Merge branch 'master' into python-fix-django-taint-sinks

2026-05-01 19:55:15 +02:00 · 2020-07-02 11:55:42 +02:00
parent 9a82927187 50fee5c4a1
commit 67be45f045
1672 changed files with 69476 additions and 29250 deletions
--- a/python/ql/test/2/library-tests/PointsTo/class_properties/ClassValues.expected
+++ b/python/ql/test/2/library-tests/PointsTo/class_properties/ClassValues.expected
@@ -0,0 +1,12 @@
+| mapping | builtin-class collections.defaultdict |
+| mapping | builtin-class dict |
+| mapping | class MyDictSubclass |
+| mapping | class MyMappingABC |
+| mapping | class OrderedDict |
+| neither sequence nor mapping | builtin-class set |
+| sequence | builtin-class list |
+| sequence | builtin-class str |
+| sequence | builtin-class tuple |
+| sequence | builtin-class unicode |
+| sequence | class MySequenceABC |
+| sequence | class MySequenceImpl |
--- a/python/ql/test/2/library-tests/PointsTo/class_properties/ClassValues.ql
+++ b/python/ql/test/2/library-tests/PointsTo/class_properties/ClassValues.ql
@@ -0,0 +1,20 @@
+import python
+
+from ClassValue cls, string res
+where
+    exists(CallNode call |
+        call.getFunction().(NameNode).getId() = "test" and
+        call.getAnArg().pointsTo(cls)
+    ) and
+    (
+        cls.isSequence() and
+        cls.isMapping() and
+        res = "IS BOTH. SHOULD NOT HAPPEN. THEY ARE MUTUALLY EXCLUSIVE."
+        or
+        cls.isSequence() and not cls.isMapping() and res = "sequence"
+        or
+        not cls.isSequence() and cls.isMapping() and res = "mapping"
+        or
+        not cls.isSequence() and not cls.isMapping() and res = "neither sequence nor mapping"
+    )
+select res, cls.toString()
--- a/python/ql/test/2/library-tests/PointsTo/class_properties/options
+++ b/python/ql/test/2/library-tests/PointsTo/class_properties/options
@@ -0,0 +1 @@
+semmle-extractor-options: --lang=2 --max-import-depth=2
--- a/python/ql/test/2/library-tests/PointsTo/class_properties/test.py
+++ b/python/ql/test/2/library-tests/PointsTo/class_properties/test.py
@@ -0,0 +1,50 @@
+from collections import OrderedDict, defaultdict
+
+# Python 2 specific
+from collections import Sequence, Mapping
+
+def test(*args):
+    pass
+
+class MySequenceABC(Sequence):
+    pass
+
+class MyMappingABC(Mapping):
+    pass
+
+class MySequenceImpl(object):
+    def __getitem__(self, key):
+        pass
+
+    def __len__(self):
+        pass
+
+class MyDictSubclass(dict):
+    pass
+
+test(
+    list,
+    tuple,
+    str,
+    unicode,
+    bytes,
+    MySequenceABC,
+    MySequenceImpl,
+    set,
+    dict,
+    OrderedDict,
+    defaultdict,
+    MyMappingABC,
+    MyDictSubclass,
+)
+
+for seq_cls in (list, tuple, str, bytes):
+    assert issubclass(seq_cls, collections.abc.Sequence)
+    assert not issubclass(seq_cls, collections.abc.Mapping)
+
+for map_cls in (dict, OrderedDict, defaultdict):
+    assert not issubclass(map_cls, collections.abc.Sequence)
+    assert issubclass(map_cls, collections.abc.Mapping)
+
+assert not issubclass(set, collections.abc.Sequence)
+assert not issubclass(set, collections.abc.Mapping)
--- a/python/ql/test/2/library-tests/comprehensions/ConsistencyCheck.expected
+++ b/python/ql/test/2/library-tests/comprehensions/ConsistencyCheck.expected
--- a/python/ql/test/2/library-tests/comprehensions/ConsistencyCheck.ql
+++ b/python/ql/test/2/library-tests/comprehensions/ConsistencyCheck.ql
--- a/python/ql/test/3/library-tests/PointsTo/class_properties/ClassValues.expected
+++ b/python/ql/test/3/library-tests/PointsTo/class_properties/ClassValues.expected
@@ -0,0 +1,13 @@
+| mapping | builtin-class collections.OrderedDict |
+| mapping | builtin-class collections.defaultdict |
+| mapping | builtin-class dict |
+| mapping | class MyDictSubclass |
+| mapping | class MyMappingABC |
+| mapping | class OrderedDict |
+| neither sequence nor mapping | builtin-class set |
+| sequence | builtin-class bytes |
+| sequence | builtin-class list |
+| sequence | builtin-class str |
+| sequence | builtin-class tuple |
+| sequence | class MySequenceABC |
+| sequence | class MySequenceImpl |
--- a/python/ql/test/3/library-tests/PointsTo/class_properties/ClassValues.ql
+++ b/python/ql/test/3/library-tests/PointsTo/class_properties/ClassValues.ql
@@ -0,0 +1,20 @@
+import python
+
+from ClassValue cls, string res
+where
+    exists(CallNode call |
+        call.getFunction().(NameNode).getId() = "test" and
+        call.getAnArg().pointsTo(cls)
+    ) and
+    (
+        cls.isSequence() and
+        cls.isMapping() and
+        res = "IS BOTH. SHOULD NOT HAPPEN. THEY ARE MUTUALLY EXCLUSIVE."
+        or
+        cls.isSequence() and not cls.isMapping() and res = "sequence"
+        or
+        not cls.isSequence() and cls.isMapping() and res = "mapping"
+        or
+        not cls.isSequence() and not cls.isMapping() and res = "neither sequence nor mapping"
+    )
+select res, cls.toString()
--- a/python/ql/test/3/library-tests/PointsTo/class_properties/options
+++ b/python/ql/test/3/library-tests/PointsTo/class_properties/options
@@ -0,0 +1 @@
+semmle-extractor-options: --max-import-depth=2
--- a/python/ql/test/3/library-tests/PointsTo/class_properties/test.py
+++ b/python/ql/test/3/library-tests/PointsTo/class_properties/test.py
@@ -0,0 +1,50 @@
+from collections import OrderedDict, defaultdict
+
+# Python 3 specific
+from collections.abc import Sequence, Mapping
+
+def test(*args):
+    pass
+
+class MySequenceABC(Sequence):
+    pass
+
+class MyMappingABC(Mapping):
+    pass
+
+class MySequenceImpl(object):
+    def __getitem__(self, key):
+        pass
+
+    def __len__(self):
+        pass
+
+class MyDictSubclass(dict):
+    pass
+
+test(
+    list,
+    tuple,
+    str,
+    unicode,
+    bytes,
+    MySequenceABC,
+    MySequenceImpl,
+    set,
+    dict,
+    OrderedDict,
+    defaultdict,
+    MyMappingABC,
+    MyDictSubclass,
+)
+
+for seq_cls in (list, tuple, str, bytes):
+    assert issubclass(seq_cls, collections.abc.Sequence)
+    assert not issubclass(seq_cls, collections.abc.Mapping)
+
+for map_cls in (dict, OrderedDict, defaultdict):
+    assert not issubclass(map_cls, collections.abc.Sequence)
+    assert issubclass(map_cls, collections.abc.Mapping)
+
+assert not issubclass(set, collections.abc.Sequence)
+assert not issubclass(set, collections.abc.Mapping)
--- a/python/ql/test/3/library-tests/taint/unpacking/Taint.qll
+++ b/python/ql/test/3/library-tests/taint/unpacking/Taint.qll
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import semmle.python.security.strings.Untrusted

 class SimpleSource extends TaintSource {
--- a/python/ql/test/3/library-tests/taint/unpacking/TestTaint.ql
+++ b/python/ql/test/3/library-tests/taint/unpacking/TestTaint.ql
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import Taint

