Merge branch 'main' into jorgectf/python/ldapinsecureauth

2026-04-30 19:26:02 +02:00 · 2021-09-23 10:05:56 +02:00
parent b505662ef9 a66f83644b
commit 70489b2fc2
716 changed files with 62100 additions and 5033 deletions
--- a/python/ql/test/experimental/library-tests/frameworks/sqlalchemy/ConceptsTest.ql
+++ b/python/ql/test/experimental/library-tests/frameworks/sqlalchemy/ConceptsTest.ql
@@ -1,3 +0,0 @@
-import python
-import experimental.meta.ConceptsTest
-import experimental.semmle.python.frameworks.SqlAlchemy
--- a/python/ql/test/experimental/library-tests/frameworks/sqlalchemy/InlineTaintTest.ql
+++ b/python/ql/test/experimental/library-tests/frameworks/sqlalchemy/InlineTaintTest.ql
@@ -1,2 +0,0 @@
-import experimental.meta.InlineTaintTest
-import experimental.semmle.python.frameworks.SqlAlchemy
--- a/python/ql/test/experimental/library-tests/frameworks/sqlalchemy/taint_test.py
+++ b/python/ql/test/experimental/library-tests/frameworks/sqlalchemy/taint_test.py
@@ -1,12 +0,0 @@
-import sqlalchemy
-
-def test_taint():
-    ts = TAINTED_STRING
-
-    ensure_tainted(
-        ts, # $ tainted
-        sqlalchemy.text(ts), # $ tainted
-        sqlalchemy.sql.text(ts),# $ tainted
-        sqlalchemy.sql.expression.text(ts),# $ tainted
-        sqlalchemy.sql.expression.TextClause(ts),# $ tainted
-    )
--- a/python/ql/test/experimental/library-tests/frameworks/sqlalchemy/ConceptsTest.expected
+++ b/python/ql/test/experimental/library-tests/frameworks/sqlalchemy/ConceptsTest.expected
--- a/python/ql/test/library-tests/frameworks/flask_sqlalchemy/ConceptsTest.ql
+++ b/python/ql/test/library-tests/frameworks/flask_sqlalchemy/ConceptsTest.ql
@@ -0,0 +1,2 @@
+import python
+import experimental.meta.ConceptsTest
--- a/python/ql/test/experimental/library-tests/frameworks/sqlalchemy/InlineTaintTest.expected
+++ b/python/ql/test/experimental/library-tests/frameworks/sqlalchemy/InlineTaintTest.expected
--- a/python/ql/test/library-tests/frameworks/flask_sqlalchemy/InlineTaintTest.ql
+++ b/python/ql/test/library-tests/frameworks/flask_sqlalchemy/InlineTaintTest.ql
@@ -0,0 +1 @@
+import experimental.meta.InlineTaintTest
--- a/python/ql/test/library-tests/frameworks/flask_sqlalchemy/SqlExecution.py
+++ b/python/ql/test/library-tests/frameworks/flask_sqlalchemy/SqlExecution.py
@@ -0,0 +1,51 @@
+# pip install Flask-SQLAlchemy
+from flask import Flask
+from flask_sqlalchemy import SQLAlchemy
+import sqlalchemy
+
+app = Flask(__name__)
+app.config["SQLALCHEMY_DATABASE_URI"] = "sqlite+pysqlite:///:memory:"
+db = SQLAlchemy(app)
+
+# re-exports all things from `sqlalchemy` and `sqlalchemy.orm` under instances of `SQLAlchemy`
+# see
+# - https://github.com/pallets/flask-sqlalchemy/blob/931ec00d1e27f51508e05706eef41cc4419a0b32/src/flask_sqlalchemy/__init__.py#L765
+# - https://github.com/pallets/flask-sqlalchemy/blob/931ec00d1e27f51508e05706eef41cc4419a0b32/src/flask_sqlalchemy/__init__.py#L99-L109
+
+assert str(type(db.text("Foo"))) == "<class 'sqlalchemy.sql.elements.TextClause'>"
+
+# also has engine/session instantiated
+
+raw_sql = "SELECT 'Foo'"
+
+conn = db.engine.connect()
+result = conn.execute(raw_sql) # $ getSql=raw_sql
+assert result.fetchall() == [("Foo",)]
+
+conn = db.get_engine().connect()
+result = conn.execute(raw_sql) # $ getSql=raw_sql
+assert result.fetchall() == [("Foo",)]
+
+result = db.session.execute(raw_sql) # $ getSql=raw_sql
+assert result.fetchall() == [("Foo",)]
+
+Session = db.create_session(options={})
+session = Session()
+result = session.execute(raw_sql) # $ getSql=raw_sql
+assert result.fetchall() == [("Foo",)]
+
+Session = db.create_session(options={})
+with Session.begin() as session:
+    result = session.execute(raw_sql) # $ getSql=raw_sql
+    assert result.fetchall() == [("Foo",)]
+
+result = db.create_scoped_session().execute(raw_sql) # $ getSql=raw_sql
+assert result.fetchall() == [("Foo",)]
+
+
+# text
+t = db.text("foo")
+assert isinstance(t, sqlalchemy.sql.expression.TextClause)
+
+t = db.text(text="foo")
+assert isinstance(t, sqlalchemy.sql.expression.TextClause)
--- a/python/ql/test/library-tests/frameworks/sqlalchemy/ConceptsTest.expected
+++ b/python/ql/test/library-tests/frameworks/sqlalchemy/ConceptsTest.expected
--- a/python/ql/test/library-tests/frameworks/sqlalchemy/ConceptsTest.ql
+++ b/python/ql/test/library-tests/frameworks/sqlalchemy/ConceptsTest.ql
@@ -0,0 +1,2 @@
+import python
+import experimental.meta.ConceptsTest
--- a/python/ql/test/library-tests/frameworks/sqlalchemy/InlineTaintTest.expected
+++ b/python/ql/test/library-tests/frameworks/sqlalchemy/InlineTaintTest.expected
@@ -0,0 +1,3 @@
+argumentToEnsureNotTaintedNotMarkedAsSpurious
+untaintedArgumentToEnsureTaintedNotMarkedAsMissing
+failures
--- a/python/ql/test/library-tests/frameworks/sqlalchemy/InlineTaintTest.ql
+++ b/python/ql/test/library-tests/frameworks/sqlalchemy/InlineTaintTest.ql
@@ -0,0 +1 @@
+import experimental.meta.InlineTaintTest
--- a/python/ql/test/experimental/library-tests/frameworks/sqlalchemy/SqlExecution.py
+++ b/python/ql/test/experimental/library-tests/frameworks/sqlalchemy/SqlExecution.py
@@ -47,10 +47,10 @@ with engine.begin() as connection:

 # Injection requiring the text() taint-step
 t = text("some sql")
-session.query(User).filter(t)  # $ getSql=t
-session.query(User).group_by(User.id).having(t)  # $ getSql=User.id MISSING: getSql=t
-session.query(User).group_by(t).first()  # $ getSql=t
-session.query(User).order_by(t).first()  # $ getSql=t
+session.query(User).filter(t)
+session.query(User).group_by(User.id).having(t)
+session.query(User).group_by(t).first()
+session.query(User).order_by(t).first()

 query = select(User).where(User.name == t)  # $ MISSING: getSql=t
 with engine.connect() as conn:
--- a/python/ql/test/library-tests/frameworks/sqlalchemy/new_tests.py
+++ b/python/ql/test/library-tests/frameworks/sqlalchemy/new_tests.py
@@ -0,0 +1,388 @@
+import sqlalchemy
+import sqlalchemy.orm
+
+# SQLAlchemy is slowly migrating to a 2.0 version, and as part of 1.4 release have a 2.0
+# style (forwards compatible) API that _can_ be adopted. So these tests are marked with
+# either v1.4 or v2.0, such that we cover both.
