCE"
+
+
+def is_source(x):  #$ importTimeFlow="FunctionExpr -> GSSA Variable is_source"
+    return x == "source" or x == b"source" or x == 42 or x == 42.0 or x == 42j
+
+
+def SINK(x):  #$ importTimeFlow="FunctionExpr -> GSSA Variable SINK"
+    if is_source(x):  #$ runtimeFlow="ModuleVariableNode for multiphase.is_source, l:-17 -> is_source"
+        print("OK")  #$ runtimeFlow="ModuleVariableNode for multiphase.print, l:-18 -> print"
+    else:
+        print("Unexpected flow", x)  #$ runtimeFlow="ModuleVariableNode for multiphase.print, l:-20 -> print"
+
+
+def SINK_F(x):  #$ importTimeFlow="FunctionExpr -> GSSA Variable SINK_F"
+    if is_source(x):  #$ runtimeFlow="ModuleVariableNode for multiphase.is_source, l:-24 -> is_source"
+        print("Unexpected flow", x)  #$ runtimeFlow="ModuleVariableNode for multiphase.print, l:-25 -> print"
+    else:
+        print("OK")  #$ runtimeFlow="ModuleVariableNode for multiphase.print, l:-27 -> print"
+
+def set_foo():  #$ importTimeFlow="FunctionExpr -> GSSA Variable set_foo"
+    global foo
+    foo = SOURCE  #$ runtimeFlow="ModuleVariableNode for multiphase.SOURCE, l:-31 -> SOURCE" # missing final definition of foo
+
+foo = NONSOURCE  #$ importTimeFlow="NONSOURCE -> GSSA Variable foo"
+set_foo()
+
+@expects(2)
+def test_phases():  #$ importTimeFlow="expects(..)(..), l:-1 -> GSSA Variable test_phases"
+    global foo
+    SINK(foo)  #$ runtimeFlow="ModuleVariableNode for multiphase.SINK, l:-39 -> SINK" runtimeFlow="ModuleVariableNode for multiphase.foo, l:-39 -> foo"
+    foo = NONSOURCE  #$ runtimeFlow="ModuleVariableNode for multiphase.NONSOURCE, l:-40 -> NONSOURCE"
+    set_foo()  #$ runtimeFlow="ModuleVariableNode for multiphase.set_foo, l:-41 -> set_foo"
+    SINK(foo)  #$ runtimeFlow="ModuleVariableNode for multiphase.SINK, l:-42 -> SINK" runtimeFlow="ModuleVariableNode for multiphase.foo, l:-42 -> foo"
--- a/python/ql/test/experimental/dataflow/module-initialization/test.py
+++ b/python/ql/test/experimental/dataflow/module-initialization/test.py
@@ -0,0 +1,33 @@
+# These are defined so that we can evaluate the test code.
+NONSOURCE = "not a source"
+SOURCE = "source"
+
+
+def is_source(x):
+    return x == "source" or x == b"source" or x == 42 or x == 42.0 or x == 42j
+
+
+def SINK(x):
+    if is_source(x):
+        print("OK")
+    else:
+        print("Unexpected flow", x)
+
+
+def SINK_F(x):
+    if is_source(x):
+        print("Unexpected flow", x)
+    else:
+        print("OK")
+
+import base
+
+base.foo = 42
+
+import m1
+
+def test_const():
+    SINK(m1.foo)
+
+def test_overwritten():
+    SINK(m1.bar)
--- a/python/ql/test/experimental/dataflow/module-initialization/testOnce.py
+++ b/python/ql/test/experimental/dataflow/module-initialization/testOnce.py
@@ -0,0 +1,33 @@
+# These are defined so that we can evaluate the test code.
+NONSOURCE = "not a source"
+SOURCE = "source"
+
+
+def is_source(x):
+    return x == "source" or x == b"source" or x == 42 or x == 42.0 or x == 42j
+
+
+def SINK(x):
+    if is_source(x):
+        print("OK")
+    else:
+        print("Unexpected flow", x)
+
+
+def SINK_F(x):
+    if is_source(x):
+        print("Unexpected flow", x)
+    else:
+        print("OK")
+
+import m1
+
+import base
+
+base.foo = 42
+
+def test_const():
+    SINK(m1.foo)
+
+def test_unoverwritten():
+    SINK_F(m1.bar)
--- a/python/ql/test/experimental/dataflow/strange-essaflow/testFlow.expected
+++ b/python/ql/test/experimental/dataflow/strange-essaflow/testFlow.expected
@@ -2,5 +2,5 @@ os_import
 | test.py:2:8:2:9 | GSSA Variable os |
 flowstep
 jumpStep
-| test.py:2:8:2:9 | GSSA Variable os | test.py:0:0:0:0 | ModuleVariableNode for Global Variable os in Module test |
+| test.py:2:8:2:9 | GSSA Variable os | test.py:0:0:0:0 | ModuleVariableNode for test.os |
 essaFlowStep
--- a/python/ql/test/experimental/dataflow/tainttracking/TestTaintLib.qll
+++ b/python/ql/test/experimental/dataflow/tainttracking/TestTaintLib.qll
@@ -1,7 +1,7 @@
 import python
 import semmle.python.dataflow.new.TaintTracking
 import semmle.python.dataflow.new.DataFlow
-import experimental.dataflow.TestUtil.PrintNode
+private import semmle.python.dataflow.new.internal.PrintNode

 class TestTaintTrackingConfiguration extends TaintTracking::Configuration {
  TestTaintTrackingConfiguration() { this = "TestTaintTrackingConfiguration" }
--- a/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep-py3/test_collections.py
+++ b/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep-py3/test_collections.py
@@ -16,6 +16,15 @@ def test_access():
        tainted_list.copy(), # $ tainted
    )

+    for ((x, y, *z), a, b) in tainted_list:
+        ensure_tainted(
+            x, # $ tainted
+            y, # $ tainted
+            z, # $ tainted
+            a, # $ tainted
+            b, # $ tainted
+        )
+

 def list_clear():
    tainted_string = TAINTED_STRING
--- a/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/test_collections.py
+++ b/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/test_collections.py
@@ -52,6 +52,8 @@ def test_access(x, y, z):
        reversed(tainted_list), # $ tainted
        iter(tainted_list), # $ tainted
        next(iter(tainted_list)), # $ tainted
+        [i for i in tainted_list], # $ tainted
+        [tainted_list for _i in [1,2,3]], # $ MISSING: tainted
    )

    a, b, c = tainted_list[0:3]
--- a/python/ql/test/experimental/dataflow/typetracking/moduleattr.expected
+++ b/python/ql/test/experimental/dataflow/typetracking/moduleattr.expected
@@ -1,7 +1,7 @@
 module_tracker
 | import_as_attr.py:1:6:1:11 | ControlFlowNode for ImportExpr |
 module_attr_tracker
-| import_as_attr.py:0:0:0:0 | ModuleVariableNode for Global Variable attr_ref in Module import_as_attr |
+| import_as_attr.py:0:0:0:0 | ModuleVariableNode for import_as_attr.attr_ref |
 | import_as_attr.py:1:20:1:35 | ControlFlowNode for ImportMember |
 | import_as_attr.py:1:28:1:35 | GSSA Variable attr_ref |
 | import_as_attr.py:3:1:3:1 | GSSA Variable x |
--- a/python/ql/test/experimental/dataflow/typetracking/moduleattr.ql
+++ b/python/ql/test/experimental/dataflow/typetracking/moduleattr.ql
@@ -1,10 +1,11 @@
 import python
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TypeTracker
+import semmle.python.ApiGraphs

 private DataFlow::TypeTrackingNode module_tracker(TypeTracker t) {
  t.start() and
-  result = DataFlow::importNode("module")
+  result = API::moduleImport("module").getAUse()
  or
  exists(TypeTracker t2 | result = module_tracker(t2).track(t2, t))
 }
--- a/python/ql/test/experimental/dataflow/typetracking/tracked.ql
+++ b/python/ql/test/experimental/dataflow/typetracking/tracked.ql
@@ -2,6 +2,7 @@ import python
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TypeTracker
 import TestUtilities.InlineExpectationsTest
+import semmle.python.ApiGraphs

 // -----------------------------------------------------------------------------
 // tracked
@@ -119,7 +120,7 @@ class TrackedSelfTest extends InlineExpectationsTest {
 /** Gets a reference to `foo` (fictive module). */
 private DataFlow::TypeTrackingNode foo(DataFlow::TypeTracker t) {
  t.start() and
-  result = DataFlow::importNode("foo")
+  result = API::moduleImport("foo").getAUse()
  or
  exists(DataFlow::TypeTracker t2 | result = foo(t2).track(t2, t))
 }
@@ -130,7 +131,7 @@ DataFlow::Node foo() { foo(DataFlow::TypeTracker::end()).flowsTo(result) }
 /** Gets a reference to `foo.bar` (fictive module). */
 private DataFlow::TypeTrackingNode foo_bar(DataFlow::TypeTracker t) {
  t.start() and
-  result = DataFlow::importNode("foo.bar")
+  result = API::moduleImport("foo.bar").getAUse()
  or
  t.startInAttr("bar") and
  result = foo()
@@ -144,7 +145,7 @@ DataFlow::Node foo_bar() { foo_bar(DataFlow::TypeTracker::end()).flowsTo(result)
 /** Gets a reference to `foo.bar.baz` (fictive attribute on `foo.bar` module). */
 private DataFlow::TypeTrackingNode foo_bar_baz(DataFlow::TypeTracker t) {
  t.start() and
-  result = DataFlow::importNode("foo.bar.baz")
+  result = API::moduleImport("foo.bar.baz").getAUse()
  or
  t.startInAttr("baz") and
  result = foo_bar()
--- a/python/ql/test/experimental/dataflow/validTest.py
+++ b/python/ql/test/experimental/dataflow/validTest.py
@@ -56,3 +56,7 @@ if __name__ == "__main__":
    check_tests_valid("variable-capture.in")
    check_tests_valid("variable-capture.nonlocal")
    check_tests_valid("variable-capture.dict")
+    check_tests_valid("module-initialization.multiphase")
+    # The below fails when trying to import modules
+    # check_tests_valid("module-initialization.test")
+    # check_tests_valid("module-initialization.testOnce")
--- a/python/ql/test/experimental/library-tests/frameworks/sqlalchemy/ConceptsTest.ql
+++ b/python/ql/test/experimental/library-tests/frameworks/sqlalchemy/ConceptsTest.ql
@@ -1,3 +0,0 @@
-import python
-import experimental.meta.ConceptsTest
-import experimental.semmle.python.frameworks.SqlAlchemy
--- a/python/ql/test/experimental/library-tests/frameworks/sqlalchemy/InlineTaintTest.ql
+++ b/python/ql/test/experimental/library-tests/frameworks/sqlalchemy/InlineTaintTest.ql
@@ -1,2 +0,0 @@
-import experimental.meta.InlineTaintTest
-import experimental.semmle.python.frameworks.SqlAlchemy
--- a/python/ql/test/experimental/library-tests/frameworks/sqlalchemy/taint_test.py
+++ b/python/ql/test/experimental/library-tests/frameworks/sqlalchemy/taint_test.py
@@ -1,12 +0,0 @@
-import sqlalchemy
-
-def test_taint():
-    ts = TAINTED_STRING
-
-    ensure_tainted(
-        ts, # $ tainted
-        sqlalchemy.text(ts), # $ tainted
-        sqlalchemy.sql.text(ts),# $ tainted
-        sqlalchemy.sql.expression.text(ts),# $ tainted
-        sqlalchemy.sql.expression.TextClause(ts),# $ tainted
-    )
--- a/python/ql/test/experimental/meta/ConceptsTest.qll
+++ b/python/ql/test/experimental/meta/ConceptsTest.qll
@@ -2,7 +2,7 @@ import python
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.Concepts
 import TestUtilities.InlineExpectationsTest
-import experimental.dataflow.TestUtil.PrintNode
+private import semmle.python.dataflow.new.internal.PrintNode

 class SystemCommandExecutionTest extends InlineExpectationsTest {
  SystemCommandExecutionTest() { this = "SystemCommandExecutionTest" }
@@ -96,7 +96,7 @@ class EncodingTest extends InlineExpectationsTest {
 class LoggingTest extends InlineExpectationsTest {
  LoggingTest() { this = "LoggingTest" }