 from Call call, Expr arg, string taint_string
--- a/python/ql/test/3/query-tests/Classes/equals-attr/DefineEqualsWhenAddingAttributes.expected
+++ b/python/ql/test/3/query-tests/Classes/equals-attr/DefineEqualsWhenAddingAttributes.expected
@@ -1,2 +1,2 @@
-| test.py:12:1:12:24 | class C | The class 'C' does not override $@, but adds the new attribute $@. | test.py:9:5:9:28 | Function __eq__ | '__eq__' | test.py:15:9:15:14 | Attribute | a |
-| test.py:12:1:12:24 | class C | The class 'C' does not override $@, but adds the new attribute $@. | test.py:9:5:9:28 | Function __eq__ | '__eq__' | test.py:15:17:15:22 | Attribute | b |
+| test.py:12:1:12:24 | class C | The class 'C' does not override $@, but adds the new attribute $@. | test.py:9:5:9:28 | Function RedefineEquals.__eq__ | '__eq__' | test.py:15:9:15:14 | Attribute | a |
+| test.py:12:1:12:24 | class C | The class 'C' does not override $@, but adds the new attribute $@. | test.py:9:5:9:28 | Function RedefineEquals.__eq__ | '__eq__' | test.py:15:17:15:22 | Attribute | b |
--- a/python/ql/test/experimental/CWE-091/Xslt.expected
+++ b/python/ql/test/experimental/CWE-091/Xslt.expected
@@ -0,0 +1,47 @@
+edges
+| xslt.py:10:17:10:28 | dict of etree.XML string | xslt.py:10:17:10:43 | etree.XML string |
+| xslt.py:10:17:10:28 | dict of etree.XML string | xslt.py:10:17:10:43 | etree.XML string |
+| xslt.py:10:17:10:43 | etree.XML string | xslt.py:11:27:11:35 | etree.XML string |
+| xslt.py:10:17:10:43 | etree.XML string | xslt.py:11:27:11:35 | etree.XML string |
+| xslt.py:11:17:11:36 | lxml etree xml | xslt.py:14:29:14:37 | lxml etree xml |
+| xslt.py:11:17:11:36 | lxml etree xml | xslt.py:14:29:14:37 | lxml etree xml |
+| xslt.py:11:27:11:35 | etree.XML string | xslt.py:11:17:11:36 | lxml etree xml |
+| xslt.py:11:27:11:35 | etree.XML string | xslt.py:11:17:11:36 | lxml etree xml |
+| xsltInjection.py:10:17:10:28 | dict of etree.XML string | xsltInjection.py:10:17:10:43 | etree.XML string |
+| xsltInjection.py:10:17:10:28 | dict of etree.XML string | xsltInjection.py:10:17:10:43 | etree.XML string |
+| xsltInjection.py:10:17:10:43 | etree.XML string | xsltInjection.py:11:27:11:35 | etree.XML string |
+| xsltInjection.py:10:17:10:43 | etree.XML string | xsltInjection.py:11:27:11:35 | etree.XML string |
+| xsltInjection.py:11:17:11:36 | lxml etree xml | xsltInjection.py:12:28:12:36 | lxml etree xml |
+| xsltInjection.py:11:17:11:36 | lxml etree xml | xsltInjection.py:12:28:12:36 | lxml etree xml |
+| xsltInjection.py:11:27:11:35 | etree.XML string | xsltInjection.py:11:17:11:36 | lxml etree xml |
+| xsltInjection.py:11:27:11:35 | etree.XML string | xsltInjection.py:11:17:11:36 | lxml etree xml |
+| xsltInjection.py:17:17:17:28 | dict of etree.XML string | xsltInjection.py:17:17:17:43 | etree.XML string |
+| xsltInjection.py:17:17:17:28 | dict of etree.XML string | xsltInjection.py:17:17:17:43 | etree.XML string |
+| xsltInjection.py:17:17:17:43 | etree.XML string | xsltInjection.py:18:27:18:35 | etree.XML string |
+| xsltInjection.py:17:17:17:43 | etree.XML string | xsltInjection.py:18:27:18:35 | etree.XML string |
+| xsltInjection.py:18:17:18:36 | lxml etree xml | xsltInjection.py:21:29:21:37 | lxml etree xml |
+| xsltInjection.py:18:17:18:36 | lxml etree xml | xsltInjection.py:21:29:21:37 | lxml etree xml |
+| xsltInjection.py:18:27:18:35 | etree.XML string | xsltInjection.py:18:17:18:36 | lxml etree xml |
+| xsltInjection.py:18:27:18:35 | etree.XML string | xsltInjection.py:18:17:18:36 | lxml etree xml |
+| xsltInjection.py:26:17:26:28 | dict of etree.XML string | xsltInjection.py:26:17:26:43 | etree.XML string |
+| xsltInjection.py:26:17:26:28 | dict of etree.XML string | xsltInjection.py:26:17:26:43 | etree.XML string |
+| xsltInjection.py:26:17:26:43 | etree.XML string | xsltInjection.py:27:27:27:35 | etree.XML string |
+| xsltInjection.py:26:17:26:43 | etree.XML string | xsltInjection.py:27:27:27:35 | etree.XML string |
+| xsltInjection.py:27:17:27:36 | lxml etree xml | xsltInjection.py:31:24:31:32 | lxml etree xml |
+| xsltInjection.py:27:17:27:36 | lxml etree xml | xsltInjection.py:31:24:31:32 | lxml etree xml |
+| xsltInjection.py:27:27:27:35 | etree.XML string | xsltInjection.py:27:17:27:36 | lxml etree xml |
+| xsltInjection.py:27:27:27:35 | etree.XML string | xsltInjection.py:27:17:27:36 | lxml etree xml |
+| xsltInjection.py:35:17:35:28 | dict of etree.XML string | xsltInjection.py:35:17:35:43 | etree.XML string |
+| xsltInjection.py:35:17:35:28 | dict of etree.XML string | xsltInjection.py:35:17:35:43 | etree.XML string |
+| xsltInjection.py:35:17:35:43 | etree.XML string | xsltInjection.py:36:34:36:42 | etree.XML string |
+| xsltInjection.py:35:17:35:43 | etree.XML string | xsltInjection.py:36:34:36:42 | etree.XML string |
+| xsltInjection.py:36:17:36:43 | lxml etree xml | xsltInjection.py:40:24:40:32 | lxml etree xml |
+| xsltInjection.py:36:17:36:43 | lxml etree xml | xsltInjection.py:40:24:40:32 | lxml etree xml |
+| xsltInjection.py:36:34:36:42 | etree.XML string | xsltInjection.py:36:17:36:43 | lxml etree xml |
+| xsltInjection.py:36:34:36:42 | etree.XML string | xsltInjection.py:36:17:36:43 | lxml etree xml |
+#select
+| xslt.py:14:29:14:37 | xslt_root | xslt.py:10:17:10:28 | dict of etree.XML string | xslt.py:14:29:14:37 | lxml etree xml | This XSLT query depends on $@. | xslt.py:10:17:10:28 | Attribute | a user-provided value |
+| xsltInjection.py:12:28:12:36 | xslt_root | xsltInjection.py:10:17:10:28 | dict of etree.XML string | xsltInjection.py:12:28:12:36 | lxml etree xml | This XSLT query depends on $@. | xsltInjection.py:10:17:10:28 | Attribute | a user-provided value |
+| xsltInjection.py:21:29:21:37 | xslt_root | xsltInjection.py:17:17:17:28 | dict of etree.XML string | xsltInjection.py:21:29:21:37 | lxml etree xml | This XSLT query depends on $@. | xsltInjection.py:17:17:17:28 | Attribute | a user-provided value |
+| xsltInjection.py:31:24:31:32 | xslt_root | xsltInjection.py:26:17:26:28 | dict of etree.XML string | xsltInjection.py:31:24:31:32 | lxml etree xml | This XSLT query depends on $@. | xsltInjection.py:26:17:26:28 | Attribute | a user-provided value |
+| xsltInjection.py:40:24:40:32 | xslt_root | xsltInjection.py:35:17:35:28 | dict of etree.XML string | xsltInjection.py:40:24:40:32 | lxml etree xml | This XSLT query depends on $@. | xsltInjection.py:35:17:35:28 | Attribute | a user-provided value |
--- a/python/ql/test/experimental/CWE-091/Xslt.qlref
+++ b/python/ql/test/experimental/CWE-091/Xslt.qlref
@@ -0,0 +1 @@
+experimental/CWE-643/Xslt.ql
--- a/python/ql/test/experimental/CWE-091/XsltSinks.expected
+++ b/python/ql/test/experimental/CWE-091/XsltSinks.expected
@@ -0,0 +1,12 @@
+| xslt.py:14:29:14:37 | lxml.etree.parse.xslt | lxml etree xml |
+| xsltInjection.py:12:28:12:36 | lxml.etree.XSLT | lxml etree xml |
+| xsltInjection.py:21:29:21:37 | lxml.etree.parse.xslt | lxml etree xml |
+| xsltInjection.py:31:24:31:32 | lxml.etree.parse.xslt | lxml etree xml |
+| xsltInjection.py:40:24:40:32 | lxml.etree.parse.xslt | lxml etree xml |
+| xsltInjection.py:50:24:50:32 | lxml.etree.parse.xslt | lxml etree xml |
+| xsltInjection.py:60:24:60:32 | lxml.etree.parse.xslt | lxml etree xml |
+| xsltInjection.py:69:24:69:32 | lxml.etree.parse.xslt | lxml etree xml |
+| xsltInjection.py:79:24:79:32 | lxml.etree.parse.xslt | lxml etree xml |
+| xsltSinks.py:17:28:17:36 | lxml.etree.XSLT | lxml etree xml |
+| xsltSinks.py:30:29:30:37 | lxml.etree.parse.xslt | lxml etree xml |
+| xsltSinks.py:44:24:44:32 | lxml.etree.parse.xslt | lxml etree xml |
--- a/python/ql/test/experimental/CWE-091/XsltSinks.ql
+++ b/python/ql/test/experimental/CWE-091/XsltSinks.ql
@@ -0,0 +1,6 @@
+import python
+import experimental.semmle.python.security.injection.XSLT
+
+from XSLTInjection::XSLTInjectionSink sink, TaintKind kind
+where sink.sinks(kind)
+select sink, kind
--- a/python/ql/test/experimental/CWE-091/options
+++ b/python/ql/test/experimental/CWE-091/options
@@ -0,0 +1 @@
+semmle-extractor-options: -p ../../query-tests/Security/lib/ --max-import-depth=3
--- a/python/ql/test/experimental/CWE-091/xslt.py
+++ b/python/ql/test/experimental/CWE-091/xslt.py
@@ -0,0 +1,14 @@
+from lxml import etree
+from io import StringIO
+from flask import Flask, request
+
+app = Flask(__name__)
+
+
+@app.route("/xslt")
+def bad():
+    xsltQuery = request.args.get('xml', '')
+    xslt_root = etree.XML(xsltQuery)
+    f = StringIO('<foo><bar></bar></foo>')
+    tree = etree.parse(f)
+    result_tree = tree.xslt(xslt_root)  # Not OK
--- a/python/ql/test/experimental/CWE-091/xsltInjection.py
+++ b/python/ql/test/experimental/CWE-091/xsltInjection.py
@@ -0,0 +1,79 @@
+from lxml import etree
+from io import StringIO
+from flask import Flask, request
+
+app = Flask(__name__)
+
+
+@app.route("/xslt1")
+def a():
+    xsltQuery = request.args.get('xml', '')
+    xslt_root = etree.XML(xsltQuery)
+    transform = etree.XSLT(xslt_root) # Not OK
+
+
+@app.route("/xslt2")
+def b():
+    xsltQuery = request.args.get('xml', '')
+    xslt_root = etree.XML(xsltQuery)
+    f = StringIO('<foo><bar></bar></foo>')
+    tree = etree.parse(f)
+    result_tree = tree.xslt(xslt_root) # Not OK
+
+
+@app.route("/xslt3")
+def c():
+    xsltQuery = request.args.get('xml', '')
+    xslt_root = etree.XML(xsltQuery)
+
+    f = StringIO('<foo><bar></bar></foo>')
+    tree = etree.parse(f)
+    result = tree.xslt(xslt_root, a="'A'") # Not OK
+
