Merge pull request #5330 from RasmusWL/fix-flask-taint-prop-to-methods

Approved by yoff
2025-12-20 10:46:30 +01:00 · 2021-03-05 03:17:41 -08:00
parent 0d7f6ced8f 3dc0c2081e
commit a55246c9f4
1 changed files with 2 additions and 1 deletions
--- a/python/ql/src/semmle/python/frameworks/Flask.qll
+++ b/python/ql/src/semmle/python/frameworks/Flask.qll
@@ -351,7 +351,8 @@ module Flask {
      exists(string method_name | method_name in ["get_data", "get_json"] |
        // Method access
        nodeFrom = request().getAUse() and
-        nodeTo = request().getMember(method_name).getAnImmediateUse()
+        nodeTo.(DataFlow::AttrRead).getObject() = nodeFrom and
+        nodeTo.(DataFlow::AttrRead).getAttributeName() = method_name
        or
        // Method call
        nodeFrom = request().getMember(method_name).getAUse() and