Python: Adjust getARelevantTag

python/ql/src/experimental/semmle/python/frameworks/Yaml.qll

@@ -41,6 +41,9 @@ private module Yaml {
 /**
  * A call to `yaml.load`
  * See https://pyyaml.org/wiki/PyYAMLDocumentation (you will have to scroll down).
+ *
+ * This function was briefly thought safe until new exploits were found in 2020,
+ * see https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation for details.
  */
 private class YamlDeserialization extends UnmarshalingFunction::Range {
   YamlDeserialization() {

python/ql/test/experimental/library-tests/frameworks/dill/UnmarshalFunction.py

@@ -1,4 +1,4 @@
 import dill
 
-dill.loads(payload)  # $UNSAFE_getAnInput=payload $UNSAFE_getOutput=Attribute() $UNSAFE_getFormat=ASCII
-dill.loads(payload, encoding='latin1')  # $UNSAFE_getAnInput=payload $UNSAFE_getOutput=Attribute() $UNSAFE_getFormat=latin1
+dill.loads(payload)  # $UNSAFE_getAnInput=payload $UNSAFE_getOutput=Attribute() $UNSAFE_getFormat=dill
+dill.loads(payload, encoding='latin1')  # $UNSAFE_getAnInput=payload $UNSAFE_getOutput=Attribute() $UNSAFE_getFormat=dill

python/ql/test/experimental/library-tests/frameworks/stdlib/UnmarshalFunction.py

@@ -10,6 +10,6 @@ app = Flask(__name__)
 @app.route("/")
 def hello():
     payload = request.args.get("payload")
-    pickle.loads(payload)  # $UNSAFE_getAnInput=payload $UNSAFE_getOutput=Attribute() $UNSAFE_getFormat=ASCII
-    pickle.loads(payload, encoding='latin1')  # $UNSAFE_getAnInput=payload $UNSAFE_getOutput=Attribute() $UNSAFE_getFormat=latin1
-    marshal.loads(payload)  # $UNSAFE_getAnInput=payload $UNSAFE_getOutput=Attribute()
+    pickle.loads(payload)  # $UNSAFE_getAnInput=payload $UNSAFE_getOutput=Attribute() $UNSAFE_getFormat=pickle
+    pickle.loads(payload, encoding='latin1')  # $UNSAFE_getAnInput=payload $UNSAFE_getOutput=Attribute() $UNSAFE_getFormat=pickle
+    marshal.loads(payload)  # $UNSAFE_getAnInput=payload $UNSAFE_getOutput=Attribute() $UNSAFE_getFormat=marshal

python/ql/test/experimental/library-tests/frameworks/yaml/UnmarshalFunction.py

@@ -10,5 +10,5 @@ app = Flask(__name__)
 @app.route("/")
 def hello():
     payload = request.args.get("payload")
-    yaml.load(payload)  # $UNSAFE_getAnInput=payload $UNSAFE_getOutput=Attribute()
-    yaml.load(payload, Loader=SafeLoader)  # $getAnInput=payload $getOutput=Attribute()
+    yaml.load(payload)  # $UNSAFE_getAnInput=payload $UNSAFE_getOutput=Attribute() $UNSAFE_getFormat=YAML
+    yaml.load(payload, Loader=SafeLoader)  # $getAnInput=payload $getOutput=Attribute() $getFormat=YAML

python/ql/test/experimental/meta/ConceptsTest.qll

@@ -36,7 +36,7 @@ class SystemCommandExecutionTest extends InlineExpectationsTest {
 class UnmarshalingFunctionTest extends InlineExpectationsTest {
   UnmarshalingFunctionTest() { this = "UnmarshalingFunctionTest" }
 
-  override string getARelevantTag() { result = "getData" }
+  override string getARelevantTag() { result in ["getAnInput", "getOutput", "getFormat"] }
 
   override predicate hasActualResult(Location location, string element, string tag, string value) {
     exists(location.getFile().getRelativePath()) and