+@app.route("/xslt4")
+def d():
+    xsltQuery = request.args.get('xml', '')
+    xslt_root = etree.fromstring(xsltQuery)
+
+    f = StringIO('<foo><bar></bar></foo>')
+    tree = etree.parse(f)
+    result = tree.xslt(xslt_root, a="'A'") # Not OK
+
+@app.route("/xslt5")
+def e():
+    xsltQuery = request.args.get('xml', '')
+    xsltStrings = [xsltQuery,"asd","random"]
+    xslt_root = etree.fromstringlist(xsltStrings)
+
+    f = StringIO('<foo><bar></bar></foo>')
+    tree = etree.parse(f)
+    result = tree.xslt(xslt_root, a="'A'") # Not OK
+
+
+@app.route("/xslt6")
+def f():
+    xsltQuery = '<non><remote><query></query></remote></non>'
+    xslt_root = etree.XML(xsltQuery)
+
+    f = StringIO('<foo><bar></bar></foo>')
+    tree = etree.parse(f)
+    result = tree.xslt(xslt_root, a="'A'") # OK
+
+@app.route("/xslt7")
+def g():
+    xsltQuery = '<non><remote><query></query></remote></non>'
+    xslt_root = etree.fromstring(xsltQuery)
+
+    f = StringIO('<foo><bar></bar></foo>')
+    tree = etree.parse(f)
+    result = tree.xslt(xslt_root, a="'A'") # OK
+
+@app.route("/xslt8")
+def h():
+    xsltQuery = '<non><remote><query></query></remote></non>'
+    xsltStrings = [xsltQuery,"asd","random"]
+    xslt_root = etree.fromstringlist(xsltStrings)
+
+    f = StringIO('<foo><bar></bar></foo>')
+    tree = etree.parse(f)
+    result = tree.xslt(xslt_root, a="'A'") # OK    
--- a/python/ql/test/experimental/CWE-091/xsltSinks.py
+++ b/python/ql/test/experimental/CWE-091/xsltSinks.py
@@ -0,0 +1,56 @@
+from lxml import etree
+from io import StringIO
+
+from django.urls import path
+from django.http import HttpResponse
+from django.template import Template, Context, Engine, engines
+
+
+def a(request):
+    xslt_root = etree.XML('''\
+        <xsl:stylesheet version="1.0"
+            xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+            <xsl:template match="/">
+                <foo><xsl:value-of select="/a/b/text()" /></foo>
+            </xsl:template>
+        </xsl:stylesheet>''')
+    transform = etree.XSLT(xslt_root)
+
+
+def b(request):
+    xslt_root = etree.XML('''\
+        <xsl:stylesheet version="1.0"
+            xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+            <xsl:template match="/">
+                <foo><xsl:value-of select="/a/b/text()" /></foo>
+            </xsl:template>
+        </xsl:stylesheet>''')
+    f = StringIO('<foo><bar></bar></foo>')
+    tree = etree.parse(f)
+    result_tree = tree.xslt(xslt_root)
+
+
+def c(request):
+    xslt_root = etree.XML('''\
+        <xsl:stylesheet version="1.0"
+            xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+            <xsl:template match="/">
+                <foo><xsl:value-of select="/a/b/text()" /></foo>
+            </xsl:template>
+        </xsl:stylesheet>''')
+
+    f = StringIO('<foo><bar></bar></foo>')
+    tree = etree.parse(f)
+    result = tree.xslt(xslt_root, a="'A'")
+
+
+urlpatterns = [
+    path('a', a),
+    path('b', b),
+    path('c', c)
+]
+
+if __name__ == "__main__":
+    a(None)
+    b(None)
+    c(None)
--- a/python/ql/test/experimental/CWE-643/options
+++ b/python/ql/test/experimental/CWE-643/options
@@ -0,0 +1 @@
+semmle-extractor-options: --max-import-depth=3 -p ../../query-tests/Security/lib/
--- a/python/ql/test/experimental/CWE-643/xpath.expected
+++ b/python/ql/test/experimental/CWE-643/xpath.expected
@@ -0,0 +1,38 @@
+edges
+| xpathBad.py:9:7:9:13 | django.request.HttpRequest | xpathBad.py:10:13:10:19 | django.request.HttpRequest |
+| xpathBad.py:9:7:9:13 | django.request.HttpRequest | xpathBad.py:10:13:10:19 | django.request.HttpRequest |
+| xpathBad.py:10:13:10:19 | django.request.HttpRequest | xpathBad.py:10:13:10:23 | django.http.request.QueryDict |
+| xpathBad.py:10:13:10:19 | django.request.HttpRequest | xpathBad.py:10:13:10:23 | django.http.request.QueryDict |
+| xpathBad.py:10:13:10:23 | django.http.request.QueryDict | xpathBad.py:10:13:10:32 | externally controlled string |
+| xpathBad.py:10:13:10:23 | django.http.request.QueryDict | xpathBad.py:10:13:10:32 | externally controlled string |
+| xpathBad.py:10:13:10:32 | externally controlled string | xpathBad.py:13:39:13:43 | externally controlled string |
+| xpathBad.py:10:13:10:32 | externally controlled string | xpathBad.py:13:39:13:43 | externally controlled string |
+| xpathBad.py:13:39:13:43 | externally controlled string | xpathBad.py:13:20:13:43 | externally controlled string |
+| xpathBad.py:13:39:13:43 | externally controlled string | xpathBad.py:13:20:13:43 | externally controlled string |
+| xpathFlow.py:11:18:11:29 | dict of externally controlled string | xpathFlow.py:11:18:11:44 | externally controlled string |
+| xpathFlow.py:11:18:11:29 | dict of externally controlled string | xpathFlow.py:11:18:11:44 | externally controlled string |
+| xpathFlow.py:11:18:11:44 | externally controlled string | xpathFlow.py:14:20:14:29 | externally controlled string |
+| xpathFlow.py:11:18:11:44 | externally controlled string | xpathFlow.py:14:20:14:29 | externally controlled string |
+| xpathFlow.py:20:18:20:29 | dict of externally controlled string | xpathFlow.py:20:18:20:44 | externally controlled string |
+| xpathFlow.py:20:18:20:29 | dict of externally controlled string | xpathFlow.py:20:18:20:44 | externally controlled string |
+| xpathFlow.py:20:18:20:44 | externally controlled string | xpathFlow.py:23:29:23:38 | externally controlled string |
+| xpathFlow.py:20:18:20:44 | externally controlled string | xpathFlow.py:23:29:23:38 | externally controlled string |
+| xpathFlow.py:30:18:30:29 | dict of externally controlled string | xpathFlow.py:30:18:30:44 | externally controlled string |
+| xpathFlow.py:30:18:30:29 | dict of externally controlled string | xpathFlow.py:30:18:30:44 | externally controlled string |
+| xpathFlow.py:30:18:30:44 | externally controlled string | xpathFlow.py:32:29:32:38 | externally controlled string |
+| xpathFlow.py:30:18:30:44 | externally controlled string | xpathFlow.py:32:29:32:38 | externally controlled string |
+| xpathFlow.py:39:18:39:29 | dict of externally controlled string | xpathFlow.py:39:18:39:44 | externally controlled string |
+| xpathFlow.py:39:18:39:29 | dict of externally controlled string | xpathFlow.py:39:18:39:44 | externally controlled string |
+| xpathFlow.py:39:18:39:44 | externally controlled string | xpathFlow.py:41:31:41:40 | externally controlled string |
+| xpathFlow.py:39:18:39:44 | externally controlled string | xpathFlow.py:41:31:41:40 | externally controlled string |
+| xpathFlow.py:47:18:47:29 | dict of externally controlled string | xpathFlow.py:47:18:47:44 | externally controlled string |
+| xpathFlow.py:47:18:47:29 | dict of externally controlled string | xpathFlow.py:47:18:47:44 | externally controlled string |
+| xpathFlow.py:47:18:47:44 | externally controlled string | xpathFlow.py:49:29:49:38 | externally controlled string |
+| xpathFlow.py:47:18:47:44 | externally controlled string | xpathFlow.py:49:29:49:38 | externally controlled string |
+#select
+| xpathBad.py:13:20:13:43 | BinaryExpr | xpathBad.py:9:7:9:13 | django.request.HttpRequest | xpathBad.py:13:20:13:43 | externally controlled string | This Xpath query depends on $@. | xpathBad.py:9:7:9:13 | request | a user-provided value |
+| xpathFlow.py:14:20:14:29 | xpathQuery | xpathFlow.py:11:18:11:29 | dict of externally controlled string | xpathFlow.py:14:20:14:29 | externally controlled string | This Xpath query depends on $@. | xpathFlow.py:11:18:11:29 | Attribute | a user-provided value |
+| xpathFlow.py:23:29:23:38 | xpathQuery | xpathFlow.py:20:18:20:29 | dict of externally controlled string | xpathFlow.py:23:29:23:38 | externally controlled string | This Xpath query depends on $@. | xpathFlow.py:20:18:20:29 | Attribute | a user-provided value |
+| xpathFlow.py:32:29:32:38 | xpathQuery | xpathFlow.py:30:18:30:29 | dict of externally controlled string | xpathFlow.py:32:29:32:38 | externally controlled string | This Xpath query depends on $@. | xpathFlow.py:30:18:30:29 | Attribute | a user-provided value |
+| xpathFlow.py:41:31:41:40 | xpathQuery | xpathFlow.py:39:18:39:29 | dict of externally controlled string | xpathFlow.py:41:31:41:40 | externally controlled string | This Xpath query depends on $@. | xpathFlow.py:39:18:39:29 | Attribute | a user-provided value |
+| xpathFlow.py:49:29:49:38 | xpathQuery | xpathFlow.py:47:18:47:29 | dict of externally controlled string | xpathFlow.py:49:29:49:38 | externally controlled string | This Xpath query depends on $@. | xpathFlow.py:47:18:47:29 | Attribute | a user-provided value |
--- a/python/ql/test/experimental/CWE-643/xpath.py
+++ b/python/ql/test/experimental/CWE-643/xpath.py
@@ -0,0 +1,40 @@
+from lxml import etree
+from io import StringIO
+
+
+def a():
+    f = StringIO('<foo><bar></bar></foo>')
+    tree = etree.parse(f)
+    r = tree.xpath('/foo/bar')
+
+
+def b():
+    root = etree.XML("<root><a>TEXT</a></root>")
+    find_text = etree.XPath("//text()")
+    text = find_text(root)[0]
+
+
+def c():
+    root = etree.XML("<root><a>TEXT</a></root>")
+    find_text = etree.XPath("//text()", smart_strings=False)
+    text = find_text(root)[0]
+
+
+def d():
+    root = etree.XML("<root><a>TEXT</a></root>")
+    find_text = find = etree.ETXPath("//{ns}b")
+    text = find_text(root)[0]
+
+
+def e():
+    import libxml2
+    doc = libxml2.parseFile('xpath_injection/credential.xml')
