Merge branch 'master' into python-keyword-only-args

2025-12-20 10:46:30 +01:00 · 2020-05-26 11:20:04 +02:00
parent 5a18b08d13 6bc9624a4c
commit c78ca2616c
435 changed files with 11016 additions and 8392 deletions
--- a/python/ql/examples/snippets/filename.ql
+++ b/python/ql/examples/snippets/filename.ql
@@ -8,5 +8,5 @@
 import python

 from File f
-where f.getName() = "spam.py"
+where f.getShortName() = "spam.py"
 select f
--- a/python/ql/src/Classes/DefineEqualsWhenAddingAttributes.ql
+++ b/python/ql/src/Classes/DefineEqualsWhenAddingAttributes.ql
@@ -14,21 +14,21 @@ import python
 import semmle.python.SelfAttribute
 import Equality

-predicate class_stores_to_attribute(ClassObject cls, SelfAttributeStore store, string name) {
-    exists(FunctionObject f |
-        f = cls.declaredAttribute(_) and store.getScope() = f.getFunction() and store.getName() = name
+predicate class_stores_to_attribute(ClassValue cls, SelfAttributeStore store, string name) {
+    exists(FunctionValue f |
+        f = cls.declaredAttribute(_) and store.getScope() = f.getScope() and store.getName() = name
    ) and
    /* Exclude classes used as metaclasses */
-    not cls.getASuperType() = theTypeType()
+    not cls.getASuperType() = ClassValue::type()
 }

-predicate should_override_eq(ClassObject cls, Object base_eq) {
+predicate should_override_eq(ClassValue cls, Value base_eq) {
    not cls.declaresAttribute("__eq__") and
-    exists(ClassObject sup | sup = cls.getABaseType() and sup.declaredAttribute("__eq__") = base_eq |
-        not exists(GenericEqMethod eq | eq.getScope() = sup.getPyClass()) and
-        not exists(IdentityEqMethod eq | eq.getScope() = sup.getPyClass()) and
-        not base_eq.(FunctionObject).getFunction() instanceof IdentityEqMethod and
-        not base_eq = theObjectType().declaredAttribute("__eq__")
+    exists(ClassValue sup | sup = cls.getABaseType() and sup.declaredAttribute("__eq__") = base_eq |
+        not exists(GenericEqMethod eq | eq.getScope() = sup.getScope()) and
+        not exists(IdentityEqMethod eq | eq.getScope() = sup.getScope()) and
+        not base_eq.(FunctionValue).getScope() instanceof IdentityEqMethod and
+        not base_eq = ClassValue::object().declaredAttribute("__eq__")
    )
 }

@@ -36,16 +36,16 @@ predicate should_override_eq(ClassObject cls, Object base_eq) {
 * Does the non-overridden __eq__ method access the attribute,
 * which implies that the  __eq__ method does not need to be overridden.
 */
-predicate superclassEqExpectsAttribute(ClassObject cls, PyFunctionObject base_eq, string attrname) {
+predicate superclassEqExpectsAttribute(ClassValue cls, FunctionValue base_eq, string attrname) {
    not cls.declaresAttribute("__eq__") and
-    exists(ClassObject sup | sup = cls.getABaseType() and sup.declaredAttribute("__eq__") = base_eq |
+    exists(ClassValue sup | sup = cls.getABaseType() and sup.declaredAttribute("__eq__") = base_eq |
        exists(SelfAttributeRead store | store.getName() = attrname |
-            store.getScope() = base_eq.getFunction()
+            store.getScope() = base_eq.getScope()
        )
    )
 }

-from ClassObject cls, SelfAttributeStore store, Object base_eq
+from ClassValue cls, SelfAttributeStore store, Value base_eq
 where
    class_stores_to_attribute(cls, store, _) and
    should_override_eq(cls, base_eq) and
--- a/python/ql/src/Security/CWE-022/TarSlip.ql
+++ b/python/ql/src/Security/CWE-022/TarSlip.ql
@@ -13,7 +13,7 @@

 import python
 import semmle.python.security.Paths
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import semmle.python.security.strings.Basic

 /** A TaintKind to represent open tarfile objects. That is, the result of calling `tarfile.open(...)` */
--- a/python/ql/src/Security/CWE-312/CleartextLogging.ql
+++ b/python/ql/src/Security/CWE-312/CleartextLogging.ql
@@ -14,7 +14,7 @@

 import python
 import semmle.python.security.Paths
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import semmle.python.security.SensitiveData
 import semmle.python.security.ClearText

--- a/python/ql/src/Security/CWE-312/CleartextStorage.ql
+++ b/python/ql/src/Security/CWE-312/CleartextStorage.ql
@@ -14,7 +14,7 @@

 import python
 import semmle.python.security.Paths
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import semmle.python.security.SensitiveData
 import semmle.python.security.ClearText

--- a/python/ql/src/Security/CWE-798/HardcodedCredentials.ql
+++ b/python/ql/src/Security/CWE-798/HardcodedCredentials.ql
@@ -13,7 +13,7 @@

 import python
 import semmle.python.security.Paths
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import semmle.python.filters.Tests

 class HardcodedValue extends TaintKind {
--- a/python/ql/src/Variables/Undefined.qll
+++ b/python/ql/src/Variables/Undefined.qll
@@ -1,6 +1,6 @@
 import python
 import Loop
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking

 /** Marker for "uninitialized". */
 class Uninitialized extends TaintKind {
--- a/python/ql/src/Variables/UndefinedExport.ql
+++ b/python/ql/src/Variables/UndefinedExport.ql
@@ -59,7 +59,7 @@ predicate contains_unknown_import_star(ModuleValue m) {
 from ModuleValue m, StrConst name, string exported_name
 where
    declaredInAll(m.getScope(), name) and
-    exported_name = name.strValue() and
+    exported_name = name.getText() and
    not m.hasAttribute(exported_name) and
    not is_exported_submodule_name(m, exported_name) and
    not contains_unknown_import_star(m) and
--- a/python/ql/src/semmle/python/Exprs.qll
+++ b/python/ql/src/semmle/python/Exprs.qll
@@ -597,7 +597,7 @@ class StrConst extends Str_, ImmutableLiteral {
        this.getEnclosingModule().hasFromFuture("unicode_literals")
    }

-    override string strValue() { result = this.getS() }
+    deprecated override string strValue() { result = this.getS() }

    override Expr getASubExpression() { none() }

--- a/python/ql/src/semmle/python/dataflow/Configuration.qll
+++ b/python/ql/src/semmle/python/dataflow/Configuration.qll
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 private import semmle.python.objects.ObjectInternal
 private import semmle.python.dataflow.Implementation

