diff --git a/python/ql/test/2/query-tests/Exceptions/raising/RaisingTuple.expected b/python/ql/test/2/query-tests/Exceptions/raising/RaisingTuple.expected
index ecfd7587d53..5f914d6c49e 100644
--- a/python/ql/test/2/query-tests/Exceptions/raising/RaisingTuple.expected
+++ b/python/ql/test/2/query-tests/Exceptions/raising/RaisingTuple.expected
@@ -1,3 +1,3 @@
-| test.py:8:5:8:12 | Raise | Raising a $@ will result in the first element (recursively) being raised and all other elements being discarded. | test.py:7:10:7:29 | ControlFlowNode for Tuple | tuple |
-| test.py:11:5:11:32 | Raise | Raising a $@ will result in the first element (recursively) being raised and all other elements being discarded. | test.py:11:12:11:31 | ControlFlowNode for Tuple | tuple |
-| test.py:15:5:15:23 | Raise | Raising a $@ will result in the first element (recursively) being raised and all other elements being discarded. | test.py:14:10:14:19 | ControlFlowNode for Tuple | tuple |
+| test.py:8:5:8:12 | Raise | Raising a $@ will result in the first element (recursively) being raised and all other elements being discarded. | test.py:7:10:7:29 | After Tuple | tuple |
+| test.py:11:5:11:32 | Raise | Raising a $@ will result in the first element (recursively) being raised and all other elements being discarded. | test.py:11:12:11:31 | After Tuple | tuple |
+| test.py:15:5:15:23 | Raise | Raising a $@ will result in the first element (recursively) being raised and all other elements being discarded. | test.py:14:10:14:19 | After Tuple | tuple |
diff --git a/python/ql/test/2/query-tests/Expressions/UseofApply.expected b/python/ql/test/2/query-tests/Expressions/UseofApply.expected
index 0c5e28c9494..78ec06d8b07 100644
--- a/python/ql/test/2/query-tests/Expressions/UseofApply.expected
+++ b/python/ql/test/2/query-tests/Expressions/UseofApply.expected
@@ -1,2 +1,2 @@
-| UseofApply.py:19:3:19:17 | ControlFlowNode for apply() | Call to the obsolete builtin function 'apply'. |
-| expressions_test.py:2:5:2:21 | ControlFlowNode for apply() | Call to the obsolete builtin function 'apply'. |
+| UseofApply.py:19:3:19:17 | After apply() | Call to the obsolete builtin function 'apply'. |
+| expressions_test.py:2:5:2:21 | After apply() | Call to the obsolete builtin function 'apply'. |
diff --git a/python/ql/test/2/query-tests/Expressions/UseofInput.expected b/python/ql/test/2/query-tests/Expressions/UseofInput.expected
index 470c24df21f..e1ded3ef961 100644
--- a/python/ql/test/2/query-tests/Expressions/UseofInput.expected
+++ b/python/ql/test/2/query-tests/Expressions/UseofInput.expected
@@ -1 +1 @@
-| expressions_test.py:6:12:6:18 | ControlFlowNode for input() | The unsafe built-in function 'input' is used in Python 2. |
+| expressions_test.py:6:12:6:18 | After input() | The unsafe built-in function 'input' is used in Python 2. |
diff --git a/python/ql/test/experimental/attrs/AttrReads.expected b/python/ql/test/experimental/attrs/AttrReads.expected
index 28fda7c75d4..a313b5abec2 100644
--- a/python/ql/test/experimental/attrs/AttrReads.expected
+++ b/python/ql/test/experimental/attrs/AttrReads.expected
@@ -1,2 +1,2 @@
-| test.py:10:1:10:9 | ControlFlowNode for Attribute | test.py:10:1:10:5 | ControlFlowNode for myobj | foo |
-| test.py:13:1:13:21 | ControlFlowNode for getattr() | test.py:13:9:13:13 | ControlFlowNode for myobj | foo |
+| test.py:10:1:10:9 | After Attribute | test.py:10:1:10:5 | myobj | foo |
+| test.py:13:1:13:21 | After getattr() | test.py:13:9:13:13 | myobj | foo |
diff --git a/python/ql/test/experimental/attrs/AttrWrites.expected b/python/ql/test/experimental/attrs/AttrWrites.expected
index d1fc30b3451..8ecdda65808 100644
--- a/python/ql/test/experimental/attrs/AttrWrites.expected
+++ b/python/ql/test/experimental/attrs/AttrWrites.expected
@@ -1,5 +1,5 @@
-| test.py:5:9:5:16 | ControlFlowNode for __init__ | test.py:4:1:4:20 | ControlFlowNode for ClassExpr | __init__ | test.py:5:5:5:28 | ControlFlowNode for FunctionExpr |
-| test.py:6:9:6:16 | ControlFlowNode for Attribute | test.py:6:9:6:12 | ControlFlowNode for self | foo | test.py:6:20:6:22 | ControlFlowNode for foo |
-| test.py:9:1:9:9 | ControlFlowNode for Attribute | test.py:0:0:0:0 | ModuleVariableNode in Module test for myobj | foo | test.py:9:13:9:17 | ControlFlowNode for StringLiteral |
-| test.py:9:1:9:9 | ControlFlowNode for Attribute | test.py:9:1:9:5 | ControlFlowNode for myobj | foo | test.py:9:13:9:17 | ControlFlowNode for StringLiteral |
-| test.py:12:1:12:25 | ControlFlowNode for setattr() | test.py:12:9:12:13 | ControlFlowNode for myobj | foo | test.py:12:23:12:24 | ControlFlowNode for IntegerLiteral |
+| test.py:5:9:5:16 | __init__ | test.py:4:1:4:20 | After ClassExpr | __init__ | test.py:5:5:5:28 | FunctionExpr |
+| test.py:6:9:6:16 | After Attribute | test.py:6:9:6:12 | self | foo | test.py:6:20:6:22 | foo |
+| test.py:9:1:9:9 | After Attribute | test.py:0:0:0:0 | ModuleVariableNode in Module test for myobj | foo | test.py:9:13:9:17 | StringLiteral |
+| test.py:9:1:9:9 | After Attribute | test.py:9:1:9:5 | myobj | foo | test.py:9:13:9:17 | StringLiteral |
+| test.py:12:1:12:25 | After setattr() | test.py:12:9:12:13 | myobj | foo | test.py:12:23:12:24 | IntegerLiteral |
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-022-TarSlip/TarSlip.expected b/python/ql/test/experimental/query-tests/Security/CWE-022-TarSlip/TarSlip.expected
index 97527c300db..84c0ec31cbb 100644
--- a/python/ql/test/experimental/query-tests/Security/CWE-022-TarSlip/TarSlip.expected
+++ b/python/ql/test/experimental/query-tests/Security/CWE-022-TarSlip/TarSlip.expected
@@ -1,235 +1,235 @@ edges -| TarSlipImprov.py:15:1:15:3 | ControlFlowNode for tar | TarSlipImprov.py:17:5:17:10 | ControlFlowNode for member | provenance | | -| TarSlipImprov.py:15:7:15:39 | ControlFlowNode for Attribute() | TarSlipImprov.py:15:1:15:3 | ControlFlowNode for tar | provenance | | -| TarSlipImprov.py:17:5:17:10 | ControlFlowNode for member | TarSlipImprov.py:20:19:20:24 | ControlFlowNode for member | provenance | | -| TarSlipImprov.py:20:5:20:10 | [post] ControlFlowNode for result | TarSlipImprov.py:22:35:22:40 | ControlFlowNode for result | provenance | | -| TarSlipImprov.py:20:19:20:24 | ControlFlowNode for member | TarSlipImprov.py:20:5:20:10 | [post] ControlFlowNode for result | provenance | list.append | -| TarSlipImprov.py:26:21:26:27 | ControlFlowNode for tarfile | TarSlipImprov.py:28:9:28:14 | ControlFlowNode for member | provenance | | -| TarSlipImprov.py:28:9:28:14 | ControlFlowNode for member | TarSlipImprov.py:35:23:35:28 | ControlFlowNode for member | provenance | | -| TarSlipImprov.py:35:9:35:14 | [post] ControlFlowNode for result | TarSlipImprov.py:36:12:36:17 | ControlFlowNode for result | provenance | | -| TarSlipImprov.py:35:23:35:28 | ControlFlowNode for member | TarSlipImprov.py:35:9:35:14 | [post] ControlFlowNode for result | provenance | list.append | -| TarSlipImprov.py:38:1:38:3 | ControlFlowNode for tar | TarSlipImprov.py:39:65:39:67 | ControlFlowNode for tar | provenance | | -| TarSlipImprov.py:38:7:38:39 | ControlFlowNode for Attribute() | TarSlipImprov.py:38:1:38:3 | ControlFlowNode for tar | provenance | | -| TarSlipImprov.py:39:65:39:67 | ControlFlowNode for tar | TarSlipImprov.py:26:21:26:27 | ControlFlowNode for tarfile | provenance | | -| TarSlipImprov.py:39:65:39:67 | ControlFlowNode for tar | TarSlipImprov.py:39:49:39:68 | ControlFlowNode for members_filter1() | provenance | list.append | -| TarSlipImprov.py:43:6:43:38 | ControlFlowNode for Attribute() | TarSlipImprov.py:43:43:43:45 | ControlFlowNode for tar | 
provenance | | -| TarSlipImprov.py:43:43:43:45 | ControlFlowNode for tar | TarSlipImprov.py:44:9:44:13 | ControlFlowNode for entry | provenance | | -| TarSlipImprov.py:44:9:44:13 | ControlFlowNode for entry | TarSlipImprov.py:47:21:47:25 | ControlFlowNode for entry | provenance | | -| TarSlipImprov.py:54:6:54:38 | ControlFlowNode for Attribute() | TarSlipImprov.py:54:43:54:45 | ControlFlowNode for tar | provenance | | -| TarSlipImprov.py:54:43:54:45 | ControlFlowNode for tar | TarSlipImprov.py:56:9:56:13 | ControlFlowNode for entry | provenance | | -| TarSlipImprov.py:56:9:56:13 | ControlFlowNode for entry | TarSlipImprov.py:58:21:58:25 | ControlFlowNode for entry | provenance | | -| TarSlipImprov.py:88:6:88:43 | ControlFlowNode for Attribute() | TarSlipImprov.py:88:48:88:50 | ControlFlowNode for tar | provenance | | -| TarSlipImprov.py:88:48:88:50 | ControlFlowNode for tar | TarSlipImprov.py:91:5:91:7 | ControlFlowNode for tar | provenance | | -| TarSlipImprov.py:111:1:111:3 | ControlFlowNode for tar | TarSlipImprov.py:115:9:115:11 | ControlFlowNode for tar | provenance | | -| TarSlipImprov.py:111:7:111:39 | ControlFlowNode for Attribute() | TarSlipImprov.py:111:1:111:3 | ControlFlowNode for tar | provenance | | -| TarSlipImprov.py:123:6:123:29 | ControlFlowNode for Attribute() | TarSlipImprov.py:123:34:123:36 | ControlFlowNode for tar | provenance | | -| TarSlipImprov.py:123:34:123:36 | ControlFlowNode for tar | TarSlipImprov.py:124:9:124:13 | ControlFlowNode for entry | provenance | | -| TarSlipImprov.py:124:9:124:13 | ControlFlowNode for entry | TarSlipImprov.py:125:36:125:40 | ControlFlowNode for entry | provenance | | -| TarSlipImprov.py:129:6:129:26 | ControlFlowNode for Attribute() | TarSlipImprov.py:129:31:129:33 | ControlFlowNode for tar | provenance | | -| TarSlipImprov.py:129:31:129:33 | ControlFlowNode for tar | TarSlipImprov.py:130:5:130:7 | ControlFlowNode for tar | provenance | | -| TarSlipImprov.py:133:1:133:3 | ControlFlowNode for tar | 
TarSlipImprov.py:134:1:134:3 | ControlFlowNode for tar | provenance | | -| TarSlipImprov.py:133:7:133:39 | ControlFlowNode for Attribute() | TarSlipImprov.py:133:1:133:3 | ControlFlowNode for tar | provenance | | -| TarSlipImprov.py:141:6:141:29 | ControlFlowNode for Attribute() | TarSlipImprov.py:141:34:141:36 | ControlFlowNode for tar | provenance | | -| TarSlipImprov.py:141:34:141:36 | ControlFlowNode for tar | TarSlipImprov.py:142:9:142:13 | ControlFlowNode for entry | provenance | | -| TarSlipImprov.py:142:9:142:13 | ControlFlowNode for entry | TarSlipImprov.py:143:36:143:40 | ControlFlowNode for entry | provenance | | -| TarSlipImprov.py:151:14:151:50 | ControlFlowNode for closing() | TarSlipImprov.py:151:55:151:56 | ControlFlowNode for tf | provenance | | -| TarSlipImprov.py:151:22:151:49 | ControlFlowNode for Attribute() | TarSlipImprov.py:151:14:151:50 | ControlFlowNode for closing() | provenance | Config | -| TarSlipImprov.py:151:55:151:56 | ControlFlowNode for tf | TarSlipImprov.py:152:13:152:20 | ControlFlowNode for Yield | provenance | | -| TarSlipImprov.py:151:55:151:56 | ControlFlowNode for tf | TarSlipImprov.py:152:19:152:20 | ControlFlowNode for tf | provenance | | -| TarSlipImprov.py:152:13:152:20 | ControlFlowNode for Yield | TarSlipImprov.py:157:18:157:40 | ControlFlowNode for py2_tarxz() | provenance | | -| TarSlipImprov.py:152:19:152:20 | ControlFlowNode for tf | TarSlipImprov.py:157:18:157:40 | ControlFlowNode for py2_tarxz() | provenance | | -| TarSlipImprov.py:157:9:157:14 | ControlFlowNode for tar_cm | TarSlipImprov.py:162:20:162:23 | ControlFlowNode for tarc | provenance | | -| TarSlipImprov.py:157:18:157:40 | ControlFlowNode for py2_tarxz() | TarSlipImprov.py:157:9:157:14 | ControlFlowNode for tar_cm | provenance | | -| TarSlipImprov.py:159:9:159:14 | ControlFlowNode for tar_cm | TarSlipImprov.py:162:20:162:23 | ControlFlowNode for tarc | provenance | | -| TarSlipImprov.py:159:18:159:52 | ControlFlowNode for closing() | 
TarSlipImprov.py:159:9:159:14 | ControlFlowNode for tar_cm | provenance | | -| TarSlipImprov.py:159:26:159:51 | ControlFlowNode for Attribute() | TarSlipImprov.py:159:18:159:52 | ControlFlowNode for closing() | provenance | Config | -| TarSlipImprov.py:162:20:162:23 | ControlFlowNode for tarc | TarSlipImprov.py:169:9:169:12 | ControlFlowNode for tarc | provenance | | -| TarSlipImprov.py:176:6:176:31 | ControlFlowNode for Attribute() | TarSlipImprov.py:176:36:176:38 | ControlFlowNode for tar | provenance | | -| TarSlipImprov.py:176:36:176:38 | ControlFlowNode for tar | TarSlipImprov.py:177:9:177:13 | ControlFlowNode for entry | provenance | | -| TarSlipImprov.py:177:9:177:13 | ControlFlowNode for entry | TarSlipImprov.py:178:36:178:40 | ControlFlowNode for entry | provenance | | -| TarSlipImprov.py:182:6:182:31 | ControlFlowNode for Attribute() | TarSlipImprov.py:182:36:182:38 | ControlFlowNode for tar | provenance | | -| TarSlipImprov.py:182:36:182:38 | ControlFlowNode for tar | TarSlipImprov.py:183:9:183:13 | ControlFlowNode for entry | provenance | | -| TarSlipImprov.py:183:9:183:13 | ControlFlowNode for entry | TarSlipImprov.py:184:21:184:25 | ControlFlowNode for entry | provenance | | -| TarSlipImprov.py:188:1:188:3 | ControlFlowNode for tar | TarSlipImprov.py:189:1:189:3 | ControlFlowNode for tar | provenance | | -| TarSlipImprov.py:188:7:188:27 | ControlFlowNode for Attribute() | TarSlipImprov.py:188:1:188:3 | ControlFlowNode for tar | provenance | | -| TarSlipImprov.py:193:6:193:31 | ControlFlowNode for Attribute() | TarSlipImprov.py:193:36:193:38 | ControlFlowNode for tar | provenance | | -| TarSlipImprov.py:193:36:193:38 | ControlFlowNode for tar | TarSlipImprov.py:194:49:194:51 | ControlFlowNode for tar | provenance | | -| TarSlipImprov.py:210:6:210:43 | ControlFlowNode for Attribute() | TarSlipImprov.py:210:48:210:50 | ControlFlowNode for tar | provenance | | -| TarSlipImprov.py:210:48:210:50 | ControlFlowNode for tar | TarSlipImprov.py:211:5:211:7 | 
ControlFlowNode for tar | provenance | | -| TarSlipImprov.py:231:6:231:38 | ControlFlowNode for Attribute() | TarSlipImprov.py:231:43:231:52 | ControlFlowNode for corpus_tar | provenance | | -| TarSlipImprov.py:231:43:231:52 | ControlFlowNode for corpus_tar | TarSlipImprov.py:233:9:233:9 | ControlFlowNode for f | provenance | | -| TarSlipImprov.py:233:9:233:9 | ControlFlowNode for f | TarSlipImprov.py:235:28:235:28 | ControlFlowNode for f | provenance | | -| TarSlipImprov.py:235:13:235:19 | [post] ControlFlowNode for members | TarSlipImprov.py:236:44:236:50 | ControlFlowNode for members | provenance | | -| TarSlipImprov.py:235:28:235:28 | ControlFlowNode for f | TarSlipImprov.py:235:13:235:19 | [post] ControlFlowNode for members | provenance | list.append | -| TarSlipImprov.py:258:6:258:26 | ControlFlowNode for Attribute() | TarSlipImprov.py:258:31:258:33 | ControlFlowNode for tar | provenance | | -| TarSlipImprov.py:258:31:258:33 | ControlFlowNode for tar | TarSlipImprov.py:259:9:259:13 | ControlFlowNode for entry | provenance | | -| TarSlipImprov.py:259:9:259:13 | ControlFlowNode for entry | TarSlipImprov.py:261:25:261:29 | ControlFlowNode for entry | provenance | | -| TarSlipImprov.py:264:6:264:38 | ControlFlowNode for Attribute() | TarSlipImprov.py:264:43:264:45 | ControlFlowNode for tar | provenance | | -| TarSlipImprov.py:264:43:264:45 | ControlFlowNode for tar | TarSlipImprov.py:265:9:265:13 | ControlFlowNode for entry | provenance | | -| TarSlipImprov.py:265:9:265:13 | ControlFlowNode for entry | TarSlipImprov.py:268:21:268:25 | ControlFlowNode for entry | provenance | | -| TarSlipImprov.py:271:6:271:39 | ControlFlowNode for Attribute() | TarSlipImprov.py:271:44:271:46 | ControlFlowNode for tar | provenance | | -| TarSlipImprov.py:271:44:271:46 | ControlFlowNode for tar | TarSlipImprov.py:272:9:272:13 | ControlFlowNode for entry | provenance | | -| TarSlipImprov.py:272:9:272:13 | ControlFlowNode for entry | TarSlipImprov.py:274:25:274:29 | ControlFlowNode 
for entry | provenance | | -| TarSlipImprov.py:276:6:276:38 | ControlFlowNode for Attribute() | TarSlipImprov.py:276:43:276:45 | ControlFlowNode for tar | provenance | | -| TarSlipImprov.py:276:43:276:45 | ControlFlowNode for tar | TarSlipImprov.py:277:9:277:13 | ControlFlowNode for entry | provenance | | -| TarSlipImprov.py:277:9:277:13 | ControlFlowNode for entry | TarSlipImprov.py:280:21:280:25 | ControlFlowNode for entry | provenance | | -| TarSlipImprov.py:283:6:283:51 | ControlFlowNode for Attribute() | TarSlipImprov.py:283:56:283:58 | ControlFlowNode for tar | provenance | | -| TarSlipImprov.py:283:56:283:58 | ControlFlowNode for tar | TarSlipImprov.py:284:5:284:7 | ControlFlowNode for tar | provenance | | -| TarSlipImprov.py:287:1:287:3 | ControlFlowNode for tar | TarSlipImprov.py:288:49:288:51 | ControlFlowNode for tar | provenance | | -| TarSlipImprov.py:287:7:287:28 | ControlFlowNode for Attribute() | TarSlipImprov.py:287:1:287:3 | ControlFlowNode for tar | provenance | | -| TarSlipImprov.py:292:1:292:3 | ControlFlowNode for tar | TarSlipImprov.py:293:1:293:3 | ControlFlowNode for tar | provenance | | -| TarSlipImprov.py:292:7:292:39 | ControlFlowNode for Attribute() | TarSlipImprov.py:292:1:292:3 | ControlFlowNode for tar | provenance | | -| TarSlipImprov.py:300:6:300:51 | ControlFlowNode for Attribute() | TarSlipImprov.py:300:56:300:58 | ControlFlowNode for tar | provenance | | -| TarSlipImprov.py:300:56:300:58 | ControlFlowNode for tar | TarSlipImprov.py:301:49:301:51 | ControlFlowNode for tar | provenance | | -| TarSlipImprov.py:304:1:304:3 | ControlFlowNode for tar | TarSlipImprov.py:306:5:306:10 | ControlFlowNode for member | provenance | | -| TarSlipImprov.py:304:7:304:39 | ControlFlowNode for Attribute() | TarSlipImprov.py:304:1:304:3 | ControlFlowNode for tar | provenance | | -| TarSlipImprov.py:306:5:306:10 | ControlFlowNode for member | TarSlipImprov.py:309:19:309:24 | ControlFlowNode for member | provenance | | -| 
TarSlipImprov.py:309:5:309:10 | [post] ControlFlowNode for result | TarSlipImprov.py:310:49:310:54 | ControlFlowNode for result | provenance | | -| TarSlipImprov.py:309:19:309:24 | ControlFlowNode for member | TarSlipImprov.py:309:5:309:10 | [post] ControlFlowNode for result | provenance | list.append | +| TarSlipImprov.py:15:1:15:3 | tar | TarSlipImprov.py:17:5:17:10 | member | provenance | | +| TarSlipImprov.py:15:7:15:39 | After Attribute() | TarSlipImprov.py:15:1:15:3 | tar | provenance | | +| TarSlipImprov.py:17:5:17:10 | member | TarSlipImprov.py:20:19:20:24 | member | provenance | | +| TarSlipImprov.py:20:5:20:10 | [post] result | TarSlipImprov.py:22:35:22:40 | result | provenance | | +| TarSlipImprov.py:20:19:20:24 | member | TarSlipImprov.py:20:5:20:10 | [post] result | provenance | list.append | +| TarSlipImprov.py:26:21:26:27 | tarfile | TarSlipImprov.py:28:9:28:14 | member | provenance | | +| TarSlipImprov.py:28:9:28:14 | member | TarSlipImprov.py:35:23:35:28 | member | provenance | | +| TarSlipImprov.py:35:9:35:14 | [post] result | TarSlipImprov.py:36:12:36:17 | result | provenance | | +| TarSlipImprov.py:35:23:35:28 | member | TarSlipImprov.py:35:9:35:14 | [post] result | provenance | list.append | +| TarSlipImprov.py:38:1:38:3 | tar | TarSlipImprov.py:39:65:39:67 | tar | provenance | | +| TarSlipImprov.py:38:7:38:39 | After Attribute() | TarSlipImprov.py:38:1:38:3 | tar | provenance | | +| TarSlipImprov.py:39:65:39:67 | tar | TarSlipImprov.py:26:21:26:27 | tarfile | provenance | | +| TarSlipImprov.py:39:65:39:67 | tar | TarSlipImprov.py:39:49:39:68 | After members_filter1() | provenance | list.append | +| TarSlipImprov.py:43:6:43:38 | After Attribute() | TarSlipImprov.py:43:43:43:45 | tar | provenance | | +| TarSlipImprov.py:43:43:43:45 | tar | TarSlipImprov.py:44:9:44:13 | entry | provenance | | +| TarSlipImprov.py:44:9:44:13 | entry | TarSlipImprov.py:47:21:47:25 | entry | provenance | | +| TarSlipImprov.py:54:6:54:38 | After Attribute() | 
TarSlipImprov.py:54:43:54:45 | tar | provenance | | +| TarSlipImprov.py:54:43:54:45 | tar | TarSlipImprov.py:56:9:56:13 | entry | provenance | | +| TarSlipImprov.py:56:9:56:13 | entry | TarSlipImprov.py:58:21:58:25 | entry | provenance | | +| TarSlipImprov.py:88:6:88:43 | After Attribute() | TarSlipImprov.py:88:48:88:50 | tar | provenance | | +| TarSlipImprov.py:88:48:88:50 | tar | TarSlipImprov.py:91:5:91:7 | tar | provenance | | +| TarSlipImprov.py:111:1:111:3 | tar | TarSlipImprov.py:115:9:115:11 | tar | provenance | | +| TarSlipImprov.py:111:7:111:39 | After Attribute() | TarSlipImprov.py:111:1:111:3 | tar | provenance | | +| TarSlipImprov.py:123:6:123:29 | After Attribute() | TarSlipImprov.py:123:34:123:36 | tar | provenance | | +| TarSlipImprov.py:123:34:123:36 | tar | TarSlipImprov.py:124:9:124:13 | entry | provenance | | +| TarSlipImprov.py:124:9:124:13 | entry | TarSlipImprov.py:125:36:125:40 | entry | provenance | | +| TarSlipImprov.py:129:6:129:26 | After Attribute() | TarSlipImprov.py:129:31:129:33 | tar | provenance | | +| TarSlipImprov.py:129:31:129:33 | tar | TarSlipImprov.py:130:5:130:7 | tar | provenance | | +| TarSlipImprov.py:133:1:133:3 | tar | TarSlipImprov.py:134:1:134:3 | tar | provenance | | +| TarSlipImprov.py:133:7:133:39 | After Attribute() | TarSlipImprov.py:133:1:133:3 | tar | provenance | | +| TarSlipImprov.py:141:6:141:29 | After Attribute() | TarSlipImprov.py:141:34:141:36 | tar | provenance | | +| TarSlipImprov.py:141:34:141:36 | tar | TarSlipImprov.py:142:9:142:13 | entry | provenance | | +| TarSlipImprov.py:142:9:142:13 | entry | TarSlipImprov.py:143:36:143:40 | entry | provenance | | +| TarSlipImprov.py:151:14:151:50 | After closing() | TarSlipImprov.py:151:55:151:56 | tf | provenance | | +| TarSlipImprov.py:151:22:151:49 | After Attribute() | TarSlipImprov.py:151:14:151:50 | After closing() | provenance | Config | +| TarSlipImprov.py:151:55:151:56 | tf | TarSlipImprov.py:152:13:152:20 | After Yield | provenance | | +| 
TarSlipImprov.py:151:55:151:56 | tf | TarSlipImprov.py:152:19:152:20 | tf | provenance | | +| TarSlipImprov.py:152:13:152:20 | After Yield | TarSlipImprov.py:157:18:157:40 | After py2_tarxz() | provenance | | +| TarSlipImprov.py:152:19:152:20 | tf | TarSlipImprov.py:157:18:157:40 | After py2_tarxz() | provenance | | +| TarSlipImprov.py:157:9:157:14 | tar_cm | TarSlipImprov.py:162:20:162:23 | tarc | provenance | | +| TarSlipImprov.py:157:18:157:40 | After py2_tarxz() | TarSlipImprov.py:157:9:157:14 | tar_cm | provenance | | +| TarSlipImprov.py:159:9:159:14 | tar_cm | TarSlipImprov.py:162:20:162:23 | tarc | provenance | | +| TarSlipImprov.py:159:18:159:52 | After closing() | TarSlipImprov.py:159:9:159:14 | tar_cm | provenance | | +| TarSlipImprov.py:159:26:159:51 | After Attribute() | TarSlipImprov.py:159:18:159:52 | After closing() | provenance | Config | +| TarSlipImprov.py:162:20:162:23 | tarc | TarSlipImprov.py:169:9:169:12 | tarc | provenance | | +| TarSlipImprov.py:176:6:176:31 | After Attribute() | TarSlipImprov.py:176:36:176:38 | tar | provenance | | +| TarSlipImprov.py:176:36:176:38 | tar | TarSlipImprov.py:177:9:177:13 | entry | provenance | | +| TarSlipImprov.py:177:9:177:13 | entry | TarSlipImprov.py:178:36:178:40 | entry | provenance | | +| TarSlipImprov.py:182:6:182:31 | After Attribute() | TarSlipImprov.py:182:36:182:38 | tar | provenance | | +| TarSlipImprov.py:182:36:182:38 | tar | TarSlipImprov.py:183:9:183:13 | entry | provenance | | +| TarSlipImprov.py:183:9:183:13 | entry | TarSlipImprov.py:184:21:184:25 | entry | provenance | | +| TarSlipImprov.py:188:1:188:3 | tar | TarSlipImprov.py:189:1:189:3 | tar | provenance | | +| TarSlipImprov.py:188:7:188:27 | After Attribute() | TarSlipImprov.py:188:1:188:3 | tar | provenance | | +| TarSlipImprov.py:193:6:193:31 | After Attribute() | TarSlipImprov.py:193:36:193:38 | tar | provenance | | +| TarSlipImprov.py:193:36:193:38 | tar | TarSlipImprov.py:194:49:194:51 | tar | provenance | | +| 
TarSlipImprov.py:210:6:210:43 | After Attribute() | TarSlipImprov.py:210:48:210:50 | tar | provenance | | +| TarSlipImprov.py:210:48:210:50 | tar | TarSlipImprov.py:211:5:211:7 | tar | provenance | | +| TarSlipImprov.py:231:6:231:38 | After Attribute() | TarSlipImprov.py:231:43:231:52 | corpus_tar | provenance | | +| TarSlipImprov.py:231:43:231:52 | corpus_tar | TarSlipImprov.py:233:9:233:9 | f | provenance | | +| TarSlipImprov.py:233:9:233:9 | f | TarSlipImprov.py:235:28:235:28 | f | provenance | | +| TarSlipImprov.py:235:13:235:19 | [post] members | TarSlipImprov.py:236:44:236:50 | members | provenance | | +| TarSlipImprov.py:235:28:235:28 | f | TarSlipImprov.py:235:13:235:19 | [post] members | provenance | list.append | +| TarSlipImprov.py:258:6:258:26 | After Attribute() | TarSlipImprov.py:258:31:258:33 | tar | provenance | | +| TarSlipImprov.py:258:31:258:33 | tar | TarSlipImprov.py:259:9:259:13 | entry | provenance | | +| TarSlipImprov.py:259:9:259:13 | entry | TarSlipImprov.py:261:25:261:29 | entry | provenance | | +| TarSlipImprov.py:264:6:264:38 | After Attribute() | TarSlipImprov.py:264:43:264:45 | tar | provenance | | +| TarSlipImprov.py:264:43:264:45 | tar | TarSlipImprov.py:265:9:265:13 | entry | provenance | | +| TarSlipImprov.py:265:9:265:13 | entry | TarSlipImprov.py:268:21:268:25 | entry | provenance | | +| TarSlipImprov.py:271:6:271:39 | After Attribute() | TarSlipImprov.py:271:44:271:46 | tar | provenance | | +| TarSlipImprov.py:271:44:271:46 | tar | TarSlipImprov.py:272:9:272:13 | entry | provenance | | +| TarSlipImprov.py:272:9:272:13 | entry | TarSlipImprov.py:274:25:274:29 | entry | provenance | | +| TarSlipImprov.py:276:6:276:38 | After Attribute() | TarSlipImprov.py:276:43:276:45 | tar | provenance | | +| TarSlipImprov.py:276:43:276:45 | tar | TarSlipImprov.py:277:9:277:13 | entry | provenance | | +| TarSlipImprov.py:277:9:277:13 | entry | TarSlipImprov.py:280:21:280:25 | entry | provenance | | +| TarSlipImprov.py:283:6:283:51 | After 
Attribute() | TarSlipImprov.py:283:56:283:58 | tar | provenance | | +| TarSlipImprov.py:283:56:283:58 | tar | TarSlipImprov.py:284:5:284:7 | tar | provenance | | +| TarSlipImprov.py:287:1:287:3 | tar | TarSlipImprov.py:288:49:288:51 | tar | provenance | | +| TarSlipImprov.py:287:7:287:28 | After Attribute() | TarSlipImprov.py:287:1:287:3 | tar | provenance | | +| TarSlipImprov.py:292:1:292:3 | tar | TarSlipImprov.py:293:1:293:3 | tar | provenance | | +| TarSlipImprov.py:292:7:292:39 | After Attribute() | TarSlipImprov.py:292:1:292:3 | tar | provenance | | +| TarSlipImprov.py:300:6:300:51 | After Attribute() | TarSlipImprov.py:300:56:300:58 | tar | provenance | | +| TarSlipImprov.py:300:56:300:58 | tar | TarSlipImprov.py:301:49:301:51 | tar | provenance | | +| TarSlipImprov.py:304:1:304:3 | tar | TarSlipImprov.py:306:5:306:10 | member | provenance | | +| TarSlipImprov.py:304:7:304:39 | After Attribute() | TarSlipImprov.py:304:1:304:3 | tar | provenance | | +| TarSlipImprov.py:306:5:306:10 | member | TarSlipImprov.py:309:19:309:24 | member | provenance | | +| TarSlipImprov.py:309:5:309:10 | [post] result | TarSlipImprov.py:310:49:310:54 | result | provenance | | +| TarSlipImprov.py:309:19:309:24 | member | TarSlipImprov.py:309:5:309:10 | [post] result | provenance | list.append | nodes -| TarSlipImprov.py:15:1:15:3 | ControlFlowNode for tar | semmle.label | ControlFlowNode for tar | -| TarSlipImprov.py:15:7:15:39 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| TarSlipImprov.py:17:5:17:10 | ControlFlowNode for member | semmle.label | ControlFlowNode for member | -| TarSlipImprov.py:20:5:20:10 | [post] ControlFlowNode for result | semmle.label | [post] ControlFlowNode for result | -| TarSlipImprov.py:20:19:20:24 | ControlFlowNode for member | semmle.label | ControlFlowNode for member | -| TarSlipImprov.py:22:35:22:40 | ControlFlowNode for result | semmle.label | ControlFlowNode for result | -| TarSlipImprov.py:26:21:26:27 | 
ControlFlowNode for tarfile | semmle.label | ControlFlowNode for tarfile | -| TarSlipImprov.py:28:9:28:14 | ControlFlowNode for member | semmle.label | ControlFlowNode for member | -| TarSlipImprov.py:35:9:35:14 | [post] ControlFlowNode for result | semmle.label | [post] ControlFlowNode for result | -| TarSlipImprov.py:35:23:35:28 | ControlFlowNode for member | semmle.label | ControlFlowNode for member | -| TarSlipImprov.py:36:12:36:17 | ControlFlowNode for result | semmle.label | ControlFlowNode for result | -| TarSlipImprov.py:38:1:38:3 | ControlFlowNode for tar | semmle.label | ControlFlowNode for tar | -| TarSlipImprov.py:38:7:38:39 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| TarSlipImprov.py:39:49:39:68 | ControlFlowNode for members_filter1() | semmle.label | ControlFlowNode for members_filter1() | -| TarSlipImprov.py:39:65:39:67 | ControlFlowNode for tar | semmle.label | ControlFlowNode for tar | -| TarSlipImprov.py:43:6:43:38 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| TarSlipImprov.py:43:43:43:45 | ControlFlowNode for tar | semmle.label | ControlFlowNode for tar | -| TarSlipImprov.py:44:9:44:13 | ControlFlowNode for entry | semmle.label | ControlFlowNode for entry | -| TarSlipImprov.py:47:21:47:25 | ControlFlowNode for entry | semmle.label | ControlFlowNode for entry | -| TarSlipImprov.py:54:6:54:38 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| TarSlipImprov.py:54:43:54:45 | ControlFlowNode for tar | semmle.label | ControlFlowNode for tar | -| TarSlipImprov.py:56:9:56:13 | ControlFlowNode for entry | semmle.label | ControlFlowNode for entry | -| TarSlipImprov.py:58:21:58:25 | ControlFlowNode for entry | semmle.label | ControlFlowNode for entry | -| TarSlipImprov.py:88:6:88:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| TarSlipImprov.py:88:48:88:50 | ControlFlowNode for tar | 
semmle.label | ControlFlowNode for tar | -| TarSlipImprov.py:91:5:91:7 | ControlFlowNode for tar | semmle.label | ControlFlowNode for tar | -| TarSlipImprov.py:111:1:111:3 | ControlFlowNode for tar | semmle.label | ControlFlowNode for tar | -| TarSlipImprov.py:111:7:111:39 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| TarSlipImprov.py:115:9:115:11 | ControlFlowNode for tar | semmle.label | ControlFlowNode for tar | -| TarSlipImprov.py:123:6:123:29 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| TarSlipImprov.py:123:34:123:36 | ControlFlowNode for tar | semmle.label | ControlFlowNode for tar | -| TarSlipImprov.py:124:9:124:13 | ControlFlowNode for entry | semmle.label | ControlFlowNode for entry | -| TarSlipImprov.py:125:36:125:40 | ControlFlowNode for entry | semmle.label | ControlFlowNode for entry | -| TarSlipImprov.py:129:6:129:26 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| TarSlipImprov.py:129:31:129:33 | ControlFlowNode for tar | semmle.label | ControlFlowNode for tar | -| TarSlipImprov.py:130:5:130:7 | ControlFlowNode for tar | semmle.label | ControlFlowNode for tar | -| TarSlipImprov.py:133:1:133:3 | ControlFlowNode for tar | semmle.label | ControlFlowNode for tar | -| TarSlipImprov.py:133:7:133:39 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| TarSlipImprov.py:134:1:134:3 | ControlFlowNode for tar | semmle.label | ControlFlowNode for tar | -| TarSlipImprov.py:141:6:141:29 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| TarSlipImprov.py:141:34:141:36 | ControlFlowNode for tar | semmle.label | ControlFlowNode for tar | -| TarSlipImprov.py:142:9:142:13 | ControlFlowNode for entry | semmle.label | ControlFlowNode for entry | -| TarSlipImprov.py:143:36:143:40 | ControlFlowNode for entry | semmle.label | ControlFlowNode for entry | -| 
TarSlipImprov.py:151:14:151:50 | ControlFlowNode for closing() | semmle.label | ControlFlowNode for closing() | -| TarSlipImprov.py:151:22:151:49 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| TarSlipImprov.py:151:55:151:56 | ControlFlowNode for tf | semmle.label | ControlFlowNode for tf | -| TarSlipImprov.py:152:13:152:20 | ControlFlowNode for Yield | semmle.label | ControlFlowNode for Yield | -| TarSlipImprov.py:152:19:152:20 | ControlFlowNode for tf | semmle.label | ControlFlowNode for tf | -| TarSlipImprov.py:157:9:157:14 | ControlFlowNode for tar_cm | semmle.label | ControlFlowNode for tar_cm | -| TarSlipImprov.py:157:18:157:40 | ControlFlowNode for py2_tarxz() | semmle.label | ControlFlowNode for py2_tarxz() | -| TarSlipImprov.py:159:9:159:14 | ControlFlowNode for tar_cm | semmle.label | ControlFlowNode for tar_cm | -| TarSlipImprov.py:159:18:159:52 | ControlFlowNode for closing() | semmle.label | ControlFlowNode for closing() | -| TarSlipImprov.py:159:26:159:51 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| TarSlipImprov.py:162:20:162:23 | ControlFlowNode for tarc | semmle.label | ControlFlowNode for tarc | -| TarSlipImprov.py:169:9:169:12 | ControlFlowNode for tarc | semmle.label | ControlFlowNode for tarc | -| TarSlipImprov.py:176:6:176:31 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| TarSlipImprov.py:176:36:176:38 | ControlFlowNode for tar | semmle.label | ControlFlowNode for tar | -| TarSlipImprov.py:177:9:177:13 | ControlFlowNode for entry | semmle.label | ControlFlowNode for entry | -| TarSlipImprov.py:178:36:178:40 | ControlFlowNode for entry | semmle.label | ControlFlowNode for entry | -| TarSlipImprov.py:182:6:182:31 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| TarSlipImprov.py:182:36:182:38 | ControlFlowNode for tar | semmle.label | ControlFlowNode for tar | -| 
TarSlipImprov.py:183:9:183:13 | ControlFlowNode for entry | semmle.label | ControlFlowNode for entry | -| TarSlipImprov.py:184:21:184:25 | ControlFlowNode for entry | semmle.label | ControlFlowNode for entry | -| TarSlipImprov.py:188:1:188:3 | ControlFlowNode for tar | semmle.label | ControlFlowNode for tar | -| TarSlipImprov.py:188:7:188:27 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| TarSlipImprov.py:189:1:189:3 | ControlFlowNode for tar | semmle.label | ControlFlowNode for tar | -| TarSlipImprov.py:193:6:193:31 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| TarSlipImprov.py:193:36:193:38 | ControlFlowNode for tar | semmle.label | ControlFlowNode for tar | -| TarSlipImprov.py:194:49:194:51 | ControlFlowNode for tar | semmle.label | ControlFlowNode for tar | -| TarSlipImprov.py:210:6:210:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| TarSlipImprov.py:210:48:210:50 | ControlFlowNode for tar | semmle.label | ControlFlowNode for tar | -| TarSlipImprov.py:211:5:211:7 | ControlFlowNode for tar | semmle.label | ControlFlowNode for tar | -| TarSlipImprov.py:231:6:231:38 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| TarSlipImprov.py:231:43:231:52 | ControlFlowNode for corpus_tar | semmle.label | ControlFlowNode for corpus_tar | -| TarSlipImprov.py:233:9:233:9 | ControlFlowNode for f | semmle.label | ControlFlowNode for f | -| TarSlipImprov.py:235:13:235:19 | [post] ControlFlowNode for members | semmle.label | [post] ControlFlowNode for members | -| TarSlipImprov.py:235:28:235:28 | ControlFlowNode for f | semmle.label | ControlFlowNode for f | -| TarSlipImprov.py:236:44:236:50 | ControlFlowNode for members | semmle.label | ControlFlowNode for members | -| TarSlipImprov.py:254:1:254:31 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| TarSlipImprov.py:258:6:258:26 | 
ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| TarSlipImprov.py:258:31:258:33 | ControlFlowNode for tar | semmle.label | ControlFlowNode for tar | -| TarSlipImprov.py:259:9:259:13 | ControlFlowNode for entry | semmle.label | ControlFlowNode for entry | -| TarSlipImprov.py:261:25:261:29 | ControlFlowNode for entry | semmle.label | ControlFlowNode for entry | -| TarSlipImprov.py:264:6:264:38 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| TarSlipImprov.py:264:43:264:45 | ControlFlowNode for tar | semmle.label | ControlFlowNode for tar | -| TarSlipImprov.py:265:9:265:13 | ControlFlowNode for entry | semmle.label | ControlFlowNode for entry | -| TarSlipImprov.py:268:21:268:25 | ControlFlowNode for entry | semmle.label | ControlFlowNode for entry | -| TarSlipImprov.py:271:6:271:39 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| TarSlipImprov.py:271:44:271:46 | ControlFlowNode for tar | semmle.label | ControlFlowNode for tar | -| TarSlipImprov.py:272:9:272:13 | ControlFlowNode for entry | semmle.label | ControlFlowNode for entry | -| TarSlipImprov.py:274:25:274:29 | ControlFlowNode for entry | semmle.label | ControlFlowNode for entry | -| TarSlipImprov.py:276:6:276:38 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| TarSlipImprov.py:276:43:276:45 | ControlFlowNode for tar | semmle.label | ControlFlowNode for tar | -| TarSlipImprov.py:277:9:277:13 | ControlFlowNode for entry | semmle.label | ControlFlowNode for entry | -| TarSlipImprov.py:280:21:280:25 | ControlFlowNode for entry | semmle.label | ControlFlowNode for entry | -| TarSlipImprov.py:283:6:283:51 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| TarSlipImprov.py:283:56:283:58 | ControlFlowNode for tar | semmle.label | ControlFlowNode for tar | -| TarSlipImprov.py:284:5:284:7 | ControlFlowNode for tar | semmle.label | 
ControlFlowNode for tar | -| TarSlipImprov.py:287:1:287:3 | ControlFlowNode for tar | semmle.label | ControlFlowNode for tar | -| TarSlipImprov.py:287:7:287:28 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| TarSlipImprov.py:288:49:288:51 | ControlFlowNode for tar | semmle.label | ControlFlowNode for tar | -| TarSlipImprov.py:292:1:292:3 | ControlFlowNode for tar | semmle.label | ControlFlowNode for tar | -| TarSlipImprov.py:292:7:292:39 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| TarSlipImprov.py:293:1:293:3 | ControlFlowNode for tar | semmle.label | ControlFlowNode for tar | -| TarSlipImprov.py:300:6:300:51 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| TarSlipImprov.py:300:56:300:58 | ControlFlowNode for tar | semmle.label | ControlFlowNode for tar | -| TarSlipImprov.py:301:49:301:51 | ControlFlowNode for tar | semmle.label | ControlFlowNode for tar | -| TarSlipImprov.py:304:1:304:3 | ControlFlowNode for tar | semmle.label | ControlFlowNode for tar | -| TarSlipImprov.py:304:7:304:39 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| TarSlipImprov.py:306:5:306:10 | ControlFlowNode for member | semmle.label | ControlFlowNode for member | -| TarSlipImprov.py:309:5:309:10 | [post] ControlFlowNode for result | semmle.label | [post] ControlFlowNode for result | -| TarSlipImprov.py:309:19:309:24 | ControlFlowNode for member | semmle.label | ControlFlowNode for member | -| TarSlipImprov.py:310:49:310:54 | ControlFlowNode for result | semmle.label | ControlFlowNode for result | -| TarSlipImprov.py:316:1:316:46 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | +| TarSlipImprov.py:15:1:15:3 | tar | semmle.label | tar | +| TarSlipImprov.py:15:7:15:39 | After Attribute() | semmle.label | After Attribute() | +| TarSlipImprov.py:17:5:17:10 | member | semmle.label | member | +| 
TarSlipImprov.py:20:5:20:10 | [post] result | semmle.label | [post] result | +| TarSlipImprov.py:20:19:20:24 | member | semmle.label | member | +| TarSlipImprov.py:22:35:22:40 | result | semmle.label | result | +| TarSlipImprov.py:26:21:26:27 | tarfile | semmle.label | tarfile | +| TarSlipImprov.py:28:9:28:14 | member | semmle.label | member | +| TarSlipImprov.py:35:9:35:14 | [post] result | semmle.label | [post] result | +| TarSlipImprov.py:35:23:35:28 | member | semmle.label | member | +| TarSlipImprov.py:36:12:36:17 | result | semmle.label | result | +| TarSlipImprov.py:38:1:38:3 | tar | semmle.label | tar | +| TarSlipImprov.py:38:7:38:39 | After Attribute() | semmle.label | After Attribute() | +| TarSlipImprov.py:39:49:39:68 | After members_filter1() | semmle.label | After members_filter1() | +| TarSlipImprov.py:39:65:39:67 | tar | semmle.label | tar | +| TarSlipImprov.py:43:6:43:38 | After Attribute() | semmle.label | After Attribute() | +| TarSlipImprov.py:43:43:43:45 | tar | semmle.label | tar | +| TarSlipImprov.py:44:9:44:13 | entry | semmle.label | entry | +| TarSlipImprov.py:47:21:47:25 | entry | semmle.label | entry | +| TarSlipImprov.py:54:6:54:38 | After Attribute() | semmle.label | After Attribute() | +| TarSlipImprov.py:54:43:54:45 | tar | semmle.label | tar | +| TarSlipImprov.py:56:9:56:13 | entry | semmle.label | entry | +| TarSlipImprov.py:58:21:58:25 | entry | semmle.label | entry | +| TarSlipImprov.py:88:6:88:43 | After Attribute() | semmle.label | After Attribute() | +| TarSlipImprov.py:88:48:88:50 | tar | semmle.label | tar | +| TarSlipImprov.py:91:5:91:7 | tar | semmle.label | tar | +| TarSlipImprov.py:111:1:111:3 | tar | semmle.label | tar | +| TarSlipImprov.py:111:7:111:39 | After Attribute() | semmle.label | After Attribute() | +| TarSlipImprov.py:115:9:115:11 | tar | semmle.label | tar | +| TarSlipImprov.py:123:6:123:29 | After Attribute() | semmle.label | After Attribute() | +| TarSlipImprov.py:123:34:123:36 | tar | semmle.label | tar | 
+| TarSlipImprov.py:124:9:124:13 | entry | semmle.label | entry | +| TarSlipImprov.py:125:36:125:40 | entry | semmle.label | entry | +| TarSlipImprov.py:129:6:129:26 | After Attribute() | semmle.label | After Attribute() | +| TarSlipImprov.py:129:31:129:33 | tar | semmle.label | tar | +| TarSlipImprov.py:130:5:130:7 | tar | semmle.label | tar | +| TarSlipImprov.py:133:1:133:3 | tar | semmle.label | tar | +| TarSlipImprov.py:133:7:133:39 | After Attribute() | semmle.label | After Attribute() | +| TarSlipImprov.py:134:1:134:3 | tar | semmle.label | tar | +| TarSlipImprov.py:141:6:141:29 | After Attribute() | semmle.label | After Attribute() | +| TarSlipImprov.py:141:34:141:36 | tar | semmle.label | tar | +| TarSlipImprov.py:142:9:142:13 | entry | semmle.label | entry | +| TarSlipImprov.py:143:36:143:40 | entry | semmle.label | entry | +| TarSlipImprov.py:151:14:151:50 | After closing() | semmle.label | After closing() | +| TarSlipImprov.py:151:22:151:49 | After Attribute() | semmle.label | After Attribute() | +| TarSlipImprov.py:151:55:151:56 | tf | semmle.label | tf | +| TarSlipImprov.py:152:13:152:20 | After Yield | semmle.label | After Yield | +| TarSlipImprov.py:152:19:152:20 | tf | semmle.label | tf | +| TarSlipImprov.py:157:9:157:14 | tar_cm | semmle.label | tar_cm | +| TarSlipImprov.py:157:18:157:40 | After py2_tarxz() | semmle.label | After py2_tarxz() | +| TarSlipImprov.py:159:9:159:14 | tar_cm | semmle.label | tar_cm | +| TarSlipImprov.py:159:18:159:52 | After closing() | semmle.label | After closing() | +| TarSlipImprov.py:159:26:159:51 | After Attribute() | semmle.label | After Attribute() | +| TarSlipImprov.py:162:20:162:23 | tarc | semmle.label | tarc | +| TarSlipImprov.py:169:9:169:12 | tarc | semmle.label | tarc | +| TarSlipImprov.py:176:6:176:31 | After Attribute() | semmle.label | After Attribute() | +| TarSlipImprov.py:176:36:176:38 | tar | semmle.label | tar | +| TarSlipImprov.py:177:9:177:13 | entry | semmle.label | entry | +| 
TarSlipImprov.py:178:36:178:40 | entry | semmle.label | entry | +| TarSlipImprov.py:182:6:182:31 | After Attribute() | semmle.label | After Attribute() | +| TarSlipImprov.py:182:36:182:38 | tar | semmle.label | tar | +| TarSlipImprov.py:183:9:183:13 | entry | semmle.label | entry | +| TarSlipImprov.py:184:21:184:25 | entry | semmle.label | entry | +| TarSlipImprov.py:188:1:188:3 | tar | semmle.label | tar | +| TarSlipImprov.py:188:7:188:27 | After Attribute() | semmle.label | After Attribute() | +| TarSlipImprov.py:189:1:189:3 | tar | semmle.label | tar | +| TarSlipImprov.py:193:6:193:31 | After Attribute() | semmle.label | After Attribute() | +| TarSlipImprov.py:193:36:193:38 | tar | semmle.label | tar | +| TarSlipImprov.py:194:49:194:51 | tar | semmle.label | tar | +| TarSlipImprov.py:210:6:210:43 | After Attribute() | semmle.label | After Attribute() | +| TarSlipImprov.py:210:48:210:50 | tar | semmle.label | tar | +| TarSlipImprov.py:211:5:211:7 | tar | semmle.label | tar | +| TarSlipImprov.py:231:6:231:38 | After Attribute() | semmle.label | After Attribute() | +| TarSlipImprov.py:231:43:231:52 | corpus_tar | semmle.label | corpus_tar | +| TarSlipImprov.py:233:9:233:9 | f | semmle.label | f | +| TarSlipImprov.py:235:13:235:19 | [post] members | semmle.label | [post] members | +| TarSlipImprov.py:235:28:235:28 | f | semmle.label | f | +| TarSlipImprov.py:236:44:236:50 | members | semmle.label | members | +| TarSlipImprov.py:254:1:254:31 | After Attribute() | semmle.label | After Attribute() | +| TarSlipImprov.py:258:6:258:26 | After Attribute() | semmle.label | After Attribute() | +| TarSlipImprov.py:258:31:258:33 | tar | semmle.label | tar | +| TarSlipImprov.py:259:9:259:13 | entry | semmle.label | entry | +| TarSlipImprov.py:261:25:261:29 | entry | semmle.label | entry | +| TarSlipImprov.py:264:6:264:38 | After Attribute() | semmle.label | After Attribute() | +| TarSlipImprov.py:264:43:264:45 | tar | semmle.label | tar | +| TarSlipImprov.py:265:9:265:13 | 
entry | semmle.label | entry | +| TarSlipImprov.py:268:21:268:25 | entry | semmle.label | entry | +| TarSlipImprov.py:271:6:271:39 | After Attribute() | semmle.label | After Attribute() | +| TarSlipImprov.py:271:44:271:46 | tar | semmle.label | tar | +| TarSlipImprov.py:272:9:272:13 | entry | semmle.label | entry | +| TarSlipImprov.py:274:25:274:29 | entry | semmle.label | entry | +| TarSlipImprov.py:276:6:276:38 | After Attribute() | semmle.label | After Attribute() | +| TarSlipImprov.py:276:43:276:45 | tar | semmle.label | tar | +| TarSlipImprov.py:277:9:277:13 | entry | semmle.label | entry | +| TarSlipImprov.py:280:21:280:25 | entry | semmle.label | entry | +| TarSlipImprov.py:283:6:283:51 | After Attribute() | semmle.label | After Attribute() | +| TarSlipImprov.py:283:56:283:58 | tar | semmle.label | tar | +| TarSlipImprov.py:284:5:284:7 | tar | semmle.label | tar | +| TarSlipImprov.py:287:1:287:3 | tar | semmle.label | tar | +| TarSlipImprov.py:287:7:287:28 | After Attribute() | semmle.label | After Attribute() | +| TarSlipImprov.py:288:49:288:51 | tar | semmle.label | tar | +| TarSlipImprov.py:292:1:292:3 | tar | semmle.label | tar | +| TarSlipImprov.py:292:7:292:39 | After Attribute() | semmle.label | After Attribute() | +| TarSlipImprov.py:293:1:293:3 | tar | semmle.label | tar | +| TarSlipImprov.py:300:6:300:51 | After Attribute() | semmle.label | After Attribute() | +| TarSlipImprov.py:300:56:300:58 | tar | semmle.label | tar | +| TarSlipImprov.py:301:49:301:51 | tar | semmle.label | tar | +| TarSlipImprov.py:304:1:304:3 | tar | semmle.label | tar | +| TarSlipImprov.py:304:7:304:39 | After Attribute() | semmle.label | After Attribute() | +| TarSlipImprov.py:306:5:306:10 | member | semmle.label | member | +| TarSlipImprov.py:309:5:309:10 | [post] result | semmle.label | [post] result | +| TarSlipImprov.py:309:19:309:24 | member | semmle.label | member | +| TarSlipImprov.py:310:49:310:54 | result | semmle.label | result | +| TarSlipImprov.py:316:1:316:46 | 
After Attribute() | semmle.label | After Attribute() | subpaths -| TarSlipImprov.py:39:65:39:67 | ControlFlowNode for tar | TarSlipImprov.py:26:21:26:27 | ControlFlowNode for tarfile | TarSlipImprov.py:36:12:36:17 | ControlFlowNode for result | TarSlipImprov.py:39:49:39:68 | ControlFlowNode for members_filter1() | +| TarSlipImprov.py:39:65:39:67 | tar | TarSlipImprov.py:26:21:26:27 | tarfile | TarSlipImprov.py:36:12:36:17 | result | TarSlipImprov.py:39:49:39:68 | After members_filter1() | #select -| TarSlipImprov.py:22:35:22:40 | ControlFlowNode for result | TarSlipImprov.py:15:7:15:39 | ControlFlowNode for Attribute() | TarSlipImprov.py:22:35:22:40 | ControlFlowNode for result | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:15:7:15:39 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:22:35:22:40 | ControlFlowNode for result | ControlFlowNode for result | -| TarSlipImprov.py:39:49:39:68 | ControlFlowNode for members_filter1() | TarSlipImprov.py:38:7:38:39 | ControlFlowNode for Attribute() | TarSlipImprov.py:39:49:39:68 | ControlFlowNode for members_filter1() | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:38:7:38:39 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:39:49:39:68 | ControlFlowNode for members_filter1() | ControlFlowNode for members_filter1() | -| TarSlipImprov.py:47:21:47:25 | ControlFlowNode for entry | TarSlipImprov.py:43:6:43:38 | ControlFlowNode for Attribute() | TarSlipImprov.py:47:21:47:25 | ControlFlowNode for entry | Extraction of tarfile from $@ to a potentially untrusted source $@. 