+    results = doc.xpathEval('sink')
+
+
+if __name__ == "__main__":
+    a()
+    b()
+    c()
+    d()
+    e()
--- a/python/ql/test/experimental/CWE-643/xpath.qlref
+++ b/python/ql/test/experimental/CWE-643/xpath.qlref
@@ -0,0 +1 @@
+experimental/CWE-643/xpath.ql
--- a/python/ql/test/experimental/CWE-643/xpathBad.py
+++ b/python/ql/test/experimental/CWE-643/xpathBad.py
@@ -0,0 +1,18 @@
+from lxml import etree
+from io import StringIO
+
+from django.urls import path
+from django.http import HttpResponse
+from django.template import Template, Context, Engine, engines
+
+
+def a(request):
+    value = request.GET['xpath']
+    f = StringIO('<foo><bar></bar></foo>')
+    tree = etree.parse(f)
+    r = tree.xpath("/tag[@id='%s']" % value)
+
+
+urlpatterns = [
+    path('a', a)
+]
--- a/python/ql/test/experimental/CWE-643/xpathFlow.py
+++ b/python/ql/test/experimental/CWE-643/xpathFlow.py
@@ -0,0 +1,49 @@
+from io import StringIO
+from flask import Flask, request
+
+app = Flask(__name__)
+
+
+@app.route("/xpath1")
+def xpath1():
+    from lxml import etree
+
+    xpathQuery = request.args.get('xml', '')
+    f = StringIO('<foo><bar></bar></foo>')
+    tree = etree.parse(f)
+    r = tree.xpath(xpathQuery)
+
+
+@app.route("/xpath2")
+def xpath2():
+    from lxml import etree
+    xpathQuery = request.args.get('xml', '')
+
+    root = etree.XML("<root><a>TEXT</a></root>")
+    find_text = etree.XPath(xpathQuery)
+    text = find_text(root)[0]
+
+
+@app.route("/xpath3")
+def xpath3():
+    from lxml import etree
+    xpathQuery = request.args.get('xml', '')
+    root = etree.XML("<root><a>TEXT</a></root>")
+    find_text = etree.XPath(xpathQuery, smart_strings=False)
+    text = find_text(root)[0]
+
+
+@app.route("/xpath4")
+def xpath4():
+    from lxml import etree
+    xpathQuery = request.args.get('xml', '')
+    root = etree.XML("<root><a>TEXT</a></root>")
+    find_text = etree.ETXPath(xpathQuery)
+    text = find_text(root)[0]
+
+@app.route("/xpath5")
+def xpath5():
+    import libxml2
+    xpathQuery = request.args.get('xml', '')
+    doc = libxml2.parseFile('xpath_injection/credential.xml')
+    results = doc.xpathEval(xpathQuery)
--- a/python/ql/test/experimental/CWE-643/xpathGood.py
+++ b/python/ql/test/experimental/CWE-643/xpathGood.py
@@ -0,0 +1,18 @@
+from lxml import etree
+from io import StringIO
+
+from django.urls import path
+from django.http import HttpResponse
+from django.template import Template, Context, Engine, engines
+
+
+def a(request):
+    value = request.GET['xpath']
+    f = StringIO('<foo><bar></bar></foo>')
+    tree = etree.parse(f)
+    r = tree.xpath("/tag[@id=$tagid]", tagid=value)
+
+
+urlpatterns = [
+    path('a', a)
+]
--- a/python/ql/test/experimental/CWE-643/xpathSinks.expected
+++ b/python/ql/test/experimental/CWE-643/xpathSinks.expected
@@ -0,0 +1,12 @@
+| xpath.py:8:20:8:29 | lxml.etree.parse.xpath | externally controlled string |
+| xpath.py:13:29:13:38 | lxml.etree.Xpath | externally controlled string |
+| xpath.py:19:29:19:38 | lxml.etree.Xpath | externally controlled string |
+| xpath.py:25:38:25:46 | lxml.etree.ETXpath | externally controlled string |
+| xpath.py:32:29:32:34 | libxml2.parseFile.xpathEval | externally controlled string |
+| xpathBad.py:13:20:13:43 | lxml.etree.parse.xpath | externally controlled string |
+| xpathFlow.py:14:20:14:29 | lxml.etree.parse.xpath | externally controlled string |
+| xpathFlow.py:23:29:23:38 | lxml.etree.Xpath | externally controlled string |
+| xpathFlow.py:32:29:32:38 | lxml.etree.Xpath | externally controlled string |
+| xpathFlow.py:41:31:41:40 | lxml.etree.ETXpath | externally controlled string |
+| xpathFlow.py:49:29:49:38 | libxml2.parseFile.xpathEval | externally controlled string |
+| xpathGood.py:13:20:13:37 | lxml.etree.parse.xpath | externally controlled string |
--- a/python/ql/test/experimental/CWE-643/xpathSinks.ql
+++ b/python/ql/test/experimental/CWE-643/xpathSinks.ql
@@ -0,0 +1,6 @@
+import python
+import experimental.semmle.python.security.injection.Xpath
+
+from XpathInjection::XpathInjectionSink sink, TaintKind kind
+where sink.sinks(kind)
+select sink, kind
--- a/python/ql/test/library-tests/ControlFlow/dominators/DominatesConsistency.expected
+++ b/python/ql/test/library-tests/ControlFlow/dominators/DominatesConsistency.expected
--- a/python/ql/test/library-tests/ControlFlow/dominators/DominatesConsistency.ql
+++ b/python/ql/test/library-tests/ControlFlow/dominators/DominatesConsistency.ql
--- a/python/ql/test/library-tests/PointsTo/calls/Argument.expected
+++ b/python/ql/test/library-tests/PointsTo/calls/Argument.expected
@@ -1,15 +0,0 @@
-| 19 | 0 | ControlFlowNode for w | Function f |
-| 19 | 1 | ControlFlowNode for x | Function f |
-| 19 | 2 | ControlFlowNode for y | Function f |
-| 21 | 0 | ControlFlowNode for y | Function f |
-| 21 | 1 | ControlFlowNode for w | Function f |
-| 21 | 2 | ControlFlowNode for z | Function f |
-| 23 | 0 | ControlFlowNode for c | Function f |
-| 23 | 1 | ControlFlowNode for w | Function f |
-| 23 | 2 | ControlFlowNode for z | Function f |
-| 24 | 0 | ControlFlowNode for c | Function n |
-| 24 | 1 | ControlFlowNode for x | Function n |
-| 25 | 0 | ControlFlowNode for y | Function n |
-| 25 | 1 | ControlFlowNode for z | Function n |
-| 33 | 0 | ControlFlowNode for IntegerLiteral | Function foo |
-| 34 | 0 | ControlFlowNode for IntegerLiteral | Function foo |
--- a/python/ql/test/library-tests/PointsTo/calls/Argument.ql
+++ b/python/ql/test/library-tests/PointsTo/calls/Argument.ql
@@ -1,5 +0,0 @@
-import python
-
-from ControlFlowNode arg, FunctionObject func, int i
-where arg = func.getArgumentForCall(_, i)
-select arg.getLocation().getStartLine(), i, arg.toString(), func.toString()
--- a/python/ql/test/library-tests/PointsTo/calls/Call.expected
+++ b/python/ql/test/library-tests/PointsTo/calls/Call.expected
@@ -1,7 +0,0 @@
-| 19 | ControlFlowNode for f() | Function f |
-| 21 | ControlFlowNode for f() | Function f |
-| 23 | ControlFlowNode for Attribute() | Function f |
-| 24 | ControlFlowNode for Attribute() | Function n |
-| 25 | ControlFlowNode for Attribute() | Function n |
-| 33 | ControlFlowNode for Attribute() | Function foo |
-| 34 | ControlFlowNode for Attribute() | Function foo |
--- a/python/ql/test/library-tests/PointsTo/calls/CallPointsTo.expected
+++ b/python/ql/test/library-tests/PointsTo/calls/CallPointsTo.expected
@@ -0,0 +1,19 @@
+| 19 | ControlFlowNode for f() | Function f |
+| 21 | ControlFlowNode for f() | Function f |
+| 22 | ControlFlowNode for C() | class C |
+| 23 | ControlFlowNode for Attribute() | Method(Function f, C()) |
+| 24 | ControlFlowNode for Attribute() | Method(Function C.n, C()) |
+| 25 | ControlFlowNode for Attribute() | Function C.n |
+| 29 | ControlFlowNode for staticmethod() | builtin-class staticmethod |
+| 33 | ControlFlowNode for Attribute() | Function D.foo |
+| 34 | ControlFlowNode for Attribute() | Function D.foo |
+| 34 | ControlFlowNode for D() | class D |
+| 37 | ControlFlowNode for Attribute() | Method(builtin method append, List) |
+| 38 | ControlFlowNode for len() | Builtin-function len |
+| 40 | ControlFlowNode for f() | Function f |
+| 41 | ControlFlowNode for C() | class C |
+| 42 | ControlFlowNode for Attribute() | Method(Function C.n, C()) |
+| 45 | ControlFlowNode for open() | Builtin-function open |
+| 46 | ControlFlowNode for open() | Builtin-function open |
+| 51 | ControlFlowNode for foo() | Function foo |
+| 55 | ControlFlowNode for bar() | Function bar |
--- a/python/ql/test/library-tests/PointsTo/calls/CallPointsTo.ql
+++ b/python/ql/test/library-tests/PointsTo/calls/CallPointsTo.ql
@@ -0,0 +1,5 @@
+import python
+
+from CallNode call, Value func
+where call.getFunction().pointsTo(func)
+select call.getLocation().getStartLine(), call.toString(), func.toString()
--- a/python/ql/test/library-tests/PointsTo/calls/GetACall.expected
+++ b/python/ql/test/library-tests/PointsTo/calls/GetACall.expected
@@ -0,0 +1,23 @@
+| 19 | ControlFlowNode for f() | Function f |
+| 21 | ControlFlowNode for f() | Function f |
+| 22 | ControlFlowNode for C() | class C |
+| 23 | ControlFlowNode for Attribute() | Function f |
+| 23 | ControlFlowNode for Attribute() | Method(Function f, C()) |
+| 24 | ControlFlowNode for Attribute() | Function C.n |
+| 24 | ControlFlowNode for Attribute() | Method(Function C.n, C()) |
+| 25 | ControlFlowNode for Attribute() | Function C.n |
+| 29 | ControlFlowNode for staticmethod() | builtin-class staticmethod |
+| 33 | ControlFlowNode for Attribute() | Function D.foo |
+| 34 | ControlFlowNode for Attribute() | Function D.foo |
+| 34 | ControlFlowNode for D() | class D |
+| 37 | ControlFlowNode for Attribute() | Method(builtin method append, List) |
+| 37 | ControlFlowNode for Attribute() | builtin method append |
+| 38 | ControlFlowNode for len() | Builtin-function len |
+| 40 | ControlFlowNode for f() | Function f |
+| 41 | ControlFlowNode for C() | class C |
+| 42 | ControlFlowNode for Attribute() | Function C.n |
+| 42 | ControlFlowNode for Attribute() | Method(Function C.n, C()) |
+| 45 | ControlFlowNode for open() | Builtin-function open |
+| 46 | ControlFlowNode for open() | Builtin-function open |
+| 51 | ControlFlowNode for foo() | Function foo |
+| 55 | ControlFlowNode for bar() | Function bar |
--- a/python/ql/test/library-tests/PointsTo/calls/GetACall.ql
+++ b/python/ql/test/library-tests/PointsTo/calls/GetACall.ql
@@ -1,5 +1,5 @@
 import python

