Python: Handle find_library assignment to temp variable

python/ql/src/experimental/Security/CWE-285/PamAuthorization.ql

@@ -14,12 +14,11 @@ import experimental.semmle.python.Concepts
 import semmle.python.dataflow.new.TaintTracking
 
 API::Node libPam() {
-  exists(API::CallNode findLibCall, API::CallNode cdllCall, StrConst str |
+  exists(API::CallNode findLibCall, API::CallNode cdllCall |
     findLibCall = API::moduleImport("ctypes.util").getMember("find_library").getACall() and
+    findLibCall.getParameter(0).getAValueReachingRhs().asExpr().(StrConst).getText() = "pam" and
     cdllCall = API::moduleImport("ctypes").getMember("CDLL").getACall() and
-    DataFlow::localFlow(DataFlow::exprNode(str), findLibCall.getArg(0)) and
-    str.getText() = "pam" and
-    cdllCall.getArg(0) = findLibCall
+    cdllCall.getParameter(0).getAValueReachingRhs() = findLibCall
   |
     result = cdllCall.getReturn()
   )

python/ql/test/experimental/query-tests/Security/CWE-285/PamAuthorization.expected

@@ -1 +1 @@
-| pam_test.py:44:18:44:44 | ControlFlowNode for pam_authenticate() | This PAM authentication call may be lead to an authorization bypass. |
+| pam_test.py:48:18:48:44 | ControlFlowNode for pam_authenticate() | This PAM authentication call may be lead to an authorization bypass. |

python/ql/test/experimental/query-tests/Security/CWE-285/pam_test.py

@@ -18,9 +18,13 @@ class PamResponse(Structure):
 class PamConv(Structure):
     pass
 
-
+# this is normal way to do things
 libpam = CDLL(find_library("pam"))
 
+# but we also handle assignment to temp variable
+temp = find_library("pam")
+libpam = CDLL(temp)
+
 pam_start = libpam.pam_start
 pam_start.restype = c_int
 pam_start.argtypes = [c_char_p, c_char_p, POINTER(PamConv), POINTER(PamHandle)]