+
+raw_sql = "select 'FOO'"
+text_sql = sqlalchemy.text(raw_sql)
+
+Base = sqlalchemy.orm.declarative_base()
+
+# ==============================================================================
+# v1.4
+# ==============================================================================
+
+print("v1.4")
+
+# Engine see https://docs.sqlalchemy.org/en/14/core/connections.html#sqlalchemy.engine.Engine
+
+engine = sqlalchemy.create_engine("sqlite+pysqlite:///:memory:", echo=True)
+
+result = engine.execute(raw_sql) # $ getSql=raw_sql
+assert result.fetchall() == [("FOO",)]
+result = engine.execute(statement=raw_sql) # $ getSql=raw_sql
+assert result.fetchall() == [("FOO",)]
+result = engine.execute(text_sql) # $ getSql=text_sql
+assert result.fetchall() == [("FOO",)]
+
+scalar_result = engine.scalar(raw_sql) # $ getSql=raw_sql
+assert scalar_result == "FOO"
+scalar_result = engine.scalar(statement=raw_sql) # $ getSql=raw_sql
+assert scalar_result == "FOO"
+
+# engine with custom execution options
+# see https://docs.sqlalchemy.org/en/14/core/connections.html#sqlalchemy.engine.Engine.execution_options
+engine_with_custom_exe_opts = engine.execution_options(foo=42)
+result = engine_with_custom_exe_opts.execute(raw_sql) # $ getSql=raw_sql
+assert result.fetchall() == [("FOO",)]
+
+even_more_opts = engine_with_custom_exe_opts.execution_options(bar=43)
+result = even_more_opts.execute(raw_sql) # $ getSql=raw_sql
+assert result.fetchall() == [("FOO",)]
+
+# Connection see https://docs.sqlalchemy.org/en/14/core/connections.html#sqlalchemy.engine.Connection
+conn = engine.connect()
+conn: sqlalchemy.engine.base.Connection
+
+result = conn.execute(raw_sql) # $ getSql=raw_sql
+assert result.fetchall() == [("FOO",)]
+result = conn.execute(statement=raw_sql) # $ getSql=raw_sql
+assert result.fetchall() == [("FOO",)]
+
+result = conn.execute(text_sql) # $ getSql=text_sql
+assert result.fetchall() == [("FOO",)]
+result = conn.execute(statement=text_sql) # $ getSql=text_sql
+assert result.fetchall() == [("FOO",)]
+
+# scalar
+scalar_result = conn.scalar(raw_sql) # $ getSql=raw_sql
+assert scalar_result == "FOO"
+scalar_result = conn.scalar(object_=raw_sql) # $ getSql=raw_sql
+assert scalar_result == "FOO"
+
+scalar_result = conn.scalar(text_sql) # $ getSql=text_sql
+assert scalar_result == "FOO"
+scalar_result = conn.scalar(object_=text_sql) # $ getSql=text_sql
+assert scalar_result == "FOO"
+
+
+# exec_driver_sql
+result = conn.exec_driver_sql(raw_sql) # $ getSql=raw_sql
+assert result.fetchall() == [("FOO",)]
+
+# construction by object
+conn = sqlalchemy.engine.base.Connection(engine)
+result = conn.execute(raw_sql) # $ getSql=raw_sql
+assert result.fetchall() == [("FOO",)]
+
+# branched connection
+branched_conn = conn.connect()
+result = branched_conn.execute(text_sql) # $ getSql=text_sql
+assert result.fetchall() == [("FOO",)]
+
+# raw connection
+raw_conn = conn.connection
+result = raw_conn.execute(raw_sql) # $ getSql=raw_sql
+assert result.fetchall() == [("FOO",)]
+
+cursor = raw_conn.cursor()
+cursor.execute(raw_sql) # $ getSql=raw_sql
+assert cursor.fetchall() == [("FOO",)]
+cursor.close()
+
+raw_conn = engine.raw_connection()
+result = raw_conn.execute(raw_sql) # $ getSql=raw_sql
+assert result.fetchall() == [("FOO",)]
+
+# connection with custom execution options
+conn_with_custom_exe_opts = conn.execution_options(bar=1337)
+result = conn_with_custom_exe_opts.execute(text_sql) # $ getSql=text_sql
+assert result.fetchall() == [("FOO",)]
+
+# Session -- is what you use to work with the ORM layer
+# see https://docs.sqlalchemy.org/en/14/orm/session_basics.html
+# and https://docs.sqlalchemy.org/en/14/orm/session_api.html#sqlalchemy.orm.Session
+
+session = sqlalchemy.orm.Session(engine)
+
+result = session.execute(raw_sql) # $ getSql=raw_sql
+assert result.fetchall() == [("FOO",)]
+result = session.execute(statement=raw_sql) # $ getSql=raw_sql
+assert result.fetchall() == [("FOO",)]
+
+result = session.execute(text_sql) # $ getSql=text_sql
+assert result.fetchall() == [("FOO",)]
+result = session.execute(statement=text_sql) # $ getSql=text_sql
+assert result.fetchall() == [("FOO",)]
+
+# scalar
+scalar_result = session.scalar(raw_sql) # $ getSql=raw_sql
+assert scalar_result == "FOO"
+scalar_result = session.scalar(statement=raw_sql) # $ getSql=raw_sql
+assert scalar_result == "FOO"
+
+scalar_result = session.scalar(text_sql) # $ getSql=text_sql
+assert scalar_result == "FOO"
+scalar_result = session.scalar(statement=text_sql) # $ getSql=text_sql
+assert scalar_result == "FOO"
+
+# other ways to construct a session
+with sqlalchemy.orm.Session(engine) as session:
+    result = session.execute(raw_sql) # $ getSql=raw_sql
+    assert result.fetchall() == [("FOO",)]
+
+Session = sqlalchemy.orm.sessionmaker(engine)
+session = Session()
+
+result = session.execute(raw_sql) # $ getSql=raw_sql
+assert result.fetchall() == [("FOO",)]
+
+with Session() as session:
+    result = session.execute(raw_sql) # $ getSql=raw_sql
+    assert result.fetchall() == [("FOO",)]
+
+with Session.begin() as session:
+    result = session.execute(raw_sql) # $ getSql=raw_sql
+    assert result.fetchall() == [("FOO",)]
+
+# Querying (1.4)
+# see https://docs.sqlalchemy.org/en/14/orm/session_basics.html#querying-1-x-style
+
+# to do so we first need a model
+
+class For14(Base):
+    __tablename__ = "for14"
+
+    id = sqlalchemy.Column(sqlalchemy.Integer, primary_key=True)
+    description = sqlalchemy.Column(sqlalchemy.String)
+
+Base.metadata.create_all(engine)
+
+# add a test-entry
+test_entry = For14(id=14, description="test")
+session = sqlalchemy.orm.Session(engine)
+session.add(test_entry)
+session.commit()
+assert session.query(For14).all()[0].id == 14
+
+# and now we can do the actual querying
+
+text_foo = sqlalchemy.text("'FOO'")
+
+# filter_by is only vulnerable to injection if sqlalchemy.text is used, which is evident
+# from the logs produced if this file is run
+# that is, first filter_by results in the SQL
+#
+# SELECT for14.id AS for14_id, for14.description AS for14_description
+# FROM for14
+# WHERE for14.description = ?
+#
+# which is then called with the argument `'FOO'`
+#
+# and the second filter_by results in the SQL
+#
+# SELECT for14.id AS for14_id, for14.description AS for14_description
+# FROM for14
+# WHERE for14.description = 'FOO'
+#
+# which is then called without any arguments
+assert session.query(For14).filter_by(description="'FOO'").all() == []
+query = session.query(For14).filter_by(description=text_foo)
+assert query.all() == []
+
+# Initially I wanted to add lots of additional taint steps such that the normal SQL
+# injection query would find these cases where an ORM query includes a TextClause that
+# includes user-input directly... But that presented 2 problems:
+#
+# - which part of the query construction above should be marked as SQL to fit our
+#   `SqlExecution` concept. Nothing really fits this well, since all the SQL execution
+#   happens under the hood.
+# - This would require a LOT of modeling for these additional taint steps, since there
+#   are many many constructs we would need to have models for. (see the 2 examples below)
+#
+# So instead we flag user-input to a TextClause with its' own query. And so we don't
+# highlight any parts of an ORM constructed query such as these as containing SQL.
+
+# `filter` provides more general filtering
+# see https://docs.sqlalchemy.org/en/14/orm/tutorial.html#common-filter-operators
+# and https://docs.sqlalchemy.org/en/14/orm/query.html#sqlalchemy.orm.Query.filter
+assert session.query(For14).filter(For14.description == "'FOO'").all() == []
+query = session.query(For14).filter(For14.description == text_foo)
+assert query.all() == []
+
+assert session.query(For14).filter(For14.description.like("'FOO'")).all() == []
+query = session.query(For14).filter(For14.description.like(text_foo))
+assert query.all() == []
+
+# There are many other possibilities for ending up with SQL injection, including the
+# following (not an exhaustive list):
+# - `where` (alias for `filter`)
+# - `group_by`
+# - `having`
+# - `order_by`
+# - `join`
+# - `outerjoin`
+
+# ==============================================================================
+# v2.0
+# ==============================================================================
+import sqlalchemy.future
+
+print("-"*80)
+print("v2.0 style")
+
+# For Engine, see https://docs.sqlalchemy.org/en/14/core/future.html#sqlalchemy.future.Engine
+engine = sqlalchemy.create_engine("sqlite+pysqlite:///:memory:", echo=True, future=True)
+future_engine = sqlalchemy.future.create_engine("sqlite+pysqlite:///:memory:", echo=True)
+
+# in 2.0 you are not allowed to execute things directly on the engine
+try:
+    engine.execute(raw_sql) # $ SPURIOUS: getSql=raw_sql
+    raise Exception("above not allowed in 2.0")
+except NotImplementedError:
+    pass
+try:
+    engine.execute(text_sql) # $ SPURIOUS: getSql=text_sql
+    raise Exception("above not allowed in 2.0")
+except NotImplementedError:
+    pass
+
+
+# `connect` returns a new Connection object.