| TarSlipImprov.py:43:6:43:38 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:47:21:47:25 | ControlFlowNode for entry | ControlFlowNode for entry | -| TarSlipImprov.py:58:21:58:25 | ControlFlowNode for entry | TarSlipImprov.py:54:6:54:38 | ControlFlowNode for Attribute() | TarSlipImprov.py:58:21:58:25 | ControlFlowNode for entry | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:54:6:54:38 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:58:21:58:25 | ControlFlowNode for entry | ControlFlowNode for entry | -| TarSlipImprov.py:91:5:91:7 | ControlFlowNode for tar | TarSlipImprov.py:88:6:88:43 | ControlFlowNode for Attribute() | TarSlipImprov.py:91:5:91:7 | ControlFlowNode for tar | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:88:6:88:43 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:91:5:91:7 | ControlFlowNode for tar | ControlFlowNode for tar | -| TarSlipImprov.py:115:9:115:11 | ControlFlowNode for tar | TarSlipImprov.py:111:7:111:39 | ControlFlowNode for Attribute() | TarSlipImprov.py:115:9:115:11 | ControlFlowNode for tar | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:111:7:111:39 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:115:9:115:11 | ControlFlowNode for tar | ControlFlowNode for tar | -| TarSlipImprov.py:125:36:125:40 | ControlFlowNode for entry | TarSlipImprov.py:123:6:123:29 | ControlFlowNode for Attribute() | TarSlipImprov.py:125:36:125:40 | ControlFlowNode for entry | Extraction of tarfile from $@ to a potentially untrusted source $@. 
| TarSlipImprov.py:123:6:123:29 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:125:36:125:40 | ControlFlowNode for entry | ControlFlowNode for entry | -| TarSlipImprov.py:130:5:130:7 | ControlFlowNode for tar | TarSlipImprov.py:129:6:129:26 | ControlFlowNode for Attribute() | TarSlipImprov.py:130:5:130:7 | ControlFlowNode for tar | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:129:6:129:26 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:130:5:130:7 | ControlFlowNode for tar | ControlFlowNode for tar | -| TarSlipImprov.py:134:1:134:3 | ControlFlowNode for tar | TarSlipImprov.py:133:7:133:39 | ControlFlowNode for Attribute() | TarSlipImprov.py:134:1:134:3 | ControlFlowNode for tar | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:133:7:133:39 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:134:1:134:3 | ControlFlowNode for tar | ControlFlowNode for tar | -| TarSlipImprov.py:143:36:143:40 | ControlFlowNode for entry | TarSlipImprov.py:141:6:141:29 | ControlFlowNode for Attribute() | TarSlipImprov.py:143:36:143:40 | ControlFlowNode for entry | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:141:6:141:29 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:143:36:143:40 | ControlFlowNode for entry | ControlFlowNode for entry | -| TarSlipImprov.py:169:9:169:12 | ControlFlowNode for tarc | TarSlipImprov.py:151:22:151:49 | ControlFlowNode for Attribute() | TarSlipImprov.py:169:9:169:12 | ControlFlowNode for tarc | Extraction of tarfile from $@ to a potentially untrusted source $@. 
| TarSlipImprov.py:151:22:151:49 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:169:9:169:12 | ControlFlowNode for tarc | ControlFlowNode for tarc | -| TarSlipImprov.py:169:9:169:12 | ControlFlowNode for tarc | TarSlipImprov.py:159:26:159:51 | ControlFlowNode for Attribute() | TarSlipImprov.py:169:9:169:12 | ControlFlowNode for tarc | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:159:26:159:51 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:169:9:169:12 | ControlFlowNode for tarc | ControlFlowNode for tarc | -| TarSlipImprov.py:178:36:178:40 | ControlFlowNode for entry | TarSlipImprov.py:176:6:176:31 | ControlFlowNode for Attribute() | TarSlipImprov.py:178:36:178:40 | ControlFlowNode for entry | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:176:6:176:31 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:178:36:178:40 | ControlFlowNode for entry | ControlFlowNode for entry | -| TarSlipImprov.py:184:21:184:25 | ControlFlowNode for entry | TarSlipImprov.py:182:6:182:31 | ControlFlowNode for Attribute() | TarSlipImprov.py:184:21:184:25 | ControlFlowNode for entry | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:182:6:182:31 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:184:21:184:25 | ControlFlowNode for entry | ControlFlowNode for entry | -| TarSlipImprov.py:189:1:189:3 | ControlFlowNode for tar | TarSlipImprov.py:188:7:188:27 | ControlFlowNode for Attribute() | TarSlipImprov.py:189:1:189:3 | ControlFlowNode for tar | Extraction of tarfile from $@ to a potentially untrusted source $@. 
| TarSlipImprov.py:188:7:188:27 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:189:1:189:3 | ControlFlowNode for tar | ControlFlowNode for tar | -| TarSlipImprov.py:194:49:194:51 | ControlFlowNode for tar | TarSlipImprov.py:193:6:193:31 | ControlFlowNode for Attribute() | TarSlipImprov.py:194:49:194:51 | ControlFlowNode for tar | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:193:6:193:31 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:194:49:194:51 | ControlFlowNode for tar | ControlFlowNode for tar | -| TarSlipImprov.py:211:5:211:7 | ControlFlowNode for tar | TarSlipImprov.py:210:6:210:43 | ControlFlowNode for Attribute() | TarSlipImprov.py:211:5:211:7 | ControlFlowNode for tar | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:210:6:210:43 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:211:5:211:7 | ControlFlowNode for tar | ControlFlowNode for tar | -| TarSlipImprov.py:236:44:236:50 | ControlFlowNode for members | TarSlipImprov.py:231:6:231:38 | ControlFlowNode for Attribute() | TarSlipImprov.py:236:44:236:50 | ControlFlowNode for members | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:231:6:231:38 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:236:44:236:50 | ControlFlowNode for members | ControlFlowNode for members | -| TarSlipImprov.py:254:1:254:31 | ControlFlowNode for Attribute() | TarSlipImprov.py:254:1:254:31 | ControlFlowNode for Attribute() | TarSlipImprov.py:254:1:254:31 | ControlFlowNode for Attribute() | Extraction of tarfile from $@ to a potentially untrusted source $@. 
| TarSlipImprov.py:254:1:254:31 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:254:1:254:31 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | -| TarSlipImprov.py:261:25:261:29 | ControlFlowNode for entry | TarSlipImprov.py:258:6:258:26 | ControlFlowNode for Attribute() | TarSlipImprov.py:261:25:261:29 | ControlFlowNode for entry | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:258:6:258:26 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:261:25:261:29 | ControlFlowNode for entry | ControlFlowNode for entry | -| TarSlipImprov.py:268:21:268:25 | ControlFlowNode for entry | TarSlipImprov.py:264:6:264:38 | ControlFlowNode for Attribute() | TarSlipImprov.py:268:21:268:25 | ControlFlowNode for entry | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:264:6:264:38 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:268:21:268:25 | ControlFlowNode for entry | ControlFlowNode for entry | -| TarSlipImprov.py:274:25:274:29 | ControlFlowNode for entry | TarSlipImprov.py:271:6:271:39 | ControlFlowNode for Attribute() | TarSlipImprov.py:274:25:274:29 | ControlFlowNode for entry | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:271:6:271:39 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:274:25:274:29 | ControlFlowNode for entry | ControlFlowNode for entry | -| TarSlipImprov.py:280:21:280:25 | ControlFlowNode for entry | TarSlipImprov.py:276:6:276:38 | ControlFlowNode for Attribute() | TarSlipImprov.py:280:21:280:25 | ControlFlowNode for entry | Extraction of tarfile from $@ to a potentially untrusted source $@. 
| TarSlipImprov.py:276:6:276:38 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:280:21:280:25 | ControlFlowNode for entry | ControlFlowNode for entry | -| TarSlipImprov.py:284:5:284:7 | ControlFlowNode for tar | TarSlipImprov.py:283:6:283:51 | ControlFlowNode for Attribute() | TarSlipImprov.py:284:5:284:7 | ControlFlowNode for tar | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:283:6:283:51 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:284:5:284:7 | ControlFlowNode for tar | ControlFlowNode for tar | -| TarSlipImprov.py:288:49:288:51 | ControlFlowNode for tar | TarSlipImprov.py:287:7:287:28 | ControlFlowNode for Attribute() | TarSlipImprov.py:288:49:288:51 | ControlFlowNode for tar | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:287:7:287:28 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:288:49:288:51 | ControlFlowNode for tar | ControlFlowNode for tar | -| TarSlipImprov.py:293:1:293:3 | ControlFlowNode for tar | TarSlipImprov.py:292:7:292:39 | ControlFlowNode for Attribute() | TarSlipImprov.py:293:1:293:3 | ControlFlowNode for tar | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:292:7:292:39 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:293:1:293:3 | ControlFlowNode for tar | ControlFlowNode for tar | -| TarSlipImprov.py:301:49:301:51 | ControlFlowNode for tar | TarSlipImprov.py:300:6:300:51 | ControlFlowNode for Attribute() | TarSlipImprov.py:301:49:301:51 | ControlFlowNode for tar | Extraction of tarfile from $@ to a potentially untrusted source $@. 
| TarSlipImprov.py:300:6:300:51 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:301:49:301:51 | ControlFlowNode for tar | ControlFlowNode for tar | -| TarSlipImprov.py:310:49:310:54 | ControlFlowNode for result | TarSlipImprov.py:304:7:304:39 | ControlFlowNode for Attribute() | TarSlipImprov.py:310:49:310:54 | ControlFlowNode for result | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:304:7:304:39 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:310:49:310:54 | ControlFlowNode for result | ControlFlowNode for result | -| TarSlipImprov.py:316:1:316:46 | ControlFlowNode for Attribute() | TarSlipImprov.py:316:1:316:46 | ControlFlowNode for Attribute() | TarSlipImprov.py:316:1:316:46 | ControlFlowNode for Attribute() | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:316:1:316:46 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:316:1:316:46 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | +| TarSlipImprov.py:22:35:22:40 | result | TarSlipImprov.py:15:7:15:39 | After Attribute() | TarSlipImprov.py:22:35:22:40 | result | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:15:7:15:39 | After Attribute() | After Attribute() | TarSlipImprov.py:22:35:22:40 | result | result | +| TarSlipImprov.py:39:49:39:68 | After members_filter1() | TarSlipImprov.py:38:7:38:39 | After Attribute() | TarSlipImprov.py:39:49:39:68 | After members_filter1() | Extraction of tarfile from $@ to a potentially untrusted source $@. 
| TarSlipImprov.py:38:7:38:39 | After Attribute() | After Attribute() | TarSlipImprov.py:39:49:39:68 | After members_filter1() | After members_filter1() | +| TarSlipImprov.py:47:21:47:25 | entry | TarSlipImprov.py:43:6:43:38 | After Attribute() | TarSlipImprov.py:47:21:47:25 | entry | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:43:6:43:38 | After Attribute() | After Attribute() | TarSlipImprov.py:47:21:47:25 | entry | entry | +| TarSlipImprov.py:58:21:58:25 | entry | TarSlipImprov.py:54:6:54:38 | After Attribute() | TarSlipImprov.py:58:21:58:25 | entry | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:54:6:54:38 | After Attribute() | After Attribute() | TarSlipImprov.py:58:21:58:25 | entry | entry | +| TarSlipImprov.py:91:5:91:7 | tar | TarSlipImprov.py:88:6:88:43 | After Attribute() | TarSlipImprov.py:91:5:91:7 | tar | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:88:6:88:43 | After Attribute() | After Attribute() | TarSlipImprov.py:91:5:91:7 | tar | tar | +| TarSlipImprov.py:115:9:115:11 | tar | TarSlipImprov.py:111:7:111:39 | After Attribute() | TarSlipImprov.py:115:9:115:11 | tar | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:111:7:111:39 | After Attribute() | After Attribute() | TarSlipImprov.py:115:9:115:11 | tar | tar | +| TarSlipImprov.py:125:36:125:40 | entry | TarSlipImprov.py:123:6:123:29 | After Attribute() | TarSlipImprov.py:125:36:125:40 | entry | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:123:6:123:29 | After Attribute() | After Attribute() | TarSlipImprov.py:125:36:125:40 | entry | entry | +| TarSlipImprov.py:130:5:130:7 | tar | TarSlipImprov.py:129:6:129:26 | After Attribute() | TarSlipImprov.py:130:5:130:7 | tar | Extraction of tarfile from $@ to a potentially untrusted source $@. 
| TarSlipImprov.py:129:6:129:26 | After Attribute() | After Attribute() | TarSlipImprov.py:130:5:130:7 | tar | tar | +| TarSlipImprov.py:134:1:134:3 | tar | TarSlipImprov.py:133:7:133:39 | After Attribute() | TarSlipImprov.py:134:1:134:3 | tar | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:133:7:133:39 | After Attribute() | After Attribute() | TarSlipImprov.py:134:1:134:3 | tar | tar | +| TarSlipImprov.py:143:36:143:40 | entry | TarSlipImprov.py:141:6:141:29 | After Attribute() | TarSlipImprov.py:143:36:143:40 | entry | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:141:6:141:29 | After Attribute() | After Attribute() | TarSlipImprov.py:143:36:143:40 | entry | entry | +| TarSlipImprov.py:169:9:169:12 | tarc | TarSlipImprov.py:151:22:151:49 | After Attribute() | TarSlipImprov.py:169:9:169:12 | tarc | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:151:22:151:49 | After Attribute() | After Attribute() | TarSlipImprov.py:169:9:169:12 | tarc | tarc | +| TarSlipImprov.py:169:9:169:12 | tarc | TarSlipImprov.py:159:26:159:51 | After Attribute() | TarSlipImprov.py:169:9:169:12 | tarc | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:159:26:159:51 | After Attribute() | After Attribute() | TarSlipImprov.py:169:9:169:12 | tarc | tarc | +| TarSlipImprov.py:178:36:178:40 | entry | TarSlipImprov.py:176:6:176:31 | After Attribute() | TarSlipImprov.py:178:36:178:40 | entry | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:176:6:176:31 | After Attribute() | After Attribute() | TarSlipImprov.py:178:36:178:40 | entry | entry | +| TarSlipImprov.py:184:21:184:25 | entry | TarSlipImprov.py:182:6:182:31 | After Attribute() | TarSlipImprov.py:184:21:184:25 | entry | Extraction of tarfile from $@ to a potentially untrusted source $@. 
| TarSlipImprov.py:182:6:182:31 | After Attribute() | After Attribute() | TarSlipImprov.py:184:21:184:25 | entry | entry | +| TarSlipImprov.py:189:1:189:3 | tar | TarSlipImprov.py:188:7:188:27 | After Attribute() | TarSlipImprov.py:189:1:189:3 | tar | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:188:7:188:27 | After Attribute() | After Attribute() | TarSlipImprov.py:189:1:189:3 | tar | tar | +| TarSlipImprov.py:194:49:194:51 | tar | TarSlipImprov.py:193:6:193:31 | After Attribute() | TarSlipImprov.py:194:49:194:51 | tar | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:193:6:193:31 | After Attribute() | After Attribute() | TarSlipImprov.py:194:49:194:51 | tar | tar | +| TarSlipImprov.py:211:5:211:7 | tar | TarSlipImprov.py:210:6:210:43 | After Attribute() | TarSlipImprov.py:211:5:211:7 | tar | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:210:6:210:43 | After Attribute() | After Attribute() | TarSlipImprov.py:211:5:211:7 | tar | tar | +| TarSlipImprov.py:236:44:236:50 | members | TarSlipImprov.py:231:6:231:38 | After Attribute() | TarSlipImprov.py:236:44:236:50 | members | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:231:6:231:38 | After Attribute() | After Attribute() | TarSlipImprov.py:236:44:236:50 | members | members | +| TarSlipImprov.py:254:1:254:31 | After Attribute() | TarSlipImprov.py:254:1:254:31 | After Attribute() | TarSlipImprov.py:254:1:254:31 | After Attribute() | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:254:1:254:31 | After Attribute() | After Attribute() | TarSlipImprov.py:254:1:254:31 | After Attribute() | After Attribute() | +| TarSlipImprov.py:261:25:261:29 | entry | TarSlipImprov.py:258:6:258:26 | After Attribute() | TarSlipImprov.py:261:25:261:29 | entry | Extraction of tarfile from $@ to a potentially untrusted source $@. 
| TarSlipImprov.py:258:6:258:26 | After Attribute() | After Attribute() | TarSlipImprov.py:261:25:261:29 | entry | entry | +| TarSlipImprov.py:268:21:268:25 | entry | TarSlipImprov.py:264:6:264:38 | After Attribute() | TarSlipImprov.py:268:21:268:25 | entry | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:264:6:264:38 | After Attribute() | After Attribute() | TarSlipImprov.py:268:21:268:25 | entry | entry | +| TarSlipImprov.py:274:25:274:29 | entry | TarSlipImprov.py:271:6:271:39 | After Attribute() | TarSlipImprov.py:274:25:274:29 | entry | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:271:6:271:39 | After Attribute() | After Attribute() | TarSlipImprov.py:274:25:274:29 | entry | entry | +| TarSlipImprov.py:280:21:280:25 | entry | TarSlipImprov.py:276:6:276:38 | After Attribute() | TarSlipImprov.py:280:21:280:25 | entry | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:276:6:276:38 | After Attribute() | After Attribute() | TarSlipImprov.py:280:21:280:25 | entry | entry | +| TarSlipImprov.py:284:5:284:7 | tar | TarSlipImprov.py:283:6:283:51 | After Attribute() | TarSlipImprov.py:284:5:284:7 | tar | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:283:6:283:51 | After Attribute() | After Attribute() | TarSlipImprov.py:284:5:284:7 | tar | tar | +| TarSlipImprov.py:288:49:288:51 | tar | TarSlipImprov.py:287:7:287:28 | After Attribute() | TarSlipImprov.py:288:49:288:51 | tar | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:287:7:287:28 | After Attribute() | After Attribute() | TarSlipImprov.py:288:49:288:51 | tar | tar | +| TarSlipImprov.py:293:1:293:3 | tar | TarSlipImprov.py:292:7:292:39 | After Attribute() | TarSlipImprov.py:293:1:293:3 | tar | Extraction of tarfile from $@ to a potentially untrusted source $@. 
| TarSlipImprov.py:292:7:292:39 | After Attribute() | After Attribute() | TarSlipImprov.py:293:1:293:3 | tar | tar | +| TarSlipImprov.py:301:49:301:51 | tar | TarSlipImprov.py:300:6:300:51 | After Attribute() | TarSlipImprov.py:301:49:301:51 | tar | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:300:6:300:51 | After Attribute() | After Attribute() | TarSlipImprov.py:301:49:301:51 | tar | tar | +| TarSlipImprov.py:310:49:310:54 | result | TarSlipImprov.py:304:7:304:39 | After Attribute() | TarSlipImprov.py:310:49:310:54 | result | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:304:7:304:39 | After Attribute() | After Attribute() | TarSlipImprov.py:310:49:310:54 | result | result | +| TarSlipImprov.py:316:1:316:46 | After Attribute() | TarSlipImprov.py:316:1:316:46 | After Attribute() | TarSlipImprov.py:316:1:316:46 | After Attribute() | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:316:1:316:46 | After Attribute() | After Attribute() | TarSlipImprov.py:316:1:316:46 | After Attribute() | After Attribute() | diff --git a/python/ql/test/experimental/query-tests/Security/CWE-022-TarSlip/ZipSlip.expected b/python/ql/test/experimental/query-tests/Security/CWE-022-TarSlip/ZipSlip.expected index 6b618335d81..4a0dd8c5b9f 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-022-TarSlip/ZipSlip.expected +++ b/python/ql/test/experimental/query-tests/Security/CWE-022-TarSlip/ZipSlip.expected 
@@ -1,44 +1,44 @@ edges -| zipslip_bad.py:8:10:8:31 | ControlFlowNode for Attribute() | zipslip_bad.py:8:36:8:39 | ControlFlowNode for zipf | provenance | | -| zipslip_bad.py:8:36:8:39 | ControlFlowNode for zipf | zipslip_bad.py:10:13:10:17 | ControlFlowNode for entry | provenance | | -| zipslip_bad.py:10:13:10:17 | ControlFlowNode for entry | zipslip_bad.py:11:25:11:29 | ControlFlowNode for entry | provenance | | -| zipslip_bad.py:14:10:14:28 | ControlFlowNode for Attribute() | zipslip_bad.py:14:33:14:36 | ControlFlowNode for zipf | provenance | | -| zipslip_bad.py:14:33:14:36 | ControlFlowNode for zipf | zipslip_bad.py:16:13:16:17 | ControlFlowNode for entry | provenance | | -| zipslip_bad.py:16:13:16:17 | ControlFlowNode for entry | zipslip_bad.py:17:26:17:30 | ControlFlowNode for entry | provenance | | -| zipslip_bad.py:20:10:20:27 | ControlFlowNode for Attribute() | zipslip_bad.py:20:32:20:35 | ControlFlowNode for zipf | provenance | | -| zipslip_bad.py:20:32:20:35 | ControlFlowNode for zipf | zipslip_bad.py:22:13:22:17 | ControlFlowNode for entry | provenance | | -| zipslip_bad.py:22:13:22:17 | ControlFlowNode for entry | zipslip_bad.py:23:29:23:33 | ControlFlowNode for entry | provenance | | -| zipslip_bad.py:27:10:27:22 | ControlFlowNode for Attribute() | zipslip_bad.py:27:27:27:34 | ControlFlowNode for filelist | provenance | | -| zipslip_bad.py:27:27:27:34 | ControlFlowNode for filelist | zipslip_bad.py:29:13:29:13 | ControlFlowNode for x | provenance | | -| zipslip_bad.py:29:13:29:13 | ControlFlowNode for x | zipslip_bad.py:30:25:30:25 | ControlFlowNode for x | provenance | | -| zipslip_bad.py:34:5:34:12 | ControlFlowNode for filelist | zipslip_bad.py:35:9:35:9 | ControlFlowNode for x | provenance | | -| zipslip_bad.py:34:16:34:28 | ControlFlowNode for Attribute() | zipslip_bad.py:34:5:34:12 | ControlFlowNode for filelist | provenance | | -| zipslip_bad.py:35:9:35:9 | ControlFlowNode for x | zipslip_bad.py:37:32:37:32 | ControlFlowNode for x | provenance 
| | +| zipslip_bad.py:8:10:8:31 | After Attribute() | zipslip_bad.py:8:36:8:39 | zipf | provenance | | +| zipslip_bad.py:8:36:8:39 | zipf | zipslip_bad.py:10:13:10:17 | entry | provenance | | +| zipslip_bad.py:10:13:10:17 | entry | zipslip_bad.py:11:25:11:29 | entry | provenance | | +| zipslip_bad.py:14:10:14:28 | After Attribute() | zipslip_bad.py:14:33:14:36 | zipf | provenance | | +| zipslip_bad.py:14:33:14:36 | zipf | zipslip_bad.py:16:13:16:17 | entry | provenance | | +| zipslip_bad.py:16:13:16:17 | entry | zipslip_bad.py:17:26:17:30 | entry | provenance | | +| zipslip_bad.py:20:10:20:27 | After Attribute() | zipslip_bad.py:20:32:20:35 | zipf | provenance | | +| zipslip_bad.py:20:32:20:35 | zipf | zipslip_bad.py:22:13:22:17 | entry | provenance | | +| zipslip_bad.py:22:13:22:17 | entry | zipslip_bad.py:23:29:23:33 | entry | provenance | | +| zipslip_bad.py:27:10:27:22 | After Attribute() | zipslip_bad.py:27:27:27:34 | filelist | provenance | | +| zipslip_bad.py:27:27:27:34 | filelist | zipslip_bad.py:29:13:29:13 | x | provenance | | +| zipslip_bad.py:29:13:29:13 | x | zipslip_bad.py:30:25:30:25 | x | provenance | | +| zipslip_bad.py:34:5:34:12 | filelist | zipslip_bad.py:35:9:35:9 | x | provenance | | +| zipslip_bad.py:34:16:34:28 | After Attribute() | zipslip_bad.py:34:5:34:12 | filelist | provenance | | +| zipslip_bad.py:35:9:35:9 | x | zipslip_bad.py:37:32:37:32 | x | provenance | | nodes -| zipslip_bad.py:8:10:8:31 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| zipslip_bad.py:8:36:8:39 | ControlFlowNode for zipf | semmle.label | ControlFlowNode for zipf | -| zipslip_bad.py:10:13:10:17 | ControlFlowNode for entry | semmle.label | ControlFlowNode for entry | -| zipslip_bad.py:11:25:11:29 | ControlFlowNode for entry | semmle.label | ControlFlowNode for entry | -| zipslip_bad.py:14:10:14:28 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| zipslip_bad.py:14:33:14:36 | 
ControlFlowNode for zipf | semmle.label | ControlFlowNode for zipf | -| zipslip_bad.py:16:13:16:17 | ControlFlowNode for entry | semmle.label | ControlFlowNode for entry | -| zipslip_bad.py:17:26:17:30 | ControlFlowNode for entry | semmle.label | ControlFlowNode for entry | -| zipslip_bad.py:20:10:20:27 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| zipslip_bad.py:20:32:20:35 | ControlFlowNode for zipf | semmle.label | ControlFlowNode for zipf | -| zipslip_bad.py:22:13:22:17 | ControlFlowNode for entry | semmle.label | ControlFlowNode for entry | -| zipslip_bad.py:23:29:23:33 | ControlFlowNode for entry | semmle.label | ControlFlowNode for entry | -| zipslip_bad.py:27:10:27:22 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| zipslip_bad.py:27:27:27:34 | ControlFlowNode for filelist | semmle.label | ControlFlowNode for filelist | -| zipslip_bad.py:29:13:29:13 | ControlFlowNode for x | semmle.label | ControlFlowNode for x | -| zipslip_bad.py:30:25:30:25 | ControlFlowNode for x | semmle.label | ControlFlowNode for x | -| zipslip_bad.py:34:5:34:12 | ControlFlowNode for filelist | semmle.label | ControlFlowNode for filelist | -| zipslip_bad.py:34:16:34:28 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| zipslip_bad.py:35:9:35:9 | ControlFlowNode for x | semmle.label | ControlFlowNode for x | -| zipslip_bad.py:37:32:37:32 | ControlFlowNode for x | semmle.label | ControlFlowNode for x | +| zipslip_bad.py:8:10:8:31 | After Attribute() | semmle.label | After Attribute() | +| zipslip_bad.py:8:36:8:39 | zipf | semmle.label | zipf | +| zipslip_bad.py:10:13:10:17 | entry | semmle.label | entry | +| zipslip_bad.py:11:25:11:29 | entry | semmle.label | entry | +| zipslip_bad.py:14:10:14:28 | After Attribute() | semmle.label | After Attribute() | +| zipslip_bad.py:14:33:14:36 | zipf | semmle.label | zipf | +| zipslip_bad.py:16:13:16:17 | entry | semmle.label | 
entry | +| zipslip_bad.py:17:26:17:30 | entry | semmle.label | entry | +| zipslip_bad.py:20:10:20:27 | After Attribute() | semmle.label | After Attribute() | +| zipslip_bad.py:20:32:20:35 | zipf | semmle.label | zipf | +| zipslip_bad.py:22:13:22:17 | entry | semmle.label | entry | +| zipslip_bad.py:23:29:23:33 | entry | semmle.label | entry | +| zipslip_bad.py:27:10:27:22 | After Attribute() | semmle.label | After Attribute() | +| zipslip_bad.py:27:27:27:34 | filelist | semmle.label | filelist | +| zipslip_bad.py:29:13:29:13 | x | semmle.label | x | +| zipslip_bad.py:30:25:30:25 | x | semmle.label | x | +| zipslip_bad.py:34:5:34:12 | filelist | semmle.label | filelist | +| zipslip_bad.py:34:16:34:28 | After Attribute() | semmle.label | After Attribute() | +| zipslip_bad.py:35:9:35:9 | x | semmle.label | x | +| zipslip_bad.py:37:32:37:32 | x | semmle.label | x | subpaths #select -| zipslip_bad.py:8:10:8:31 | ControlFlowNode for Attribute() | zipslip_bad.py:8:10:8:31 | ControlFlowNode for Attribute() | zipslip_bad.py:11:25:11:29 | ControlFlowNode for entry | This unsanitized archive entry, which may contain '..', is used in a $@. | zipslip_bad.py:11:25:11:29 | ControlFlowNode for entry | file system operation | -| zipslip_bad.py:14:10:14:28 | ControlFlowNode for Attribute() | zipslip_bad.py:14:10:14:28 | ControlFlowNode for Attribute() | zipslip_bad.py:17:26:17:30 | ControlFlowNode for entry | This unsanitized archive entry, which may contain '..', is used in a $@. | zipslip_bad.py:17:26:17:30 | ControlFlowNode for entry | file system operation | -| zipslip_bad.py:20:10:20:27 | ControlFlowNode for Attribute() | zipslip_bad.py:20:10:20:27 | ControlFlowNode for Attribute() | zipslip_bad.py:23:29:23:33 | ControlFlowNode for entry | This unsanitized archive entry, which may contain '..', is used in a $@. 
| zipslip_bad.py:23:29:23:33 | ControlFlowNode for entry | file system operation | -| zipslip_bad.py:27:10:27:22 | ControlFlowNode for Attribute() | zipslip_bad.py:27:10:27:22 | ControlFlowNode for Attribute() | zipslip_bad.py:30:25:30:25 | ControlFlowNode for x | This unsanitized archive entry, which may contain '..', is used in a $@. | zipslip_bad.py:30:25:30:25 | ControlFlowNode for x | file system operation | -| zipslip_bad.py:34:16:34:28 | ControlFlowNode for Attribute() | zipslip_bad.py:34:16:34:28 | ControlFlowNode for Attribute() | zipslip_bad.py:37:32:37:32 | ControlFlowNode for x | This unsanitized archive entry, which may contain '..', is used in a $@. | zipslip_bad.py:37:32:37:32 | ControlFlowNode for x | file system operation | +| zipslip_bad.py:8:10:8:31 | After Attribute() | zipslip_bad.py:8:10:8:31 | After Attribute() | zipslip_bad.py:11:25:11:29 | entry | This unsanitized archive entry, which may contain '..', is used in a $@. | zipslip_bad.py:11:25:11:29 | entry | file system operation | +| zipslip_bad.py:14:10:14:28 | After Attribute() | zipslip_bad.py:14:10:14:28 | After Attribute() | zipslip_bad.py:17:26:17:30 | entry | This unsanitized archive entry, which may contain '..', is used in a $@. | zipslip_bad.py:17:26:17:30 | entry | file system operation | +| zipslip_bad.py:20:10:20:27 | After Attribute() | zipslip_bad.py:20:10:20:27 | After Attribute() | zipslip_bad.py:23:29:23:33 | entry | This unsanitized archive entry, which may contain '..', is used in a $@. | zipslip_bad.py:23:29:23:33 | entry | file system operation | +| zipslip_bad.py:27:10:27:22 | After Attribute() | zipslip_bad.py:27:10:27:22 | After Attribute() | zipslip_bad.py:30:25:30:25 | x | This unsanitized archive entry, which may contain '..', is used in a $@. 
| zipslip_bad.py:30:25:30:25 | x | file system operation | +| zipslip_bad.py:34:16:34:28 | After Attribute() | zipslip_bad.py:34:16:34:28 | After Attribute() | zipslip_bad.py:37:32:37:32 | x | This unsanitized archive entry, which may contain '..', is used in a $@. | zipslip_bad.py:37:32:37:32 | x | file system operation | diff --git a/python/ql/test/experimental/query-tests/Security/CWE-074-RemoteCommandExecution/RemoteCommandExecution.expected b/python/ql/test/experimental/query-tests/Security/CWE-074-RemoteCommandExecution/RemoteCommandExecution.expected index 914d6fbbee4..1eb9694fedd 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-074-RemoteCommandExecution/RemoteCommandExecution.expected +++ b/python/ql/test/experimental/query-tests/Security/CWE-074-RemoteCommandExecution/RemoteCommandExecution.expected 
@@ -1,88 +1,88 @@ edges -| AsyncSsh.py:15:16:15:18 | ControlFlowNode for cmd | AsyncSsh.py:17:33:17:35 | ControlFlowNode for cmd | provenance | | -| Netmiko.py:18:16:18:18 | ControlFlowNode for cmd | Netmiko.py:20:45:20:47 | ControlFlowNode for cmd | provenance | | -| Netmiko.py:18:16:18:18 | ControlFlowNode for cmd | Netmiko.py:21:52:21:54 | ControlFlowNode for cmd | provenance | | -| Netmiko.py:18:16:18:18 | ControlFlowNode for cmd | Netmiko.py:22:52:22:54 | ControlFlowNode for cmd | provenance | | -| Netmiko.py:18:16:18:18 | ControlFlowNode for cmd | Netmiko.py:23:41:23:57 | ControlFlowNode for List | provenance | | -| Netmiko.py:18:16:18:18 | ControlFlowNode for cmd | Netmiko.py:24:48:24:50 | ControlFlowNode for cmd | provenance | | -| Pexpect.py:15:16:15:18 | ControlFlowNode for cmd | Pexpect.py:16:14:16:16 | ControlFlowNode for cmd | provenance | | -| Pexpect.py:15:16:15:18 | ControlFlowNode for cmd | Pexpect.py:18:18:18:20 | ControlFlowNode for cmd | provenance | | -| Scrapli.py:13:16:13:18 | ControlFlowNode for cmd | Scrapli.py:24:42:24:44 | ControlFlowNode for cmd | provenance | | -| Scrapli.py:13:16:13:18 | ControlFlowNode for cmd | Scrapli.py:27:42:27:44 | ControlFlowNode for cmd | provenance | | -| Scrapli.py:13:16:13:18 | ControlFlowNode for cmd | Scrapli.py:30:42:30:44 | ControlFlowNode for cmd | provenance | | -| Scrapli.py:13:16:13:18 | ControlFlowNode for cmd | Scrapli.py:33:42:33:44 | ControlFlowNode for cmd | provenance | | -| Scrapli.py:13:16:13:18 | ControlFlowNode for cmd | Scrapli.py:36:42:36:44 | ControlFlowNode for cmd | provenance | | -| Scrapli.py:40:10:40:12 | ControlFlowNode for cmd | Scrapli.py:51:36:51:38 | ControlFlowNode for cmd | provenance | | -| Scrapli.py:40:10:40:12 | ControlFlowNode for cmd | Scrapli.py:54:36:54:38 | ControlFlowNode for cmd | provenance | | -| Scrapli.py:40:10:40:12 | ControlFlowNode for cmd | Scrapli.py:57:36:57:38 | ControlFlowNode for cmd | provenance | | -| Scrapli.py:40:10:40:12 | ControlFlowNode for cmd 
| Scrapli.py:60:36:60:38 | ControlFlowNode for cmd | provenance | | -| Scrapli.py:40:10:40:12 | ControlFlowNode for cmd | Scrapli.py:63:36:63:38 | ControlFlowNode for cmd | provenance | | -| Scrapli.py:40:10:40:12 | ControlFlowNode for cmd | Scrapli.py:74:36:74:38 | ControlFlowNode for cmd | provenance | | -| Scrapli.py:40:10:40:12 | ControlFlowNode for cmd | Scrapli.py:84:36:84:38 | ControlFlowNode for cmd | provenance | | -| Twisted.py:13:16:13:18 | ControlFlowNode for cmd | Twisted.py:16:5:16:7 | ControlFlowNode for cmd | provenance | | -| Twisted.py:13:16:13:18 | ControlFlowNode for cmd | Twisted.py:24:9:24:11 | ControlFlowNode for cmd | provenance | | -| paramiko.py:15:16:15:18 | ControlFlowNode for cmd | paramiko.py:16:62:16:64 | ControlFlowNode for cmd | provenance | | -| paramiko.py:20:16:20:18 | ControlFlowNode for cmd | paramiko.py:21:70:21:72 | ControlFlowNode for cmd | provenance | | -| ssh2.py:15:16:15:18 | ControlFlowNode for cmd | ssh2.py:17:21:17:23 | ControlFlowNode for cmd | provenance | | +| AsyncSsh.py:15:16:15:18 | cmd | AsyncSsh.py:17:33:17:35 | cmd | provenance | | +| Netmiko.py:18:16:18:18 | cmd | Netmiko.py:20:45:20:47 | cmd | provenance | | +| Netmiko.py:18:16:18:18 | cmd | Netmiko.py:21:52:21:54 | cmd | provenance | | +| Netmiko.py:18:16:18:18 | cmd | Netmiko.py:22:52:22:54 | cmd | provenance | | +| Netmiko.py:18:16:18:18 | cmd | Netmiko.py:23:41:23:57 | After List | provenance | | +| Netmiko.py:18:16:18:18 | cmd | Netmiko.py:24:48:24:50 | cmd | provenance | | +| Pexpect.py:15:16:15:18 | cmd | Pexpect.py:16:14:16:16 | cmd | provenance | | +| Pexpect.py:15:16:15:18 | cmd | Pexpect.py:18:18:18:20 | cmd | provenance | | +| Scrapli.py:13:16:13:18 | cmd | Scrapli.py:24:42:24:44 | cmd | provenance | | +| Scrapli.py:13:16:13:18 | cmd | Scrapli.py:27:42:27:44 | cmd | provenance | | +| Scrapli.py:13:16:13:18 | cmd | Scrapli.py:30:42:30:44 | cmd | provenance | | +| Scrapli.py:13:16:13:18 | cmd | Scrapli.py:33:42:33:44 | cmd | provenance | | +| 
Scrapli.py:13:16:13:18 | cmd | Scrapli.py:36:42:36:44 | cmd | provenance | | +| Scrapli.py:40:10:40:12 | cmd | Scrapli.py:51:36:51:38 | cmd | provenance | | +| Scrapli.py:40:10:40:12 | cmd | Scrapli.py:54:36:54:38 | cmd | provenance | | +| Scrapli.py:40:10:40:12 | cmd | Scrapli.py:57:36:57:38 | cmd | provenance | | +| Scrapli.py:40:10:40:12 | cmd | Scrapli.py:60:36:60:38 | cmd | provenance | | +| Scrapli.py:40:10:40:12 | cmd | Scrapli.py:63:36:63:38 | cmd | provenance | | +| Scrapli.py:40:10:40:12 | cmd | Scrapli.py:74:36:74:38 | cmd | provenance | | +| Scrapli.py:40:10:40:12 | cmd | Scrapli.py:84:36:84:38 | cmd | provenance | | +| Twisted.py:13:16:13:18 | cmd | Twisted.py:16:5:16:7 | cmd | provenance | | +| Twisted.py:13:16:13:18 | cmd | Twisted.py:24:9:24:11 | cmd | provenance | | +| paramiko.py:15:16:15:18 | cmd | paramiko.py:16:62:16:64 | cmd | provenance | | +| paramiko.py:20:16:20:18 | cmd | paramiko.py:21:70:21:72 | cmd | provenance | | +| ssh2.py:15:16:15:18 | cmd | ssh2.py:17:21:17:23 | cmd | provenance | | nodes -| AsyncSsh.py:15:16:15:18 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd | -| AsyncSsh.py:17:33:17:35 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd | -| Netmiko.py:18:16:18:18 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd | -| Netmiko.py:20:45:20:47 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd | -| Netmiko.py:21:52:21:54 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd | -| Netmiko.py:22:52:22:54 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd | -| Netmiko.py:23:41:23:57 | ControlFlowNode for List | semmle.label | ControlFlowNode for List | -| Netmiko.py:24:48:24:50 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd | -| Pexpect.py:15:16:15:18 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd | -| Pexpect.py:16:14:16:16 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd | -| 
Pexpect.py:18:18:18:20 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd | -| Scrapli.py:13:16:13:18 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd | -| Scrapli.py:24:42:24:44 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd | -| Scrapli.py:27:42:27:44 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd | -| Scrapli.py:30:42:30:44 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd | -| Scrapli.py:33:42:33:44 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd | -| Scrapli.py:36:42:36:44 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd | -| Scrapli.py:40:10:40:12 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd | -| Scrapli.py:51:36:51:38 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd | -| Scrapli.py:54:36:54:38 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd | -| Scrapli.py:57:36:57:38 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd | -| Scrapli.py:60:36:60:38 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd | -| Scrapli.py:63:36:63:38 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd | -| Scrapli.py:74:36:74:38 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd | -| Scrapli.py:84:36:84:38 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd | -| Twisted.py:13:16:13:18 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd | -| Twisted.py:16:5:16:7 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd | -| Twisted.py:24:9:24:11 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd | -| paramiko.py:15:16:15:18 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd | -| paramiko.py:16:62:16:64 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd | -| paramiko.py:20:16:20:18 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd | -| 
paramiko.py:21:70:21:72 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd | -| ssh2.py:15:16:15:18 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd | -| ssh2.py:17:21:17:23 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd | +| AsyncSsh.py:15:16:15:18 | cmd | semmle.label | cmd | +| AsyncSsh.py:17:33:17:35 | cmd | semmle.label | cmd | +| Netmiko.py:18:16:18:18 | cmd | semmle.label | cmd | +| Netmiko.py:20:45:20:47 | cmd | semmle.label | cmd | +| Netmiko.py:21:52:21:54 | cmd | semmle.label | cmd | +| Netmiko.py:22:52:22:54 | cmd | semmle.label | cmd | +| Netmiko.py:23:41:23:57 | After List | semmle.label | After List | +| Netmiko.py:24:48:24:50 | cmd | semmle.label | cmd | +| Pexpect.py:15:16:15:18 | cmd | semmle.label | cmd | +| Pexpect.py:16:14:16:16 | cmd | semmle.label | cmd | +| Pexpect.py:18:18:18:20 | cmd | semmle.label | cmd | +| Scrapli.py:13:16:13:18 | cmd | semmle.label | cmd | +| Scrapli.py:24:42:24:44 | cmd | semmle.label | cmd | +| Scrapli.py:27:42:27:44 | cmd | semmle.label | cmd | +| Scrapli.py:30:42:30:44 | cmd | semmle.label | cmd | +| Scrapli.py:33:42:33:44 | cmd | semmle.label | cmd | +| Scrapli.py:36:42:36:44 | cmd | semmle.label | cmd | +| Scrapli.py:40:10:40:12 | cmd | semmle.label | cmd | +| Scrapli.py:51:36:51:38 | cmd | semmle.label | cmd | +| Scrapli.py:54:36:54:38 | cmd | semmle.label | cmd | +| Scrapli.py:57:36:57:38 | cmd | semmle.label | cmd | +| Scrapli.py:60:36:60:38 | cmd | semmle.label | cmd | +| Scrapli.py:63:36:63:38 | cmd | semmle.label | cmd | +| Scrapli.py:74:36:74:38 | cmd | semmle.label | cmd | +| Scrapli.py:84:36:84:38 | cmd | semmle.label | cmd | +| Twisted.py:13:16:13:18 | cmd | semmle.label | cmd | +| Twisted.py:16:5:16:7 | cmd | semmle.label | cmd | +| Twisted.py:24:9:24:11 | cmd | semmle.label | cmd | +| paramiko.py:15:16:15:18 | cmd | semmle.label | cmd | +| paramiko.py:16:62:16:64 | cmd | semmle.label | cmd | +| paramiko.py:20:16:20:18 | cmd | semmle.label | cmd | 
+| paramiko.py:21:70:21:72 | cmd | semmle.label | cmd | +| ssh2.py:15:16:15:18 | cmd | semmle.label | cmd | +| ssh2.py:17:21:17:23 | cmd | semmle.label | cmd | subpaths #select -| AsyncSsh.py:17:33:17:35 | ControlFlowNode for cmd | AsyncSsh.py:15:16:15:18 | ControlFlowNode for cmd | AsyncSsh.py:17:33:17:35 | ControlFlowNode for cmd | This code execution depends on a $@. | AsyncSsh.py:15:16:15:18 | ControlFlowNode for cmd | a user-provided value | -| Netmiko.py:20:45:20:47 | ControlFlowNode for cmd | Netmiko.py:18:16:18:18 | ControlFlowNode for cmd | Netmiko.py:20:45:20:47 | ControlFlowNode for cmd | This code execution depends on a $@. | Netmiko.py:18:16:18:18 | ControlFlowNode for cmd | a user-provided value | -| Netmiko.py:21:52:21:54 | ControlFlowNode for cmd | Netmiko.py:18:16:18:18 | ControlFlowNode for cmd | Netmiko.py:21:52:21:54 | ControlFlowNode for cmd | This code execution depends on a $@. | Netmiko.py:18:16:18:18 | ControlFlowNode for cmd | a user-provided value | -| Netmiko.py:22:52:22:54 | ControlFlowNode for cmd | Netmiko.py:18:16:18:18 | ControlFlowNode for cmd | Netmiko.py:22:52:22:54 | ControlFlowNode for cmd | This code execution depends on a $@. | Netmiko.py:18:16:18:18 | ControlFlowNode for cmd | a user-provided value | -| Netmiko.py:23:41:23:57 | ControlFlowNode for List | Netmiko.py:18:16:18:18 | ControlFlowNode for cmd | Netmiko.py:23:41:23:57 | ControlFlowNode for List | This code execution depends on a $@. | Netmiko.py:18:16:18:18 | ControlFlowNode for cmd | a user-provided value | -| Netmiko.py:24:48:24:50 | ControlFlowNode for cmd | Netmiko.py:18:16:18:18 | ControlFlowNode for cmd | Netmiko.py:24:48:24:50 | ControlFlowNode for cmd | This code execution depends on a $@. | Netmiko.py:18:16:18:18 | ControlFlowNode for cmd | a user-provided value | -| Pexpect.py:16:14:16:16 | ControlFlowNode for cmd | Pexpect.py:15:16:15:18 | ControlFlowNode for cmd | Pexpect.py:16:14:16:16 | ControlFlowNode for cmd | This code execution depends on a $@. 