-  override string getARelevantTag() { result in ["loggingInput"] }
+  override string getARelevantTag() { result = "loggingInput" }

  override predicate hasActualResult(Location location, string element, string tag, string value) {
    exists(location.getFile().getRelativePath()) and
@@ -181,7 +181,7 @@ class EscapingTest extends InlineExpectationsTest {
 class HttpServerRouteSetupTest extends InlineExpectationsTest {
  HttpServerRouteSetupTest() { this = "HttpServerRouteSetupTest" }

-  override string getARelevantTag() { result in ["routeSetup"] }
+  override string getARelevantTag() { result = "routeSetup" }

  override predicate hasActualResult(Location location, string element, string tag, string value) {
    exists(location.getFile().getRelativePath()) and
--- a/python/ql/test/experimental/meta/InlineTaintTest.qll
+++ b/python/ql/test/experimental/meta/InlineTaintTest.qll
@@ -14,7 +14,7 @@ import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
 import semmle.python.dataflow.new.RemoteFlowSources
 import TestUtilities.InlineExpectationsTest
-import experimental.dataflow.TestUtil.PrintNode
+private import semmle.python.dataflow.new.internal.PrintNode

 DataFlow::Node shouldBeTainted() {
  exists(DataFlow::CallCfgNode call |
--- a/python/ql/test/experimental/query-tests/Security/CWE-090/LDAPInjection.expected
+++ b/python/ql/test/experimental/query-tests/Security/CWE-090/LDAPInjection.expected
@@ -80,6 +80,7 @@ nodes
 | ldap_bad.py:48:21:48:44 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
 | ldap_bad.py:55:9:55:10 | ControlFlowNode for dn | semmle.label | ControlFlowNode for dn |
 | ldap_bad.py:55:43:55:55 | ControlFlowNode for search_filter | semmle.label | ControlFlowNode for search_filter |
+subpaths
 #select
 | ldap3_bad.py:21:17:21:18 | ControlFlowNode for dn | ldap3_bad.py:13:17:13:23 | ControlFlowNode for request | ldap3_bad.py:21:17:21:18 | ControlFlowNode for dn | $@ LDAP query parameter comes from $@. | ldap3_bad.py:21:17:21:18 | ControlFlowNode for dn | This | ldap3_bad.py:13:17:13:23 | ControlFlowNode for request | a user-provided value |
 | ldap3_bad.py:21:21:21:33 | ControlFlowNode for search_filter | ldap3_bad.py:13:17:13:23 | ControlFlowNode for request | ldap3_bad.py:21:21:21:33 | ControlFlowNode for search_filter | $@ LDAP query parameter comes from $@. | ldap3_bad.py:21:21:21:33 | ControlFlowNode for search_filter | This | ldap3_bad.py:13:17:13:23 | ControlFlowNode for request | a user-provided value |
--- a/python/ql/test/experimental/query-tests/Security/CWE-113/HeaderInjection.expected
+++ b/python/ql/test/experimental/query-tests/Security/CWE-113/HeaderInjection.expected
@@ -1,4 +1,6 @@
 edges
+| django_bad.py:5:18:5:58 | ControlFlowNode for Attribute() | django_bad.py:7:40:7:49 | ControlFlowNode for rfs_header |
+| django_bad.py:12:18:12:58 | ControlFlowNode for Attribute() | django_bad.py:14:30:14:39 | ControlFlowNode for rfs_header |
 | flask_bad.py:9:18:9:24 | ControlFlowNode for request | flask_bad.py:9:18:9:29 | ControlFlowNode for Attribute |
 | flask_bad.py:9:18:9:29 | ControlFlowNode for Attribute | flask_bad.py:9:18:9:43 | ControlFlowNode for Subscript |
 | flask_bad.py:9:18:9:43 | ControlFlowNode for Subscript | flask_bad.py:12:31:12:40 | ControlFlowNode for rfs_header |
@@ -10,11 +12,14 @@ edges
 | flask_bad.py:27:18:27:43 | ControlFlowNode for Subscript | flask_bad.py:29:34:29:43 | ControlFlowNode for rfs_header |
 | flask_bad.py:35:18:35:24 | ControlFlowNode for request | flask_bad.py:35:18:35:29 | ControlFlowNode for Attribute |
 | flask_bad.py:35:18:35:29 | ControlFlowNode for Attribute | flask_bad.py:35:18:35:43 | ControlFlowNode for Subscript |
-| flask_bad.py:35:18:35:43 | ControlFlowNode for Subscript | flask_bad.py:38:9:38:34 | ControlFlowNode for Dict |
+| flask_bad.py:35:18:35:43 | ControlFlowNode for Subscript | flask_bad.py:38:24:38:33 | ControlFlowNode for rfs_header |
 | flask_bad.py:44:44:44:50 | ControlFlowNode for request | flask_bad.py:44:44:44:55 | ControlFlowNode for Attribute |
 | flask_bad.py:44:44:44:55 | ControlFlowNode for Attribute | flask_bad.py:44:44:44:69 | ControlFlowNode for Subscript |
-| flask_bad.py:44:44:44:69 | ControlFlowNode for Subscript | flask_bad.py:44:29:44:70 | ControlFlowNode for Dict |
 nodes
+| django_bad.py:5:18:5:58 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| django_bad.py:7:40:7:49 | ControlFlowNode for rfs_header | semmle.label | ControlFlowNode for rfs_header |
+| django_bad.py:12:18:12:58 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| django_bad.py:14:30:14:39 | ControlFlowNode for rfs_header | semmle.label | ControlFlowNode for rfs_header |
 | flask_bad.py:9:18:9:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
 | flask_bad.py:9:18:9:29 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
 | flask_bad.py:9:18:9:43 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
@@ -30,14 +35,16 @@ nodes
 | flask_bad.py:35:18:35:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
 | flask_bad.py:35:18:35:29 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
 | flask_bad.py:35:18:35:43 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
-| flask_bad.py:38:9:38:34 | ControlFlowNode for Dict | semmle.label | ControlFlowNode for Dict |
-| flask_bad.py:44:29:44:70 | ControlFlowNode for Dict | semmle.label | ControlFlowNode for Dict |
+| flask_bad.py:38:24:38:33 | ControlFlowNode for rfs_header | semmle.label | ControlFlowNode for rfs_header |
 | flask_bad.py:44:44:44:50 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
 | flask_bad.py:44:44:44:55 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
 | flask_bad.py:44:44:44:69 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+subpaths
 #select
+| django_bad.py:7:40:7:49 | ControlFlowNode for rfs_header | django_bad.py:5:18:5:58 | ControlFlowNode for Attribute() | django_bad.py:7:40:7:49 | ControlFlowNode for rfs_header | $@ HTTP header is constructed from a $@. | django_bad.py:7:40:7:49 | ControlFlowNode for rfs_header | This | django_bad.py:5:18:5:58 | ControlFlowNode for Attribute() | user-provided value |
+| django_bad.py:14:30:14:39 | ControlFlowNode for rfs_header | django_bad.py:12:18:12:58 | ControlFlowNode for Attribute() | django_bad.py:14:30:14:39 | ControlFlowNode for rfs_header | $@ HTTP header is constructed from a $@. | django_bad.py:14:30:14:39 | ControlFlowNode for rfs_header | This | django_bad.py:12:18:12:58 | ControlFlowNode for Attribute() | user-provided value |
 | flask_bad.py:12:31:12:40 | ControlFlowNode for rfs_header | flask_bad.py:9:18:9:24 | ControlFlowNode for request | flask_bad.py:12:31:12:40 | ControlFlowNode for rfs_header | $@ HTTP header is constructed from a $@. | flask_bad.py:12:31:12:40 | ControlFlowNode for rfs_header | This | flask_bad.py:9:18:9:24 | ControlFlowNode for request | user-provided value |
 | flask_bad.py:21:38:21:47 | ControlFlowNode for rfs_header | flask_bad.py:19:18:19:24 | ControlFlowNode for request | flask_bad.py:21:38:21:47 | ControlFlowNode for rfs_header | $@ HTTP header is constructed from a $@. | flask_bad.py:21:38:21:47 | ControlFlowNode for rfs_header | This | flask_bad.py:19:18:19:24 | ControlFlowNode for request | user-provided value |
 | flask_bad.py:29:34:29:43 | ControlFlowNode for rfs_header | flask_bad.py:27:18:27:24 | ControlFlowNode for request | flask_bad.py:29:34:29:43 | ControlFlowNode for rfs_header | $@ HTTP header is constructed from a $@. | flask_bad.py:29:34:29:43 | ControlFlowNode for rfs_header | This | flask_bad.py:27:18:27:24 | ControlFlowNode for request | user-provided value |
-| flask_bad.py:38:9:38:34 | ControlFlowNode for Dict | flask_bad.py:35:18:35:24 | ControlFlowNode for request | flask_bad.py:38:9:38:34 | ControlFlowNode for Dict | $@ HTTP header is constructed from a $@. | flask_bad.py:38:9:38:34 | ControlFlowNode for Dict | This | flask_bad.py:35:18:35:24 | ControlFlowNode for request | user-provided value |
-| flask_bad.py:44:29:44:70 | ControlFlowNode for Dict | flask_bad.py:44:44:44:50 | ControlFlowNode for request | flask_bad.py:44:29:44:70 | ControlFlowNode for Dict | $@ HTTP header is constructed from a $@. | flask_bad.py:44:29:44:70 | ControlFlowNode for Dict | This | flask_bad.py:44:44:44:50 | ControlFlowNode for request | user-provided value |
+| flask_bad.py:38:24:38:33 | ControlFlowNode for rfs_header | flask_bad.py:35:18:35:24 | ControlFlowNode for request | flask_bad.py:38:24:38:33 | ControlFlowNode for rfs_header | $@ HTTP header is constructed from a $@. | flask_bad.py:38:24:38:33 | ControlFlowNode for rfs_header | This | flask_bad.py:35:18:35:24 | ControlFlowNode for request | user-provided value |
+| flask_bad.py:44:44:44:69 | ControlFlowNode for Subscript | flask_bad.py:44:44:44:50 | ControlFlowNode for request | flask_bad.py:44:44:44:69 | ControlFlowNode for Subscript | $@ HTTP header is constructed from a $@. | flask_bad.py:44:44:44:69 | ControlFlowNode for Subscript | This | flask_bad.py:44:44:44:50 | ControlFlowNode for request | user-provided value |
--- a/python/ql/test/experimental/query-tests/Security/CWE-113/django_bad.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-113/django_bad.py
@@ -1,15 +1,15 @@
 import django.http


-def django_setitem(request):
-    rfs_header = request.GET.get("rfs_header")
+def django_setitem():
+    rfs_header = django.http.request.GET.get("rfs_header")
    response = django.http.HttpResponse()
    response.__setitem__('HeaderName', rfs_header)
    return response