+# see https://docs.sqlalchemy.org/en/14/core/future.html#sqlalchemy.future.Connection
+print("v2.0 engine.connect")
+with engine.connect() as conn:
+    conn: sqlalchemy.future.Connection
+
+    # in 2.0 you are not allowed to use raw strings like this:
+    try:
+        conn.execute(raw_sql) # $ SPURIOUS: getSql=raw_sql
+        raise Exception("above not allowed in 2.0")
+    except sqlalchemy.exc.ObjectNotExecutableError:
+        pass
+
+    result = conn.execute(text_sql) # $ getSql=text_sql
+    assert result.fetchall() == [("FOO",)]
+    result = conn.execute(statement=text_sql) # $ getSql=text_sql
+    assert result.fetchall() == [("FOO",)]
+
+    result = conn.exec_driver_sql(raw_sql) # $ getSql=raw_sql
+    assert result.fetchall() == [("FOO",)]
+
+    raw_conn = conn.connection
+    result = raw_conn.execute(raw_sql) # $ getSql=raw_sql
+    assert result.fetchall() == [("FOO",)]
+
+    # branching not allowed in 2.0
+    try:
+        branched_conn = conn.connect()
+        raise Exception("above not allowed in 2.0")
+    except NotImplementedError:
+        pass
+
+    # connection with custom execution options
+    conn_with_custom_exe_opts = conn.execution_options(bar=1337)
+    result = conn_with_custom_exe_opts.execute(text_sql) # $ getSql=text_sql
+    assert result.fetchall() == [("FOO",)]
+
+    # `scalar` is shorthand helper
+    try:
+        conn.scalar(raw_sql) # $ SPURIOUS: getSql=raw_sql
+    except sqlalchemy.exc.ObjectNotExecutableError:
+        pass
+    scalar_result = conn.scalar(text_sql) # $ getSql=text_sql
+    assert scalar_result == "FOO"
+    scalar_result = conn.scalar(statement=text_sql) # $ getSql=text_sql
+    assert scalar_result == "FOO"
+
+    # This is a contrived example
+    select = sqlalchemy.select(sqlalchemy.text("'BAR'"))
+    result = conn.execute(select) # $ getSql=select
+    assert result.fetchall() == [("BAR",)]
+
+    # This is a contrived example
+    select = sqlalchemy.select(sqlalchemy.literal_column("'BAZ'"))
+    result = conn.execute(select) # $ getSql=select
+    assert result.fetchall() == [("BAZ",)]
+
+with future_engine.connect() as conn:
+    result = conn.execute(text_sql) # $ getSql=text_sql
+    assert result.fetchall() == [("FOO",)]
+
+# `begin` returns a new Connection object with a transaction begun.
+print("v2.0 engine.begin")
+with engine.begin() as conn:
+    result = conn.execute(text_sql) # $ getSql=text_sql
+    assert result.fetchall() == [("FOO",)]
+
+# construction by object
+conn = sqlalchemy.future.Connection(engine)
+result = conn.execute(text_sql) # $ getSql=text_sql
+assert result.fetchall() == [("FOO",)]
+
+# raw_connection
+
+raw_conn = engine.raw_connection()
+result = raw_conn.execute(raw_sql) # $ getSql=raw_sql
+assert result.fetchall() == [("FOO",)]
+
+cursor = raw_conn.cursor()
+cursor.execute(raw_sql) # $ getSql=raw_sql
+assert cursor.fetchall() == [("FOO",)]
+cursor.close()
+
+# Session (2.0)
+session = sqlalchemy.orm.Session(engine, future=True)
+
+result = session.execute(raw_sql) # $ getSql=raw_sql
+assert result.fetchall() == [("FOO",)]
+result = session.execute(statement=raw_sql) # $ getSql=raw_sql
+assert result.fetchall() == [("FOO",)]
+
+result = session.execute(text_sql) # $ getSql=text_sql
+assert result.fetchall() == [("FOO",)]
+result = session.execute(statement=text_sql) # $ getSql=text_sql
+assert result.fetchall() == [("FOO",)]
+
+# scalar
+scalar_result = session.scalar(raw_sql) # $ getSql=raw_sql
+assert scalar_result == "FOO"
+scalar_result = session.scalar(statement=raw_sql) # $ getSql=raw_sql
+assert scalar_result == "FOO"
+
+scalar_result = session.scalar(text_sql) # $ getSql=text_sql
+assert scalar_result == "FOO"
+scalar_result = session.scalar(statement=text_sql) # $ getSql=text_sql
+assert scalar_result == "FOO"
+
+# Querying (2.0)
+# uses a slightly different style than 1.4 -- see note about not modeling
+# ORM query construction as SQL execution at the 1.4 query tests.
+
+class For20(Base):
+    __tablename__ = "for20"
+
+    id = sqlalchemy.Column(sqlalchemy.Integer, primary_key=True)
+    description = sqlalchemy.Column(sqlalchemy.String)
+
+For20.metadata.create_all(engine)
+
+# add a test-entry
+test_entry = For20(id=20, description="test")
+session = sqlalchemy.orm.Session(engine, future=True)
+session.add(test_entry)
+session.commit()
+assert session.query(For20).all()[0].id == 20
+
+# and now we can do the actual querying
+# see https://docs.sqlalchemy.org/en/14/orm/session_basics.html#querying-2-0-style
+
+statement = sqlalchemy.select(For20)
+result = session.execute(statement) # $ getSql=statement
+assert result.scalars().all()[0].id == 20
+
+statement = sqlalchemy.select(For20).where(For20.description == text_foo)
+result = session.execute(statement) # $ getSql=statement
+assert result.scalars().all() == []
--- a/python/ql/test/library-tests/frameworks/sqlalchemy/taint_test.py
+++ b/python/ql/test/library-tests/frameworks/sqlalchemy/taint_test.py
@@ -0,0 +1,28 @@
+import sqlalchemy
+
+ensure_tainted = ensure_not_tainted = print
+TAINTED_STRING = "TAINTED_STRING"
+
+def test_taint():
+    ts = TAINTED_STRING
+
+    ensure_tainted(ts) # $ tainted
+
+    t1 = sqlalchemy.text(ts)
+    t2 = sqlalchemy.text(text=ts)
+    t3 = sqlalchemy.sql.text(ts)
+    t4 = sqlalchemy.sql.text(text=ts)
+    t5 = sqlalchemy.sql.expression.text(ts)
+    t6 = sqlalchemy.sql.expression.text(text=ts)
+    t7 = sqlalchemy.sql.expression.TextClause(ts)
+    t8 = sqlalchemy.sql.expression.TextClause(text=ts)
+
+    # Since we flag user-input to a TextClause with its' own query, we don't want to
+    # have a taint-step for it as that would lead to us also giving an alert for normal
+    # SQL-injection... and double alerting like this does not seem desireable.