-from ControlFlowNode call, FunctionObject func
+from ControlFlowNode call, Value func
 where call = func.getACall()
 select call.getLocation().getStartLine(), call.toString(), func.toString()
--- a/python/ql/test/library-tests/PointsTo/calls/getArgumentForCall.expected
+++ b/python/ql/test/library-tests/PointsTo/calls/getArgumentForCall.expected
@@ -0,0 +1,34 @@
+| 19 | ControlFlowNode for f() | Function f | 0 | ControlFlowNode for w |
+| 19 | ControlFlowNode for f() | Function f | 1 | ControlFlowNode for x |
+| 19 | ControlFlowNode for f() | Function f | 2 | ControlFlowNode for y |
+| 21 | ControlFlowNode for f() | Function f | 0 | ControlFlowNode for y |
+| 21 | ControlFlowNode for f() | Function f | 1 | ControlFlowNode for w |
+| 21 | ControlFlowNode for f() | Function f | 2 | ControlFlowNode for z |
+| 23 | ControlFlowNode for Attribute() | Function f | 0 | ControlFlowNode for c |
+| 23 | ControlFlowNode for Attribute() | Function f | 1 | ControlFlowNode for w |
+| 23 | ControlFlowNode for Attribute() | Function f | 2 | ControlFlowNode for z |
+| 23 | ControlFlowNode for Attribute() | Method(Function f, C()) | 0 | ControlFlowNode for w |
+| 23 | ControlFlowNode for Attribute() | Method(Function f, C()) | 1 | ControlFlowNode for z |
+| 24 | ControlFlowNode for Attribute() | Function C.n | 0 | ControlFlowNode for c |
+| 24 | ControlFlowNode for Attribute() | Function C.n | 1 | ControlFlowNode for x |
+| 24 | ControlFlowNode for Attribute() | Method(Function C.n, C()) | 0 | ControlFlowNode for x |
+| 25 | ControlFlowNode for Attribute() | Function C.n | 0 | ControlFlowNode for y |
+| 25 | ControlFlowNode for Attribute() | Function C.n | 1 | ControlFlowNode for z |
+| 33 | ControlFlowNode for Attribute() | Function D.foo | 0 | ControlFlowNode for IntegerLiteral |
+| 34 | ControlFlowNode for Attribute() | Function D.foo | 0 | ControlFlowNode for IntegerLiteral |
+| 37 | ControlFlowNode for Attribute() | Method(builtin method append, List) | 0 | ControlFlowNode for IntegerLiteral |
+| 37 | ControlFlowNode for Attribute() | builtin method append | 0 | ControlFlowNode for l |
+| 37 | ControlFlowNode for Attribute() | builtin method append | 1 | ControlFlowNode for IntegerLiteral |
+| 38 | ControlFlowNode for len() | Builtin-function len | 0 | ControlFlowNode for l |
+| 40 | ControlFlowNode for f() | Function f | 0 | ControlFlowNode for IntegerLiteral |
+| 40 | ControlFlowNode for f() | Function f | 1 | ControlFlowNode for IntegerLiteral |
+| 40 | ControlFlowNode for f() | Function f | 2 | ControlFlowNode for IntegerLiteral |
+| 42 | ControlFlowNode for Attribute() | Function C.n | 0 | ControlFlowNode for c |
+| 42 | ControlFlowNode for Attribute() | Function C.n | 1 | ControlFlowNode for IntegerLiteral |
+| 42 | ControlFlowNode for Attribute() | Method(Function C.n, C()) | 0 | ControlFlowNode for IntegerLiteral |
+| 45 | ControlFlowNode for open() | Builtin-function open | 0 | ControlFlowNode for Str |
+| 45 | ControlFlowNode for open() | Builtin-function open | 1 | ControlFlowNode for Str |
+| 51 | ControlFlowNode for foo() | Function foo | 0 | ControlFlowNode for IntegerLiteral |
+| 51 | ControlFlowNode for foo() | Function foo | 1 | ControlFlowNode for IntegerLiteral |
+| 51 | ControlFlowNode for foo() | Function foo | 2 | ControlFlowNode for IntegerLiteral |
+| 55 | ControlFlowNode for bar() | Function bar | 0 | ControlFlowNode for IntegerLiteral |
--- a/python/ql/test/library-tests/PointsTo/calls/getArgumentForCall.ql
+++ b/python/ql/test/library-tests/PointsTo/calls/getArgumentForCall.ql
@@ -0,0 +1,5 @@
+import python
+
+from CallNode call, CallableValue callable, int i
+select call.getLocation().getStartLine(), call.toString(), callable.toString(), i,
+    callable.getArgumentForCall(call, i).toString()
--- a/python/ql/test/library-tests/PointsTo/calls/getNamedArgumentForCall.expected
+++ b/python/ql/test/library-tests/PointsTo/calls/getNamedArgumentForCall.expected
@@ -0,0 +1,31 @@
+| 19 | ControlFlowNode for f() | Function f | arg0 | ControlFlowNode for w |
+| 19 | ControlFlowNode for f() | Function f | arg1 | ControlFlowNode for x |
+| 19 | ControlFlowNode for f() | Function f | arg2 | ControlFlowNode for y |
+| 21 | ControlFlowNode for f() | Function f | arg0 | ControlFlowNode for y |
+| 21 | ControlFlowNode for f() | Function f | arg1 | ControlFlowNode for w |
+| 21 | ControlFlowNode for f() | Function f | arg2 | ControlFlowNode for z |
+| 23 | ControlFlowNode for Attribute() | Function f | arg1 | ControlFlowNode for w |
+| 23 | ControlFlowNode for Attribute() | Function f | arg2 | ControlFlowNode for z |
+| 23 | ControlFlowNode for Attribute() | Function f | self | ControlFlowNode for c |
+| 23 | ControlFlowNode for Attribute() | Method(Function f, C()) | arg1 | ControlFlowNode for w |
+| 23 | ControlFlowNode for Attribute() | Method(Function f, C()) | arg2 | ControlFlowNode for z |
+| 24 | ControlFlowNode for Attribute() | Function C.n | arg1 | ControlFlowNode for x |
+| 24 | ControlFlowNode for Attribute() | Function C.n | self | ControlFlowNode for c |
+| 24 | ControlFlowNode for Attribute() | Method(Function C.n, C()) | arg1 | ControlFlowNode for x |
+| 25 | ControlFlowNode for Attribute() | Function C.n | arg1 | ControlFlowNode for z |
+| 25 | ControlFlowNode for Attribute() | Function C.n | self | ControlFlowNode for y |
+| 33 | ControlFlowNode for Attribute() | Function D.foo | arg | ControlFlowNode for IntegerLiteral |
+| 34 | ControlFlowNode for Attribute() | Function D.foo | arg | ControlFlowNode for IntegerLiteral |
+| 37 | ControlFlowNode for Attribute() | builtin method append | self | ControlFlowNode for l |
+| 40 | ControlFlowNode for f() | Function f | arg0 | ControlFlowNode for IntegerLiteral |
+| 40 | ControlFlowNode for f() | Function f | arg1 | ControlFlowNode for IntegerLiteral |
+| 40 | ControlFlowNode for f() | Function f | arg2 | ControlFlowNode for IntegerLiteral |
+| 42 | ControlFlowNode for Attribute() | Function C.n | arg1 | ControlFlowNode for IntegerLiteral |
+| 42 | ControlFlowNode for Attribute() | Function C.n | self | ControlFlowNode for c |
+| 42 | ControlFlowNode for Attribute() | Method(Function C.n, C()) | arg1 | ControlFlowNode for IntegerLiteral |
+| 46 | ControlFlowNode for open() | Builtin-function open | file | ControlFlowNode for Str |
+| 46 | ControlFlowNode for open() | Builtin-function open | mode | ControlFlowNode for Str |
+| 51 | ControlFlowNode for foo() | Function foo | a | ControlFlowNode for IntegerLiteral |
+| 55 | ControlFlowNode for bar() | Function bar | a | ControlFlowNode for IntegerLiteral |
+| 55 | ControlFlowNode for bar() | Function bar | b | ControlFlowNode for IntegerLiteral |
+| 55 | ControlFlowNode for bar() | Function bar | c | ControlFlowNode for IntegerLiteral |
--- a/python/ql/test/library-tests/PointsTo/calls/getNamedArgumentForCall.ql
+++ b/python/ql/test/library-tests/PointsTo/calls/getNamedArgumentForCall.ql
@@ -0,0 +1,5 @@
+import python
+
+from CallNode call, CallableValue callable, string name
+select call.getLocation().getStartLine(), call.toString(), callable.toString(), name,
+    callable.getNamedArgumentForCall(call, name).toString()
--- a/python/ql/test/library-tests/PointsTo/calls/getParameter.expected
+++ b/python/ql/test/library-tests/PointsTo/calls/getParameter.expected
@@ -0,0 +1,12 @@
+| Function C.n | 0 | ControlFlowNode for self |
+| Function C.n | 1 | ControlFlowNode for arg1 |
+| Function D.foo | 0 | ControlFlowNode for arg |
+| Function bar | 0 | ControlFlowNode for a |
+| Function f | 0 | ControlFlowNode for arg0 |
+| Function f | 1 | ControlFlowNode for arg1 |
+| Function f | 2 | ControlFlowNode for arg2 |
+| Function foo | 0 | ControlFlowNode for a |
+| Method(Function C.n, C()) | 0 | ControlFlowNode for arg1 |
+| Method(Function C.n, class C) | 0 | ControlFlowNode for arg1 |
+| Method(Function f, C()) | 0 | ControlFlowNode for arg1 |
+| Method(Function f, C()) | 1 | ControlFlowNode for arg2 |
--- a/python/ql/test/library-tests/PointsTo/calls/getParameter.ql
+++ b/python/ql/test/library-tests/PointsTo/calls/getParameter.ql
@@ -0,0 +1,4 @@
+import python
+
+from CallableValue callable, int i
+select callable.toString(), i, callable.getParameter(i).toString()
--- a/python/ql/test/library-tests/PointsTo/calls/getParameterByName.expected
+++ b/python/ql/test/library-tests/PointsTo/calls/getParameterByName.expected
@@ -0,0 +1,12 @@
+| Function C.n | arg1 | ControlFlowNode for arg1 |
+| Function C.n | self | ControlFlowNode for self |
+| Function D.foo | arg | ControlFlowNode for arg |
+| Function bar | a | ControlFlowNode for a |
+| Function f | arg0 | ControlFlowNode for arg0 |
+| Function f | arg1 | ControlFlowNode for arg1 |
+| Function f | arg2 | ControlFlowNode for arg2 |
+| Function foo | a | ControlFlowNode for a |
+| Method(Function C.n, C()) | arg1 | ControlFlowNode for arg1 |
+| Method(Function C.n, class C) | arg1 | ControlFlowNode for arg1 |
+| Method(Function f, C()) | arg1 | ControlFlowNode for arg1 |
+| Method(Function f, C()) | arg2 | ControlFlowNode for arg2 |
--- a/python/ql/test/library-tests/PointsTo/calls/getParameterByName.ql
+++ b/python/ql/test/library-tests/PointsTo/calls/getParameterByName.ql
@@ -0,0 +1,4 @@
+import python
+
+from CallableValue callable, string name
+select callable.toString(), name, callable.getParameterByName(name).toString()
--- a/python/ql/test/library-tests/PointsTo/calls/test.py
+++ b/python/ql/test/library-tests/PointsTo/calls/test.py
@@ -32,3 +32,24 @@ class D(object):

