convert paramiko query to SecondaryServerCmdInjection query, Add inline tests

python/ql/test/experimental/query-tests/Security/CWE-074-SecondaryServerCmdInjection/DataflowQueryTest.expected

@@ -0,0 +1,3 @@
+missingAnnotationOnSink
+testFailures
+failures

python/ql/test/experimental/query-tests/Security/CWE-074-SecondaryServerCmdInjection/DataflowQueryTest.ql

@@ -0,0 +1,4 @@
+import python
+import experimental.dataflow.TestUtil.DataflowQueryTest
+import experimental.semmle.python.security.SecondaryServerCmdInjection
+import FromTaintTrackingConfig<ParamikoConfig>

python/ql/test/experimental/query-tests/Security/CWE-074-SecondaryServerCmdInjection/SecondaryServerCmdInjection.qlref

@@ -0,0 +1 @@
+experimental/Security/CWE-074/secondaryCommandInjection/SecondaryServerCmdInjection.ql

python/ql/test/experimental/query-tests/Security/CWE-074-SecondaryServerCmdInjection/paramiko.py

@@ -13,15 +13,15 @@ app = FastAPI()
 
 @app.get("/bad1")
 async def read_item(cmd: str):
-    stdin, stdout, stderr = paramiko_ssh_client.exec_command(cmd)
+    stdin, stdout, stderr = paramiko_ssh_client.exec_command(cmd)  # $ result=BAD
     return {"success": stdout}
 
 @app.get("/bad2")
 async def read_item(cmd: str):
-    stdin, stdout, stderr = paramiko_ssh_client.exec_command(command=cmd)
+    stdin, stdout, stderr = paramiko_ssh_client.exec_command(command=cmd)  # $ result=BAD
     return {"success": "OK"}
 
 @app.get("/bad3")
 async def read_item(cmd: str):
-    stdin, stdout, stderr = paramiko_ssh_client.connect('hostname', username='user',password='yourpassword',sock=paramiko.ProxyCommand(cmd))
+    stdin, stdout, stderr = paramiko_ssh_client.connect('hostname', username='user',password='yourpassword',sock=paramiko.ProxyCommand(cmd))  # $ result=BAD
     return {"success": "OK"}

python/ql/test/experimental/query-tests/Security/CWE-074-paramiko/paramiko.qlref

@@ -1 +0,0 @@
-experimental/Security/CWE-074/paramiko/paramiko.ql