-def django_response(request):
-    rfs_header = request.GET.get("rfs_header")
+def django_response():
+    rfs_header = django.http.request.GET.get("rfs_header")
    response = django.http.HttpResponse()
    response['HeaderName'] = rfs_header
    return response
--- a/python/ql/test/experimental/query-tests/Security/CWE-117/LogInjection.expected
+++ b/python/ql/test/experimental/query-tests/Security/CWE-117/LogInjection.expected
@@ -0,0 +1,28 @@
+edges
+| LogInjectionBad.py:17:12:17:18 | ControlFlowNode for request | LogInjectionBad.py:17:12:17:23 | ControlFlowNode for Attribute |
+| LogInjectionBad.py:17:12:17:23 | ControlFlowNode for Attribute | LogInjectionBad.py:18:21:18:40 | ControlFlowNode for BinaryExpr |
+| LogInjectionBad.py:23:12:23:18 | ControlFlowNode for request | LogInjectionBad.py:23:12:23:23 | ControlFlowNode for Attribute |
+| LogInjectionBad.py:23:12:23:23 | ControlFlowNode for Attribute | LogInjectionBad.py:24:18:24:37 | ControlFlowNode for BinaryExpr |
+| LogInjectionBad.py:29:12:29:18 | ControlFlowNode for request | LogInjectionBad.py:29:12:29:23 | ControlFlowNode for Attribute |
+| LogInjectionBad.py:29:12:29:23 | ControlFlowNode for Attribute | LogInjectionBad.py:30:25:30:44 | ControlFlowNode for BinaryExpr |
+| LogInjectionBad.py:35:12:35:18 | ControlFlowNode for request | LogInjectionBad.py:35:12:35:23 | ControlFlowNode for Attribute |
+| LogInjectionBad.py:35:12:35:23 | ControlFlowNode for Attribute | LogInjectionBad.py:37:19:37:38 | ControlFlowNode for BinaryExpr |
+nodes
+| LogInjectionBad.py:17:12:17:18 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| LogInjectionBad.py:17:12:17:23 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| LogInjectionBad.py:18:21:18:40 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
+| LogInjectionBad.py:23:12:23:18 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| LogInjectionBad.py:23:12:23:23 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| LogInjectionBad.py:24:18:24:37 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
+| LogInjectionBad.py:29:12:29:18 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| LogInjectionBad.py:29:12:29:23 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| LogInjectionBad.py:30:25:30:44 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
+| LogInjectionBad.py:35:12:35:18 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| LogInjectionBad.py:35:12:35:23 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| LogInjectionBad.py:37:19:37:38 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
+subpaths
+#select
+| LogInjectionBad.py:18:21:18:40 | ControlFlowNode for BinaryExpr | LogInjectionBad.py:17:12:17:18 | ControlFlowNode for request | LogInjectionBad.py:18:21:18:40 | ControlFlowNode for BinaryExpr | $@ flows to log entry. | LogInjectionBad.py:17:12:17:18 | ControlFlowNode for request | User-provided value |
+| LogInjectionBad.py:24:18:24:37 | ControlFlowNode for BinaryExpr | LogInjectionBad.py:23:12:23:18 | ControlFlowNode for request | LogInjectionBad.py:24:18:24:37 | ControlFlowNode for BinaryExpr | $@ flows to log entry. | LogInjectionBad.py:23:12:23:18 | ControlFlowNode for request | User-provided value |
+| LogInjectionBad.py:30:25:30:44 | ControlFlowNode for BinaryExpr | LogInjectionBad.py:29:12:29:18 | ControlFlowNode for request | LogInjectionBad.py:30:25:30:44 | ControlFlowNode for BinaryExpr | $@ flows to log entry. | LogInjectionBad.py:29:12:29:18 | ControlFlowNode for request | User-provided value |
+| LogInjectionBad.py:37:19:37:38 | ControlFlowNode for BinaryExpr | LogInjectionBad.py:35:12:35:18 | ControlFlowNode for request | LogInjectionBad.py:37:19:37:38 | ControlFlowNode for BinaryExpr | $@ flows to log entry. | LogInjectionBad.py:35:12:35:18 | ControlFlowNode for request | User-provided value |
--- a/python/ql/test/experimental/query-tests/Security/CWE-117/LogInjection.qlref
+++ b/python/ql/test/experimental/query-tests/Security/CWE-117/LogInjection.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE-117/LogInjection.ql
--- a/python/ql/test/experimental/query-tests/Security/CWE-117/LogInjectionBad.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-117/LogInjectionBad.py
@@ -0,0 +1,44 @@
+#!/usr/bin/env python
+# -*- coding: UTF-8 -*-
+"""
+@Desc   ：Log Injection
+"""
+from flask import Flask
+from flask import request
+from django.utils.log import request_logger
+import logging
+
+logging.basicConfig(level=logging.DEBUG)
+
+app = Flask(__name__)
+
+@app.route('/bad1')
+def bad1():
+    name = request.args.get('name')
+    app.logger.info('User name: ' + name) # Bad
+    return 'bad1'
+
+@app.route('/bad2')
+def bad2():
+    name = request.args.get('name')
+    logging.info('User name: ' + name) # Bad
+    return 'bad2'
+
+@app.route('/bad3')
+def bad3():
+    name = request.args.get('name')
+    request_logger.warn('User name: ' + name) # Bad
+    return 'bad3'
+
+@app.route('/bad4')
+def bad4():
+    name = request.args.get('name')
+    logtest = logging.getLogger('test')
+    logtest.debug('User name: ' + name) # Bad
+    return 'bad4'
+
+if __name__ == '__main__':
+    app.debug = True
+    handler = logging.FileHandler('log')
+    app.logger.addHandler(handler)
+    app.run()
--- a/python/ql/test/experimental/query-tests/Security/CWE-117/LogInjectionGood.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-117/LogInjectionGood.py
@@ -0,0 +1,25 @@
+#!/usr/bin/env python
+# -*- coding: UTF-8 -*-
+"""
+@Desc   ：Log Injection
+"""
+from flask import Flask
+from flask import request
+import logging
+
+logging.basicConfig(level=logging.DEBUG)
+
+app = Flask(__name__)
+
+@app.route('/good1')
+def good1():
+    name = request.args.get('name')
+    name = name.replace('\r\n','').replace('\n','')
+    logging.info('User name: ' + name) # Good
+    return 'good1'
+
+if __name__ == '__main__':
+    app.debug = True
+    handler = logging.FileHandler('log')
+    app.logger.addHandler(handler)
+    app.run()
--- a/python/ql/test/experimental/query-tests/Security/CWE-348/ClientSuppliedIpUsedInSecurityCheck.expected
+++ b/python/ql/test/experimental/query-tests/Security/CWE-348/ClientSuppliedIpUsedInSecurityCheck.expected
@@ -0,0 +1,16 @@
+edges
+| flask_bad.py:13:17:13:54 | ControlFlowNode for Attribute() | flask_bad.py:14:12:14:20 | ControlFlowNode for client_ip |
+| flask_bad.py:20:17:20:54 | ControlFlowNode for Attribute() | flask_bad.py:21:12:21:20 | ControlFlowNode for client_ip |
+| tornado_bad.py:22:25:22:69 | ControlFlowNode for Attribute() | tornado_bad.py:23:16:23:24 | ControlFlowNode for client_ip |
+nodes
+| flask_bad.py:13:17:13:54 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| flask_bad.py:14:12:14:20 | ControlFlowNode for client_ip | semmle.label | ControlFlowNode for client_ip |
+| flask_bad.py:20:17:20:54 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| flask_bad.py:21:12:21:20 | ControlFlowNode for client_ip | semmle.label | ControlFlowNode for client_ip |
+| tornado_bad.py:22:25:22:69 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| tornado_bad.py:23:16:23:24 | ControlFlowNode for client_ip | semmle.label | ControlFlowNode for client_ip |
+subpaths
+#select
+| flask_bad.py:14:12:14:20 | ControlFlowNode for client_ip | flask_bad.py:13:17:13:54 | ControlFlowNode for Attribute() | flask_bad.py:14:12:14:20 | ControlFlowNode for client_ip | IP address spoofing might include code from $@. | flask_bad.py:13:17:13:54 | ControlFlowNode for Attribute() | this user input |
+| flask_bad.py:21:12:21:20 | ControlFlowNode for client_ip | flask_bad.py:20:17:20:54 | ControlFlowNode for Attribute() | flask_bad.py:21:12:21:20 | ControlFlowNode for client_ip | IP address spoofing might include code from $@. | flask_bad.py:20:17:20:54 | ControlFlowNode for Attribute() | this user input |
+| tornado_bad.py:23:16:23:24 | ControlFlowNode for client_ip | tornado_bad.py:22:25:22:69 | ControlFlowNode for Attribute() | tornado_bad.py:23:16:23:24 | ControlFlowNode for client_ip | IP address spoofing might include code from $@. | tornado_bad.py:22:25:22:69 | ControlFlowNode for Attribute() | this user input |
--- a/python/ql/test/experimental/query-tests/Security/CWE-348/ClientSuppliedIpUsedInSecurityCheck.qlref
+++ b/python/ql/test/experimental/query-tests/Security/CWE-348/ClientSuppliedIpUsedInSecurityCheck.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE-348/ClientSuppliedIpUsedInSecurityCheck.ql
--- a/python/ql/test/experimental/query-tests/Security/CWE-348/flask_bad.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-348/flask_bad.py
@@ -0,0 +1,27 @@
+#!/usr/bin/env python
+# -*- coding: UTF-8 -*-
+"""
+@Desc   ：ip address spoofing
+"""
+from flask import Flask
+from flask import request
+
+app = Flask(__name__)
+
+@app.route('/bad1')
+def bad1():
+    client_ip = request.headers.get('x-forwarded-for')
+    if not client_ip.startswith('192.168.'):
+        raise Exception('ip illegal')
+    return 'bad1'
+
+@app.route('/bad2')
+def bad2():
+    client_ip = request.headers.get('x-forwarded-for')
+    if not client_ip == '127.0.0.1':
+        raise Exception('ip illegal')
+    return 'bad2'
+
+if __name__ == '__main__':
+    app.debug = True
+    app.run()
--- a/python/ql/test/experimental/query-tests/Security/CWE-348/flask_good.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-348/flask_good.py
@@ -0,0 +1,21 @@
+#!/usr/bin/env python
+# -*- coding: UTF-8 -*-
+"""
+@Desc   ：ip address spoofing
+"""
+from flask import Flask
+from flask import request
+
+app = Flask(__name__)
+
+@app.route('/good1')
+def good1():
+    client_ip = request.headers.get('x-forwarded-for')
+    client_ip = client_ip.split(',')[len(client_ip.split(',')) - 1]
+    if not client_ip == '127.0.0.1':
+        raise Exception('ip illegal')
+    return 'good1'
+
+if __name__ == '__main__':
+    app.debug = True
+    app.run()
--- a/python/ql/test/experimental/query-tests/Security/CWE-348/tornado_bad.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-348/tornado_bad.py
@@ -0,0 +1,36 @@
+#!/usr/bin/env python
+# -*- coding: UTF-8 -*-
+"""
+@Desc   ：ip address spoofing
+"""
+import tornado.httpserver
+import tornado.options
+import tornado.web
+import tornado.ioloop
+
+from tornado.options import define, options
+
+define("port", default=8000, help="run on the given port,default 8000", type=int)
+
+
+class IndexHandler(tornado.web.RequestHandler):
+    def get(self):
+        client_ip = self.request.headers.get('x-forwarded-for')
+        if client_ip:
+            client_ip = client_ip.split(',')[len(client_ip.split(',')) - 1]
+        else:
+            client_ip = self.request.headers.get('REMOTE_ADDR', None)
+        if not client_ip == '127.0.0.1':
+            raise Exception('ip illegal')
+        self.write("hello.")
+
+handlers = [(r"/", IndexHandler)]
+
+if __name__ == "__main__":
+    tornado.options.parse_command_line()
+    app = tornado.web.Application(
+        handlers
+    )
+    http_server = tornado.httpserver.HTTPServer(app)
+    http_server.listen(options.port)
+    tornado.ioloop.IOLoop.instance().start()
--- a/python/ql/test/experimental/query-tests/Security/CWE-522-global-option/LDAPInsecureAuth.expected
+++ b/python/ql/test/experimental/query-tests/Security/CWE-522-global-option/LDAPInsecureAuth.expected
@@ -0,0 +1,4 @@
+edges
+nodes
+subpaths
+#select
--- a/python/ql/test/experimental/query-tests/Security/CWE-522-global-option/LDAPInsecureAuth.qlref
+++ b/python/ql/test/experimental/query-tests/Security/CWE-522-global-option/LDAPInsecureAuth.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE-522/LDAPInsecureAuth.ql
--- a/python/ql/test/experimental/query-tests/Security/CWE-522-global-option/ldap2_global.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-522-global-option/ldap2_global.py
@@ -0,0 +1,29 @@
+# since global options are considered to affect all files in a repo, we need to keep
+# this test in its' own directory (so it doesn't interfere with other tests).
+
+import ldap
+from flask import request, Flask
+
+app = Flask(__name__)
+
+# GOOD
+
+# SSL through ldap global variable option
+
+ldap.set_option(ldap.OPT_X_TLS_DEMAND, True)
+
+
+@app.route("/one")
+def one():
+    # The following connection would have been insecure if the global option above was
+    # not set
+    ldap_connection_5 = ldap.initialize("ldap://somethingon.theinternet.com")
+    ldap_connection_5.simple_bind_s('', '')
+    user = ldap_connection_5.search_s(
+        "dn", ldap.SCOPE_SUBTREE, "search_filter")
+
+    return user
+
+
+# if __name__ == "__main__":
+#     app.run(debug=True)
--- a/python/ql/test/experimental/query-tests/Security/CWE-522/LDAPInsecureAuth.expected
+++ b/python/ql/test/experimental/query-tests/Security/CWE-522/LDAPInsecureAuth.expected
@@ -0,0 +1,28 @@
+edges
+| ldap3_remote.py:101:12:101:49 | ControlFlowNode for BinaryExpr | ldap3_remote.py:102:18:102:21 | ControlFlowNode for host |
+| ldap3_remote.py:114:12:114:49 | ControlFlowNode for BinaryExpr | ldap3_remote.py:115:18:115:21 | ControlFlowNode for host |
+| ldap3_remote.py:126:12:126:31 | ControlFlowNode for BinaryExpr | ldap3_remote.py:127:18:127:21 | ControlFlowNode for host |
+| ldap3_remote.py:138:21:138:27 | ControlFlowNode for request | ldap3_remote.py:138:21:138:32 | ControlFlowNode for Attribute |
+| ldap3_remote.py:138:21:138:32 | ControlFlowNode for Attribute | ldap3_remote.py:138:21:138:40 | ControlFlowNode for Subscript |
+| ldap3_remote.py:138:21:138:40 | ControlFlowNode for Subscript | ldap3_remote.py:139:18:139:21 | ControlFlowNode for host |
