diff --git a/python/ql/test/query-tests/Security/CWE-022/PathInjection.expected b/python/ql/test/query-tests/Security/CWE-022/PathInjection.expected index 68979df27ed..d6791fde69b 100644 --- a/python/ql/test/query-tests/Security/CWE-022/PathInjection.expected +++ b/python/ql/test/query-tests/Security/CWE-022/PathInjection.expected 
@@ -1,3 +1,54 @@ -| path_injection.py:10:14:10:44 | argument to open() | This path depends on $@. | path_injection.py:9:12:9:23 | flask.request.args | a user-provided value | -| path_injection.py:17:14:17:18 | argument to open() | This path depends on $@. | path_injection.py:15:12:15:23 | flask.request.args | a user-provided value | -| path_injection.py:28:14:28:18 | argument to open() | This path depends on $@. | path_injection.py:24:12:24:23 | flask.request.args | a user-provided value | +edges +| ../lib/os/path.py:1:13:1:13 | Taint externally controlled string at ../lib/os/path.py:1 | ../lib/os/path.py:2:22:2:22 | Taint externally controlled string at ../lib/os/path.py:2 | +| ../lib/os/path.py:1:13:1:13 | Taint externally controlled string at ../lib/os/path.py:1 | ../lib/os/path.py:2:22:2:22 | Taint externally controlled string at ../lib/os/path.py:2 | +| ../lib/os/path.py:1:13:1:13 | Taint externally controlled string at ../lib/os/path.py:1 | ../lib/os/path.py:2:22:2:22 | Taint externally controlled string at ../lib/os/path.py:2 | +| ../lib/os/path.py:1:13:1:13 | Taint externally controlled string at ../lib/os/path.py:1 | ../lib/os/path.py:2:22:2:22 | Taint externally controlled string at ../lib/os/path.py:2 | +| ../lib/os/path.py:2:12:2:22 | Taint externally controlled string at ../lib/os/path.py:2 | path_injection.py:10:14:10:44 | Taint externally controlled string at path_injection.py:10 | +| ../lib/os/path.py:2:12:2:22 | Taint externally controlled string at ../lib/os/path.py:2 | path_injection.py:16:30:16:60 | Taint externally controlled string at path_injection.py:16 | +| ../lib/os/path.py:2:12:2:22 | Taint externally controlled string at ../lib/os/path.py:2 | path_injection.py:25:30:25:60 | Taint externally controlled string at path_injection.py:25 | +| ../lib/os/path.py:2:12:2:22 | Taint externally controlled string at ../lib/os/path.py:2 | path_injection.py:34:30:34:60 | Taint externally controlled string at path_injection.py:34 | +| 
../lib/os/path.py:2:22:2:22 | Taint externally controlled string at ../lib/os/path.py:2 | ../lib/os/path.py:2:12:2:22 | Taint externally controlled string at ../lib/os/path.py:2 | +| ../lib/os/path.py:2:22:2:22 | Taint externally controlled string at ../lib/os/path.py:2 | ../lib/os/path.py:2:12:2:22 | Taint externally controlled string at ../lib/os/path.py:2 | +| ../lib/os/path.py:2:22:2:22 | Taint externally controlled string at ../lib/os/path.py:2 | ../lib/os/path.py:2:12:2:22 | Taint externally controlled string at ../lib/os/path.py:2 | +| ../lib/os/path.py:2:22:2:22 | Taint externally controlled string at ../lib/os/path.py:2 | ../lib/os/path.py:2:12:2:22 | Taint externally controlled string at ../lib/os/path.py:2 | +| ../lib/os/path.py:4:14:4:14 | Taint externally controlled string at ../lib/os/path.py:4 | ../lib/os/path.py:5:12:5:12 | Taint externally controlled string at ../lib/os/path.py:5 | +| ../lib/os/path.py:4:14:4:14 | Taint externally controlled string at ../lib/os/path.py:4 | ../lib/os/path.py:5:12:5:12 | Taint externally controlled string at ../lib/os/path.py:5 | +| ../lib/os/path.py:4:14:4:14 | Taint externally controlled string at ../lib/os/path.py:4 | ../lib/os/path.py:5:12:5:12 | Taint externally controlled string at ../lib/os/path.py:5 | +| path_injection.py:9:12:9:23 | Taint {externally controlled string} at path_injection.py:9 | path_injection.py:9:12:9:39 | Taint externally controlled string at path_injection.py:9 | +| path_injection.py:9:12:9:39 | Taint externally controlled string at path_injection.py:9 | path_injection.py:10:40:10:43 | Taint externally controlled string at path_injection.py:10 | +| path_injection.py:10:40:10:43 | Taint externally controlled string at path_injection.py:10 | ../lib/os/path.py:1:13:1:13 | Taint externally controlled string at ../lib/os/path.py:1 | +| path_injection.py:10:40:10:43 | Taint externally controlled string at path_injection.py:10 | path_injection.py:10:14:10:44 | Taint externally controlled string 
at path_injection.py:10 | +| path_injection.py:15:12:15:23 | Taint {externally controlled string} at path_injection.py:15 | path_injection.py:15:12:15:39 | Taint externally controlled string at path_injection.py:15 | +| path_injection.py:15:12:15:39 | Taint externally controlled string at path_injection.py:15 | path_injection.py:16:56:16:59 | Taint externally controlled string at path_injection.py:16 | +| path_injection.py:16:13:16:61 | Taint normalized.path.injection at path_injection.py:16 | path_injection.py:17:14:17:18 | Taint normalized.path.injection at path_injection.py:17 | +| path_injection.py:16:30:16:60 | Taint externally controlled string at path_injection.py:16 | ../lib/os/path.py:4:14:4:14 | Taint externally controlled string at ../lib/os/path.py:4 | +| path_injection.py:16:30:16:60 | Taint externally controlled string at path_injection.py:16 | path_injection.py:16:13:16:61 | Taint normalized.path.injection at path_injection.py:16 | +| path_injection.py:16:56:16:59 | Taint externally controlled string at path_injection.py:16 | ../lib/os/path.py:1:13:1:13 | Taint externally controlled string at ../lib/os/path.py:1 | +| path_injection.py:16:56:16:59 | Taint externally controlled string at path_injection.py:16 | path_injection.py:16:30:16:60 | Taint externally controlled string at path_injection.py:16 | +| path_injection.py:24:12:24:23 | Taint {externally controlled string} at path_injection.py:24 | path_injection.py:24:12:24:39 | Taint externally controlled string at path_injection.py:24 | +| path_injection.py:24:12:24:39 | Taint externally controlled string at path_injection.py:24 | path_injection.py:25:56:25:59 | Taint externally controlled string at path_injection.py:25 | +| path_injection.py:25:13:25:61 | Taint normalized.path.injection at path_injection.py:25 | path_injection.py:26:8:26:12 | Taint normalized.path.injection at path_injection.py:26 | +| path_injection.py:25:13:25:61 | Taint normalized.path.injection at path_injection.py:25 | 
path_injection.py:28:14:28:18 | Taint normalized.path.injection at path_injection.py:28 | +| path_injection.py:25:30:25:60 | Taint externally controlled string at path_injection.py:25 | ../lib/os/path.py:4:14:4:14 | Taint externally controlled string at ../lib/os/path.py:4 | +| path_injection.py:25:30:25:60 | Taint externally controlled string at path_injection.py:25 | path_injection.py:25:13:25:61 | Taint normalized.path.injection at path_injection.py:25 | +| path_injection.py:25:56:25:59 | Taint externally controlled string at path_injection.py:25 | ../lib/os/path.py:1:13:1:13 | Taint externally controlled string at ../lib/os/path.py:1 | +| path_injection.py:25:56:25:59 | Taint externally controlled string at path_injection.py:25 | path_injection.py:25:30:25:60 | Taint externally controlled string at path_injection.py:25 | +| path_injection.py:33:12:33:23 | Taint {externally controlled string} at path_injection.py:33 | path_injection.py:33:12:33:39 | Taint externally controlled string at path_injection.py:33 | +| path_injection.py:33:12:33:39 | Taint externally controlled string at path_injection.py:33 | path_injection.py:34:56:34:59 | Taint externally controlled string at path_injection.py:34 | +| path_injection.py:34:13:34:61 | Taint normalized.path.injection at path_injection.py:34 | path_injection.py:35:8:35:12 | Taint normalized.path.injection at path_injection.py:35 | +| path_injection.py:34:30:34:60 | Taint externally controlled string at path_injection.py:34 | ../lib/os/path.py:4:14:4:14 | Taint externally controlled string at ../lib/os/path.py:4 | +| path_injection.py:34:30:34:60 | Taint externally controlled string at path_injection.py:34 | path_injection.py:34:13:34:61 | Taint normalized.path.injection at path_injection.py:34 | +| path_injection.py:34:56:34:59 | Taint externally controlled string at path_injection.py:34 | ../lib/os/path.py:1:13:1:13 | Taint externally controlled string at ../lib/os/path.py:1 | +| path_injection.py:34:56:34:59 | Taint 
externally controlled string at path_injection.py:34 | path_injection.py:34:30:34:60 | Taint externally controlled string at path_injection.py:34 | +parents +| ../lib/os/path.py:1:13:1:13 | Taint externally controlled string at ../lib/os/path.py:1 | path_injection.py:10:40:10:43 | Taint externally controlled string at path_injection.py:10 | +| ../lib/os/path.py:1:13:1:13 | Taint externally controlled string at ../lib/os/path.py:1 | path_injection.py:16:56:16:59 | Taint externally controlled string at path_injection.py:16 | +| ../lib/os/path.py:1:13:1:13 | Taint externally controlled string at ../lib/os/path.py:1 | path_injection.py:25:56:25:59 | Taint externally controlled string at path_injection.py:25 | +| ../lib/os/path.py:1:13:1:13 | Taint externally controlled string at ../lib/os/path.py:1 | path_injection.py:34:56:34:59 | Taint externally controlled string at path_injection.py:34 | +| ../lib/os/path.py:4:14:4:14 | Taint externally controlled string at ../lib/os/path.py:4 | path_injection.py:16:30:16:60 | Taint externally controlled string at path_injection.py:16 | +| ../lib/os/path.py:4:14:4:14 | Taint externally controlled string at ../lib/os/path.py:4 | path_injection.py:25:30:25:60 | Taint externally controlled string at path_injection.py:25 | +| ../lib/os/path.py:4:14:4:14 | Taint externally controlled string at ../lib/os/path.py:4 | path_injection.py:34:30:34:60 | Taint externally controlled string at path_injection.py:34 | +#select +| path_injection.py:10:14:10:44 | argument to open() | path_injection.py:9:12:9:23 | Taint {externally controlled string} at path_injection.py:9 | path_injection.py:10:14:10:44 | Taint externally controlled string at path_injection.py:10 | This path depends on $@. 
| path_injection.py:9:12:9:23 | flask.request.args | a user-provided value | +| path_injection.py:17:14:17:18 | argument to open() | path_injection.py:15:12:15:23 | Taint {externally controlled string} at path_injection.py:15 | path_injection.py:17:14:17:18 | Taint normalized.path.injection at path_injection.py:17 | This path depends on $@. | path_injection.py:15:12:15:23 | flask.request.args | a user-provided value | +| path_injection.py:28:14:28:18 | argument to open() | path_injection.py:24:12:24:23 | Taint {externally controlled string} at path_injection.py:24 | path_injection.py:28:14:28:18 | Taint normalized.path.injection at path_injection.py:28 | This path depends on $@. | path_injection.py:24:12:24:23 | flask.request.args | a user-provided value | diff --git a/python/ql/test/query-tests/Security/CWE-078/CommandInjection.expected b/python/ql/test/query-tests/Security/CWE-078/CommandInjection.expected index e48b14ad0aa..09953ec851e 100644 --- a/python/ql/test/query-tests/Security/CWE-078/CommandInjection.expected +++ b/python/ql/test/query-tests/Security/CWE-078/CommandInjection.expected 
@@ -1,3 +1,19 @@ -| command_injection.py:12:15:12:27 | shell command | This command depends on $@. | command_injection.py:10:13:10:24 | flask.request.args | a user-provided value | -| command_injection.py:19:22:19:34 | shell command | This command depends on $@. | command_injection.py:17:13:17:24 | flask.request.args | a user-provided value | -| command_injection.py:25:22:25:36 | OS command first argument | This command depends on $@. | command_injection.py:24:11:24:22 | flask.request.args | a user-provided value | +edges +| command_injection.py:10:13:10:24 | Taint {externally controlled string} at command_injection.py:10 | command_injection.py:10:13:10:41 | Taint externally controlled string at command_injection.py:10 | +| command_injection.py:10:13:10:41 | Taint externally controlled string at command_injection.py:10 | command_injection.py:12:23:12:27 | Taint externally controlled string at command_injection.py:12 | +| command_injection.py:12:15:12:27 | Taint externally controlled string at command_injection.py:12 | ../lib/os/__init__.py:1:12:1:14 | Taint externally controlled string at ../lib/os/__init__.py:1 | +| command_injection.py:12:23:12:27 | Taint externally controlled string at command_injection.py:12 | command_injection.py:12:15:12:27 | Taint externally controlled string at command_injection.py:12 | +| command_injection.py:17:13:17:24 | Taint {externally controlled string} at command_injection.py:17 | command_injection.py:17:13:17:41 | Taint externally controlled string at command_injection.py:17 | +| command_injection.py:17:13:17:41 | Taint externally controlled string at command_injection.py:17 | command_injection.py:19:29:19:33 | Taint externally controlled string at command_injection.py:19 | +| command_injection.py:19:29:19:33 | Taint externally controlled string at command_injection.py:19 | command_injection.py:19:22:19:34 | Taint [externally controlled string] at command_injection.py:19 | +| command_injection.py:24:11:24:22 | Taint {externally 
controlled string} at command_injection.py:24 | command_injection.py:24:11:24:37 | Taint externally controlled string at command_injection.py:24 | +| command_injection.py:24:11:24:37 | Taint externally controlled string at command_injection.py:24 | command_injection.py:25:23:25:25 | Taint externally controlled string at command_injection.py:25 | +| command_injection.py:25:23:25:25 | Taint externally controlled string at command_injection.py:25 | command_injection.py:25:22:25:36 | Taint [externally controlled string] at command_injection.py:25 | +| command_injection.py:25:23:25:25 | Taint externally controlled string at command_injection.py:25 | command_injection.py:25:22:25:36 | Taint sequence[externally controlled string][0] at command_injection.py:25 | +parents +| ../lib/os/__init__.py:1:12:1:14 | Taint externally controlled string at ../lib/os/__init__.py:1 | command_injection.py:12:15:12:27 | Taint externally controlled string at command_injection.py:12 | +#select +| command_injection.py:12:15:12:27 | shell command | command_injection.py:10:13:10:24 | Taint {externally controlled string} at command_injection.py:10 | command_injection.py:12:15:12:27 | Taint externally controlled string at command_injection.py:12 | This command depends on $@. | command_injection.py:10:13:10:24 | flask.request.args | a user-provided value | +| command_injection.py:19:22:19:34 | shell command | command_injection.py:17:13:17:24 | Taint {externally controlled string} at command_injection.py:17 | command_injection.py:19:22:19:34 | Taint [externally controlled string] at command_injection.py:19 | This command depends on $@. 
| command_injection.py:17:13:17:24 | flask.request.args | a user-provided value | +| command_injection.py:25:22:25:36 | OS command first argument | command_injection.py:24:11:24:22 | Taint {externally controlled string} at command_injection.py:24 | command_injection.py:25:22:25:36 | Taint [externally controlled string] at command_injection.py:25 | This command depends on $@. | command_injection.py:24:11:24:22 | flask.request.args | a user-provided value | +| command_injection.py:25:22:25:36 | OS command first argument | command_injection.py:24:11:24:22 | Taint {externally controlled string} at command_injection.py:24 | command_injection.py:25:22:25:36 | Taint sequence[externally controlled string][0] at command_injection.py:25 | This command depends on $@. | command_injection.py:24:11:24:22 | flask.request.args | a user-provided value | diff --git a/python/ql/test/query-tests/Security/CWE-079/ReflectedXss.expected b/python/ql/test/query-tests/Security/CWE-079/ReflectedXss.expected index d9d226b6248..1f1e49293fe 100644 --- a/python/ql/test/query-tests/Security/CWE-079/ReflectedXss.expected +++ b/python/ql/test/query-tests/Security/CWE-079/ReflectedXss.expected 
@@ -1 +1,13 @@ -| ../lib/flask/__init__.py:16:25:16:26 | flask.response.argument | Cross-site scripting vulnerability due to $@. | reflected_xss.py:7:18:7:29 | flask.request.args | user-provided value | +edges +| ../lib/flask/__init__.py:14:19:14:20 | Taint externally controlled string at ../lib/flask/__init__.py:14 | ../lib/flask/__init__.py:15:19:15:20 | Taint externally controlled string at ../lib/flask/__init__.py:15 | +| ../lib/flask/__init__.py:14:19:14:20 | Taint externally controlled string at ../lib/flask/__init__.py:14 | ../lib/flask/__init__.py:16:25:16:26 | Taint externally controlled string at ../lib/flask/__init__.py:16 | +| reflected_xss.py:7:18:7:29 | Taint {externally controlled string} at reflected_xss.py:7 | reflected_xss.py:7:18:7:45 | Taint externally controlled string at reflected_xss.py:7 | +| reflected_xss.py:7:18:7:45 | Taint externally controlled string at reflected_xss.py:7 | reflected_xss.py:8:44:8:53 | Taint externally controlled string at reflected_xss.py:8 | +| reflected_xss.py:8:26:8:53 | Taint externally controlled string at reflected_xss.py:8 | ../lib/flask/__init__.py:14:19:14:20 | Taint externally controlled string at ../lib/flask/__init__.py:14 | +| reflected_xss.py:8:44:8:53 | Taint externally controlled string at reflected_xss.py:8 | reflected_xss.py:8:26:8:53 | Taint externally controlled string at reflected_xss.py:8 | +| reflected_xss.py:12:18:12:29 | Taint {externally controlled string} at reflected_xss.py:12 | reflected_xss.py:12:18:12:45 | Taint externally controlled string at reflected_xss.py:12 | +| reflected_xss.py:12:18:12:45 | Taint externally controlled string at reflected_xss.py:12 | reflected_xss.py:13:51:13:60 | Taint externally controlled string at reflected_xss.py:13 | +parents +| ../lib/flask/__init__.py:14:19:14:20 | Taint externally controlled string at ../lib/flask/__init__.py:14 | reflected_xss.py:8:26:8:53 | Taint externally controlled string at reflected_xss.py:8 | +#select +| 
../lib/flask/__init__.py:16:25:16:26 | flask.response.argument | reflected_xss.py:7:18:7:29 | Taint {externally controlled string} at reflected_xss.py:7 | ../lib/flask/__init__.py:16:25:16:26 | Taint externally controlled string at ../lib/flask/__init__.py:16 | Cross-site scripting vulnerability due to $@. | reflected_xss.py:7:18:7:29 | flask.request.args | user-provided value | diff --git a/python/ql/test/query-tests/Security/CWE-089/SqlInjection.expected b/python/ql/test/query-tests/Security/CWE-089/SqlInjection.expected index 01a1f6f0b43..5144f195f24 100644 --- a/python/ql/test/query-tests/Security/CWE-089/SqlInjection.expected +++ b/python/ql/test/query-tests/Security/CWE-089/SqlInjection.expected 
@@ -1,4 +1,13 @@ -| sql_injection.py:19:13:19:66 | db.connection.execute | This SQL query depends on $@. | sql_injection.py:9:15:9:21 | Django request source | a user-provided value | -| sql_injection.py:22:38:22:91 | django.db.models.expressions.RawSQL(sink,...) | This SQL query depends on $@. | sql_injection.py:9:15:9:21 | Django request source | a user-provided value | -| sql_injection.py:23:26:23:79 | django.models.QuerySet.raw(sink,...) | This SQL query depends on $@. | sql_injection.py:9:15:9:21 | Django request source | a user-provided value | -| sql_injection.py:24:28:24:81 | django.models.QuerySet.extra(sink,...) | This SQL query depends on $@. | sql_injection.py:9:15:9:21 | Django request source | a user-provided value | +edges +| sql_injection.py:5:15:5:21 | Taint django.request.HttpRequest at sql_injection.py:5 | sql_injection.py:7:8:7:14 | Taint django.request.HttpRequest at sql_injection.py:7 | +| sql_injection.py:5:15:5:21 | Taint django.request.HttpRequest at sql_injection.py:5 | sql_injection.py:8:16:8:22 | Taint django.request.HttpRequest at sql_injection.py:8 | +| sql_injection.py:8:16:8:22 | Taint django.request.HttpRequest at sql_injection.py:8 | sql_injection.py:8:16:8:27 | Taint django.http.request.QueryDict at sql_injection.py:8 | +| sql_injection.py:8:16:8:27 | Taint django.http.request.QueryDict at sql_injection.py:8 | sql_injection.py:8:16:8:39 | Taint externally controlled string at sql_injection.py:8 | +| sql_injection.py:8:16:8:39 | Taint externally controlled string at sql_injection.py:8 | sql_injection.py:12:62:12:65 | Taint externally controlled string at sql_injection.py:12 | +| sql_injection.py:8:16:8:39 | Taint externally controlled string at sql_injection.py:8 | sql_injection.py:15:63:15:66 | Taint externally controlled string at sql_injection.py:15 | +| sql_injection.py:9:16:9:34 | Taint django.db.connection.cursor at sql_injection.py:9 | sql_injection.py:11:9:11:12 | Taint django.db.connection.cursor at sql_injection.py:11 | 
+| sql_injection.py:9:16:9:34 | Taint django.db.connection.cursor at sql_injection.py:9 | sql_injection.py:14:9:14:12 | Taint django.db.connection.cursor at sql_injection.py:14 | +| sql_injection.py:15:63:15:66 | Taint externally controlled string at sql_injection.py:15 | sql_injection.py:15:13:15:66 | Taint externally controlled string at sql_injection.py:15 | +parents +#select +| sql_injection.py:15:13:15:66 | db.connection.execute | sql_injection.py:5:15:5:21 | Taint django.request.HttpRequest at sql_injection.py:5 | sql_injection.py:15:13:15:66 | Taint externally controlled string at sql_injection.py:15 | This SQL query depends on $@. | sql_injection.py:5:15:5:21 | Django request source | a user-provided value | diff --git a/python/ql/test/query-tests/Security/CWE-094/CodeInjection.expected b/python/ql/test/query-tests/Security/CWE-094/CodeInjection.expected index 02a6bc6255d..48980e5b6a9 100644 --- a/python/ql/test/query-tests/Security/CWE-094/CodeInjection.expected +++ b/python/ql/test/query-tests/Security/CWE-094/CodeInjection.expected 
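Review bot: The `#select` section of SqlInjection.expected now holds a single alert (`db.connection.execute` at sql_injection.py:15), while the removed baseline had four, including the `django.db.models.expressions.RawSQL(sink,...)`, `django.models.QuerySet.raw(sink,...)` and `django.models.QuerySet.extra(sink,...)` sinks. The new `edges` rows carry the tainted string only to lines 12 and 15, so nothing in this baseline exercises those three Django sinks any more. sql_injection.py itself is not in the visible diff, so this may come from the test source being trimmed rather than from the query losing results; the commit message should say which. If the drop is unintended, restore the three cases so a regression in the raw-SQL sink models still fails this test.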
@@ -1 +1,12 @@ -| code_injection.py:7:14:7:44 | exec or eval | $@ flows to here and is interpreted as code. | code_injection.py:4:20:4:26 | Django request source | User-provided value | +edges +| code_injection.py:4:20:4:26 | Taint django.request.HttpRequest at code_injection.py:4 | code_injection.py:5:8:5:14 | Taint django.request.HttpRequest at code_injection.py:5 | +| code_injection.py:4:20:4:26 | Taint django.request.HttpRequest at code_injection.py:4 | code_injection.py:6:22:6:28 | Taint django.request.HttpRequest at code_injection.py:6 | +| code_injection.py:6:22:6:28 | Taint django.request.HttpRequest at code_injection.py:6 | code_injection.py:6:22:6:33 | Taint django.http.request.QueryDict at code_injection.py:6 | +| code_injection.py:6:22:6:33 | Taint django.http.request.QueryDict at code_injection.py:6 | code_injection.py:6:22:6:55 | Taint externally controlled string at code_injection.py:6 | +| code_injection.py:6:22:6:55 | Taint externally controlled string at code_injection.py:6 | code_injection.py:7:34:7:43 | Taint externally controlled string at code_injection.py:7 | +| code_injection.py:7:34:7:43 | Taint externally controlled string at code_injection.py:7 | ../lib/base64.py:1:18:1:18 | Taint externally controlled string at ../lib/base64.py:1 | +| code_injection.py:7:34:7:43 | Taint externally controlled string at code_injection.py:7 | code_injection.py:7:14:7:44 | Taint externally controlled string at code_injection.py:7 | +parents +| ../lib/base64.py:1:18:1:18 | Taint externally controlled string at ../lib/base64.py:1 | code_injection.py:7:34:7:43 | Taint externally controlled string at code_injection.py:7 | +#select +| code_injection.py:7:14:7:44 | exec or eval | code_injection.py:4:20:4:26 | Taint django.request.HttpRequest at code_injection.py:4 | code_injection.py:7:14:7:44 | Taint externally controlled string at code_injection.py:7 | $@ flows to here and is interpreted as code. 
| code_injection.py:4:20:4:26 | Django request source | User-provided value | diff --git a/python/ql/test/query-tests/Security/CWE-502/UnsafeDeserialization.expected b/python/ql/test/query-tests/Security/CWE-502/UnsafeDeserialization.expected index a0d1a9f8b4e..522188d9152 100644 --- a/python/ql/test/query-tests/Security/CWE-502/UnsafeDeserialization.expected +++ b/python/ql/test/query-tests/Security/CWE-502/UnsafeDeserialization.expected 
@@ -1,3 +1,12 @@ -| test.py:12:18:12:24 | unpickling untrusted data | Deserializing of $@. | test.py:11:15:11:26 | flask.request.args | untrusted input | -| test.py:13:15:13:21 | yaml.load vulnerability | Deserializing of $@. | test.py:11:15:11:26 | flask.request.args | untrusted input | -| test.py:14:19:14:25 | unmarshaling vulnerability | Deserializing of $@. | test.py:11:15:11:26 | flask.request.args | untrusted input | +edges +| test.py:11:15:11:26 | Taint {externally controlled string} at test.py:11 | test.py:11:15:11:41 | Taint externally controlled string at test.py:11 | +| test.py:11:15:11:41 | Taint externally controlled string at test.py:11 | test.py:12:18:12:24 | Taint externally controlled string at test.py:12 | +| test.py:11:15:11:41 | Taint externally controlled string at test.py:11 | test.py:13:15:13:21 | Taint externally controlled string at test.py:13 | +| test.py:11:15:11:41 | Taint externally controlled string at test.py:11 | test.py:14:19:14:25 | Taint externally controlled string at test.py:14 | +| test.py:13:15:13:21 | Taint externally controlled string at test.py:13 | ../lib/yaml.py:1:10:1:10 | Taint externally controlled string at ../lib/yaml.py:1 | +parents +| ../lib/yaml.py:1:10:1:10 | Taint externally controlled string at ../lib/yaml.py:1 | test.py:13:15:13:21 | Taint externally controlled string at test.py:13 | +#select +| test.py:12:18:12:24 | unpickling untrusted data | test.py:11:15:11:26 | Taint {externally controlled string} at test.py:11 | test.py:12:18:12:24 | Taint externally controlled string at test.py:12 | Deserializing of $@. | test.py:11:15:11:26 | flask.request.args | untrusted input | +| test.py:13:15:13:21 | yaml.load vulnerability | test.py:11:15:11:26 | Taint {externally controlled string} at test.py:11 | test.py:13:15:13:21 | Taint externally controlled string at test.py:13 | Deserializing of $@. 
| test.py:11:15:11:26 | flask.request.args | untrusted input | +| test.py:14:19:14:25 | unmarshaling vulnerability | test.py:11:15:11:26 | Taint {externally controlled string} at test.py:11 | test.py:14:19:14:25 | Taint externally controlled string at test.py:14 | Deserializing of $@. | test.py:11:15:11:26 | flask.request.args | untrusted input | diff --git a/python/ql/test/query-tests/Security/CWE-601/UrlRedirect.expected b/python/ql/test/query-tests/Security/CWE-601/UrlRedirect.expected index a62664e2918..c4c0df06c12 100644 --- a/python/ql/test/query-tests/Security/CWE-601/UrlRedirect.expected +++ b/python/ql/test/query-tests/Security/CWE-601/UrlRedirect.expected 
@@ -1 +1,10 @@ -| test.py:8:21:8:26 | flask.redirect | Untrusted URL redirection due to $@. | test.py:7:22:7:33 | flask.request.args | a user-provided value | +edges +| test.py:7:22:7:33 | Taint {externally controlled string} at test.py:7 | test.py:7:22:7:51 | Taint externally controlled string at test.py:7 | +| test.py:7:22:7:51 | Taint externally controlled string at test.py:7 | test.py:8:21:8:26 | Taint externally controlled string at test.py:8 | +| test.py:8:21:8:26 | Taint externally controlled string at test.py:8 | ../lib/flask/__init__.py:11:14:11:21 | Taint externally controlled string at ../lib/flask/__init__.py:11 | +| test.py:15:17:15:28 | Taint {externally controlled string} at test.py:15 | test.py:15:17:15:42 | Taint externally controlled string at test.py:15 | +| test.py:15:17:15:42 | Taint externally controlled string at test.py:15 | test.py:17:13:17:21 | Taint externally controlled string at test.py:17 | +parents +| ../lib/flask/__init__.py:11:14:11:21 | Taint externally controlled string at ../lib/flask/__init__.py:11 | test.py:8:21:8:26 | Taint externally controlled string at test.py:8 | +#select +| test.py:8:21:8:26 | flask.redirect | test.py:7:22:7:33 | Taint {externally controlled string} at test.py:7 | test.py:8:21:8:26 | Taint externally controlled string at test.py:8 | Untrusted URL redirection due to $@. | test.py:7:22:7:33 | flask.request.args | a user-provided value | diff --git a/semmlecode-python-tests/query-tests/Security/lib/base64.py b/semmlecode-python-tests/query-tests/Security/lib/base64.py new file mode 100644 index 00000000000..a2b97ca63ac --- /dev/null +++ b/semmlecode-python-tests/query-tests/Security/lib/base64.py @@ -0,0 +1,2 @@ +def decodestring(s): + return None diff --git a/semmlecode-python-tests/query-tests/Security/lib/marshall.py b/semmlecode-python-tests/query-tests/Security/lib/marshall.py new file mode 100644 index 00000000000..410fa21087e --- /dev/null 
+++ b/semmlecode-python-tests/query-tests/Security/lib/marshall.py
@@ -0,0 +1,2 @@
+def loads(*args, **kwargs):
+ return None
diff --git a/semmlecode-python-tests/query-tests/Security/lib/os/__init__.py b/semmlecode-python-tests/query-tests/Security/lib/os/__init__.py
new file mode 100644
index 00000000000..84286e873b5
--- /dev/null
+++ b/semmlecode-python-tests/query-tests/Security/lib/os/__init__.py
@@ -0,0 +1,2 @@
+def system(cmd, *args, **kwargs):
+ return None
\ No newline at end of file
diff --git a/semmlecode-python-tests/query-tests/Security/lib/os/path.py b/semmlecode-python-tests/query-tests/Security/lib/os/path.py
new file mode 100644
index 00000000000..77e40f07164
--- /dev/null
+++ b/semmlecode-python-tests/query-tests/Security/lib/os/path.py
@@ -0,0 +1,5 @@
+def join(a, b):
+ return a + "/" + b
+
+def normpath(x):
+ return x
diff --git a/semmlecode-python-tests/query-tests/Security/lib/pickle.py b/semmlecode-python-tests/query-tests/Security/lib/pickle.py
new file mode 100644
index 00000000000..410fa21087e
--- /dev/null
+++ b/semmlecode-python-tests/query-tests/Security/lib/pickle.py
@@ -0,0 +1,2 @@
+def loads(*args, **kwargs):
+ return None
diff --git a/semmlecode-python-tests/query-tests/Security/lib/subprocess.py b/semmlecode-python-tests/query-tests/Security/lib/subprocess.py
new file mode 100644
index 00000000000..efb2ba183f0
--- /dev/null
+++ b/semmlecode-python-tests/query-tests/Security/lib/subprocess.py
@@ -0,0 +1,2 @@
+def Popen(*args, **kwargs):
+ return None
\ No newline at end of file
diff --git a/semmlecode-python-tests/query-tests/Security/lib/traceback.py b/semmlecode-python-tests/query-tests/Security/lib/traceback.py
new file mode 100644
index 00000000000..2a7c5e58847
--- /dev/null
+++ b/semmlecode-python-tests/query-tests/Security/lib/traceback.py
@@ -0,0 +1,2 @@
+def format_exc():
+ return None
\ No newline at end of file
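Review bot: The new stub is named `lib/marshall.py`, but the standard-library module is spelled `marshal`, so an `import marshal` in the CWE-502 test (test.py is not visible here, so this is presumed) would not resolve to this file. Rename it to `lib/marshal.py` if the stub is meant to be found, or drop it if the query models `marshal.loads` without one. The UnsafeDeserialization.expected `edges` and `parents` rows reach only `../lib/yaml.py`, which is consistent with this stub never being picked up. The `*args` signature could also explain that, since `lib/pickle.py` is absent from them too.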
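Review bot: This stub is created under `semmlecode-python-tests/query-tests/Security/lib/os/path.py`, while PathInjection.expected sits under `python/ql/test/query-tests/Security/CWE-022/` and refers to it as `../lib/os/path.py`. Unless the two trees are mapped onto each other outside this diff, the baseline points at a file that does not exist next to it, and the stub probably belongs in `python/ql/test/query-tests/Security/lib/os/`. The same applies to the other new `lib/` files in this commit, for example `../lib/os/__init__.py` in CommandInjection.expected and `../lib/base64.py` in CodeInjection.expected.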