--- a/python/ql/src/semmle/python/dataflow/DataFlow.qll
+++ b/python/ql/src/semmle/python/dataflow/DataFlow.qll
@@ -1 +1 @@
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
--- a/python/ql/src/semmle/python/dataflow/Files.qll
+++ b/python/ql/src/semmle/python/dataflow/Files.qll
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking

 class OpenFile extends TaintKind {
    OpenFile() { this = "file.open" }
--- a/python/ql/src/semmle/python/dataflow/Legacy.qll
+++ b/python/ql/src/semmle/python/dataflow/Legacy.qll
@@ -1,4 +1,4 @@
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 private import semmle.python.objects.ObjectInternal
 import semmle.python.dataflow.Implementation

--- a/python/ql/src/semmle/python/objects/Callables.qll
+++ b/python/ql/src/semmle/python/objects/Callables.qll
@@ -27,8 +27,10 @@ abstract class CallableObjectInternal extends ObjectInternal {
        none()
    }

+    /** Gets the `n`th parameter node of this callable. */
    abstract NameNode getParameter(int n);

+    /** Gets the `name`d parameter node of this callable. */
    abstract NameNode getParameterByName(string name);

    abstract predicate neverReturns();
@@ -438,16 +440,30 @@ class BoundMethodObjectInternal extends CallableObjectInternal, TBoundMethod {
        PointsTo::pointsTo(result.getFunction(), ctx, this, _)
    }

-    override NameNode getParameter(int n) { result = this.getFunction().getParameter(n + 1) }
+    /** Gets the parameter node that will be used for `self`. */
+    NameNode getSelfParameter() { result = this.getFunction().getParameter(0) }

+    override NameNode getParameter(int n) {
+        result = this.getFunction().getParameter(n + 1) and
+        // don't return the parameter for `self` at `n = -1`
+        n >= 0
+    }
+
+    /**
+     * Gets the `name`d parameter node of this callable.
+     * Will not return the parameter node for `self`, instead use `getSelfParameter`.
+     */
    override NameNode getParameterByName(string name) {
-        result = this.getFunction().getParameterByName(name)
+        result = this.getFunction().getParameterByName(name) and
+        not result = this.getSelfParameter()
    }

    override predicate neverReturns() { this.getFunction().neverReturns() }

    override predicate functionAndOffset(CallableObjectInternal function, int offset) {
        function = this.getFunction() and offset = 1
+        or
+        function = this and offset = 0
    }

    override predicate useOriginAsLegacyObject() { any() }
--- a/python/ql/src/semmle/python/objects/ObjectAPI.qll
+++ b/python/ql/src/semmle/python/objects/ObjectAPI.qll
@@ -352,7 +352,29 @@ class CallableValue extends Value {
        result = this.(CallableObjectInternal).getParameterByName(name)
    }

-    /** Gets the argument corresponding to the `n'th parameter node of this callable. */
+    /**
+     * Gets the argument in `call` corresponding to the `n`'th positional parameter of this callable.
+     *
+     * Use this method instead of `call.getArg(n)` to handle the fact that this function might be used as
+     * a bound-method, such that argument `n` of the call corresponds to the `n+1` parameter of the callable.
+     *
+     * This method also gives results when the argument is passed as a keyword argument in `call`, as long
+     * as `this` is not a builtin function or a builtin method.
+     *
+     * Examples:
+     *
+     * - if `this` represents the `PythonFunctionValue` for `def func(a, b):`, and `call` represents
+     *   `func(10, 20)`, then `getArgumentForCall(call, 0)` will give the `ControlFlowNode` for `10`.
+     *
+     * - with `call` representing `func(b=20, a=10)`, `getArgumentForCall(call, 0)` will give
+     *   the `ControlFlowNode` for `10`.
+     *
+     * - if `this` represents the `PythonFunctionValue` for `def func(self, a, b):`, and `call`
+     *   represents `foo.func(10, 20)`, then `getArgumentForCall(call, 1)` will give the
+     *   `ControlFlowNode` for `10`.
+     *   Note: There will also exist a `BoundMethodValue bm` where `bm.getArgumentForCall(call, 0)`
+     *   will give the `ControlFlowNode` for `10` (notice the shift in index used).
+     */
    cached
    ControlFlowNode getArgumentForCall(CallNode call, int n) {
        exists(ObjectInternal called, int offset |
@@ -363,7 +385,7 @@ class CallableValue extends Value {
            or
            exists(string name |
                call.getArgByName(name) = result and
-                this.(PythonFunctionObjectInternal).getScope().getArg(n + offset).getName() = name
+                this.getParameter(n).getId() = name
            )
            or
            called instanceof BoundMethodObjectInternal and
@@ -373,22 +395,38 @@ class CallableValue extends Value {
        )
    }

-    /** Gets the argument corresponding to the `name`d parameter node of this callable. */
+    /**
+     * Gets the argument in `call` corresponding to the `name`d keyword parameter of this callable.
+     *
+     * This method also gives results when the argument is passed as a positional argument in `call`, as long
+     * as `this` is not a builtin function or a builtin method.
+     *
+     * Examples:
+     *
+     * - if `this` represents the `PythonFunctionValue` for `def func(a, b):`, and `call` represents
+     *   `func(10, 20)`, then `getNamedArgumentForCall(call, "a")` will give the `ControlFlowNode` for `10`.
+     *
+     * - with `call` representing `func(b=20, a=10)`, `getNamedArgumentForCall(call, "a")` will give
+     *   the `ControlFlowNode` for `10`.
+     *
+     * - if `this` represents the `PythonFunctionValue` for `def func(self, a, b):`, and `call`
+     *   represents `foo.func(10, 20)`, then `getNamedArgumentForCall(call, "a")` will give the
+     *   `ControlFlowNode` for `10`.
+     */
    cached
    ControlFlowNode getNamedArgumentForCall(CallNode call, string name) {
        exists(CallableObjectInternal called, int offset |
            PointsToInternal::pointsTo(call.getFunction(), _, called, _) and
            called.functionAndOffset(this, offset)
        |
+            call.getArgByName(name) = result
+            or
            exists(int n |
                call.getArg(n) = result and
-                this.(PythonFunctionObjectInternal).getScope().getArg(n + offset).getName() = name
+                this.getParameter(n + offset).getId() = name
                // TODO: and not positional only argument (Python 3.8+)
            )
            or
-            call.getArgByName(name) = result and
-            exists(this.(PythonFunctionObjectInternal).getScope().getArgByName(name))
-            or
            called instanceof BoundMethodObjectInternal and
            offset = 1 and
            name = "self" and
@@ -397,6 +435,29 @@ class CallableValue extends Value {
    }
 }