+nodes
+| ldap2_remote.py:45:41:45:60 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
+| ldap2_remote.py:56:41:56:60 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
+| ldap3_remote.py:101:12:101:49 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
+| ldap3_remote.py:102:18:102:21 | ControlFlowNode for host | semmle.label | ControlFlowNode for host |
+| ldap3_remote.py:114:12:114:49 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
+| ldap3_remote.py:115:18:115:21 | ControlFlowNode for host | semmle.label | ControlFlowNode for host |
+| ldap3_remote.py:126:12:126:31 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
+| ldap3_remote.py:127:18:127:21 | ControlFlowNode for host | semmle.label | ControlFlowNode for host |
+| ldap3_remote.py:138:21:138:27 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| ldap3_remote.py:138:21:138:32 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| ldap3_remote.py:138:21:138:40 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| ldap3_remote.py:139:18:139:21 | ControlFlowNode for host | semmle.label | ControlFlowNode for host |
+subpaths
+#select
+| ldap2_remote.py:45:41:45:60 | ControlFlowNode for BinaryExpr | ldap2_remote.py:45:41:45:60 | ControlFlowNode for BinaryExpr | ldap2_remote.py:45:41:45:60 | ControlFlowNode for BinaryExpr | $@ is authenticated insecurely. | ldap2_remote.py:45:41:45:60 | ControlFlowNode for BinaryExpr | This LDAP host |
+| ldap2_remote.py:56:41:56:60 | ControlFlowNode for BinaryExpr | ldap2_remote.py:56:41:56:60 | ControlFlowNode for BinaryExpr | ldap2_remote.py:56:41:56:60 | ControlFlowNode for BinaryExpr | $@ is authenticated insecurely. | ldap2_remote.py:56:41:56:60 | ControlFlowNode for BinaryExpr | This LDAP host |
+| ldap3_remote.py:102:18:102:21 | ControlFlowNode for host | ldap3_remote.py:101:12:101:49 | ControlFlowNode for BinaryExpr | ldap3_remote.py:102:18:102:21 | ControlFlowNode for host | $@ is authenticated insecurely. | ldap3_remote.py:102:18:102:21 | ControlFlowNode for host | This LDAP host |
+| ldap3_remote.py:115:18:115:21 | ControlFlowNode for host | ldap3_remote.py:114:12:114:49 | ControlFlowNode for BinaryExpr | ldap3_remote.py:115:18:115:21 | ControlFlowNode for host | $@ is authenticated insecurely. | ldap3_remote.py:115:18:115:21 | ControlFlowNode for host | This LDAP host |
+| ldap3_remote.py:127:18:127:21 | ControlFlowNode for host | ldap3_remote.py:126:12:126:31 | ControlFlowNode for BinaryExpr | ldap3_remote.py:127:18:127:21 | ControlFlowNode for host | $@ is authenticated insecurely. | ldap3_remote.py:127:18:127:21 | ControlFlowNode for host | This LDAP host |
+| ldap3_remote.py:139:18:139:21 | ControlFlowNode for host | ldap3_remote.py:138:21:138:27 | ControlFlowNode for request | ldap3_remote.py:139:18:139:21 | ControlFlowNode for host | $@ is authenticated insecurely. | ldap3_remote.py:139:18:139:21 | ControlFlowNode for host | This LDAP host |
--- a/python/ql/test/experimental/query-tests/Security/CWE-522/LDAPInsecureAuth.qlref
+++ b/python/ql/test/experimental/query-tests/Security/CWE-522/LDAPInsecureAuth.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE-522/LDAPInsecureAuth.ql
--- a/python/ql/test/experimental/query-tests/Security/CWE-522/ldap2_private.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-522/ldap2_private.py
@@ -0,0 +1,66 @@
+import ldap
+from flask import request, Flask
+
+app = Flask(__name__)
+
+schema = "ldap://"
+remote_host = "127.0.0.1"
+full_host = "ldap://127.0.0.1"
+
+
+# GOOD
+
+# SSL through ldap variable option
+# host from variable + variable
+
+@app.route("/one")
+def one():
+    ldap_connection_1 = ldap.initialize(schema + remote_host)
+    ldap_connection_1.set_option(ldap.OPT_X_TLS_DEMAND, True)
+    ldap_connection_1.simple_bind_s('', '')
+    user = ldap_connection_1.search_s(
+        "dn", ldap.SCOPE_SUBTREE, "search_filter")
+
+    return user
+
+
+# SSL through ldap start_tls_s
+# hardcoded host
+
+@app.route("/two")
+def two():
+    ldap_connection_2 = ldap.initialize("ldap://127.0.0.1")
+    ldap_connection_2.start_tls_s()
+    ldap_connection_2.simple_bind_s('', '')
+    user = ldap_connection_2.search_s(
+        "dn", ldap.SCOPE_SUBTREE, "search_filter")
+
+    return user
+
+
+# BAD (not a sink because it's private)
+
+@app.route("/one_bad")
+def one_bad():
+    ldap_connection_3 = ldap.initialize(schema + remote_host)
+    ldap_connection_3.set_option(ldap.OPT_X_TLS_DEMAND, False)
+    ldap_connection_3.simple_bind_s('', '')
+    user = ldap_connection_3.search_s(
+        "dn", ldap.SCOPE_SUBTREE, "search_filter")
+
+    return user
+
+
+@app.route("/one_bad_2")
+def one_bad_2():
+    ldap_connection_4 = ldap.initialize(schema + remote_host)
+    ldap_connection_4.set_option(ldap.OPT_X_TLS_NEVER, True)
+    ldap_connection_4.simple_bind_s('', '')
+    user = ldap_connection_4.search_s(
+        "dn", ldap.SCOPE_SUBTREE, "search_filter")
+
+    return user
+
+
+# if __name__ == "__main__":
+#     app.run(debug=True)
--- a/python/ql/test/experimental/query-tests/Security/CWE-522/ldap2_remote.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-522/ldap2_remote.py
@@ -0,0 +1,66 @@
+import ldap
+from flask import request, Flask
+
+app = Flask(__name__)
+
+schema = "ldap://"
+remote_host = "somethingon.theinternet.com"
+full_host = "ldap://somethingon.theinternet.com"
+
+
+# GOOD
+
+# SSL through ldap variable option
+# host from variable + variable
+
+@app.route("/one")
+def one():
+    ldap_connection_5 = ldap.initialize(schema + remote_host)
+    ldap_connection_5.set_option(ldap.OPT_X_TLS_DEMAND, True)
+    ldap_connection_5.simple_bind_s('', '')
+    user = ldap_connection_5.search_s(
+        "dn", ldap.SCOPE_SUBTREE, "search_filter")
+
+    return user
+
+
+# SSL through ldap start_tls_s
+# hardcoded host
+
+@app.route("/two")
+def two():
+    ldap_connection_6 = ldap.initialize("ldap://somethingon.theinternet.com")
+    ldap_connection_6.start_tls_s()
+    ldap_connection_6.simple_bind_s('', '')
+    user = ldap_connection_6.search_s(
+        "dn", ldap.SCOPE_SUBTREE, "search_filter")
+
+    return user
+
+
+# BAD
+
+@app.route("/one_bad")
+def one_bad():
+    ldap_connection_7 = ldap.initialize(schema + remote_host)
+    ldap_connection_7.set_option(ldap.OPT_X_TLS_DEMAND, False)
+    ldap_connection_7.simple_bind_s('', '')
+    user = ldap_connection_7.search_s(
+        "dn", ldap.SCOPE_SUBTREE, "search_filter")
+
+    return user
+
+
+@app.route("/one_bad_2")
+def one_bad_2():
+    ldap_connection_8 = ldap.initialize(schema + remote_host)
+    ldap_connection_8.set_option(ldap.OPT_X_TLS_NEVER, True)
+    ldap_connection_8.simple_bind_s('', '')
+    user = ldap_connection_8.search_s(
+        "dn", ldap.SCOPE_SUBTREE, "search_filter")
+
+    return user
+
+
+# if __name__ == "__main__":
+#     app.run(debug=True)
--- a/python/ql/test/experimental/query-tests/Security/CWE-522/ldap3_private.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-522/ldap3_private.py
@@ -0,0 +1,105 @@
+from ldap3 import Server, Connection, ALL
+from flask import request, Flask
+
+app = Flask(__name__)
+
+schema = "ldap://"
+partial_host = "127.0.0.1"
+full_host = "ldap://127.0.0.1"
+
+
+# hardcoded host
+
+@app.route("/one")
+def one():
+    srv = Server("ldap://127.0.0.1", port=1337)
+    conn = Connection(srv, "dn", "password")
+    conn.search("dn", "search_filter")
+    return conn.response
+
+
+# host from variable
+
+@app.route("/two")
+def two():
+    srv = Server(full_host, port=1337)
+    conn = Connection(srv, "dn", "password")
+    conn.search("dn", "search_filter")
+    return conn.response
+
+
+# schema from string + variable
+
+@app.route("/three")
+def three():
+    host = "ldap://" + partial_host
+
+    srv = Server(host, port=1337)
+    conn = Connection(srv, "dn", "password")
+    conn.search("dn", "search_filter")
+    return conn.response
+
+
+# schema from variable + variable
+
+@app.route("/four")
+def four():
+    host = schema + partial_host
+
+    srv = Server(host, port=1337)
+    conn = Connection(srv, "dn", "password")
+    conn.search("dn", "search_filter")
+    return conn.response
+
+
+# schema from string + string
+
+@app.route("/five")
+def five():
+    host = "ldap://" + "127.0.0.1"
+
+    srv = Server(host, port=1337)
+    conn = Connection(srv, "dn", "password")
+    conn.search("dn", "search_filter")
+    return conn.response
+
+
+# schema from variable + hardcoded host
+
+@app.route("/six")
+def six():
+    host = schema + "127.0.0.1"
+
+    srv = Server(host, port=1337)
+    conn = Connection(srv, "dn", "password")
+    conn.search("dn", "search_filter")
+    return conn.response
+
+
+# use_ssl = True (positional argument)
+# host from string + variable
+
+@app.route("/four")
+def four():
+    host = "ldap://" + partial_host
+
+    srv = Server(host, 1337, True)
+    conn = Connection(srv, "dn", "password")
+    conn.search("dn", "search_filter")
+    return conn.response
+
+
+# use_ssl = True (argument by name)
+# host from variable + variable
+
+@app.route("/five")
+def five():
+    host = schema + partial_host
+
+    srv = Server(host, port=1337, use_ssl=True)
+    conn = Connection(srv, "dn", "password")
+    conn.search("dn", "search_filter")
+
+
+# if __name__ == "__main__":
+#     app.run(debug=True)
--- a/python/ql/test/experimental/query-tests/Security/CWE-522/ldap3_remote.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-522/ldap3_remote.py
@@ -0,0 +1,146 @@
+from ldap3 import Server, Connection, ALL
+from flask import request, Flask
+
+app = Flask(__name__)
+
+schema = "ldap://"
+remote_host = "somethingon.theinternet.com"
+full_host = "ldap://somethingon.theinternet.com"
+
+
+# use_ssl = True (positional argument)
+# hardcoded host
+
+@app.route("/one")
+def one():
+    srv = Server("ldap://somethingon.theinternet.com", 1337, True)
+    conn = Connection(srv, "dn", "password")
+    conn.search("dn", "search_filter")
+    return conn.response
+
+
+# use_ssl = True (argument by name)
+# host from variable
+
+@app.route("/two")
+def two():
+    srv = Server(full_host, port=1337, use_ssl=True)
+    conn = Connection(srv, "dn", "password")
+    conn.search("dn", "search_filter")
+    return conn.response
+
+
+# use_ssl = True (argument by name)
+# host from RFS
+
+@app.route("/three")
+def three():
+    srv = Server(request.args['host'], port=1337, use_ssl=True)
+    conn = Connection(srv, "dn", "password")
+    conn.search("dn", "search_filter")
+    return conn.response
+
+
+# use_ssl = True (positional argument)
+# host from string + variable
+
+@app.route("/four")
+def four():
+    host = "ldap://" + remote_host
+
+    srv = Server(host, 1337, True)
+    conn = Connection(srv, "dn", "password")
+    conn.search("dn", "search_filter")
+    return conn.response
+
+
+# use_ssl = True (argument by name)
+# host from variable + variable
+
+@app.route("/five")
+def five():
+    host = schema + remote_host
+
+    srv = Server(host, port=1337, use_ssl=True)
+    conn = Connection(srv, "dn", "password")
+    conn.search("dn", "search_filter")
+    return conn.response
+
+
+# use_ssl = True (argument by name)
+# host from string + RFS
+
+@app.route("/six")
+def six():
+    host = "ldap://" + request.args['host']
+
+    srv = Server(host, port=1337, use_ssl=True)
+    conn = Connection(srv, "dn", "password")
+    conn.search("dn", "search_filter")
+    return conn.response
+
+
+# use_ssl = True (positional argument)
+# host from variable + RFS
+
+@app.route("/seven")
+def seven():
+    host = schema + request.args['host']
+
+    srv = Server(host, 1337, True)
+    conn = Connection(srv, "dn", "password")
+    conn.search("dn", "search_filter")
+    return conn.response
+
+
+# SSL through special method
+# host from variable + hardcoded host
+
+@app.route("/eight")
+def eight():
+    host = schema + "somethingon.theinternet.com"
+    srv = Server(host, port=1337)
+    conn = Connection(srv, "dn", "password")
+    conn.start_tls()
+    conn.search("dn", "search_filter")
+    return conn.response
+
+
+# No SSL (to test sink)
+# host from variable + hardcoded host
+
+@app.route("/nine")
+def nine():
+    host = schema + "somethingon.theinternet.com"
+    srv = Server(host, 1337, False)
+    conn = Connection(srv, "dn", "password")
+    conn.search("dn", "search_filter")
+    return conn.response
+
+
+# No SSL (to test sink)
+# host from variable + variable
+
+@app.route("/ten")
+def ten():
+    host = schema + remote_host
+    srv = Server(host, port=1337, use_ssl=False)
+    conn = Connection(srv, "dn", "password")
+    conn.search("dn", "search_filter")
+    return conn.response
+
+
+# No SSL (to test sink)
+# host from variable + RFS
+
+@app.route("/eleven")
+def eleven():
+    host = schema + request.args['host']
+    srv = Server(host, port=1337)
+    conn = Connection(srv, "dn", "password")
+    conn.search("dn", "search_filter")
+    return conn.response
+
+
+# if __name__ == "__main__":
+#     app.run(debug=True)
--- a/python/ql/test/experimental/query-tests/Security/CWE-643/XpathInjection.expected
+++ b/python/ql/test/experimental/query-tests/Security/CWE-643/XpathInjection.expected
@@ -0,0 +1,74 @@
+edges
+| xpathBad.py:9:7:9:13 | ControlFlowNode for request | xpathBad.py:10:13:10:23 | ControlFlowNode for Attribute |
+| xpathBad.py:9:7:9:13 | ControlFlowNode for request | xpathBad.py:10:13:10:23 | ControlFlowNode for Attribute |
+| xpathBad.py:10:13:10:23 | ControlFlowNode for Attribute | xpathBad.py:10:13:10:32 | ControlFlowNode for Subscript |
