From 9d629aef95559daf7408fa8a51c5e8d73f5cf7cf Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen
Date: Mon, 24 Feb 2020 11:10:56 +0100
Subject: [PATCH] Python: Highlight py/use-of-input is for Python 2
---
 python/ql/src/Expressions/UseofInput.qhelp | 8 ++++----
 python/ql/src/Expressions/UseofInput.ql | 6 +++---
 .../ql/test/2/query-tests/Expressions/UseofInput.expected | 2 +-
 3 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/python/ql/src/Expressions/UseofInput.qhelp b/python/ql/src/Expressions/UseofInput.qhelp
index 44baace8c43..10aacce7e26 100644
--- a/python/ql/src/Expressions/UseofInput.qhelp
+++ b/python/ql/src/Expressions/UseofInput.qhelp
@@ -3,20 +3,20 @@ "qhelp.dtd">
-

A call to the input() function, input(prompt) is equivalent to eval(raw_input(prompt)). Evaluating user input without any checking can be a serious security flaw.

+

In Python 2, a call to the input() function, input(prompt) is equivalent to eval(raw_input(prompt)). Evaluating user input without any checking can be a serious security flaw.

-

Get user input with raw_input(prompt) and then validate that input before evaluating. If the expected input is a number or +

Get user input with raw_input(prompt) and then validate that input before evaluating. If the expected input is a number or string, then ast.literal_eval() can always be used safely.

-
  • Python Standard Library: input, - ast.literal_eval.
  • +
  • Python Standard Library: input, + ast.literal_eval.
  • Wikipedia: Data validation.
  • 
diff --git a/python/ql/src/Expressions/UseofInput.ql b/python/ql/src/Expressions/UseofInput.ql
index 8f601d5fafa..dc67458a083 100644
--- a/python/ql/src/Expressions/UseofInput.ql
+++ b/python/ql/src/Expressions/UseofInput.ql
@@ -1,6 +1,6 @@
 /**
- * @name 'input' function used
- * @description The built-in function 'input' is used which can allow arbitrary code to be run.
+ * @name 'input' function used in Python 2
+ * @description The built-in function 'input' is used which, in Python 2, can allow arbitrary code to be run.
  * @kind problem
  * @tags security
  * correctness
@@ -18,4 +18,4 @@ where
 call.getFunction() = func and
 func.pointsTo(context, Value::named("input"), _) and
 not func.pointsTo(context, Value::named("raw_input"), _)
-select call, "The unsafe built-in function 'input' is used."
+select call, "The unsafe built-in function 'input' is used in Python 2."
diff --git a/python/ql/test/2/query-tests/Expressions/UseofInput.expected b/python/ql/test/2/query-tests/Expressions/UseofInput.expected
index 8f2b1fedd44..470c24df21f 100644
--- a/python/ql/test/2/query-tests/Expressions/UseofInput.expected
+++ b/python/ql/test/2/query-tests/Expressions/UseofInput.expected
@@ -1 +1 @@
-| expressions_test.py:6:12:6:18 | ControlFlowNode for input() | The unsafe built-in function 'input' is used. |
+| expressions_test.py:6:12:6:18 | ControlFlowNode for input() | The unsafe built-in function 'input' is used in Python 2. |
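Review bot: The new select message in the second hunk of UseofInput.ql asserts that the flagged call is Python 2 `input`, but the where clause shown in that hunk still has no version restriction, so on a Python 3 database — where the builtin `input` returns the entered text without evaluating it — the query would keep raising an alert whose text is now wrong rather than merely vague. If the intent of the retitled @name/@description is that this query only applies to Python 2, the where clause should say so, e.g. by prepending `major_version() = 2 and` (assuming that predicate is available in this library version, as other Python queries use it); otherwise the message could at least say "when run under Python 2" so the reader is not told the snapshot is Python 2 when it may not be. The query's from clause and the beginning of the where block are outside the hunk, so the exact insertion point is not visible here. The expectation file under test/2/ only confirms the Python 2 case, so a companion test under a Python 3 directory would be needed to show the alert is suppressed there.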