+    ensure_not_tainted(t1, t2, t3, t4, t5, t6, t7, t8)
+
+    for text in [t1, t2, t3, t4, t5, t6, t7, t8]:
+        assert isinstance(text, sqlalchemy.sql.expression.TextClause)
+
+test_taint()
--- a/python/ql/test/query-tests/Exceptions/generators/test.py
+++ b/python/ql/test/query-tests/Exceptions/generators/test.py
@@ -53,3 +53,12 @@ def ok5(seq):

 def ok6(seq):
    yield next(iter([]), default='foo')    
+
+# Handling for multiple exception types, one of which is `StopIteration`
+# Reported as a false positive in github/codeql#6227
+def ok7(seq, ctx):
+    try:
+        with ctx:
+            yield next(iter)
+    except (StopIteration, MemoryError):
+        return
--- a/python/ql/test/query-tests/Functions/ModificationOfParameterWithDefault/ModificationOfParameterWithDefault.expected
+++ b/python/ql/test/query-tests/Functions/ModificationOfParameterWithDefault/ModificationOfParameterWithDefault.expected
@@ -0,0 +1,108 @@
+edges
+| test.py:2:12:2:12 | ControlFlowNode for l | test.py:3:5:3:5 | ControlFlowNode for l |
+| test.py:7:11:7:11 | ControlFlowNode for l | test.py:8:5:8:5 | ControlFlowNode for l |
+| test.py:12:14:12:14 | ControlFlowNode for l | test.py:13:9:13:9 | ControlFlowNode for l |
+| test.py:17:15:17:15 | ControlFlowNode for l | test.py:18:5:18:5 | ControlFlowNode for l |
+| test.py:22:15:22:15 | ControlFlowNode for l | test.py:23:5:23:5 | ControlFlowNode for l |
+| test.py:27:12:27:12 | ControlFlowNode for l | test.py:28:5:28:5 | ControlFlowNode for l |
+| test.py:38:13:38:13 | ControlFlowNode for l | test.py:39:5:39:5 | ControlFlowNode for l |
+| test.py:43:14:43:14 | ControlFlowNode for l | test.py:44:13:44:13 | ControlFlowNode for l |
+| test.py:44:13:44:13 | ControlFlowNode for l | test.py:38:13:38:13 | ControlFlowNode for l |
+| test.py:48:14:48:14 | ControlFlowNode for l | test.py:49:5:49:5 | ControlFlowNode for l |
+| test.py:53:10:53:10 | ControlFlowNode for d | test.py:54:5:54:5 | ControlFlowNode for d |
+| test.py:58:19:58:19 | ControlFlowNode for d | test.py:59:5:59:5 | ControlFlowNode for d |
+| test.py:63:28:63:28 | ControlFlowNode for d | test.py:64:5:64:5 | ControlFlowNode for d |
+| test.py:67:14:67:14 | ControlFlowNode for d | test.py:68:5:68:5 | ControlFlowNode for d |
+| test.py:72:19:72:19 | ControlFlowNode for d | test.py:73:14:73:14 | ControlFlowNode for d |
+| test.py:73:14:73:14 | ControlFlowNode for d | test.py:67:14:67:14 | ControlFlowNode for d |
+| test.py:77:17:77:17 | ControlFlowNode for d | test.py:78:5:78:5 | ControlFlowNode for d |
+| test.py:82:26:82:26 | ControlFlowNode for d | test.py:83:5:83:5 | ControlFlowNode for d |
+| test.py:87:35:87:35 | ControlFlowNode for d | test.py:88:5:88:5 | ControlFlowNode for d |
+| test.py:91:21:91:21 | ControlFlowNode for d | test.py:92:5:92:5 | ControlFlowNode for d |
+| test.py:96:26:96:26 | ControlFlowNode for d | test.py:97:21:97:21 | ControlFlowNode for d |
+| test.py:97:21:97:21 | ControlFlowNode for d | test.py:91:21:91:21 | ControlFlowNode for d |
+| test.py:108:14:108:14 | ControlFlowNode for d | test.py:109:9:109:9 | ControlFlowNode for d |
+| test.py:113:20:113:20 | ControlFlowNode for d | test.py:115:5:115:5 | ControlFlowNode for d |
+| test.py:119:29:119:29 | ControlFlowNode for d | test.py:121:5:121:5 | ControlFlowNode for d |
+| test.py:124:15:124:15 | ControlFlowNode for l | test.py:128:9:128:9 | ControlFlowNode for l |
+| test.py:131:23:131:23 | ControlFlowNode for l | test.py:135:9:135:9 | ControlFlowNode for l |
+| test.py:138:15:138:15 | ControlFlowNode for l | test.py:140:9:140:9 | ControlFlowNode for l |
+| test.py:145:23:145:23 | ControlFlowNode for l | test.py:147:9:147:9 | ControlFlowNode for l |
+nodes
+| test.py:2:12:2:12 | ControlFlowNode for l | semmle.label | ControlFlowNode for l |
+| test.py:3:5:3:5 | ControlFlowNode for l | semmle.label | ControlFlowNode for l |
+| test.py:7:11:7:11 | ControlFlowNode for l | semmle.label | ControlFlowNode for l |
+| test.py:8:5:8:5 | ControlFlowNode for l | semmle.label | ControlFlowNode for l |
+| test.py:12:14:12:14 | ControlFlowNode for l | semmle.label | ControlFlowNode for l |
+| test.py:13:9:13:9 | ControlFlowNode for l | semmle.label | ControlFlowNode for l |
+| test.py:17:15:17:15 | ControlFlowNode for l | semmle.label | ControlFlowNode for l |
+| test.py:18:5:18:5 | ControlFlowNode for l | semmle.label | ControlFlowNode for l |
+| test.py:22:15:22:15 | ControlFlowNode for l | semmle.label | ControlFlowNode for l |
+| test.py:23:5:23:5 | ControlFlowNode for l | semmle.label | ControlFlowNode for l |
+| test.py:27:12:27:12 | ControlFlowNode for l | semmle.label | ControlFlowNode for l |
+| test.py:28:5:28:5 | ControlFlowNode for l | semmle.label | ControlFlowNode for l |
+| test.py:38:13:38:13 | ControlFlowNode for l | semmle.label | ControlFlowNode for l |
+| test.py:39:5:39:5 | ControlFlowNode for l | semmle.label | ControlFlowNode for l |
+| test.py:43:14:43:14 | ControlFlowNode for l | semmle.label | ControlFlowNode for l |
+| test.py:44:13:44:13 | ControlFlowNode for l | semmle.label | ControlFlowNode for l |
+| test.py:48:14:48:14 | ControlFlowNode for l | semmle.label | ControlFlowNode for l |
+| test.py:49:5:49:5 | ControlFlowNode for l | semmle.label | ControlFlowNode for l |
+| test.py:53:10:53:10 | ControlFlowNode for d | semmle.label | ControlFlowNode for d |
+| test.py:54:5:54:5 | ControlFlowNode for d | semmle.label | ControlFlowNode for d |
+| test.py:58:19:58:19 | ControlFlowNode for d | semmle.label | ControlFlowNode for d |
+| test.py:59:5:59:5 | ControlFlowNode for d | semmle.label | ControlFlowNode for d |
+| test.py:63:28:63:28 | ControlFlowNode for d | semmle.label | ControlFlowNode for d |
+| test.py:64:5:64:5 | ControlFlowNode for d | semmle.label | ControlFlowNode for d |
+| test.py:67:14:67:14 | ControlFlowNode for d | semmle.label | ControlFlowNode for d |
+| test.py:68:5:68:5 | ControlFlowNode for d | semmle.label | ControlFlowNode for d |
+| test.py:72:19:72:19 | ControlFlowNode for d | semmle.label | ControlFlowNode for d |
+| test.py:73:14:73:14 | ControlFlowNode for d | semmle.label | ControlFlowNode for d |
+| test.py:77:17:77:17 | ControlFlowNode for d | semmle.label | ControlFlowNode for d |
+| test.py:78:5:78:5 | ControlFlowNode for d | semmle.label | ControlFlowNode for d |
+| test.py:82:26:82:26 | ControlFlowNode for d | semmle.label | ControlFlowNode for d |
+| test.py:83:5:83:5 | ControlFlowNode for d | semmle.label | ControlFlowNode for d |
+| test.py:87:35:87:35 | ControlFlowNode for d | semmle.label | ControlFlowNode for d |
+| test.py:88:5:88:5 | ControlFlowNode for d | semmle.label | ControlFlowNode for d |
+| test.py:91:21:91:21 | ControlFlowNode for d | semmle.label | ControlFlowNode for d |
+| test.py:92:5:92:5 | ControlFlowNode for d | semmle.label | ControlFlowNode for d |
+| test.py:96:26:96:26 | ControlFlowNode for d | semmle.label | ControlFlowNode for d |
+| test.py:97:21:97:21 | ControlFlowNode for d | semmle.label | ControlFlowNode for d |
+| test.py:108:14:108:14 | ControlFlowNode for d | semmle.label | ControlFlowNode for d |
+| test.py:109:9:109:9 | ControlFlowNode for d | semmle.label | ControlFlowNode for d |
+| test.py:113:20:113:20 | ControlFlowNode for d | semmle.label | ControlFlowNode for d |
+| test.py:115:5:115:5 | ControlFlowNode for d | semmle.label | ControlFlowNode for d |
+| test.py:119:29:119:29 | ControlFlowNode for d | semmle.label | ControlFlowNode for d |
+| test.py:121:5:121:5 | ControlFlowNode for d | semmle.label | ControlFlowNode for d |
+| test.py:124:15:124:15 | ControlFlowNode for l | semmle.label | ControlFlowNode for l |
+| test.py:128:9:128:9 | ControlFlowNode for l | semmle.label | ControlFlowNode for l |
+| test.py:131:23:131:23 | ControlFlowNode for l | semmle.label | ControlFlowNode for l |
+| test.py:135:9:135:9 | ControlFlowNode for l | semmle.label | ControlFlowNode for l |
+| test.py:138:15:138:15 | ControlFlowNode for l | semmle.label | ControlFlowNode for l |
+| test.py:140:9:140:9 | ControlFlowNode for l | semmle.label | ControlFlowNode for l |