| Pexpect.py:15:16:15:18 | ControlFlowNode for cmd | a user-provided value | -| Pexpect.py:18:18:18:20 | ControlFlowNode for cmd | Pexpect.py:15:16:15:18 | ControlFlowNode for cmd | Pexpect.py:18:18:18:20 | ControlFlowNode for cmd | This code execution depends on a $@. | Pexpect.py:15:16:15:18 | ControlFlowNode for cmd | a user-provided value | -| Scrapli.py:24:42:24:44 | ControlFlowNode for cmd | Scrapli.py:13:16:13:18 | ControlFlowNode for cmd | Scrapli.py:24:42:24:44 | ControlFlowNode for cmd | This code execution depends on a $@. | Scrapli.py:13:16:13:18 | ControlFlowNode for cmd | a user-provided value | -| Scrapli.py:27:42:27:44 | ControlFlowNode for cmd | Scrapli.py:13:16:13:18 | ControlFlowNode for cmd | Scrapli.py:27:42:27:44 | ControlFlowNode for cmd | This code execution depends on a $@. | Scrapli.py:13:16:13:18 | ControlFlowNode for cmd | a user-provided value | -| Scrapli.py:30:42:30:44 | ControlFlowNode for cmd | Scrapli.py:13:16:13:18 | ControlFlowNode for cmd | Scrapli.py:30:42:30:44 | ControlFlowNode for cmd | This code execution depends on a $@. | Scrapli.py:13:16:13:18 | ControlFlowNode for cmd | a user-provided value | -| Scrapli.py:33:42:33:44 | ControlFlowNode for cmd | Scrapli.py:13:16:13:18 | ControlFlowNode for cmd | Scrapli.py:33:42:33:44 | ControlFlowNode for cmd | This code execution depends on a $@. | Scrapli.py:13:16:13:18 | ControlFlowNode for cmd | a user-provided value | -| Scrapli.py:36:42:36:44 | ControlFlowNode for cmd | Scrapli.py:13:16:13:18 | ControlFlowNode for cmd | Scrapli.py:36:42:36:44 | ControlFlowNode for cmd | This code execution depends on a $@. | Scrapli.py:13:16:13:18 | ControlFlowNode for cmd | a user-provided value | -| Scrapli.py:51:36:51:38 | ControlFlowNode for cmd | Scrapli.py:40:10:40:12 | ControlFlowNode for cmd | Scrapli.py:51:36:51:38 | ControlFlowNode for cmd | This code execution depends on a $@. 
| Scrapli.py:40:10:40:12 | ControlFlowNode for cmd | a user-provided value | -| Scrapli.py:54:36:54:38 | ControlFlowNode for cmd | Scrapli.py:40:10:40:12 | ControlFlowNode for cmd | Scrapli.py:54:36:54:38 | ControlFlowNode for cmd | This code execution depends on a $@. | Scrapli.py:40:10:40:12 | ControlFlowNode for cmd | a user-provided value | -| Scrapli.py:57:36:57:38 | ControlFlowNode for cmd | Scrapli.py:40:10:40:12 | ControlFlowNode for cmd | Scrapli.py:57:36:57:38 | ControlFlowNode for cmd | This code execution depends on a $@. | Scrapli.py:40:10:40:12 | ControlFlowNode for cmd | a user-provided value | -| Scrapli.py:60:36:60:38 | ControlFlowNode for cmd | Scrapli.py:40:10:40:12 | ControlFlowNode for cmd | Scrapli.py:60:36:60:38 | ControlFlowNode for cmd | This code execution depends on a $@. | Scrapli.py:40:10:40:12 | ControlFlowNode for cmd | a user-provided value | -| Scrapli.py:63:36:63:38 | ControlFlowNode for cmd | Scrapli.py:40:10:40:12 | ControlFlowNode for cmd | Scrapli.py:63:36:63:38 | ControlFlowNode for cmd | This code execution depends on a $@. | Scrapli.py:40:10:40:12 | ControlFlowNode for cmd | a user-provided value | -| Scrapli.py:74:36:74:38 | ControlFlowNode for cmd | Scrapli.py:40:10:40:12 | ControlFlowNode for cmd | Scrapli.py:74:36:74:38 | ControlFlowNode for cmd | This code execution depends on a $@. | Scrapli.py:40:10:40:12 | ControlFlowNode for cmd | a user-provided value | -| Scrapli.py:84:36:84:38 | ControlFlowNode for cmd | Scrapli.py:40:10:40:12 | ControlFlowNode for cmd | Scrapli.py:84:36:84:38 | ControlFlowNode for cmd | This code execution depends on a $@. | Scrapli.py:40:10:40:12 | ControlFlowNode for cmd | a user-provided value | -| Twisted.py:16:5:16:7 | ControlFlowNode for cmd | Twisted.py:13:16:13:18 | ControlFlowNode for cmd | Twisted.py:16:5:16:7 | ControlFlowNode for cmd | This code execution depends on a $@. 
| Twisted.py:13:16:13:18 | ControlFlowNode for cmd | a user-provided value | -| Twisted.py:24:9:24:11 | ControlFlowNode for cmd | Twisted.py:13:16:13:18 | ControlFlowNode for cmd | Twisted.py:24:9:24:11 | ControlFlowNode for cmd | This code execution depends on a $@. | Twisted.py:13:16:13:18 | ControlFlowNode for cmd | a user-provided value | -| paramiko.py:16:62:16:64 | ControlFlowNode for cmd | paramiko.py:15:16:15:18 | ControlFlowNode for cmd | paramiko.py:16:62:16:64 | ControlFlowNode for cmd | This code execution depends on a $@. | paramiko.py:15:16:15:18 | ControlFlowNode for cmd | a user-provided value | -| paramiko.py:21:70:21:72 | ControlFlowNode for cmd | paramiko.py:20:16:20:18 | ControlFlowNode for cmd | paramiko.py:21:70:21:72 | ControlFlowNode for cmd | This code execution depends on a $@. | paramiko.py:20:16:20:18 | ControlFlowNode for cmd | a user-provided value | -| ssh2.py:17:21:17:23 | ControlFlowNode for cmd | ssh2.py:15:16:15:18 | ControlFlowNode for cmd | ssh2.py:17:21:17:23 | ControlFlowNode for cmd | This code execution depends on a $@. | ssh2.py:15:16:15:18 | ControlFlowNode for cmd | a user-provided value | +| AsyncSsh.py:17:33:17:35 | cmd | AsyncSsh.py:15:16:15:18 | cmd | AsyncSsh.py:17:33:17:35 | cmd | This code execution depends on a $@. | AsyncSsh.py:15:16:15:18 | cmd | a user-provided value | +| Netmiko.py:20:45:20:47 | cmd | Netmiko.py:18:16:18:18 | cmd | Netmiko.py:20:45:20:47 | cmd | This code execution depends on a $@. | Netmiko.py:18:16:18:18 | cmd | a user-provided value | +| Netmiko.py:21:52:21:54 | cmd | Netmiko.py:18:16:18:18 | cmd | Netmiko.py:21:52:21:54 | cmd | This code execution depends on a $@. | Netmiko.py:18:16:18:18 | cmd | a user-provided value | +| Netmiko.py:22:52:22:54 | cmd | Netmiko.py:18:16:18:18 | cmd | Netmiko.py:22:52:22:54 | cmd | This code execution depends on a $@. 
| Netmiko.py:18:16:18:18 | cmd | a user-provided value | +| Netmiko.py:23:41:23:57 | After List | Netmiko.py:18:16:18:18 | cmd | Netmiko.py:23:41:23:57 | After List | This code execution depends on a $@. | Netmiko.py:18:16:18:18 | cmd | a user-provided value | +| Netmiko.py:24:48:24:50 | cmd | Netmiko.py:18:16:18:18 | cmd | Netmiko.py:24:48:24:50 | cmd | This code execution depends on a $@. | Netmiko.py:18:16:18:18 | cmd | a user-provided value | +| Pexpect.py:16:14:16:16 | cmd | Pexpect.py:15:16:15:18 | cmd | Pexpect.py:16:14:16:16 | cmd | This code execution depends on a $@. | Pexpect.py:15:16:15:18 | cmd | a user-provided value | +| Pexpect.py:18:18:18:20 | cmd | Pexpect.py:15:16:15:18 | cmd | Pexpect.py:18:18:18:20 | cmd | This code execution depends on a $@. | Pexpect.py:15:16:15:18 | cmd | a user-provided value | +| Scrapli.py:24:42:24:44 | cmd | Scrapli.py:13:16:13:18 | cmd | Scrapli.py:24:42:24:44 | cmd | This code execution depends on a $@. | Scrapli.py:13:16:13:18 | cmd | a user-provided value | +| Scrapli.py:27:42:27:44 | cmd | Scrapli.py:13:16:13:18 | cmd | Scrapli.py:27:42:27:44 | cmd | This code execution depends on a $@. | Scrapli.py:13:16:13:18 | cmd | a user-provided value | +| Scrapli.py:30:42:30:44 | cmd | Scrapli.py:13:16:13:18 | cmd | Scrapli.py:30:42:30:44 | cmd | This code execution depends on a $@. | Scrapli.py:13:16:13:18 | cmd | a user-provided value | +| Scrapli.py:33:42:33:44 | cmd | Scrapli.py:13:16:13:18 | cmd | Scrapli.py:33:42:33:44 | cmd | This code execution depends on a $@. | Scrapli.py:13:16:13:18 | cmd | a user-provided value | +| Scrapli.py:36:42:36:44 | cmd | Scrapli.py:13:16:13:18 | cmd | Scrapli.py:36:42:36:44 | cmd | This code execution depends on a $@. | Scrapli.py:13:16:13:18 | cmd | a user-provided value | +| Scrapli.py:51:36:51:38 | cmd | Scrapli.py:40:10:40:12 | cmd | Scrapli.py:51:36:51:38 | cmd | This code execution depends on a $@. 
| Scrapli.py:40:10:40:12 | cmd | a user-provided value | +| Scrapli.py:54:36:54:38 | cmd | Scrapli.py:40:10:40:12 | cmd | Scrapli.py:54:36:54:38 | cmd | This code execution depends on a $@. | Scrapli.py:40:10:40:12 | cmd | a user-provided value | +| Scrapli.py:57:36:57:38 | cmd | Scrapli.py:40:10:40:12 | cmd | Scrapli.py:57:36:57:38 | cmd | This code execution depends on a $@. | Scrapli.py:40:10:40:12 | cmd | a user-provided value | +| Scrapli.py:60:36:60:38 | cmd | Scrapli.py:40:10:40:12 | cmd | Scrapli.py:60:36:60:38 | cmd | This code execution depends on a $@. | Scrapli.py:40:10:40:12 | cmd | a user-provided value | +| Scrapli.py:63:36:63:38 | cmd | Scrapli.py:40:10:40:12 | cmd | Scrapli.py:63:36:63:38 | cmd | This code execution depends on a $@. | Scrapli.py:40:10:40:12 | cmd | a user-provided value | +| Scrapli.py:74:36:74:38 | cmd | Scrapli.py:40:10:40:12 | cmd | Scrapli.py:74:36:74:38 | cmd | This code execution depends on a $@. | Scrapli.py:40:10:40:12 | cmd | a user-provided value | +| Scrapli.py:84:36:84:38 | cmd | Scrapli.py:40:10:40:12 | cmd | Scrapli.py:84:36:84:38 | cmd | This code execution depends on a $@. | Scrapli.py:40:10:40:12 | cmd | a user-provided value | +| Twisted.py:16:5:16:7 | cmd | Twisted.py:13:16:13:18 | cmd | Twisted.py:16:5:16:7 | cmd | This code execution depends on a $@. | Twisted.py:13:16:13:18 | cmd | a user-provided value | +| Twisted.py:24:9:24:11 | cmd | Twisted.py:13:16:13:18 | cmd | Twisted.py:24:9:24:11 | cmd | This code execution depends on a $@. | Twisted.py:13:16:13:18 | cmd | a user-provided value | +| paramiko.py:16:62:16:64 | cmd | paramiko.py:15:16:15:18 | cmd | paramiko.py:16:62:16:64 | cmd | This code execution depends on a $@. | paramiko.py:15:16:15:18 | cmd | a user-provided value | +| paramiko.py:21:70:21:72 | cmd | paramiko.py:20:16:20:18 | cmd | paramiko.py:21:70:21:72 | cmd | This code execution depends on a $@. 
| paramiko.py:20:16:20:18 | cmd | a user-provided value | +| ssh2.py:17:21:17:23 | cmd | ssh2.py:15:16:15:18 | cmd | ssh2.py:17:21:17:23 | cmd | This code execution depends on a $@. | ssh2.py:15:16:15:18 | cmd | a user-provided value | diff --git a/python/ql/test/experimental/query-tests/Security/CWE-079/EmailXss.expected b/python/ql/test/experimental/query-tests/Security/CWE-079/EmailXss.expected index 8f0493b7927..eac526d9645 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-079/EmailXss.expected +++ b/python/ql/test/experimental/query-tests/Security/CWE-079/EmailXss.expected 
@@ -1,94 +1,94 @@ edges -| flask_mail.py:1:19:1:25 | ControlFlowNode for ImportMember | flask_mail.py:1:19:1:25 | ControlFlowNode for request | provenance | | -| flask_mail.py:1:19:1:25 | ControlFlowNode for request | flask_mail.py:13:22:13:28 | ControlFlowNode for request | provenance | | -| flask_mail.py:1:19:1:25 | ControlFlowNode for request | flask_mail.py:18:14:18:20 | ControlFlowNode for request | provenance | | -| flask_mail.py:1:19:1:25 | ControlFlowNode for request | flask_mail.py:31:24:31:30 | ControlFlowNode for request | provenance | | -| flask_mail.py:13:22:13:28 | ControlFlowNode for request | flask_mail.py:13:22:13:41 | ControlFlowNode for Subscript | provenance | AdditionalTaintStep | -| flask_mail.py:13:22:13:28 | ControlFlowNode for request | flask_mail.py:18:14:18:33 | ControlFlowNode for Subscript | provenance | AdditionalTaintStep | -| flask_mail.py:18:14:18:20 | ControlFlowNode for request | flask_mail.py:18:14:18:33 | ControlFlowNode for Subscript | provenance | AdditionalTaintStep | -| flask_mail.py:31:24:31:30 | ControlFlowNode for request | flask_mail.py:31:24:31:43 | ControlFlowNode for Subscript | provenance | AdditionalTaintStep | -| sendgrid_mail.py:1:19:1:25 | ControlFlowNode for ImportMember | sendgrid_mail.py:1:19:1:25 | ControlFlowNode for request | provenance | | -| sendgrid_mail.py:1:19:1:25 | ControlFlowNode for request | sendgrid_mail.py:14:22:14:28 | ControlFlowNode for request | provenance | | -| sendgrid_mail.py:1:19:1:25 | ControlFlowNode for request | sendgrid_mail.py:26:34:26:40 | ControlFlowNode for request | provenance | | -| sendgrid_mail.py:1:19:1:25 | ControlFlowNode for request | sendgrid_mail.py:37:41:37:47 | ControlFlowNode for request | provenance | | -| sendgrid_mail.py:14:22:14:28 | ControlFlowNode for request | sendgrid_mail.py:14:22:14:49 | ControlFlowNode for Subscript | provenance | AdditionalTaintStep | -| sendgrid_mail.py:26:34:26:40 | ControlFlowNode for request | sendgrid_mail.py:26:34:26:61 | 
ControlFlowNode for Subscript | provenance | AdditionalTaintStep | -| sendgrid_mail.py:26:34:26:61 | ControlFlowNode for Subscript | sendgrid_mail.py:26:22:26:62 | ControlFlowNode for HtmlContent() | provenance | Config | -| sendgrid_mail.py:37:41:37:47 | ControlFlowNode for request | sendgrid_mail.py:37:41:37:68 | ControlFlowNode for Subscript | provenance | AdditionalTaintStep | -| sendgrid_via_mail_send_post_request_body_bad.py:3:19:3:25 | ControlFlowNode for ImportMember | sendgrid_via_mail_send_post_request_body_bad.py:3:19:3:25 | ControlFlowNode for request | provenance | | -| sendgrid_via_mail_send_post_request_body_bad.py:3:19:3:25 | ControlFlowNode for request | sendgrid_via_mail_send_post_request_body_bad.py:16:51:16:57 | ControlFlowNode for request | provenance | | -| sendgrid_via_mail_send_post_request_body_bad.py:3:19:3:25 | ControlFlowNode for request | sendgrid_via_mail_send_post_request_body_bad.py:27:50:27:56 | ControlFlowNode for request | provenance | | -| sendgrid_via_mail_send_post_request_body_bad.py:3:19:3:25 | ControlFlowNode for request | sendgrid_via_mail_send_post_request_body_bad.py:41:50:41:56 | ControlFlowNode for request | provenance | | -| sendgrid_via_mail_send_post_request_body_bad.py:16:51:16:57 | ControlFlowNode for request | sendgrid_via_mail_send_post_request_body_bad.py:16:26:16:79 | ControlFlowNode for Attribute() | provenance | AdditionalTaintStep | -| sendgrid_via_mail_send_post_request_body_bad.py:16:51:16:57 | ControlFlowNode for request | sendgrid_via_mail_send_post_request_body_bad.py:27:25:27:77 | ControlFlowNode for Attribute() | provenance | AdditionalTaintStep | -| sendgrid_via_mail_send_post_request_body_bad.py:16:51:16:57 | ControlFlowNode for request | sendgrid_via_mail_send_post_request_body_bad.py:41:25:41:79 | ControlFlowNode for Attribute() | provenance | AdditionalTaintStep | -| sendgrid_via_mail_send_post_request_body_bad.py:27:50:27:56 | ControlFlowNode for request | 
sendgrid_via_mail_send_post_request_body_bad.py:27:25:27:77 | ControlFlowNode for Attribute() | provenance | AdditionalTaintStep | -| sendgrid_via_mail_send_post_request_body_bad.py:27:50:27:56 | ControlFlowNode for request | sendgrid_via_mail_send_post_request_body_bad.py:41:25:41:79 | ControlFlowNode for Attribute() | provenance | AdditionalTaintStep | -| sendgrid_via_mail_send_post_request_body_bad.py:41:50:41:56 | ControlFlowNode for request | sendgrid_via_mail_send_post_request_body_bad.py:41:25:41:79 | ControlFlowNode for Attribute() | provenance | AdditionalTaintStep | -| smtplib_bad_subparts.py:2:26:2:32 | ControlFlowNode for ImportMember | smtplib_bad_subparts.py:2:26:2:32 | ControlFlowNode for request | provenance | | -| smtplib_bad_subparts.py:2:26:2:32 | ControlFlowNode for request | smtplib_bad_subparts.py:17:12:17:18 | ControlFlowNode for request | provenance | | -| smtplib_bad_subparts.py:17:5:17:8 | ControlFlowNode for name | smtplib_bad_subparts.py:20:5:20:8 | ControlFlowNode for html | provenance | | -| smtplib_bad_subparts.py:17:12:17:18 | ControlFlowNode for request | smtplib_bad_subparts.py:17:5:17:8 | ControlFlowNode for name | provenance | AdditionalTaintStep | -| smtplib_bad_subparts.py:20:5:20:8 | ControlFlowNode for html | smtplib_bad_subparts.py:24:22:24:25 | ControlFlowNode for html | provenance | | -| smtplib_bad_via_attach.py:2:26:2:32 | ControlFlowNode for ImportMember | smtplib_bad_via_attach.py:2:26:2:32 | ControlFlowNode for request | provenance | | -| smtplib_bad_via_attach.py:2:26:2:32 | ControlFlowNode for request | smtplib_bad_via_attach.py:20:12:20:18 | ControlFlowNode for request | provenance | | -| smtplib_bad_via_attach.py:20:5:20:8 | ControlFlowNode for name | smtplib_bad_via_attach.py:23:5:23:8 | ControlFlowNode for html | provenance | | -| smtplib_bad_via_attach.py:20:12:20:18 | ControlFlowNode for request | smtplib_bad_via_attach.py:20:5:20:8 | ControlFlowNode for name | provenance | AdditionalTaintStep | -| 
smtplib_bad_via_attach.py:23:5:23:8 | ControlFlowNode for html | smtplib_bad_via_attach.py:27:22:27:25 | ControlFlowNode for html | provenance | | +| flask_mail.py:1:19:1:25 | After ImportMember | flask_mail.py:1:19:1:25 | request | provenance | | +| flask_mail.py:1:19:1:25 | request | flask_mail.py:13:22:13:28 | request | provenance | | +| flask_mail.py:1:19:1:25 | request | flask_mail.py:18:14:18:20 | request | provenance | | +| flask_mail.py:1:19:1:25 | request | flask_mail.py:31:24:31:30 | request | provenance | | +| flask_mail.py:13:22:13:28 | request | flask_mail.py:13:22:13:41 | After Subscript | provenance | AdditionalTaintStep | +| flask_mail.py:13:22:13:28 | request | flask_mail.py:18:14:18:33 | After Subscript | provenance | AdditionalTaintStep | +| flask_mail.py:18:14:18:20 | request | flask_mail.py:18:14:18:33 | After Subscript | provenance | AdditionalTaintStep | +| flask_mail.py:31:24:31:30 | request | flask_mail.py:31:24:31:43 | After Subscript | provenance | AdditionalTaintStep | +| sendgrid_mail.py:1:19:1:25 | After ImportMember | sendgrid_mail.py:1:19:1:25 | request | provenance | | +| sendgrid_mail.py:1:19:1:25 | request | sendgrid_mail.py:14:22:14:28 | request | provenance | | +| sendgrid_mail.py:1:19:1:25 | request | sendgrid_mail.py:26:34:26:40 | request | provenance | | +| sendgrid_mail.py:1:19:1:25 | request | sendgrid_mail.py:37:41:37:47 | request | provenance | | +| sendgrid_mail.py:14:22:14:28 | request | sendgrid_mail.py:14:22:14:49 | After Subscript | provenance | AdditionalTaintStep | +| sendgrid_mail.py:26:34:26:40 | request | sendgrid_mail.py:26:34:26:61 | After Subscript | provenance | AdditionalTaintStep | +| sendgrid_mail.py:26:34:26:61 | After Subscript | sendgrid_mail.py:26:22:26:62 | After HtmlContent() | provenance | Config | +| sendgrid_mail.py:37:41:37:47 | request | sendgrid_mail.py:37:41:37:68 | After Subscript | provenance | AdditionalTaintStep | +| sendgrid_via_mail_send_post_request_body_bad.py:3:19:3:25 | After 
ImportMember | sendgrid_via_mail_send_post_request_body_bad.py:3:19:3:25 | request | provenance | | +| sendgrid_via_mail_send_post_request_body_bad.py:3:19:3:25 | request | sendgrid_via_mail_send_post_request_body_bad.py:16:51:16:57 | request | provenance | | +| sendgrid_via_mail_send_post_request_body_bad.py:3:19:3:25 | request | sendgrid_via_mail_send_post_request_body_bad.py:27:50:27:56 | request | provenance | | +| sendgrid_via_mail_send_post_request_body_bad.py:3:19:3:25 | request | sendgrid_via_mail_send_post_request_body_bad.py:41:50:41:56 | request | provenance | | +| sendgrid_via_mail_send_post_request_body_bad.py:16:51:16:57 | request | sendgrid_via_mail_send_post_request_body_bad.py:16:26:16:79 | After Attribute() | provenance | AdditionalTaintStep | +| sendgrid_via_mail_send_post_request_body_bad.py:16:51:16:57 | request | sendgrid_via_mail_send_post_request_body_bad.py:27:25:27:77 | After Attribute() | provenance | AdditionalTaintStep | +| sendgrid_via_mail_send_post_request_body_bad.py:16:51:16:57 | request | sendgrid_via_mail_send_post_request_body_bad.py:41:25:41:79 | After Attribute() | provenance | AdditionalTaintStep | +| sendgrid_via_mail_send_post_request_body_bad.py:27:50:27:56 | request | sendgrid_via_mail_send_post_request_body_bad.py:27:25:27:77 | After Attribute() | provenance | AdditionalTaintStep | +| sendgrid_via_mail_send_post_request_body_bad.py:27:50:27:56 | request | sendgrid_via_mail_send_post_request_body_bad.py:41:25:41:79 | After Attribute() | provenance | AdditionalTaintStep | +| sendgrid_via_mail_send_post_request_body_bad.py:41:50:41:56 | request | sendgrid_via_mail_send_post_request_body_bad.py:41:25:41:79 | After Attribute() | provenance | AdditionalTaintStep | +| smtplib_bad_subparts.py:2:26:2:32 | After ImportMember | smtplib_bad_subparts.py:2:26:2:32 | request | provenance | | +| smtplib_bad_subparts.py:2:26:2:32 | request | smtplib_bad_subparts.py:17:12:17:18 | request | provenance | | +| 
smtplib_bad_subparts.py:17:5:17:8 | name | smtplib_bad_subparts.py:20:5:20:8 | html | provenance | | +| smtplib_bad_subparts.py:17:12:17:18 | request | smtplib_bad_subparts.py:17:5:17:8 | name | provenance | AdditionalTaintStep | +| smtplib_bad_subparts.py:20:5:20:8 | html | smtplib_bad_subparts.py:24:22:24:25 | html | provenance | | +| smtplib_bad_via_attach.py:2:26:2:32 | After ImportMember | smtplib_bad_via_attach.py:2:26:2:32 | request | provenance | | +| smtplib_bad_via_attach.py:2:26:2:32 | request | smtplib_bad_via_attach.py:20:12:20:18 | request | provenance | | +| smtplib_bad_via_attach.py:20:5:20:8 | name | smtplib_bad_via_attach.py:23:5:23:8 | html | provenance | | +| smtplib_bad_via_attach.py:20:12:20:18 | request | smtplib_bad_via_attach.py:20:5:20:8 | name | provenance | AdditionalTaintStep | +| smtplib_bad_via_attach.py:23:5:23:8 | html | smtplib_bad_via_attach.py:27:22:27:25 | html | provenance | | nodes -| django_mail.py:14:48:14:82 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| django_mail.py:23:30:23:64 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| django_mail.py:25:32:25:66 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| flask_mail.py:1:19:1:25 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember | -| flask_mail.py:1:19:1:25 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| flask_mail.py:13:22:13:28 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| flask_mail.py:13:22:13:41 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript | -| flask_mail.py:18:14:18:20 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| flask_mail.py:18:14:18:33 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript | -| flask_mail.py:31:24:31:30 | ControlFlowNode for request | 
semmle.label | ControlFlowNode for request | -| flask_mail.py:31:24:31:43 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript | -| sendgrid_mail.py:1:19:1:25 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember | -| sendgrid_mail.py:1:19:1:25 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| sendgrid_mail.py:14:22:14:28 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| sendgrid_mail.py:14:22:14:49 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript | -| sendgrid_mail.py:26:22:26:62 | ControlFlowNode for HtmlContent() | semmle.label | ControlFlowNode for HtmlContent() | -| sendgrid_mail.py:26:34:26:40 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| sendgrid_mail.py:26:34:26:61 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript | -| sendgrid_mail.py:37:41:37:47 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| sendgrid_mail.py:37:41:37:68 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript | -| sendgrid_via_mail_send_post_request_body_bad.py:3:19:3:25 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember | -| sendgrid_via_mail_send_post_request_body_bad.py:3:19:3:25 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| sendgrid_via_mail_send_post_request_body_bad.py:16:26:16:79 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| sendgrid_via_mail_send_post_request_body_bad.py:16:51:16:57 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| sendgrid_via_mail_send_post_request_body_bad.py:27:25:27:77 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| sendgrid_via_mail_send_post_request_body_bad.py:27:50:27:56 | ControlFlowNode for request | semmle.label | 
ControlFlowNode for request | -| sendgrid_via_mail_send_post_request_body_bad.py:41:25:41:79 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| sendgrid_via_mail_send_post_request_body_bad.py:41:50:41:56 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| smtplib_bad_subparts.py:2:26:2:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember | -| smtplib_bad_subparts.py:2:26:2:32 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| smtplib_bad_subparts.py:17:5:17:8 | ControlFlowNode for name | semmle.label | ControlFlowNode for name | -| smtplib_bad_subparts.py:17:12:17:18 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| smtplib_bad_subparts.py:20:5:20:8 | ControlFlowNode for html | semmle.label | ControlFlowNode for html | -| smtplib_bad_subparts.py:24:22:24:25 | ControlFlowNode for html | semmle.label | ControlFlowNode for html | -| smtplib_bad_via_attach.py:2:26:2:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember | -| smtplib_bad_via_attach.py:2:26:2:32 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| smtplib_bad_via_attach.py:20:5:20:8 | ControlFlowNode for name | semmle.label | ControlFlowNode for name | -| smtplib_bad_via_attach.py:20:12:20:18 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| smtplib_bad_via_attach.py:23:5:23:8 | ControlFlowNode for html | semmle.label | ControlFlowNode for html | -| smtplib_bad_via_attach.py:27:22:27:25 | ControlFlowNode for html | semmle.label | ControlFlowNode for html | +| django_mail.py:14:48:14:82 | After Attribute() | semmle.label | After Attribute() | +| django_mail.py:23:30:23:64 | After Attribute() | semmle.label | After Attribute() | +| django_mail.py:25:32:25:66 | After Attribute() | semmle.label | After Attribute() | +| flask_mail.py:1:19:1:25 | After ImportMember 
| semmle.label | After ImportMember | +| flask_mail.py:1:19:1:25 | request | semmle.label | request | +| flask_mail.py:13:22:13:28 | request | semmle.label | request | +| flask_mail.py:13:22:13:41 | After Subscript | semmle.label | After Subscript | +| flask_mail.py:18:14:18:20 | request | semmle.label | request | +| flask_mail.py:18:14:18:33 | After Subscript | semmle.label | After Subscript | +| flask_mail.py:31:24:31:30 | request | semmle.label | request | +| flask_mail.py:31:24:31:43 | After Subscript | semmle.label | After Subscript | +| sendgrid_mail.py:1:19:1:25 | After ImportMember | semmle.label | After ImportMember | +| sendgrid_mail.py:1:19:1:25 | request | semmle.label | request | +| sendgrid_mail.py:14:22:14:28 | request | semmle.label | request | +| sendgrid_mail.py:14:22:14:49 | After Subscript | semmle.label | After Subscript | +| sendgrid_mail.py:26:22:26:62 | After HtmlContent() | semmle.label | After HtmlContent() | +| sendgrid_mail.py:26:34:26:40 | request | semmle.label | request | +| sendgrid_mail.py:26:34:26:61 | After Subscript | semmle.label | After Subscript | +| sendgrid_mail.py:37:41:37:47 | request | semmle.label | request | +| sendgrid_mail.py:37:41:37:68 | After Subscript | semmle.label | After Subscript | +| sendgrid_via_mail_send_post_request_body_bad.py:3:19:3:25 | After ImportMember | semmle.label | After ImportMember | +| sendgrid_via_mail_send_post_request_body_bad.py:3:19:3:25 | request | semmle.label | request | +| sendgrid_via_mail_send_post_request_body_bad.py:16:26:16:79 | After Attribute() | semmle.label | After Attribute() | +| sendgrid_via_mail_send_post_request_body_bad.py:16:51:16:57 | request | semmle.label | request | +| sendgrid_via_mail_send_post_request_body_bad.py:27:25:27:77 | After Attribute() | semmle.label | After Attribute() | +| sendgrid_via_mail_send_post_request_body_bad.py:27:50:27:56 | request | semmle.label | request | +| sendgrid_via_mail_send_post_request_body_bad.py:41:25:41:79 | After Attribute() | 
semmle.label | After Attribute() | +| sendgrid_via_mail_send_post_request_body_bad.py:41:50:41:56 | request | semmle.label | request | +| smtplib_bad_subparts.py:2:26:2:32 | After ImportMember | semmle.label | After ImportMember | +| smtplib_bad_subparts.py:2:26:2:32 | request | semmle.label | request | +| smtplib_bad_subparts.py:17:5:17:8 | name | semmle.label | name | +| smtplib_bad_subparts.py:17:12:17:18 | request | semmle.label | request | +| smtplib_bad_subparts.py:20:5:20:8 | html | semmle.label | html | +| smtplib_bad_subparts.py:24:22:24:25 | html | semmle.label | html | +| smtplib_bad_via_attach.py:2:26:2:32 | After ImportMember | semmle.label | After ImportMember | +| smtplib_bad_via_attach.py:2:26:2:32 | request | semmle.label | request | +| smtplib_bad_via_attach.py:20:5:20:8 | name | semmle.label | name | +| smtplib_bad_via_attach.py:20:12:20:18 | request | semmle.label | request | +| smtplib_bad_via_attach.py:23:5:23:8 | html | semmle.label | html | +| smtplib_bad_via_attach.py:27:22:27:25 | html | semmle.label | html | subpaths #select -| django_mail.py:14:48:14:82 | ControlFlowNode for Attribute() | django_mail.py:14:48:14:82 | ControlFlowNode for Attribute() | django_mail.py:14:48:14:82 | ControlFlowNode for Attribute() | Cross-site scripting vulnerability due to $@. | django_mail.py:14:48:14:82 | ControlFlowNode for Attribute() | a user-provided value | -| django_mail.py:23:30:23:64 | ControlFlowNode for Attribute() | django_mail.py:23:30:23:64 | ControlFlowNode for Attribute() | django_mail.py:23:30:23:64 | ControlFlowNode for Attribute() | Cross-site scripting vulnerability due to $@. | django_mail.py:23:30:23:64 | ControlFlowNode for Attribute() | a user-provided value | -| django_mail.py:25:32:25:66 | ControlFlowNode for Attribute() | django_mail.py:25:32:25:66 | ControlFlowNode for Attribute() | django_mail.py:25:32:25:66 | ControlFlowNode for Attribute() | Cross-site scripting vulnerability due to $@. 
| django_mail.py:25:32:25:66 | ControlFlowNode for Attribute() | a user-provided value | -| flask_mail.py:13:22:13:41 | ControlFlowNode for Subscript | flask_mail.py:1:19:1:25 | ControlFlowNode for ImportMember | flask_mail.py:13:22:13:41 | ControlFlowNode for Subscript | Cross-site scripting vulnerability due to $@. | flask_mail.py:1:19:1:25 | ControlFlowNode for ImportMember | a user-provided value | -| flask_mail.py:18:14:18:33 | ControlFlowNode for Subscript | flask_mail.py:1:19:1:25 | ControlFlowNode for ImportMember | flask_mail.py:18:14:18:33 | ControlFlowNode for Subscript | Cross-site scripting vulnerability due to $@. | flask_mail.py:1:19:1:25 | ControlFlowNode for ImportMember | a user-provided value | -| flask_mail.py:31:24:31:43 | ControlFlowNode for Subscript | flask_mail.py:1:19:1:25 | ControlFlowNode for ImportMember | flask_mail.py:31:24:31:43 | ControlFlowNode for Subscript | Cross-site scripting vulnerability due to $@. | flask_mail.py:1:19:1:25 | ControlFlowNode for ImportMember | a user-provided value | -| sendgrid_mail.py:14:22:14:49 | ControlFlowNode for Subscript | sendgrid_mail.py:1:19:1:25 | ControlFlowNode for ImportMember | sendgrid_mail.py:14:22:14:49 | ControlFlowNode for Subscript | Cross-site scripting vulnerability due to $@. | sendgrid_mail.py:1:19:1:25 | ControlFlowNode for ImportMember | a user-provided value | -| sendgrid_mail.py:26:22:26:62 | ControlFlowNode for HtmlContent() | sendgrid_mail.py:1:19:1:25 | ControlFlowNode for ImportMember | sendgrid_mail.py:26:22:26:62 | ControlFlowNode for HtmlContent() | Cross-site scripting vulnerability due to $@. | sendgrid_mail.py:1:19:1:25 | ControlFlowNode for ImportMember | a user-provided value | -| sendgrid_mail.py:37:41:37:68 | ControlFlowNode for Subscript | sendgrid_mail.py:1:19:1:25 | ControlFlowNode for ImportMember | sendgrid_mail.py:37:41:37:68 | ControlFlowNode for Subscript | Cross-site scripting vulnerability due to $@. 
| sendgrid_mail.py:1:19:1:25 | ControlFlowNode for ImportMember | a user-provided value | -| sendgrid_via_mail_send_post_request_body_bad.py:16:26:16:79 | ControlFlowNode for Attribute() | sendgrid_via_mail_send_post_request_body_bad.py:3:19:3:25 | ControlFlowNode for ImportMember | sendgrid_via_mail_send_post_request_body_bad.py:16:26:16:79 | ControlFlowNode for Attribute() | Cross-site scripting vulnerability due to $@. | sendgrid_via_mail_send_post_request_body_bad.py:3:19:3:25 | ControlFlowNode for ImportMember | a user-provided value | -| sendgrid_via_mail_send_post_request_body_bad.py:27:25:27:77 | ControlFlowNode for Attribute() | sendgrid_via_mail_send_post_request_body_bad.py:3:19:3:25 | ControlFlowNode for ImportMember | sendgrid_via_mail_send_post_request_body_bad.py:27:25:27:77 | ControlFlowNode for Attribute() | Cross-site scripting vulnerability due to $@. | sendgrid_via_mail_send_post_request_body_bad.py:3:19:3:25 | ControlFlowNode for ImportMember | a user-provided value | -| sendgrid_via_mail_send_post_request_body_bad.py:41:25:41:79 | ControlFlowNode for Attribute() | sendgrid_via_mail_send_post_request_body_bad.py:3:19:3:25 | ControlFlowNode for ImportMember | sendgrid_via_mail_send_post_request_body_bad.py:41:25:41:79 | ControlFlowNode for Attribute() | Cross-site scripting vulnerability due to $@. | sendgrid_via_mail_send_post_request_body_bad.py:3:19:3:25 | ControlFlowNode for ImportMember | a user-provided value | -| smtplib_bad_subparts.py:24:22:24:25 | ControlFlowNode for html | smtplib_bad_subparts.py:2:26:2:32 | ControlFlowNode for ImportMember | smtplib_bad_subparts.py:24:22:24:25 | ControlFlowNode for html | Cross-site scripting vulnerability due to $@. 
| smtplib_bad_subparts.py:2:26:2:32 | ControlFlowNode for ImportMember | a user-provided value | -| smtplib_bad_via_attach.py:27:22:27:25 | ControlFlowNode for html | smtplib_bad_via_attach.py:2:26:2:32 | ControlFlowNode for ImportMember | smtplib_bad_via_attach.py:27:22:27:25 | ControlFlowNode for html | Cross-site scripting vulnerability due to $@. | smtplib_bad_via_attach.py:2:26:2:32 | ControlFlowNode for ImportMember | a user-provided value | +| django_mail.py:14:48:14:82 | After Attribute() | django_mail.py:14:48:14:82 | After Attribute() | django_mail.py:14:48:14:82 | After Attribute() | Cross-site scripting vulnerability due to $@. | django_mail.py:14:48:14:82 | After Attribute() | a user-provided value | +| django_mail.py:23:30:23:64 | After Attribute() | django_mail.py:23:30:23:64 | After Attribute() | django_mail.py:23:30:23:64 | After Attribute() | Cross-site scripting vulnerability due to $@. | django_mail.py:23:30:23:64 | After Attribute() | a user-provided value | +| django_mail.py:25:32:25:66 | After Attribute() | django_mail.py:25:32:25:66 | After Attribute() | django_mail.py:25:32:25:66 | After Attribute() | Cross-site scripting vulnerability due to $@. | django_mail.py:25:32:25:66 | After Attribute() | a user-provided value | +| flask_mail.py:13:22:13:41 | After Subscript | flask_mail.py:1:19:1:25 | After ImportMember | flask_mail.py:13:22:13:41 | After Subscript | Cross-site scripting vulnerability due to $@. | flask_mail.py:1:19:1:25 | After ImportMember | a user-provided value | +| flask_mail.py:18:14:18:33 | After Subscript | flask_mail.py:1:19:1:25 | After ImportMember | flask_mail.py:18:14:18:33 | After Subscript | Cross-site scripting vulnerability due to $@. | flask_mail.py:1:19:1:25 | After ImportMember | a user-provided value | +| flask_mail.py:31:24:31:43 | After Subscript | flask_mail.py:1:19:1:25 | After ImportMember | flask_mail.py:31:24:31:43 | After Subscript | Cross-site scripting vulnerability due to $@. 
| flask_mail.py:1:19:1:25 | After ImportMember | a user-provided value | +| sendgrid_mail.py:14:22:14:49 | After Subscript | sendgrid_mail.py:1:19:1:25 | After ImportMember | sendgrid_mail.py:14:22:14:49 | After Subscript | Cross-site scripting vulnerability due to $@. | sendgrid_mail.py:1:19:1:25 | After ImportMember | a user-provided value | +| sendgrid_mail.py:26:22:26:62 | After HtmlContent() | sendgrid_mail.py:1:19:1:25 | After ImportMember | sendgrid_mail.py:26:22:26:62 | After HtmlContent() | Cross-site scripting vulnerability due to $@. | sendgrid_mail.py:1:19:1:25 | After ImportMember | a user-provided value | +| sendgrid_mail.py:37:41:37:68 | After Subscript | sendgrid_mail.py:1:19:1:25 | After ImportMember | sendgrid_mail.py:37:41:37:68 | After Subscript | Cross-site scripting vulnerability due to $@. | sendgrid_mail.py:1:19:1:25 | After ImportMember | a user-provided value | +| sendgrid_via_mail_send_post_request_body_bad.py:16:26:16:79 | After Attribute() | sendgrid_via_mail_send_post_request_body_bad.py:3:19:3:25 | After ImportMember | sendgrid_via_mail_send_post_request_body_bad.py:16:26:16:79 | After Attribute() | Cross-site scripting vulnerability due to $@. | sendgrid_via_mail_send_post_request_body_bad.py:3:19:3:25 | After ImportMember | a user-provided value | +| sendgrid_via_mail_send_post_request_body_bad.py:27:25:27:77 | After Attribute() | sendgrid_via_mail_send_post_request_body_bad.py:3:19:3:25 | After ImportMember | sendgrid_via_mail_send_post_request_body_bad.py:27:25:27:77 | After Attribute() | Cross-site scripting vulnerability due to $@. | sendgrid_via_mail_send_post_request_body_bad.py:3:19:3:25 | After ImportMember | a user-provided value | +| sendgrid_via_mail_send_post_request_body_bad.py:41:25:41:79 | After Attribute() | sendgrid_via_mail_send_post_request_body_bad.py:3:19:3:25 | After ImportMember | sendgrid_via_mail_send_post_request_body_bad.py:41:25:41:79 | After Attribute() | Cross-site scripting vulnerability due to $@. 