 D.foo(1)
 D().foo(2)
+
+l = [1,2,3]
+l.append(4)
+len(l)
+
+f(arg0=0, arg1=1, arg2=2)
+c = C()
+c.n(arg1=1)
+
+# positional/keyword arguments for a builtin function
+open("foo.txt", "rb") # TODO: Not handled by getNamedArgumentForCall
+open(file="foo.txt", mode="rb")
+
+# Testing how arguments to *args and **kwargs are handled
+def foo(a, *args):
+    pass
+foo(1, 2, 3)
+
+def bar(a, **kwargs):
+    pass
+bar(a=1, b=2, c=3)
--- a/python/ql/test/library-tests/PointsTo/new/Consistency.expected
+++ b/python/ql/test/library-tests/PointsTo/new/Consistency.expected
--- a/python/ql/test/library-tests/PointsTo/new/Consistency.ql
+++ b/python/ql/test/library-tests/PointsTo/new/Consistency.ql
@@ -2,7 +2,7 @@ import python
 import semmle.python.pointsto.PointsTo
 import semmle.python.objects.ObjectInternal

-predicate ssa_sanity(string clsname, string problem, string what) {
+predicate ssa_consistency(string clsname, string problem, string what) {
    /* Exactly one definition of each SSA variable */
    exists(EssaVariable var | clsname = var.getAQlClass() |
        /* Exactly one definition of each SSA variable */
@@ -130,7 +130,7 @@ predicate ssa_sanity(string clsname, string problem, string what) {
    )
 }