+/**
+ * Class representing bound-methods, such as `o.func`, where `o` is an instance
+ * of a class that has a callable attribute `func`.
+ */
+class BoundMethodValue extends CallableValue {
+    BoundMethodValue() { this instanceof BoundMethodObjectInternal }
+
+    /**
+     * Gets the callable that will be used when `this` is called.
+     * The actual callable for `func` in `o.func`.
+     */
+    CallableValue getFunction() { result = this.(BoundMethodObjectInternal).getFunction() }
+
+    /**
+     * Gets the value that will be used for the `self` parameter when `this` is called.
+     * The value for `o` in `o.func`.
+     */
+    Value getSelf() { result = this.(BoundMethodObjectInternal).getSelf() }
+
+    /** Gets the parameter node that will be used for `self`. */
+    NameNode getSelfParameter() { result = this.(BoundMethodObjectInternal).getSelfParameter() }
+}
+
 /**
 * Class representing classes in the Python program, both Python and built-in.
 */
@@ -664,11 +725,13 @@ class PythonFunctionValue extends FunctionValue {
    ControlFlowNode getAReturnedNode() { result = this.getScope().getAReturnValueFlowNode() }

    override ClassValue getARaisedType() { scope_raises(result, this.getScope()) }
-    
+
    override ClassValue getAnInferredReturnType() {
-        /* We have to do a special version of this because builtin functions have no
+        /*
+         * We have to do a special version of this because builtin functions have no
         * explicit return nodes that we can query and get the class of.
         */
+
        result = this.getAReturnedNode().pointsTo().getClass()
    }
 }
@@ -691,9 +754,11 @@ class BuiltinFunctionValue extends FunctionValue {
    }

    override ClassValue getAnInferredReturnType() {
-        /* We have to do a special version of this because builtin functions have no
+        /*
+         * We have to do a special version of this because builtin functions have no
         * explicit return nodes that we can query and get the class of.
         */
+
        result = TBuiltinClassObject(this.(BuiltinFunctionObjectInternal).getReturnType())
    }
 }
@@ -720,7 +785,7 @@ class BuiltinMethodValue extends FunctionValue {
        /* Information is unavailable for C code in general */
        none()
    }
-    
+
    override ClassValue getAnInferredReturnType() {
        result = TBuiltinClassObject(this.(BuiltinMethodObjectInternal).getReturnType())
    }
--- a/python/ql/src/semmle/python/security/ClearText.qll
+++ b/python/ql/src/semmle/python/security/ClearText.qll
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import semmle.python.security.SensitiveData
 import semmle.python.dataflow.Files
 import semmle.python.web.Http
--- a/python/ql/src/semmle/python/security/Crypto.qll
+++ b/python/ql/src/semmle/python/security/Crypto.qll
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 private import semmle.python.security.SensitiveData
 private import semmle.crypto.Crypto as CryptoLib

--- a/python/ql/src/semmle/python/security/Exceptions.qll
+++ b/python/ql/src/semmle/python/security/Exceptions.qll
@@ -4,7 +4,7 @@
 */

 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import semmle.python.security.strings.Basic

 private Value traceback_function(string name) { result = Module::named("traceback").attr(name) }
--- a/python/ql/src/semmle/python/security/SQL.qll
+++ b/python/ql/src/semmle/python/security/SQL.qll
@@ -1,4 +1,4 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking

 abstract class SqlInjectionSink extends TaintSink { }
--- a/python/ql/src/semmle/python/security/SensitiveData.qll
+++ b/python/ql/src/semmle/python/security/SensitiveData.qll
@@ -10,7 +10,7 @@
 */

 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import semmle.python.web.HttpRequest

 /**
--- a/python/ql/src/semmle/python/security/injection/Command.qll
+++ b/python/ql/src/semmle/python/security/injection/Command.qll
@@ -7,7 +7,7 @@
 */

 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import semmle.python.security.strings.Untrusted

 /** Abstract taint sink that is potentially vulnerable to malicious shell commands. */
--- a/python/ql/src/semmle/python/security/injection/Deserialization.qll
+++ b/python/ql/src/semmle/python/security/injection/Deserialization.qll
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking

 /** `pickle.loads(untrusted)` vulnerability. */
 abstract class DeserializationSink extends TaintSink {
--- a/python/ql/src/semmle/python/security/injection/Exec.qll
+++ b/python/ql/src/semmle/python/security/injection/Exec.qll
@@ -7,7 +7,7 @@
 */

 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import semmle.python.security.strings.Untrusted

 /**
--- a/python/ql/src/semmle/python/security/injection/Marshal.qll
+++ b/python/ql/src/semmle/python/security/injection/Marshal.qll
@@ -7,7 +7,7 @@
 */

 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import semmle.python.security.strings.Untrusted
 import semmle.python.security.injection.Deserialization

--- a/python/ql/src/semmle/python/security/injection/Path.qll
+++ b/python/ql/src/semmle/python/security/injection/Path.qll
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import semmle.python.security.strings.Untrusted

 /**
--- a/python/ql/src/semmle/python/security/injection/Pickle.qll
+++ b/python/ql/src/semmle/python/security/injection/Pickle.qll
@@ -7,7 +7,7 @@
 */

 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import semmle.python.security.strings.Untrusted
 import semmle.python.security.injection.Deserialization

--- a/python/ql/src/semmle/python/security/injection/Sql.qll
+++ b/python/ql/src/semmle/python/security/injection/Sql.qll
@@ -7,7 +7,7 @@
 */

 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import semmle.python.security.strings.Untrusted
 import semmle.python.security.SQL

--- a/python/ql/src/semmle/python/security/injection/Xml.qll
+++ b/python/ql/src/semmle/python/security/injection/Xml.qll
@@ -7,7 +7,7 @@
 */

 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import semmle.python.security.strings.Untrusted
 import semmle.python.security.injection.Deserialization

--- a/python/ql/src/semmle/python/security/injection/Yaml.qll
+++ b/python/ql/src/semmle/python/security/injection/Yaml.qll
@@ -7,7 +7,7 @@
 */

 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import semmle.python.security.strings.Untrusted
 import semmle.python.security.injection.Deserialization

--- a/python/ql/src/semmle/python/security/strings/Basic.qll
+++ b/python/ql/src/semmle/python/security/strings/Basic.qll
@@ -1,6 +1,6 @@
 import python
 private import Common
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking

 /** An extensible kind of taint representing any kind of string. */
 abstract class StringKind extends TaintKind {
--- a/python/ql/src/semmle/python/types/ModuleObject.qll
+++ b/python/ql/src/semmle/python/types/ModuleObject.qll
@@ -118,7 +118,7 @@ class BuiltinModuleObject extends ModuleObject {

    override predicate hasAttribute(string name) { exists(this.asBuiltin().getMember(name)) }

-    override predicate exportsComplete() { any() }
+    deprecated override predicate exportsComplete() { any() }
 }

 class PythonModuleObject extends ModuleObject {
@@ -132,7 +132,7 @@ class PythonModuleObject extends ModuleObject {

    override Container getPath() { result = this.getModule().getFile() }

-    override predicate exportsComplete() {
+    deprecated override predicate exportsComplete() {
        exists(Module m | m = this.getModule() |
            not exists(Call modify, Attribute attr, GlobalVariable all |
                modify.getScope() = m and
@@ -196,7 +196,7 @@ class PackageObject extends ModuleObject {
        )
    }