+| test.py:145:23:145:23 | ControlFlowNode for l | semmle.label | ControlFlowNode for l |
+| test.py:147:9:147:9 | ControlFlowNode for l | semmle.label | ControlFlowNode for l |
+subpaths
+#select
+| test.py:3:5:3:5 | ControlFlowNode for l | test.py:2:12:2:12 | ControlFlowNode for l | test.py:3:5:3:5 | ControlFlowNode for l | $@ flows to here and is mutated. | test.py:2:12:2:12 | ControlFlowNode for l | Default value |
+| test.py:8:5:8:5 | ControlFlowNode for l | test.py:7:11:7:11 | ControlFlowNode for l | test.py:8:5:8:5 | ControlFlowNode for l | $@ flows to here and is mutated. | test.py:7:11:7:11 | ControlFlowNode for l | Default value |
+| test.py:13:9:13:9 | ControlFlowNode for l | test.py:12:14:12:14 | ControlFlowNode for l | test.py:13:9:13:9 | ControlFlowNode for l | $@ flows to here and is mutated. | test.py:12:14:12:14 | ControlFlowNode for l | Default value |
+| test.py:18:5:18:5 | ControlFlowNode for l | test.py:17:15:17:15 | ControlFlowNode for l | test.py:18:5:18:5 | ControlFlowNode for l | $@ flows to here and is mutated. | test.py:17:15:17:15 | ControlFlowNode for l | Default value |
+| test.py:23:5:23:5 | ControlFlowNode for l | test.py:22:15:22:15 | ControlFlowNode for l | test.py:23:5:23:5 | ControlFlowNode for l | $@ flows to here and is mutated. | test.py:22:15:22:15 | ControlFlowNode for l | Default value |
+| test.py:28:5:28:5 | ControlFlowNode for l | test.py:27:12:27:12 | ControlFlowNode for l | test.py:28:5:28:5 | ControlFlowNode for l | $@ flows to here and is mutated. | test.py:27:12:27:12 | ControlFlowNode for l | Default value |
+| test.py:39:5:39:5 | ControlFlowNode for l | test.py:43:14:43:14 | ControlFlowNode for l | test.py:39:5:39:5 | ControlFlowNode for l | $@ flows to here and is mutated. | test.py:43:14:43:14 | ControlFlowNode for l | Default value |
+| test.py:49:5:49:5 | ControlFlowNode for l | test.py:48:14:48:14 | ControlFlowNode for l | test.py:49:5:49:5 | ControlFlowNode for l | $@ flows to here and is mutated. | test.py:48:14:48:14 | ControlFlowNode for l | Default value |
+| test.py:54:5:54:5 | ControlFlowNode for d | test.py:53:10:53:10 | ControlFlowNode for d | test.py:54:5:54:5 | ControlFlowNode for d | $@ flows to here and is mutated. | test.py:53:10:53:10 | ControlFlowNode for d | Default value |
+| test.py:59:5:59:5 | ControlFlowNode for d | test.py:58:19:58:19 | ControlFlowNode for d | test.py:59:5:59:5 | ControlFlowNode for d | $@ flows to here and is mutated. | test.py:58:19:58:19 | ControlFlowNode for d | Default value |
+| test.py:64:5:64:5 | ControlFlowNode for d | test.py:63:28:63:28 | ControlFlowNode for d | test.py:64:5:64:5 | ControlFlowNode for d | $@ flows to here and is mutated. | test.py:63:28:63:28 | ControlFlowNode for d | Default value |
+| test.py:68:5:68:5 | ControlFlowNode for d | test.py:72:19:72:19 | ControlFlowNode for d | test.py:68:5:68:5 | ControlFlowNode for d | $@ flows to here and is mutated. | test.py:72:19:72:19 | ControlFlowNode for d | Default value |
+| test.py:78:5:78:5 | ControlFlowNode for d | test.py:77:17:77:17 | ControlFlowNode for d | test.py:78:5:78:5 | ControlFlowNode for d | $@ flows to here and is mutated. | test.py:77:17:77:17 | ControlFlowNode for d | Default value |
+| test.py:83:5:83:5 | ControlFlowNode for d | test.py:82:26:82:26 | ControlFlowNode for d | test.py:83:5:83:5 | ControlFlowNode for d | $@ flows to here and is mutated. | test.py:82:26:82:26 | ControlFlowNode for d | Default value |
+| test.py:88:5:88:5 | ControlFlowNode for d | test.py:87:35:87:35 | ControlFlowNode for d | test.py:88:5:88:5 | ControlFlowNode for d | $@ flows to here and is mutated. | test.py:87:35:87:35 | ControlFlowNode for d | Default value |
+| test.py:92:5:92:5 | ControlFlowNode for d | test.py:96:26:96:26 | ControlFlowNode for d | test.py:92:5:92:5 | ControlFlowNode for d | $@ flows to here and is mutated. | test.py:96:26:96:26 | ControlFlowNode for d | Default value |
+| test.py:109:9:109:9 | ControlFlowNode for d | test.py:108:14:108:14 | ControlFlowNode for d | test.py:109:9:109:9 | ControlFlowNode for d | $@ flows to here and is mutated. | test.py:108:14:108:14 | ControlFlowNode for d | Default value |
+| test.py:115:5:115:5 | ControlFlowNode for d | test.py:113:20:113:20 | ControlFlowNode for d | test.py:115:5:115:5 | ControlFlowNode for d | $@ flows to here and is mutated. | test.py:113:20:113:20 | ControlFlowNode for d | Default value |
+| test.py:121:5:121:5 | ControlFlowNode for d | test.py:119:29:119:29 | ControlFlowNode for d | test.py:121:5:121:5 | ControlFlowNode for d | $@ flows to here and is mutated. | test.py:119:29:119:29 | ControlFlowNode for d | Default value |
+| test.py:128:9:128:9 | ControlFlowNode for l | test.py:124:15:124:15 | ControlFlowNode for l | test.py:128:9:128:9 | ControlFlowNode for l | $@ flows to here and is mutated. | test.py:124:15:124:15 | ControlFlowNode for l | Default value |
+| test.py:135:9:135:9 | ControlFlowNode for l | test.py:131:23:131:23 | ControlFlowNode for l | test.py:135:9:135:9 | ControlFlowNode for l | $@ flows to here and is mutated. | test.py:131:23:131:23 | ControlFlowNode for l | Default value |
+| test.py:140:9:140:9 | ControlFlowNode for l | test.py:138:15:138:15 | ControlFlowNode for l | test.py:140:9:140:9 | ControlFlowNode for l | $@ flows to here and is mutated. | test.py:138:15:138:15 | ControlFlowNode for l | Default value |
+| test.py:147:9:147:9 | ControlFlowNode for l | test.py:145:23:145:23 | ControlFlowNode for l | test.py:147:9:147:9 | ControlFlowNode for l | $@ flows to here and is mutated. | test.py:145:23:145:23 | ControlFlowNode for l | Default value |
--- a/python/ql/test/query-tests/Functions/ModificationOfParameterWithDefault/ModificationOfParameterWithDefault.qlref
+++ b/python/ql/test/query-tests/Functions/ModificationOfParameterWithDefault/ModificationOfParameterWithDefault.qlref
@@ -0,0 +1 @@
+Functions/ModificationOfParameterWithDefault.ql
--- a/python/ql/test/query-tests/Functions/ModificationOfParameterWithDefault/test.expected
+++ b/python/ql/test/query-tests/Functions/ModificationOfParameterWithDefault/test.expected
--- a/python/ql/test/query-tests/Functions/ModificationOfParameterWithDefault/test.py
+++ b/python/ql/test/query-tests/Functions/ModificationOfParameterWithDefault/test.py
@@ -0,0 +1,150 @@
+# Not OK
+def simple(l = [0]):
+    l[0] = 1  #$ modification=l
+    return l
+
+# Not OK
+def slice(l = [0]):
+    l[0:1] = 1  #$ modification=l
+    return l
+
+# Not OK
+def list_del(l = [0]):
+    del l[0]  #$ modification=l
+    return l
+
+# Not OK
+def append_op(l = []):
+    l += [1, 2, 3]  #$ modification=l
+    return l
+
+# Not OK
+def repeat_op(l = [0]):
+    l *= 3  #$ modification=l
+    return l
+
+# Not OK
+def append(l = []):
+    l.append(1)  #$ modification=l
+    return l
+
+# OK
+def includes(l = []):
+    x = [0]
+    x.extend(l)
+    x.extend([1])
+    return x
+
+def extends(l):
+    l.extend([1])  #$ modification=l
+    return l
+
+# Not OK
+def deferred(l = []):
+    extends(l)
+    return l
+
+# Not OK
+def nonempty(l = [5]):
+    l.append(1)  #$ modification=l
+    return l
+
+# Not OK
+def dict(d = {}):
+    d['a'] = 1  #$ modification=d
+    return d
+
+# Not OK
+def dict_nonempty(d = {'a': 1}):
+    d['a'] = 2  #$ modification=d
+    return d
+
+# OK
+def dict_nonempty_nochange(d = {'a': 1}):
+    d['a'] = 1  #$ SPURIOUS: modification=d
+    return d
+
+def modifies(d):
+    d['a'] = 1  #$ modification=d
+    return d
+
+# Not OK
+def dict_deferred(d = {}):
+    modifies(d)
+    return d
+
+# Not OK
+def dict_method(d = {}):
+    d.update({'a': 1})  #$ modification=d
+    return d
+
+# Not OK
+def dict_method_nonempty(d = {'a': 1}):
+    d.update({'a': 2})  #$ modification=d
+    return d
+
+# OK
+def dict_method_nonempty_nochange(d = {'a': 1}):
+    d.update({'a': 1})  #$ SPURIOUS:modification=d
+    return d
+
+def modifies_method(d):
+    d.update({'a': 1})  #$ modification=d
+    return d
+
+# Not OK
+def dict_deferred_method(d = {}):
+    modifies_method(d)
+    return d
+
+# OK
+def dict_includes(d = {}):
