From 6755bb32fbc6e4a48b263b59aad7aefeec5c9473 Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Thu, 1 Jun 2023 15:18:05 +0200
Subject: [PATCH] Python: do not add read steps for collections

---
 .../dataflow/new/internal/TaintTrackingPrivate.qll  | 13 -------------
 1 file changed, 13 deletions(-)

diff --git a/python/ql/lib/semmle/python/dataflow/new/internal/TaintTrackingPrivate.qll b/python/ql/lib/semmle/python/dataflow/new/internal/TaintTrackingPrivate.qll
index 423ba24e432..78fb529b05a 100644
--- a/python/ql/lib/semmle/python/dataflow/new/internal/TaintTrackingPrivate.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/internal/TaintTrackingPrivate.qll
@@ -202,19 +202,6 @@ predicate containerStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
     obj = nodeTo.(DataFlow::PostUpdateNode).getPreUpdateNode() and
     call.getArg(0) = nodeFrom
   )
-  or
-  // Although flow through collections is modeled precisely using stores/reads, we still
-  // allow flow out of a _tainted_ collection. This is needed in order to support taint-
-  // tracking configurations where the source is a collection.
-  exists(DataFlow::Content c | DataFlowPrivate::readStep(nodeFrom, c, nodeTo) |
-    // c instanceof DataFlow::ListElementContent
-    // or
-    // c instanceof DataFlow::SetElementContent
-    // or
-    c instanceof DataFlow::DictionaryElementContent
-    // or
-    // c instanceof DataFlow::DictionaryElementAnyContent
-  )
 }
 
 /**