-    override predicate exportsComplete() {
+    deprecated override predicate exportsComplete() {
        not exists(this.getInitModule())
        or
        this.getInitModule().exportsComplete()
--- a/python/ql/src/semmle/python/web/bottle/Redirect.qll
+++ b/python/ql/src/semmle/python/web/bottle/Redirect.qll
@@ -5,7 +5,7 @@
 */

 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import semmle.python.security.strings.Basic
 import semmle.python.web.bottle.General

--- a/python/ql/src/semmle/python/web/bottle/Request.qll
+++ b/python/ql/src/semmle/python/web/bottle/Request.qll
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import semmle.python.security.strings.Untrusted
 import semmle.python.web.Http
 import semmle.python.web.bottle.General
--- a/python/ql/src/semmle/python/web/bottle/Response.qll
+++ b/python/ql/src/semmle/python/web/bottle/Response.qll
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import semmle.python.security.strings.Untrusted
 import semmle.python.web.Http
 import semmle.python.web.bottle.General
--- a/python/ql/src/semmle/python/web/cherrypy/Request.qll
+++ b/python/ql/src/semmle/python/web/cherrypy/Request.qll
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import semmle.python.security.strings.Basic
 import semmle.python.web.Http
 import semmle.python.web.cherrypy.General
--- a/python/ql/src/semmle/python/web/cherrypy/Response.qll
+++ b/python/ql/src/semmle/python/web/cherrypy/Response.qll
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import semmle.python.security.strings.Untrusted
 import semmle.python.web.Http
 import semmle.python.web.cherrypy.General
--- a/python/ql/src/semmle/python/web/django/Model.qll
+++ b/python/ql/src/semmle/python/web/django/Model.qll
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import semmle.python.security.strings.Basic
 import semmle.python.web.Http
 import semmle.python.security.injection.Sql
--- a/python/ql/src/semmle/python/web/django/Redirect.qll
+++ b/python/ql/src/semmle/python/web/django/Redirect.qll
@@ -5,7 +5,7 @@
 */

 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import semmle.python.security.strings.Basic
 private import semmle.python.web.django.Shared
 private import semmle.python.web.Http
--- a/python/ql/src/semmle/python/web/django/Request.qll
+++ b/python/ql/src/semmle/python/web/django/Request.qll
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import semmle.python.web.Http
 import semmle.python.web.django.General

--- a/python/ql/src/semmle/python/web/django/Response.qll
+++ b/python/ql/src/semmle/python/web/django/Response.qll
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import semmle.python.security.strings.Basic
 private import semmle.python.web.django.Shared
 private import semmle.python.web.Http
--- a/python/ql/src/semmle/python/web/falcon/Request.qll
+++ b/python/ql/src/semmle/python/web/falcon/Request.qll
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import semmle.python.web.Http
 import semmle.python.web.falcon.General
 import semmle.python.security.strings.External
--- a/python/ql/src/semmle/python/web/falcon/Response.qll
+++ b/python/ql/src/semmle/python/web/falcon/Response.qll
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import semmle.python.web.Http
 import semmle.python.web.falcon.General
 import semmle.python.security.strings.External
--- a/python/ql/src/semmle/python/web/flask/Redirect.qll
+++ b/python/ql/src/semmle/python/web/flask/Redirect.qll
@@ -5,7 +5,7 @@
 */

 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import semmle.python.security.strings.Basic
 import semmle.python.web.flask.General

--- a/python/ql/src/semmle/python/web/flask/Request.qll
+++ b/python/ql/src/semmle/python/web/flask/Request.qll
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import semmle.python.web.Http
 import semmle.python.web.flask.General

@@ -54,3 +54,35 @@ class FlaskRequestJson extends HttpRequestTaintSource {

    override string toString() { result = "flask.request.json" }
 }
+
+/**
+ * A parameter to a flask request handler, that can capture a part of the URL (as specified in
+ * the url-pattern of a route).
+ *
+ * For example, the `name` parameter in:
+ * ```
+ * @app.route('/hello/<name>')
+ * def hello(name):
+ * ```
+ */
+class FlaskRoutedParameter extends HttpRequestTaintSource {
+    FlaskRoutedParameter() {
+        exists(string name, Function func, StrConst url_pattern |
+            this.(ControlFlowNode).getNode() = func.getArgByName(name) and
+            flask_routing(url_pattern.getAFlowNode(), func) and
+            exists(string match |
+                match = url_pattern.getS().regexpFind(werkzeug_rule_re(), _, _) and
+                name = match.regexpCapture(werkzeug_rule_re(), 4)
+            )
+        )
+    }
+
+    override predicate isSourceOf(TaintKind kind) { kind instanceof ExternalStringKind }
+}
+
+private string werkzeug_rule_re() {
+    // since flask uses werkzeug internally, we are using its routing rules from
+    // https://github.com/pallets/werkzeug/blob/4dc8d6ab840d4b78cbd5789cef91b01e3bde01d5/src/werkzeug/routing.py#L138-L151
+    result =
+        "(?<static>[^<]*)<(?:(?<converter>[a-zA-Z_][a-zA-Z0-9_]*)(?:\\((?<args>.*?)\\))?\\:)?(?<variable>[a-zA-Z_][a-zA-Z0-9_]*)>"
+}
--- a/python/ql/src/semmle/python/web/flask/Response.qll
+++ b/python/ql/src/semmle/python/web/flask/Response.qll
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import semmle.python.security.strings.Basic
 import semmle.python.web.flask.General

--- a/python/ql/src/semmle/python/web/pyramid/Redirect.qll
+++ b/python/ql/src/semmle/python/web/pyramid/Redirect.qll
@@ -5,7 +5,7 @@
 */

 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import semmle.python.security.strings.Basic
 import semmle.python.web.Http

--- a/python/ql/src/semmle/python/web/pyramid/Request.qll
+++ b/python/ql/src/semmle/python/web/pyramid/Request.qll
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import semmle.python.web.Http
 private import semmle.python.web.webob.Request
 private import semmle.python.web.pyramid.View
--- a/python/ql/src/semmle/python/web/pyramid/Response.qll
+++ b/python/ql/src/semmle/python/web/pyramid/Response.qll
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import semmle.python.security.strings.Basic
 import semmle.python.web.Http
 private import semmle.python.web.pyramid.View
--- a/python/ql/src/semmle/python/web/stdlib/Request.qll
+++ b/python/ql/src/semmle/python/web/stdlib/Request.qll
@@ -4,7 +4,7 @@
 * (or subclasses) and form parsing using `cgi.FieldStorage`.
 */
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import semmle.python.web.Http

 /** Source of BaseHTTPRequestHandler instances. */
--- a/python/ql/src/semmle/python/web/stdlib/Response.qll
+++ b/python/ql/src/semmle/python/web/stdlib/Response.qll
@@ -3,7 +3,7 @@
 */