+    x = {}
+    x.update(d)
+    x.update({'a': 1})
+    return x
+
+# Not OK
+def dict_del(d = {'a': 1}):
+    del d['a']  #$ modification=d
+    return d
+
+# Not OK
+def dict_update_op(d = {}):
+    x = {'a': 1}
+    d |= x  #$ modification=d
+    return d
+
+# OK
+def dict_update_op_nochange(d = {}):
+    x = {}
+    d |= x  #$ SPURIOUS: modification=d
+    return d
+
+def sanitizer(l = []):
+    if l:
+        l.append(1)
+    else:
+        l.append(1)  #$ modification=l
+    return l
+
+def sanitizer_negated(l = [1]):
+    if not l:
+        l.append(1)
+    else:
+        l.append(1)  #$ modification=l
+    return l
+
+def sanitizer(l = []):
+    if not l:
+        l.append(1)  #$ modification=l
+    else:
+        l.append(1)
+    return l
+
+def sanitizer_negated(l = [1]):
+    if l:
+        l.append(1)  #$ modification=l
+    else:
+        l.append(1)
+    return l
--- a/python/ql/test/query-tests/Functions/ModificationOfParameterWithDefault/test.ql
+++ b/python/ql/test/query-tests/Functions/ModificationOfParameterWithDefault/test.ql
@@ -0,0 +1,24 @@
+import python
+import semmle.python.dataflow.new.DataFlow
+import TestUtilities.InlineExpectationsTest
+import semmle.python.functions.ModificationOfParameterWithDefault
+private import semmle.python.dataflow.new.internal.PrintNode
+
+class ModificationOfParameterWithDefaultTest extends InlineExpectationsTest {
+  ModificationOfParameterWithDefaultTest() { this = "ModificationOfParameterWithDefaultTest" }
+
+  override string getARelevantTag() { result = "modification" }
+
+  predicate relevant_node(DataFlow::Node sink) {
+    exists(ModificationOfParameterWithDefault::Configuration cfg | cfg.hasFlowTo(sink))
+  }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    exists(DataFlow::Node n | relevant_node(n) |
+      n.getLocation() = location and
+      tag = "modification" and
+      value = prettyNode(n) and
+      element = n.toString()
+    )
+  }
+}
--- a/python/ql/test/query-tests/Functions/general/ModificationOfParameterWithDefault.expected
+++ b/python/ql/test/query-tests/Functions/general/ModificationOfParameterWithDefault.expected
@@ -1,24 +1,44 @@
 edges
-| functions_test.py:39:9:39:9 | empty mutable value | functions_test.py:40:5:40:5 | empty mutable value |
-| functions_test.py:133:15:133:15 | empty mutable value | functions_test.py:134:5:134:5 | empty mutable value |
-| functions_test.py:151:25:151:25 | empty mutable value | functions_test.py:152:5:152:5 | empty mutable value |
-| functions_test.py:154:21:154:21 | empty mutable value | functions_test.py:155:5:155:5 | empty mutable value |
-| functions_test.py:157:27:157:27 | empty mutable value | functions_test.py:158:25:158:25 | empty mutable value |
-| functions_test.py:157:27:157:27 | empty mutable value | functions_test.py:159:21:159:21 | empty mutable value |
-| functions_test.py:158:25:158:25 | empty mutable value | functions_test.py:151:25:151:25 | empty mutable value |
-| functions_test.py:159:21:159:21 | empty mutable value | functions_test.py:154:21:154:21 | empty mutable value |
-| functions_test.py:175:28:175:28 | non-empty mutable value | functions_test.py:179:9:179:9 | non-empty mutable value |
-| functions_test.py:175:28:175:28 | non-empty mutable value | functions_test.py:181:9:181:9 | non-empty mutable value |
-| functions_test.py:188:18:188:18 | non-empty mutable value | functions_test.py:189:28:189:28 | non-empty mutable value |
-| functions_test.py:189:28:189:28 | non-empty mutable value | functions_test.py:175:28:175:28 | non-empty mutable value |
-| functions_test.py:191:18:191:18 | non-empty mutable value | functions_test.py:192:28:192:28 | non-empty mutable value |
-| functions_test.py:192:28:192:28 | non-empty mutable value | functions_test.py:175:28:175:28 | non-empty mutable value |
+| functions_test.py:39:9:39:9 | ControlFlowNode for x | functions_test.py:40:5:40:5 | ControlFlowNode for x |
+| functions_test.py:133:15:133:15 | ControlFlowNode for x | functions_test.py:134:5:134:5 | ControlFlowNode for x |
+| functions_test.py:151:25:151:25 | ControlFlowNode for x | functions_test.py:152:5:152:5 | ControlFlowNode for x |
+| functions_test.py:154:21:154:21 | ControlFlowNode for x | functions_test.py:155:5:155:5 | ControlFlowNode for x |
+| functions_test.py:157:27:157:27 | ControlFlowNode for y | functions_test.py:158:25:158:25 | ControlFlowNode for y |
+| functions_test.py:157:27:157:27 | ControlFlowNode for y | functions_test.py:159:21:159:21 | ControlFlowNode for y |
+| functions_test.py:158:25:158:25 | ControlFlowNode for y | functions_test.py:151:25:151:25 | ControlFlowNode for x |
+| functions_test.py:159:21:159:21 | ControlFlowNode for y | functions_test.py:154:21:154:21 | ControlFlowNode for x |
+| functions_test.py:179:28:179:28 | ControlFlowNode for x | functions_test.py:183:9:183:9 | ControlFlowNode for x |
+| functions_test.py:179:28:179:28 | ControlFlowNode for x | functions_test.py:185:9:185:9 | ControlFlowNode for x |
+| functions_test.py:192:18:192:18 | ControlFlowNode for x | functions_test.py:193:28:193:28 | ControlFlowNode for x |
+| functions_test.py:193:28:193:28 | ControlFlowNode for x | functions_test.py:179:28:179:28 | ControlFlowNode for x |
+| functions_test.py:195:18:195:18 | ControlFlowNode for x | functions_test.py:196:28:196:28 | ControlFlowNode for x |
+| functions_test.py:196:28:196:28 | ControlFlowNode for x | functions_test.py:179:28:179:28 | ControlFlowNode for x |
+nodes
+| functions_test.py:39:9:39:9 | ControlFlowNode for x | semmle.label | ControlFlowNode for x |
+| functions_test.py:40:5:40:5 | ControlFlowNode for x | semmle.label | ControlFlowNode for x |
+| functions_test.py:133:15:133:15 | ControlFlowNode for x | semmle.label | ControlFlowNode for x |
+| functions_test.py:134:5:134:5 | ControlFlowNode for x | semmle.label | ControlFlowNode for x |
+| functions_test.py:151:25:151:25 | ControlFlowNode for x | semmle.label | ControlFlowNode for x |
+| functions_test.py:152:5:152:5 | ControlFlowNode for x | semmle.label | ControlFlowNode for x |
+| functions_test.py:154:21:154:21 | ControlFlowNode for x | semmle.label | ControlFlowNode for x |
+| functions_test.py:155:5:155:5 | ControlFlowNode for x | semmle.label | ControlFlowNode for x |
+| functions_test.py:157:27:157:27 | ControlFlowNode for y | semmle.label | ControlFlowNode for y |
+| functions_test.py:158:25:158:25 | ControlFlowNode for y | semmle.label | ControlFlowNode for y |
+| functions_test.py:159:21:159:21 | ControlFlowNode for y | semmle.label | ControlFlowNode for y |
+| functions_test.py:179:28:179:28 | ControlFlowNode for x | semmle.label | ControlFlowNode for x |
+| functions_test.py:183:9:183:9 | ControlFlowNode for x | semmle.label | ControlFlowNode for x |
+| functions_test.py:185:9:185:9 | ControlFlowNode for x | semmle.label | ControlFlowNode for x |
+| functions_test.py:192:18:192:18 | ControlFlowNode for x | semmle.label | ControlFlowNode for x |
+| functions_test.py:193:28:193:28 | ControlFlowNode for x | semmle.label | ControlFlowNode for x |
+| functions_test.py:195:18:195:18 | ControlFlowNode for x | semmle.label | ControlFlowNode for x |
+| functions_test.py:196:28:196:28 | ControlFlowNode for x | semmle.label | ControlFlowNode for x |
+subpaths
 #select
-| functions_test.py:40:5:40:5 | x | functions_test.py:39:9:39:9 | empty mutable value | functions_test.py:40:5:40:5 | empty mutable value | $@ flows to here and is mutated. | functions_test.py:39:9:39:9 | x | Default value |
-| functions_test.py:134:5:134:5 | x | functions_test.py:133:15:133:15 | empty mutable value | functions_test.py:134:5:134:5 | empty mutable value | $@ flows to here and is mutated. | functions_test.py:133:15:133:15 | x | Default value |
-| functions_test.py:152:5:152:5 | x | functions_test.py:157:27:157:27 | empty mutable value | functions_test.py:152:5:152:5 | empty mutable value | $@ flows to here and is mutated. | functions_test.py:157:27:157:27 | y | Default value |