| sendgrid_via_mail_send_post_request_body_bad.py:3:19:3:25 | After ImportMember | a user-provided value | +| smtplib_bad_subparts.py:24:22:24:25 | html | smtplib_bad_subparts.py:2:26:2:32 | After ImportMember | smtplib_bad_subparts.py:24:22:24:25 | html | Cross-site scripting vulnerability due to $@. | smtplib_bad_subparts.py:2:26:2:32 | After ImportMember | a user-provided value | +| smtplib_bad_via_attach.py:27:22:27:25 | html | smtplib_bad_via_attach.py:2:26:2:32 | After ImportMember | smtplib_bad_via_attach.py:27:22:27:25 | html | Cross-site scripting vulnerability due to $@. | smtplib_bad_via_attach.py:2:26:2:32 | After ImportMember | a user-provided value | diff --git a/python/ql/test/experimental/query-tests/Security/CWE-091-XsltInjection/XsltInjection.expected b/python/ql/test/experimental/query-tests/Security/CWE-091-XsltInjection/XsltInjection.expected index 64b10ac564d..5b997f1d088 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-091-XsltInjection/XsltInjection.expected +++ b/python/ql/test/experimental/query-tests/Security/CWE-091-XsltInjection/XsltInjection.expected 
@@ -1,120 +1,120 @@ edges -| xslt.py:3:26:3:32 | ControlFlowNode for ImportMember | xslt.py:3:26:3:32 | ControlFlowNode for request | provenance | | -| xslt.py:3:26:3:32 | ControlFlowNode for request | xslt.py:10:17:10:23 | ControlFlowNode for request | provenance | | -| xslt.py:10:5:10:13 | ControlFlowNode for xsltQuery | xslt.py:11:27:11:35 | ControlFlowNode for xsltQuery | provenance | | -| xslt.py:10:17:10:23 | ControlFlowNode for request | xslt.py:10:17:10:28 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | -| xslt.py:10:17:10:28 | ControlFlowNode for Attribute | xslt.py:10:17:10:43 | ControlFlowNode for Attribute() | provenance | dict.get | -| xslt.py:10:17:10:43 | ControlFlowNode for Attribute() | xslt.py:10:5:10:13 | ControlFlowNode for xsltQuery | provenance | | -| xslt.py:11:5:11:13 | ControlFlowNode for xslt_root | xslt.py:14:29:14:37 | ControlFlowNode for xslt_root | provenance | | -| xslt.py:11:17:11:36 | ControlFlowNode for Attribute() | xslt.py:11:5:11:13 | ControlFlowNode for xslt_root | provenance | | -| xslt.py:11:27:11:35 | ControlFlowNode for xsltQuery | xslt.py:11:17:11:36 | ControlFlowNode for Attribute() | provenance | Config | -| xslt.py:11:27:11:35 | ControlFlowNode for xsltQuery | xslt.py:11:17:11:36 | ControlFlowNode for Attribute() | provenance | Decoding-XML | -| xsltInjection.py:3:26:3:32 | ControlFlowNode for ImportMember | xsltInjection.py:3:26:3:32 | ControlFlowNode for request | provenance | | -| xsltInjection.py:3:26:3:32 | ControlFlowNode for request | xsltInjection.py:10:17:10:23 | ControlFlowNode for request | provenance | | -| xsltInjection.py:3:26:3:32 | ControlFlowNode for request | xsltInjection.py:17:17:17:23 | ControlFlowNode for request | provenance | | -| xsltInjection.py:3:26:3:32 | ControlFlowNode for request | xsltInjection.py:26:17:26:23 | ControlFlowNode for request | provenance | | -| xsltInjection.py:3:26:3:32 | ControlFlowNode for request | xsltInjection.py:35:17:35:23 | ControlFlowNode for 
request | provenance | | -| xsltInjection.py:3:26:3:32 | ControlFlowNode for request | xsltInjection.py:44:17:44:23 | ControlFlowNode for request | provenance | | -| xsltInjection.py:10:5:10:13 | ControlFlowNode for xsltQuery | xsltInjection.py:11:27:11:35 | ControlFlowNode for xsltQuery | provenance | | -| xsltInjection.py:10:17:10:23 | ControlFlowNode for request | xsltInjection.py:10:17:10:28 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | -| xsltInjection.py:10:17:10:28 | ControlFlowNode for Attribute | xsltInjection.py:10:17:10:43 | ControlFlowNode for Attribute() | provenance | dict.get | -| xsltInjection.py:10:17:10:43 | ControlFlowNode for Attribute() | xsltInjection.py:10:5:10:13 | ControlFlowNode for xsltQuery | provenance | | -| xsltInjection.py:11:5:11:13 | ControlFlowNode for xslt_root | xsltInjection.py:12:28:12:36 | ControlFlowNode for xslt_root | provenance | | -| xsltInjection.py:11:17:11:36 | ControlFlowNode for Attribute() | xsltInjection.py:11:5:11:13 | ControlFlowNode for xslt_root | provenance | | -| xsltInjection.py:11:27:11:35 | ControlFlowNode for xsltQuery | xsltInjection.py:11:17:11:36 | ControlFlowNode for Attribute() | provenance | Config | -| xsltInjection.py:11:27:11:35 | ControlFlowNode for xsltQuery | xsltInjection.py:11:17:11:36 | ControlFlowNode for Attribute() | provenance | Decoding-XML | -| xsltInjection.py:17:5:17:13 | ControlFlowNode for xsltQuery | xsltInjection.py:18:27:18:35 | ControlFlowNode for xsltQuery | provenance | | -| xsltInjection.py:17:17:17:23 | ControlFlowNode for request | xsltInjection.py:17:17:17:28 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | -| xsltInjection.py:17:17:17:28 | ControlFlowNode for Attribute | xsltInjection.py:17:17:17:43 | ControlFlowNode for Attribute() | provenance | dict.get | -| xsltInjection.py:17:17:17:43 | ControlFlowNode for Attribute() | xsltInjection.py:17:5:17:13 | ControlFlowNode for xsltQuery | provenance | | -| 
xsltInjection.py:18:5:18:13 | ControlFlowNode for xslt_root | xsltInjection.py:21:29:21:37 | ControlFlowNode for xslt_root | provenance | | -| xsltInjection.py:18:17:18:36 | ControlFlowNode for Attribute() | xsltInjection.py:18:5:18:13 | ControlFlowNode for xslt_root | provenance | | -| xsltInjection.py:18:27:18:35 | ControlFlowNode for xsltQuery | xsltInjection.py:18:17:18:36 | ControlFlowNode for Attribute() | provenance | Config | -| xsltInjection.py:18:27:18:35 | ControlFlowNode for xsltQuery | xsltInjection.py:18:17:18:36 | ControlFlowNode for Attribute() | provenance | Decoding-XML | -| xsltInjection.py:26:5:26:13 | ControlFlowNode for xsltQuery | xsltInjection.py:27:27:27:35 | ControlFlowNode for xsltQuery | provenance | | -| xsltInjection.py:26:17:26:23 | ControlFlowNode for request | xsltInjection.py:26:17:26:28 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | -| xsltInjection.py:26:17:26:28 | ControlFlowNode for Attribute | xsltInjection.py:26:17:26:43 | ControlFlowNode for Attribute() | provenance | dict.get | -| xsltInjection.py:26:17:26:43 | ControlFlowNode for Attribute() | xsltInjection.py:26:5:26:13 | ControlFlowNode for xsltQuery | provenance | | -| xsltInjection.py:27:5:27:13 | ControlFlowNode for xslt_root | xsltInjection.py:31:24:31:32 | ControlFlowNode for xslt_root | provenance | | -| xsltInjection.py:27:17:27:36 | ControlFlowNode for Attribute() | xsltInjection.py:27:5:27:13 | ControlFlowNode for xslt_root | provenance | | -| xsltInjection.py:27:27:27:35 | ControlFlowNode for xsltQuery | xsltInjection.py:27:17:27:36 | ControlFlowNode for Attribute() | provenance | Config | -| xsltInjection.py:27:27:27:35 | ControlFlowNode for xsltQuery | xsltInjection.py:27:17:27:36 | ControlFlowNode for Attribute() | provenance | Decoding-XML | -| xsltInjection.py:35:5:35:13 | ControlFlowNode for xsltQuery | xsltInjection.py:36:34:36:42 | ControlFlowNode for xsltQuery | provenance | | -| xsltInjection.py:35:17:35:23 | ControlFlowNode for 
request | xsltInjection.py:35:17:35:28 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | -| xsltInjection.py:35:17:35:28 | ControlFlowNode for Attribute | xsltInjection.py:35:17:35:43 | ControlFlowNode for Attribute() | provenance | dict.get | -| xsltInjection.py:35:17:35:43 | ControlFlowNode for Attribute() | xsltInjection.py:35:5:35:13 | ControlFlowNode for xsltQuery | provenance | | -| xsltInjection.py:36:5:36:13 | ControlFlowNode for xslt_root | xsltInjection.py:40:24:40:32 | ControlFlowNode for xslt_root | provenance | | -| xsltInjection.py:36:17:36:43 | ControlFlowNode for Attribute() | xsltInjection.py:36:5:36:13 | ControlFlowNode for xslt_root | provenance | | -| xsltInjection.py:36:34:36:42 | ControlFlowNode for xsltQuery | xsltInjection.py:36:17:36:43 | ControlFlowNode for Attribute() | provenance | Config | -| xsltInjection.py:36:34:36:42 | ControlFlowNode for xsltQuery | xsltInjection.py:36:17:36:43 | ControlFlowNode for Attribute() | provenance | Decoding-XML | -| xsltInjection.py:44:5:44:13 | ControlFlowNode for xsltQuery | xsltInjection.py:45:5:45:15 | ControlFlowNode for xsltStrings | provenance | | -| xsltInjection.py:44:17:44:23 | ControlFlowNode for request | xsltInjection.py:44:17:44:28 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | -| xsltInjection.py:44:17:44:28 | ControlFlowNode for Attribute | xsltInjection.py:44:17:44:43 | ControlFlowNode for Attribute() | provenance | dict.get | -| xsltInjection.py:44:17:44:43 | ControlFlowNode for Attribute() | xsltInjection.py:44:5:44:13 | ControlFlowNode for xsltQuery | provenance | | -| xsltInjection.py:45:5:45:15 | ControlFlowNode for xsltStrings | xsltInjection.py:46:38:46:48 | ControlFlowNode for xsltStrings | provenance | | -| xsltInjection.py:46:5:46:13 | ControlFlowNode for xslt_root | xsltInjection.py:50:24:50:32 | ControlFlowNode for xslt_root | provenance | | -| xsltInjection.py:46:17:46:49 | ControlFlowNode for Attribute() | xsltInjection.py:46:5:46:13 
| ControlFlowNode for xslt_root | provenance | | -| xsltInjection.py:46:38:46:48 | ControlFlowNode for xsltStrings | xsltInjection.py:46:17:46:49 | ControlFlowNode for Attribute() | provenance | Config | -| xsltInjection.py:46:38:46:48 | ControlFlowNode for xsltStrings | xsltInjection.py:46:17:46:49 | ControlFlowNode for Attribute() | provenance | Decoding-XML | +| xslt.py:3:26:3:32 | After ImportMember | xslt.py:3:26:3:32 | request | provenance | | +| xslt.py:3:26:3:32 | request | xslt.py:10:17:10:23 | request | provenance | | +| xslt.py:10:5:10:13 | xsltQuery | xslt.py:11:27:11:35 | xsltQuery | provenance | | +| xslt.py:10:17:10:23 | request | xslt.py:10:17:10:28 | After Attribute | provenance | AdditionalTaintStep | +| xslt.py:10:17:10:28 | After Attribute | xslt.py:10:17:10:43 | After Attribute() | provenance | dict.get | +| xslt.py:10:17:10:43 | After Attribute() | xslt.py:10:5:10:13 | xsltQuery | provenance | | +| xslt.py:11:5:11:13 | xslt_root | xslt.py:14:29:14:37 | xslt_root | provenance | | +| xslt.py:11:17:11:36 | After Attribute() | xslt.py:11:5:11:13 | xslt_root | provenance | | +| xslt.py:11:27:11:35 | xsltQuery | xslt.py:11:17:11:36 | After Attribute() | provenance | Config | +| xslt.py:11:27:11:35 | xsltQuery | xslt.py:11:17:11:36 | After Attribute() | provenance | Decoding-XML | +| xsltInjection.py:3:26:3:32 | After ImportMember | xsltInjection.py:3:26:3:32 | request | provenance | | +| xsltInjection.py:3:26:3:32 | request | xsltInjection.py:10:17:10:23 | request | provenance | | +| xsltInjection.py:3:26:3:32 | request | xsltInjection.py:17:17:17:23 | request | provenance | | +| xsltInjection.py:3:26:3:32 | request | xsltInjection.py:26:17:26:23 | request | provenance | | +| xsltInjection.py:3:26:3:32 | request | xsltInjection.py:35:17:35:23 | request | provenance | | +| xsltInjection.py:3:26:3:32 | request | xsltInjection.py:44:17:44:23 | request | provenance | | +| xsltInjection.py:10:5:10:13 | xsltQuery | xsltInjection.py:11:27:11:35 | xsltQuery 
| provenance | | +| xsltInjection.py:10:17:10:23 | request | xsltInjection.py:10:17:10:28 | After Attribute | provenance | AdditionalTaintStep | +| xsltInjection.py:10:17:10:28 | After Attribute | xsltInjection.py:10:17:10:43 | After Attribute() | provenance | dict.get | +| xsltInjection.py:10:17:10:43 | After Attribute() | xsltInjection.py:10:5:10:13 | xsltQuery | provenance | | +| xsltInjection.py:11:5:11:13 | xslt_root | xsltInjection.py:12:28:12:36 | xslt_root | provenance | | +| xsltInjection.py:11:17:11:36 | After Attribute() | xsltInjection.py:11:5:11:13 | xslt_root | provenance | | +| xsltInjection.py:11:27:11:35 | xsltQuery | xsltInjection.py:11:17:11:36 | After Attribute() | provenance | Config | +| xsltInjection.py:11:27:11:35 | xsltQuery | xsltInjection.py:11:17:11:36 | After Attribute() | provenance | Decoding-XML | +| xsltInjection.py:17:5:17:13 | xsltQuery | xsltInjection.py:18:27:18:35 | xsltQuery | provenance | | +| xsltInjection.py:17:17:17:23 | request | xsltInjection.py:17:17:17:28 | After Attribute | provenance | AdditionalTaintStep | +| xsltInjection.py:17:17:17:28 | After Attribute | xsltInjection.py:17:17:17:43 | After Attribute() | provenance | dict.get | +| xsltInjection.py:17:17:17:43 | After Attribute() | xsltInjection.py:17:5:17:13 | xsltQuery | provenance | | +| xsltInjection.py:18:5:18:13 | xslt_root | xsltInjection.py:21:29:21:37 | xslt_root | provenance | | +| xsltInjection.py:18:17:18:36 | After Attribute() | xsltInjection.py:18:5:18:13 | xslt_root | provenance | | +| xsltInjection.py:18:27:18:35 | xsltQuery | xsltInjection.py:18:17:18:36 | After Attribute() | provenance | Config | +| xsltInjection.py:18:27:18:35 | xsltQuery | xsltInjection.py:18:17:18:36 | After Attribute() | provenance | Decoding-XML | +| xsltInjection.py:26:5:26:13 | xsltQuery | xsltInjection.py:27:27:27:35 | xsltQuery | provenance | | +| xsltInjection.py:26:17:26:23 | request | xsltInjection.py:26:17:26:28 | After Attribute | provenance | AdditionalTaintStep | 
+| xsltInjection.py:26:17:26:28 | After Attribute | xsltInjection.py:26:17:26:43 | After Attribute() | provenance | dict.get | +| xsltInjection.py:26:17:26:43 | After Attribute() | xsltInjection.py:26:5:26:13 | xsltQuery | provenance | | +| xsltInjection.py:27:5:27:13 | xslt_root | xsltInjection.py:31:24:31:32 | xslt_root | provenance | | +| xsltInjection.py:27:17:27:36 | After Attribute() | xsltInjection.py:27:5:27:13 | xslt_root | provenance | | +| xsltInjection.py:27:27:27:35 | xsltQuery | xsltInjection.py:27:17:27:36 | After Attribute() | provenance | Config | +| xsltInjection.py:27:27:27:35 | xsltQuery | xsltInjection.py:27:17:27:36 | After Attribute() | provenance | Decoding-XML | +| xsltInjection.py:35:5:35:13 | xsltQuery | xsltInjection.py:36:34:36:42 | xsltQuery | provenance | | +| xsltInjection.py:35:17:35:23 | request | xsltInjection.py:35:17:35:28 | After Attribute | provenance | AdditionalTaintStep | +| xsltInjection.py:35:17:35:28 | After Attribute | xsltInjection.py:35:17:35:43 | After Attribute() | provenance | dict.get | +| xsltInjection.py:35:17:35:43 | After Attribute() | xsltInjection.py:35:5:35:13 | xsltQuery | provenance | | +| xsltInjection.py:36:5:36:13 | xslt_root | xsltInjection.py:40:24:40:32 | xslt_root | provenance | | +| xsltInjection.py:36:17:36:43 | After Attribute() | xsltInjection.py:36:5:36:13 | xslt_root | provenance | | +| xsltInjection.py:36:34:36:42 | xsltQuery | xsltInjection.py:36:17:36:43 | After Attribute() | provenance | Config | +| xsltInjection.py:36:34:36:42 | xsltQuery | xsltInjection.py:36:17:36:43 | After Attribute() | provenance | Decoding-XML | +| xsltInjection.py:44:5:44:13 | xsltQuery | xsltInjection.py:45:5:45:15 | xsltStrings | provenance | | +| xsltInjection.py:44:17:44:23 | request | xsltInjection.py:44:17:44:28 | After Attribute | provenance | AdditionalTaintStep | +| xsltInjection.py:44:17:44:28 | After Attribute | xsltInjection.py:44:17:44:43 | After Attribute() | provenance | dict.get | +| 
xsltInjection.py:44:17:44:43 | After Attribute() | xsltInjection.py:44:5:44:13 | xsltQuery | provenance | | +| xsltInjection.py:45:5:45:15 | xsltStrings | xsltInjection.py:46:38:46:48 | xsltStrings | provenance | | +| xsltInjection.py:46:5:46:13 | xslt_root | xsltInjection.py:50:24:50:32 | xslt_root | provenance | | +| xsltInjection.py:46:17:46:49 | After Attribute() | xsltInjection.py:46:5:46:13 | xslt_root | provenance | | +| xsltInjection.py:46:38:46:48 | xsltStrings | xsltInjection.py:46:17:46:49 | After Attribute() | provenance | Config | +| xsltInjection.py:46:38:46:48 | xsltStrings | xsltInjection.py:46:17:46:49 | After Attribute() | provenance | Decoding-XML | nodes -| xslt.py:3:26:3:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember | -| xslt.py:3:26:3:32 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| xslt.py:10:5:10:13 | ControlFlowNode for xsltQuery | semmle.label | ControlFlowNode for xsltQuery | -| xslt.py:10:17:10:23 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| xslt.py:10:17:10:28 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | -| xslt.py:10:17:10:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| xslt.py:11:5:11:13 | ControlFlowNode for xslt_root | semmle.label | ControlFlowNode for xslt_root | -| xslt.py:11:17:11:36 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| xslt.py:11:27:11:35 | ControlFlowNode for xsltQuery | semmle.label | ControlFlowNode for xsltQuery | -| xslt.py:14:29:14:37 | ControlFlowNode for xslt_root | semmle.label | ControlFlowNode for xslt_root | -| xsltInjection.py:3:26:3:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember | -| xsltInjection.py:3:26:3:32 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| xsltInjection.py:10:5:10:13 | ControlFlowNode for 
xsltQuery | semmle.label | ControlFlowNode for xsltQuery | -| xsltInjection.py:10:17:10:23 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| xsltInjection.py:10:17:10:28 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | -| xsltInjection.py:10:17:10:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| xsltInjection.py:11:5:11:13 | ControlFlowNode for xslt_root | semmle.label | ControlFlowNode for xslt_root | -| xsltInjection.py:11:17:11:36 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| xsltInjection.py:11:27:11:35 | ControlFlowNode for xsltQuery | semmle.label | ControlFlowNode for xsltQuery | -| xsltInjection.py:12:28:12:36 | ControlFlowNode for xslt_root | semmle.label | ControlFlowNode for xslt_root | -| xsltInjection.py:17:5:17:13 | ControlFlowNode for xsltQuery | semmle.label | ControlFlowNode for xsltQuery | -| xsltInjection.py:17:17:17:23 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| xsltInjection.py:17:17:17:28 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | -| xsltInjection.py:17:17:17:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| xsltInjection.py:18:5:18:13 | ControlFlowNode for xslt_root | semmle.label | ControlFlowNode for xslt_root | -| xsltInjection.py:18:17:18:36 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| xsltInjection.py:18:27:18:35 | ControlFlowNode for xsltQuery | semmle.label | ControlFlowNode for xsltQuery | -| xsltInjection.py:21:29:21:37 | ControlFlowNode for xslt_root | semmle.label | ControlFlowNode for xslt_root | -| xsltInjection.py:26:5:26:13 | ControlFlowNode for xsltQuery | semmle.label | ControlFlowNode for xsltQuery | -| xsltInjection.py:26:17:26:23 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| 
xsltInjection.py:26:17:26:28 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | -| xsltInjection.py:26:17:26:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| xsltInjection.py:27:5:27:13 | ControlFlowNode for xslt_root | semmle.label | ControlFlowNode for xslt_root | -| xsltInjection.py:27:17:27:36 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| xsltInjection.py:27:27:27:35 | ControlFlowNode for xsltQuery | semmle.label | ControlFlowNode for xsltQuery | -| xsltInjection.py:31:24:31:32 | ControlFlowNode for xslt_root | semmle.label | ControlFlowNode for xslt_root | -| xsltInjection.py:35:5:35:13 | ControlFlowNode for xsltQuery | semmle.label | ControlFlowNode for xsltQuery | -| xsltInjection.py:35:17:35:23 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| xsltInjection.py:35:17:35:28 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | -| xsltInjection.py:35:17:35:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| xsltInjection.py:36:5:36:13 | ControlFlowNode for xslt_root | semmle.label | ControlFlowNode for xslt_root | -| xsltInjection.py:36:17:36:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| xsltInjection.py:36:34:36:42 | ControlFlowNode for xsltQuery | semmle.label | ControlFlowNode for xsltQuery | -| xsltInjection.py:40:24:40:32 | ControlFlowNode for xslt_root | semmle.label | ControlFlowNode for xslt_root | -| xsltInjection.py:44:5:44:13 | ControlFlowNode for xsltQuery | semmle.label | ControlFlowNode for xsltQuery | -| xsltInjection.py:44:17:44:23 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| xsltInjection.py:44:17:44:28 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | -| xsltInjection.py:44:17:44:43 | ControlFlowNode for Attribute() | 
semmle.label | ControlFlowNode for Attribute() | -| xsltInjection.py:45:5:45:15 | ControlFlowNode for xsltStrings | semmle.label | ControlFlowNode for xsltStrings | -| xsltInjection.py:46:5:46:13 | ControlFlowNode for xslt_root | semmle.label | ControlFlowNode for xslt_root | -| xsltInjection.py:46:17:46:49 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| xsltInjection.py:46:38:46:48 | ControlFlowNode for xsltStrings | semmle.label | ControlFlowNode for xsltStrings | -| xsltInjection.py:50:24:50:32 | ControlFlowNode for xslt_root | semmle.label | ControlFlowNode for xslt_root | +| xslt.py:3:26:3:32 | After ImportMember | semmle.label | After ImportMember | +| xslt.py:3:26:3:32 | request | semmle.label | request | +| xslt.py:10:5:10:13 | xsltQuery | semmle.label | xsltQuery | +| xslt.py:10:17:10:23 | request | semmle.label | request | +| xslt.py:10:17:10:28 | After Attribute | semmle.label | After Attribute | +| xslt.py:10:17:10:43 | After Attribute() | semmle.label | After Attribute() | +| xslt.py:11:5:11:13 | xslt_root | semmle.label | xslt_root | +| xslt.py:11:17:11:36 | After Attribute() | semmle.label | After Attribute() | +| xslt.py:11:27:11:35 | xsltQuery | semmle.label | xsltQuery | +| xslt.py:14:29:14:37 | xslt_root | semmle.label | xslt_root | +| xsltInjection.py:3:26:3:32 | After ImportMember | semmle.label | After ImportMember | +| xsltInjection.py:3:26:3:32 | request | semmle.label | request | +| xsltInjection.py:10:5:10:13 | xsltQuery | semmle.label | xsltQuery | +| xsltInjection.py:10:17:10:23 | request | semmle.label | request | +| xsltInjection.py:10:17:10:28 | After Attribute | semmle.label | After Attribute | +| xsltInjection.py:10:17:10:43 | After Attribute() | semmle.label | After Attribute() | +| xsltInjection.py:11:5:11:13 | xslt_root | semmle.label | xslt_root | +| xsltInjection.py:11:17:11:36 | After Attribute() | semmle.label | After Attribute() | +| xsltInjection.py:11:27:11:35 | xsltQuery | 
semmle.label | xsltQuery | +| xsltInjection.py:12:28:12:36 | xslt_root | semmle.label | xslt_root | +| xsltInjection.py:17:5:17:13 | xsltQuery | semmle.label | xsltQuery | +| xsltInjection.py:17:17:17:23 | request | semmle.label | request | +| xsltInjection.py:17:17:17:28 | After Attribute | semmle.label | After Attribute | +| xsltInjection.py:17:17:17:43 | After Attribute() | semmle.label | After Attribute() | +| xsltInjection.py:18:5:18:13 | xslt_root | semmle.label | xslt_root | +| xsltInjection.py:18:17:18:36 | After Attribute() | semmle.label | After Attribute() | +| xsltInjection.py:18:27:18:35 | xsltQuery | semmle.label | xsltQuery | +| xsltInjection.py:21:29:21:37 | xslt_root | semmle.label | xslt_root | +| xsltInjection.py:26:5:26:13 | xsltQuery | semmle.label | xsltQuery | +| xsltInjection.py:26:17:26:23 | request | semmle.label | request | +| xsltInjection.py:26:17:26:28 | After Attribute | semmle.label | After Attribute | +| xsltInjection.py:26:17:26:43 | After Attribute() | semmle.label | After Attribute() | +| xsltInjection.py:27:5:27:13 | xslt_root | semmle.label | xslt_root | +| xsltInjection.py:27:17:27:36 | After Attribute() | semmle.label | After Attribute() | +| xsltInjection.py:27:27:27:35 | xsltQuery | semmle.label | xsltQuery | +| xsltInjection.py:31:24:31:32 | xslt_root | semmle.label | xslt_root | +| xsltInjection.py:35:5:35:13 | xsltQuery | semmle.label | xsltQuery | +| xsltInjection.py:35:17:35:23 | request | semmle.label | request | +| xsltInjection.py:35:17:35:28 | After Attribute | semmle.label | After Attribute | +| xsltInjection.py:35:17:35:43 | After Attribute() | semmle.label | After Attribute() | +| xsltInjection.py:36:5:36:13 | xslt_root | semmle.label | xslt_root | +| xsltInjection.py:36:17:36:43 | After Attribute() | semmle.label | After Attribute() | +| xsltInjection.py:36:34:36:42 | xsltQuery | semmle.label | xsltQuery | +| xsltInjection.py:40:24:40:32 | xslt_root | semmle.label | xslt_root | +| xsltInjection.py:44:5:44:13 | 
xsltQuery | semmle.label | xsltQuery | +| xsltInjection.py:44:17:44:23 | request | semmle.label | request | +| xsltInjection.py:44:17:44:28 | After Attribute | semmle.label | After Attribute | +| xsltInjection.py:44:17:44:43 | After Attribute() | semmle.label | After Attribute() | +| xsltInjection.py:45:5:45:15 | xsltStrings | semmle.label | xsltStrings | +| xsltInjection.py:46:5:46:13 | xslt_root | semmle.label | xslt_root | +| xsltInjection.py:46:17:46:49 | After Attribute() | semmle.label | After Attribute() | +| xsltInjection.py:46:38:46:48 | xsltStrings | semmle.label | xsltStrings | +| xsltInjection.py:50:24:50:32 | xslt_root | semmle.label | xslt_root | subpaths #select -| xslt.py:14:29:14:37 | ControlFlowNode for xslt_root | xslt.py:3:26:3:32 | ControlFlowNode for ImportMember | xslt.py:14:29:14:37 | ControlFlowNode for xslt_root | This XSLT query depends on $@. | xslt.py:3:26:3:32 | ControlFlowNode for ImportMember | user-provided value | -| xsltInjection.py:12:28:12:36 | ControlFlowNode for xslt_root | xsltInjection.py:3:26:3:32 | ControlFlowNode for ImportMember | xsltInjection.py:12:28:12:36 | ControlFlowNode for xslt_root | This XSLT query depends on $@. | xsltInjection.py:3:26:3:32 | ControlFlowNode for ImportMember | user-provided value | -| xsltInjection.py:21:29:21:37 | ControlFlowNode for xslt_root | xsltInjection.py:3:26:3:32 | ControlFlowNode for ImportMember | xsltInjection.py:21:29:21:37 | ControlFlowNode for xslt_root | This XSLT query depends on $@. | xsltInjection.py:3:26:3:32 | ControlFlowNode for ImportMember | user-provided value | -| xsltInjection.py:31:24:31:32 | ControlFlowNode for xslt_root | xsltInjection.py:3:26:3:32 | ControlFlowNode for ImportMember | xsltInjection.py:31:24:31:32 | ControlFlowNode for xslt_root | This XSLT query depends on $@. 
| xsltInjection.py:3:26:3:32 | ControlFlowNode for ImportMember | user-provided value | -| xsltInjection.py:40:24:40:32 | ControlFlowNode for xslt_root | xsltInjection.py:3:26:3:32 | ControlFlowNode for ImportMember | xsltInjection.py:40:24:40:32 | ControlFlowNode for xslt_root | This XSLT query depends on $@. | xsltInjection.py:3:26:3:32 | ControlFlowNode for ImportMember | user-provided value | -| xsltInjection.py:50:24:50:32 | ControlFlowNode for xslt_root | xsltInjection.py:3:26:3:32 | ControlFlowNode for ImportMember | xsltInjection.py:50:24:50:32 | ControlFlowNode for xslt_root | This XSLT query depends on $@. | xsltInjection.py:3:26:3:32 | ControlFlowNode for ImportMember | user-provided value | +| xslt.py:14:29:14:37 | xslt_root | xslt.py:3:26:3:32 | After ImportMember | xslt.py:14:29:14:37 | xslt_root | This XSLT query depends on $@. | xslt.py:3:26:3:32 | After ImportMember | user-provided value | +| xsltInjection.py:12:28:12:36 | xslt_root | xsltInjection.py:3:26:3:32 | After ImportMember | xsltInjection.py:12:28:12:36 | xslt_root | This XSLT query depends on $@. | xsltInjection.py:3:26:3:32 | After ImportMember | user-provided value | +| xsltInjection.py:21:29:21:37 | xslt_root | xsltInjection.py:3:26:3:32 | After ImportMember | xsltInjection.py:21:29:21:37 | xslt_root | This XSLT query depends on $@. | xsltInjection.py:3:26:3:32 | After ImportMember | user-provided value | +| xsltInjection.py:31:24:31:32 | xslt_root | xsltInjection.py:3:26:3:32 | After ImportMember | xsltInjection.py:31:24:31:32 | xslt_root | This XSLT query depends on $@. | xsltInjection.py:3:26:3:32 | After ImportMember | user-provided value | +| xsltInjection.py:40:24:40:32 | xslt_root | xsltInjection.py:3:26:3:32 | After ImportMember | xsltInjection.py:40:24:40:32 | xslt_root | This XSLT query depends on $@. 
| xsltInjection.py:3:26:3:32 | After ImportMember | user-provided value | +| xsltInjection.py:50:24:50:32 | xslt_root | xsltInjection.py:3:26:3:32 | After ImportMember | xsltInjection.py:50:24:50:32 | xslt_root | This XSLT query depends on $@. | xsltInjection.py:3:26:3:32 | After ImportMember | user-provided value | diff --git a/python/ql/test/experimental/query-tests/Security/CWE-094/Js2Py.expected b/python/ql/test/experimental/query-tests/Security/CWE-094/Js2Py.expected index 7798cdda143..70e3a597134 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-094/Js2Py.expected +++ b/python/ql/test/experimental/query-tests/Security/CWE-094/Js2Py.expected 
@@ -1,10 +1,10 @@ edges -| Js2PyTest.py:9:5:9:6 | ControlFlowNode for jk | Js2PyTest.py:10:18:10:28 | ControlFlowNode for Fstring | provenance | | -| Js2PyTest.py:9:10:9:22 | ControlFlowNode for Attribute | Js2PyTest.py:9:5:9:6 | ControlFlowNode for jk | provenance | AdditionalTaintStep | +| Js2PyTest.py:9:5:9:6 | jk | Js2PyTest.py:10:18:10:28 | After Fstring | provenance | | +| Js2PyTest.py:9:10:9:22 | After Attribute | Js2PyTest.py:9:5:9:6 | jk | provenance | AdditionalTaintStep | nodes -| Js2PyTest.py:9:5:9:6 | ControlFlowNode for jk | semmle.label | ControlFlowNode for jk | -| Js2PyTest.py:9:10:9:22 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | -| Js2PyTest.py:10:18:10:28 | ControlFlowNode for Fstring | semmle.label | ControlFlowNode for Fstring | +| Js2PyTest.py:9:5:9:6 | jk | semmle.label | jk | +| Js2PyTest.py:9:10:9:22 | After Attribute | semmle.label | After Attribute | +| Js2PyTest.py:10:18:10:28 | After Fstring | semmle.label | After Fstring | subpaths #select -| Js2PyTest.py:10:18:10:28 | ControlFlowNode for Fstring | Js2PyTest.py:9:10:9:22 | ControlFlowNode for Attribute | Js2PyTest.py:10:18:10:28 | ControlFlowNode for Fstring | This input to Js2Py depends on a $@. | Js2PyTest.py:9:10:9:22 | ControlFlowNode for Attribute | user-provided value | +| Js2PyTest.py:10:18:10:28 | After Fstring | Js2PyTest.py:9:10:9:22 | After Attribute | Js2PyTest.py:10:18:10:28 | After Fstring | This input to Js2Py depends on a $@. | Js2PyTest.py:9:10:9:22 | After Attribute | user-provided value | diff --git a/python/ql/test/experimental/query-tests/Security/CWE-1236/CsvInjection.expected b/python/ql/test/experimental/query-tests/Security/CWE-1236/CsvInjection.expected index 5152f7353f2..313bad416f3 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-1236/CsvInjection.expected +++ b/python/ql/test/experimental/query-tests/Security/CWE-1236/CsvInjection.expected 
@@ -1,32 +1,32 @@ edges -| csv_bad.py:9:19:9:25 | ControlFlowNode for ImportMember | csv_bad.py:9:19:9:25 | ControlFlowNode for request | provenance | | -| csv_bad.py:9:19:9:25 | ControlFlowNode for request | csv_bad.py:16:16:16:22 | ControlFlowNode for request | provenance | | -| csv_bad.py:9:19:9:25 | ControlFlowNode for request | csv_bad.py:24:16:24:22 | ControlFlowNode for request | provenance | | -| csv_bad.py:16:5:16:12 | ControlFlowNode for csv_data | csv_bad.py:18:24:18:31 | ControlFlowNode for csv_data | provenance | | -| csv_bad.py:16:5:16:12 | ControlFlowNode for csv_data | csv_bad.py:19:25:19:32 | ControlFlowNode for csv_data | provenance | | -| csv_bad.py:16:16:16:22 | ControlFlowNode for request | csv_bad.py:16:16:16:27 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | -| csv_bad.py:16:16:16:27 | ControlFlowNode for Attribute | csv_bad.py:16:16:16:38 | ControlFlowNode for Attribute() | provenance | dict.get | -| csv_bad.py:16:16:16:38 | ControlFlowNode for Attribute() | csv_bad.py:16:5:16:12 | ControlFlowNode for csv_data | provenance | | -| csv_bad.py:24:5:24:12 | ControlFlowNode for csv_data | csv_bad.py:25:46:25:53 | ControlFlowNode for csv_data | provenance | | -| csv_bad.py:24:16:24:22 | ControlFlowNode for request | csv_bad.py:24:16:24:27 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | -| csv_bad.py:24:16:24:27 | ControlFlowNode for Attribute | csv_bad.py:24:16:24:38 | ControlFlowNode for Attribute() | provenance | dict.get | -| csv_bad.py:24:16:24:38 | ControlFlowNode for Attribute() | csv_bad.py:24:5:24:12 | ControlFlowNode for csv_data | provenance | | +| csv_bad.py:9:19:9:25 | After ImportMember | csv_bad.py:9:19:9:25 | request | provenance | | +| csv_bad.py:9:19:9:25 | request | csv_bad.py:16:16:16:22 | request | provenance | | +| csv_bad.py:9:19:9:25 | request | csv_bad.py:24:16:24:22 | request | provenance | | +| csv_bad.py:16:5:16:12 | csv_data | csv_bad.py:18:24:18:31 | csv_data | provenance | | 
+| csv_bad.py:16:5:16:12 | csv_data | csv_bad.py:19:25:19:32 | csv_data | provenance | | +| csv_bad.py:16:16:16:22 | request | csv_bad.py:16:16:16:27 | After Attribute | provenance | AdditionalTaintStep | +| csv_bad.py:16:16:16:27 | After Attribute | csv_bad.py:16:16:16:38 | After Attribute() | provenance | dict.get | +| csv_bad.py:16:16:16:38 | After Attribute() | csv_bad.py:16:5:16:12 | csv_data | provenance | | +| csv_bad.py:24:5:24:12 | csv_data | csv_bad.py:25:46:25:53 | csv_data | provenance | | +| csv_bad.py:24:16:24:22 | request | csv_bad.py:24:16:24:27 | After Attribute | provenance | AdditionalTaintStep | +| csv_bad.py:24:16:24:27 | After Attribute | csv_bad.py:24:16:24:38 | After Attribute() | provenance | dict.get | +| csv_bad.py:24:16:24:38 | After Attribute() | csv_bad.py:24:5:24:12 | csv_data | provenance | | nodes -| csv_bad.py:9:19:9:25 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember | -| csv_bad.py:9:19:9:25 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| csv_bad.py:16:5:16:12 | ControlFlowNode for csv_data | semmle.label | ControlFlowNode for csv_data | -| csv_bad.py:16:16:16:22 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| csv_bad.py:16:16:16:27 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | -| csv_bad.py:16:16:16:38 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| csv_bad.py:18:24:18:31 | ControlFlowNode for csv_data | semmle.label | ControlFlowNode for csv_data | -| csv_bad.py:19:25:19:32 | ControlFlowNode for csv_data | semmle.label | ControlFlowNode for csv_data | -| csv_bad.py:24:5:24:12 | ControlFlowNode for csv_data | semmle.label | ControlFlowNode for csv_data | -| csv_bad.py:24:16:24:22 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| csv_bad.py:24:16:24:27 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for 
Attribute | -| csv_bad.py:24:16:24:38 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| csv_bad.py:25:46:25:53 | ControlFlowNode for csv_data | semmle.label | ControlFlowNode for csv_data | +| csv_bad.py:9:19:9:25 | After ImportMember | semmle.label | After ImportMember | +| csv_bad.py:9:19:9:25 | request | semmle.label | request | +| csv_bad.py:16:5:16:12 | csv_data | semmle.label | csv_data | +| csv_bad.py:16:16:16:22 | request | semmle.label | request | +| csv_bad.py:16:16:16:27 | After Attribute | semmle.label | After Attribute | +| csv_bad.py:16:16:16:38 | After Attribute() | semmle.label | After Attribute() | +| csv_bad.py:18:24:18:31 | csv_data | semmle.label | csv_data | +| csv_bad.py:19:25:19:32 | csv_data | semmle.label | csv_data | +| csv_bad.py:24:5:24:12 | csv_data | semmle.label | csv_data | +| csv_bad.py:24:16:24:22 | request | semmle.label | request | +| csv_bad.py:24:16:24:27 | After Attribute | semmle.label | After Attribute | +| csv_bad.py:24:16:24:38 | After Attribute() | semmle.label | After Attribute() | +| csv_bad.py:25:46:25:53 | csv_data | semmle.label | csv_data | subpaths #select -| csv_bad.py:18:24:18:31 | ControlFlowNode for csv_data | csv_bad.py:9:19:9:25 | ControlFlowNode for ImportMember | csv_bad.py:18:24:18:31 | ControlFlowNode for csv_data | Csv injection might include code from $@. | csv_bad.py:9:19:9:25 | ControlFlowNode for ImportMember | this user input | -| csv_bad.py:19:25:19:32 | ControlFlowNode for csv_data | csv_bad.py:9:19:9:25 | ControlFlowNode for ImportMember | csv_bad.py:19:25:19:32 | ControlFlowNode for csv_data | Csv injection might include code from $@. | csv_bad.py:9:19:9:25 | ControlFlowNode for ImportMember | this user input | -| csv_bad.py:25:46:25:53 | ControlFlowNode for csv_data | csv_bad.py:9:19:9:25 | ControlFlowNode for ImportMember | csv_bad.py:25:46:25:53 | ControlFlowNode for csv_data | Csv injection might include code from $@. 
| csv_bad.py:9:19:9:25 | ControlFlowNode for ImportMember | this user input | +| csv_bad.py:18:24:18:31 | csv_data | csv_bad.py:9:19:9:25 | After ImportMember | csv_bad.py:18:24:18:31 | csv_data | Csv injection might include code from $@. | csv_bad.py:9:19:9:25 | After ImportMember | this user input | +| csv_bad.py:19:25:19:32 | csv_data | csv_bad.py:9:19:9:25 | After ImportMember | csv_bad.py:19:25:19:32 | csv_data | Csv injection might include code from $@. | csv_bad.py:9:19:9:25 | After ImportMember | this user input | +| csv_bad.py:25:46:25:53 | csv_data | csv_bad.py:9:19:9:25 | After ImportMember | csv_bad.py:25:46:25:53 | csv_data | Csv injection might include code from $@. | csv_bad.py:9:19:9:25 | After ImportMember | this user input | diff --git a/python/ql/test/experimental/query-tests/Security/CWE-1427-PromptInjection/PromptInjection.expected b/python/ql/test/experimental/query-tests/Security/CWE-1427-PromptInjection/PromptInjection.expected index 6acb03ce7f5..cf4fe1ec784 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-1427-PromptInjection/PromptInjection.expected +++ b/python/ql/test/experimental/query-tests/Security/CWE-1427-PromptInjection/PromptInjection.expected 
@@ -1,87 +1,87 @@ #select -| agent_instructions.py:9:50:9:89 | ControlFlowNode for BinaryExpr | agent_instructions.py:2:26:2:32 | ControlFlowNode for ImportMember | agent_instructions.py:9:50:9:89 | ControlFlowNode for BinaryExpr | This prompt construction depends on a $@. | agent_instructions.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | -| agent_instructions.py:25:28:25:32 | ControlFlowNode for input | agent_instructions.py:2:26:2:32 | ControlFlowNode for ImportMember | agent_instructions.py:25:28:25:32 | ControlFlowNode for input | This prompt construction depends on a $@. | agent_instructions.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | -| agent_instructions.py:35:28:35:32 | ControlFlowNode for input | agent_instructions.py:2:26:2:32 | ControlFlowNode for ImportMember | agent_instructions.py:35:28:35:32 | ControlFlowNode for input | This prompt construction depends on a $@. | agent_instructions.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | -| anthropic_test.py:17:16:17:37 | ControlFlowNode for BinaryExpr | anthropic_test.py:2:26:2:32 | ControlFlowNode for ImportMember | anthropic_test.py:17:16:17:37 | ControlFlowNode for BinaryExpr | This prompt construction depends on a $@. | anthropic_test.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | -| anthropic_test.py:21:28:21:32 | ControlFlowNode for query | anthropic_test.py:2:26:2:32 | ControlFlowNode for ImportMember | anthropic_test.py:21:28:21:32 | ControlFlowNode for query | This prompt construction depends on a $@. | anthropic_test.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | -| anthropic_test.py:29:16:29:37 | ControlFlowNode for BinaryExpr | anthropic_test.py:2:26:2:32 | ControlFlowNode for ImportMember | anthropic_test.py:29:16:29:37 | ControlFlowNode for BinaryExpr | This prompt construction depends on a $@. 
| anthropic_test.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | -| anthropic_test.py:33:28:33:32 | ControlFlowNode for query | anthropic_test.py:2:26:2:32 | ControlFlowNode for ImportMember | anthropic_test.py:33:28:33:32 | ControlFlowNode for query | This prompt construction depends on a $@. | anthropic_test.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | -| anthropic_test.py:41:16:41:37 | ControlFlowNode for BinaryExpr | anthropic_test.py:2:26:2:32 | ControlFlowNode for ImportMember | anthropic_test.py:41:16:41:37 | ControlFlowNode for BinaryExpr | This prompt construction depends on a $@. | anthropic_test.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | -| anthropic_test.py:45:28:45:32 | ControlFlowNode for query | anthropic_test.py:2:26:2:32 | ControlFlowNode for ImportMember | anthropic_test.py:45:28:45:32 | ControlFlowNode for query | This prompt construction depends on a $@. | anthropic_test.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | -| anthropic_test.py:53:16:53:37 | ControlFlowNode for BinaryExpr | anthropic_test.py:2:26:2:32 | ControlFlowNode for ImportMember | anthropic_test.py:53:16:53:37 | ControlFlowNode for BinaryExpr | This prompt construction depends on a $@. | anthropic_test.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | -| anthropic_test.py:57:28:57:32 | ControlFlowNode for query | anthropic_test.py:2:26:2:32 | ControlFlowNode for ImportMember | anthropic_test.py:57:28:57:32 | ControlFlowNode for query | This prompt construction depends on a $@. | anthropic_test.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | -| openai_test.py:17:22:17:46 | ControlFlowNode for BinaryExpr | openai_test.py:2:26:2:32 | ControlFlowNode for ImportMember | openai_test.py:17:22:17:46 | ControlFlowNode for BinaryExpr | This prompt construction depends on a $@. 
| openai_test.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | -| openai_test.py:18:15:18:19 | ControlFlowNode for query | openai_test.py:2:26:2:32 | ControlFlowNode for ImportMember | openai_test.py:18:15:18:19 | ControlFlowNode for query | This prompt construction depends on a $@. | openai_test.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | -| openai_test.py:22:22:22:46 | ControlFlowNode for BinaryExpr | openai_test.py:2:26:2:32 | ControlFlowNode for ImportMember | openai_test.py:22:22:22:46 | ControlFlowNode for BinaryExpr | This prompt construction depends on a $@. | openai_test.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | -| openai_test.py:23:15:37:9 | ControlFlowNode for List | openai_test.py:2:26:2:32 | ControlFlowNode for ImportMember | openai_test.py:23:15:37:9 | ControlFlowNode for List | This prompt construction depends on a $@. | openai_test.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | -| openai_test.py:26:28:26:51 | ControlFlowNode for BinaryExpr | openai_test.py:2:26:2:32 | ControlFlowNode for ImportMember | openai_test.py:26:28:26:51 | ControlFlowNode for BinaryExpr | This prompt construction depends on a $@. | openai_test.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | -| openai_test.py:33:33:33:37 | ControlFlowNode for query | openai_test.py:2:26:2:32 | ControlFlowNode for ImportMember | openai_test.py:33:33:33:37 | ControlFlowNode for query | This prompt construction depends on a $@. | openai_test.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | -| openai_test.py:41:22:41:46 | ControlFlowNode for BinaryExpr | openai_test.py:2:26:2:32 | ControlFlowNode for ImportMember | openai_test.py:41:22:41:46 | ControlFlowNode for BinaryExpr | This prompt construction depends on a $@. 
| openai_test.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | -| openai_test.py:42:15:42:19 | ControlFlowNode for query | openai_test.py:2:26:2:32 | ControlFlowNode for ImportMember | openai_test.py:42:15:42:19 | ControlFlowNode for query | This prompt construction depends on a $@. | openai_test.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | -| openai_test.py:53:33:53:37 | ControlFlowNode for query | openai_test.py:2:26:2:32 | ControlFlowNode for ImportMember | openai_test.py:53:33:53:37 | ControlFlowNode for query | This prompt construction depends on a $@. | openai_test.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | -| openai_test.py:63:28:63:51 | ControlFlowNode for BinaryExpr | openai_test.py:2:26:2:32 | ControlFlowNode for ImportMember | openai_test.py:63:28:63:51 | ControlFlowNode for BinaryExpr | This prompt construction depends on a $@. | openai_test.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | -| openai_test.py:67:28:67:32 | ControlFlowNode for query | openai_test.py:2:26:2:32 | ControlFlowNode for ImportMember | openai_test.py:67:28:67:32 | ControlFlowNode for query | This prompt construction depends on a $@. | openai_test.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | -| openai_test.py:71:28:71:32 | ControlFlowNode for query | openai_test.py:2:26:2:32 | ControlFlowNode for ImportMember | openai_test.py:71:28:71:32 | ControlFlowNode for query | This prompt construction depends on a $@. | openai_test.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | -| openai_test.py:80:28:80:51 | ControlFlowNode for BinaryExpr | openai_test.py:2:26:2:32 | ControlFlowNode for ImportMember | openai_test.py:80:28:80:51 | ControlFlowNode for BinaryExpr | This prompt construction depends on a $@. 
| openai_test.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | -| openai_test.py:84:28:84:32 | ControlFlowNode for query | openai_test.py:2:26:2:32 | ControlFlowNode for ImportMember | openai_test.py:84:28:84:32 | ControlFlowNode for query | This prompt construction depends on a $@. | openai_test.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | -| openai_test.py:92:22:92:46 | ControlFlowNode for BinaryExpr | openai_test.py:2:26:2:32 | ControlFlowNode for ImportMember | openai_test.py:92:22:92:46 | ControlFlowNode for BinaryExpr | This prompt construction depends on a $@. | openai_test.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | +| agent_instructions.py:9:50:9:89 | After BinaryExpr | agent_instructions.py:2:26:2:32 | After ImportMember | agent_instructions.py:9:50:9:89 | After BinaryExpr | This prompt construction depends on a $@. | agent_instructions.py:2:26:2:32 | After ImportMember | user-provided value | +| agent_instructions.py:25:28:25:32 | input | agent_instructions.py:2:26:2:32 | After ImportMember | agent_instructions.py:25:28:25:32 | input | This prompt construction depends on a $@. | agent_instructions.py:2:26:2:32 | After ImportMember | user-provided value | +| agent_instructions.py:35:28:35:32 | input | agent_instructions.py:2:26:2:32 | After ImportMember | agent_instructions.py:35:28:35:32 | input | This prompt construction depends on a $@. | agent_instructions.py:2:26:2:32 | After ImportMember | user-provided value | +| anthropic_test.py:17:16:17:37 | After BinaryExpr | anthropic_test.py:2:26:2:32 | After ImportMember | anthropic_test.py:17:16:17:37 | After BinaryExpr | This prompt construction depends on a $@. | anthropic_test.py:2:26:2:32 | After ImportMember | user-provided value | +| anthropic_test.py:21:28:21:32 | query | anthropic_test.py:2:26:2:32 | After ImportMember | anthropic_test.py:21:28:21:32 | query | This prompt construction depends on a $@. 
| anthropic_test.py:2:26:2:32 | After ImportMember | user-provided value | +| anthropic_test.py:29:16:29:37 | After BinaryExpr | anthropic_test.py:2:26:2:32 | After ImportMember | anthropic_test.py:29:16:29:37 | After BinaryExpr | This prompt construction depends on a $@. | anthropic_test.py:2:26:2:32 | After ImportMember | user-provided value | +| anthropic_test.py:33:28:33:32 | query | anthropic_test.py:2:26:2:32 | After ImportMember | anthropic_test.py:33:28:33:32 | query | This prompt construction depends on a $@. | anthropic_test.py:2:26:2:32 | After ImportMember | user-provided value | +| anthropic_test.py:41:16:41:37 | After BinaryExpr | anthropic_test.py:2:26:2:32 | After ImportMember | anthropic_test.py:41:16:41:37 | After BinaryExpr | This prompt construction depends on a $@. | anthropic_test.py:2:26:2:32 | After ImportMember | user-provided value | +| anthropic_test.py:45:28:45:32 | query | anthropic_test.py:2:26:2:32 | After ImportMember | anthropic_test.py:45:28:45:32 | query | This prompt construction depends on a $@. | anthropic_test.py:2:26:2:32 | After ImportMember | user-provided value | +| anthropic_test.py:53:16:53:37 | After BinaryExpr | anthropic_test.py:2:26:2:32 | After ImportMember | anthropic_test.py:53:16:53:37 | After BinaryExpr | This prompt construction depends on a $@. | anthropic_test.py:2:26:2:32 | After ImportMember | user-provided value | +| anthropic_test.py:57:28:57:32 | query | anthropic_test.py:2:26:2:32 | After ImportMember | anthropic_test.py:57:28:57:32 | query | This prompt construction depends on a $@. | anthropic_test.py:2:26:2:32 | After ImportMember | user-provided value | +| openai_test.py:17:22:17:46 | After BinaryExpr | openai_test.py:2:26:2:32 | After ImportMember | openai_test.py:17:22:17:46 | After BinaryExpr | This prompt construction depends on a $@. 
| openai_test.py:2:26:2:32 | After ImportMember | user-provided value | +| openai_test.py:18:15:18:19 | query | openai_test.py:2:26:2:32 | After ImportMember | openai_test.py:18:15:18:19 | query | This prompt construction depends on a $@. | openai_test.py:2:26:2:32 | After ImportMember | user-provided value | +| openai_test.py:22:22:22:46 | After BinaryExpr | openai_test.py:2:26:2:32 | After ImportMember | openai_test.py:22:22:22:46 | After BinaryExpr | This prompt construction depends on a $@. | openai_test.py:2:26:2:32 | After ImportMember | user-provided value | +| openai_test.py:23:15:37:9 | After List | openai_test.py:2:26:2:32 | After ImportMember | openai_test.py:23:15:37:9 | After List | This prompt construction depends on a $@. | openai_test.py:2:26:2:32 | After ImportMember | user-provided value | +| openai_test.py:26:28:26:51 | After BinaryExpr | openai_test.py:2:26:2:32 | After ImportMember | openai_test.py:26:28:26:51 | After BinaryExpr | This prompt construction depends on a $@. | openai_test.py:2:26:2:32 | After ImportMember | user-provided value | +| openai_test.py:33:33:33:37 | query | openai_test.py:2:26:2:32 | After ImportMember | openai_test.py:33:33:33:37 | query | This prompt construction depends on a $@. | openai_test.py:2:26:2:32 | After ImportMember | user-provided value | +| openai_test.py:41:22:41:46 | After BinaryExpr | openai_test.py:2:26:2:32 | After ImportMember | openai_test.py:41:22:41:46 | After BinaryExpr | This prompt construction depends on a $@. | openai_test.py:2:26:2:32 | After ImportMember | user-provided value | +| openai_test.py:42:15:42:19 | query | openai_test.py:2:26:2:32 | After ImportMember | openai_test.py:42:15:42:19 | query | This prompt construction depends on a $@. | openai_test.py:2:26:2:32 | After ImportMember | user-provided value | +| openai_test.py:53:33:53:37 | query | openai_test.py:2:26:2:32 | After ImportMember | openai_test.py:53:33:53:37 | query | This prompt construction depends on a $@. 
| openai_test.py:2:26:2:32 | After ImportMember | user-provided value | +| openai_test.py:63:28:63:51 | After BinaryExpr | openai_test.py:2:26:2:32 | After ImportMember | openai_test.py:63:28:63:51 | After BinaryExpr | This prompt construction depends on a $@. | openai_test.py:2:26:2:32 | After ImportMember | user-provided value | +| openai_test.py:67:28:67:32 | query | openai_test.py:2:26:2:32 | After ImportMember | openai_test.py:67:28:67:32 | query | This prompt construction depends on a $@. | openai_test.py:2:26:2:32 | After ImportMember | user-provided value | +| openai_test.py:71:28:71:32 | query | openai_test.py:2:26:2:32 | After ImportMember | openai_test.py:71:28:71:32 | query | This prompt construction depends on a $@. | openai_test.py:2:26:2:32 | After ImportMember | user-provided value | +| openai_test.py:80:28:80:51 | After BinaryExpr | openai_test.py:2:26:2:32 | After ImportMember | openai_test.py:80:28:80:51 | After BinaryExpr | This prompt construction depends on a $@. | openai_test.py:2:26:2:32 | After ImportMember | user-provided value | +| openai_test.py:84:28:84:32 | query | openai_test.py:2:26:2:32 | After ImportMember | openai_test.py:84:28:84:32 | query | This prompt construction depends on a $@. | openai_test.py:2:26:2:32 | After ImportMember | user-provided value | +| openai_test.py:92:22:92:46 | After BinaryExpr | openai_test.py:2:26:2:32 | After ImportMember | openai_test.py:92:22:92:46 | After BinaryExpr | This prompt construction depends on a $@. 