 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import semmle.python.web.Http

 private predicate is_wfile(AttrNode wfile) {
--- a/python/ql/src/semmle/python/web/tornado/Redirect.qll
+++ b/python/ql/src/semmle/python/web/tornado/Redirect.qll
@@ -5,7 +5,7 @@
 */

 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import semmle.python.security.strings.Basic
 import semmle.python.web.Http
 import Tornado
--- a/python/ql/src/semmle/python/web/tornado/Request.qll
+++ b/python/ql/src/semmle/python/web/tornado/Request.qll
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import semmle.python.web.Http
 import Tornado

--- a/python/ql/src/semmle/python/web/tornado/Response.qll
+++ b/python/ql/src/semmle/python/web/tornado/Response.qll
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import semmle.python.security.strings.Basic
 private import semmle.python.web.Http
 import Tornado
--- a/python/ql/src/semmle/python/web/tornado/Tornado.qll
+++ b/python/ql/src/semmle/python/web/tornado/Tornado.qll
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import semmle.python.web.Http

 private ClassValue theTornadoRequestHandlerClass() {
--- a/python/ql/src/semmle/python/web/turbogears/Response.qll
+++ b/python/ql/src/semmle/python/web/turbogears/Response.qll
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import semmle.python.security.strings.Basic
 import semmle.python.web.Http
 import TurboGears
--- a/python/ql/src/semmle/python/web/turbogears/TurboGears.qll
+++ b/python/ql/src/semmle/python/web/turbogears/TurboGears.qll
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking

 private ClassValue theTurboGearsControllerClass() { result = Value::named("tg.TGController") }

--- a/python/ql/src/semmle/python/web/twisted/Request.qll
+++ b/python/ql/src/semmle/python/web/twisted/Request.qll
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import semmle.python.web.Http
 import Twisted

--- a/python/ql/src/semmle/python/web/twisted/Response.qll
+++ b/python/ql/src/semmle/python/web/twisted/Response.qll
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import semmle.python.web.Http
 import semmle.python.security.strings.Basic
 import Twisted
--- a/python/ql/src/semmle/python/web/twisted/Twisted.qll
+++ b/python/ql/src/semmle/python/web/twisted/Twisted.qll
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking

 private ClassValue theTwistedHttpRequestClass() {
    result = Value::named("twisted.web.http.Request")
--- a/python/ql/src/semmle/python/web/webob/Request.qll
+++ b/python/ql/src/semmle/python/web/webob/Request.qll
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import semmle.python.web.Http

 abstract class BaseWebobRequest extends TaintKind {
--- a/python/ql/test/3/library-tests/taint/unpacking/Taint.qll
+++ b/python/ql/test/3/library-tests/taint/unpacking/Taint.qll
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import semmle.python.security.strings.Untrusted

 class SimpleSource extends TaintSource {
--- a/python/ql/test/3/library-tests/taint/unpacking/TestTaint.ql
+++ b/python/ql/test/3/library-tests/taint/unpacking/TestTaint.ql
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import Taint

 from Call call, Expr arg, string taint_string
--- a/python/ql/test/3/query-tests/Classes/equals-attr/DefineEqualsWhenAddingAttributes.expected
+++ b/python/ql/test/3/query-tests/Classes/equals-attr/DefineEqualsWhenAddingAttributes.expected
@@ -1,2 +1,2 @@
-| test.py:12:1:12:24 | class C | The class 'C' does not override $@, but adds the new attribute $@. | test.py:9:5:9:28 | Function __eq__ | '__eq__' | test.py:15:9:15:14 | Attribute | a |
-| test.py:12:1:12:24 | class C | The class 'C' does not override $@, but adds the new attribute $@. | test.py:9:5:9:28 | Function __eq__ | '__eq__' | test.py:15:17:15:22 | Attribute | b |
+| test.py:12:1:12:24 | class C | The class 'C' does not override $@, but adds the new attribute $@. | test.py:9:5:9:28 | Function RedefineEquals.__eq__ | '__eq__' | test.py:15:9:15:14 | Attribute | a |
+| test.py:12:1:12:24 | class C | The class 'C' does not override $@, but adds the new attribute $@. | test.py:9:5:9:28 | Function RedefineEquals.__eq__ | '__eq__' | test.py:15:17:15:22 | Attribute | b |
--- a/python/ql/test/library-tests/PointsTo/calls/Argument.expected
+++ b/python/ql/test/library-tests/PointsTo/calls/Argument.expected
@@ -1,15 +0,0 @@
-| 19 | 0 | ControlFlowNode for w | Function f |
-| 19 | 1 | ControlFlowNode for x | Function f |
-| 19 | 2 | ControlFlowNode for y | Function f |
-| 21 | 0 | ControlFlowNode for y | Function f |
-| 21 | 1 | ControlFlowNode for w | Function f |
-| 21 | 2 | ControlFlowNode for z | Function f |
-| 23 | 0 | ControlFlowNode for c | Function f |
-| 23 | 1 | ControlFlowNode for w | Function f |
-| 23 | 2 | ControlFlowNode for z | Function f |
-| 24 | 0 | ControlFlowNode for c | Function n |
-| 24 | 1 | ControlFlowNode for x | Function n |
-| 25 | 0 | ControlFlowNode for y | Function n |
-| 25 | 1 | ControlFlowNode for z | Function n |
-| 33 | 0 | ControlFlowNode for IntegerLiteral | Function foo |
-| 34 | 0 | ControlFlowNode for IntegerLiteral | Function foo |
--- a/python/ql/test/library-tests/PointsTo/calls/Argument.ql
+++ b/python/ql/test/library-tests/PointsTo/calls/Argument.ql
@@ -1,5 +0,0 @@
-import python
-
-from ControlFlowNode arg, FunctionObject func, int i
-where arg = func.getArgumentForCall(_, i)
-select arg.getLocation().getStartLine(), i, arg.toString(), func.toString()
--- a/python/ql/test/library-tests/PointsTo/calls/Call.expected
+++ b/python/ql/test/library-tests/PointsTo/calls/Call.expected
@@ -1,7 +0,0 @@
-| 19 | ControlFlowNode for f() | Function f |
-| 21 | ControlFlowNode for f() | Function f |
-| 23 | ControlFlowNode for Attribute() | Function f |
-| 24 | ControlFlowNode for Attribute() | Function n |
-| 25 | ControlFlowNode for Attribute() | Function n |
-| 33 | ControlFlowNode for Attribute() | Function foo |
-| 34 | ControlFlowNode for Attribute() | Function foo |
--- a/python/ql/test/library-tests/PointsTo/calls/CallPointsTo.expected
+++ b/python/ql/test/library-tests/PointsTo/calls/CallPointsTo.expected
@@ -0,0 +1,19 @@
+| 19 | ControlFlowNode for f() | Function f |
+| 21 | ControlFlowNode for f() | Function f |
+| 22 | ControlFlowNode for C() | class C |
+| 23 | ControlFlowNode for Attribute() | Method(Function f, C()) |
+| 24 | ControlFlowNode for Attribute() | Method(Function C.n, C()) |
+| 25 | ControlFlowNode for Attribute() | Function C.n |
+| 29 | ControlFlowNode for staticmethod() | builtin-class staticmethod |
+| 33 | ControlFlowNode for Attribute() | Function D.foo |
+| 34 | ControlFlowNode for Attribute() | Function D.foo |
+| 34 | ControlFlowNode for D() | class D |
+| 37 | ControlFlowNode for Attribute() | Method(builtin method append, List) |
+| 38 | ControlFlowNode for len() | Builtin-function len |
+| 40 | ControlFlowNode for f() | Function f |
+| 41 | ControlFlowNode for C() | class C |
+| 42 | ControlFlowNode for Attribute() | Method(Function C.n, C()) |
+| 45 | ControlFlowNode for open() | Builtin-function open |
+| 46 | ControlFlowNode for open() | Builtin-function open |
+| 51 | ControlFlowNode for foo() | Function foo |
+| 55 | ControlFlowNode for bar() | Function bar |
--- a/python/ql/test/library-tests/PointsTo/calls/CallPointsTo.ql
+++ b/python/ql/test/library-tests/PointsTo/calls/CallPointsTo.ql
@@ -0,0 +1,5 @@
+import python
+
+from CallNode call, Value func
+where call.getFunction().pointsTo(func)
+select call.getLocation().getStartLine(), call.toString(), func.toString()
--- a/python/ql/test/library-tests/PointsTo/calls/GetACall.expected
+++ b/python/ql/test/library-tests/PointsTo/calls/GetACall.expected
@@ -0,0 +1,23 @@
+| 19 | ControlFlowNode for f() | Function f |
+| 21 | ControlFlowNode for f() | Function f |
+| 22 | ControlFlowNode for C() | class C |
+| 23 | ControlFlowNode for Attribute() | Function f |
+| 23 | ControlFlowNode for Attribute() | Method(Function f, C()) |
+| 24 | ControlFlowNode for Attribute() | Function C.n |
+| 24 | ControlFlowNode for Attribute() | Method(Function C.n, C()) |
+| 25 | ControlFlowNode for Attribute() | Function C.n |
+| 29 | ControlFlowNode for staticmethod() | builtin-class staticmethod |
+| 33 | ControlFlowNode for Attribute() | Function D.foo |
+| 34 | ControlFlowNode for Attribute() | Function D.foo |
+| 34 | ControlFlowNode for D() | class D |
+| 37 | ControlFlowNode for Attribute() | Method(builtin method append, List) |
+| 37 | ControlFlowNode for Attribute() | builtin method append |
+| 38 | ControlFlowNode for len() | Builtin-function len |
+| 40 | ControlFlowNode for f() | Function f |
+| 41 | ControlFlowNode for C() | class C |
+| 42 | ControlFlowNode for Attribute() | Function C.n |
+| 42 | ControlFlowNode for Attribute() | Method(Function C.n, C()) |
+| 45 | ControlFlowNode for open() | Builtin-function open |
+| 46 | ControlFlowNode for open() | Builtin-function open |
+| 51 | ControlFlowNode for foo() | Function foo |
+| 55 | ControlFlowNode for bar() | Function bar |
--- a/python/ql/test/library-tests/PointsTo/calls/GetACall.ql
+++ b/python/ql/test/library-tests/PointsTo/calls/GetACall.ql
@@ -1,5 +1,5 @@
 import python