+| xpathBad.py:10:13:10:23 | ControlFlowNode for Attribute | xpathBad.py:10:13:10:32 | ControlFlowNode for Subscript |
+| xpathBad.py:10:13:10:32 | ControlFlowNode for Subscript | xpathBad.py:13:20:13:43 | ControlFlowNode for BinaryExpr |
+| xpathBad.py:10:13:10:32 | ControlFlowNode for Subscript | xpathBad.py:13:20:13:43 | ControlFlowNode for BinaryExpr |
+| xpathFlow.py:11:18:11:24 | ControlFlowNode for request | xpathFlow.py:11:18:11:29 | ControlFlowNode for Attribute |
+| xpathFlow.py:11:18:11:24 | ControlFlowNode for request | xpathFlow.py:11:18:11:29 | ControlFlowNode for Attribute |
+| xpathFlow.py:11:18:11:29 | ControlFlowNode for Attribute | xpathFlow.py:14:20:14:29 | ControlFlowNode for xpathQuery |
+| xpathFlow.py:11:18:11:29 | ControlFlowNode for Attribute | xpathFlow.py:14:20:14:29 | ControlFlowNode for xpathQuery |
+| xpathFlow.py:20:18:20:24 | ControlFlowNode for request | xpathFlow.py:20:18:20:29 | ControlFlowNode for Attribute |
+| xpathFlow.py:20:18:20:24 | ControlFlowNode for request | xpathFlow.py:20:18:20:29 | ControlFlowNode for Attribute |
+| xpathFlow.py:20:18:20:29 | ControlFlowNode for Attribute | xpathFlow.py:23:29:23:38 | ControlFlowNode for xpathQuery |
+| xpathFlow.py:20:18:20:29 | ControlFlowNode for Attribute | xpathFlow.py:23:29:23:38 | ControlFlowNode for xpathQuery |
+| xpathFlow.py:30:18:30:24 | ControlFlowNode for request | xpathFlow.py:30:18:30:29 | ControlFlowNode for Attribute |
+| xpathFlow.py:30:18:30:24 | ControlFlowNode for request | xpathFlow.py:30:18:30:29 | ControlFlowNode for Attribute |
+| xpathFlow.py:30:18:30:29 | ControlFlowNode for Attribute | xpathFlow.py:32:29:32:38 | ControlFlowNode for xpathQuery |
+| xpathFlow.py:30:18:30:29 | ControlFlowNode for Attribute | xpathFlow.py:32:29:32:38 | ControlFlowNode for xpathQuery |
+| xpathFlow.py:39:18:39:24 | ControlFlowNode for request | xpathFlow.py:39:18:39:29 | ControlFlowNode for Attribute |
+| xpathFlow.py:39:18:39:24 | ControlFlowNode for request | xpathFlow.py:39:18:39:29 | ControlFlowNode for Attribute |
+| xpathFlow.py:39:18:39:29 | ControlFlowNode for Attribute | xpathFlow.py:41:31:41:40 | ControlFlowNode for xpathQuery |
+| xpathFlow.py:39:18:39:29 | ControlFlowNode for Attribute | xpathFlow.py:41:31:41:40 | ControlFlowNode for xpathQuery |
+| xpathFlow.py:47:18:47:24 | ControlFlowNode for request | xpathFlow.py:47:18:47:29 | ControlFlowNode for Attribute |
+| xpathFlow.py:47:18:47:24 | ControlFlowNode for request | xpathFlow.py:47:18:47:29 | ControlFlowNode for Attribute |
+| xpathFlow.py:47:18:47:29 | ControlFlowNode for Attribute | xpathFlow.py:49:29:49:38 | ControlFlowNode for xpathQuery |
+| xpathFlow.py:47:18:47:29 | ControlFlowNode for Attribute | xpathFlow.py:49:29:49:38 | ControlFlowNode for xpathQuery |
+nodes
+| xpathBad.py:9:7:9:13 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| xpathBad.py:9:7:9:13 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| xpathBad.py:10:13:10:23 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| xpathBad.py:10:13:10:23 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| xpathBad.py:10:13:10:32 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| xpathBad.py:10:13:10:32 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| xpathBad.py:13:20:13:43 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
+| xpathBad.py:13:20:13:43 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
+| xpathFlow.py:11:18:11:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| xpathFlow.py:11:18:11:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| xpathFlow.py:11:18:11:29 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| xpathFlow.py:11:18:11:29 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| xpathFlow.py:14:20:14:29 | ControlFlowNode for xpathQuery | semmle.label | ControlFlowNode for xpathQuery |
+| xpathFlow.py:14:20:14:29 | ControlFlowNode for xpathQuery | semmle.label | ControlFlowNode for xpathQuery |
+| xpathFlow.py:20:18:20:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| xpathFlow.py:20:18:20:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| xpathFlow.py:20:18:20:29 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| xpathFlow.py:20:18:20:29 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| xpathFlow.py:23:29:23:38 | ControlFlowNode for xpathQuery | semmle.label | ControlFlowNode for xpathQuery |
+| xpathFlow.py:23:29:23:38 | ControlFlowNode for xpathQuery | semmle.label | ControlFlowNode for xpathQuery |
+| xpathFlow.py:30:18:30:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| xpathFlow.py:30:18:30:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| xpathFlow.py:30:18:30:29 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| xpathFlow.py:30:18:30:29 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| xpathFlow.py:32:29:32:38 | ControlFlowNode for xpathQuery | semmle.label | ControlFlowNode for xpathQuery |
+| xpathFlow.py:32:29:32:38 | ControlFlowNode for xpathQuery | semmle.label | ControlFlowNode for xpathQuery |
+| xpathFlow.py:39:18:39:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| xpathFlow.py:39:18:39:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| xpathFlow.py:39:18:39:29 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| xpathFlow.py:39:18:39:29 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| xpathFlow.py:41:31:41:40 | ControlFlowNode for xpathQuery | semmle.label | ControlFlowNode for xpathQuery |
+| xpathFlow.py:41:31:41:40 | ControlFlowNode for xpathQuery | semmle.label | ControlFlowNode for xpathQuery |
+| xpathFlow.py:47:18:47:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| xpathFlow.py:47:18:47:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| xpathFlow.py:47:18:47:29 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| xpathFlow.py:47:18:47:29 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| xpathFlow.py:49:29:49:38 | ControlFlowNode for xpathQuery | semmle.label | ControlFlowNode for xpathQuery |
+| xpathFlow.py:49:29:49:38 | ControlFlowNode for xpathQuery | semmle.label | ControlFlowNode for xpathQuery |
+subpaths
+#select
+| xpathBad.py:13:20:13:43 | ControlFlowNode for BinaryExpr | xpathBad.py:9:7:9:13 | ControlFlowNode for request | xpathBad.py:13:20:13:43 | ControlFlowNode for BinaryExpr | This Xpath query depends on $@. | xpathBad.py:9:7:9:13 | ControlFlowNode for request | a user-provided value |
+| xpathFlow.py:14:20:14:29 | ControlFlowNode for xpathQuery | xpathFlow.py:11:18:11:24 | ControlFlowNode for request | xpathFlow.py:14:20:14:29 | ControlFlowNode for xpathQuery | This Xpath query depends on $@. | xpathFlow.py:11:18:11:24 | ControlFlowNode for request | a user-provided value |
+| xpathFlow.py:23:29:23:38 | ControlFlowNode for xpathQuery | xpathFlow.py:20:18:20:24 | ControlFlowNode for request | xpathFlow.py:23:29:23:38 | ControlFlowNode for xpathQuery | This Xpath query depends on $@. | xpathFlow.py:20:18:20:24 | ControlFlowNode for request | a user-provided value |
+| xpathFlow.py:32:29:32:38 | ControlFlowNode for xpathQuery | xpathFlow.py:30:18:30:24 | ControlFlowNode for request | xpathFlow.py:32:29:32:38 | ControlFlowNode for xpathQuery | This Xpath query depends on $@. | xpathFlow.py:30:18:30:24 | ControlFlowNode for request | a user-provided value |
+| xpathFlow.py:41:31:41:40 | ControlFlowNode for xpathQuery | xpathFlow.py:39:18:39:24 | ControlFlowNode for request | xpathFlow.py:41:31:41:40 | ControlFlowNode for xpathQuery | This Xpath query depends on $@. | xpathFlow.py:39:18:39:24 | ControlFlowNode for request | a user-provided value |
+| xpathFlow.py:49:29:49:38 | ControlFlowNode for xpathQuery | xpathFlow.py:47:18:47:24 | ControlFlowNode for request | xpathFlow.py:49:29:49:38 | ControlFlowNode for xpathQuery | This Xpath query depends on $@. | xpathFlow.py:47:18:47:24 | ControlFlowNode for request | a user-provided value |
--- a/python/ql/test/experimental/query-tests/Security/CWE-643/XpathInjection.qlref
+++ b/python/ql/test/experimental/query-tests/Security/CWE-643/XpathInjection.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE-643/XpathInjection.ql
--- a/python/ql/test/experimental/query-tests/Security/CWE-643/options
+++ b/python/ql/test/experimental/query-tests/Security/CWE-643/options
@@ -1 +0,0 @@
-semmle-extractor-options: --max-import-depth=3 -p ../../../../query-tests/Security/lib/
--- a/python/ql/test/experimental/query-tests/Security/CWE-643/xpath.expected
+++ b/python/ql/test/experimental/query-tests/Security/CWE-643/xpath.expected
@@ -1,38 +0,0 @@
-edges
-| xpathBad.py:9:7:9:13 | django.request.HttpRequest | xpathBad.py:10:13:10:19 | django.request.HttpRequest |
-| xpathBad.py:9:7:9:13 | django.request.HttpRequest | xpathBad.py:10:13:10:19 | django.request.HttpRequest |
-| xpathBad.py:10:13:10:19 | django.request.HttpRequest | xpathBad.py:10:13:10:23 | django.http.request.QueryDict |
-| xpathBad.py:10:13:10:19 | django.request.HttpRequest | xpathBad.py:10:13:10:23 | django.http.request.QueryDict |
-| xpathBad.py:10:13:10:23 | django.http.request.QueryDict | xpathBad.py:10:13:10:32 | externally controlled string |
-| xpathBad.py:10:13:10:23 | django.http.request.QueryDict | xpathBad.py:10:13:10:32 | externally controlled string |
-| xpathBad.py:10:13:10:32 | externally controlled string | xpathBad.py:13:39:13:43 | externally controlled string |
-| xpathBad.py:10:13:10:32 | externally controlled string | xpathBad.py:13:39:13:43 | externally controlled string |
-| xpathBad.py:13:39:13:43 | externally controlled string | xpathBad.py:13:20:13:43 | externally controlled string |
-| xpathBad.py:13:39:13:43 | externally controlled string | xpathBad.py:13:20:13:43 | externally controlled string |
-| xpathFlow.py:11:18:11:29 | dict of externally controlled string | xpathFlow.py:11:18:11:44 | externally controlled string |
-| xpathFlow.py:11:18:11:29 | dict of externally controlled string | xpathFlow.py:11:18:11:44 | externally controlled string |
-| xpathFlow.py:11:18:11:44 | externally controlled string | xpathFlow.py:14:20:14:29 | externally controlled string |
-| xpathFlow.py:11:18:11:44 | externally controlled string | xpathFlow.py:14:20:14:29 | externally controlled string |
-| xpathFlow.py:20:18:20:29 | dict of externally controlled string | xpathFlow.py:20:18:20:44 | externally controlled string |
-| xpathFlow.py:20:18:20:29 | dict of externally controlled string | xpathFlow.py:20:18:20:44 | externally controlled string |
-| xpathFlow.py:20:18:20:44 | externally controlled string | xpathFlow.py:23:29:23:38 | externally controlled string |
-| xpathFlow.py:20:18:20:44 | externally controlled string | xpathFlow.py:23:29:23:38 | externally controlled string |
-| xpathFlow.py:30:18:30:29 | dict of externally controlled string | xpathFlow.py:30:18:30:44 | externally controlled string |
-| xpathFlow.py:30:18:30:29 | dict of externally controlled string | xpathFlow.py:30:18:30:44 | externally controlled string |
-| xpathFlow.py:30:18:30:44 | externally controlled string | xpathFlow.py:32:29:32:38 | externally controlled string |
-| xpathFlow.py:30:18:30:44 | externally controlled string | xpathFlow.py:32:29:32:38 | externally controlled string |
-| xpathFlow.py:39:18:39:29 | dict of externally controlled string | xpathFlow.py:39:18:39:44 | externally controlled string |
-| xpathFlow.py:39:18:39:29 | dict of externally controlled string | xpathFlow.py:39:18:39:44 | externally controlled string |
-| xpathFlow.py:39:18:39:44 | externally controlled string | xpathFlow.py:41:31:41:40 | externally controlled string |
-| xpathFlow.py:39:18:39:44 | externally controlled string | xpathFlow.py:41:31:41:40 | externally controlled string |
-| xpathFlow.py:47:18:47:29 | dict of externally controlled string | xpathFlow.py:47:18:47:44 | externally controlled string |
-| xpathFlow.py:47:18:47:29 | dict of externally controlled string | xpathFlow.py:47:18:47:44 | externally controlled string |
-| xpathFlow.py:47:18:47:44 | externally controlled string | xpathFlow.py:49:29:49:38 | externally controlled string |
-| xpathFlow.py:47:18:47:44 | externally controlled string | xpathFlow.py:49:29:49:38 | externally controlled string |
-#select
-| xpathBad.py:13:20:13:43 | BinaryExpr | xpathBad.py:9:7:9:13 | django.request.HttpRequest | xpathBad.py:13:20:13:43 | externally controlled string | This Xpath query depends on $@. | xpathBad.py:9:7:9:13 | request | a user-provided value |
-| xpathFlow.py:14:20:14:29 | xpathQuery | xpathFlow.py:11:18:11:29 | dict of externally controlled string | xpathFlow.py:14:20:14:29 | externally controlled string | This Xpath query depends on $@. | xpathFlow.py:11:18:11:29 | Attribute | a user-provided value |
-| xpathFlow.py:23:29:23:38 | xpathQuery | xpathFlow.py:20:18:20:29 | dict of externally controlled string | xpathFlow.py:23:29:23:38 | externally controlled string | This Xpath query depends on $@. | xpathFlow.py:20:18:20:29 | Attribute | a user-provided value |
-| xpathFlow.py:32:29:32:38 | xpathQuery | xpathFlow.py:30:18:30:29 | dict of externally controlled string | xpathFlow.py:32:29:32:38 | externally controlled string | This Xpath query depends on $@. | xpathFlow.py:30:18:30:29 | Attribute | a user-provided value |
-| xpathFlow.py:41:31:41:40 | xpathQuery | xpathFlow.py:39:18:39:29 | dict of externally controlled string | xpathFlow.py:41:31:41:40 | externally controlled string | This Xpath query depends on $@. | xpathFlow.py:39:18:39:29 | Attribute | a user-provided value |
