Use custom Sink

python/ql/src/experimental/Security/CWE-730/RegexInjection.ql

@@ -16,7 +16,13 @@ import python
 import experimental.semmle.python.security.injection.RegexInjection
 import DataFlow::PathGraph
 
-from RegexInjectionFlowConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
-where config.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "$@ regular expression is constructed from a $@.",
-  sink.getNode(), "This", source.getNode(), "user-provided value"
+from
+  RegexInjectionFlowConfig config, DataFlow::PathNode source, DataFlow::PathNode sink,
+  Attribute sinkAttribute
+where
+  config.hasFlowPath(source, sink) and
+  sinkAttribute = sink.getNode().(RegexInjectionSink).getRegexMethod()
+select sink.getNode(), source, sink,
+  "$@ regular expression is constructed from a $@ and executed by $@.", sink.getNode(), "This",
+  source.getNode(), "user-provided value", sinkAttribute,
+  sinkAttribute.getObject().toString() + "." + sinkAttribute.getName()

python/ql/src/experimental/semmle/python/Concepts.qll

@@ -76,3 +76,16 @@ class RegexEscape extends DataFlow::Node {
 
   DataFlow::CallCfgNode getEscapeMethod() { result = range.getEscapeMethod() }
 }
+
+class RegexInjectionSink extends DataFlow::Node {
+  Attribute regexMethod;
+
+  RegexInjectionSink() {
+    exists(RegexExecution reExec |
+      this = reExec.getRegexNode() and
+      regexMethod = reExec.getRegexMethod().getFunction().asExpr().(Attribute)
+    )
+  }
+
+  Attribute getRegexMethod() { result = regexMethod }
+}

python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll

@@ -24,6 +24,7 @@ private module Re {
     DataFlow::CallCfgNode regexMethod;
 
     DirectRegex() {
+      // this.getLocation().getFile().getBaseName().regexpMatch("^re_(good|bad)\\.py$") and // debug
       this = API::moduleImport("re").getMember(any(ReMethods m)).getACall() and
       regexNode = this.getArg(0) and
       regexMethod = this
@@ -41,6 +42,7 @@ private module Re {
 
     CompiledRegex() {
       exists(DataFlow::CallCfgNode patternCall, DataFlow::AttrRead reMethod |
+        // this.getLocation().getFile().getBaseName().regexpMatch("^re_(good|bad)\\.py$") and // debug
         this.getFunction() = reMethod and
         patternCall = API::moduleImport("re").getMember("compile").getACall() and
         patternCall = reMethod.getObject().getALocalSource() and

python/ql/src/experimental/semmle/python/security/injection/RegexInjection.qll

@@ -8,7 +8,6 @@ import experimental.semmle.python.Concepts
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
 import semmle.python.dataflow.new.RemoteFlowSources
-import semmle.python.ApiGraphs
 
 /**
  * A taint-tracking configuration for detecting regular expression injections.
@@ -18,7 +17,7 @@ class RegexInjectionFlowConfig extends TaintTracking::Configuration {
 
   override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
-  override predicate isSink(DataFlow::Node sink) { sink = any(RegexExecution re).getRegexNode() }
+  override predicate isSink(DataFlow::Node sink) { sink instanceof RegexInjectionSink }
 
   override predicate isSanitizer(DataFlow::Node sanitizer) {
     sanitizer = any(RegexEscape reEscape).getRegexNode()