-from ControlFlowNode call, FunctionObject func
+from ControlFlowNode call, Value func
 where call = func.getACall()
 select call.getLocation().getStartLine(), call.toString(), func.toString()
--- a/python/ql/test/library-tests/PointsTo/calls/getArgumentForCall.expected
+++ b/python/ql/test/library-tests/PointsTo/calls/getArgumentForCall.expected
@@ -0,0 +1,34 @@
+| 19 | ControlFlowNode for f() | Function f | 0 | ControlFlowNode for w |
+| 19 | ControlFlowNode for f() | Function f | 1 | ControlFlowNode for x |
+| 19 | ControlFlowNode for f() | Function f | 2 | ControlFlowNode for y |
+| 21 | ControlFlowNode for f() | Function f | 0 | ControlFlowNode for y |
+| 21 | ControlFlowNode for f() | Function f | 1 | ControlFlowNode for w |
+| 21 | ControlFlowNode for f() | Function f | 2 | ControlFlowNode for z |
+| 23 | ControlFlowNode for Attribute() | Function f | 0 | ControlFlowNode for c |
+| 23 | ControlFlowNode for Attribute() | Function f | 1 | ControlFlowNode for w |
+| 23 | ControlFlowNode for Attribute() | Function f | 2 | ControlFlowNode for z |
+| 23 | ControlFlowNode for Attribute() | Method(Function f, C()) | 0 | ControlFlowNode for w |
+| 23 | ControlFlowNode for Attribute() | Method(Function f, C()) | 1 | ControlFlowNode for z |
+| 24 | ControlFlowNode for Attribute() | Function C.n | 0 | ControlFlowNode for c |
+| 24 | ControlFlowNode for Attribute() | Function C.n | 1 | ControlFlowNode for x |
+| 24 | ControlFlowNode for Attribute() | Method(Function C.n, C()) | 0 | ControlFlowNode for x |
+| 25 | ControlFlowNode for Attribute() | Function C.n | 0 | ControlFlowNode for y |
+| 25 | ControlFlowNode for Attribute() | Function C.n | 1 | ControlFlowNode for z |
+| 33 | ControlFlowNode for Attribute() | Function D.foo | 0 | ControlFlowNode for IntegerLiteral |
+| 34 | ControlFlowNode for Attribute() | Function D.foo | 0 | ControlFlowNode for IntegerLiteral |
+| 37 | ControlFlowNode for Attribute() | Method(builtin method append, List) | 0 | ControlFlowNode for IntegerLiteral |
+| 37 | ControlFlowNode for Attribute() | builtin method append | 0 | ControlFlowNode for l |
+| 37 | ControlFlowNode for Attribute() | builtin method append | 1 | ControlFlowNode for IntegerLiteral |
+| 38 | ControlFlowNode for len() | Builtin-function len | 0 | ControlFlowNode for l |
+| 40 | ControlFlowNode for f() | Function f | 0 | ControlFlowNode for IntegerLiteral |
+| 40 | ControlFlowNode for f() | Function f | 1 | ControlFlowNode for IntegerLiteral |
+| 40 | ControlFlowNode for f() | Function f | 2 | ControlFlowNode for IntegerLiteral |
+| 42 | ControlFlowNode for Attribute() | Function C.n | 0 | ControlFlowNode for c |
+| 42 | ControlFlowNode for Attribute() | Function C.n | 1 | ControlFlowNode for IntegerLiteral |
+| 42 | ControlFlowNode for Attribute() | Method(Function C.n, C()) | 0 | ControlFlowNode for IntegerLiteral |
+| 45 | ControlFlowNode for open() | Builtin-function open | 0 | ControlFlowNode for Str |
+| 45 | ControlFlowNode for open() | Builtin-function open | 1 | ControlFlowNode for Str |
+| 51 | ControlFlowNode for foo() | Function foo | 0 | ControlFlowNode for IntegerLiteral |
+| 51 | ControlFlowNode for foo() | Function foo | 1 | ControlFlowNode for IntegerLiteral |
+| 51 | ControlFlowNode for foo() | Function foo | 2 | ControlFlowNode for IntegerLiteral |
+| 55 | ControlFlowNode for bar() | Function bar | 0 | ControlFlowNode for IntegerLiteral |
--- a/python/ql/test/library-tests/PointsTo/calls/getArgumentForCall.ql
+++ b/python/ql/test/library-tests/PointsTo/calls/getArgumentForCall.ql
@@ -0,0 +1,5 @@
+import python
+
+from CallNode call, CallableValue callable, int i
+select call.getLocation().getStartLine(), call.toString(), callable.toString(), i,
+    callable.getArgumentForCall(call, i).toString()
--- a/python/ql/test/library-tests/PointsTo/calls/getNamedArgumentForCall.expected
+++ b/python/ql/test/library-tests/PointsTo/calls/getNamedArgumentForCall.expected
@@ -0,0 +1,31 @@
+| 19 | ControlFlowNode for f() | Function f | arg0 | ControlFlowNode for w |
+| 19 | ControlFlowNode for f() | Function f | arg1 | ControlFlowNode for x |
+| 19 | ControlFlowNode for f() | Function f | arg2 | ControlFlowNode for y |
+| 21 | ControlFlowNode for f() | Function f | arg0 | ControlFlowNode for y |
+| 21 | ControlFlowNode for f() | Function f | arg1 | ControlFlowNode for w |
+| 21 | ControlFlowNode for f() | Function f | arg2 | ControlFlowNode for z |
+| 23 | ControlFlowNode for Attribute() | Function f | arg1 | ControlFlowNode for w |
+| 23 | ControlFlowNode for Attribute() | Function f | arg2 | ControlFlowNode for z |
+| 23 | ControlFlowNode for Attribute() | Function f | self | ControlFlowNode for c |
+| 23 | ControlFlowNode for Attribute() | Method(Function f, C()) | arg1 | ControlFlowNode for w |