-| xpathFlow.py:49:29:49:38 | xpathQuery | xpathFlow.py:47:18:47:29 | dict of externally controlled string | xpathFlow.py:49:29:49:38 | externally controlled string | This Xpath query depends on $@. | xpathFlow.py:47:18:47:29 | Attribute | a user-provided value |
--- a/python/ql/test/experimental/query-tests/Security/CWE-643/xpath.qlref
+++ b/python/ql/test/experimental/query-tests/Security/CWE-643/xpath.qlref
@@ -1 +0,0 @@
-experimental/Security/CWE-643/xpath.ql
--- a/python/ql/test/experimental/query-tests/Security/CWE-643/xpathSinks.expected
+++ b/python/ql/test/experimental/query-tests/Security/CWE-643/xpathSinks.expected
@@ -1,12 +0,0 @@
-| xpath.py:8:20:8:29 | lxml.etree.parse.xpath | externally controlled string |
-| xpath.py:13:29:13:38 | lxml.etree.XPath | externally controlled string |
-| xpath.py:19:29:19:38 | lxml.etree.XPath | externally controlled string |
-| xpath.py:25:38:25:46 | lxml.etree.ETXpath | externally controlled string |
-| xpath.py:32:29:32:34 | libxml2.parseFile.xpathEval | externally controlled string |
-| xpathBad.py:13:20:13:43 | lxml.etree.parse.xpath | externally controlled string |
-| xpathFlow.py:14:20:14:29 | lxml.etree.parse.xpath | externally controlled string |
-| xpathFlow.py:23:29:23:38 | lxml.etree.XPath | externally controlled string |
-| xpathFlow.py:32:29:32:38 | lxml.etree.XPath | externally controlled string |
-| xpathFlow.py:41:31:41:40 | lxml.etree.ETXpath | externally controlled string |
-| xpathFlow.py:49:29:49:38 | libxml2.parseFile.xpathEval | externally controlled string |
-| xpathGood.py:13:20:13:37 | lxml.etree.parse.xpath | externally controlled string |
--- a/python/ql/test/experimental/query-tests/Security/CWE-643/xpathSinks.ql
+++ b/python/ql/test/experimental/query-tests/Security/CWE-643/xpathSinks.ql
@@ -1,7 +0,0 @@
-import python
-import experimental.semmle.python.security.injection.Xpath
-import semmle.python.security.strings.Untrusted
-
-from XpathInjection::XpathInjectionSink sink, TaintKind kind
-where sink.sinks(kind)
-select sink, kind
--- a/python/ql/test/experimental/query-tests/Security/CWE-730/RegexInjection.qlref
+++ b/python/ql/test/experimental/query-tests/Security/CWE-730/RegexInjection.qlref
@@ -1 +0,0 @@
-experimental/Security/CWE-730/RegexInjection.ql
--- a/python/ql/test/experimental/query-tests/Security/CWE-943/NoSQLInjection.expected
+++ b/python/ql/test/experimental/query-tests/Security/CWE-943/NoSQLInjection.expected
@@ -0,0 +1,131 @@
+edges
+| flask_mongoengine_bad.py:19:21:19:27 | ControlFlowNode for request | flask_mongoengine_bad.py:19:21:19:32 | ControlFlowNode for Attribute |
+| flask_mongoengine_bad.py:19:21:19:32 | ControlFlowNode for Attribute | flask_mongoengine_bad.py:19:21:19:42 | ControlFlowNode for Subscript |
+| flask_mongoengine_bad.py:19:21:19:42 | ControlFlowNode for Subscript | flask_mongoengine_bad.py:20:19:20:43 | ControlFlowNode for Attribute() |
+| flask_mongoengine_bad.py:20:19:20:43 | ControlFlowNode for Attribute() | flask_mongoengine_bad.py:22:34:22:44 | ControlFlowNode for json_search |
+| flask_mongoengine_bad.py:26:21:26:27 | ControlFlowNode for request | flask_mongoengine_bad.py:26:21:26:32 | ControlFlowNode for Attribute |
+| flask_mongoengine_bad.py:26:21:26:32 | ControlFlowNode for Attribute | flask_mongoengine_bad.py:26:21:26:42 | ControlFlowNode for Subscript |
+| flask_mongoengine_bad.py:26:21:26:42 | ControlFlowNode for Subscript | flask_mongoengine_bad.py:27:19:27:43 | ControlFlowNode for Attribute() |
+| flask_mongoengine_bad.py:27:19:27:43 | ControlFlowNode for Attribute() | flask_mongoengine_bad.py:30:39:30:59 | ControlFlowNode for Dict |
+| flask_mongoengine_good.py:20:21:20:27 | ControlFlowNode for request | flask_mongoengine_good.py:20:21:20:32 | ControlFlowNode for Attribute |
+| flask_mongoengine_good.py:20:21:20:32 | ControlFlowNode for Attribute | flask_mongoengine_good.py:20:21:20:42 | ControlFlowNode for Subscript |
+| flask_mongoengine_good.py:20:21:20:42 | ControlFlowNode for Subscript | flask_mongoengine_good.py:21:19:21:43 | ControlFlowNode for Attribute() |
+| flask_pymongo_bad.py:11:21:11:27 | ControlFlowNode for request | flask_pymongo_bad.py:11:21:11:32 | ControlFlowNode for Attribute |
+| flask_pymongo_bad.py:11:21:11:32 | ControlFlowNode for Attribute | flask_pymongo_bad.py:11:21:11:42 | ControlFlowNode for Subscript |
+| flask_pymongo_bad.py:11:21:11:42 | ControlFlowNode for Subscript | flask_pymongo_bad.py:12:19:12:43 | ControlFlowNode for Attribute() |
+| flask_pymongo_bad.py:12:19:12:43 | ControlFlowNode for Attribute() | flask_pymongo_bad.py:14:31:14:51 | ControlFlowNode for Dict |
+| flask_pymongo_good.py:12:21:12:27 | ControlFlowNode for request | flask_pymongo_good.py:12:21:12:32 | ControlFlowNode for Attribute |
+| flask_pymongo_good.py:12:21:12:32 | ControlFlowNode for Attribute | flask_pymongo_good.py:12:21:12:42 | ControlFlowNode for Subscript |
+| flask_pymongo_good.py:12:21:12:42 | ControlFlowNode for Subscript | flask_pymongo_good.py:13:19:13:43 | ControlFlowNode for Attribute() |
+| mongoengine_bad.py:18:21:18:27 | ControlFlowNode for request | mongoengine_bad.py:18:21:18:32 | ControlFlowNode for Attribute |
+| mongoengine_bad.py:18:21:18:32 | ControlFlowNode for Attribute | mongoengine_bad.py:18:21:18:42 | ControlFlowNode for Subscript |
+| mongoengine_bad.py:18:21:18:42 | ControlFlowNode for Subscript | mongoengine_bad.py:19:19:19:43 | ControlFlowNode for Attribute() |
+| mongoengine_bad.py:19:19:19:43 | ControlFlowNode for Attribute() | mongoengine_bad.py:22:26:22:46 | ControlFlowNode for Dict |
+| mongoengine_bad.py:26:21:26:27 | ControlFlowNode for request | mongoengine_bad.py:26:21:26:32 | ControlFlowNode for Attribute |
+| mongoengine_bad.py:26:21:26:32 | ControlFlowNode for Attribute | mongoengine_bad.py:26:21:26:42 | ControlFlowNode for Subscript |
+| mongoengine_bad.py:26:21:26:42 | ControlFlowNode for Subscript | mongoengine_bad.py:27:19:27:43 | ControlFlowNode for Attribute() |
+| mongoengine_bad.py:27:19:27:43 | ControlFlowNode for Attribute() | mongoengine_bad.py:30:26:30:46 | ControlFlowNode for Dict |
+| mongoengine_bad.py:34:21:34:27 | ControlFlowNode for request | mongoengine_bad.py:34:21:34:32 | ControlFlowNode for Attribute |
+| mongoengine_bad.py:34:21:34:32 | ControlFlowNode for Attribute | mongoengine_bad.py:34:21:34:42 | ControlFlowNode for Subscript |
+| mongoengine_bad.py:34:21:34:42 | ControlFlowNode for Subscript | mongoengine_bad.py:35:19:35:43 | ControlFlowNode for Attribute() |
+| mongoengine_bad.py:35:19:35:43 | ControlFlowNode for Attribute() | mongoengine_bad.py:38:26:38:46 | ControlFlowNode for Dict |
+| mongoengine_bad.py:42:21:42:27 | ControlFlowNode for request | mongoengine_bad.py:42:21:42:32 | ControlFlowNode for Attribute |
+| mongoengine_bad.py:42:21:42:32 | ControlFlowNode for Attribute | mongoengine_bad.py:42:21:42:42 | ControlFlowNode for Subscript |
+| mongoengine_bad.py:42:21:42:42 | ControlFlowNode for Subscript | mongoengine_bad.py:43:19:43:43 | ControlFlowNode for Attribute() |
+| mongoengine_bad.py:43:19:43:43 | ControlFlowNode for Attribute() | mongoengine_bad.py:46:26:46:46 | ControlFlowNode for Dict |
+| mongoengine_bad.py:50:21:50:27 | ControlFlowNode for request | mongoengine_bad.py:50:21:50:32 | ControlFlowNode for Attribute |
+| mongoengine_bad.py:50:21:50:32 | ControlFlowNode for Attribute | mongoengine_bad.py:50:21:50:42 | ControlFlowNode for Subscript |
+| mongoengine_bad.py:50:21:50:42 | ControlFlowNode for Subscript | mongoengine_bad.py:51:19:51:43 | ControlFlowNode for Attribute() |
+| mongoengine_bad.py:51:19:51:43 | ControlFlowNode for Attribute() | mongoengine_bad.py:53:34:53:44 | ControlFlowNode for json_search |
+| mongoengine_bad.py:57:21:57:27 | ControlFlowNode for request | mongoengine_bad.py:57:21:57:32 | ControlFlowNode for Attribute |
+| mongoengine_bad.py:57:21:57:32 | ControlFlowNode for Attribute | mongoengine_bad.py:57:21:57:42 | ControlFlowNode for Subscript |
+| mongoengine_bad.py:57:21:57:42 | ControlFlowNode for Subscript | mongoengine_bad.py:58:19:58:43 | ControlFlowNode for Attribute() |
+| mongoengine_bad.py:58:19:58:43 | ControlFlowNode for Attribute() | mongoengine_bad.py:61:29:61:49 | ControlFlowNode for Dict |
+| mongoengine_good.py:19:21:19:27 | ControlFlowNode for request | mongoengine_good.py:19:21:19:32 | ControlFlowNode for Attribute |
+| mongoengine_good.py:19:21:19:32 | ControlFlowNode for Attribute | mongoengine_good.py:19:21:19:42 | ControlFlowNode for Subscript |
+| mongoengine_good.py:19:21:19:42 | ControlFlowNode for Subscript | mongoengine_good.py:20:19:20:43 | ControlFlowNode for Attribute() |
+| pymongo_bad.py:11:21:11:27 | ControlFlowNode for request | pymongo_bad.py:11:21:11:32 | ControlFlowNode for Attribute |
+| pymongo_bad.py:11:21:11:32 | ControlFlowNode for Attribute | pymongo_bad.py:11:21:11:42 | ControlFlowNode for Subscript |
+| pymongo_bad.py:11:21:11:42 | ControlFlowNode for Subscript | pymongo_bad.py:12:19:12:43 | ControlFlowNode for Attribute() |
+| pymongo_bad.py:12:19:12:43 | ControlFlowNode for Attribute() | pymongo_bad.py:14:42:14:62 | ControlFlowNode for Dict |
+| pymongo_good.py:12:21:12:27 | ControlFlowNode for request | pymongo_good.py:12:21:12:32 | ControlFlowNode for Attribute |
+| pymongo_good.py:12:21:12:32 | ControlFlowNode for Attribute | pymongo_good.py:12:21:12:42 | ControlFlowNode for Subscript |
+| pymongo_good.py:12:21:12:42 | ControlFlowNode for Subscript | pymongo_good.py:13:19:13:43 | ControlFlowNode for Attribute() |
+nodes
+| flask_mongoengine_bad.py:19:21:19:27 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| flask_mongoengine_bad.py:19:21:19:32 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| flask_mongoengine_bad.py:19:21:19:42 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| flask_mongoengine_bad.py:20:19:20:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| flask_mongoengine_bad.py:22:34:22:44 | ControlFlowNode for json_search | semmle.label | ControlFlowNode for json_search |
+| flask_mongoengine_bad.py:26:21:26:27 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| flask_mongoengine_bad.py:26:21:26:32 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| flask_mongoengine_bad.py:26:21:26:42 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| flask_mongoengine_bad.py:27:19:27:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| flask_mongoengine_bad.py:30:39:30:59 | ControlFlowNode for Dict | semmle.label | ControlFlowNode for Dict |
+| flask_mongoengine_good.py:20:21:20:27 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| flask_mongoengine_good.py:20:21:20:32 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| flask_mongoengine_good.py:20:21:20:42 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| flask_mongoengine_good.py:21:19:21:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| flask_pymongo_bad.py:11:21:11:27 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| flask_pymongo_bad.py:11:21:11:32 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| flask_pymongo_bad.py:11:21:11:42 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| flask_pymongo_bad.py:12:19:12:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| flask_pymongo_bad.py:14:31:14:51 | ControlFlowNode for Dict | semmle.label | ControlFlowNode for Dict |
+| flask_pymongo_good.py:12:21:12:27 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| flask_pymongo_good.py:12:21:12:32 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| flask_pymongo_good.py:12:21:12:42 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| flask_pymongo_good.py:13:19:13:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| mongoengine_bad.py:18:21:18:27 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| mongoengine_bad.py:18:21:18:32 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| mongoengine_bad.py:18:21:18:42 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| mongoengine_bad.py:19:19:19:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| mongoengine_bad.py:22:26:22:46 | ControlFlowNode for Dict | semmle.label | ControlFlowNode for Dict |
+| mongoengine_bad.py:26:21:26:27 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| mongoengine_bad.py:26:21:26:32 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| mongoengine_bad.py:26:21:26:42 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| mongoengine_bad.py:27:19:27:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| mongoengine_bad.py:30:26:30:46 | ControlFlowNode for Dict | semmle.label | ControlFlowNode for Dict |
+| mongoengine_bad.py:34:21:34:27 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| mongoengine_bad.py:34:21:34:32 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| mongoengine_bad.py:34:21:34:42 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| mongoengine_bad.py:35:19:35:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| mongoengine_bad.py:38:26:38:46 | ControlFlowNode for Dict | semmle.label | ControlFlowNode for Dict |
+| mongoengine_bad.py:42:21:42:27 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| mongoengine_bad.py:42:21:42:32 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| mongoengine_bad.py:42:21:42:42 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| mongoengine_bad.py:43:19:43:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| mongoengine_bad.py:46:26:46:46 | ControlFlowNode for Dict | semmle.label | ControlFlowNode for Dict |
+| mongoengine_bad.py:50:21:50:27 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| mongoengine_bad.py:50:21:50:32 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| mongoengine_bad.py:50:21:50:42 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| mongoengine_bad.py:51:19:51:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| mongoengine_bad.py:53:34:53:44 | ControlFlowNode for json_search | semmle.label | ControlFlowNode for json_search |