-predicate undefined_sanity(string clsname, string problem, string what) {
+predicate undefined_consistency(string clsname, string problem, string what) {
    /* Variables may be undefined, but values cannot be */
    exists(ControlFlowNode f |
        PointsToInternal::pointsTo(f, _, ObjectInternal::undefined(), _) and
@@ -142,5 +142,5 @@ predicate undefined_sanity(string clsname, string problem, string what) {
 }

 from string clsname, string problem, string what
-where ssa_sanity(clsname, problem, what) or undefined_sanity(clsname, problem, what)
+where ssa_consistency(clsname, problem, what) or undefined_consistency(clsname, problem, what)
 select clsname, what, problem
--- a/python/ql/test/library-tests/PointsTo/new/code/b_condition.py
+++ b/python/ql/test/library-tests/PointsTo/new/code/b_condition.py
@@ -57,7 +57,7 @@ def loop(seq):
        if v:
            use(v)

-#This was causing the sanity check to fail, 
+#This was causing the consistency check to fail, 
 def double_attr_check(x, y):
    if x.b == 3:
        return
--- a/python/ql/test/library-tests/PointsTo/new/code/c_tests.py
+++ b/python/ql/test/library-tests/PointsTo/new/code/c_tests.py
@@ -95,7 +95,7 @@ def h():
    if not x:
        pass

-def complex_test(x): # Was failing sanity check.
+def complex_test(x): # Was failing consistency check.
    if not (foo(x) and bar(x)):
        use(x)
    pass
--- a/python/ql/test/library-tests/PointsTo/regressions/missing/metaclass/getACall.expected
+++ b/python/ql/test/library-tests/PointsTo/regressions/missing/metaclass/getACall.expected
@@ -0,0 +1 @@
+| test.py:6:5:6:22 | Function Foo.foo | test.py:9:1:9:11 | ControlFlowNode for Attribute() |
--- a/python/ql/test/library-tests/PointsTo/regressions/missing/metaclass/getACall.ql
+++ b/python/ql/test/library-tests/PointsTo/regressions/missing/metaclass/getACall.ql
@@ -0,0 +1,4 @@
+import python
+
+from PythonFunctionValue func
+select func, func.getACall()
--- a/python/ql/test/library-tests/PointsTo/regressions/missing/metaclass/test.py
+++ b/python/ql/test/library-tests/PointsTo/regressions/missing/metaclass/test.py
@@ -0,0 +1,25 @@
+# Simple classmethod
+
+class Foo(object):
+
+    @classmethod
+    def foo(cls, arg):
+        print(cls, arg)
+
+Foo.foo(42)
+
+
+# classmethod defined by metaclass
+
+class BarMeta(type):
+
+    def bar(cls, arg):
+        print(cls, arg)
+
+class Bar(metaclass=BarMeta):
+    pass
+
+Bar.bar(42) # TODO: No points-to
+
+# If this is solved, please update python/ql/src/Variables/UndefinedExport.ql which has a
+# work-around for this behavior
--- a/python/ql/test/library-tests/examples/custom-sanitizer/Taint.qll
+++ b/python/ql/test/library-tests/examples/custom-sanitizer/Taint.qll
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import semmle.python.security.strings.Untrusted

 class SimpleSource extends TaintSource {
--- a/python/ql/test/library-tests/examples/custom-sanitizer/TestTaint.ql
+++ b/python/ql/test/library-tests/examples/custom-sanitizer/TestTaint.ql
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import Taint

 from
--- a/python/ql/test/library-tests/jump_to_defn/Consistency.expected
+++ b/python/ql/test/library-tests/jump_to_defn/Consistency.expected
--- a/python/ql/test/library-tests/jump_to_defn/Consistency.ql
+++ b/python/ql/test/library-tests/jump_to_defn/Consistency.ql
--- a/python/ql/test/library-tests/regex/Characters.expected
+++ b/python/ql/test/library-tests/regex/Characters.expected
@@ -110,7 +110,6 @@
 | ax{3,} | 5 | 6 |
 | ax{3} | 0 | 1 |
 | ax{3} | 1 | 2 |
-| ax{3} | 2 | 3 |
 | ax{3} | 3 | 4 |
 | ax{3} | 4 | 5 |
 | ax{,3} | 0 | 1 |
--- a/python/ql/test/library-tests/regex/FirstLast.expected
+++ b/python/ql/test/library-tests/regex/FirstLast.expected
@@ -84,6 +84,8 @@
 | ax{3,} | last | 1 | 6 |
 | ax{3,} | last | 5 | 6 |
 | ax{3} | first | 0 | 1 |
+| ax{3} | last | 1 | 2 |
+| ax{3} | last | 1 | 5 |
 | ax{3} | last | 4 | 5 |
 | ax{,3} | first | 0 | 1 |
 | ax{,3} | last | 0 | 1 |
--- a/python/ql/test/library-tests/regex/Qualified.expected
+++ b/python/ql/test/library-tests/regex/Qualified.expected
@@ -11,4 +11,5 @@
 | ^[A-Z_]+$(?<!not-this) | 1 | 8 | false |
 | ax{01,3} | 1 | 8 | false |
 | ax{3,} | 1 | 6 | false |
+| ax{3} | 1 | 5 | false |
 | ax{,3} | 1 | 6 | true |
--- a/python/ql/test/library-tests/regex/Regex.expected
+++ b/python/ql/test/library-tests/regex/Regex.expected
@@ -207,9 +207,9 @@
 | ax{3,} | sequence | 0 | 6 |
 | ax{3} | char | 0 | 1 |
 | ax{3} | char | 1 | 2 |
-| ax{3} | char | 2 | 3 |
 | ax{3} | char | 3 | 4 |
 | ax{3} | char | 4 | 5 |
+| ax{3} | qualified | 1 | 5 |
 | ax{3} | sequence | 0 | 5 |
 | ax{,3} | char | 0 | 1 |
 | ax{,3} | char | 1 | 2 |
--- a/python/ql/test/library-tests/regex/test.py
+++ b/python/ql/test/library-tests/regex/test.py
@@ -62,3 +62,7 @@ re.compile(r'(?:(?P<n1>^(?:|x)))')
 re.compile(r"\[(?P<txt>[^[]*)\]\((?P<uri>[^)]*)")

 re.compile("", re.M) # ODASA-8056
+
+# FP reported in https://github.com/github/codeql/issues/3712
+# This does not define a regex (but could be used by other code to do so)
+escaped = re.escape("https://www.humblebundle.com/home/library")
--- a/python/ql/test/library-tests/security/fabric-v1-execute/Taint.qll
+++ b/python/ql/test/library-tests/security/fabric-v1-execute/Taint.qll
@@ -0,0 +1,24 @@
+import python
+import semmle.python.dataflow.TaintTracking
+import semmle.python.security.strings.Untrusted
+import semmle.python.security.injection.Command
+
+class SimpleSource extends TaintSource {
+    SimpleSource() { this.(NameNode).getId() = "TAINTED_STRING" }
+
+    override predicate isSourceOf(TaintKind kind) { kind instanceof ExternalStringKind }
+
+    override string toString() { result = "taint source" }
+}
+
+class FabricExecuteTestConfiguration extends TaintTracking::Configuration {
+    FabricExecuteTestConfiguration() { this = "FabricExecuteTestConfiguration" }
+
+    override predicate isSource(TaintTracking::Source source) { source instanceof SimpleSource }
+
+    override predicate isSink(TaintTracking::Sink sink) { sink instanceof CommandSink }
+
+    override predicate isExtension(TaintTracking::Extension extension) {
+        extension instanceof FabricExecuteExtension
+    }
+}
--- a/python/ql/test/library-tests/security/fabric-v1-execute/TestTaint.expected
+++ b/python/ql/test/library-tests/security/fabric-v1-execute/TestTaint.expected
@@ -0,0 +1,10 @@
+| test.py:8 | ok   | unsafe | cmd | externally controlled string |
+| test.py:8 | ok   | unsafe | cmd2 | externally controlled string |
+| test.py:9 | ok   | unsafe | safe_arg | <NO TAINT> |
+| test.py:9 | ok   | unsafe | safe_optional | <NO TAINT> |
+| test.py:16 | ok   | unsafe | cmd | externally controlled string |
+| test.py:16 | ok   | unsafe | cmd2 | externally controlled string |
+| test.py:17 | ok   | unsafe | safe_arg | <NO TAINT> |
+| test.py:17 | ok   | unsafe | safe_optional | <NO TAINT> |
+| test.py:23 | ok   | some_http_handler | cmd | externally controlled string |
+| test.py:23 | ok   | some_http_handler | cmd2 | externally controlled string |
--- a/python/ql/test/library-tests/security/fabric-v1-execute/TestTaint.ql
+++ b/python/ql/test/library-tests/security/fabric-v1-execute/TestTaint.ql
@@ -0,0 +1,34 @@
+import python
+import semmle.python.security.TaintTracking
+import semmle.python.web.HttpRequest
+import semmle.python.security.strings.Untrusted
+
+import Taint
+
+from
+    Call call, Expr arg, boolean expected_taint, boolean has_taint, string test_res,
+    string taint_string
+where
+    call.getLocation().getFile().getShortName() = "test.py" and
+    (
+        call.getFunc().(Name).getId() = "ensure_tainted" and
+        expected_taint = true
+        or
+        call.getFunc().(Name).getId() = "ensure_not_tainted" and
+        expected_taint = false
+    ) and
+    arg = call.getAnArg() and
+    (
+        not exists(TaintedNode tainted | tainted.getAstNode() = arg) and
+        taint_string = "<NO TAINT>" and
+        has_taint = false
+        or
+        exists(TaintedNode tainted | tainted.getAstNode() = arg |
+            taint_string = tainted.getTaintKind().toString()
+        ) and
+        has_taint = true
+    ) and
+    if expected_taint = has_taint then test_res = "ok  " else test_res = "fail"
+// if expected_taint = has_taint then test_res = "✓" else test_res = "✕"
+select arg.getLocation().toString(), test_res, call.getScope().(Function).getName(), arg.toString(),
+    taint_string
--- a/python/ql/test/library-tests/security/fabric-v1-execute/options
+++ b/python/ql/test/library-tests/security/fabric-v1-execute/options
@@ -0,0 +1 @@
+semmle-extractor-options: --max-import-depth=2 -p ../../../query-tests/Security/lib/
--- a/python/ql/test/library-tests/security/fabric-v1-execute/test.py
+++ b/python/ql/test/library-tests/security/fabric-v1-execute/test.py
@@ -0,0 +1,28 @@
+"""Test that shows fabric.api.execute propagates taint"""
+
+from fabric.api import run, execute
+
+
+def unsafe(cmd, safe_arg, cmd2=None, safe_optional=5):
+    run('./venv/bin/activate && {}'.format(cmd))
+    ensure_tainted(cmd, cmd2)
+    ensure_not_tainted(safe_arg, safe_optional)
+
+
+class Foo(object):
+
+    def unsafe(self, cmd, safe_arg, cmd2=None, safe_optional=5):
+        run('./venv/bin/activate && {}'.format(cmd))
+        ensure_tainted(cmd, cmd2)
+        ensure_not_tainted(safe_arg, safe_optional)
+
+
+def some_http_handler():
+    cmd = TAINTED_STRING
+    cmd2 = TAINTED_STRING
+    ensure_tainted(cmd, cmd2)
+
+    execute(unsafe, cmd=cmd, safe_arg='safe_arg', cmd2=cmd2)
+
+    foo = Foo()
+    execute(foo.unsafe, cmd, 'safe_arg', cmd2)
--- a/python/ql/test/library-tests/taint/collections/Taint.qll
+++ b/python/ql/test/library-tests/taint/collections/Taint.qll
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import semmle.python.security.strings.Untrusted