+| 23 | ControlFlowNode for Attribute() | Method(Function f, C()) | arg2 | ControlFlowNode for z |
+| 24 | ControlFlowNode for Attribute() | Function C.n | arg1 | ControlFlowNode for x |
+| 24 | ControlFlowNode for Attribute() | Function C.n | self | ControlFlowNode for c |
+| 24 | ControlFlowNode for Attribute() | Method(Function C.n, C()) | arg1 | ControlFlowNode for x |
+| 25 | ControlFlowNode for Attribute() | Function C.n | arg1 | ControlFlowNode for z |
+| 25 | ControlFlowNode for Attribute() | Function C.n | self | ControlFlowNode for y |
+| 33 | ControlFlowNode for Attribute() | Function D.foo | arg | ControlFlowNode for IntegerLiteral |
+| 34 | ControlFlowNode for Attribute() | Function D.foo | arg | ControlFlowNode for IntegerLiteral |
+| 37 | ControlFlowNode for Attribute() | builtin method append | self | ControlFlowNode for l |
+| 40 | ControlFlowNode for f() | Function f | arg0 | ControlFlowNode for IntegerLiteral |
+| 40 | ControlFlowNode for f() | Function f | arg1 | ControlFlowNode for IntegerLiteral |
+| 40 | ControlFlowNode for f() | Function f | arg2 | ControlFlowNode for IntegerLiteral |
+| 42 | ControlFlowNode for Attribute() | Function C.n | arg1 | ControlFlowNode for IntegerLiteral |
+| 42 | ControlFlowNode for Attribute() | Function C.n | self | ControlFlowNode for c |
+| 42 | ControlFlowNode for Attribute() | Method(Function C.n, C()) | arg1 | ControlFlowNode for IntegerLiteral |
+| 46 | ControlFlowNode for open() | Builtin-function open | file | ControlFlowNode for Str |
+| 46 | ControlFlowNode for open() | Builtin-function open | mode | ControlFlowNode for Str |
+| 51 | ControlFlowNode for foo() | Function foo | a | ControlFlowNode for IntegerLiteral |
+| 55 | ControlFlowNode for bar() | Function bar | a | ControlFlowNode for IntegerLiteral |
+| 55 | ControlFlowNode for bar() | Function bar | b | ControlFlowNode for IntegerLiteral |
+| 55 | ControlFlowNode for bar() | Function bar | c | ControlFlowNode for IntegerLiteral |
--- a/python/ql/test/library-tests/PointsTo/calls/getNamedArgumentForCall.ql
+++ b/python/ql/test/library-tests/PointsTo/calls/getNamedArgumentForCall.ql
@@ -0,0 +1,5 @@
+import python
+
+from CallNode call, CallableValue callable, string name
+select call.getLocation().getStartLine(), call.toString(), callable.toString(), name,
+    callable.getNamedArgumentForCall(call, name).toString()
--- a/python/ql/test/library-tests/PointsTo/calls/getParameter.expected
+++ b/python/ql/test/library-tests/PointsTo/calls/getParameter.expected
@@ -0,0 +1,12 @@
+| Function C.n | 0 | ControlFlowNode for self |
+| Function C.n | 1 | ControlFlowNode for arg1 |
+| Function D.foo | 0 | ControlFlowNode for arg |
+| Function bar | 0 | ControlFlowNode for a |
+| Function f | 0 | ControlFlowNode for arg0 |
+| Function f | 1 | ControlFlowNode for arg1 |
+| Function f | 2 | ControlFlowNode for arg2 |
+| Function foo | 0 | ControlFlowNode for a |
+| Method(Function C.n, C()) | 0 | ControlFlowNode for arg1 |
+| Method(Function C.n, class C) | 0 | ControlFlowNode for arg1 |
+| Method(Function f, C()) | 0 | ControlFlowNode for arg1 |
+| Method(Function f, C()) | 1 | ControlFlowNode for arg2 |
--- a/python/ql/test/library-tests/PointsTo/calls/getParameter.ql
+++ b/python/ql/test/library-tests/PointsTo/calls/getParameter.ql
@@ -0,0 +1,4 @@
+import python
+
+from CallableValue callable, int i
+select callable.toString(), i, callable.getParameter(i).toString()
--- a/python/ql/test/library-tests/PointsTo/calls/getParameterByName.expected
+++ b/python/ql/test/library-tests/PointsTo/calls/getParameterByName.expected
@@ -0,0 +1,12 @@
+| Function C.n | arg1 | ControlFlowNode for arg1 |
+| Function C.n | self | ControlFlowNode for self |
+| Function D.foo | arg | ControlFlowNode for arg |
+| Function bar | a | ControlFlowNode for a |
+| Function f | arg0 | ControlFlowNode for arg0 |
+| Function f | arg1 | ControlFlowNode for arg1 |
+| Function f | arg2 | ControlFlowNode for arg2 |
+| Function foo | a | ControlFlowNode for a |
+| Method(Function C.n, C()) | arg1 | ControlFlowNode for arg1 |
+| Method(Function C.n, class C) | arg1 | ControlFlowNode for arg1 |
+| Method(Function f, C()) | arg1 | ControlFlowNode for arg1 |
+| Method(Function f, C()) | arg2 | ControlFlowNode for arg2 |
--- a/python/ql/test/library-tests/PointsTo/calls/getParameterByName.ql
+++ b/python/ql/test/library-tests/PointsTo/calls/getParameterByName.ql
@@ -0,0 +1,4 @@
+import python
+
+from CallableValue callable, string name
+select callable.toString(), name, callable.getParameterByName(name).toString()
--- a/python/ql/test/library-tests/PointsTo/calls/test.py
+++ b/python/ql/test/library-tests/PointsTo/calls/test.py
@@ -32,3 +32,24 @@ class D(object):