+| mongoengine_bad.py:57:21:57:27 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| mongoengine_bad.py:57:21:57:32 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| mongoengine_bad.py:57:21:57:42 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| mongoengine_bad.py:58:19:58:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| mongoengine_bad.py:61:29:61:49 | ControlFlowNode for Dict | semmle.label | ControlFlowNode for Dict |
+| mongoengine_good.py:19:21:19:27 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| mongoengine_good.py:19:21:19:32 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| mongoengine_good.py:19:21:19:42 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| mongoengine_good.py:20:19:20:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| pymongo_bad.py:11:21:11:27 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| pymongo_bad.py:11:21:11:32 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| pymongo_bad.py:11:21:11:42 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| pymongo_bad.py:12:19:12:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| pymongo_bad.py:14:42:14:62 | ControlFlowNode for Dict | semmle.label | ControlFlowNode for Dict |
+| pymongo_good.py:12:21:12:27 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| pymongo_good.py:12:21:12:32 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| pymongo_good.py:12:21:12:42 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| pymongo_good.py:13:19:13:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+#select
+| flask_mongoengine_bad.py:22:34:22:44 | ControlFlowNode for json_search | flask_mongoengine_bad.py:19:21:19:27 | ControlFlowNode for request | flask_mongoengine_bad.py:22:34:22:44 | ControlFlowNode for json_search | $@ NoSQL query contains an unsanitized $@ | flask_mongoengine_bad.py:22:34:22:44 | ControlFlowNode for json_search | This | flask_mongoengine_bad.py:19:21:19:27 | ControlFlowNode for request | user-provided value |
+| flask_mongoengine_bad.py:30:39:30:59 | ControlFlowNode for Dict | flask_mongoengine_bad.py:26:21:26:27 | ControlFlowNode for request | flask_mongoengine_bad.py:30:39:30:59 | ControlFlowNode for Dict | $@ NoSQL query contains an unsanitized $@ | flask_mongoengine_bad.py:30:39:30:59 | ControlFlowNode for Dict | This | flask_mongoengine_bad.py:26:21:26:27 | ControlFlowNode for request | user-provided value |
+| flask_pymongo_bad.py:14:31:14:51 | ControlFlowNode for Dict | flask_pymongo_bad.py:11:21:11:27 | ControlFlowNode for request | flask_pymongo_bad.py:14:31:14:51 | ControlFlowNode for Dict | $@ NoSQL query contains an unsanitized $@ | flask_pymongo_bad.py:14:31:14:51 | ControlFlowNode for Dict | This | flask_pymongo_bad.py:11:21:11:27 | ControlFlowNode for request | user-provided value |
+| mongoengine_bad.py:22:26:22:46 | ControlFlowNode for Dict | mongoengine_bad.py:18:21:18:27 | ControlFlowNode for request | mongoengine_bad.py:22:26:22:46 | ControlFlowNode for Dict | $@ NoSQL query contains an unsanitized $@ | mongoengine_bad.py:22:26:22:46 | ControlFlowNode for Dict | This | mongoengine_bad.py:18:21:18:27 | ControlFlowNode for request | user-provided value |
+| mongoengine_bad.py:30:26:30:46 | ControlFlowNode for Dict | mongoengine_bad.py:26:21:26:27 | ControlFlowNode for request | mongoengine_bad.py:30:26:30:46 | ControlFlowNode for Dict | $@ NoSQL query contains an unsanitized $@ | mongoengine_bad.py:30:26:30:46 | ControlFlowNode for Dict | This | mongoengine_bad.py:26:21:26:27 | ControlFlowNode for request | user-provided value |
+| mongoengine_bad.py:38:26:38:46 | ControlFlowNode for Dict | mongoengine_bad.py:34:21:34:27 | ControlFlowNode for request | mongoengine_bad.py:38:26:38:46 | ControlFlowNode for Dict | $@ NoSQL query contains an unsanitized $@ | mongoengine_bad.py:38:26:38:46 | ControlFlowNode for Dict | This | mongoengine_bad.py:34:21:34:27 | ControlFlowNode for request | user-provided value |
+| mongoengine_bad.py:46:26:46:46 | ControlFlowNode for Dict | mongoengine_bad.py:42:21:42:27 | ControlFlowNode for request | mongoengine_bad.py:46:26:46:46 | ControlFlowNode for Dict | $@ NoSQL query contains an unsanitized $@ | mongoengine_bad.py:46:26:46:46 | ControlFlowNode for Dict | This | mongoengine_bad.py:42:21:42:27 | ControlFlowNode for request | user-provided value |
+| mongoengine_bad.py:53:34:53:44 | ControlFlowNode for json_search | mongoengine_bad.py:50:21:50:27 | ControlFlowNode for request | mongoengine_bad.py:53:34:53:44 | ControlFlowNode for json_search | $@ NoSQL query contains an unsanitized $@ | mongoengine_bad.py:53:34:53:44 | ControlFlowNode for json_search | This | mongoengine_bad.py:50:21:50:27 | ControlFlowNode for request | user-provided value |
+| mongoengine_bad.py:61:29:61:49 | ControlFlowNode for Dict | mongoengine_bad.py:57:21:57:27 | ControlFlowNode for request | mongoengine_bad.py:61:29:61:49 | ControlFlowNode for Dict | $@ NoSQL query contains an unsanitized $@ | mongoengine_bad.py:61:29:61:49 | ControlFlowNode for Dict | This | mongoengine_bad.py:57:21:57:27 | ControlFlowNode for request | user-provided value |
+| pymongo_bad.py:14:42:14:62 | ControlFlowNode for Dict | pymongo_bad.py:11:21:11:27 | ControlFlowNode for request | pymongo_bad.py:14:42:14:62 | ControlFlowNode for Dict | $@ NoSQL query contains an unsanitized $@ | pymongo_bad.py:14:42:14:62 | ControlFlowNode for Dict | This | pymongo_bad.py:11:21:11:27 | ControlFlowNode for request | user-provided value |
--- a/python/ql/test/experimental/query-tests/Security/CWE-943/NoSQLInjection.qlref
+++ b/python/ql/test/experimental/query-tests/Security/CWE-943/NoSQLInjection.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE-943/NoSQLInjection.ql
--- a/python/ql/test/experimental/query-tests/Security/CWE-943/flask_mongoengine_bad.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-943/flask_mongoengine_bad.py
@@ -0,0 +1,33 @@
+from flask import Flask, request
+from flask_mongoengine import MongoEngine
+import json
+
+app = Flask(__name__)
+app.config.from_pyfile('the-config.cfg')
+db = MongoEngine(app)
+
+
+class Movie(db.Document):
+    title = db.StringField(required=True)
+
+
+Movie(title='test').save()
+
+
+@app.route("/subclass_objects")
+def subclass_objects():
+    unsafe_search = request.args['search']
+    json_search = json.loads(unsafe_search)
+
+    return Movie.objects(__raw__=json_search)
+
+@app.route("/get_db_find")
+def get_db_find():
+    unsafe_search = request.args['search']
+    json_search = json.loads(unsafe_search)
+
+    retrieved_db = db.get_db()
+    return retrieved_db["Movie"].find({'name': json_search})
+
+# if __name__ == "__main__":
+#     app.run(debug=True)
--- a/python/ql/test/experimental/query-tests/Security/CWE-943/flask_mongoengine_good.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-943/flask_mongoengine_good.py
@@ -0,0 +1,27 @@
+from flask import Flask, request
+from flask_mongoengine import MongoEngine
+from mongosanitizer.sanitizer import sanitize
+import json
+
+app = Flask(__name__)
+app.config.from_pyfile('the-config.cfg')
+db = MongoEngine(app)
+
+
+class Movie(db.Document):
+    title = db.StringField(required=True)
+
+
+Movie(title='test').save()
+
+
+@app.route("/subclass_objects")
+def subclass_objects():
+    unsafe_search = request.args['search']
+    json_search = json.loads(unsafe_search)
+    safe_search = sanitize(json_search)
+
+    return Movie.objects(__raw__=safe_search)
+
+# if __name__ == "__main__":
+#     app.run(debug=True)
--- a/python/ql/test/experimental/query-tests/Security/CWE-943/flask_pymongo_bad.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-943/flask_pymongo_bad.py
@@ -0,0 +1,17 @@
+from flask import Flask, request
+from flask_pymongo import PyMongo
+import json
+
+app = Flask(__name__)
+mongo = PyMongo(app)
+
+
+@app.route("/")
+def home_page():
+    unsafe_search = request.args['search']
+    json_search = json.loads(unsafe_search)
+
+    return mongo.db.user.find({'name': json_search})
+
+# if __name__ == "__main__":
+#     app.run(debug=True)
--- a/python/ql/test/experimental/query-tests/Security/CWE-943/flask_pymongo_good.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-943/flask_pymongo_good.py
@@ -0,0 +1,19 @@
+from flask import Flask, request
+from flask_pymongo import PyMongo
+from mongosanitizer.sanitizer import sanitize
+import json
+
+app = Flask(__name__)
+mongo = PyMongo(app)
+
+
+@app.route("/")
+def home_page():
+    unsafe_search = request.args['search']
+    json_search = json.loads(unsafe_search)
+    safe_search = sanitize(json_search)
+
+    return mongo.db.user.find({'name': safe_search})
+
+# if __name__ == "__main__":
+#    app.run(debug=True)
--- a/python/ql/test/experimental/query-tests/Security/CWE-943/mongoengine_bad.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-943/mongoengine_bad.py
@@ -0,0 +1,64 @@
+from flask import Flask, request
+import mongoengine as me
+from mongoengine.connection import get_db, connect
+import json
+
+app = Flask(__name__)
+
+
+class Movie(me.Document):
+    title = me.StringField(required=True)
+
+
+Movie(title='test').save()
+
+
+@app.route("/connect_find")
+def connect_find():
+    unsafe_search = request.args['search']
+    json_search = json.loads(unsafe_search)
+
+    db = me.connect('mydb')  
+    return db.movie.find({'name': json_search})
+
+@app.route("/connection_connect_find")
+def connection_connect_find():
+    unsafe_search = request.args['search']
+    json_search = json.loads(unsafe_search)
+
+    db = connect('mydb')
+    return db.movie.find({'name': json_search})
+
+@app.route("/get_db_find")
+def get_db_find():
+    unsafe_search = request.args['search']
+    json_search = json.loads(unsafe_search)
+
+    db = me.get_db()
+    return db.movie.find({'name': json_search})
+
+@app.route("/connection_get_db_find")
+def connection_get_db_find():
+    unsafe_search = request.args['search']
+    json_search = json.loads(unsafe_search)
+
+    db = get_db()
+    return db.movie.find({'name': json_search})
+
+@app.route("/subclass_objects")
+def subclass_objects():
+    unsafe_search = request.args['search']
+    json_search = json.loads(unsafe_search)
+
+    return Movie.objects(__raw__=json_search)
+
+@app.route("/subscript_find")
+def subscript_find():
+    unsafe_search = request.args['search']
+    json_search = json.loads(unsafe_search)
+
+    db = me.connect('mydb')  
+    return db['movie'].find({'name': json_search})
+
+# if __name__ == "__main__":
+#     app.run(debug=True)
--- a/python/ql/test/experimental/query-tests/Security/CWE-943/mongoengine_good.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-943/mongoengine_good.py
@@ -0,0 +1,27 @@
+from flask import Flask, request
+import mongoengine as me
+from mongoengine.connection import get_db, connect
+from mongosanitizer.sanitizer import sanitize
+import json
+
+app = Flask(__name__)
+
+
+class Movie(me.Document):
+    title = me.StringField(required=True)
+
+
+Movie(title='test').save()
+
+
+@app.route("/connect_find")
+def connect_find():
+    unsafe_search = request.args['search']
+    json_search = json.loads(unsafe_search)
+    safe_search = sanitize(json_search)
+
+    db = me.connect('mydb')  
+    return db.movie.find({'name': safe_search})
+
+# if __name__ == "__main__":
+#     app.run(debug=True)
--- a/python/ql/test/experimental/query-tests/Security/CWE-943/pymongo_bad.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-943/pymongo_bad.py
@@ -0,0 +1,17 @@
+from flask import Flask, request
+from pymongo import MongoClient
+import json
+
+app = Flask(__name__)
+client = MongoClient()
+
+
+@app.route("/")
+def home_page():
+    unsafe_search = request.args['search']
+    json_search = json.loads(unsafe_search)
+
+    return client.db.collection.find_one({'data': json_search})
+
+# if __name__ == "__main__":
+#     app.run(debug=True)
--- a/python/ql/test/experimental/query-tests/Security/CWE-943/pymongo_good.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-943/pymongo_good.py
@@ -0,0 +1,19 @@
+from flask import Flask, request
+from pymongo import MongoClient
+from mongosanitizer.sanitizer import sanitize
+import json
+
+app = Flask(__name__)
+client = MongoClient()
+
+
+@app.route("/")
+def home_page():
+    unsafe_search = request.args['search']
+    json_search = json.loads(unsafe_search)
+    safe_search = sanitize(json_search)
+
+    return client.db.collection.find_one({'data': safe_search})
+
+# if __name__ == "__main__":
+#     app.run(debug=True)
--- a/python/ql/test/library-tests/PointsTo/api/Value.ql
+++ b/python/ql/test/library-tests/PointsTo/api/Value.ql
@@ -3,11 +3,5 @@ import python
 from Value val, string name
 where
  val = Value::named(name) and
-  (
-    name = "bool" or
-    name = "sys" or
-    name = "sys.argv" or
-    name = "ValueError" or
-    name = "slice"
-  )
+  name in ["bool", "sys", "sys.argv", "ValueError", "slice"]
 select val, name
--- a/python/ql/test/library-tests/PointsTo/customise/test.ql
+++ b/python/ql/test/library-tests/PointsTo/customise/test.ql
@@ -11,7 +11,7 @@ class HasTypeFact extends CustomPointsToOriginFact {
    exists(FunctionObject func, string name |
      func.getACall() = this and
      name = func.getName() and
-      name.prefix("has_type_".length()) = "has_type_"
+      name.matches("has\\_type\\_%")
    )
  }