| openai_test.py:2:26:2:32 | After ImportMember | user-provided value | edges -| agent_instructions.py:2:26:2:32 | ControlFlowNode for ImportMember | agent_instructions.py:2:26:2:32 | ControlFlowNode for request | provenance | | -| agent_instructions.py:2:26:2:32 | ControlFlowNode for request | agent_instructions.py:7:13:7:19 | ControlFlowNode for request | provenance | | -| agent_instructions.py:2:26:2:32 | ControlFlowNode for request | agent_instructions.py:17:13:17:19 | ControlFlowNode for request | provenance | | -| agent_instructions.py:7:5:7:9 | ControlFlowNode for input | agent_instructions.py:9:50:9:89 | ControlFlowNode for BinaryExpr | provenance | Sink:MaD:11 | -| agent_instructions.py:7:13:7:19 | ControlFlowNode for request | agent_instructions.py:7:13:7:24 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | -| agent_instructions.py:7:13:7:24 | ControlFlowNode for Attribute | agent_instructions.py:7:13:7:37 | ControlFlowNode for Attribute() | provenance | dict.get | -| agent_instructions.py:7:13:7:37 | ControlFlowNode for Attribute() | agent_instructions.py:7:5:7:9 | ControlFlowNode for input | provenance | | -| agent_instructions.py:17:5:17:9 | ControlFlowNode for input | agent_instructions.py:25:28:25:32 | ControlFlowNode for input | provenance | | -| agent_instructions.py:17:5:17:9 | ControlFlowNode for input | agent_instructions.py:35:28:35:32 | ControlFlowNode for input | provenance | | -| agent_instructions.py:17:13:17:19 | ControlFlowNode for request | agent_instructions.py:17:13:17:24 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | -| agent_instructions.py:17:13:17:24 | ControlFlowNode for Attribute | agent_instructions.py:17:13:17:37 | ControlFlowNode for Attribute() | provenance | dict.get | -| agent_instructions.py:17:13:17:37 | ControlFlowNode for Attribute() | agent_instructions.py:17:5:17:9 | ControlFlowNode for input | provenance | | -| anthropic_test.py:2:26:2:32 | ControlFlowNode for ImportMember | 
anthropic_test.py:2:26:2:32 | ControlFlowNode for request | provenance | | -| anthropic_test.py:2:26:2:32 | ControlFlowNode for request | anthropic_test.py:11:15:11:21 | ControlFlowNode for request | provenance | | -| anthropic_test.py:2:26:2:32 | ControlFlowNode for request | anthropic_test.py:12:13:12:19 | ControlFlowNode for request | provenance | | -| anthropic_test.py:11:5:11:11 | ControlFlowNode for persona | anthropic_test.py:17:16:17:37 | ControlFlowNode for BinaryExpr | provenance | Sink:MaD:4 | -| anthropic_test.py:11:5:11:11 | ControlFlowNode for persona | anthropic_test.py:29:16:29:37 | ControlFlowNode for BinaryExpr | provenance | Sink:MaD:6 | -| anthropic_test.py:11:5:11:11 | ControlFlowNode for persona | anthropic_test.py:41:16:41:37 | ControlFlowNode for BinaryExpr | provenance | Sink:MaD:4 | -| anthropic_test.py:11:5:11:11 | ControlFlowNode for persona | anthropic_test.py:53:16:53:37 | ControlFlowNode for BinaryExpr | provenance | Sink:MaD:2 | -| anthropic_test.py:11:15:11:21 | ControlFlowNode for request | anthropic_test.py:11:15:11:26 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | -| anthropic_test.py:11:15:11:21 | ControlFlowNode for request | anthropic_test.py:12:13:12:24 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | -| anthropic_test.py:11:15:11:26 | ControlFlowNode for Attribute | anthropic_test.py:11:15:11:41 | ControlFlowNode for Attribute() | provenance | dict.get | -| anthropic_test.py:11:15:11:41 | ControlFlowNode for Attribute() | anthropic_test.py:11:5:11:11 | ControlFlowNode for persona | provenance | | -| anthropic_test.py:12:5:12:9 | ControlFlowNode for query | anthropic_test.py:21:28:21:32 | ControlFlowNode for query | provenance | Sink:MaD:3 | -| anthropic_test.py:12:5:12:9 | ControlFlowNode for query | anthropic_test.py:33:28:33:32 | ControlFlowNode for query | provenance | Sink:MaD:5 | -| anthropic_test.py:12:5:12:9 | ControlFlowNode for query | anthropic_test.py:45:28:45:32 | 
ControlFlowNode for query | provenance | Sink:MaD:3 | -| anthropic_test.py:12:5:12:9 | ControlFlowNode for query | anthropic_test.py:57:28:57:32 | ControlFlowNode for query | provenance | Sink:MaD:1 | -| anthropic_test.py:12:13:12:19 | ControlFlowNode for request | anthropic_test.py:12:13:12:24 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | -| anthropic_test.py:12:13:12:24 | ControlFlowNode for Attribute | anthropic_test.py:12:13:12:37 | ControlFlowNode for Attribute() | provenance | dict.get | -| anthropic_test.py:12:13:12:37 | ControlFlowNode for Attribute() | anthropic_test.py:12:5:12:9 | ControlFlowNode for query | provenance | | -| openai_test.py:2:26:2:32 | ControlFlowNode for ImportMember | openai_test.py:2:26:2:32 | ControlFlowNode for request | provenance | | -| openai_test.py:2:26:2:32 | ControlFlowNode for request | openai_test.py:12:15:12:21 | ControlFlowNode for request | provenance | | -| openai_test.py:2:26:2:32 | ControlFlowNode for request | openai_test.py:13:13:13:19 | ControlFlowNode for request | provenance | | -| openai_test.py:12:5:12:11 | ControlFlowNode for persona | openai_test.py:17:22:17:46 | ControlFlowNode for BinaryExpr | provenance | Sink:MaD:10 | -| openai_test.py:12:5:12:11 | ControlFlowNode for persona | openai_test.py:22:22:22:46 | ControlFlowNode for BinaryExpr | provenance | Sink:MaD:10 | -| openai_test.py:12:5:12:11 | ControlFlowNode for persona | openai_test.py:23:15:37:9 | ControlFlowNode for List | provenance | Sink:MaD:9 | -| openai_test.py:12:5:12:11 | ControlFlowNode for persona | openai_test.py:26:28:26:51 | ControlFlowNode for BinaryExpr | provenance | | -| openai_test.py:12:5:12:11 | ControlFlowNode for persona | openai_test.py:41:22:41:46 | ControlFlowNode for BinaryExpr | provenance | Sink:MaD:10 | -| openai_test.py:12:5:12:11 | ControlFlowNode for persona | openai_test.py:63:28:63:51 | ControlFlowNode for BinaryExpr | provenance | Sink:MaD:8 | -| openai_test.py:12:5:12:11 | ControlFlowNode for 
persona | openai_test.py:80:28:80:51 | ControlFlowNode for BinaryExpr | provenance | Sink:MaD:8 | -| openai_test.py:12:5:12:11 | ControlFlowNode for persona | openai_test.py:92:22:92:46 | ControlFlowNode for BinaryExpr | provenance | Sink:MaD:7 | -| openai_test.py:12:15:12:21 | ControlFlowNode for request | openai_test.py:12:15:12:26 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | -| openai_test.py:12:15:12:21 | ControlFlowNode for request | openai_test.py:13:13:13:24 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | -| openai_test.py:12:15:12:26 | ControlFlowNode for Attribute | openai_test.py:12:15:12:41 | ControlFlowNode for Attribute() | provenance | dict.get | -| openai_test.py:12:15:12:41 | ControlFlowNode for Attribute() | openai_test.py:12:5:12:11 | ControlFlowNode for persona | provenance | | -| openai_test.py:13:5:13:9 | ControlFlowNode for query | openai_test.py:18:15:18:19 | ControlFlowNode for query | provenance | Sink:MaD:9 | -| openai_test.py:13:5:13:9 | ControlFlowNode for query | openai_test.py:23:15:37:9 | ControlFlowNode for List | provenance | Sink:MaD:9 | -| openai_test.py:13:5:13:9 | ControlFlowNode for query | openai_test.py:33:33:33:37 | ControlFlowNode for query | provenance | | -| openai_test.py:13:5:13:9 | ControlFlowNode for query | openai_test.py:42:15:42:19 | ControlFlowNode for query | provenance | Sink:MaD:9 | -| openai_test.py:13:5:13:9 | ControlFlowNode for query | openai_test.py:53:33:53:37 | ControlFlowNode for query | provenance | | -| openai_test.py:13:5:13:9 | ControlFlowNode for query | openai_test.py:67:28:67:32 | ControlFlowNode for query | provenance | Sink:MaD:8 | -| openai_test.py:13:5:13:9 | ControlFlowNode for query | openai_test.py:71:28:71:32 | ControlFlowNode for query | provenance | Sink:MaD:8 | -| openai_test.py:13:5:13:9 | ControlFlowNode for query | openai_test.py:84:28:84:32 | ControlFlowNode for query | provenance | Sink:MaD:8 | -| openai_test.py:13:13:13:19 | 
ControlFlowNode for request | openai_test.py:13:13:13:24 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | -| openai_test.py:13:13:13:24 | ControlFlowNode for Attribute | openai_test.py:13:13:13:37 | ControlFlowNode for Attribute() | provenance | dict.get | -| openai_test.py:13:13:13:37 | ControlFlowNode for Attribute() | openai_test.py:13:5:13:9 | ControlFlowNode for query | provenance | | +| agent_instructions.py:2:26:2:32 | After ImportMember | agent_instructions.py:2:26:2:32 | request | provenance | | +| agent_instructions.py:2:26:2:32 | request | agent_instructions.py:7:13:7:19 | request | provenance | | +| agent_instructions.py:2:26:2:32 | request | agent_instructions.py:17:13:17:19 | request | provenance | | +| agent_instructions.py:7:5:7:9 | input | agent_instructions.py:9:50:9:89 | After BinaryExpr | provenance | Sink:MaD:11 | +| agent_instructions.py:7:13:7:19 | request | agent_instructions.py:7:13:7:24 | After Attribute | provenance | AdditionalTaintStep | +| agent_instructions.py:7:13:7:24 | After Attribute | agent_instructions.py:7:13:7:37 | After Attribute() | provenance | dict.get | +| agent_instructions.py:7:13:7:37 | After Attribute() | agent_instructions.py:7:5:7:9 | input | provenance | | +| agent_instructions.py:17:5:17:9 | input | agent_instructions.py:25:28:25:32 | input | provenance | | +| agent_instructions.py:17:5:17:9 | input | agent_instructions.py:35:28:35:32 | input | provenance | | +| agent_instructions.py:17:13:17:19 | request | agent_instructions.py:17:13:17:24 | After Attribute | provenance | AdditionalTaintStep | +| agent_instructions.py:17:13:17:24 | After Attribute | agent_instructions.py:17:13:17:37 | After Attribute() | provenance | dict.get | +| agent_instructions.py:17:13:17:37 | After Attribute() | agent_instructions.py:17:5:17:9 | input | provenance | | +| anthropic_test.py:2:26:2:32 | After ImportMember | anthropic_test.py:2:26:2:32 | request | provenance | | +| anthropic_test.py:2:26:2:32 | request | 
anthropic_test.py:11:15:11:21 | request | provenance | | +| anthropic_test.py:2:26:2:32 | request | anthropic_test.py:12:13:12:19 | request | provenance | | +| anthropic_test.py:11:5:11:11 | persona | anthropic_test.py:17:16:17:37 | After BinaryExpr | provenance | Sink:MaD:4 | +| anthropic_test.py:11:5:11:11 | persona | anthropic_test.py:29:16:29:37 | After BinaryExpr | provenance | Sink:MaD:6 | +| anthropic_test.py:11:5:11:11 | persona | anthropic_test.py:41:16:41:37 | After BinaryExpr | provenance | Sink:MaD:4 | +| anthropic_test.py:11:5:11:11 | persona | anthropic_test.py:53:16:53:37 | After BinaryExpr | provenance | Sink:MaD:2 | +| anthropic_test.py:11:15:11:21 | request | anthropic_test.py:11:15:11:26 | After Attribute | provenance | AdditionalTaintStep | +| anthropic_test.py:11:15:11:21 | request | anthropic_test.py:12:13:12:24 | After Attribute | provenance | AdditionalTaintStep | +| anthropic_test.py:11:15:11:26 | After Attribute | anthropic_test.py:11:15:11:41 | After Attribute() | provenance | dict.get | +| anthropic_test.py:11:15:11:41 | After Attribute() | anthropic_test.py:11:5:11:11 | persona | provenance | | +| anthropic_test.py:12:5:12:9 | query | anthropic_test.py:21:28:21:32 | query | provenance | Sink:MaD:3 | +| anthropic_test.py:12:5:12:9 | query | anthropic_test.py:33:28:33:32 | query | provenance | Sink:MaD:5 | +| anthropic_test.py:12:5:12:9 | query | anthropic_test.py:45:28:45:32 | query | provenance | Sink:MaD:3 | +| anthropic_test.py:12:5:12:9 | query | anthropic_test.py:57:28:57:32 | query | provenance | Sink:MaD:1 | +| anthropic_test.py:12:13:12:19 | request | anthropic_test.py:12:13:12:24 | After Attribute | provenance | AdditionalTaintStep | +| anthropic_test.py:12:13:12:24 | After Attribute | anthropic_test.py:12:13:12:37 | After Attribute() | provenance | dict.get | +| anthropic_test.py:12:13:12:37 | After Attribute() | anthropic_test.py:12:5:12:9 | query | provenance | | +| openai_test.py:2:26:2:32 | After ImportMember | 
openai_test.py:2:26:2:32 | request | provenance | | +| openai_test.py:2:26:2:32 | request | openai_test.py:12:15:12:21 | request | provenance | | +| openai_test.py:2:26:2:32 | request | openai_test.py:13:13:13:19 | request | provenance | | +| openai_test.py:12:5:12:11 | persona | openai_test.py:17:22:17:46 | After BinaryExpr | provenance | Sink:MaD:10 | +| openai_test.py:12:5:12:11 | persona | openai_test.py:22:22:22:46 | After BinaryExpr | provenance | Sink:MaD:10 | +| openai_test.py:12:5:12:11 | persona | openai_test.py:23:15:37:9 | After List | provenance | Sink:MaD:9 | +| openai_test.py:12:5:12:11 | persona | openai_test.py:26:28:26:51 | After BinaryExpr | provenance | | +| openai_test.py:12:5:12:11 | persona | openai_test.py:41:22:41:46 | After BinaryExpr | provenance | Sink:MaD:10 | +| openai_test.py:12:5:12:11 | persona | openai_test.py:63:28:63:51 | After BinaryExpr | provenance | Sink:MaD:8 | +| openai_test.py:12:5:12:11 | persona | openai_test.py:80:28:80:51 | After BinaryExpr | provenance | Sink:MaD:8 | +| openai_test.py:12:5:12:11 | persona | openai_test.py:92:22:92:46 | After BinaryExpr | provenance | Sink:MaD:7 | +| openai_test.py:12:15:12:21 | request | openai_test.py:12:15:12:26 | After Attribute | provenance | AdditionalTaintStep | +| openai_test.py:12:15:12:21 | request | openai_test.py:13:13:13:24 | After Attribute | provenance | AdditionalTaintStep | +| openai_test.py:12:15:12:26 | After Attribute | openai_test.py:12:15:12:41 | After Attribute() | provenance | dict.get | +| openai_test.py:12:15:12:41 | After Attribute() | openai_test.py:12:5:12:11 | persona | provenance | | +| openai_test.py:13:5:13:9 | query | openai_test.py:18:15:18:19 | query | provenance | Sink:MaD:9 | +| openai_test.py:13:5:13:9 | query | openai_test.py:23:15:37:9 | After List | provenance | Sink:MaD:9 | +| openai_test.py:13:5:13:9 | query | openai_test.py:33:33:33:37 | query | provenance | | +| openai_test.py:13:5:13:9 | query | openai_test.py:42:15:42:19 | query | 
provenance | Sink:MaD:9 | +| openai_test.py:13:5:13:9 | query | openai_test.py:53:33:53:37 | query | provenance | | +| openai_test.py:13:5:13:9 | query | openai_test.py:67:28:67:32 | query | provenance | Sink:MaD:8 | +| openai_test.py:13:5:13:9 | query | openai_test.py:71:28:71:32 | query | provenance | Sink:MaD:8 | +| openai_test.py:13:5:13:9 | query | openai_test.py:84:28:84:32 | query | provenance | Sink:MaD:8 | +| openai_test.py:13:13:13:19 | request | openai_test.py:13:13:13:24 | After Attribute | provenance | AdditionalTaintStep | +| openai_test.py:13:13:13:24 | After Attribute | openai_test.py:13:13:13:37 | After Attribute() | provenance | dict.get | +| openai_test.py:13:13:13:37 | After Attribute() | openai_test.py:13:5:13:9 | query | provenance | | models | 1 | Sink: Anthropic; Member[beta].Member[messages].Member[create].Argument[messages:].ListElement.DictionaryElement[content]; prompt-injection | | 2 | Sink: Anthropic; Member[beta].Member[messages].Member[create].Argument[system:]; prompt-injection | 
@@ -95,60 +95,60 @@ models | 10 | Sink: OpenAI; Member[responses].Member[create].Argument[instructions:]; prompt-injection | | 11 | Sink: agents; Member[Agent].Argument[instructions:]; prompt-injection | nodes -| agent_instructions.py:2:26:2:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember | -| agent_instructions.py:2:26:2:32 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| agent_instructions.py:7:5:7:9 | ControlFlowNode for input | semmle.label | ControlFlowNode for input | -| agent_instructions.py:7:13:7:19 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| agent_instructions.py:7:13:7:24 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | -| agent_instructions.py:7:13:7:37 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| agent_instructions.py:9:50:9:89 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr | -| agent_instructions.py:17:5:17:9 | ControlFlowNode for input | semmle.label | ControlFlowNode for input | -| agent_instructions.py:17:13:17:19 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| agent_instructions.py:17:13:17:24 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | -| agent_instructions.py:17:13:17:37 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| agent_instructions.py:25:28:25:32 | ControlFlowNode for input | semmle.label | ControlFlowNode for input | -| agent_instructions.py:35:28:35:32 | ControlFlowNode for input | semmle.label | ControlFlowNode for input | -| anthropic_test.py:2:26:2:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember | -| anthropic_test.py:2:26:2:32 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| anthropic_test.py:11:5:11:11 | ControlFlowNode for persona | 
semmle.label | ControlFlowNode for persona | -| anthropic_test.py:11:15:11:21 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| anthropic_test.py:11:15:11:26 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | -| anthropic_test.py:11:15:11:41 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| anthropic_test.py:12:5:12:9 | ControlFlowNode for query | semmle.label | ControlFlowNode for query | -| anthropic_test.py:12:13:12:19 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| anthropic_test.py:12:13:12:24 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | -| anthropic_test.py:12:13:12:37 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| anthropic_test.py:17:16:17:37 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr | -| anthropic_test.py:21:28:21:32 | ControlFlowNode for query | semmle.label | ControlFlowNode for query | -| anthropic_test.py:29:16:29:37 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr | -| anthropic_test.py:33:28:33:32 | ControlFlowNode for query | semmle.label | ControlFlowNode for query | -| anthropic_test.py:41:16:41:37 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr | -| anthropic_test.py:45:28:45:32 | ControlFlowNode for query | semmle.label | ControlFlowNode for query | -| anthropic_test.py:53:16:53:37 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr | -| anthropic_test.py:57:28:57:32 | ControlFlowNode for query | semmle.label | ControlFlowNode for query | -| openai_test.py:2:26:2:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember | -| openai_test.py:2:26:2:32 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| openai_test.py:12:5:12:11 | ControlFlowNode for persona 
| semmle.label | ControlFlowNode for persona | -| openai_test.py:12:15:12:21 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| openai_test.py:12:15:12:26 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | -| openai_test.py:12:15:12:41 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| openai_test.py:13:5:13:9 | ControlFlowNode for query | semmle.label | ControlFlowNode for query | -| openai_test.py:13:13:13:19 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| openai_test.py:13:13:13:24 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | -| openai_test.py:13:13:13:37 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| openai_test.py:17:22:17:46 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr | -| openai_test.py:18:15:18:19 | ControlFlowNode for query | semmle.label | ControlFlowNode for query | -| openai_test.py:22:22:22:46 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr | -| openai_test.py:23:15:37:9 | ControlFlowNode for List | semmle.label | ControlFlowNode for List | -| openai_test.py:26:28:26:51 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr | -| openai_test.py:33:33:33:37 | ControlFlowNode for query | semmle.label | ControlFlowNode for query | -| openai_test.py:41:22:41:46 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr | -| openai_test.py:42:15:42:19 | ControlFlowNode for query | semmle.label | ControlFlowNode for query | -| openai_test.py:53:33:53:37 | ControlFlowNode for query | semmle.label | ControlFlowNode for query | -| openai_test.py:63:28:63:51 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr | -| openai_test.py:67:28:67:32 | ControlFlowNode for query | semmle.label | ControlFlowNode for query | -| 
openai_test.py:71:28:71:32 | ControlFlowNode for query | semmle.label | ControlFlowNode for query | -| openai_test.py:80:28:80:51 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr | -| openai_test.py:84:28:84:32 | ControlFlowNode for query | semmle.label | ControlFlowNode for query | -| openai_test.py:92:22:92:46 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr | +| agent_instructions.py:2:26:2:32 | After ImportMember | semmle.label | After ImportMember | +| agent_instructions.py:2:26:2:32 | request | semmle.label | request | +| agent_instructions.py:7:5:7:9 | input | semmle.label | input | +| agent_instructions.py:7:13:7:19 | request | semmle.label | request | +| agent_instructions.py:7:13:7:24 | After Attribute | semmle.label | After Attribute | +| agent_instructions.py:7:13:7:37 | After Attribute() | semmle.label | After Attribute() | +| agent_instructions.py:9:50:9:89 | After BinaryExpr | semmle.label | After BinaryExpr | +| agent_instructions.py:17:5:17:9 | input | semmle.label | input | +| agent_instructions.py:17:13:17:19 | request | semmle.label | request | +| agent_instructions.py:17:13:17:24 | After Attribute | semmle.label | After Attribute | +| agent_instructions.py:17:13:17:37 | After Attribute() | semmle.label | After Attribute() | +| agent_instructions.py:25:28:25:32 | input | semmle.label | input | +| agent_instructions.py:35:28:35:32 | input | semmle.label | input | +| anthropic_test.py:2:26:2:32 | After ImportMember | semmle.label | After ImportMember | +| anthropic_test.py:2:26:2:32 | request | semmle.label | request | +| anthropic_test.py:11:5:11:11 | persona | semmle.label | persona | +| anthropic_test.py:11:15:11:21 | request | semmle.label | request | +| anthropic_test.py:11:15:11:26 | After Attribute | semmle.label | After Attribute | +| anthropic_test.py:11:15:11:41 | After Attribute() | semmle.label | After Attribute() | +| anthropic_test.py:12:5:12:9 | query | semmle.label | 
query | +| anthropic_test.py:12:13:12:19 | request | semmle.label | request | +| anthropic_test.py:12:13:12:24 | After Attribute | semmle.label | After Attribute | +| anthropic_test.py:12:13:12:37 | After Attribute() | semmle.label | After Attribute() | +| anthropic_test.py:17:16:17:37 | After BinaryExpr | semmle.label | After BinaryExpr | +| anthropic_test.py:21:28:21:32 | query | semmle.label | query | +| anthropic_test.py:29:16:29:37 | After BinaryExpr | semmle.label | After BinaryExpr | +| anthropic_test.py:33:28:33:32 | query | semmle.label | query | +| anthropic_test.py:41:16:41:37 | After BinaryExpr | semmle.label | After BinaryExpr | +| anthropic_test.py:45:28:45:32 | query | semmle.label | query | +| anthropic_test.py:53:16:53:37 | After BinaryExpr | semmle.label | After BinaryExpr | +| anthropic_test.py:57:28:57:32 | query | semmle.label | query | +| openai_test.py:2:26:2:32 | After ImportMember | semmle.label | After ImportMember | +| openai_test.py:2:26:2:32 | request | semmle.label | request | +| openai_test.py:12:5:12:11 | persona | semmle.label | persona | +| openai_test.py:12:15:12:21 | request | semmle.label | request | +| openai_test.py:12:15:12:26 | After Attribute | semmle.label | After Attribute | +| openai_test.py:12:15:12:41 | After Attribute() | semmle.label | After Attribute() | +| openai_test.py:13:5:13:9 | query | semmle.label | query | +| openai_test.py:13:13:13:19 | request | semmle.label | request | +| openai_test.py:13:13:13:24 | After Attribute | semmle.label | After Attribute | +| openai_test.py:13:13:13:37 | After Attribute() | semmle.label | After Attribute() | +| openai_test.py:17:22:17:46 | After BinaryExpr | semmle.label | After BinaryExpr | +| openai_test.py:18:15:18:19 | query | semmle.label | query | +| openai_test.py:22:22:22:46 | After BinaryExpr | semmle.label | After BinaryExpr | +| openai_test.py:23:15:37:9 | After List | semmle.label | After List | +| openai_test.py:26:28:26:51 | After BinaryExpr | semmle.label | After 
BinaryExpr | +| openai_test.py:33:33:33:37 | query | semmle.label | query | +| openai_test.py:41:22:41:46 | After BinaryExpr | semmle.label | After BinaryExpr | +| openai_test.py:42:15:42:19 | query | semmle.label | query | +| openai_test.py:53:33:53:37 | query | semmle.label | query | +| openai_test.py:63:28:63:51 | After BinaryExpr | semmle.label | After BinaryExpr | +| openai_test.py:67:28:67:32 | query | semmle.label | query | +| openai_test.py:71:28:71:32 | query | semmle.label | query | +| openai_test.py:80:28:80:51 | After BinaryExpr | semmle.label | After BinaryExpr | +| openai_test.py:84:28:84:32 | query | semmle.label | query | +| openai_test.py:92:22:92:46 | After BinaryExpr | semmle.label | After BinaryExpr | subpaths diff --git a/python/ql/test/experimental/query-tests/Security/CWE-176/UnicodeBypassValidation.expected b/python/ql/test/experimental/query-tests/Security/CWE-176/UnicodeBypassValidation.expected index b667a4bd04d..0f6c72bc3f1 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-176/UnicodeBypassValidation.expected +++ b/python/ql/test/experimental/query-tests/Security/CWE-176/UnicodeBypassValidation.expected 
@@ -1,33 +1,33 @@ edges -| samples.py:2:26:2:32 | ControlFlowNode for ImportMember | samples.py:2:26:2:32 | ControlFlowNode for request | provenance | | -| samples.py:2:26:2:32 | ControlFlowNode for request | samples.py:9:25:9:31 | ControlFlowNode for request | provenance | | -| samples.py:2:26:2:32 | ControlFlowNode for request | samples.py:16:25:16:31 | ControlFlowNode for request | provenance | | -| samples.py:9:5:9:14 | ControlFlowNode for user_input | samples.py:10:59:10:68 | ControlFlowNode for user_input | provenance | | -| samples.py:9:18:9:47 | ControlFlowNode for escape() | samples.py:9:5:9:14 | ControlFlowNode for user_input | provenance | | -| samples.py:9:25:9:31 | ControlFlowNode for request | samples.py:9:25:9:36 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | -| samples.py:9:25:9:36 | ControlFlowNode for Attribute | samples.py:9:25:9:46 | ControlFlowNode for Attribute() | provenance | dict.get | -| samples.py:9:25:9:46 | ControlFlowNode for Attribute() | samples.py:9:18:9:47 | ControlFlowNode for escape() | provenance | Config | -| samples.py:16:5:16:14 | ControlFlowNode for user_input | samples.py:20:62:20:71 | ControlFlowNode for user_input | provenance | | -| samples.py:16:18:16:47 | ControlFlowNode for escape() | samples.py:16:5:16:14 | ControlFlowNode for user_input | provenance | | -| samples.py:16:25:16:31 | ControlFlowNode for request | samples.py:16:25:16:36 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | -| samples.py:16:25:16:36 | ControlFlowNode for Attribute | samples.py:16:25:16:46 | ControlFlowNode for Attribute() | provenance | dict.get | -| samples.py:16:25:16:46 | ControlFlowNode for Attribute() | samples.py:16:18:16:47 | ControlFlowNode for escape() | provenance | Config | +| samples.py:2:26:2:32 | After ImportMember | samples.py:2:26:2:32 | request | provenance | | +| samples.py:2:26:2:32 | request | samples.py:9:25:9:31 | request | provenance | | +| samples.py:2:26:2:32 | request | 
samples.py:16:25:16:31 | request | provenance | | +| samples.py:9:5:9:14 | user_input | samples.py:10:59:10:68 | user_input | provenance | | +| samples.py:9:18:9:47 | After escape() | samples.py:9:5:9:14 | user_input | provenance | | +| samples.py:9:25:9:31 | request | samples.py:9:25:9:36 | After Attribute | provenance | AdditionalTaintStep | +| samples.py:9:25:9:36 | After Attribute | samples.py:9:25:9:46 | After Attribute() | provenance | dict.get | +| samples.py:9:25:9:46 | After Attribute() | samples.py:9:18:9:47 | After escape() | provenance | Config | +| samples.py:16:5:16:14 | user_input | samples.py:20:62:20:71 | user_input | provenance | | +| samples.py:16:18:16:47 | After escape() | samples.py:16:5:16:14 | user_input | provenance | | +| samples.py:16:25:16:31 | request | samples.py:16:25:16:36 | After Attribute | provenance | AdditionalTaintStep | +| samples.py:16:25:16:36 | After Attribute | samples.py:16:25:16:46 | After Attribute() | provenance | dict.get | +| samples.py:16:25:16:46 | After Attribute() | samples.py:16:18:16:47 | After escape() | provenance | Config | nodes -| samples.py:2:26:2:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember | -| samples.py:2:26:2:32 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| samples.py:9:5:9:14 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input | -| samples.py:9:18:9:47 | ControlFlowNode for escape() | semmle.label | ControlFlowNode for escape() | -| samples.py:9:25:9:31 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| samples.py:9:25:9:36 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | -| samples.py:9:25:9:46 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| samples.py:10:59:10:68 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input | -| samples.py:16:5:16:14 | ControlFlowNode for 
user_input | semmle.label | ControlFlowNode for user_input | -| samples.py:16:18:16:47 | ControlFlowNode for escape() | semmle.label | ControlFlowNode for escape() | -| samples.py:16:25:16:31 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| samples.py:16:25:16:36 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | -| samples.py:16:25:16:46 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| samples.py:20:62:20:71 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input | +| samples.py:2:26:2:32 | After ImportMember | semmle.label | After ImportMember | +| samples.py:2:26:2:32 | request | semmle.label | request | +| samples.py:9:5:9:14 | user_input | semmle.label | user_input | +| samples.py:9:18:9:47 | After escape() | semmle.label | After escape() | +| samples.py:9:25:9:31 | request | semmle.label | request | +| samples.py:9:25:9:36 | After Attribute | semmle.label | After Attribute | +| samples.py:9:25:9:46 | After Attribute() | semmle.label | After Attribute() | +| samples.py:10:59:10:68 | user_input | semmle.label | user_input | +| samples.py:16:5:16:14 | user_input | semmle.label | user_input | +| samples.py:16:18:16:47 | After escape() | semmle.label | After escape() | +| samples.py:16:25:16:31 | request | semmle.label | request | +| samples.py:16:25:16:36 | After Attribute | semmle.label | After Attribute | +| samples.py:16:25:16:46 | After Attribute() | semmle.label | After Attribute() | +| samples.py:20:62:20:71 | user_input | semmle.label | user_input | subpaths #select -| samples.py:10:59:10:68 | ControlFlowNode for user_input | samples.py:2:26:2:32 | ControlFlowNode for ImportMember | samples.py:10:59:10:68 | ControlFlowNode for user_input | This $@ processes unsafely $@ and any logical validation in-between could be bypassed using special Unicode characters. 
| samples.py:10:59:10:68 | ControlFlowNode for user_input | Unicode transformation (Unicode normalization) | samples.py:2:26:2:32 | ControlFlowNode for ImportMember | remote user-controlled data | -| samples.py:20:62:20:71 | ControlFlowNode for user_input | samples.py:2:26:2:32 | ControlFlowNode for ImportMember | samples.py:20:62:20:71 | ControlFlowNode for user_input | This $@ processes unsafely $@ and any logical validation in-between could be bypassed using special Unicode characters. | samples.py:20:62:20:71 | ControlFlowNode for user_input | Unicode transformation (Unicode normalization) | samples.py:2:26:2:32 | ControlFlowNode for ImportMember | remote user-controlled data | +| samples.py:10:59:10:68 | user_input | samples.py:2:26:2:32 | After ImportMember | samples.py:10:59:10:68 | user_input | This $@ processes unsafely $@ and any logical validation in-between could be bypassed using special Unicode characters. | samples.py:10:59:10:68 | user_input | Unicode transformation (Unicode normalization) | samples.py:2:26:2:32 | After ImportMember | remote user-controlled data | +| samples.py:20:62:20:71 | user_input | samples.py:2:26:2:32 | After ImportMember | samples.py:20:62:20:71 | user_input | This $@ processes unsafely $@ and any logical validation in-between could be bypassed using special Unicode characters. | samples.py:20:62:20:71 | user_input | Unicode transformation (Unicode normalization) | samples.py:2:26:2:32 | After ImportMember | remote user-controlled data | diff --git a/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstHash/PossibleTimingAttackAgainstHash.expected b/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstHash/PossibleTimingAttackAgainstHash.expected index 1577182b2dc..232ee1f587c 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstHash/PossibleTimingAttackAgainstHash.expected 
+++ b/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstHash/PossibleTimingAttackAgainstHash.expected 
@@ -1,14 +1,14 @@ edges -| TimingAttackAgainstHash.py:26:5:26:13 | ControlFlowNode for signature | TimingAttackAgainstHash.py:27:24:27:32 | ControlFlowNode for signature | provenance | | -| TimingAttackAgainstHash.py:26:17:26:41 | ControlFlowNode for Attribute() | TimingAttackAgainstHash.py:26:5:26:13 | ControlFlowNode for signature | provenance | | -| TimingAttackAgainstHash.py:30:12:30:47 | ControlFlowNode for Attribute() | TimingAttackAgainstHash.py:37:19:37:48 | ControlFlowNode for sign() | provenance | | +| TimingAttackAgainstHash.py:26:5:26:13 | signature | TimingAttackAgainstHash.py:27:24:27:32 | signature | provenance | | +| TimingAttackAgainstHash.py:26:17:26:41 | After Attribute() | TimingAttackAgainstHash.py:26:5:26:13 | signature | provenance | | +| TimingAttackAgainstHash.py:30:12:30:47 | After Attribute() | TimingAttackAgainstHash.py:37:19:37:48 | After sign() | provenance | | nodes -| TimingAttackAgainstHash.py:26:5:26:13 | ControlFlowNode for signature | semmle.label | ControlFlowNode for signature | -| TimingAttackAgainstHash.py:26:17:26:41 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| TimingAttackAgainstHash.py:27:24:27:32 | ControlFlowNode for signature | semmle.label | ControlFlowNode for signature | -| TimingAttackAgainstHash.py:30:12:30:47 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| TimingAttackAgainstHash.py:37:19:37:48 | ControlFlowNode for sign() | semmle.label | ControlFlowNode for sign() | +| TimingAttackAgainstHash.py:26:5:26:13 | signature | semmle.label | signature | +| TimingAttackAgainstHash.py:26:17:26:41 | After Attribute() | semmle.label | After Attribute() | +| TimingAttackAgainstHash.py:27:24:27:32 | signature | semmle.label | signature | +| TimingAttackAgainstHash.py:30:12:30:47 | After Attribute() | semmle.label | After Attribute() | +| TimingAttackAgainstHash.py:37:19:37:48 | After sign() | semmle.label | After sign() | subpaths #select -| 
TimingAttackAgainstHash.py:27:24:27:32 | ControlFlowNode for signature | TimingAttackAgainstHash.py:26:17:26:41 | ControlFlowNode for Attribute() | TimingAttackAgainstHash.py:27:24:27:32 | ControlFlowNode for signature | Possible Timing attack against $@ validation. | TimingAttackAgainstHash.py:26:17:26:41 | ControlFlowNode for Attribute() | signature message | -| TimingAttackAgainstHash.py:37:19:37:48 | ControlFlowNode for sign() | TimingAttackAgainstHash.py:30:12:30:47 | ControlFlowNode for Attribute() | TimingAttackAgainstHash.py:37:19:37:48 | ControlFlowNode for sign() | Possible Timing attack against $@ validation. | TimingAttackAgainstHash.py:30:12:30:47 | ControlFlowNode for Attribute() | MAC message | +| TimingAttackAgainstHash.py:27:24:27:32 | signature | TimingAttackAgainstHash.py:26:17:26:41 | After Attribute() | TimingAttackAgainstHash.py:27:24:27:32 | signature | Possible Timing attack against $@ validation. | TimingAttackAgainstHash.py:26:17:26:41 | After Attribute() | signature message | +| TimingAttackAgainstHash.py:37:19:37:48 | After sign() | TimingAttackAgainstHash.py:30:12:30:47 | After Attribute() | TimingAttackAgainstHash.py:37:19:37:48 | After sign() | Possible Timing attack against $@ validation. | TimingAttackAgainstHash.py:30:12:30:47 | After Attribute() | MAC message | diff --git a/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstHash/TimingAttackAgainstHash.expected b/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstHash/TimingAttackAgainstHash.expected index 0b7b2de8ddb..ea0d313f636 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstHash/TimingAttackAgainstHash.expected +++ b/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstHash/TimingAttackAgainstHash.expected 
@@ -1,12 +1,12 @@ edges -| TimingAttackAgainstHash.py:26:5:26:13 | ControlFlowNode for signature | TimingAttackAgainstHash.py:27:24:27:32 | ControlFlowNode for signature | provenance | | -| TimingAttackAgainstHash.py:26:17:26:41 | ControlFlowNode for Attribute() | TimingAttackAgainstHash.py:26:5:26:13 | ControlFlowNode for signature | provenance | | -| TimingAttackAgainstHash.py:30:12:30:47 | ControlFlowNode for Attribute() | TimingAttackAgainstHash.py:37:19:37:48 | ControlFlowNode for sign() | provenance | | +| TimingAttackAgainstHash.py:26:5:26:13 | signature | TimingAttackAgainstHash.py:27:24:27:32 | signature | provenance | | +| TimingAttackAgainstHash.py:26:17:26:41 | After Attribute() | TimingAttackAgainstHash.py:26:5:26:13 | signature | provenance | | +| TimingAttackAgainstHash.py:30:12:30:47 | After Attribute() | TimingAttackAgainstHash.py:37:19:37:48 | After sign() | provenance | | nodes -| TimingAttackAgainstHash.py:26:5:26:13 | ControlFlowNode for signature | semmle.label | ControlFlowNode for signature | -| TimingAttackAgainstHash.py:26:17:26:41 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| TimingAttackAgainstHash.py:27:24:27:32 | ControlFlowNode for signature | semmle.label | ControlFlowNode for signature | -| TimingAttackAgainstHash.py:30:12:30:47 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| TimingAttackAgainstHash.py:37:19:37:48 | ControlFlowNode for sign() | semmle.label | ControlFlowNode for sign() | +| TimingAttackAgainstHash.py:26:5:26:13 | signature | semmle.label | signature | +| TimingAttackAgainstHash.py:26:17:26:41 | After Attribute() | semmle.label | After Attribute() | +| TimingAttackAgainstHash.py:27:24:27:32 | signature | semmle.label | signature | +| TimingAttackAgainstHash.py:30:12:30:47 | After Attribute() | semmle.label | After Attribute() | +| TimingAttackAgainstHash.py:37:19:37:48 | After sign() | semmle.label | After sign() | subpaths #select 
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstHeaderValue/TimingAttackAgainstHeaderValue.expected b/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstHeaderValue/TimingAttackAgainstHeaderValue.expected index 14c8b8bf1eb..9649a60033a 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstHeaderValue/TimingAttackAgainstHeaderValue.expected +++ b/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstHeaderValue/TimingAttackAgainstHeaderValue.expected @@ -1,6 +1,6 @@ edges nodes -| TimingAttackAgainstHeader.py:14:12:14:46 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | +| TimingAttackAgainstHeader.py:14:12:14:46 | After Attribute() | semmle.label | After Attribute() | subpaths #select -| TimingAttackAgainstHeader.py:14:12:14:46 | ControlFlowNode for Attribute() | TimingAttackAgainstHeader.py:14:12:14:46 | ControlFlowNode for Attribute() | TimingAttackAgainstHeader.py:14:12:14:46 | ControlFlowNode for Attribute() | Timing attack against $@ validation. | TimingAttackAgainstHeader.py:14:12:14:46 | ControlFlowNode for Attribute() | client-supplied token | +| TimingAttackAgainstHeader.py:14:12:14:46 | After Attribute() | TimingAttackAgainstHeader.py:14:12:14:46 | After Attribute() | TimingAttackAgainstHeader.py:14:12:14:46 | After Attribute() | Timing attack against $@ validation. | TimingAttackAgainstHeader.py:14:12:14:46 | After Attribute() | client-supplied token | diff --git a/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstSensitiveInfo/PossibleTimingAttackAgainstSensitiveInfo.expected b/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstSensitiveInfo/PossibleTimingAttackAgainstSensitiveInfo.expected index 80b07434896..9eb436d0e38 100644 
--- a/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstSensitiveInfo/PossibleTimingAttackAgainstSensitiveInfo.expected +++ b/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstSensitiveInfo/PossibleTimingAttackAgainstSensitiveInfo.expected 
@@ -1,9 +1,9 @@
 edges
-| TimingAttackAgainstSensitiveInfo.py:15:9:15:16 | ControlFlowNode for password | TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | ControlFlowNode for password | provenance | |
+| TimingAttackAgainstSensitiveInfo.py:15:9:15:16 | password | TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | password | provenance | |
 nodes
-| TimingAttackAgainstSensitiveInfo.py:15:9:15:16 | ControlFlowNode for password | semmle.label | ControlFlowNode for password |
-| TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | ControlFlowNode for password | semmle.label | ControlFlowNode for password |
+| TimingAttackAgainstSensitiveInfo.py:15:9:15:16 | password | semmle.label | password |
+| TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | password | semmle.label | password |
 subpaths
 #select
-| TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | ControlFlowNode for password | TimingAttackAgainstSensitiveInfo.py:15:9:15:16 | ControlFlowNode for password | TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | ControlFlowNode for password | Timing attack against $@ validation. | TimingAttackAgainstSensitiveInfo.py:15:9:15:16 | ControlFlowNode for password | client-supplied token |
-| TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | ControlFlowNode for password | TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | ControlFlowNode for password | TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | ControlFlowNode for password | Timing attack against $@ validation. | TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | ControlFlowNode for password | client-supplied token |
+| TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | password | TimingAttackAgainstSensitiveInfo.py:15:9:15:16 | password | TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | password | Timing attack against $@ validation. | TimingAttackAgainstSensitiveInfo.py:15:9:15:16 | password | client-supplied token |
+| TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | password | TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | password | TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | password | Timing attack against $@ validation. | TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | password | client-supplied token |
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-287-ConstantSecretKey/ConstantSecretKey.expected b/python/ql/test/experimental/query-tests/Security/CWE-287-ConstantSecretKey/ConstantSecretKey.expected
index 00c32be4267..7bdbc80c2d2 100644
--- a/python/ql/test/experimental/query-tests/Security/CWE-287-ConstantSecretKey/ConstantSecretKey.expected
+++ b/python/ql/test/experimental/query-tests/Security/CWE-287-ConstantSecretKey/ConstantSecretKey.expected
@@ -1,44 +1,44 @@
 edges
-| app_unsafe.py:4:1:4:9 | ControlFlowNode for aConstant | app_unsafe.py:5:28:5:36 | ControlFlowNode for aConstant | provenance | |
-| app_unsafe.py:4:1:4:9 | ControlFlowNode for aConstant | app_unsafe.py:6:18:6:26 | ControlFlowNode for aConstant | provenance | |
-| app_unsafe.py:4:1:4:9 | ControlFlowNode for aConstant | app_unsafe.py:7:30:7:38 | ControlFlowNode for aConstant | provenance | |
-| app_unsafe.py:4:1:4:9 | ControlFlowNode for aConstant | app_unsafe.py:8:36:8:44 | ControlFlowNode for aConstant | provenance | |
-| app_unsafe.py:4:13:4:23 | ControlFlowNode for StringLiteral | app_unsafe.py:4:1:4:9 | ControlFlowNode for aConstant | provenance | |
-| config.py:7:1:7:9 | ControlFlowNode for aConstant | config.py:12:18:12:26 | ControlFlowNode for aConstant | provenance | |
-| config.py:7:1:7:9 | ControlFlowNode for aConstant | config.py:12:18:12:26 | ControlFlowNode for aConstant | provenance | |
-| config.py:7:1:7:9 | ControlFlowNode for aConstant | config.py:17:38:17:46 | ControlFlowNode for aConstant | provenance | |
-| config.py:7:1:7:9 | ControlFlowNode for aConstant | config.py:18:43:18:51 | ControlFlowNode for aConstant | provenance | |
-| config.py:7:13:7:23 | ControlFlowNode for StringLiteral | config.py:7:1:7:9 | ControlFlowNode for aConstant | provenance | |
-| config.py:12:18:12:26 | ControlFlowNode for aConstant | config.py:17:38:17:46 | ControlFlowNode for aConstant | provenance | |
-| config.py:12:18:12:26 | ControlFlowNode for aConstant | config.py:18:43:18:51 | ControlFlowNode for aConstant | provenance | |
-| config.py:17:38:17:46 | ControlFlowNode for aConstant | config.py:17:18:17:47 | ControlFlowNode for Attribute() | provenance | os.getenv |
-| config.py:17:38:17:46 | ControlFlowNode for aConstant | config.py:18:43:18:51 | ControlFlowNode for aConstant | provenance | |
-| config.py:18:43:18:51 | ControlFlowNode for aConstant | config.py:18:18:18:52 | ControlFlowNode for Attribute() | provenance | dict.get |
+| app_unsafe.py:4:1:4:9 | aConstant | app_unsafe.py:5:28:5:36 | aConstant | provenance | |
+| app_unsafe.py:4:1:4:9 | aConstant | app_unsafe.py:6:18:6:26 | aConstant | provenance | |
+| app_unsafe.py:4:1:4:9 | aConstant | app_unsafe.py:7:30:7:38 | aConstant | provenance | |
+| app_unsafe.py:4:1:4:9 | aConstant | app_unsafe.py:8:36:8:44 | aConstant | provenance | |
+| app_unsafe.py:4:13:4:23 | StringLiteral | app_unsafe.py:4:1:4:9 | aConstant | provenance | |
+| config.py:7:1:7:9 | aConstant | config.py:12:18:12:26 | aConstant | provenance | |
+| config.py:7:1:7:9 | aConstant | config.py:12:18:12:26 | aConstant | provenance | |
+| config.py:7:1:7:9 | aConstant | config.py:17:38:17:46 | aConstant | provenance | |
+| config.py:7:1:7:9 | aConstant | config.py:18:43:18:51 | aConstant | provenance | |
+| config.py:7:13:7:23 | StringLiteral | config.py:7:1:7:9 | aConstant | provenance | |
+| config.py:12:18:12:26 | aConstant | config.py:17:38:17:46 | aConstant | provenance | |
+| config.py:12:18:12:26 | aConstant | config.py:18:43:18:51 | aConstant | provenance | |
+| config.py:17:38:17:46 | aConstant | config.py:17:18:17:47 | After Attribute() | provenance | os.getenv |
+| config.py:17:38:17:46 | aConstant | config.py:18:43:18:51 | aConstant | provenance | |
+| config.py:18:43:18:51 | aConstant | config.py:18:18:18:52 | After Attribute() | provenance | dict.get |
 nodes
-| app_safe.py:5:28:5:37 | ControlFlowNode for StringLiteral | semmle.label | ControlFlowNode for StringLiteral |
-| app_unsafe.py:4:1:4:9 | ControlFlowNode for aConstant | semmle.label | ControlFlowNode for aConstant |
-| app_unsafe.py:4:13:4:23 | ControlFlowNode for StringLiteral | semmle.label | ControlFlowNode for StringLiteral |
-| app_unsafe.py:5:28:5:36 | ControlFlowNode for aConstant | semmle.label | ControlFlowNode for aConstant |
-| app_unsafe.py:6:18:6:26 | ControlFlowNode for aConstant | semmle.label | ControlFlowNode for aConstant |
-| app_unsafe.py:7:30:7:38 | ControlFlowNode for aConstant | semmle.label | ControlFlowNode for aConstant |
-| app_unsafe.py:8:36:8:44 | ControlFlowNode for aConstant | semmle.label | ControlFlowNode for aConstant |
-| config2.py:5:14:5:24 | ControlFlowNode for StringLiteral | semmle.label | ControlFlowNode for StringLiteral |
-| config.py:7:1:7:9 | ControlFlowNode for aConstant | semmle.label | ControlFlowNode for aConstant |
-| config.py:7:13:7:23 | ControlFlowNode for StringLiteral | semmle.label | ControlFlowNode for StringLiteral |
-| config.py:12:18:12:26 | ControlFlowNode for aConstant | semmle.label | ControlFlowNode for aConstant |
-| config.py:12:18:12:26 | ControlFlowNode for aConstant | semmle.label | ControlFlowNode for aConstant |
-| config.py:17:18:17:47 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
-| config.py:17:38:17:46 | ControlFlowNode for aConstant | semmle.label | ControlFlowNode for aConstant |
-| config.py:18:18:18:52 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
-| config.py:18:43:18:51 | ControlFlowNode for aConstant | semmle.label | ControlFlowNode for aConstant |
+| app_safe.py:5:28:5:37 | StringLiteral | semmle.label | StringLiteral |
+| app_unsafe.py:4:1:4:9 | aConstant | semmle.label | aConstant |
+| app_unsafe.py:4:13:4:23 | StringLiteral | semmle.label | StringLiteral |
+| app_unsafe.py:5:28:5:36 | aConstant | semmle.label | aConstant |
+| app_unsafe.py:6:18:6:26 | aConstant | semmle.label | aConstant |
+| app_unsafe.py:7:30:7:38 | aConstant | semmle.label | aConstant |
+| app_unsafe.py:8:36:8:44 | aConstant | semmle.label | aConstant |
+| config2.py:5:14:5:24 | StringLiteral | semmle.label | StringLiteral |
+| config.py:7:1:7:9 | aConstant | semmle.label | aConstant |
+| config.py:7:13:7:23 | StringLiteral | semmle.label | StringLiteral |
+| config.py:12:18:12:26 | aConstant | semmle.label | aConstant |
+| config.py:12:18:12:26 | aConstant | semmle.label | aConstant |
+| config.py:17:18:17:47 | After Attribute() | semmle.label | After Attribute() |
+| config.py:17:38:17:46 | aConstant | semmle.label | aConstant |
+| config.py:18:18:18:52 | After Attribute() | semmle.label | After Attribute() |
+| config.py:18:43:18:51 | aConstant | semmle.label | aConstant |
 subpaths
 #select
-| app_safe.py:5:28:5:37 | ControlFlowNode for StringLiteral | app_safe.py:5:28:5:37 | ControlFlowNode for StringLiteral | app_safe.py:5:28:5:37 | ControlFlowNode for StringLiteral | The SECRET_KEY config variable is assigned by $@. | app_safe.py:5:28:5:37 | ControlFlowNode for StringLiteral | this constant String |
-| app_unsafe.py:5:28:5:36 | ControlFlowNode for aConstant | app_unsafe.py:4:13:4:23 | ControlFlowNode for StringLiteral | app_unsafe.py:5:28:5:36 | ControlFlowNode for aConstant | The SECRET_KEY config variable is assigned by $@. | app_unsafe.py:4:13:4:23 | ControlFlowNode for StringLiteral | this constant String |
-| app_unsafe.py:6:18:6:26 | ControlFlowNode for aConstant | app_unsafe.py:4:13:4:23 | ControlFlowNode for StringLiteral | app_unsafe.py:6:18:6:26 | ControlFlowNode for aConstant | The SECRET_KEY config variable is assigned by $@. | app_unsafe.py:4:13:4:23 | ControlFlowNode for StringLiteral | this constant String |
-| app_unsafe.py:7:30:7:38 | ControlFlowNode for aConstant | app_unsafe.py:4:13:4:23 | ControlFlowNode for StringLiteral | app_unsafe.py:7:30:7:38 | ControlFlowNode for aConstant | The SECRET_KEY config variable is assigned by $@. | app_unsafe.py:4:13:4:23 | ControlFlowNode for StringLiteral | this constant String |
-| app_unsafe.py:8:36:8:44 | ControlFlowNode for aConstant | app_unsafe.py:4:13:4:23 | ControlFlowNode for StringLiteral | app_unsafe.py:8:36:8:44 | ControlFlowNode for aConstant | The SECRET_KEY config variable is assigned by $@. | app_unsafe.py:4:13:4:23 | ControlFlowNode for StringLiteral | this constant String |
-| config2.py:5:14:5:24 | ControlFlowNode for StringLiteral | config2.py:5:14:5:24 | ControlFlowNode for StringLiteral | config2.py:5:14:5:24 | ControlFlowNode for StringLiteral | The SECRET_KEY config variable is assigned by $@. | config2.py:5:14:5:24 | ControlFlowNode for StringLiteral | this constant String |
-| config.py:12:18:12:26 | ControlFlowNode for aConstant | config.py:7:13:7:23 | ControlFlowNode for StringLiteral | config.py:12:18:12:26 | ControlFlowNode for aConstant | The SECRET_KEY config variable is assigned by $@. | config.py:7:13:7:23 | ControlFlowNode for StringLiteral | this constant String |
-| config.py:17:18:17:47 | ControlFlowNode for Attribute() | config.py:7:13:7:23 | ControlFlowNode for StringLiteral | config.py:17:18:17:47 | ControlFlowNode for Attribute() | The SECRET_KEY config variable is assigned by $@. | config.py:7:13:7:23 | ControlFlowNode for StringLiteral | this constant String |
-| config.py:18:18:18:52 | ControlFlowNode for Attribute() | config.py:7:13:7:23 | ControlFlowNode for StringLiteral | config.py:18:18:18:52 | ControlFlowNode for Attribute() | The SECRET_KEY config variable is assigned by $@. | config.py:7:13:7:23 | ControlFlowNode for StringLiteral | this constant String |
+| app_safe.py:5:28:5:37 | StringLiteral | app_safe.py:5:28:5:37 | StringLiteral | app_safe.py:5:28:5:37 | StringLiteral | The SECRET_KEY config variable is assigned by $@. | app_safe.py:5:28:5:37 | StringLiteral | this constant String |
+| app_unsafe.py:5:28:5:36 | aConstant | app_unsafe.py:4:13:4:23 | StringLiteral | app_unsafe.py:5:28:5:36 | aConstant | The SECRET_KEY config variable is assigned by $@. | app_unsafe.py:4:13:4:23 | StringLiteral | this constant String |
+| app_unsafe.py:6:18:6:26 | aConstant | app_unsafe.py:4:13:4:23 | StringLiteral | app_unsafe.py:6:18:6:26 | aConstant | The SECRET_KEY config variable is assigned by $@. | app_unsafe.py:4:13:4:23 | StringLiteral | this constant String |
+| app_unsafe.py:7:30:7:38 | aConstant | app_unsafe.py:4:13:4:23 | StringLiteral | app_unsafe.py:7:30:7:38 | aConstant | The SECRET_KEY config variable is assigned by $@. | app_unsafe.py:4:13:4:23 | StringLiteral | this constant String |
+| app_unsafe.py:8:36:8:44 | aConstant | app_unsafe.py:4:13:4:23 | StringLiteral | app_unsafe.py:8:36:8:44 | aConstant | The SECRET_KEY config variable is assigned by $@. | app_unsafe.py:4:13:4:23 | StringLiteral | this constant String |
+| config2.py:5:14:5:24 | StringLiteral | config2.py:5:14:5:24 | StringLiteral | config2.py:5:14:5:24 | StringLiteral | The SECRET_KEY config variable is assigned by $@. | config2.py:5:14:5:24 | StringLiteral | this constant String |
+| config.py:12:18:12:26 | aConstant | config.py:7:13:7:23 | StringLiteral | config.py:12:18:12:26 | aConstant | The SECRET_KEY config variable is assigned by $@. | config.py:7:13:7:23 | StringLiteral | this constant String |
+| config.py:17:18:17:47 | After Attribute() | config.py:7:13:7:23 | StringLiteral | config.py:17:18:17:47 | After Attribute() | The SECRET_KEY config variable is assigned by $@. | config.py:7:13:7:23 | StringLiteral | this constant String |
+| config.py:18:18:18:52 | After Attribute() | config.py:7:13:7:23 | StringLiteral | config.py:18:18:18:52 | After Attribute() | The SECRET_KEY config variable is assigned by $@. | config.py:7:13:7:23 | StringLiteral | this constant String |
