Python: Only allow unsafe positional args to extra

2026-04-30 19:26:02 +02:00 · 2020-10-21 14:21:36 +02:00
parent 3a416bce2d
commit 77d4cbc0df
1 changed files with 1 additions and 1 deletions
--- a/python/ql/src/experimental/semmle/python/frameworks/Django.qll
+++ b/python/ql/src/experimental/semmle/python/frameworks/Django.qll
@@ -359,7 +359,7 @@ private module Django {

    override DataFlow::Node getSql() {
      result.asCfgNode() =
-        [node.getArg([0 .. 5]), node.getArgByName(["select", "where", "tables", "order_by"])]
+        [node.getArg([0, 1, 3, 4]), node.getArgByName(["select", "where", "tables", "order_by"])]
    }
  }
 }