@@ -19,7 +19,7 @@ class HasTypeFact extends CustomPointsToOriginFact {
    exists(FunctionObject func, string name |
      func.getACall() = this and
      name = func.getName() and
-      name.prefix("has_type_".length()) = "has_type_"
+      name.matches("has\\_type\\_%")
    |
      cls.getName() = name.suffix("has_type_".length())
    ) and
--- a/python/ql/test/library-tests/PointsTo/new/Consistency.ql
+++ b/python/ql/test/library-tests/PointsTo/new/Consistency.ql
@@ -104,7 +104,7 @@ predicate ssa_consistency(string clsname, string problem, string what) {
  or
  exists(EssaDefinition def |
    clsname = def.getAQlClass() and
-    clsname.prefix(4) = "Essa" and
+    clsname.matches("Essa%") and
    what = " at " + def.getLocation() and
    problem = "not covered by Python-specific subclass."
  )
--- a/Show More
+++ b/Show More
				`@@ -1 +0,0 @@`
				Small tests that explore difference between `import mypkg.foo` and `from mypkg import foo`.
				`@@ -0,0 +1 @@`
				`experimental/Security/CWE-117/LogInjection.ql`
				`@@ -0,0 +1 @@`
				`experimental/Security/CWE-348/ClientSuppliedIpUsedInSecurityCheck.ql`
				`@@ -0,0 +1 @@`
				`experimental/Security/CWE-522/LDAPInsecureAuth.ql`
				`@@ -0,0 +1 @@`
				`experimental/Security/CWE-643/XpathInjection.ql`
				`@@ -1 +0,0 @@`
				`semmle-extractor-options: --max-import-depth=3 -p ../../../../query-tests/Security/lib/`
				`@@ -1 +0,0 @@`
				`experimental/Security/CWE-730/RegexInjection.ql`
				`@@ -0,0 +1 @@`
				`experimental/Security/CWE-943/NoSQLInjection.ql`