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-287/ImproperLdapAuth.expected b/python/ql/test/experimental/query-tests/Security/CWE-287/ImproperLdapAuth.expected
index 224c1a33902..4198c71a897 100644
--- a/python/ql/test/experimental/query-tests/Security/CWE-287/ImproperLdapAuth.expected
+++ b/python/ql/test/experimental/query-tests/Security/CWE-287/ImproperLdapAuth.expected
@@ -1,10 +1,10 @@
-| auth_bad_2.py:19:5:19:42 | ControlFlowNode for Attribute() | The following LDAP bind operation is executed without authentication. |
-| auth_bad_2.py:33:5:33:44 | ControlFlowNode for Attribute() | The following LDAP bind operation is executed without authentication. |
-| auth_bad_2.py:47:5:47:43 | ControlFlowNode for Attribute() | The following LDAP bind operation is executed without authentication. |
-| auth_bad_2.py:60:5:60:52 | ControlFlowNode for Attribute() | The following LDAP bind operation is executed without authentication. |
-| auth_bad_2.py:73:5:73:39 | ControlFlowNode for Attribute() | The following LDAP bind operation is executed without authentication. |
-| auth_bad_2.py:87:5:87:48 | ControlFlowNode for Attribute() | The following LDAP bind operation is executed without authentication. |
-| auth_bad_3.py:19:12:19:43 | ControlFlowNode for Connection() | The following LDAP bind operation is executed without authentication. |
-| auth_bad_3.py:33:12:33:57 | ControlFlowNode for Connection() | The following LDAP bind operation is executed without authentication. |
-| auth_bad_3.py:46:12:46:55 | ControlFlowNode for Connection() | The following LDAP bind operation is executed without authentication. |
-| auth_bad_3.py:60:12:60:42 | ControlFlowNode for Connection() | The following LDAP bind operation is executed without authentication. |
+| auth_bad_2.py:19:5:19:42 | After Attribute() | The following LDAP bind operation is executed without authentication. |
+| auth_bad_2.py:33:5:33:44 | After Attribute() | The following LDAP bind operation is executed without authentication. |
+| auth_bad_2.py:47:5:47:43 | After Attribute() | The following LDAP bind operation is executed without authentication. |
+| auth_bad_2.py:60:5:60:52 | After Attribute() | The following LDAP bind operation is executed without authentication. |
+| auth_bad_2.py:73:5:73:39 | After Attribute() | The following LDAP bind operation is executed without authentication. |
+| auth_bad_2.py:87:5:87:48 | After Attribute() | The following LDAP bind operation is executed without authentication. |
+| auth_bad_3.py:19:12:19:43 | After Connection() | The following LDAP bind operation is executed without authentication. |
+| auth_bad_3.py:33:12:33:57 | After Connection() | The following LDAP bind operation is executed without authentication. |
+| auth_bad_3.py:46:12:46:55 | After Connection() | The following LDAP bind operation is executed without authentication. |
+| auth_bad_3.py:60:12:60:42 | After Connection() | The following LDAP bind operation is executed without authentication. |
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-338/InsecureRandomness.expected b/python/ql/test/experimental/query-tests/Security/CWE-338/InsecureRandomness.expected
index 29ecd398a0a..d8c15f53d11 100644
--- a/python/ql/test/experimental/query-tests/Security/CWE-338/InsecureRandomness.expected
+++ b/python/ql/test/experimental/query-tests/Security/CWE-338/InsecureRandomness.expected
@@ -1,6 +1,6 @@
 edges
 nodes
-| InsecureRandomness.py:5:12:5:26 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| InsecureRandomness.py:5:12:5:26 | After Attribute() | semmle.label | After Attribute() |
 subpaths
 #select
-| InsecureRandomness.py:5:12:5:26 | ControlFlowNode for Attribute() | InsecureRandomness.py:5:12:5:26 | ControlFlowNode for Attribute() | InsecureRandomness.py:5:12:5:26 | ControlFlowNode for Attribute() | Cryptographically insecure $@ in a security context. | InsecureRandomness.py:5:12:5:26 | ControlFlowNode for Attribute() | random value |
+| InsecureRandomness.py:5:12:5:26 | After Attribute() | InsecureRandomness.py:5:12:5:26 | After Attribute() | InsecureRandomness.py:5:12:5:26 | After Attribute() | Cryptographically insecure $@ in a security context. | InsecureRandomness.py:5:12:5:26 | After Attribute() | random value |
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-346/CorsBypass.expected b/python/ql/test/experimental/query-tests/Security/CWE-346/CorsBypass.expected
index 32d807c6f6e..3b8cdb6c1a6 100644
--- a/python/ql/test/experimental/query-tests/Security/CWE-346/CorsBypass.expected
+++ b/python/ql/test/experimental/query-tests/Security/CWE-346/CorsBypass.expected
@@ -1,13 +1,13 @@
 edges
-| Cors.py:7:9:7:14 | ControlFlowNode for origin | Cors.py:8:12:8:17 | ControlFlowNode for origin | provenance | |
-| Cors.py:7:18:7:32 | ControlFlowNode for Attribute | Cors.py:7:18:7:52 | ControlFlowNode for Attribute() | provenance | Config |
-| Cors.py:7:18:7:32 | ControlFlowNode for Attribute | Cors.py:7:18:7:52 | ControlFlowNode for Attribute() | provenance | dict.get |
-| Cors.py:7:18:7:52 | ControlFlowNode for Attribute() | Cors.py:7:9:7:14 | ControlFlowNode for origin | provenance | |
+| Cors.py:7:9:7:14 | origin | Cors.py:8:12:8:17 | origin | provenance | |
+| Cors.py:7:18:7:32 | After Attribute | Cors.py:7:18:7:52 | After Attribute() | provenance | Config |
+| Cors.py:7:18:7:32 | After Attribute | Cors.py:7:18:7:52 | After Attribute() | provenance | dict.get |
+| Cors.py:7:18:7:52 | After Attribute() | Cors.py:7:9:7:14 | origin | provenance | |
 nodes
-| Cors.py:7:9:7:14 | ControlFlowNode for origin | semmle.label | ControlFlowNode for origin |
-| Cors.py:7:18:7:32 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
-| Cors.py:7:18:7:52 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
-| Cors.py:8:12:8:17 | ControlFlowNode for origin | semmle.label | ControlFlowNode for origin |
+| Cors.py:7:9:7:14 | origin | semmle.label | origin |
+| Cors.py:7:18:7:32 | After Attribute | semmle.label | After Attribute |
+| Cors.py:7:18:7:52 | After Attribute() | semmle.label | After Attribute() |
+| Cors.py:8:12:8:17 | origin | semmle.label | origin |
 subpaths
 #select
-| Cors.py:8:12:8:17 | ControlFlowNode for origin | Cors.py:7:18:7:32 | ControlFlowNode for Attribute | Cors.py:8:12:8:17 | ControlFlowNode for origin | Potentially incorrect string comparison which could lead to a CORS bypass. |
+| Cors.py:8:12:8:17 | origin | Cors.py:7:18:7:32 | After Attribute | Cors.py:8:12:8:17 | origin | Potentially incorrect string comparison which could lead to a CORS bypass. |
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-347/JWTEmptyKeyOrAlgorithm.expected b/python/ql/test/experimental/query-tests/Security/CWE-347/JWTEmptyKeyOrAlgorithm.expected
index a429fa386da..74a42fe4ba6 100644
--- a/python/ql/test/experimental/query-tests/Security/CWE-347/JWTEmptyKeyOrAlgorithm.expected
+++ b/python/ql/test/experimental/query-tests/Security/CWE-347/JWTEmptyKeyOrAlgorithm.expected
@@ -1,8 +1,8 @@
-| authlib.py:11:1:11:39 | ControlFlowNode for Attribute() | This JWT encoding has an empty key. |
-| authlib.py:12:1:12:50 | ControlFlowNode for Attribute() | This JWT encoding has an empty key. |
-| pyjwt.py:10:1:10:29 | ControlFlowNode for Attribute() | This JWT encoding has an empty algorithm. |
-| pyjwt.py:10:1:10:29 | ControlFlowNode for Attribute() | This JWT encoding has an empty key. |
-| pyjwt.py:13:1:13:40 | ControlFlowNode for Attribute() | This JWT encoding has an empty key. |
-| pyjwt.py:14:1:14:44 | ControlFlowNode for Attribute() | This JWT encoding has an empty key. |
-| python_jose.py:10:1:10:40 | ControlFlowNode for Attribute() | This JWT encoding has an empty key. |
-| python_jose.py:11:1:11:44 | ControlFlowNode for Attribute() | This JWT encoding has an empty key. |
+| authlib.py:11:1:11:39 | After Attribute() | This JWT encoding has an empty key. |
+| authlib.py:12:1:12:50 | After Attribute() | This JWT encoding has an empty key. |
+| pyjwt.py:10:1:10:29 | After Attribute() | This JWT encoding has an empty algorithm. |
+| pyjwt.py:10:1:10:29 | After Attribute() | This JWT encoding has an empty key. |
+| pyjwt.py:13:1:13:40 | After Attribute() | This JWT encoding has an empty key. |
+| pyjwt.py:14:1:14:44 | After Attribute() | This JWT encoding has an empty key. |
+| python_jose.py:10:1:10:40 | After Attribute() | This JWT encoding has an empty key. |
+| python_jose.py:11:1:11:44 | After Attribute() | This JWT encoding has an empty key. |
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-347/JWTMissingSecretOrPublicKeyVerification.expected b/python/ql/test/experimental/query-tests/Security/CWE-347/JWTMissingSecretOrPublicKeyVerification.expected
index 4ce437fdb9b..fc5167a002c 100644
--- a/python/ql/test/experimental/query-tests/Security/CWE-347/JWTMissingSecretOrPublicKeyVerification.expected
+++ b/python/ql/test/experimental/query-tests/Security/CWE-347/JWTMissingSecretOrPublicKeyVerification.expected
@@ -1,4 +1,4 @@
-| pyjwt.py:22:12:22:16 | ControlFlowNode for token | is not verified with a cryptographic secret or public key. |
-| pyjwt.py:23:12:23:16 | ControlFlowNode for token | is not verified with a cryptographic secret or public key. |
-| python_jose.py:19:12:19:16 | ControlFlowNode for token | is not verified with a cryptographic secret or public key. |
-| python_jwt.py:14:28:14:32 | ControlFlowNode for token | is not verified with a cryptographic secret or public key. |
+| pyjwt.py:22:12:22:16 | token | is not verified with a cryptographic secret or public key. |
+| pyjwt.py:23:12:23:16 | token | is not verified with a cryptographic secret or public key. |
+| python_jose.py:19:12:19:16 | token | is not verified with a cryptographic secret or public key. |
+| python_jwt.py:14:28:14:32 | token | is not verified with a cryptographic secret or public key. |
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-348/ClientSuppliedIpUsedInSecurityCheck.expected b/python/ql/test/experimental/query-tests/Security/CWE-348/ClientSuppliedIpUsedInSecurityCheck.expected
index 1d529f3b3ea..67e3afd4042 100644
--- a/python/ql/test/experimental/query-tests/Security/CWE-348/ClientSuppliedIpUsedInSecurityCheck.expected
+++ b/python/ql/test/experimental/query-tests/Security/CWE-348/ClientSuppliedIpUsedInSecurityCheck.expected
@@ -1,22 +1,22 @@
 edges
-| flask_bad.py:13:5:13:13 | ControlFlowNode for client_ip | flask_bad.py:14:12:14:20 | ControlFlowNode for client_ip | provenance | |
-| flask_bad.py:13:17:13:54 | ControlFlowNode for Attribute() | flask_bad.py:13:5:13:13 | ControlFlowNode for client_ip | provenance | |
-| flask_bad.py:20:5:20:13 | ControlFlowNode for client_ip | flask_bad.py:21:12:21:20 | ControlFlowNode for client_ip | provenance | |
-| flask_bad.py:20:17:20:54 | ControlFlowNode for Attribute() | flask_bad.py:20:5:20:13 | ControlFlowNode for client_ip | provenance | |
-| tornado_bad.py:22:13:22:21 | ControlFlowNode for client_ip | tornado_bad.py:23:16:23:24 | ControlFlowNode for client_ip | provenance | |
-| tornado_bad.py:22:25:22:69 | ControlFlowNode for Attribute() | tornado_bad.py:22:13:22:21 | ControlFlowNode for client_ip | provenance | |
+| flask_bad.py:13:5:13:13 | client_ip | flask_bad.py:14:12:14:20 | client_ip | provenance | |
+| flask_bad.py:13:17:13:54 | After Attribute() | flask_bad.py:13:5:13:13 | client_ip | provenance | |
+| flask_bad.py:20:5:20:13 | client_ip | flask_bad.py:21:12:21:20 | client_ip | provenance | |
+| flask_bad.py:20:17:20:54 | After Attribute() | flask_bad.py:20:5:20:13 | client_ip | provenance | |
+| tornado_bad.py:22:13:22:21 | client_ip | tornado_bad.py:23:16:23:24 | client_ip | provenance | |
+| tornado_bad.py:22:25:22:69 | After Attribute() | tornado_bad.py:22:13:22:21 | client_ip | provenance | |
 nodes
-| flask_bad.py:13:5:13:13 | ControlFlowNode for client_ip | semmle.label | ControlFlowNode for client_ip |
-| flask_bad.py:13:17:13:54 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
-| flask_bad.py:14:12:14:20 | ControlFlowNode for client_ip | semmle.label | ControlFlowNode for client_ip |
-| flask_bad.py:20:5:20:13 | ControlFlowNode for client_ip | semmle.label | ControlFlowNode for client_ip |
-| flask_bad.py:20:17:20:54 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
-| flask_bad.py:21:12:21:20 | ControlFlowNode for client_ip | semmle.label | ControlFlowNode for client_ip |
-| tornado_bad.py:22:13:22:21 | ControlFlowNode for client_ip | semmle.label | ControlFlowNode for client_ip |
-| tornado_bad.py:22:25:22:69 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
-| tornado_bad.py:23:16:23:24 | ControlFlowNode for client_ip | semmle.label | ControlFlowNode for client_ip |
+| flask_bad.py:13:5:13:13 | client_ip | semmle.label | client_ip |
+| flask_bad.py:13:17:13:54 | After Attribute() | semmle.label | After Attribute() |
+| flask_bad.py:14:12:14:20 | client_ip | semmle.label | client_ip |
+| flask_bad.py:20:5:20:13 | client_ip | semmle.label | client_ip |
+| flask_bad.py:20:17:20:54 | After Attribute() | semmle.label | After Attribute() |
+| flask_bad.py:21:12:21:20 | client_ip | semmle.label | client_ip |
+| tornado_bad.py:22:13:22:21 | client_ip | semmle.label | client_ip |
+| tornado_bad.py:22:25:22:69 | After Attribute() | semmle.label | After Attribute() |
+| tornado_bad.py:23:16:23:24 | client_ip | semmle.label | client_ip |
 subpaths
 #select
-| flask_bad.py:14:12:14:20 | ControlFlowNode for client_ip | flask_bad.py:13:17:13:54 | ControlFlowNode for Attribute() | flask_bad.py:14:12:14:20 | ControlFlowNode for client_ip | IP address spoofing might include code from $@. | flask_bad.py:13:17:13:54 | ControlFlowNode for Attribute() | this user input |
-| flask_bad.py:21:12:21:20 | ControlFlowNode for client_ip | flask_bad.py:20:17:20:54 | ControlFlowNode for Attribute() | flask_bad.py:21:12:21:20 | ControlFlowNode for client_ip | IP address spoofing might include code from $@. | flask_bad.py:20:17:20:54 | ControlFlowNode for Attribute() | this user input |
-| tornado_bad.py:23:16:23:24 | ControlFlowNode for client_ip | tornado_bad.py:22:25:22:69 | ControlFlowNode for Attribute() | tornado_bad.py:23:16:23:24 | ControlFlowNode for client_ip | IP address spoofing might include code from $@. | tornado_bad.py:22:25:22:69 | ControlFlowNode for Attribute() | this user input |
+| flask_bad.py:14:12:14:20 | client_ip | flask_bad.py:13:17:13:54 | After Attribute() | flask_bad.py:14:12:14:20 | client_ip | IP address spoofing might include code from $@. | flask_bad.py:13:17:13:54 | After Attribute() | this user input |
+| flask_bad.py:21:12:21:20 | client_ip | flask_bad.py:20:17:20:54 | After Attribute() | flask_bad.py:21:12:21:20 | client_ip | IP address spoofing might include code from $@. | flask_bad.py:20:17:20:54 | After Attribute() | this user input |
+| tornado_bad.py:23:16:23:24 | client_ip | tornado_bad.py:22:25:22:69 | After Attribute() | tornado_bad.py:23:16:23:24 | client_ip | IP address spoofing might include code from $@. | tornado_bad.py:22:25:22:69 | After Attribute() | this user input |
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-409/DecompressionBombs.expected b/python/ql/test/experimental/query-tests/Security/CWE-409/DecompressionBombs.expected
index c9f584c987e..19253b561cb 100644
--- a/python/ql/test/experimental/query-tests/Security/CWE-409/DecompressionBombs.expected
+++ b/python/ql/test/experimental/query-tests/Security/CWE-409/DecompressionBombs.expected
@@ -1,126 +1,126 @@ #select -| test.py:11:5:11:52 | ControlFlowNode for Attribute() | test.py:10:16:10:24 | ControlFlowNode for file_path | test.py:11:5:11:52 | ControlFlowNode for Attribute() | This uncontrolled file extraction is $@. | test.py:10:16:10:24 | ControlFlowNode for file_path | depends on this user controlled data | -| test.py:12:5:12:48 | ControlFlowNode for Attribute() | test.py:10:16:10:24 | ControlFlowNode for file_path | test.py:12:5:12:48 | ControlFlowNode for Attribute() | This uncontrolled file extraction is $@. | test.py:10:16:10:24 | ControlFlowNode for file_path | depends on this user controlled data | -| test.py:15:14:15:29 | ControlFlowNode for Attribute() | test.py:10:16:10:24 | ControlFlowNode for file_path | test.py:15:14:15:29 | ControlFlowNode for Attribute() | This uncontrolled file extraction is $@. | test.py:10:16:10:24 | ControlFlowNode for file_path | depends on this user controlled data | -| test.py:19:14:19:39 | ControlFlowNode for Attribute() | test.py:10:16:10:24 | ControlFlowNode for file_path | test.py:19:14:19:39 | ControlFlowNode for Attribute() | This uncontrolled file extraction is $@. | test.py:10:16:10:24 | ControlFlowNode for file_path | depends on this user controlled data | -| test.py:22:5:22:60 | ControlFlowNode for Attribute() | test.py:10:16:10:24 | ControlFlowNode for file_path | test.py:22:5:22:60 | ControlFlowNode for Attribute() | This uncontrolled file extraction is $@. | test.py:10:16:10:24 | ControlFlowNode for file_path | depends on this user controlled data | -| test.py:24:5:24:52 | ControlFlowNode for Attribute() | test.py:10:16:10:24 | ControlFlowNode for file_path | test.py:24:5:24:52 | ControlFlowNode for Attribute() | This uncontrolled file extraction is $@. 
| test.py:10:16:10:24 | ControlFlowNode for file_path | depends on this user controlled data | -| test.py:25:5:25:55 | ControlFlowNode for Attribute() | test.py:10:16:10:24 | ControlFlowNode for file_path | test.py:25:5:25:55 | ControlFlowNode for Attribute() | This uncontrolled file extraction is $@. | test.py:10:16:10:24 | ControlFlowNode for file_path | depends on this user controlled data | -| test.py:26:5:26:57 | ControlFlowNode for Attribute() | test.py:10:16:10:24 | ControlFlowNode for file_path | test.py:26:5:26:57 | ControlFlowNode for Attribute() | This uncontrolled file extraction is $@. | test.py:10:16:10:24 | ControlFlowNode for file_path | depends on this user controlled data | -| test.py:27:5:27:50 | ControlFlowNode for Attribute() | test.py:10:16:10:24 | ControlFlowNode for file_path | test.py:27:5:27:50 | ControlFlowNode for Attribute() | This uncontrolled file extraction is $@. | test.py:10:16:10:24 | ControlFlowNode for file_path | depends on this user controlled data | -| test.py:28:5:28:60 | ControlFlowNode for Attribute() | test.py:10:16:10:24 | ControlFlowNode for file_path | test.py:28:5:28:60 | ControlFlowNode for Attribute() | This uncontrolled file extraction is $@. | test.py:10:16:10:24 | ControlFlowNode for file_path | depends on this user controlled data | -| test.py:35:27:35:35 | ControlFlowNode for file_path | test.py:10:16:10:24 | ControlFlowNode for file_path | test.py:35:27:35:35 | ControlFlowNode for file_path | This uncontrolled file extraction is $@. | test.py:10:16:10:24 | ControlFlowNode for file_path | depends on this user controlled data | -| test.py:39:15:39:23 | ControlFlowNode for file_path | test.py:10:16:10:24 | ControlFlowNode for file_path | test.py:39:15:39:23 | ControlFlowNode for file_path | This uncontrolled file extraction is $@. 
| test.py:10:16:10:24 | ControlFlowNode for file_path | depends on this user controlled data | -| test.py:40:19:40:27 | ControlFlowNode for file_path | test.py:10:16:10:24 | ControlFlowNode for file_path | test.py:40:19:40:27 | ControlFlowNode for file_path | This uncontrolled file extraction is $@. | test.py:10:16:10:24 | ControlFlowNode for file_path | depends on this user controlled data | -| test.py:44:14:44:22 | ControlFlowNode for file_path | test.py:10:16:10:24 | ControlFlowNode for file_path | test.py:44:14:44:22 | ControlFlowNode for file_path | This uncontrolled file extraction is $@. | test.py:10:16:10:24 | ControlFlowNode for file_path | depends on this user controlled data | -| test.py:45:17:45:25 | ControlFlowNode for file_path | test.py:10:16:10:24 | ControlFlowNode for file_path | test.py:45:17:45:25 | ControlFlowNode for file_path | This uncontrolled file extraction is $@. | test.py:10:16:10:24 | ControlFlowNode for file_path | depends on this user controlled data | -| test.py:49:15:49:23 | ControlFlowNode for file_path | test.py:10:16:10:24 | ControlFlowNode for file_path | test.py:49:15:49:23 | ControlFlowNode for file_path | This uncontrolled file extraction is $@. | test.py:10:16:10:24 | ControlFlowNode for file_path | depends on this user controlled data | -| test.py:50:19:50:27 | ControlFlowNode for file_path | test.py:10:16:10:24 | ControlFlowNode for file_path | test.py:50:19:50:27 | ControlFlowNode for file_path | This uncontrolled file extraction is $@. | test.py:10:16:10:24 | ControlFlowNode for file_path | depends on this user controlled data | -| test.py:54:15:54:23 | ControlFlowNode for file_path | test.py:10:16:10:24 | ControlFlowNode for file_path | test.py:54:15:54:23 | ControlFlowNode for file_path | This uncontrolled file extraction is $@. 
| test.py:10:16:10:24 | ControlFlowNode for file_path | depends on this user controlled data | -| test.py:55:19:55:27 | ControlFlowNode for file_path | test.py:10:16:10:24 | ControlFlowNode for file_path | test.py:55:19:55:27 | ControlFlowNode for file_path | This uncontrolled file extraction is $@. | test.py:10:16:10:24 | ControlFlowNode for file_path | depends on this user controlled data | -| test.py:59:40:59:48 | ControlFlowNode for file_path | test.py:10:16:10:24 | ControlFlowNode for file_path | test.py:59:40:59:48 | ControlFlowNode for file_path | This uncontrolled file extraction is $@. | test.py:10:16:10:24 | ControlFlowNode for file_path | depends on this user controlled data | -| test.py:61:23:61:31 | ControlFlowNode for file_path | test.py:10:16:10:24 | ControlFlowNode for file_path | test.py:61:23:61:31 | ControlFlowNode for file_path | This uncontrolled file extraction is $@. | test.py:10:16:10:24 | ControlFlowNode for file_path | depends on this user controlled data | -| test.py:62:21:62:29 | ControlFlowNode for file_path | test.py:10:16:10:24 | ControlFlowNode for file_path | test.py:62:21:62:29 | ControlFlowNode for file_path | This uncontrolled file extraction is $@. | test.py:10:16:10:24 | ControlFlowNode for file_path | depends on this user controlled data | -| test.py:64:40:64:48 | ControlFlowNode for file_path | test.py:10:16:10:24 | ControlFlowNode for file_path | test.py:64:40:64:48 | ControlFlowNode for file_path | This uncontrolled file extraction is $@. | test.py:10:16:10:24 | ControlFlowNode for file_path | depends on this user controlled data | -| test.py:65:22:65:30 | ControlFlowNode for file_path | test.py:10:16:10:24 | ControlFlowNode for file_path | test.py:65:22:65:30 | ControlFlowNode for file_path | This uncontrolled file extraction is $@. 
| test.py:10:16:10:24 | ControlFlowNode for file_path | depends on this user controlled data | -| test.py:66:21:66:29 | ControlFlowNode for file_path | test.py:10:16:10:24 | ControlFlowNode for file_path | test.py:66:21:66:29 | ControlFlowNode for file_path | This uncontrolled file extraction is $@. | test.py:10:16:10:24 | ControlFlowNode for file_path | depends on this user controlled data | -| test.py:67:42:67:50 | ControlFlowNode for file_path | test.py:10:16:10:24 | ControlFlowNode for file_path | test.py:67:42:67:50 | ControlFlowNode for file_path | This uncontrolled file extraction is $@. | test.py:10:16:10:24 | ControlFlowNode for file_path | depends on this user controlled data | -| test.py:68:23:68:31 | ControlFlowNode for file_path | test.py:10:16:10:24 | ControlFlowNode for file_path | test.py:68:23:68:31 | ControlFlowNode for file_path | This uncontrolled file extraction is $@. | test.py:10:16:10:24 | ControlFlowNode for file_path | depends on this user controlled data | -| test.py:69:36:69:44 | ControlFlowNode for file_path | test.py:10:16:10:24 | ControlFlowNode for file_path | test.py:69:36:69:44 | ControlFlowNode for file_path | This uncontrolled file extraction is $@. | test.py:10:16:10:24 | ControlFlowNode for file_path | depends on this user controlled data | +| test.py:11:5:11:52 | After Attribute() | test.py:10:16:10:24 | file_path | test.py:11:5:11:52 | After Attribute() | This uncontrolled file extraction is $@. | test.py:10:16:10:24 | file_path | depends on this user controlled data | +| test.py:12:5:12:48 | After Attribute() | test.py:10:16:10:24 | file_path | test.py:12:5:12:48 | After Attribute() | This uncontrolled file extraction is $@. | test.py:10:16:10:24 | file_path | depends on this user controlled data | +| test.py:15:14:15:29 | After Attribute() | test.py:10:16:10:24 | file_path | test.py:15:14:15:29 | After Attribute() | This uncontrolled file extraction is $@. 
| test.py:10:16:10:24 | file_path | depends on this user controlled data | +| test.py:19:14:19:39 | After Attribute() | test.py:10:16:10:24 | file_path | test.py:19:14:19:39 | After Attribute() | This uncontrolled file extraction is $@. | test.py:10:16:10:24 | file_path | depends on this user controlled data | +| test.py:22:5:22:60 | After Attribute() | test.py:10:16:10:24 | file_path | test.py:22:5:22:60 | After Attribute() | This uncontrolled file extraction is $@. | test.py:10:16:10:24 | file_path | depends on this user controlled data | +| test.py:24:5:24:52 | After Attribute() | test.py:10:16:10:24 | file_path | test.py:24:5:24:52 | After Attribute() | This uncontrolled file extraction is $@. | test.py:10:16:10:24 | file_path | depends on this user controlled data | +| test.py:25:5:25:55 | After Attribute() | test.py:10:16:10:24 | file_path | test.py:25:5:25:55 | After Attribute() | This uncontrolled file extraction is $@. | test.py:10:16:10:24 | file_path | depends on this user controlled data | +| test.py:26:5:26:57 | After Attribute() | test.py:10:16:10:24 | file_path | test.py:26:5:26:57 | After Attribute() | This uncontrolled file extraction is $@. | test.py:10:16:10:24 | file_path | depends on this user controlled data | +| test.py:27:5:27:50 | After Attribute() | test.py:10:16:10:24 | file_path | test.py:27:5:27:50 | After Attribute() | This uncontrolled file extraction is $@. | test.py:10:16:10:24 | file_path | depends on this user controlled data | +| test.py:28:5:28:60 | After Attribute() | test.py:10:16:10:24 | file_path | test.py:28:5:28:60 | After Attribute() | This uncontrolled file extraction is $@. | test.py:10:16:10:24 | file_path | depends on this user controlled data | +| test.py:35:27:35:35 | file_path | test.py:10:16:10:24 | file_path | test.py:35:27:35:35 | file_path | This uncontrolled file extraction is $@. 
| test.py:10:16:10:24 | file_path | depends on this user controlled data | +| test.py:39:15:39:23 | file_path | test.py:10:16:10:24 | file_path | test.py:39:15:39:23 | file_path | This uncontrolled file extraction is $@. | test.py:10:16:10:24 | file_path | depends on this user controlled data | +| test.py:40:19:40:27 | file_path | test.py:10:16:10:24 | file_path | test.py:40:19:40:27 | file_path | This uncontrolled file extraction is $@. | test.py:10:16:10:24 | file_path | depends on this user controlled data | +| test.py:44:14:44:22 | file_path | test.py:10:16:10:24 | file_path | test.py:44:14:44:22 | file_path | This uncontrolled file extraction is $@. | test.py:10:16:10:24 | file_path | depends on this user controlled data | +| test.py:45:17:45:25 | file_path | test.py:10:16:10:24 | file_path | test.py:45:17:45:25 | file_path | This uncontrolled file extraction is $@. | test.py:10:16:10:24 | file_path | depends on this user controlled data | +| test.py:49:15:49:23 | file_path | test.py:10:16:10:24 | file_path | test.py:49:15:49:23 | file_path | This uncontrolled file extraction is $@. | test.py:10:16:10:24 | file_path | depends on this user controlled data | +| test.py:50:19:50:27 | file_path | test.py:10:16:10:24 | file_path | test.py:50:19:50:27 | file_path | This uncontrolled file extraction is $@. | test.py:10:16:10:24 | file_path | depends on this user controlled data | +| test.py:54:15:54:23 | file_path | test.py:10:16:10:24 | file_path | test.py:54:15:54:23 | file_path | This uncontrolled file extraction is $@. | test.py:10:16:10:24 | file_path | depends on this user controlled data | +| test.py:55:19:55:27 | file_path | test.py:10:16:10:24 | file_path | test.py:55:19:55:27 | file_path | This uncontrolled file extraction is $@. | test.py:10:16:10:24 | file_path | depends on this user controlled data | +| test.py:59:40:59:48 | file_path | test.py:10:16:10:24 | file_path | test.py:59:40:59:48 | file_path | This uncontrolled file extraction is $@. 
| test.py:10:16:10:24 | file_path | depends on this user controlled data | +| test.py:61:23:61:31 | file_path | test.py:10:16:10:24 | file_path | test.py:61:23:61:31 | file_path | This uncontrolled file extraction is $@. | test.py:10:16:10:24 | file_path | depends on this user controlled data | +| test.py:62:21:62:29 | file_path | test.py:10:16:10:24 | file_path | test.py:62:21:62:29 | file_path | This uncontrolled file extraction is $@. | test.py:10:16:10:24 | file_path | depends on this user controlled data | +| test.py:64:40:64:48 | file_path | test.py:10:16:10:24 | file_path | test.py:64:40:64:48 | file_path | This uncontrolled file extraction is $@. | test.py:10:16:10:24 | file_path | depends on this user controlled data | +| test.py:65:22:65:30 | file_path | test.py:10:16:10:24 | file_path | test.py:65:22:65:30 | file_path | This uncontrolled file extraction is $@. | test.py:10:16:10:24 | file_path | depends on this user controlled data | +| test.py:66:21:66:29 | file_path | test.py:10:16:10:24 | file_path | test.py:66:21:66:29 | file_path | This uncontrolled file extraction is $@. | test.py:10:16:10:24 | file_path | depends on this user controlled data | +| test.py:67:42:67:50 | file_path | test.py:10:16:10:24 | file_path | test.py:67:42:67:50 | file_path | This uncontrolled file extraction is $@. | test.py:10:16:10:24 | file_path | depends on this user controlled data | +| test.py:68:23:68:31 | file_path | test.py:10:16:10:24 | file_path | test.py:68:23:68:31 | file_path | This uncontrolled file extraction is $@. | test.py:10:16:10:24 | file_path | depends on this user controlled data | +| test.py:69:36:69:44 | file_path | test.py:10:16:10:24 | file_path | test.py:69:36:69:44 | file_path | This uncontrolled file extraction is $@. 
| test.py:10:16:10:24 | file_path | depends on this user controlled data | edges -| test.py:10:16:10:24 | ControlFlowNode for file_path | test.py:11:21:11:29 | ControlFlowNode for file_path | provenance | | -| test.py:11:5:11:35 | ControlFlowNode for Attribute() | test.py:11:5:11:52 | ControlFlowNode for Attribute() | provenance | Config | -| test.py:11:21:11:29 | ControlFlowNode for file_path | test.py:11:5:11:35 | ControlFlowNode for Attribute() | provenance | MaD:1 | -| test.py:11:21:11:29 | ControlFlowNode for file_path | test.py:11:5:11:52 | ControlFlowNode for Attribute() | provenance | Config | -| test.py:11:21:11:29 | ControlFlowNode for file_path | test.py:12:21:12:29 | ControlFlowNode for file_path | provenance | | -| test.py:12:5:12:35 | ControlFlowNode for Attribute() | test.py:12:5:12:48 | ControlFlowNode for Attribute() | provenance | Config | -| test.py:12:21:12:29 | ControlFlowNode for file_path | test.py:12:5:12:35 | ControlFlowNode for Attribute() | provenance | MaD:1 | -| test.py:12:21:12:29 | ControlFlowNode for file_path | test.py:12:5:12:48 | ControlFlowNode for Attribute() | provenance | Config | -| test.py:12:21:12:29 | ControlFlowNode for file_path | test.py:14:26:14:34 | ControlFlowNode for file_path | provenance | | -| test.py:14:10:14:35 | ControlFlowNode for Attribute() | test.py:15:14:15:29 | ControlFlowNode for Attribute() | provenance | Config | -| test.py:14:26:14:34 | ControlFlowNode for file_path | test.py:14:10:14:35 | ControlFlowNode for Attribute() | provenance | MaD:1 | -| test.py:14:26:14:34 | ControlFlowNode for file_path | test.py:15:14:15:29 | ControlFlowNode for Attribute() | provenance | Config | -| test.py:14:26:14:34 | ControlFlowNode for file_path | test.py:18:26:18:34 | ControlFlowNode for file_path | provenance | | -| test.py:18:10:18:35 | ControlFlowNode for Attribute() | test.py:19:14:19:39 | ControlFlowNode for Attribute() | provenance | Config | -| test.py:18:26:18:34 | ControlFlowNode for file_path | 
test.py:18:10:18:35 | ControlFlowNode for Attribute() | provenance | MaD:1 | -| test.py:18:26:18:34 | ControlFlowNode for file_path | test.py:19:14:19:39 | ControlFlowNode for Attribute() | provenance | Config | -| test.py:18:26:18:34 | ControlFlowNode for file_path | test.py:22:21:22:29 | ControlFlowNode for file_path | provenance | | -| test.py:22:5:22:30 | ControlFlowNode for Attribute() | test.py:22:5:22:60 | ControlFlowNode for Attribute() | provenance | Config | -| test.py:22:21:22:29 | ControlFlowNode for file_path | test.py:22:5:22:30 | ControlFlowNode for Attribute() | provenance | MaD:1 | -| test.py:22:21:22:29 | ControlFlowNode for file_path | test.py:22:5:22:60 | ControlFlowNode for Attribute() | provenance | Config | -| test.py:22:21:22:29 | ControlFlowNode for file_path | test.py:24:18:24:26 | ControlFlowNode for file_path | provenance | | -| test.py:24:18:24:26 | ControlFlowNode for file_path | test.py:24:5:24:52 | ControlFlowNode for Attribute() | provenance | Config | -| test.py:24:18:24:26 | ControlFlowNode for file_path | test.py:25:26:25:34 | ControlFlowNode for file_path | provenance | | -| test.py:25:26:25:34 | ControlFlowNode for file_path | test.py:25:5:25:55 | ControlFlowNode for Attribute() | provenance | Config | -| test.py:25:26:25:34 | ControlFlowNode for file_path | test.py:26:28:26:36 | ControlFlowNode for file_path | provenance | | -| test.py:26:28:26:36 | ControlFlowNode for file_path | test.py:26:5:26:57 | ControlFlowNode for Attribute() | provenance | Config | -| test.py:26:28:26:36 | ControlFlowNode for file_path | test.py:27:28:27:36 | ControlFlowNode for file_path | provenance | | -| test.py:27:28:27:36 | ControlFlowNode for file_path | test.py:27:5:27:50 | ControlFlowNode for Attribute() | provenance | Config | -| test.py:27:28:27:36 | ControlFlowNode for file_path | test.py:28:26:28:34 | ControlFlowNode for file_path | provenance | | -| test.py:28:26:28:34 | ControlFlowNode for file_path | test.py:28:5:28:60 | ControlFlowNode 
for Attribute() | provenance | Config | -| test.py:28:26:28:34 | ControlFlowNode for file_path | test.py:35:27:35:35 | ControlFlowNode for file_path | provenance | | -| test.py:28:26:28:34 | ControlFlowNode for file_path | test.py:39:15:39:23 | ControlFlowNode for file_path | provenance | | -| test.py:28:26:28:34 | ControlFlowNode for file_path | test.py:40:19:40:27 | ControlFlowNode for file_path | provenance | | -| test.py:28:26:28:34 | ControlFlowNode for file_path | test.py:44:14:44:22 | ControlFlowNode for file_path | provenance | | -| test.py:28:26:28:34 | ControlFlowNode for file_path | test.py:45:17:45:25 | ControlFlowNode for file_path | provenance | | -| test.py:28:26:28:34 | ControlFlowNode for file_path | test.py:49:15:49:23 | ControlFlowNode for file_path | provenance | | -| test.py:28:26:28:34 | ControlFlowNode for file_path | test.py:50:19:50:27 | ControlFlowNode for file_path | provenance | | -| test.py:28:26:28:34 | ControlFlowNode for file_path | test.py:54:15:54:23 | ControlFlowNode for file_path | provenance | | -| test.py:28:26:28:34 | ControlFlowNode for file_path | test.py:55:19:55:27 | ControlFlowNode for file_path | provenance | | -| test.py:28:26:28:34 | ControlFlowNode for file_path | test.py:59:40:59:48 | ControlFlowNode for file_path | provenance | | -| test.py:28:26:28:34 | ControlFlowNode for file_path | test.py:61:23:61:31 | ControlFlowNode for file_path | provenance | | -| test.py:28:26:28:34 | ControlFlowNode for file_path | test.py:62:21:62:29 | ControlFlowNode for file_path | provenance | | -| test.py:28:26:28:34 | ControlFlowNode for file_path | test.py:64:40:64:48 | ControlFlowNode for file_path | provenance | | -| test.py:28:26:28:34 | ControlFlowNode for file_path | test.py:65:22:65:30 | ControlFlowNode for file_path | provenance | | -| test.py:28:26:28:34 | ControlFlowNode for file_path | test.py:66:21:66:29 | ControlFlowNode for file_path | provenance | | -| test.py:28:26:28:34 | ControlFlowNode for file_path | 
test.py:67:42:67:50 | ControlFlowNode for file_path | provenance | | -| test.py:28:26:28:34 | ControlFlowNode for file_path | test.py:68:23:68:31 | ControlFlowNode for file_path | provenance | | -| test.py:28:26:28:34 | ControlFlowNode for file_path | test.py:69:36:69:44 | ControlFlowNode for file_path | provenance | | +| test.py:10:16:10:24 | file_path | test.py:11:21:11:29 | file_path | provenance | | +| test.py:11:5:11:35 | After Attribute() | test.py:11:5:11:52 | After Attribute() | provenance | Config | +| test.py:11:21:11:29 | file_path | test.py:11:5:11:35 | After Attribute() | provenance | MaD:1 | +| test.py:11:21:11:29 | file_path | test.py:11:5:11:52 | After Attribute() | provenance | Config | +| test.py:11:21:11:29 | file_path | test.py:12:21:12:29 | file_path | provenance | | +| test.py:12:5:12:35 | After Attribute() | test.py:12:5:12:48 | After Attribute() | provenance | Config | +| test.py:12:21:12:29 | file_path | test.py:12:5:12:35 | After Attribute() | provenance | MaD:1 | +| test.py:12:21:12:29 | file_path | test.py:12:5:12:48 | After Attribute() | provenance | Config | +| test.py:12:21:12:29 | file_path | test.py:14:26:14:34 | file_path | provenance | | +| test.py:14:10:14:35 | After Attribute() | test.py:15:14:15:29 | After Attribute() | provenance | Config | +| test.py:14:26:14:34 | file_path | test.py:14:10:14:35 | After Attribute() | provenance | MaD:1 | +| test.py:14:26:14:34 | file_path | test.py:15:14:15:29 | After Attribute() | provenance | Config | +| test.py:14:26:14:34 | file_path | test.py:18:26:18:34 | file_path | provenance | | +| test.py:18:10:18:35 | After Attribute() | test.py:19:14:19:39 | After Attribute() | provenance | Config | +| test.py:18:26:18:34 | file_path | test.py:18:10:18:35 | After Attribute() | provenance | MaD:1 | +| test.py:18:26:18:34 | file_path | test.py:19:14:19:39 | After Attribute() | provenance | Config | +| test.py:18:26:18:34 | file_path | test.py:22:21:22:29 | file_path | provenance | | +| 
test.py:22:5:22:30 | After Attribute() | test.py:22:5:22:60 | After Attribute() | provenance | Config | +| test.py:22:21:22:29 | file_path | test.py:22:5:22:30 | After Attribute() | provenance | MaD:1 | +| test.py:22:21:22:29 | file_path | test.py:22:5:22:60 | After Attribute() | provenance | Config | +| test.py:22:21:22:29 | file_path | test.py:24:18:24:26 | file_path | provenance | | +| test.py:24:18:24:26 | file_path | test.py:24:5:24:52 | After Attribute() | provenance | Config | +| test.py:24:18:24:26 | file_path | test.py:25:26:25:34 | file_path | provenance | | +| test.py:25:26:25:34 | file_path | test.py:25:5:25:55 | After Attribute() | provenance | Config | +| test.py:25:26:25:34 | file_path | test.py:26:28:26:36 | file_path | provenance | | +| test.py:26:28:26:36 | file_path | test.py:26:5:26:57 | After Attribute() | provenance | Config | +| test.py:26:28:26:36 | file_path | test.py:27:28:27:36 | file_path | provenance | | +| test.py:27:28:27:36 | file_path | test.py:27:5:27:50 | After Attribute() | provenance | Config | +| test.py:27:28:27:36 | file_path | test.py:28:26:28:34 | file_path | provenance | | +| test.py:28:26:28:34 | file_path | test.py:28:5:28:60 | After Attribute() | provenance | Config | +| test.py:28:26:28:34 | file_path | test.py:35:27:35:35 | file_path | provenance | | +| test.py:28:26:28:34 | file_path | test.py:39:15:39:23 | file_path | provenance | | +| test.py:28:26:28:34 | file_path | test.py:40:19:40:27 | file_path | provenance | | +| test.py:28:26:28:34 | file_path | test.py:44:14:44:22 | file_path | provenance | | +| test.py:28:26:28:34 | file_path | test.py:45:17:45:25 | file_path | provenance | | +| test.py:28:26:28:34 | file_path | test.py:49:15:49:23 | file_path | provenance | | +| test.py:28:26:28:34 | file_path | test.py:50:19:50:27 | file_path | provenance | | +| test.py:28:26:28:34 | file_path | test.py:54:15:54:23 | file_path | provenance | | +| test.py:28:26:28:34 | file_path | test.py:55:19:55:27 | file_path | 
provenance | | +| test.py:28:26:28:34 | file_path | test.py:59:40:59:48 | file_path | provenance | | +| test.py:28:26:28:34 | file_path | test.py:61:23:61:31 | file_path | provenance | | +| test.py:28:26:28:34 | file_path | test.py:62:21:62:29 | file_path | provenance | | +| test.py:28:26:28:34 | file_path | test.py:64:40:64:48 | file_path | provenance | | +| test.py:28:26:28:34 | file_path | test.py:65:22:65:30 | file_path | provenance | | +| test.py:28:26:28:34 | file_path | test.py:66:21:66:29 | file_path | provenance | | +| test.py:28:26:28:34 | file_path | test.py:67:42:67:50 | file_path | provenance | | +| test.py:28:26:28:34 | file_path | test.py:68:23:68:31 | file_path | provenance | | +| test.py:28:26:28:34 | file_path | test.py:69:36:69:44 | file_path | provenance | | models | 1 | Summary: zipfile.ZipFile!; Subclass.Call; Argument[0,file:]; ReturnValue; taint | nodes -| test.py:10:16:10:24 | ControlFlowNode for file_path | semmle.label | ControlFlowNode for file_path | -| test.py:11:5:11:35 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| test.py:11:5:11:52 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| test.py:11:21:11:29 | ControlFlowNode for file_path | semmle.label | ControlFlowNode for file_path | -| test.py:12:5:12:35 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| test.py:12:5:12:48 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| test.py:12:21:12:29 | ControlFlowNode for file_path | semmle.label | ControlFlowNode for file_path | -| test.py:14:10:14:35 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| test.py:14:26:14:34 | ControlFlowNode for file_path | semmle.label | ControlFlowNode for file_path | -| test.py:15:14:15:29 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| test.py:18:10:18:35 | ControlFlowNode for 
Attribute() | semmle.label | ControlFlowNode for Attribute() | -| test.py:18:26:18:34 | ControlFlowNode for file_path | semmle.label | ControlFlowNode for file_path | -| test.py:19:14:19:39 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| test.py:22:5:22:30 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| test.py:22:5:22:60 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| test.py:22:21:22:29 | ControlFlowNode for file_path | semmle.label | ControlFlowNode for file_path | -| test.py:24:5:24:52 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| test.py:24:18:24:26 | ControlFlowNode for file_path | semmle.label | ControlFlowNode for file_path | -| test.py:25:5:25:55 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| test.py:25:26:25:34 | ControlFlowNode for file_path | semmle.label | ControlFlowNode for file_path | -| test.py:26:5:26:57 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| test.py:26:28:26:36 | ControlFlowNode for file_path | semmle.label | ControlFlowNode for file_path | -| test.py:27:5:27:50 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| test.py:27:28:27:36 | ControlFlowNode for file_path | semmle.label | ControlFlowNode for file_path | -| test.py:28:5:28:60 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| test.py:28:26:28:34 | ControlFlowNode for file_path | semmle.label | ControlFlowNode for file_path | -| test.py:35:27:35:35 | ControlFlowNode for file_path | semmle.label | ControlFlowNode for file_path | -| test.py:39:15:39:23 | ControlFlowNode for file_path | semmle.label | ControlFlowNode for file_path | -| test.py:40:19:40:27 | ControlFlowNode for file_path | semmle.label | ControlFlowNode for file_path | -| test.py:44:14:44:22 | 
ControlFlowNode for file_path | semmle.label | ControlFlowNode for file_path | -| test.py:45:17:45:25 | ControlFlowNode for file_path | semmle.label | ControlFlowNode for file_path | -| test.py:49:15:49:23 | ControlFlowNode for file_path | semmle.label | ControlFlowNode for file_path | -| test.py:50:19:50:27 | ControlFlowNode for file_path | semmle.label | ControlFlowNode for file_path | -| test.py:54:15:54:23 | ControlFlowNode for file_path | semmle.label | ControlFlowNode for file_path | -| test.py:55:19:55:27 | ControlFlowNode for file_path | semmle.label | ControlFlowNode for file_path | -| test.py:59:40:59:48 | ControlFlowNode for file_path | semmle.label | ControlFlowNode for file_path | -| test.py:61:23:61:31 | ControlFlowNode for file_path | semmle.label | ControlFlowNode for file_path | -| test.py:62:21:62:29 | ControlFlowNode for file_path | semmle.label | ControlFlowNode for file_path | -| test.py:64:40:64:48 | ControlFlowNode for file_path | semmle.label | ControlFlowNode for file_path | -| test.py:65:22:65:30 | ControlFlowNode for file_path | semmle.label | ControlFlowNode for file_path | -| test.py:66:21:66:29 | ControlFlowNode for file_path | semmle.label | ControlFlowNode for file_path | -| test.py:67:42:67:50 | ControlFlowNode for file_path | semmle.label | ControlFlowNode for file_path | -| test.py:68:23:68:31 | ControlFlowNode for file_path | semmle.label | ControlFlowNode for file_path | -| test.py:69:36:69:44 | ControlFlowNode for file_path | semmle.label | ControlFlowNode for file_path | +| test.py:10:16:10:24 | file_path | semmle.label | file_path | +| test.py:11:5:11:35 | After Attribute() | semmle.label | After Attribute() | +| test.py:11:5:11:52 | After Attribute() | semmle.label | After Attribute() | +| test.py:11:21:11:29 | file_path | semmle.label | file_path | +| test.py:12:5:12:35 | After Attribute() | semmle.label | After Attribute() | +| test.py:12:5:12:48 | After Attribute() | semmle.label | After Attribute() | +| 
test.py:12:21:12:29 | file_path | semmle.label | file_path | +| test.py:14:10:14:35 | After Attribute() | semmle.label | After Attribute() | +| test.py:14:26:14:34 | file_path | semmle.label | file_path | +| test.py:15:14:15:29 | After Attribute() | semmle.label | After Attribute() | +| test.py:18:10:18:35 | After Attribute() | semmle.label | After Attribute() | +| test.py:18:26:18:34 | file_path | semmle.label | file_path | +| test.py:19:14:19:39 | After Attribute() | semmle.label | After Attribute() | +| test.py:22:5:22:30 | After Attribute() | semmle.label | After Attribute() | +| test.py:22:5:22:60 | After Attribute() | semmle.label | After Attribute() | +| test.py:22:21:22:29 | file_path | semmle.label | file_path | +| test.py:24:5:24:52 | After Attribute() | semmle.label | After Attribute() | +| test.py:24:18:24:26 | file_path | semmle.label | file_path | +| test.py:25:5:25:55 | After Attribute() | semmle.label | After Attribute() | +| test.py:25:26:25:34 | file_path | semmle.label | file_path | +| test.py:26:5:26:57 | After Attribute() | semmle.label | After Attribute() | +| test.py:26:28:26:36 | file_path | semmle.label | file_path | +| test.py:27:5:27:50 | After Attribute() | semmle.label | After Attribute() | +| test.py:27:28:27:36 | file_path | semmle.label | file_path | +| test.py:28:5:28:60 | After Attribute() | semmle.label | After Attribute() | +| test.py:28:26:28:34 | file_path | semmle.label | file_path | +| test.py:35:27:35:35 | file_path | semmle.label | file_path | +| test.py:39:15:39:23 | file_path | semmle.label | file_path | +| test.py:40:19:40:27 | file_path | semmle.label | file_path | +| test.py:44:14:44:22 | file_path | semmle.label | file_path | +| test.py:45:17:45:25 | file_path | semmle.label | file_path | +| test.py:49:15:49:23 | file_path | semmle.label | file_path | +| test.py:50:19:50:27 | file_path | semmle.label | file_path | +| test.py:54:15:54:23 | file_path | semmle.label | file_path | +| test.py:55:19:55:27 | file_path | 
semmle.label | file_path | +| test.py:59:40:59:48 | file_path | semmle.label | file_path | +| test.py:61:23:61:31 | file_path | semmle.label | file_path | +| test.py:62:21:62:29 | file_path | semmle.label | file_path | +| test.py:64:40:64:48 | file_path | semmle.label | file_path | +| test.py:65:22:65:30 | file_path | semmle.label | file_path | +| test.py:66:21:66:29 | file_path | semmle.label | file_path | +| test.py:67:42:67:50 | file_path | semmle.label | file_path | +| test.py:68:23:68:31 | file_path | semmle.label | file_path | +| test.py:69:36:69:44 | file_path | semmle.label | file_path | subpaths diff --git a/python/ql/test/experimental/query-tests/Security/CWE-522/LdapInsecureAuth.expected b/python/ql/test/experimental/query-tests/Security/CWE-522/LdapInsecureAuth.expected index b07d47c203c..edf097ffb8b 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-522/LdapInsecureAuth.expected +++ b/python/ql/test/experimental/query-tests/Security/CWE-522/LdapInsecureAuth.expected 
@@ -1,36 +1,36 @@ edges -| ldap3_remote.py:2:19:2:25 | ControlFlowNode for ImportMember | ldap3_remote.py:2:19:2:25 | ControlFlowNode for request | provenance | | -| ldap3_remote.py:2:19:2:25 | ControlFlowNode for request | ldap3_remote.py:138:21:138:27 | ControlFlowNode for request | provenance | | -| ldap3_remote.py:101:5:101:8 | ControlFlowNode for host | ldap3_remote.py:102:18:102:21 | ControlFlowNode for host | provenance | | -| ldap3_remote.py:101:12:101:49 | ControlFlowNode for BinaryExpr | ldap3_remote.py:101:5:101:8 | ControlFlowNode for host | provenance | | -| ldap3_remote.py:114:5:114:8 | ControlFlowNode for host | ldap3_remote.py:115:18:115:21 | ControlFlowNode for host | provenance | | -| ldap3_remote.py:114:12:114:49 | ControlFlowNode for BinaryExpr | ldap3_remote.py:114:5:114:8 | ControlFlowNode for host | provenance | | -| ldap3_remote.py:126:5:126:8 | ControlFlowNode for host | ldap3_remote.py:127:18:127:21 | ControlFlowNode for host | provenance | | -| ldap3_remote.py:126:12:126:31 | ControlFlowNode for BinaryExpr | ldap3_remote.py:126:5:126:8 | ControlFlowNode for host | provenance | | -| ldap3_remote.py:138:5:138:8 | ControlFlowNode for host | ldap3_remote.py:139:18:139:21 | ControlFlowNode for host | provenance | | -| ldap3_remote.py:138:21:138:27 | ControlFlowNode for request | ldap3_remote.py:138:5:138:8 | ControlFlowNode for host | provenance | AdditionalTaintStep | +| ldap3_remote.py:2:19:2:25 | After ImportMember | ldap3_remote.py:2:19:2:25 | request | provenance | | +| ldap3_remote.py:2:19:2:25 | request | ldap3_remote.py:138:21:138:27 | request | provenance | | +| ldap3_remote.py:101:5:101:8 | host | ldap3_remote.py:102:18:102:21 | host | provenance | | +| ldap3_remote.py:101:12:101:49 | After BinaryExpr | ldap3_remote.py:101:5:101:8 | host | provenance | | +| ldap3_remote.py:114:5:114:8 | host | ldap3_remote.py:115:18:115:21 | host | provenance | | +| ldap3_remote.py:114:12:114:49 | After BinaryExpr | ldap3_remote.py:114:5:114:8 | host 
| provenance | | +| ldap3_remote.py:126:5:126:8 | host | ldap3_remote.py:127:18:127:21 | host | provenance | | +| ldap3_remote.py:126:12:126:31 | After BinaryExpr | ldap3_remote.py:126:5:126:8 | host | provenance | | +| ldap3_remote.py:138:5:138:8 | host | ldap3_remote.py:139:18:139:21 | host | provenance | | +| ldap3_remote.py:138:21:138:27 | request | ldap3_remote.py:138:5:138:8 | host | provenance | AdditionalTaintStep | nodes -| ldap2_remote.py:45:41:45:60 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr | -| ldap2_remote.py:56:41:56:60 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr | -| ldap3_remote.py:2:19:2:25 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember | -| ldap3_remote.py:2:19:2:25 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| ldap3_remote.py:101:5:101:8 | ControlFlowNode for host | semmle.label | ControlFlowNode for host | -| ldap3_remote.py:101:12:101:49 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr | -| ldap3_remote.py:102:18:102:21 | ControlFlowNode for host | semmle.label | ControlFlowNode for host | -| ldap3_remote.py:114:5:114:8 | ControlFlowNode for host | semmle.label | ControlFlowNode for host | -| ldap3_remote.py:114:12:114:49 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr | -| ldap3_remote.py:115:18:115:21 | ControlFlowNode for host | semmle.label | ControlFlowNode for host | -| ldap3_remote.py:126:5:126:8 | ControlFlowNode for host | semmle.label | ControlFlowNode for host | -| ldap3_remote.py:126:12:126:31 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr | -| ldap3_remote.py:127:18:127:21 | ControlFlowNode for host | semmle.label | ControlFlowNode for host | -| ldap3_remote.py:138:5:138:8 | ControlFlowNode for host | semmle.label | ControlFlowNode for host | -| ldap3_remote.py:138:21:138:27 | 
ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| ldap3_remote.py:139:18:139:21 | ControlFlowNode for host | semmle.label | ControlFlowNode for host | +| ldap2_remote.py:45:41:45:60 | After BinaryExpr | semmle.label | After BinaryExpr | +| ldap2_remote.py:56:41:56:60 | After BinaryExpr | semmle.label | After BinaryExpr | +| ldap3_remote.py:2:19:2:25 | After ImportMember | semmle.label | After ImportMember | +| ldap3_remote.py:2:19:2:25 | request | semmle.label | request | +| ldap3_remote.py:101:5:101:8 | host | semmle.label | host | +| ldap3_remote.py:101:12:101:49 | After BinaryExpr | semmle.label | After BinaryExpr | +| ldap3_remote.py:102:18:102:21 | host | semmle.label | host | +| ldap3_remote.py:114:5:114:8 | host | semmle.label | host | +| ldap3_remote.py:114:12:114:49 | After BinaryExpr | semmle.label | After BinaryExpr | +| ldap3_remote.py:115:18:115:21 | host | semmle.label | host | +| ldap3_remote.py:126:5:126:8 | host | semmle.label | host | +| ldap3_remote.py:126:12:126:31 | After BinaryExpr | semmle.label | After BinaryExpr | +| ldap3_remote.py:127:18:127:21 | host | semmle.label | host | +| ldap3_remote.py:138:5:138:8 | host | semmle.label | host | +| ldap3_remote.py:138:21:138:27 | request | semmle.label | request | +| ldap3_remote.py:139:18:139:21 | host | semmle.label | host | subpaths #select -| ldap2_remote.py:45:41:45:60 | ControlFlowNode for BinaryExpr | ldap2_remote.py:45:41:45:60 | ControlFlowNode for BinaryExpr | ldap2_remote.py:45:41:45:60 | ControlFlowNode for BinaryExpr | This LDAP host is authenticated insecurely. | -| ldap2_remote.py:56:41:56:60 | ControlFlowNode for BinaryExpr | ldap2_remote.py:56:41:56:60 | ControlFlowNode for BinaryExpr | ldap2_remote.py:56:41:56:60 | ControlFlowNode for BinaryExpr | This LDAP host is authenticated insecurely. 