-| functions_test.py:155:5:155:5 | x | functions_test.py:157:27:157:27 | empty mutable value | functions_test.py:155:5:155:5 | empty mutable value | $@ flows to here and is mutated. | functions_test.py:157:27:157:27 | y | Default value |
-| functions_test.py:179:9:179:9 | x | functions_test.py:188:18:188:18 | non-empty mutable value | functions_test.py:179:9:179:9 | non-empty mutable value | $@ flows to here and is mutated. | functions_test.py:188:18:188:18 | x | Default value |
-| functions_test.py:179:9:179:9 | x | functions_test.py:191:18:191:18 | non-empty mutable value | functions_test.py:179:9:179:9 | non-empty mutable value | $@ flows to here and is mutated. | functions_test.py:191:18:191:18 | x | Default value |
-| functions_test.py:181:9:181:9 | x | functions_test.py:188:18:188:18 | non-empty mutable value | functions_test.py:181:9:181:9 | non-empty mutable value | $@ flows to here and is mutated. | functions_test.py:188:18:188:18 | x | Default value |
-| functions_test.py:181:9:181:9 | x | functions_test.py:191:18:191:18 | non-empty mutable value | functions_test.py:181:9:181:9 | non-empty mutable value | $@ flows to here and is mutated. | functions_test.py:191:18:191:18 | x | Default value |
+| functions_test.py:40:5:40:5 | ControlFlowNode for x | functions_test.py:39:9:39:9 | ControlFlowNode for x | functions_test.py:40:5:40:5 | ControlFlowNode for x | $@ flows to here and is mutated. | functions_test.py:39:9:39:9 | ControlFlowNode for x | Default value |
+| functions_test.py:134:5:134:5 | ControlFlowNode for x | functions_test.py:133:15:133:15 | ControlFlowNode for x | functions_test.py:134:5:134:5 | ControlFlowNode for x | $@ flows to here and is mutated. | functions_test.py:133:15:133:15 | ControlFlowNode for x | Default value |
+| functions_test.py:152:5:152:5 | ControlFlowNode for x | functions_test.py:157:27:157:27 | ControlFlowNode for y | functions_test.py:152:5:152:5 | ControlFlowNode for x | $@ flows to here and is mutated. | functions_test.py:157:27:157:27 | ControlFlowNode for y | Default value |
+| functions_test.py:155:5:155:5 | ControlFlowNode for x | functions_test.py:157:27:157:27 | ControlFlowNode for y | functions_test.py:155:5:155:5 | ControlFlowNode for x | $@ flows to here and is mutated. | functions_test.py:157:27:157:27 | ControlFlowNode for y | Default value |
+| functions_test.py:183:9:183:9 | ControlFlowNode for x | functions_test.py:192:18:192:18 | ControlFlowNode for x | functions_test.py:183:9:183:9 | ControlFlowNode for x | $@ flows to here and is mutated. | functions_test.py:192:18:192:18 | ControlFlowNode for x | Default value |
+| functions_test.py:183:9:183:9 | ControlFlowNode for x | functions_test.py:195:18:195:18 | ControlFlowNode for x | functions_test.py:183:9:183:9 | ControlFlowNode for x | $@ flows to here and is mutated. | functions_test.py:195:18:195:18 | ControlFlowNode for x | Default value |
+| functions_test.py:185:9:185:9 | ControlFlowNode for x | functions_test.py:192:18:192:18 | ControlFlowNode for x | functions_test.py:185:9:185:9 | ControlFlowNode for x | $@ flows to here and is mutated. | functions_test.py:192:18:192:18 | ControlFlowNode for x | Default value |
+| functions_test.py:185:9:185:9 | ControlFlowNode for x | functions_test.py:195:18:195:18 | ControlFlowNode for x | functions_test.py:185:9:185:9 | ControlFlowNode for x | $@ flows to here and is mutated. | functions_test.py:195:18:195:18 | ControlFlowNode for x | Default value |
--- a/python/ql/test/query-tests/Functions/general/functions_test.py
+++ b/python/ql/test/query-tests/Functions/general/functions_test.py
@@ -163,11 +163,15 @@ def guarded_modification(z=[]):
        z.append(0)
    return z

-def issue1143(expr, param=[]):
-    if not param:
-        return result
-    for i in param:
-        param.remove(i) # Mutation here
+# This function causes a discrepancy between the
+# Python 2 and 3 versions of the analysis.
+# We comment it out until we have resoved the issue.
+#
+# def issue1143(expr, param=[]):
+#     if not param:
+#         return result
+#     for i in param:
+#         param.remove(i) # Mutation here


 # Type guarding of modification of parameter with default:
--- a/python/ql/test/query-tests/Functions/general/options
+++ b/python/ql/test/query-tests/Functions/general/options
@@ -0,0 +1 @@
+semmle-extractor-options: --max-import-depth=1 --dont-split-graph
--- a/python/ql/test/query-tests/Security/CWE-089-SqlInjection/SqlInjection.expected
+++ b/python/ql/test/query-tests/Security/CWE-089-SqlInjection/SqlInjection.expected
@@ -3,15 +3,52 @@ edges
 | sql_injection.py:14:15:14:22 | ControlFlowNode for username | sql_injection.py:24:38:24:95 | ControlFlowNode for BinaryExpr |
 | sql_injection.py:14:15:14:22 | ControlFlowNode for username | sql_injection.py:25:26:25:83 | ControlFlowNode for BinaryExpr |
 | sql_injection.py:14:15:14:22 | ControlFlowNode for username | sql_injection.py:26:28:26:85 | ControlFlowNode for BinaryExpr |
+| sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:27:28:27:87 | ControlFlowNode for Attribute() |
+| sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:31:50:31:72 | ControlFlowNode for Attribute() |
+| sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:41:26:41:33 | ControlFlowNode for username |
+| sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:42:31:42:38 | ControlFlowNode for username |
+| sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:43:30:43:37 | ControlFlowNode for username |
+| sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:44:35:44:42 | ControlFlowNode for username |
+| sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:45:41:45:48 | ControlFlowNode for username |
+| sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:46:46:46:53 | ControlFlowNode for username |
+| sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:47:47:47:54 | ControlFlowNode for username |
+| sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:48:52:48:59 | ControlFlowNode for username |
+| sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:50:18:50:25 | ControlFlowNode for username |
+| sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:51:24:51:31 | ControlFlowNode for username |
 nodes
 | sql_injection.py:14:15:14:22 | ControlFlowNode for username | semmle.label | ControlFlowNode for username |
 | sql_injection.py:21:24:21:77 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
 | sql_injection.py:24:38:24:95 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
 | sql_injection.py:25:26:25:83 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
 | sql_injection.py:26:28:26:85 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
+| sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | semmle.label | ControlFlowNode for username |
+| sqlalchemy_textclause.py:27:28:27:87 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| sqlalchemy_textclause.py:31:50:31:72 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| sqlalchemy_textclause.py:41:26:41:33 | ControlFlowNode for username | semmle.label | ControlFlowNode for username |
+| sqlalchemy_textclause.py:42:31:42:38 | ControlFlowNode for username | semmle.label | ControlFlowNode for username |
+| sqlalchemy_textclause.py:43:30:43:37 | ControlFlowNode for username | semmle.label | ControlFlowNode for username |
+| sqlalchemy_textclause.py:44:35:44:42 | ControlFlowNode for username | semmle.label | ControlFlowNode for username |
+| sqlalchemy_textclause.py:45:41:45:48 | ControlFlowNode for username | semmle.label | ControlFlowNode for username |
+| sqlalchemy_textclause.py:46:46:46:53 | ControlFlowNode for username | semmle.label | ControlFlowNode for username |
+| sqlalchemy_textclause.py:47:47:47:54 | ControlFlowNode for username | semmle.label | ControlFlowNode for username |
+| sqlalchemy_textclause.py:48:52:48:59 | ControlFlowNode for username | semmle.label | ControlFlowNode for username |
+| sqlalchemy_textclause.py:50:18:50:25 | ControlFlowNode for username | semmle.label | ControlFlowNode for username |
+| sqlalchemy_textclause.py:51:24:51:31 | ControlFlowNode for username | semmle.label | ControlFlowNode for username |