 class SimpleSource extends TaintSource {
--- a/python/ql/test/library-tests/taint/collections/TestStep.ql
+++ b/python/ql/test/library-tests/taint/collections/TestStep.ql
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import Taint

 from TaintedNode n, TaintedNode s
--- a/python/ql/test/library-tests/taint/collections/TestTaint.ql
+++ b/python/ql/test/library-tests/taint/collections/TestTaint.ql
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import Taint

 from Call call, Expr arg, string taint_string
--- a/python/ql/test/library-tests/taint/config/RockPaperScissors.ql
+++ b/python/ql/test/library-tests/taint/config/RockPaperScissors.ql
@@ -3,7 +3,7 @@
 */

 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import TaintLib
 import semmle.python.security.Paths

--- a/python/ql/test/library-tests/taint/config/Simple.ql
+++ b/python/ql/test/library-tests/taint/config/Simple.ql
@@ -3,7 +3,7 @@
 */

 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import TaintLib
 import semmle.python.security.Paths

--- a/python/ql/test/library-tests/taint/config/TaintLib.qll
+++ b/python/ql/test/library-tests/taint/config/TaintLib.qll
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking

 class SimpleTest extends TaintKind {
    SimpleTest() { this = "simple.test" }
--- a/python/ql/test/library-tests/taint/config/TaintedArgument.ql
+++ b/python/ql/test/library-tests/taint/config/TaintedArgument.ql
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import TaintLib
 import semmle.python.dataflow.Implementation

--- a/python/ql/test/library-tests/taint/config/TestNode.ql
+++ b/python/ql/test/library-tests/taint/config/TestNode.ql
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import semmle.python.dataflow.Implementation
 import TaintLib

--- a/python/ql/test/library-tests/taint/config/TestSink.ql
+++ b/python/ql/test/library-tests/taint/config/TestSink.ql
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import TaintLib

 from TestConfig config, DataFlow::Node sink, TaintKind kind
--- a/python/ql/test/library-tests/taint/config/TestSource.ql
+++ b/python/ql/test/library-tests/taint/config/TestSource.ql
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import TaintLib

 from TestConfig config, DataFlow::Node source, TaintKind kind
--- a/python/ql/test/library-tests/taint/config/TestStep.ql
+++ b/python/ql/test/library-tests/taint/config/TestStep.ql
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import TaintLib
 import semmle.python.dataflow.Implementation

--- a/python/ql/test/library-tests/taint/example/Edges.ql
+++ b/python/ql/test/library-tests/taint/example/Edges.ql
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import semmle.python.dataflow.Implementation
 import DilbertConfig

--- a/python/ql/test/library-tests/taint/example/Nodes.ql
+++ b/python/ql/test/library-tests/taint/example/Nodes.ql
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import semmle.python.dataflow.Implementation
 import DilbertConfig

--- a/python/ql/test/library-tests/taint/extensions/ExtensionsLib.qll
+++ b/python/ql/test/library-tests/taint/extensions/ExtensionsLib.qll
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking

 class SimpleTest extends TaintKind {
    SimpleTest() { this = "simple.test" }
--- a/python/ql/test/library-tests/taint/flowpath_regression/Config.qll
+++ b/python/ql/test/library-tests/taint/flowpath_regression/Config.qll
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import semmle.python.security.strings.Untrusted

 class FooSource extends TaintSource {
--- a/python/ql/test/library-tests/taint/general/ParamSource.ql
+++ b/python/ql/test/library-tests/taint/general/ParamSource.ql
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 /* Standard library sink */
 import semmle.python.security.injection.Command

--- a/python/ql/test/library-tests/taint/general/TaintConsistency.expected
+++ b/python/ql/test/library-tests/taint/general/TaintConsistency.expected
--- a/python/ql/test/library-tests/taint/general/TaintConsistency.ql
+++ b/python/ql/test/library-tests/taint/general/TaintConsistency.ql
--- a/python/ql/test/library-tests/taint/general/TaintLib.qll
+++ b/python/ql/test/library-tests/taint/general/TaintLib.qll
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking

 class SimpleTest extends TaintKind {
    SimpleTest() { this = "simple.test" }
--- a/python/ql/test/library-tests/taint/general/TestSanitizers.ql
+++ b/python/ql/test/library-tests/taint/general/TestSanitizers.ql
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import TaintLib

 from Sanitizer s, TaintKind taint, PyEdgeRefinement test
--- a/python/ql/test/library-tests/taint/general/TestSink.ql
+++ b/python/ql/test/library-tests/taint/general/TestSink.ql
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import TaintLib

 from TaintSource src, TaintSink sink, TaintKind srckind, TaintKind sinkkind
--- a/python/ql/test/library-tests/taint/general/TestSource.ql
+++ b/python/ql/test/library-tests/taint/general/TestSource.ql
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import TaintLib

 from TaintSource src, TaintKind kind
--- a/python/ql/test/library-tests/taint/general/TestStep.ql
+++ b/python/ql/test/library-tests/taint/general/TestStep.ql
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import TaintLib

 from TaintedNode n, TaintedNode s
--- a/python/ql/test/library-tests/taint/general/TestTaint.ql
+++ b/python/ql/test/library-tests/taint/general/TestTaint.ql
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import TaintLib

 from Call call, Expr arg, string taint_string
--- a/python/ql/test/library-tests/taint/namedtuple/Taint.qll
+++ b/python/ql/test/library-tests/taint/namedtuple/Taint.qll
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import semmle.python.security.strings.Untrusted

 class SimpleSource extends TaintSource {
--- a/python/ql/test/library-tests/taint/namedtuple/TestTaint.ql
+++ b/python/ql/test/library-tests/taint/namedtuple/TestTaint.ql
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import Taint

 from Call call, Expr arg, string taint_string
--- a/python/ql/test/library-tests/taint/strings/Taint.qll
+++ b/python/ql/test/library-tests/taint/strings/Taint.qll
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import semmle.python.security.strings.Untrusted
 import semmle.python.security.Exceptions

--- a/python/ql/test/library-tests/taint/strings/TestStep.ql
+++ b/python/ql/test/library-tests/taint/strings/TestStep.ql
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import Taint

 from TaintedNode n, TaintedNode s
--- a/python/ql/test/library-tests/taint/strings/TestTaint.ql
+++ b/python/ql/test/library-tests/taint/strings/TestTaint.ql
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import Taint

 from Call call, Expr arg, string taint_string
--- a/python/ql/test/library-tests/taint/unpacking/Taint.qll
+++ b/python/ql/test/library-tests/taint/unpacking/Taint.qll
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import semmle.python.security.strings.Untrusted

 class SimpleSource extends TaintSource {
--- a/python/ql/test/library-tests/taint/unpacking/TestStep.ql
+++ b/python/ql/test/library-tests/taint/unpacking/TestStep.ql
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import Taint

 from TaintedNode n, TaintedNode s
--- a/Show More
+++ b/Show More
				`@@ -0,0 +1 @@`
				`semmle-extractor-options: --lang=2 --max-import-depth=2`
				`@@ -0,0 +1 @@`
				`semmle-extractor-options: --max-import-depth=2`
				`@@ -0,0 +1 @@`
				`semmle-extractor-options: -p ../../query-tests/Security/lib/ --max-import-depth=3`
				`@@ -0,0 +1 @@`
				`\| test.py:6:5:6:22 \| Function Foo.foo \| test.py:9:1:9:11 \| ControlFlowNode for Attribute() \|`