| -| ldap3_remote.py:102:18:102:21 | ControlFlowNode for host | ldap3_remote.py:101:12:101:49 | ControlFlowNode for BinaryExpr | ldap3_remote.py:102:18:102:21 | ControlFlowNode for host | This LDAP host is authenticated insecurely. | -| ldap3_remote.py:115:18:115:21 | ControlFlowNode for host | ldap3_remote.py:114:12:114:49 | ControlFlowNode for BinaryExpr | ldap3_remote.py:115:18:115:21 | ControlFlowNode for host | This LDAP host is authenticated insecurely. | -| ldap3_remote.py:127:18:127:21 | ControlFlowNode for host | ldap3_remote.py:126:12:126:31 | ControlFlowNode for BinaryExpr | ldap3_remote.py:127:18:127:21 | ControlFlowNode for host | This LDAP host is authenticated insecurely. | -| ldap3_remote.py:139:18:139:21 | ControlFlowNode for host | ldap3_remote.py:2:19:2:25 | ControlFlowNode for ImportMember | ldap3_remote.py:139:18:139:21 | ControlFlowNode for host | This LDAP host is authenticated insecurely. | +| ldap2_remote.py:45:41:45:60 | After BinaryExpr | ldap2_remote.py:45:41:45:60 | After BinaryExpr | ldap2_remote.py:45:41:45:60 | After BinaryExpr | This LDAP host is authenticated insecurely. | +| ldap2_remote.py:56:41:56:60 | After BinaryExpr | ldap2_remote.py:56:41:56:60 | After BinaryExpr | ldap2_remote.py:56:41:56:60 | After BinaryExpr | This LDAP host is authenticated insecurely. | +| ldap3_remote.py:102:18:102:21 | host | ldap3_remote.py:101:12:101:49 | After BinaryExpr | ldap3_remote.py:102:18:102:21 | host | This LDAP host is authenticated insecurely. | +| ldap3_remote.py:115:18:115:21 | host | ldap3_remote.py:114:12:114:49 | After BinaryExpr | ldap3_remote.py:115:18:115:21 | host | This LDAP host is authenticated insecurely. | +| ldap3_remote.py:127:18:127:21 | host | ldap3_remote.py:126:12:126:31 | After BinaryExpr | ldap3_remote.py:127:18:127:21 | host | This LDAP host is authenticated insecurely. 
| +| ldap3_remote.py:139:18:139:21 | host | ldap3_remote.py:2:19:2:25 | After ImportMember | ldap3_remote.py:139:18:139:21 | host | This LDAP host is authenticated insecurely. | diff --git a/python/ql/test/experimental/query-tests/Security/CWE-611-SimpleXmlRpcServer/SimpleXmlRpcServer.expected b/python/ql/test/experimental/query-tests/Security/CWE-611-SimpleXmlRpcServer/SimpleXmlRpcServer.expected index 30438f41083..efe35edb600 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-611-SimpleXmlRpcServer/SimpleXmlRpcServer.expected +++ b/python/ql/test/experimental/query-tests/Security/CWE-611-SimpleXmlRpcServer/SimpleXmlRpcServer.expected @@ -1 +1 @@ -| xmlrpc_server.py:7:10:7:48 | ControlFlowNode for SimpleXMLRPCServer() | SimpleXMLRPCServer is vulnerable to XML bombs. | +| xmlrpc_server.py:7:10:7:48 | After SimpleXMLRPCServer() | SimpleXMLRPCServer is vulnerable to XML bombs. | diff --git a/python/ql/test/experimental/query-tests/Security/CWE-770/UnicodeDoS.expected b/python/ql/test/experimental/query-tests/Security/CWE-770/UnicodeDoS.expected index 430e7558fdc..6da3a668b3e 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-770/UnicodeDoS.expected +++ b/python/ql/test/experimental/query-tests/Security/CWE-770/UnicodeDoS.expected 
@@ -1,73 +1,73 @@ edges -| tests.py:1:35:1:41 | ControlFlowNode for ImportMember | tests.py:1:35:1:41 | ControlFlowNode for request | provenance | | -| tests.py:1:35:1:41 | ControlFlowNode for request | tests.py:12:17:12:23 | ControlFlowNode for request | provenance | | -| tests.py:1:35:1:41 | ControlFlowNode for request | tests.py:24:9:24:15 | ControlFlowNode for request | provenance | | -| tests.py:1:35:1:41 | ControlFlowNode for request | tests.py:36:9:36:15 | ControlFlowNode for request | provenance | | -| tests.py:1:35:1:41 | ControlFlowNode for request | tests.py:48:9:48:15 | ControlFlowNode for request | provenance | | -| tests.py:1:35:1:41 | ControlFlowNode for request | tests.py:60:9:60:15 | ControlFlowNode for request | provenance | | -| tests.py:1:35:1:41 | ControlFlowNode for request | tests.py:72:9:72:15 | ControlFlowNode for request | provenance | | -| tests.py:12:5:12:13 | ControlFlowNode for file_path | tests.py:16:39:16:47 | ControlFlowNode for file_path | provenance | | -| tests.py:12:17:12:23 | ControlFlowNode for request | tests.py:12:17:12:28 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | -| tests.py:12:17:12:28 | ControlFlowNode for Attribute | tests.py:12:17:12:49 | ControlFlowNode for Attribute() | provenance | dict.get | -| tests.py:12:17:12:49 | ControlFlowNode for Attribute() | tests.py:12:5:12:13 | ControlFlowNode for file_path | provenance | | -| tests.py:24:5:24:5 | ControlFlowNode for r | tests.py:28:43:28:43 | ControlFlowNode for r | provenance | | -| tests.py:24:9:24:15 | ControlFlowNode for request | tests.py:24:9:24:20 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | -| tests.py:24:9:24:20 | ControlFlowNode for Attribute | tests.py:24:9:24:33 | ControlFlowNode for Attribute() | provenance | dict.get | -| tests.py:24:9:24:33 | ControlFlowNode for Attribute() | tests.py:24:5:24:5 | ControlFlowNode for r | provenance | | -| tests.py:36:5:36:5 | ControlFlowNode for r | tests.py:40:43:40:43 | 
ControlFlowNode for r | provenance | | -| tests.py:36:9:36:15 | ControlFlowNode for request | tests.py:36:9:36:20 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | -| tests.py:36:9:36:20 | ControlFlowNode for Attribute | tests.py:36:9:36:33 | ControlFlowNode for Attribute() | provenance | dict.get | -| tests.py:36:9:36:33 | ControlFlowNode for Attribute() | tests.py:36:5:36:5 | ControlFlowNode for r | provenance | | -| tests.py:48:5:48:5 | ControlFlowNode for r | tests.py:52:43:52:43 | ControlFlowNode for r | provenance | | -| tests.py:48:9:48:15 | ControlFlowNode for request | tests.py:48:9:48:20 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | -| tests.py:48:9:48:20 | ControlFlowNode for Attribute | tests.py:48:9:48:33 | ControlFlowNode for Attribute() | provenance | dict.get | -| tests.py:48:9:48:33 | ControlFlowNode for Attribute() | tests.py:48:5:48:5 | ControlFlowNode for r | provenance | | -| tests.py:60:5:60:5 | ControlFlowNode for r | tests.py:64:43:64:43 | ControlFlowNode for r | provenance | | -| tests.py:60:9:60:15 | ControlFlowNode for request | tests.py:60:9:60:20 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | -| tests.py:60:9:60:20 | ControlFlowNode for Attribute | tests.py:60:9:60:33 | ControlFlowNode for Attribute() | provenance | dict.get | -| tests.py:60:9:60:33 | ControlFlowNode for Attribute() | tests.py:60:5:60:5 | ControlFlowNode for r | provenance | | -| tests.py:72:5:72:5 | ControlFlowNode for r | tests.py:76:43:76:43 | ControlFlowNode for r | provenance | | -| tests.py:72:9:72:15 | ControlFlowNode for request | tests.py:72:9:72:20 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | -| tests.py:72:9:72:20 | ControlFlowNode for Attribute | tests.py:72:9:72:33 | ControlFlowNode for Attribute() | provenance | dict.get | -| tests.py:72:9:72:33 | ControlFlowNode for Attribute() | tests.py:72:5:72:5 | ControlFlowNode for r | provenance | | +| tests.py:1:35:1:41 | After 
ImportMember | tests.py:1:35:1:41 | request | provenance | | +| tests.py:1:35:1:41 | request | tests.py:12:17:12:23 | request | provenance | | +| tests.py:1:35:1:41 | request | tests.py:24:9:24:15 | request | provenance | | +| tests.py:1:35:1:41 | request | tests.py:36:9:36:15 | request | provenance | | +| tests.py:1:35:1:41 | request | tests.py:48:9:48:15 | request | provenance | | +| tests.py:1:35:1:41 | request | tests.py:60:9:60:15 | request | provenance | | +| tests.py:1:35:1:41 | request | tests.py:72:9:72:15 | request | provenance | | +| tests.py:12:5:12:13 | file_path | tests.py:16:39:16:47 | file_path | provenance | | +| tests.py:12:17:12:23 | request | tests.py:12:17:12:28 | After Attribute | provenance | AdditionalTaintStep | +| tests.py:12:17:12:28 | After Attribute | tests.py:12:17:12:49 | After Attribute() | provenance | dict.get | +| tests.py:12:17:12:49 | After Attribute() | tests.py:12:5:12:13 | file_path | provenance | | +| tests.py:24:5:24:5 | r | tests.py:28:43:28:43 | r | provenance | | +| tests.py:24:9:24:15 | request | tests.py:24:9:24:20 | After Attribute | provenance | AdditionalTaintStep | +| tests.py:24:9:24:20 | After Attribute | tests.py:24:9:24:33 | After Attribute() | provenance | dict.get | +| tests.py:24:9:24:33 | After Attribute() | tests.py:24:5:24:5 | r | provenance | | +| tests.py:36:5:36:5 | r | tests.py:40:43:40:43 | r | provenance | | +| tests.py:36:9:36:15 | request | tests.py:36:9:36:20 | After Attribute | provenance | AdditionalTaintStep | +| tests.py:36:9:36:20 | After Attribute | tests.py:36:9:36:33 | After Attribute() | provenance | dict.get | +| tests.py:36:9:36:33 | After Attribute() | tests.py:36:5:36:5 | r | provenance | | +| tests.py:48:5:48:5 | r | tests.py:52:43:52:43 | r | provenance | | +| tests.py:48:9:48:15 | request | tests.py:48:9:48:20 | After Attribute | provenance | AdditionalTaintStep | +| tests.py:48:9:48:20 | After Attribute | tests.py:48:9:48:33 | After Attribute() | provenance | dict.get | +| 
tests.py:48:9:48:33 | After Attribute() | tests.py:48:5:48:5 | r | provenance | | +| tests.py:60:5:60:5 | r | tests.py:64:43:64:43 | r | provenance | | +| tests.py:60:9:60:15 | request | tests.py:60:9:60:20 | After Attribute | provenance | AdditionalTaintStep | +| tests.py:60:9:60:20 | After Attribute | tests.py:60:9:60:33 | After Attribute() | provenance | dict.get | +| tests.py:60:9:60:33 | After Attribute() | tests.py:60:5:60:5 | r | provenance | | +| tests.py:72:5:72:5 | r | tests.py:76:43:76:43 | r | provenance | | +| tests.py:72:9:72:15 | request | tests.py:72:9:72:20 | After Attribute | provenance | AdditionalTaintStep | +| tests.py:72:9:72:20 | After Attribute | tests.py:72:9:72:33 | After Attribute() | provenance | dict.get | +| tests.py:72:9:72:33 | After Attribute() | tests.py:72:5:72:5 | r | provenance | | nodes -| tests.py:1:35:1:41 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember | -| tests.py:1:35:1:41 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| tests.py:12:5:12:13 | ControlFlowNode for file_path | semmle.label | ControlFlowNode for file_path | -| tests.py:12:17:12:23 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| tests.py:12:17:12:28 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | -| tests.py:12:17:12:49 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| tests.py:16:39:16:47 | ControlFlowNode for file_path | semmle.label | ControlFlowNode for file_path | -| tests.py:24:5:24:5 | ControlFlowNode for r | semmle.label | ControlFlowNode for r | -| tests.py:24:9:24:15 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| tests.py:24:9:24:20 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | -| tests.py:24:9:24:33 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| tests.py:28:43:28:43 | 
ControlFlowNode for r | semmle.label | ControlFlowNode for r | -| tests.py:36:5:36:5 | ControlFlowNode for r | semmle.label | ControlFlowNode for r | -| tests.py:36:9:36:15 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| tests.py:36:9:36:20 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | -| tests.py:36:9:36:33 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| tests.py:40:43:40:43 | ControlFlowNode for r | semmle.label | ControlFlowNode for r | -| tests.py:48:5:48:5 | ControlFlowNode for r | semmle.label | ControlFlowNode for r | -| tests.py:48:9:48:15 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| tests.py:48:9:48:20 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | -| tests.py:48:9:48:33 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| tests.py:52:43:52:43 | ControlFlowNode for r | semmle.label | ControlFlowNode for r | -| tests.py:60:5:60:5 | ControlFlowNode for r | semmle.label | ControlFlowNode for r | -| tests.py:60:9:60:15 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| tests.py:60:9:60:20 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | -| tests.py:60:9:60:33 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| tests.py:64:43:64:43 | ControlFlowNode for r | semmle.label | ControlFlowNode for r | -| tests.py:72:5:72:5 | ControlFlowNode for r | semmle.label | ControlFlowNode for r | -| tests.py:72:9:72:15 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| tests.py:72:9:72:20 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | -| tests.py:72:9:72:33 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| tests.py:76:43:76:43 | ControlFlowNode for r | semmle.label | 
ControlFlowNode for r | +| tests.py:1:35:1:41 | After ImportMember | semmle.label | After ImportMember | +| tests.py:1:35:1:41 | request | semmle.label | request | +| tests.py:12:5:12:13 | file_path | semmle.label | file_path | +| tests.py:12:17:12:23 | request | semmle.label | request | +| tests.py:12:17:12:28 | After Attribute | semmle.label | After Attribute | +| tests.py:12:17:12:49 | After Attribute() | semmle.label | After Attribute() | +| tests.py:16:39:16:47 | file_path | semmle.label | file_path | +| tests.py:24:5:24:5 | r | semmle.label | r | +| tests.py:24:9:24:15 | request | semmle.label | request | +| tests.py:24:9:24:20 | After Attribute | semmle.label | After Attribute | +| tests.py:24:9:24:33 | After Attribute() | semmle.label | After Attribute() | +| tests.py:28:43:28:43 | r | semmle.label | r | +| tests.py:36:5:36:5 | r | semmle.label | r | +| tests.py:36:9:36:15 | request | semmle.label | request | +| tests.py:36:9:36:20 | After Attribute | semmle.label | After Attribute | +| tests.py:36:9:36:33 | After Attribute() | semmle.label | After Attribute() | +| tests.py:40:43:40:43 | r | semmle.label | r | +| tests.py:48:5:48:5 | r | semmle.label | r | +| tests.py:48:9:48:15 | request | semmle.label | request | +| tests.py:48:9:48:20 | After Attribute | semmle.label | After Attribute | +| tests.py:48:9:48:33 | After Attribute() | semmle.label | After Attribute() | +| tests.py:52:43:52:43 | r | semmle.label | r | +| tests.py:60:5:60:5 | r | semmle.label | r | +| tests.py:60:9:60:15 | request | semmle.label | request | +| tests.py:60:9:60:20 | After Attribute | semmle.label | After Attribute | +| tests.py:60:9:60:33 | After Attribute() | semmle.label | After Attribute() | +| tests.py:64:43:64:43 | r | semmle.label | r | +| tests.py:72:5:72:5 | r | semmle.label | r | +| tests.py:72:9:72:15 | request | semmle.label | request | +| tests.py:72:9:72:20 | After Attribute | semmle.label | After Attribute | +| tests.py:72:9:72:33 | After Attribute() | 
semmle.label | After Attribute() | +| tests.py:76:43:76:43 | r | semmle.label | r | subpaths #select -| tests.py:16:39:16:47 | ControlFlowNode for file_path | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | tests.py:16:39:16:47 | ControlFlowNode for file_path | This $@ can reach a $@. | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | user-provided value | tests.py:16:39:16:47 | ControlFlowNode for file_path | costly Unicode normalization operation | -| tests.py:28:43:28:43 | ControlFlowNode for r | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | tests.py:28:43:28:43 | ControlFlowNode for r | This $@ can reach a $@. | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | user-provided value | tests.py:28:43:28:43 | ControlFlowNode for r | costly Unicode normalization operation | -| tests.py:40:43:40:43 | ControlFlowNode for r | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | tests.py:40:43:40:43 | ControlFlowNode for r | This $@ can reach a $@. | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | user-provided value | tests.py:40:43:40:43 | ControlFlowNode for r | costly Unicode normalization operation | -| tests.py:52:43:52:43 | ControlFlowNode for r | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | tests.py:52:43:52:43 | ControlFlowNode for r | This $@ can reach a $@. | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | user-provided value | tests.py:52:43:52:43 | ControlFlowNode for r | costly Unicode normalization operation | -| tests.py:64:43:64:43 | ControlFlowNode for r | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | tests.py:64:43:64:43 | ControlFlowNode for r | This $@ can reach a $@. 
| tests.py:1:35:1:41 | ControlFlowNode for ImportMember | user-provided value | tests.py:64:43:64:43 | ControlFlowNode for r | costly Unicode normalization operation | -| tests.py:76:43:76:43 | ControlFlowNode for r | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | tests.py:76:43:76:43 | ControlFlowNode for r | This $@ can reach a $@. | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | user-provided value | tests.py:76:43:76:43 | ControlFlowNode for r | costly Unicode normalization operation | +| tests.py:16:39:16:47 | file_path | tests.py:1:35:1:41 | After ImportMember | tests.py:16:39:16:47 | file_path | This $@ can reach a $@. | tests.py:1:35:1:41 | After ImportMember | user-provided value | tests.py:16:39:16:47 | file_path | costly Unicode normalization operation | +| tests.py:28:43:28:43 | r | tests.py:1:35:1:41 | After ImportMember | tests.py:28:43:28:43 | r | This $@ can reach a $@. | tests.py:1:35:1:41 | After ImportMember | user-provided value | tests.py:28:43:28:43 | r | costly Unicode normalization operation | +| tests.py:40:43:40:43 | r | tests.py:1:35:1:41 | After ImportMember | tests.py:40:43:40:43 | r | This $@ can reach a $@. | tests.py:1:35:1:41 | After ImportMember | user-provided value | tests.py:40:43:40:43 | r | costly Unicode normalization operation | +| tests.py:52:43:52:43 | r | tests.py:1:35:1:41 | After ImportMember | tests.py:52:43:52:43 | r | This $@ can reach a $@. | tests.py:1:35:1:41 | After ImportMember | user-provided value | tests.py:52:43:52:43 | r | costly Unicode normalization operation | +| tests.py:64:43:64:43 | r | tests.py:1:35:1:41 | After ImportMember | tests.py:64:43:64:43 | r | This $@ can reach a $@. | tests.py:1:35:1:41 | After ImportMember | user-provided value | tests.py:64:43:64:43 | r | costly Unicode normalization operation | +| tests.py:76:43:76:43 | r | tests.py:1:35:1:41 | After ImportMember | tests.py:76:43:76:43 | r | This $@ can reach a $@. 
| tests.py:1:35:1:41 | After ImportMember | user-provided value | tests.py:76:43:76:43 | r | costly Unicode normalization operation | diff --git a/python/ql/test/library-tests/frameworks/cryptography/EcKeygenOrigin.expected b/python/ql/test/library-tests/frameworks/cryptography/EcKeygenOrigin.expected index a94092533f0..672e394a727 100644 --- a/python/ql/test/library-tests/frameworks/cryptography/EcKeygenOrigin.expected +++ b/python/ql/test/library-tests/frameworks/cryptography/EcKeygenOrigin.expected @@ -1,5 +1,5 @@ -| ec_keygen_origin.py:8:1:8:45 | ControlFlowNode for Attribute() | 384 | ec_keygen_origin.py:8:31:8:42 | ControlFlowNode for Attribute | -| ec_keygen_origin.py:9:1:9:43 | ControlFlowNode for Attribute() | 384 | ec_keygen_origin.py:9:31:9:42 | ControlFlowNode for Attribute | -| ec_keygen_origin.py:12:1:12:36 | ControlFlowNode for Attribute() | 384 | ec_keygen_origin.py:11:9:11:20 | ControlFlowNode for Attribute | -| ec_keygen_origin.py:15:1:15:39 | ControlFlowNode for Attribute() | 384 | ec_keygen_origin.py:11:9:11:20 | ControlFlowNode for Attribute | -| ec_keygen_origin.py:20:1:20:32 | ControlFlowNode for Attribute() | 384 | ec_keygen_origin.py:6:58:6:66 | ControlFlowNode for ImportMember | +| ec_keygen_origin.py:8:1:8:45 | After Attribute() | 384 | ec_keygen_origin.py:8:31:8:42 | After Attribute | +| ec_keygen_origin.py:9:1:9:43 | After Attribute() | 384 | ec_keygen_origin.py:9:31:9:42 | After Attribute | +| ec_keygen_origin.py:12:1:12:36 | After Attribute() | 384 | ec_keygen_origin.py:11:9:11:20 | After Attribute | +| ec_keygen_origin.py:15:1:15:39 | After Attribute() | 384 | ec_keygen_origin.py:11:9:11:20 | After Attribute | +| ec_keygen_origin.py:20:1:20:32 | After Attribute() | 384 | ec_keygen_origin.py:6:58:6:66 | After ImportMember | diff --git a/python/ql/test/library-tests/frameworks/data/test.expected b/python/ql/test/library-tests/frameworks/data/test.expected index 84cc34585ca..db383626b49 100644 
--- a/python/ql/test/library-tests/frameworks/data/test.expected +++ b/python/ql/test/library-tests/frameworks/data/test.expected 
@@ -1,114 +1,114 @@ taintFlow -| test.py:3:5:3:15 | ControlFlowNode for getSource() | test.py:4:8:4:8 | ControlFlowNode for x | -| test.py:3:5:3:15 | ControlFlowNode for getSource() | test.py:7:17:7:17 | ControlFlowNode for x | -| test.py:9:8:9:14 | ControlFlowNode for alias() | test.py:9:8:9:14 | ControlFlowNode for alias() | -| test.py:10:8:10:22 | ControlFlowNode for Attribute() | test.py:10:8:10:22 | ControlFlowNode for Attribute() | -| test.py:11:8:11:30 | ControlFlowNode for Attribute() | test.py:11:8:11:30 | ControlFlowNode for Attribute() | -| test.py:71:28:71:38 | ControlFlowNode for getSource() | test.py:71:8:71:39 | ControlFlowNode for Attribute() | -| test.py:75:5:75:15 | ControlFlowNode for getSource() | test.py:76:22:76:22 | ControlFlowNode for x | -| test.py:75:5:75:15 | ControlFlowNode for getSource() | test.py:77:22:77:22 | ControlFlowNode for y | -| test.py:81:36:81:46 | ControlFlowNode for getSource() | test.py:81:8:81:47 | ControlFlowNode for Attribute() | -| test.py:83:50:83:60 | ControlFlowNode for getSource() | test.py:83:8:83:61 | ControlFlowNode for Attribute() | -| test.py:86:49:86:59 | ControlFlowNode for getSource() | test.py:86:8:86:60 | ControlFlowNode for Attribute() | -| test.py:87:56:87:66 | ControlFlowNode for getSource() | test.py:87:8:87:67 | ControlFlowNode for Attribute() | -| test.py:114:19:114:29 | ControlFlowNode for getSource() | test.py:114:19:114:29 | ControlFlowNode for getSource() | -| test.py:115:20:115:30 | ControlFlowNode for getSource() | test.py:115:20:115:30 | ControlFlowNode for getSource() | -| test.py:116:31:116:41 | ControlFlowNode for getSource() | test.py:116:31:116:41 | ControlFlowNode for getSource() | -| test.py:117:31:117:41 | ControlFlowNode for getSource() | test.py:117:31:117:41 | ControlFlowNode for getSource() | -| test.py:118:35:118:45 | ControlFlowNode for getSource() | test.py:118:35:118:45 | ControlFlowNode for getSource() | +| test.py:3:5:3:15 | After getSource() | test.py:4:8:4:8 | x | +| 
test.py:3:5:3:15 | After getSource() | test.py:7:17:7:17 | x | +| test.py:9:8:9:14 | After alias() | test.py:9:8:9:14 | After alias() | +| test.py:10:8:10:22 | After Attribute() | test.py:10:8:10:22 | After Attribute() | +| test.py:11:8:11:30 | After Attribute() | test.py:11:8:11:30 | After Attribute() | +| test.py:71:28:71:38 | After getSource() | test.py:71:8:71:39 | After Attribute() | +| test.py:75:5:75:15 | After getSource() | test.py:76:22:76:22 | x | +| test.py:75:5:75:15 | After getSource() | test.py:77:22:77:22 | y | +| test.py:81:36:81:46 | After getSource() | test.py:81:8:81:47 | After Attribute() | +| test.py:83:50:83:60 | After getSource() | test.py:83:8:83:61 | After Attribute() | +| test.py:86:49:86:59 | After getSource() | test.py:86:8:86:60 | After Attribute() | +| test.py:87:56:87:66 | After getSource() | test.py:87:8:87:67 | After Attribute() | +| test.py:114:19:114:29 | After getSource() | test.py:114:19:114:29 | After getSource() | +| test.py:115:20:115:30 | After getSource() | test.py:115:20:115:30 | After getSource() | +| test.py:116:31:116:41 | After getSource() | test.py:116:31:116:41 | After getSource() | +| test.py:117:31:117:41 | After getSource() | test.py:117:31:117:41 | After getSource() | +| test.py:118:35:118:45 | After getSource() | test.py:118:35:118:45 | After getSource() | isSink -| test.py:4:8:4:8 | ControlFlowNode for x | test-sink | -| test.py:7:17:7:17 | ControlFlowNode for x | test-sink | -| test.py:9:8:9:14 | ControlFlowNode for alias() | test-sink | -| test.py:10:8:10:22 | ControlFlowNode for Attribute() | test-sink | -| test.py:11:8:11:30 | ControlFlowNode for Attribute() | test-sink | -| test.py:12:8:12:34 | ControlFlowNode for Attribute() | test-sink | -| test.py:16:11:16:13 | ControlFlowNode for one | test-sink | -| test.py:17:19:17:21 | ControlFlowNode for two | test-sink | -| test.py:17:24:17:28 | ControlFlowNode for three | test-sink | -| test.py:17:31:17:34 | ControlFlowNode for four | test-sink | -| 
test.py:18:37:18:40 | ControlFlowNode for five | test-sink | -| test.py:19:21:19:26 | ControlFlowNode for second | test-sink | -| test.py:30:21:30:23 | ControlFlowNode for one | test-sink | -| test.py:32:22:32:24 | ControlFlowNode for one | test-sink | -| test.py:32:27:32:29 | ControlFlowNode for two | test-sink | -| test.py:33:22:33:24 | ControlFlowNode for one | test-sink | -| test.py:33:27:33:29 | ControlFlowNode for two | test-sink | -| test.py:33:32:33:36 | ControlFlowNode for three | test-sink | -| test.py:57:27:57:33 | ControlFlowNode for arg_pos | test-sink | -| test.py:66:17:66:20 | ControlFlowNode for arg1 | test-sink | -| test.py:66:23:66:26 | ControlFlowNode for arg2 | test-sink | -| test.py:66:34:66:43 | ControlFlowNode for namedThing | test-sink | -| test.py:67:34:67:44 | ControlFlowNode for secondNamed | test-sink | -| test.py:71:8:71:39 | ControlFlowNode for Attribute() | test-sink | -| test.py:72:8:72:47 | ControlFlowNode for Attribute() | test-sink | -| test.py:76:22:76:22 | ControlFlowNode for x | test-sink | -| test.py:77:22:77:22 | ControlFlowNode for y | test-sink | -| test.py:78:22:78:22 | ControlFlowNode for z | test-sink | -| test.py:81:8:81:47 | ControlFlowNode for Attribute() | test-sink | -| test.py:82:8:82:54 | ControlFlowNode for Attribute() | test-sink | -| test.py:83:8:83:61 | ControlFlowNode for Attribute() | test-sink | -| test.py:85:8:85:53 | ControlFlowNode for Attribute() | test-sink | -| test.py:86:8:86:60 | ControlFlowNode for Attribute() | test-sink | -| test.py:87:8:87:67 | ControlFlowNode for Attribute() | test-sink | -| test.py:89:21:89:23 | ControlFlowNode for one | test-sink | -| test.py:91:21:91:23 | ControlFlowNode for one | test-sink | -| test.py:91:30:91:32 | ControlFlowNode for two | test-sink | -| test.py:98:6:98:9 | ControlFlowNode for baz2 | test-sink | -| test.py:114:19:114:29 | ControlFlowNode for getSource() | test-sink | -| test.py:115:20:115:30 | ControlFlowNode for getSource() | test-sink | -| 
test.py:116:31:116:41 | ControlFlowNode for getSource() | test-sink | -| test.py:117:31:117:41 | ControlFlowNode for getSource() | test-sink | -| test.py:118:35:118:45 | ControlFlowNode for getSource() | test-sink | +| test.py:4:8:4:8 | x | test-sink | +| test.py:7:17:7:17 | x | test-sink | +| test.py:9:8:9:14 | After alias() | test-sink | +| test.py:10:8:10:22 | After Attribute() | test-sink | +| test.py:11:8:11:30 | After Attribute() | test-sink | +| test.py:12:8:12:34 | After Attribute() | test-sink | +| test.py:16:11:16:13 | one | test-sink | +| test.py:17:19:17:21 | two | test-sink | +| test.py:17:24:17:28 | three | test-sink | +| test.py:17:31:17:34 | four | test-sink | +| test.py:18:37:18:40 | five | test-sink | +| test.py:19:21:19:26 | second | test-sink | +| test.py:30:21:30:23 | one | test-sink | +| test.py:32:22:32:24 | one | test-sink | +| test.py:32:27:32:29 | two | test-sink | +| test.py:33:22:33:24 | one | test-sink | +| test.py:33:27:33:29 | two | test-sink | +| test.py:33:32:33:36 | three | test-sink | +| test.py:57:27:57:33 | arg_pos | test-sink | +| test.py:66:17:66:20 | arg1 | test-sink | +| test.py:66:23:66:26 | arg2 | test-sink | +| test.py:66:34:66:43 | namedThing | test-sink | +| test.py:67:34:67:44 | secondNamed | test-sink | +| test.py:71:8:71:39 | After Attribute() | test-sink | +| test.py:72:8:72:47 | After Attribute() | test-sink | +| test.py:76:22:76:22 | x | test-sink | +| test.py:77:22:77:22 | y | test-sink | +| test.py:78:22:78:22 | z | test-sink | +| test.py:81:8:81:47 | After Attribute() | test-sink | +| test.py:82:8:82:54 | After Attribute() | test-sink | +| test.py:83:8:83:61 | After Attribute() | test-sink | +| test.py:85:8:85:53 | After Attribute() | test-sink | +| test.py:86:8:86:60 | After Attribute() | test-sink | +| test.py:87:8:87:67 | After Attribute() | test-sink | +| test.py:89:21:89:23 | one | test-sink | +| test.py:91:21:91:23 | one | test-sink | +| test.py:91:30:91:32 | two | test-sink | +| test.py:98:6:98:9 | baz2 
| test-sink | +| test.py:114:19:114:29 | After getSource() | test-sink | +| test.py:115:20:115:30 | After getSource() | test-sink | +| test.py:116:31:116:41 | After getSource() | test-sink | +| test.py:117:31:117:41 | After getSource() | test-sink | +| test.py:118:35:118:45 | After getSource() | test-sink | isSource -| test.py:3:5:3:15 | ControlFlowNode for getSource() | test-source | -| test.py:9:8:9:14 | ControlFlowNode for alias() | test-source | -| test.py:10:8:10:14 | ControlFlowNode for alias() | test-source | -| test.py:10:8:10:22 | ControlFlowNode for Attribute() | test-source | -| test.py:11:8:11:14 | ControlFlowNode for alias() | test-source | -| test.py:11:8:11:22 | ControlFlowNode for Attribute() | test-source | -| test.py:11:8:11:30 | ControlFlowNode for Attribute() | test-source | -| test.py:12:8:12:14 | ControlFlowNode for alias() | test-source | -| test.py:12:8:12:22 | ControlFlowNode for Attribute() | test-source | -| test.py:23:24:23:26 | ControlFlowNode for one | test-source | -| test.py:24:33:24:35 | ControlFlowNode for two | test-source | -| test.py:24:38:24:42 | ControlFlowNode for three | test-source | -| test.py:24:45:24:48 | ControlFlowNode for four | test-source | -| test.py:25:34:25:39 | ControlFlowNode for second | test-source | -| test.py:39:11:39:20 | ControlFlowNode for Await | test-source | -| test.py:41:8:41:27 | ControlFlowNode for Attribute() | test-source | -| test.py:46:7:46:16 | ControlFlowNode for SubClass() | test-source | -| test.py:51:8:51:18 | ControlFlowNode for Sub2Class() | test-source | -| test.py:53:7:53:16 | ControlFlowNode for Attribute() | test-source | -| test.py:60:13:60:16 | ControlFlowNode for self | test-source | -| test.py:60:24:60:28 | ControlFlowNode for named | test-source | -| test.py:63:36:63:39 | ControlFlowNode for arg2 | test-source | -| test.py:63:42:63:45 | ControlFlowNode for arg3 | test-source | -| test.py:63:48:63:51 | ControlFlowNode for arg4 | test-source | -| test.py:63:54:63:57 | 
ControlFlowNode for arg5 | test-source | -| test.py:71:28:71:38 | ControlFlowNode for getSource() | test-source | -| test.py:72:36:72:46 | ControlFlowNode for getSource() | test-source | -| test.py:75:5:75:15 | ControlFlowNode for getSource() | test-source | -| test.py:81:36:81:46 | ControlFlowNode for getSource() | test-source | -| test.py:82:43:82:53 | ControlFlowNode for getSource() | test-source | -| test.py:83:50:83:60 | ControlFlowNode for getSource() | test-source | -| test.py:85:42:85:52 | ControlFlowNode for getSource() | test-source | -| test.py:86:49:86:59 | ControlFlowNode for getSource() | test-source | -| test.py:87:56:87:66 | ControlFlowNode for getSource() | test-source | -| test.py:101:29:101:31 | ControlFlowNode for arg | test-source | -| test.py:104:24:104:29 | ControlFlowNode for param1 | test-source | -| test.py:104:32:104:37 | ControlFlowNode for param2 | test-source | -| test.py:107:24:107:28 | ControlFlowNode for name1 | test-source | -| test.py:107:31:107:35 | ControlFlowNode for name2 | test-source | -| test.py:114:19:114:29 | ControlFlowNode for getSource() | test-source | -| test.py:115:20:115:30 | ControlFlowNode for getSource() | test-source | -| test.py:116:31:116:41 | ControlFlowNode for getSource() | test-source | -| test.py:117:31:117:41 | ControlFlowNode for getSource() | test-source | -| test.py:118:35:118:45 | ControlFlowNode for getSource() | test-source | -| test.py:119:20:119:30 | ControlFlowNode for getSource() | test-source | -| test.py:124:1:124:33 | ControlFlowNode for Attribute() | test-source | -| test.py:126:11:126:43 | ControlFlowNode for Attribute() | test-source | -| test.py:129:11:129:39 | ControlFlowNode for Attribute() | test-source | +| test.py:3:5:3:15 | After getSource() | test-source | +| test.py:9:8:9:14 | After alias() | test-source | +| test.py:10:8:10:14 | After alias() | test-source | +| test.py:10:8:10:22 | After Attribute() | test-source | +| test.py:11:8:11:14 | After alias() | test-source | +| 
test.py:11:8:11:22 | After Attribute() | test-source | +| test.py:11:8:11:30 | After Attribute() | test-source | +| test.py:12:8:12:14 | After alias() | test-source | +| test.py:12:8:12:22 | After Attribute() | test-source | +| test.py:23:24:23:26 | one | test-source | +| test.py:24:33:24:35 | two | test-source | +| test.py:24:38:24:42 | three | test-source | +| test.py:24:45:24:48 | four | test-source | +| test.py:25:34:25:39 | second | test-source | +| test.py:39:11:39:20 | After Await | test-source | +| test.py:41:8:41:27 | After Attribute() | test-source | +| test.py:46:7:46:16 | After SubClass() | test-source | +| test.py:51:8:51:18 | After Sub2Class() | test-source | +| test.py:53:7:53:16 | After Attribute() | test-source | +| test.py:60:13:60:16 | self | test-source | +| test.py:60:24:60:28 | named | test-source | +| test.py:63:36:63:39 | arg2 | test-source | +| test.py:63:42:63:45 | arg3 | test-source | +| test.py:63:48:63:51 | arg4 | test-source | +| test.py:63:54:63:57 | arg5 | test-source | +| test.py:71:28:71:38 | After getSource() | test-source | +| test.py:72:36:72:46 | After getSource() | test-source | +| test.py:75:5:75:15 | After getSource() | test-source | +| test.py:81:36:81:46 | After getSource() | test-source | +| test.py:82:43:82:53 | After getSource() | test-source | +| test.py:83:50:83:60 | After getSource() | test-source | +| test.py:85:42:85:52 | After getSource() | test-source | +| test.py:86:49:86:59 | After getSource() | test-source | +| test.py:87:56:87:66 | After getSource() | test-source | +| test.py:101:29:101:31 | arg | test-source | +| test.py:104:24:104:29 | param1 | test-source | +| test.py:104:32:104:37 | param2 | test-source | +| test.py:107:24:107:28 | name1 | test-source | +| test.py:107:31:107:35 | name2 | test-source | +| test.py:114:19:114:29 | After getSource() | test-source | +| test.py:115:20:115:30 | After getSource() | test-source | +| test.py:116:31:116:41 | After getSource() | test-source | +| test.py:117:31:117:41 
| After getSource() | test-source | +| test.py:118:35:118:45 | After getSource() | test-source | +| test.py:119:20:119:30 | After getSource() | test-source | +| test.py:124:1:124:33 | After Attribute() | test-source | +| test.py:126:11:126:43 | After Attribute() | test-source | +| test.py:129:11:129:39 | After Attribute() | test-source | syntaxErrors | Member[foo | | Member[foo] .Member[bar] | diff --git a/python/ql/test/library-tests/frameworks/gradio/taint_step_test.expected b/python/ql/test/library-tests/frameworks/gradio/taint_step_test.expected index 2ebf825a19b..4843afe82a4 100644 --- a/python/ql/test/library-tests/frameworks/gradio/taint_step_test.expected +++ b/python/ql/test/library-tests/frameworks/gradio/taint_step_test.expected 
@@ -1,26 +1,26 @@ edges -| taint_step_test.py:5:5:5:8 | ControlFlowNode for path | taint_step_test.py:19:43:19:46 | ControlFlowNode for path | provenance | | -| taint_step_test.py:5:12:5:35 | ControlFlowNode for Attribute() | taint_step_test.py:5:5:5:8 | ControlFlowNode for path | provenance | | -| taint_step_test.py:6:5:6:8 | ControlFlowNode for file | taint_step_test.py:19:48:19:51 | ControlFlowNode for file | provenance | | -| taint_step_test.py:6:12:6:35 | ControlFlowNode for Attribute() | taint_step_test.py:6:5:6:8 | ControlFlowNode for file | provenance | | -| taint_step_test.py:11:18:11:21 | ControlFlowNode for path | taint_step_test.py:12:9:12:16 | ControlFlowNode for filepath | provenance | | -| taint_step_test.py:11:18:11:21 | ControlFlowNode for path | taint_step_test.py:12:9:12:16 | ControlFlowNode for filepath | provenance | AdditionalTaintStep | -| taint_step_test.py:11:24:11:27 | ControlFlowNode for file | taint_step_test.py:12:9:12:16 | ControlFlowNode for filepath | provenance | AdditionalTaintStep | -| taint_step_test.py:12:9:12:16 | ControlFlowNode for filepath | taint_step_test.py:13:19:13:26 | ControlFlowNode for filepath | provenance | | -| taint_step_test.py:19:43:19:46 | ControlFlowNode for path | taint_step_test.py:11:18:11:21 | ControlFlowNode for path | provenance | AdditionalTaintStep | -| taint_step_test.py:19:48:19:51 | ControlFlowNode for file | taint_step_test.py:11:24:11:27 | ControlFlowNode for file | provenance | AdditionalTaintStep | +| taint_step_test.py:5:5:5:8 | path | taint_step_test.py:19:43:19:46 | path | provenance | | +| taint_step_test.py:5:12:5:35 | After Attribute() | taint_step_test.py:5:5:5:8 | path | provenance | | +| taint_step_test.py:6:5:6:8 | file | taint_step_test.py:19:48:19:51 | file | provenance | | +| taint_step_test.py:6:12:6:35 | After Attribute() | taint_step_test.py:6:5:6:8 | file | provenance | | +| taint_step_test.py:11:18:11:21 | path | taint_step_test.py:12:9:12:16 | filepath | provenance | | +| 
taint_step_test.py:11:18:11:21 | path | taint_step_test.py:12:9:12:16 | filepath | provenance | AdditionalTaintStep | +| taint_step_test.py:11:24:11:27 | file | taint_step_test.py:12:9:12:16 | filepath | provenance | AdditionalTaintStep | +| taint_step_test.py:12:9:12:16 | filepath | taint_step_test.py:13:19:13:26 | filepath | provenance | | +| taint_step_test.py:19:43:19:46 | path | taint_step_test.py:11:18:11:21 | path | provenance | AdditionalTaintStep | +| taint_step_test.py:19:48:19:51 | file | taint_step_test.py:11:24:11:27 | file | provenance | AdditionalTaintStep | nodes -| taint_step_test.py:5:5:5:8 | ControlFlowNode for path | semmle.label | ControlFlowNode for path | -| taint_step_test.py:5:12:5:35 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| taint_step_test.py:6:5:6:8 | ControlFlowNode for file | semmle.label | ControlFlowNode for file | -| taint_step_test.py:6:12:6:35 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| taint_step_test.py:11:18:11:21 | ControlFlowNode for path | semmle.label | ControlFlowNode for path | -| taint_step_test.py:11:24:11:27 | ControlFlowNode for file | semmle.label | ControlFlowNode for file | -| taint_step_test.py:12:9:12:16 | ControlFlowNode for filepath | semmle.label | ControlFlowNode for filepath | -| taint_step_test.py:13:19:13:26 | ControlFlowNode for filepath | semmle.label | ControlFlowNode for filepath | -| taint_step_test.py:19:43:19:46 | ControlFlowNode for path | semmle.label | ControlFlowNode for path | -| taint_step_test.py:19:48:19:51 | ControlFlowNode for file | semmle.label | ControlFlowNode for file | +| taint_step_test.py:5:5:5:8 | path | semmle.label | path | +| taint_step_test.py:5:12:5:35 | After Attribute() | semmle.label | After Attribute() | +| taint_step_test.py:6:5:6:8 | file | semmle.label | file | +| taint_step_test.py:6:12:6:35 | After Attribute() | semmle.label | After Attribute() | +| 
taint_step_test.py:11:18:11:21 | path | semmle.label | path | +| taint_step_test.py:11:24:11:27 | file | semmle.label | file | +| taint_step_test.py:12:9:12:16 | filepath | semmle.label | filepath | +| taint_step_test.py:13:19:13:26 | filepath | semmle.label | filepath | +| taint_step_test.py:19:43:19:46 | path | semmle.label | path | +| taint_step_test.py:19:48:19:51 | file | semmle.label | file | subpaths #select -| taint_step_test.py:13:19:13:26 | ControlFlowNode for filepath | taint_step_test.py:5:12:5:35 | ControlFlowNode for Attribute() | taint_step_test.py:13:19:13:26 | ControlFlowNode for filepath | This path depends on a $@. | taint_step_test.py:5:12:5:35 | ControlFlowNode for Attribute() | user-provided value | -| taint_step_test.py:13:19:13:26 | ControlFlowNode for filepath | taint_step_test.py:6:12:6:35 | ControlFlowNode for Attribute() | taint_step_test.py:13:19:13:26 | ControlFlowNode for filepath | This path depends on a $@. | taint_step_test.py:6:12:6:35 | ControlFlowNode for Attribute() | user-provided value | +| taint_step_test.py:13:19:13:26 | filepath | taint_step_test.py:5:12:5:35 | After Attribute() | taint_step_test.py:13:19:13:26 | filepath | This path depends on a $@. | taint_step_test.py:5:12:5:35 | After Attribute() | user-provided value | +| taint_step_test.py:13:19:13:26 | filepath | taint_step_test.py:6:12:6:35 | After Attribute() | taint_step_test.py:13:19:13:26 | filepath | This path depends on a $@. | taint_step_test.py:6:12:6:35 | After Attribute() | user-provided value | diff --git a/python/ql/test/query-tests/Classes/init-calls-subclass-method/InitCallsSubclassMethod.expected b/python/ql/test/query-tests/Classes/init-calls-subclass-method/InitCallsSubclassMethod.expected index f06282e133b..d5dda619abb 100644 --- a/python/ql/test/query-tests/Classes/init-calls-subclass-method/InitCallsSubclassMethod.expected +++ b/python/ql/test/query-tests/Classes/init-calls-subclass-method/InitCallsSubclassMethod.expected 
@@ -1,2 +1,2 @@
-| init_calls_subclass.py:8:13:8:28 | ControlFlowNode for Attribute() | This call to $@ in an initialization method is overridden by $@. | init_calls_subclass.py:11:9:11:30 | Function set_up | bad1.Super.set_up | init_calls_subclass.py:20:9:20:30 | Function set_up | bad1.Sub.set_up |
-| init_calls_subclass.py:32:13:32:27 | ControlFlowNode for Attribute() | This call to $@ in an initialization method is overridden by $@. | init_calls_subclass.py:34:9:34:27 | Function postproc | bad2.Super.postproc | init_calls_subclass.py:43:9:43:27 | Function postproc | bad2.Sub.postproc |
+| init_calls_subclass.py:8:13:8:28 | After Attribute() | This call to $@ in an initialization method is overridden by $@. | init_calls_subclass.py:11:9:11:30 | Function set_up | bad1.Super.set_up | init_calls_subclass.py:20:9:20:30 | Function set_up | bad1.Sub.set_up |
+| init_calls_subclass.py:32:13:32:27 | After Attribute() | This call to $@ in an initialization method is overridden by $@. | init_calls_subclass.py:34:9:34:27 | Function postproc | bad2.Super.postproc | init_calls_subclass.py:43:9:43:27 | Function postproc | bad2.Sub.postproc |