 D.foo(1)
 D().foo(2)
+
+l = [1,2,3]
+l.append(4)
+len(l)
+
+f(arg0=0, arg1=1, arg2=2)
+c = C()
+c.n(arg1=1)
+
+# positional/keyword arguments for a builtin function
+open("foo.txt", "rb") # TODO: Not handled by getNamedArgumentForCall
+open(file="foo.txt", mode="rb")
+
+# Testing how arguments to *args and **kwargs are handled
+def foo(a, *args):
+    pass
+foo(1, 2, 3)
+
+def bar(a, **kwargs):
+    pass
+bar(a=1, b=2, c=3)
--- a/python/ql/test/library-tests/examples/custom-sanitizer/Taint.qll
+++ b/python/ql/test/library-tests/examples/custom-sanitizer/Taint.qll
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import semmle.python.security.strings.Untrusted

 class SimpleSource extends TaintSource {
--- a/python/ql/test/library-tests/examples/custom-sanitizer/TestTaint.ql
+++ b/python/ql/test/library-tests/examples/custom-sanitizer/TestTaint.ql
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import Taint

 from
--- a/python/ql/test/library-tests/taint/collections/Taint.qll
+++ b/python/ql/test/library-tests/taint/collections/Taint.qll
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import semmle.python.security.strings.Untrusted

 class SimpleSource extends TaintSource {
--- a/python/ql/test/library-tests/taint/collections/TestStep.ql
+++ b/python/ql/test/library-tests/taint/collections/TestStep.ql
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import Taint

 from TaintedNode n, TaintedNode s
--- a/python/ql/test/library-tests/taint/collections/TestTaint.ql
+++ b/python/ql/test/library-tests/taint/collections/TestTaint.ql
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import Taint

 from Call call, Expr arg, string taint_string
--- a/python/ql/test/library-tests/taint/config/RockPaperScissors.ql
+++ b/python/ql/test/library-tests/taint/config/RockPaperScissors.ql
@@ -3,7 +3,7 @@
 */

 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import TaintLib
 import semmle.python.security.Paths

--- a/python/ql/test/library-tests/taint/config/Simple.ql
+++ b/python/ql/test/library-tests/taint/config/Simple.ql
@@ -3,7 +3,7 @@
 */

 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import TaintLib
 import semmle.python.security.Paths

--- a/python/ql/test/library-tests/taint/config/TaintLib.qll
+++ b/python/ql/test/library-tests/taint/config/TaintLib.qll
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking

 class SimpleTest extends TaintKind {
    SimpleTest() { this = "simple.test" }
--- a/python/ql/test/library-tests/taint/config/TaintedArgument.ql
+++ b/python/ql/test/library-tests/taint/config/TaintedArgument.ql
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import TaintLib
 import semmle.python.dataflow.Implementation

--- a/python/ql/test/library-tests/taint/config/TestNode.ql
+++ b/python/ql/test/library-tests/taint/config/TestNode.ql
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import semmle.python.dataflow.Implementation
 import TaintLib

--- a/python/ql/test/library-tests/taint/config/TestSink.ql
+++ b/python/ql/test/library-tests/taint/config/TestSink.ql
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import TaintLib

 from TestConfig config, DataFlow::Node sink, TaintKind kind
--- a/python/ql/test/library-tests/taint/config/TestSource.ql
+++ b/python/ql/test/library-tests/taint/config/TestSource.ql
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import TaintLib

 from TestConfig config, DataFlow::Node source, TaintKind kind
--- a/python/ql/test/library-tests/taint/config/TestStep.ql
+++ b/python/ql/test/library-tests/taint/config/TestStep.ql
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import TaintLib
 import semmle.python.dataflow.Implementation

--- a/python/ql/test/library-tests/taint/example/Edges.ql
+++ b/python/ql/test/library-tests/taint/example/Edges.ql
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import semmle.python.dataflow.Implementation
 import DilbertConfig

--- a/python/ql/test/library-tests/taint/example/Nodes.ql
+++ b/python/ql/test/library-tests/taint/example/Nodes.ql
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import semmle.python.dataflow.Implementation
 import DilbertConfig

--- a/python/ql/test/library-tests/taint/extensions/ExtensionsLib.qll
+++ b/python/ql/test/library-tests/taint/extensions/ExtensionsLib.qll
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking

 class SimpleTest extends TaintKind {
    SimpleTest() { this = "simple.test" }
--- a/python/ql/test/library-tests/taint/flowpath_regression/Config.qll
+++ b/python/ql/test/library-tests/taint/flowpath_regression/Config.qll
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import semmle.python.security.strings.Untrusted

 class FooSource extends TaintSource {
--- a/python/ql/test/library-tests/taint/general/ParamSource.ql
+++ b/python/ql/test/library-tests/taint/general/ParamSource.ql
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 /* Standard library sink */
 import semmle.python.security.injection.Command

--- a/python/ql/test/library-tests/taint/general/TaintLib.qll
+++ b/python/ql/test/library-tests/taint/general/TaintLib.qll
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking

 class SimpleTest extends TaintKind {
    SimpleTest() { this = "simple.test" }
--- a/python/ql/test/library-tests/taint/general/TestSanitizers.ql
+++ b/python/ql/test/library-tests/taint/general/TestSanitizers.ql
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import TaintLib

 from Sanitizer s, TaintKind taint, PyEdgeRefinement test
--- a/python/ql/test/library-tests/taint/general/TestSink.ql
+++ b/python/ql/test/library-tests/taint/general/TestSink.ql
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import TaintLib

 from TaintSource src, TaintSink sink, TaintKind srckind, TaintKind sinkkind
--- a/Show More
+++ b/Show More