 subpaths
 #select
 | sql_injection.py:21:24:21:77 | ControlFlowNode for BinaryExpr | sql_injection.py:14:15:14:22 | ControlFlowNode for username | sql_injection.py:21:24:21:77 | ControlFlowNode for BinaryExpr | This SQL query depends on $@. | sql_injection.py:14:15:14:22 | ControlFlowNode for username | a user-provided value |
 | sql_injection.py:24:38:24:95 | ControlFlowNode for BinaryExpr | sql_injection.py:14:15:14:22 | ControlFlowNode for username | sql_injection.py:24:38:24:95 | ControlFlowNode for BinaryExpr | This SQL query depends on $@. | sql_injection.py:14:15:14:22 | ControlFlowNode for username | a user-provided value |
 | sql_injection.py:25:26:25:83 | ControlFlowNode for BinaryExpr | sql_injection.py:14:15:14:22 | ControlFlowNode for username | sql_injection.py:25:26:25:83 | ControlFlowNode for BinaryExpr | This SQL query depends on $@. | sql_injection.py:14:15:14:22 | ControlFlowNode for username | a user-provided value |
 | sql_injection.py:26:28:26:85 | ControlFlowNode for BinaryExpr | sql_injection.py:14:15:14:22 | ControlFlowNode for username | sql_injection.py:26:28:26:85 | ControlFlowNode for BinaryExpr | This SQL query depends on $@. | sql_injection.py:14:15:14:22 | ControlFlowNode for username | a user-provided value |
+| sqlalchemy_textclause.py:27:28:27:87 | ControlFlowNode for Attribute() | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:27:28:27:87 | ControlFlowNode for Attribute() | This SQL query depends on $@. | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | a user-provided value |
+| sqlalchemy_textclause.py:31:50:31:72 | ControlFlowNode for Attribute() | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:31:50:31:72 | ControlFlowNode for Attribute() | This SQL query depends on $@. | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | a user-provided value |
+| sqlalchemy_textclause.py:41:26:41:33 | ControlFlowNode for username | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:41:26:41:33 | ControlFlowNode for username | This SQL query depends on $@. | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | a user-provided value |
+| sqlalchemy_textclause.py:42:31:42:38 | ControlFlowNode for username | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:42:31:42:38 | ControlFlowNode for username | This SQL query depends on $@. | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | a user-provided value |
+| sqlalchemy_textclause.py:43:30:43:37 | ControlFlowNode for username | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:43:30:43:37 | ControlFlowNode for username | This SQL query depends on $@. | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | a user-provided value |
+| sqlalchemy_textclause.py:44:35:44:42 | ControlFlowNode for username | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:44:35:44:42 | ControlFlowNode for username | This SQL query depends on $@. | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | a user-provided value |
+| sqlalchemy_textclause.py:45:41:45:48 | ControlFlowNode for username | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:45:41:45:48 | ControlFlowNode for username | This SQL query depends on $@. | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | a user-provided value |
+| sqlalchemy_textclause.py:46:46:46:53 | ControlFlowNode for username | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:46:46:46:53 | ControlFlowNode for username | This SQL query depends on $@. | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | a user-provided value |
+| sqlalchemy_textclause.py:47:47:47:54 | ControlFlowNode for username | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:47:47:47:54 | ControlFlowNode for username | This SQL query depends on $@. | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | a user-provided value |
+| sqlalchemy_textclause.py:48:52:48:59 | ControlFlowNode for username | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:48:52:48:59 | ControlFlowNode for username | This SQL query depends on $@. | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | a user-provided value |
+| sqlalchemy_textclause.py:50:18:50:25 | ControlFlowNode for username | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:50:18:50:25 | ControlFlowNode for username | This SQL query depends on $@. | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | a user-provided value |
+| sqlalchemy_textclause.py:51:24:51:31 | ControlFlowNode for username | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:51:24:51:31 | ControlFlowNode for username | This SQL query depends on $@. | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | a user-provided value |
--- a/python/ql/test/query-tests/Security/CWE-089-SqlInjection/sqlalchemy_textclause.py
+++ b/python/ql/test/query-tests/Security/CWE-089-SqlInjection/sqlalchemy_textclause.py
@@ -0,0 +1,51 @@
+from flask import Flask, request
+import sqlalchemy
+import sqlalchemy.orm
+from flask_sqlalchemy import SQLAlchemy
+
+app = Flask(__name__)
+engine = sqlalchemy.create_engine(...)
+Base = sqlalchemy.orm.declarative_base()
+
+app.config["SQLALCHEMY_DATABASE_URI"] = "sqlite+pysqlite:///:memory:"
+db = SQLAlchemy(app)
+
+
+
+class User(Base):
+    __tablename__ = "users"
+
+    id = sqlalchemy.Column(sqlalchemy.Integer, primary_key=True)
+    username = sqlalchemy.Column(sqlalchemy.String)
+
+
+@app.route("/users/<username>")
+def show_user(username):
+    session = sqlalchemy.orm.Session(engine)
+
+    # BAD, normal SQL injection
+    stmt = sqlalchemy.text("SELECT * FROM users WHERE username = '{}'".format(username))
+    results = session.execute(stmt).fetchall()
+
+    # BAD, allows SQL injection
+    username_formatted_for_sql = sqlalchemy.text("'{}'".format(username))
+    stmt = sqlalchemy.select(User).where(User.username == username_formatted_for_sql)
+    results = session.execute(stmt).scalars().all()
+
+    # GOOD, does not allow for SQL injection
+    stmt = sqlalchemy.select(User).where(User.username == username)
+    results = session.execute(stmt).scalars().all()
+
+
+    # All of these should be flagged by query
+    t1 = sqlalchemy.text(username)
+    t2 = sqlalchemy.text(text=username)
+    t3 = sqlalchemy.sql.text(username)
+    t4 = sqlalchemy.sql.text(text=username)
+    t5 = sqlalchemy.sql.expression.text(username)
+    t6 = sqlalchemy.sql.expression.text(text=username)
+    t7 = sqlalchemy.sql.expression.TextClause(username)
+    t8 = sqlalchemy.sql.expression.TextClause(text=username)
+
+    t9 = db.text(username)
+    t10 = db.text(text=username)
--- a/python/ql/test/query-tests/Variables/undefined/UninitializedLocal.py
+++ b/python/ql/test/query-tests/Variables/undefined/UninitializedLocal.py
@@ -288,3 +288,8 @@ def avoid_redundant_split(a):
        var = False
    if var:
        foo.bar() #foo is defined here.
+
+def type_annotation_fp():
+    annotated : annotation = [1,2,3]
+    for x in annotated:
+        print(x)
--- a/python/ql/test/query-tests/Variables/unused/UnusedLocalVariable.expected
+++ b/python/ql/test/query-tests/Variables/unused/UnusedLocalVariable.expected
@@ -1,4 +1,3 @@
-| type_annotation_fp.py:5:5:5:7 | foo | The value assigned to local variable 'foo' is never used. |
 | variables_test.py:29:5:29:5 | x | The value assigned to local variable 'x' is never used. |
 | variables_test.py:89:5:89:5 | a | The value assigned to local variable 'a' is never used. |
 | variables_test.py:89:7:89:7 | b | The value assigned to local variable 'b' is never used. |
--- a/python/ql/test/query-tests/Variables/unused/type_annotation_fp.py
+++ b/python/ql/test/query-tests/Variables/unused/type_annotation_fp.py
@@ -9,3 +9,8 @@ def type_annotation(x):
    else:
        foo : float
        do_other_stuff_with(foo)
+
+def type_annotation_fn():
+    # False negative: the value of `bar` is never used, but this is masked by the presence of the type annotation.
+    bar = 5
+    bar : int
				`@@ -0,0 +1 @@`
				`Functions/ModificationOfParameterWithDefault.ql`
				`@@ -0,0 +1 @@`
				`semmle-extractor-options: --max-import-depth=1 --dont-split-graph`