diff --git a/python/ql/test/query-tests/Classes/multiple/multiple-del/SuperclassDelCalledMultipleTimes.expected b/python/ql/test/query-tests/Classes/multiple/multiple-del/SuperclassDelCalledMultipleTimes.expected
index b7ee48feba7..6e16880914b 100644
--- a/python/ql/test/query-tests/Classes/multiple/multiple-del/SuperclassDelCalledMultipleTimes.expected
+++ b/python/ql/test/query-tests/Classes/multiple/multiple-del/SuperclassDelCalledMultipleTimes.expected
@@ -1,2 +1,2 @@
-| multiple_del.py:21:5:21:22 | Function __del__ | This finalization method calls $@ multiple times, via $@ and $@, resolving to $@ and $@ respectively. | multiple_del.py:9:5:9:22 | Function __del__ | Y1.__del__ | multiple_del.py:23:9:23:24 | ControlFlowNode for Attribute() | this call | multiple_del.py:24:9:24:24 | ControlFlowNode for Attribute() | this call | multiple_del.py:9:5:9:22 | Function __del__ | Y1.__del__ | multiple_del.py:15:5:15:22 | Function __del__ | Y2.__del__ |
-| multiple_del.py:43:5:43:22 | Function __del__ | This finalization method calls $@ multiple times, via $@ and $@, resolving to $@ and $@ respectively. | multiple_del.py:32:5:32:22 | Function __del__ | Z1.__del__ | multiple_del.py:45:9:45:24 | ControlFlowNode for Attribute() | this call | multiple_del.py:46:9:46:24 | ControlFlowNode for Attribute() | this call | multiple_del.py:32:5:32:22 | Function __del__ | Z1.__del__ | multiple_del.py:37:5:37:22 | Function __del__ | Z2.__del__ |
+| multiple_del.py:21:5:21:22 | Function __del__ | This finalization method calls $@ multiple times, via $@ and $@, resolving to $@ and $@ respectively. | multiple_del.py:9:5:9:22 | Function __del__ | Y1.__del__ | multiple_del.py:23:9:23:24 | After Attribute() | this call | multiple_del.py:24:9:24:24 | After Attribute() | this call | multiple_del.py:9:5:9:22 | Function __del__ | Y1.__del__ | multiple_del.py:15:5:15:22 | Function __del__ | Y2.__del__ |
+| multiple_del.py:43:5:43:22 | Function __del__ | This finalization method calls $@ multiple times, via $@ and $@, resolving to $@ and $@ respectively. | multiple_del.py:32:5:32:22 | Function __del__ | Z1.__del__ | multiple_del.py:45:9:45:24 | After Attribute() | this call | multiple_del.py:46:9:46:24 | After Attribute() | this call | multiple_del.py:32:5:32:22 | Function __del__ | Z1.__del__ | multiple_del.py:37:5:37:22 | Function __del__ | Z2.__del__ |
diff --git a/python/ql/test/query-tests/Classes/multiple/multiple-init/SuperclassInitCalledMultipleTimes.expected b/python/ql/test/query-tests/Classes/multiple/multiple-init/SuperclassInitCalledMultipleTimes.expected
index 024d0c6425a..8c032ebb673 100644
--- a/python/ql/test/query-tests/Classes/multiple/multiple-init/SuperclassInitCalledMultipleTimes.expected
+++ b/python/ql/test/query-tests/Classes/multiple/multiple-init/SuperclassInitCalledMultipleTimes.expected
@@ -1,4 +1,4 @@
-| multiple_init.py:21:5:21:23 | Function __init__ | This initialization method calls $@ multiple times, via $@ and $@, resolving to $@ and $@ respectively. | multiple_init.py:9:5:9:23 | Function __init__ | C1.__init__ | multiple_init.py:23:9:23:25 | ControlFlowNode for Attribute() | this call | multiple_init.py:24:9:24:25 | ControlFlowNode for Attribute() | this call | multiple_init.py:9:5:9:23 | Function __init__ | C1.__init__ | multiple_init.py:15:5:15:23 | Function __init__ | C2.__init__ |
-| multiple_init.py:42:5:42:23 | Function __init__ | This initialization method calls $@ multiple times, via $@ and $@, resolving to $@ and $@ respectively. | multiple_init.py:31:5:31:23 | Function __init__ | D1.__init__ | multiple_init.py:44:9:44:25 | ControlFlowNode for Attribute() | this call | multiple_init.py:45:9:45:25 | ControlFlowNode for Attribute() | this call | multiple_init.py:31:5:31:23 | Function __init__ | D1.__init__ | multiple_init.py:36:5:36:23 | Function __init__ | D2.__init__ |
-| multiple_init.py:84:5:84:23 | Function __init__ | This initialization method calls $@ multiple times, via $@ and $@, resolving to $@ and $@ respectively. | multiple_init.py:80:5:80:23 | Function __init__ | F3.__init__ | multiple_init.py:86:9:86:25 | ControlFlowNode for Attribute() | this call | multiple_init.py:87:9:87:25 | ControlFlowNode for Attribute() | this call | multiple_init.py:75:5:75:23 | Function __init__ | F2.__init__ | multiple_init.py:80:5:80:23 | Function __init__ | F3.__init__ |
-| multiple_init.py:111:5:111:23 | Function __init__ | This initialization method calls $@ multiple times, via $@ and $@, resolving to $@ and $@ respectively. | multiple_init.py:92:5:92:23 | Function __init__ | G1.__init__ | multiple_init.py:113:9:113:25 | ControlFlowNode for Attribute() | this call | multiple_init.py:114:9:114:25 | ControlFlowNode for Attribute() | this call | multiple_init.py:96:5:96:23 | Function __init__ | G2.__init__ | multiple_init.py:101:5:101:23 | Function __init__ | G3.__init__ |
+| multiple_init.py:21:5:21:23 | Function __init__ | This initialization method calls $@ multiple times, via $@ and $@, resolving to $@ and $@ respectively. | multiple_init.py:9:5:9:23 | Function __init__ | C1.__init__ | multiple_init.py:23:9:23:25 | After Attribute() | this call | multiple_init.py:24:9:24:25 | After Attribute() | this call | multiple_init.py:9:5:9:23 | Function __init__ | C1.__init__ | multiple_init.py:15:5:15:23 | Function __init__ | C2.__init__ |
+| multiple_init.py:42:5:42:23 | Function __init__ | This initialization method calls $@ multiple times, via $@ and $@, resolving to $@ and $@ respectively. | multiple_init.py:31:5:31:23 | Function __init__ | D1.__init__ | multiple_init.py:44:9:44:25 | After Attribute() | this call | multiple_init.py:45:9:45:25 | After Attribute() | this call | multiple_init.py:31:5:31:23 | Function __init__ | D1.__init__ | multiple_init.py:36:5:36:23 | Function __init__ | D2.__init__ |
+| multiple_init.py:84:5:84:23 | Function __init__ | This initialization method calls $@ multiple times, via $@ and $@, resolving to $@ and $@ respectively. | multiple_init.py:80:5:80:23 | Function __init__ | F3.__init__ | multiple_init.py:86:9:86:25 | After Attribute() | this call | multiple_init.py:87:9:87:25 | After Attribute() | this call | multiple_init.py:75:5:75:23 | Function __init__ | F2.__init__ | multiple_init.py:80:5:80:23 | Function __init__ | F3.__init__ |
+| multiple_init.py:111:5:111:23 | Function __init__ | This initialization method calls $@ multiple times, via $@ and $@, resolving to $@ and $@ respectively. | multiple_init.py:92:5:92:23 | Function __init__ | G1.__init__ | multiple_init.py:113:9:113:25 | After Attribute() | this call | multiple_init.py:114:9:114:25 | After Attribute() | this call | multiple_init.py:96:5:96:23 | Function __init__ | G2.__init__ | multiple_init.py:101:5:101:23 | Function __init__ | G3.__init__ |
diff --git a/python/ql/test/query-tests/Classes/subclass-shadowing/SubclassShadowing.expected b/python/ql/test/query-tests/Classes/subclass-shadowing/SubclassShadowing.expected
index 94912eb1f91..172fc487f46 100644
--- a/python/ql/test/query-tests/Classes/subclass-shadowing/SubclassShadowing.expected
+++ b/python/ql/test/query-tests/Classes/subclass-shadowing/SubclassShadowing.expected
@@ -1,2 +1,2 @@
-| subclass_shadowing.py:11:5:11:21 | Function shadow | This method is shadowed by $@ in superclass $@. | subclass_shadowing.py:7:9:7:19 | ControlFlowNode for Attribute | attribute shadow | subclass_shadowing.py:4:1:4:11 | Class Base | Base |
-| subclass_shadowing.py:41:5:41:18 | Function foo | This method is shadowed by $@ in superclass $@. (read-only property may cause an error if written to in the superclass) | subclass_shadowing.py:35:9:35:16 | ControlFlowNode for Attribute | attribute foo | subclass_shadowing.py:33:1:33:12 | Class Base3 | Base3 |
+| subclass_shadowing.py:11:5:11:21 | Function shadow | This method is shadowed by $@ in superclass $@. | subclass_shadowing.py:7:9:7:19 | After Attribute | attribute shadow | subclass_shadowing.py:4:1:4:11 | Class Base | Base |
+| subclass_shadowing.py:41:5:41:18 | Function foo | This method is shadowed by $@ in superclass $@. (read-only property may cause an error if written to in the superclass) | subclass_shadowing.py:35:9:35:16 | After Attribute | attribute foo | subclass_shadowing.py:33:1:33:12 | Class Base3 | Base3 |
diff --git a/python/ql/test/query-tests/Expressions/super/CallToSuperWrongClass.expected b/python/ql/test/query-tests/Expressions/super/CallToSuperWrongClass.expected
index 859e4624a01..8db50031231 100644
--- a/python/ql/test/query-tests/Expressions/super/CallToSuperWrongClass.expected
+++ b/python/ql/test/query-tests/Expressions/super/CallToSuperWrongClass.expected
@@ -1 +1 @@
-| test.py:10:9:10:27 | ControlFlowNode for super() | First argument to super() should be NotMyDict. |
+| test.py:10:9:10:27 | After super() | First argument to super() should be NotMyDict. |
diff --git a/python/ql/test/query-tests/Numerics/Pythagorean.expected b/python/ql/test/query-tests/Numerics/Pythagorean.expected
index a289983af53..f2fb01bbb54 100644
--- a/python/ql/test/query-tests/Numerics/Pythagorean.expected
+++ b/python/ql/test/query-tests/Numerics/Pythagorean.expected
@@ -1,3 +1,3 @@
-| pythagorean_test.py:6:12:6:28 | ControlFlowNode for sqrt() | Pythagorean calculation with sub-optimal numerics. |
-| pythagorean_test.py:9:12:9:26 | ControlFlowNode for sqrt() | Pythagorean calculation with sub-optimal numerics. |
-| pythagorean_test.py:14:12:14:24 | ControlFlowNode for sqrt() | Pythagorean calculation with sub-optimal numerics. |
+| pythagorean_test.py:6:12:6:28 | After sqrt() | Pythagorean calculation with sub-optimal numerics. |
+| pythagorean_test.py:9:12:9:26 | After sqrt() | Pythagorean calculation with sub-optimal numerics. |
+| pythagorean_test.py:14:12:14:24 | After sqrt() | Pythagorean calculation with sub-optimal numerics. |
diff --git a/python/ql/test/query-tests/Security/CVE-2018-1281/BindToAllInterfaces.expected b/python/ql/test/query-tests/Security/CVE-2018-1281/BindToAllInterfaces.expected
index 0b96b2df650..418e969391d 100644
--- a/python/ql/test/query-tests/Security/CVE-2018-1281/BindToAllInterfaces.expected
+++ b/python/ql/test/query-tests/Security/CVE-2018-1281/BindToAllInterfaces.expected
@@ -1,63 +1,63 @@ #select -| BindToAllInterfaces_test.py:5:9:5:24 | ControlFlowNode for Tuple | BindToAllInterfaces_test.py:5:9:5:17 | ControlFlowNode for StringLiteral | BindToAllInterfaces_test.py:5:9:5:24 | ControlFlowNode for Tuple | Binding a socket to all interfaces (using $@) is a security risk. | BindToAllInterfaces_test.py:5:9:5:17 | ControlFlowNode for StringLiteral | '0.0.0.0' | -| BindToAllInterfaces_test.py:9:9:9:16 | ControlFlowNode for Tuple | BindToAllInterfaces_test.py:9:9:9:10 | ControlFlowNode for StringLiteral | BindToAllInterfaces_test.py:9:9:9:16 | ControlFlowNode for Tuple | Binding a socket to all interfaces (using $@) is a security risk. | BindToAllInterfaces_test.py:9:9:9:10 | ControlFlowNode for StringLiteral | '' | -| BindToAllInterfaces_test.py:17:9:17:24 | ControlFlowNode for Tuple | BindToAllInterfaces_test.py:16:14:16:22 | ControlFlowNode for StringLiteral | BindToAllInterfaces_test.py:17:9:17:24 | ControlFlowNode for Tuple | Binding a socket to all interfaces (using $@) is a security risk. | BindToAllInterfaces_test.py:16:14:16:22 | ControlFlowNode for StringLiteral | '0.0.0.0' | -| BindToAllInterfaces_test.py:21:8:21:10 | ControlFlowNode for tup | BindToAllInterfaces_test.py:16:14:16:22 | ControlFlowNode for StringLiteral | BindToAllInterfaces_test.py:21:8:21:10 | ControlFlowNode for tup | Binding a socket to all interfaces (using $@) is a security risk. | BindToAllInterfaces_test.py:16:14:16:22 | ControlFlowNode for StringLiteral | '0.0.0.0' | -| BindToAllInterfaces_test.py:26:9:26:18 | ControlFlowNode for Tuple | BindToAllInterfaces_test.py:26:9:26:12 | ControlFlowNode for StringLiteral | BindToAllInterfaces_test.py:26:9:26:18 | ControlFlowNode for Tuple | Binding a socket to all interfaces (using $@) is a security risk. 
| BindToAllInterfaces_test.py:26:9:26:12 | ControlFlowNode for StringLiteral | '::' | -| BindToAllInterfaces_test.py:39:17:39:41 | ControlFlowNode for Tuple | BindToAllInterfaces_test.py:34:26:34:34 | ControlFlowNode for StringLiteral | BindToAllInterfaces_test.py:39:17:39:41 | ControlFlowNode for Tuple | Binding a socket to all interfaces (using $@) is a security risk. | BindToAllInterfaces_test.py:34:26:34:34 | ControlFlowNode for StringLiteral | '0.0.0.0' | -| BindToAllInterfaces_test.py:48:9:48:18 | ControlFlowNode for Tuple | BindToAllInterfaces_test.py:46:35:46:43 | ControlFlowNode for StringLiteral | BindToAllInterfaces_test.py:48:9:48:18 | ControlFlowNode for Tuple | Binding a socket to all interfaces (using $@) is a security risk. | BindToAllInterfaces_test.py:46:35:46:43 | ControlFlowNode for StringLiteral | '0.0.0.0' | -| BindToAllInterfaces_test.py:53:10:53:25 | ControlFlowNode for Tuple | BindToAllInterfaces_test.py:53:10:53:18 | ControlFlowNode for StringLiteral | BindToAllInterfaces_test.py:53:10:53:25 | ControlFlowNode for Tuple | Binding a socket to all interfaces (using $@) is a security risk. | BindToAllInterfaces_test.py:53:10:53:18 | ControlFlowNode for StringLiteral | '0.0.0.0' | -| BindToAllInterfaces_test.py:58:10:58:25 | ControlFlowNode for Tuple | BindToAllInterfaces_test.py:58:10:58:18 | ControlFlowNode for StringLiteral | BindToAllInterfaces_test.py:58:10:58:25 | ControlFlowNode for Tuple | Binding a socket to all interfaces (using $@) is a security risk. | BindToAllInterfaces_test.py:58:10:58:18 | ControlFlowNode for StringLiteral | '0.0.0.0' | +| BindToAllInterfaces_test.py:5:9:5:24 | After Tuple | BindToAllInterfaces_test.py:5:9:5:17 | StringLiteral | BindToAllInterfaces_test.py:5:9:5:24 | After Tuple | Binding a socket to all interfaces (using $@) is a security risk. 
| BindToAllInterfaces_test.py:5:9:5:17 | StringLiteral | '0.0.0.0' | +| BindToAllInterfaces_test.py:9:9:9:16 | After Tuple | BindToAllInterfaces_test.py:9:9:9:10 | StringLiteral | BindToAllInterfaces_test.py:9:9:9:16 | After Tuple | Binding a socket to all interfaces (using $@) is a security risk. | BindToAllInterfaces_test.py:9:9:9:10 | StringLiteral | '' | +| BindToAllInterfaces_test.py:17:9:17:24 | After Tuple | BindToAllInterfaces_test.py:16:14:16:22 | StringLiteral | BindToAllInterfaces_test.py:17:9:17:24 | After Tuple | Binding a socket to all interfaces (using $@) is a security risk. | BindToAllInterfaces_test.py:16:14:16:22 | StringLiteral | '0.0.0.0' | +| BindToAllInterfaces_test.py:21:8:21:10 | tup | BindToAllInterfaces_test.py:16:14:16:22 | StringLiteral | BindToAllInterfaces_test.py:21:8:21:10 | tup | Binding a socket to all interfaces (using $@) is a security risk. | BindToAllInterfaces_test.py:16:14:16:22 | StringLiteral | '0.0.0.0' | +| BindToAllInterfaces_test.py:26:9:26:18 | After Tuple | BindToAllInterfaces_test.py:26:9:26:12 | StringLiteral | BindToAllInterfaces_test.py:26:9:26:18 | After Tuple | Binding a socket to all interfaces (using $@) is a security risk. | BindToAllInterfaces_test.py:26:9:26:12 | StringLiteral | '::' | +| BindToAllInterfaces_test.py:39:17:39:41 | After Tuple | BindToAllInterfaces_test.py:34:26:34:34 | StringLiteral | BindToAllInterfaces_test.py:39:17:39:41 | After Tuple | Binding a socket to all interfaces (using $@) is a security risk. | BindToAllInterfaces_test.py:34:26:34:34 | StringLiteral | '0.0.0.0' | +| BindToAllInterfaces_test.py:48:9:48:18 | After Tuple | BindToAllInterfaces_test.py:46:35:46:43 | StringLiteral | BindToAllInterfaces_test.py:48:9:48:18 | After Tuple | Binding a socket to all interfaces (using $@) is a security risk. 
| BindToAllInterfaces_test.py:46:35:46:43 | StringLiteral | '0.0.0.0' | +| BindToAllInterfaces_test.py:53:10:53:25 | After Tuple | BindToAllInterfaces_test.py:53:10:53:18 | StringLiteral | BindToAllInterfaces_test.py:53:10:53:25 | After Tuple | Binding a socket to all interfaces (using $@) is a security risk. | BindToAllInterfaces_test.py:53:10:53:18 | StringLiteral | '0.0.0.0' | +| BindToAllInterfaces_test.py:58:10:58:25 | After Tuple | BindToAllInterfaces_test.py:58:10:58:18 | StringLiteral | BindToAllInterfaces_test.py:58:10:58:25 | After Tuple | Binding a socket to all interfaces (using $@) is a security risk. | BindToAllInterfaces_test.py:58:10:58:18 | StringLiteral | '0.0.0.0' | edges -| BindToAllInterfaces_test.py:5:9:5:17 | ControlFlowNode for StringLiteral | BindToAllInterfaces_test.py:5:9:5:24 | ControlFlowNode for Tuple | provenance | Sink:MaD:63 | -| BindToAllInterfaces_test.py:9:9:9:10 | ControlFlowNode for StringLiteral | BindToAllInterfaces_test.py:9:9:9:16 | ControlFlowNode for Tuple | provenance | Sink:MaD:63 | -| BindToAllInterfaces_test.py:16:1:16:10 | ControlFlowNode for ALL_LOCALS | BindToAllInterfaces_test.py:17:9:17:24 | ControlFlowNode for Tuple | provenance | Sink:MaD:63 | -| BindToAllInterfaces_test.py:16:1:16:10 | ControlFlowNode for ALL_LOCALS | BindToAllInterfaces_test.py:20:1:20:3 | ControlFlowNode for tup | provenance | | -| BindToAllInterfaces_test.py:16:14:16:22 | ControlFlowNode for StringLiteral | BindToAllInterfaces_test.py:16:1:16:10 | ControlFlowNode for ALL_LOCALS | provenance | | -| BindToAllInterfaces_test.py:20:1:20:3 | ControlFlowNode for tup | BindToAllInterfaces_test.py:21:8:21:10 | ControlFlowNode for tup | provenance | Sink:MaD:63 | -| BindToAllInterfaces_test.py:26:9:26:12 | ControlFlowNode for StringLiteral | BindToAllInterfaces_test.py:26:9:26:18 | ControlFlowNode for Tuple | provenance | Sink:MaD:63 | -| BindToAllInterfaces_test.py:33:18:33:21 | ControlFlowNode for self [Return] [Attribute bind_addr] | 
BindToAllInterfaces_test.py:41:10:41:17 | ControlFlowNode for Server() [Attribute bind_addr] | provenance | | -| BindToAllInterfaces_test.py:34:9:34:12 | [post] ControlFlowNode for self [Attribute bind_addr] | BindToAllInterfaces_test.py:33:18:33:21 | ControlFlowNode for self [Return] [Attribute bind_addr] | provenance | | -| BindToAllInterfaces_test.py:34:26:34:34 | ControlFlowNode for StringLiteral | BindToAllInterfaces_test.py:34:9:34:12 | [post] ControlFlowNode for self [Attribute bind_addr] | provenance | | -| BindToAllInterfaces_test.py:37:15:37:18 | ControlFlowNode for self [Attribute bind_addr] | BindToAllInterfaces_test.py:39:17:39:20 | ControlFlowNode for self [Attribute bind_addr] | provenance | | -| BindToAllInterfaces_test.py:39:17:39:20 | ControlFlowNode for self [Attribute bind_addr] | BindToAllInterfaces_test.py:39:17:39:30 | ControlFlowNode for Attribute | provenance | | -| BindToAllInterfaces_test.py:39:17:39:30 | ControlFlowNode for Attribute | BindToAllInterfaces_test.py:39:17:39:41 | ControlFlowNode for Tuple | provenance | Sink:MaD:63 | -| BindToAllInterfaces_test.py:41:1:41:6 | ControlFlowNode for server [Attribute bind_addr] | BindToAllInterfaces_test.py:42:1:42:6 | ControlFlowNode for server [Attribute bind_addr] | provenance | | -| BindToAllInterfaces_test.py:41:10:41:17 | ControlFlowNode for Server() [Attribute bind_addr] | BindToAllInterfaces_test.py:41:1:41:6 | ControlFlowNode for server [Attribute bind_addr] | provenance | | -| BindToAllInterfaces_test.py:42:1:42:6 | ControlFlowNode for server [Attribute bind_addr] | BindToAllInterfaces_test.py:37:15:37:18 | ControlFlowNode for self [Attribute bind_addr] | provenance | | -| BindToAllInterfaces_test.py:46:1:46:4 | ControlFlowNode for host | BindToAllInterfaces_test.py:48:9:48:18 | ControlFlowNode for Tuple | provenance | Sink:MaD:63 | -| BindToAllInterfaces_test.py:46:8:46:44 | ControlFlowNode for Attribute() | BindToAllInterfaces_test.py:46:1:46:4 | ControlFlowNode for host | 
provenance | | -| BindToAllInterfaces_test.py:46:35:46:43 | ControlFlowNode for StringLiteral | BindToAllInterfaces_test.py:46:8:46:44 | ControlFlowNode for Attribute() | provenance | dict.get | -| BindToAllInterfaces_test.py:53:10:53:18 | ControlFlowNode for StringLiteral | BindToAllInterfaces_test.py:53:10:53:25 | ControlFlowNode for Tuple | provenance | Sink:MaD:63 | -| BindToAllInterfaces_test.py:58:10:58:18 | ControlFlowNode for StringLiteral | BindToAllInterfaces_test.py:58:10:58:25 | ControlFlowNode for Tuple | provenance | Sink:MaD:63 | +| BindToAllInterfaces_test.py:5:9:5:17 | StringLiteral | BindToAllInterfaces_test.py:5:9:5:24 | After Tuple | provenance | Sink:MaD:63 | +| BindToAllInterfaces_test.py:9:9:9:10 | StringLiteral | BindToAllInterfaces_test.py:9:9:9:16 | After Tuple | provenance | Sink:MaD:63 | +| BindToAllInterfaces_test.py:16:1:16:10 | ALL_LOCALS | BindToAllInterfaces_test.py:17:9:17:24 | After Tuple | provenance | Sink:MaD:63 | +| BindToAllInterfaces_test.py:16:1:16:10 | ALL_LOCALS | BindToAllInterfaces_test.py:20:1:20:3 | tup | provenance | | +| BindToAllInterfaces_test.py:16:14:16:22 | StringLiteral | BindToAllInterfaces_test.py:16:1:16:10 | ALL_LOCALS | provenance | | +| BindToAllInterfaces_test.py:20:1:20:3 | tup | BindToAllInterfaces_test.py:21:8:21:10 | tup | provenance | Sink:MaD:63 | +| BindToAllInterfaces_test.py:26:9:26:12 | StringLiteral | BindToAllInterfaces_test.py:26:9:26:18 | After Tuple | provenance | Sink:MaD:63 | +| BindToAllInterfaces_test.py:33:18:33:21 | self [Return] [Attribute bind_addr] | BindToAllInterfaces_test.py:41:10:41:17 | After Server() [Attribute bind_addr] | provenance | | +| BindToAllInterfaces_test.py:34:9:34:12 | [post] self [Attribute bind_addr] | BindToAllInterfaces_test.py:33:18:33:21 | self [Return] [Attribute bind_addr] | provenance | | +| BindToAllInterfaces_test.py:34:26:34:34 | StringLiteral | BindToAllInterfaces_test.py:34:9:34:12 | [post] self [Attribute bind_addr] | provenance | | +| 
BindToAllInterfaces_test.py:37:15:37:18 | self [Attribute bind_addr] | BindToAllInterfaces_test.py:39:17:39:20 | self [Attribute bind_addr] | provenance | | +| BindToAllInterfaces_test.py:39:17:39:20 | self [Attribute bind_addr] | BindToAllInterfaces_test.py:39:17:39:30 | After Attribute | provenance | | +| BindToAllInterfaces_test.py:39:17:39:30 | After Attribute | BindToAllInterfaces_test.py:39:17:39:41 | After Tuple | provenance | Sink:MaD:63 | +| BindToAllInterfaces_test.py:41:1:41:6 | server [Attribute bind_addr] | BindToAllInterfaces_test.py:42:1:42:6 | server [Attribute bind_addr] | provenance | | +| BindToAllInterfaces_test.py:41:10:41:17 | After Server() [Attribute bind_addr] | BindToAllInterfaces_test.py:41:1:41:6 | server [Attribute bind_addr] | provenance | | +| BindToAllInterfaces_test.py:42:1:42:6 | server [Attribute bind_addr] | BindToAllInterfaces_test.py:37:15:37:18 | self [Attribute bind_addr] | provenance | | +| BindToAllInterfaces_test.py:46:1:46:4 | host | BindToAllInterfaces_test.py:48:9:48:18 | After Tuple | provenance | Sink:MaD:63 | +| BindToAllInterfaces_test.py:46:8:46:44 | After Attribute() | BindToAllInterfaces_test.py:46:1:46:4 | host | provenance | | +| BindToAllInterfaces_test.py:46:35:46:43 | StringLiteral | BindToAllInterfaces_test.py:46:8:46:44 | After Attribute() | provenance | dict.get | +| BindToAllInterfaces_test.py:53:10:53:18 | StringLiteral | BindToAllInterfaces_test.py:53:10:53:25 | After Tuple | provenance | Sink:MaD:63 | +| BindToAllInterfaces_test.py:58:10:58:18 | StringLiteral | BindToAllInterfaces_test.py:58:10:58:25 | After Tuple | provenance | Sink:MaD:63 | nodes -| BindToAllInterfaces_test.py:5:9:5:17 | ControlFlowNode for StringLiteral | semmle.label | ControlFlowNode for StringLiteral | -| BindToAllInterfaces_test.py:5:9:5:24 | ControlFlowNode for Tuple | semmle.label | ControlFlowNode for Tuple | -| BindToAllInterfaces_test.py:9:9:9:10 | ControlFlowNode for StringLiteral | semmle.label | ControlFlowNode for 
StringLiteral | -| BindToAllInterfaces_test.py:9:9:9:16 | ControlFlowNode for Tuple | semmle.label | ControlFlowNode for Tuple | -| BindToAllInterfaces_test.py:16:1:16:10 | ControlFlowNode for ALL_LOCALS | semmle.label | ControlFlowNode for ALL_LOCALS | -| BindToAllInterfaces_test.py:16:14:16:22 | ControlFlowNode for StringLiteral | semmle.label | ControlFlowNode for StringLiteral | -| BindToAllInterfaces_test.py:17:9:17:24 | ControlFlowNode for Tuple | semmle.label | ControlFlowNode for Tuple | -| BindToAllInterfaces_test.py:20:1:20:3 | ControlFlowNode for tup | semmle.label | ControlFlowNode for tup | -| BindToAllInterfaces_test.py:21:8:21:10 | ControlFlowNode for tup | semmle.label | ControlFlowNode for tup | -| BindToAllInterfaces_test.py:26:9:26:12 | ControlFlowNode for StringLiteral | semmle.label | ControlFlowNode for StringLiteral | -| BindToAllInterfaces_test.py:26:9:26:18 | ControlFlowNode for Tuple | semmle.label | ControlFlowNode for Tuple | -| BindToAllInterfaces_test.py:33:18:33:21 | ControlFlowNode for self [Return] [Attribute bind_addr] | semmle.label | ControlFlowNode for self [Return] [Attribute bind_addr] | -| BindToAllInterfaces_test.py:34:9:34:12 | [post] ControlFlowNode for self [Attribute bind_addr] | semmle.label | [post] ControlFlowNode for self [Attribute bind_addr] | -| BindToAllInterfaces_test.py:34:26:34:34 | ControlFlowNode for StringLiteral | semmle.label | ControlFlowNode for StringLiteral | -| BindToAllInterfaces_test.py:37:15:37:18 | ControlFlowNode for self [Attribute bind_addr] | semmle.label | ControlFlowNode for self [Attribute bind_addr] | -| BindToAllInterfaces_test.py:39:17:39:20 | ControlFlowNode for self [Attribute bind_addr] | semmle.label | ControlFlowNode for self [Attribute bind_addr] | -| BindToAllInterfaces_test.py:39:17:39:30 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | -| BindToAllInterfaces_test.py:39:17:39:41 | ControlFlowNode for Tuple | semmle.label | ControlFlowNode for 
Tuple | -| BindToAllInterfaces_test.py:41:1:41:6 | ControlFlowNode for server [Attribute bind_addr] | semmle.label | ControlFlowNode for server [Attribute bind_addr] | -| BindToAllInterfaces_test.py:41:10:41:17 | ControlFlowNode for Server() [Attribute bind_addr] | semmle.label | ControlFlowNode for Server() [Attribute bind_addr] | -| BindToAllInterfaces_test.py:42:1:42:6 | ControlFlowNode for server [Attribute bind_addr] | semmle.label | ControlFlowNode for server [Attribute bind_addr] | -| BindToAllInterfaces_test.py:46:1:46:4 | ControlFlowNode for host | semmle.label | ControlFlowNode for host | -| BindToAllInterfaces_test.py:46:8:46:44 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| BindToAllInterfaces_test.py:46:35:46:43 | ControlFlowNode for StringLiteral | semmle.label | ControlFlowNode for StringLiteral | -| BindToAllInterfaces_test.py:48:9:48:18 | ControlFlowNode for Tuple | semmle.label | ControlFlowNode for Tuple | -| BindToAllInterfaces_test.py:53:10:53:18 | ControlFlowNode for StringLiteral | semmle.label | ControlFlowNode for StringLiteral | -| BindToAllInterfaces_test.py:53:10:53:25 | ControlFlowNode for Tuple | semmle.label | ControlFlowNode for Tuple | -| BindToAllInterfaces_test.py:58:10:58:18 | ControlFlowNode for StringLiteral | semmle.label | ControlFlowNode for StringLiteral | -| BindToAllInterfaces_test.py:58:10:58:25 | ControlFlowNode for Tuple | semmle.label | ControlFlowNode for Tuple | +| BindToAllInterfaces_test.py:5:9:5:17 | StringLiteral | semmle.label | StringLiteral | +| BindToAllInterfaces_test.py:5:9:5:24 | After Tuple | semmle.label | After Tuple | +| BindToAllInterfaces_test.py:9:9:9:10 | StringLiteral | semmle.label | StringLiteral | +| BindToAllInterfaces_test.py:9:9:9:16 | After Tuple | semmle.label | After Tuple | +| BindToAllInterfaces_test.py:16:1:16:10 | ALL_LOCALS | semmle.label | ALL_LOCALS | +| BindToAllInterfaces_test.py:16:14:16:22 | StringLiteral | semmle.label | StringLiteral 
| +| BindToAllInterfaces_test.py:17:9:17:24 | After Tuple | semmle.label | After Tuple | +| BindToAllInterfaces_test.py:20:1:20:3 | tup | semmle.label | tup | +| BindToAllInterfaces_test.py:21:8:21:10 | tup | semmle.label | tup | +| BindToAllInterfaces_test.py:26:9:26:12 | StringLiteral | semmle.label | StringLiteral | +| BindToAllInterfaces_test.py:26:9:26:18 | After Tuple | semmle.label | After Tuple | +| BindToAllInterfaces_test.py:33:18:33:21 | self [Return] [Attribute bind_addr] | semmle.label | self [Return] [Attribute bind_addr] | +| BindToAllInterfaces_test.py:34:9:34:12 | [post] self [Attribute bind_addr] | semmle.label | [post] self [Attribute bind_addr] | +| BindToAllInterfaces_test.py:34:26:34:34 | StringLiteral | semmle.label | StringLiteral | +| BindToAllInterfaces_test.py:37:15:37:18 | self [Attribute bind_addr] | semmle.label | self [Attribute bind_addr] | +| BindToAllInterfaces_test.py:39:17:39:20 | self [Attribute bind_addr] | semmle.label | self [Attribute bind_addr] | +| BindToAllInterfaces_test.py:39:17:39:30 | After Attribute | semmle.label | After Attribute | +| BindToAllInterfaces_test.py:39:17:39:41 | After Tuple | semmle.label | After Tuple | +| BindToAllInterfaces_test.py:41:1:41:6 | server [Attribute bind_addr] | semmle.label | server [Attribute bind_addr] | +| BindToAllInterfaces_test.py:41:10:41:17 | After Server() [Attribute bind_addr] | semmle.label | After Server() [Attribute bind_addr] | +| BindToAllInterfaces_test.py:42:1:42:6 | server [Attribute bind_addr] | semmle.label | server [Attribute bind_addr] | +| BindToAllInterfaces_test.py:46:1:46:4 | host | semmle.label | host | +| BindToAllInterfaces_test.py:46:8:46:44 | After Attribute() | semmle.label | After Attribute() | +| BindToAllInterfaces_test.py:46:35:46:43 | StringLiteral | semmle.label | StringLiteral | +| BindToAllInterfaces_test.py:48:9:48:18 | After Tuple | semmle.label | After Tuple | +| BindToAllInterfaces_test.py:53:10:53:18 | StringLiteral | semmle.label | 
StringLiteral | +| BindToAllInterfaces_test.py:53:10:53:25 | After Tuple | semmle.label | After Tuple | +| BindToAllInterfaces_test.py:58:10:58:18 | StringLiteral | semmle.label | StringLiteral | +| BindToAllInterfaces_test.py:58:10:58:25 | After Tuple | semmle.label | After Tuple | subpaths diff --git a/python/ql/test/query-tests/Security/CWE-020-CookieInjection/CookieInjection.expected b/python/ql/test/query-tests/Security/CWE-020-CookieInjection/CookieInjection.expected index cf3a06ac7c8..f5a3607f047 100644 --- a/python/ql/test/query-tests/Security/CWE-020-CookieInjection/CookieInjection.expected +++ b/python/ql/test/query-tests/Security/CWE-020-CookieInjection/CookieInjection.expected 
@@ -1,28 +1,28 @@ edges -| django_tests.py:4:25:4:31 | ControlFlowNode for request | django_tests.py:6:21:6:31 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | -| django_tests.py:4:25:4:31 | ControlFlowNode for request | django_tests.py:7:21:7:31 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | -| django_tests.py:6:21:6:31 | ControlFlowNode for Attribute | django_tests.py:6:21:6:43 | ControlFlowNode for Attribute() | provenance | dict.get | -| django_tests.py:7:21:7:31 | ControlFlowNode for Attribute | django_tests.py:7:21:7:44 | ControlFlowNode for Attribute() | provenance | dict.get | -| django_tests.py:11:26:11:32 | ControlFlowNode for request | django_tests.py:13:33:13:43 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | -| django_tests.py:11:26:11:32 | ControlFlowNode for request | django_tests.py:13:59:13:69 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | -| django_tests.py:13:33:13:43 | ControlFlowNode for Attribute | django_tests.py:13:33:13:55 | ControlFlowNode for Attribute() | provenance | dict.get | -| django_tests.py:13:33:13:55 | ControlFlowNode for Attribute() | django_tests.py:13:30:13:100 | ControlFlowNode for Fstring | provenance | | -| django_tests.py:13:59:13:69 | ControlFlowNode for Attribute | django_tests.py:13:59:13:82 | ControlFlowNode for Attribute() | provenance | dict.get | -| django_tests.py:13:59:13:82 | ControlFlowNode for Attribute() | django_tests.py:13:30:13:100 | ControlFlowNode for Fstring | provenance | | +| django_tests.py:4:25:4:31 | request | django_tests.py:6:21:6:31 | After Attribute | provenance | AdditionalTaintStep | +| django_tests.py:4:25:4:31 | request | django_tests.py:7:21:7:31 | After Attribute | provenance | AdditionalTaintStep | +| django_tests.py:6:21:6:31 | After Attribute | django_tests.py:6:21:6:43 | After Attribute() | provenance | dict.get | +| django_tests.py:7:21:7:31 | After Attribute | django_tests.py:7:21:7:44 | After 
Attribute() | provenance | dict.get | +| django_tests.py:11:26:11:32 | request | django_tests.py:13:33:13:43 | After Attribute | provenance | AdditionalTaintStep | +| django_tests.py:11:26:11:32 | request | django_tests.py:13:59:13:69 | After Attribute | provenance | AdditionalTaintStep | +| django_tests.py:13:33:13:43 | After Attribute | django_tests.py:13:33:13:55 | After Attribute() | provenance | dict.get | +| django_tests.py:13:33:13:55 | After Attribute() | django_tests.py:13:30:13:100 | After Fstring | provenance | | +| django_tests.py:13:59:13:69 | After Attribute | django_tests.py:13:59:13:82 | After Attribute() | provenance | dict.get | +| django_tests.py:13:59:13:82 | After Attribute() | django_tests.py:13:30:13:100 | After Fstring | provenance | | nodes -| django_tests.py:4:25:4:31 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| django_tests.py:6:21:6:31 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | -| django_tests.py:6:21:6:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| django_tests.py:7:21:7:31 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | -| django_tests.py:7:21:7:44 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| django_tests.py:11:26:11:32 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| django_tests.py:13:30:13:100 | ControlFlowNode for Fstring | semmle.label | ControlFlowNode for Fstring | -| django_tests.py:13:33:13:43 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | -| django_tests.py:13:33:13:55 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| django_tests.py:13:59:13:69 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | -| django_tests.py:13:59:13:82 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for 
Attribute() | +| django_tests.py:4:25:4:31 | request | semmle.label | request | +| django_tests.py:6:21:6:31 | After Attribute | semmle.label | After Attribute | +| django_tests.py:6:21:6:43 | After Attribute() | semmle.label | After Attribute() | +| django_tests.py:7:21:7:31 | After Attribute | semmle.label | After Attribute | +| django_tests.py:7:21:7:44 | After Attribute() | semmle.label | After Attribute() | +| django_tests.py:11:26:11:32 | request | semmle.label | request | +| django_tests.py:13:30:13:100 | After Fstring | semmle.label | After Fstring | +| django_tests.py:13:33:13:43 | After Attribute | semmle.label | After Attribute | +| django_tests.py:13:33:13:55 | After Attribute() | semmle.label | After Attribute() | +| django_tests.py:13:59:13:69 | After Attribute | semmle.label | After Attribute | +| django_tests.py:13:59:13:82 | After Attribute() | semmle.label | After Attribute() | subpaths #select -| django_tests.py:6:21:6:43 | ControlFlowNode for Attribute() | django_tests.py:4:25:4:31 | ControlFlowNode for request | django_tests.py:6:21:6:43 | ControlFlowNode for Attribute() | Cookie is constructed from a $@. | django_tests.py:4:25:4:31 | ControlFlowNode for request | user-supplied input | -| django_tests.py:7:21:7:44 | ControlFlowNode for Attribute() | django_tests.py:4:25:4:31 | ControlFlowNode for request | django_tests.py:7:21:7:44 | ControlFlowNode for Attribute() | Cookie is constructed from a $@. | django_tests.py:4:25:4:31 | ControlFlowNode for request | user-supplied input | -| django_tests.py:13:30:13:100 | ControlFlowNode for Fstring | django_tests.py:11:26:11:32 | ControlFlowNode for request | django_tests.py:13:30:13:100 | ControlFlowNode for Fstring | Cookie is constructed from a $@. | django_tests.py:11:26:11:32 | ControlFlowNode for request | user-supplied input | +| django_tests.py:6:21:6:43 | After Attribute() | django_tests.py:4:25:4:31 | request | django_tests.py:6:21:6:43 | After Attribute() | Cookie is constructed from a $@. 
| django_tests.py:4:25:4:31 | request | user-supplied input | +| django_tests.py:7:21:7:44 | After Attribute() | django_tests.py:4:25:4:31 | request | django_tests.py:7:21:7:44 | After Attribute() | Cookie is constructed from a $@. | django_tests.py:4:25:4:31 | request | user-supplied input | +| django_tests.py:13:30:13:100 | After Fstring | django_tests.py:11:26:11:32 | request | django_tests.py:13:30:13:100 | After Fstring | Cookie is constructed from a $@. | django_tests.py:11:26:11:32 | request | user-supplied input | diff --git a/python/ql/test/query-tests/Security/CWE-020-ExternalAPIs/UntrustedDataToExternalAPI.expected b/python/ql/test/query-tests/Security/CWE-020-ExternalAPIs/UntrustedDataToExternalAPI.expected index 08a5b798f71..bfa1ee5b7d9 100644 --- a/python/ql/test/query-tests/Security/CWE-020-ExternalAPIs/UntrustedDataToExternalAPI.expected +++ b/python/ql/test/query-tests/Security/CWE-020-ExternalAPIs/UntrustedDataToExternalAPI.expected 
@@ -1,75 +1,75 @@ edges -| test.py:5:26:5:32 | ControlFlowNode for ImportMember | test.py:5:26:5:32 | ControlFlowNode for request | provenance | | -| test.py:5:26:5:32 | ControlFlowNode for request | test.py:13:16:13:22 | ControlFlowNode for request | provenance | | -| test.py:5:26:5:32 | ControlFlowNode for request | test.py:23:16:23:22 | ControlFlowNode for request | provenance | | -| test.py:5:26:5:32 | ControlFlowNode for request | test.py:34:12:34:18 | ControlFlowNode for request | provenance | | -| test.py:5:26:5:32 | ControlFlowNode for request | test.py:42:12:42:18 | ControlFlowNode for request | provenance | | -| test.py:5:26:5:32 | ControlFlowNode for request | test.py:54:12:54:18 | ControlFlowNode for request | provenance | | -| test.py:13:5:13:12 | ControlFlowNode for data_raw | test.py:14:5:14:8 | ControlFlowNode for data | provenance | Decoding-Base64 | -| test.py:13:16:13:22 | ControlFlowNode for request | test.py:13:16:13:27 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | -| test.py:13:16:13:27 | ControlFlowNode for Attribute | test.py:13:16:13:39 | ControlFlowNode for Attribute() | provenance | dict.get | -| test.py:13:16:13:39 | ControlFlowNode for Attribute() | test.py:13:5:13:12 | ControlFlowNode for data_raw | provenance | | -| test.py:14:5:14:8 | ControlFlowNode for data | test.py:15:36:15:39 | ControlFlowNode for data | provenance | | -| test.py:23:5:23:12 | ControlFlowNode for data_raw | test.py:24:5:24:8 | ControlFlowNode for data | provenance | Decoding-Base64 | -| test.py:23:16:23:22 | ControlFlowNode for request | test.py:23:16:23:27 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | -| test.py:23:16:23:27 | ControlFlowNode for Attribute | test.py:23:16:23:39 | ControlFlowNode for Attribute() | provenance | dict.get | -| test.py:23:16:23:39 | ControlFlowNode for Attribute() | test.py:23:5:23:12 | ControlFlowNode for data_raw | provenance | | -| test.py:24:5:24:8 | ControlFlowNode for data | 
test.py:25:44:25:47 | ControlFlowNode for data | provenance | | -| test.py:34:5:34:8 | ControlFlowNode for data | test.py:35:10:35:13 | ControlFlowNode for data | provenance | | -| test.py:34:5:34:8 | ControlFlowNode for data | test.py:36:13:36:16 | ControlFlowNode for data | provenance | | -| test.py:34:12:34:18 | ControlFlowNode for request | test.py:34:12:34:23 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | -| test.py:34:12:34:23 | ControlFlowNode for Attribute | test.py:34:12:34:35 | ControlFlowNode for Attribute() | provenance | dict.get | -| test.py:34:12:34:35 | ControlFlowNode for Attribute() | test.py:34:5:34:8 | ControlFlowNode for data | provenance | | -| test.py:42:5:42:8 | ControlFlowNode for data | test.py:43:22:43:25 | ControlFlowNode for data | provenance | | -| test.py:42:5:42:8 | ControlFlowNode for data | test.py:44:25:44:28 | ControlFlowNode for data | provenance | | -| test.py:42:12:42:18 | ControlFlowNode for request | test.py:42:12:42:23 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | -| test.py:42:12:42:23 | ControlFlowNode for Attribute | test.py:42:12:42:35 | ControlFlowNode for Attribute() | provenance | dict.get | -| test.py:42:12:42:35 | ControlFlowNode for Attribute() | test.py:42:5:42:8 | ControlFlowNode for data | provenance | | -| test.py:47:17:47:19 | ControlFlowNode for arg | test.py:50:32:50:34 | ControlFlowNode for arg | provenance | | -| test.py:54:5:54:8 | ControlFlowNode for data | test.py:55:17:55:20 | ControlFlowNode for data | provenance | | -| test.py:54:12:54:18 | ControlFlowNode for request | test.py:54:12:54:23 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | -| test.py:54:12:54:23 | ControlFlowNode for Attribute | test.py:54:12:54:35 | ControlFlowNode for Attribute() | provenance | dict.get | -| test.py:54:12:54:35 | ControlFlowNode for Attribute() | test.py:54:5:54:8 | ControlFlowNode for data | provenance | | -| test.py:55:17:55:20 | ControlFlowNode for 
data | test.py:47:17:47:19 | ControlFlowNode for arg | provenance | | +| test.py:5:26:5:32 | After ImportMember | test.py:5:26:5:32 | request | provenance | | +| test.py:5:26:5:32 | request | test.py:13:16:13:22 | request | provenance | | +| test.py:5:26:5:32 | request | test.py:23:16:23:22 | request | provenance | | +| test.py:5:26:5:32 | request | test.py:34:12:34:18 | request | provenance | | +| test.py:5:26:5:32 | request | test.py:42:12:42:18 | request | provenance | | +| test.py:5:26:5:32 | request | test.py:54:12:54:18 | request | provenance | | +| test.py:13:5:13:12 | data_raw | test.py:14:5:14:8 | data | provenance | Decoding-Base64 | +| test.py:13:16:13:22 | request | test.py:13:16:13:27 | After Attribute | provenance | AdditionalTaintStep | +| test.py:13:16:13:27 | After Attribute | test.py:13:16:13:39 | After Attribute() | provenance | dict.get | +| test.py:13:16:13:39 | After Attribute() | test.py:13:5:13:12 | data_raw | provenance | | +| test.py:14:5:14:8 | data | test.py:15:36:15:39 | data | provenance | | +| test.py:23:5:23:12 | data_raw | test.py:24:5:24:8 | data | provenance | Decoding-Base64 | +| test.py:23:16:23:22 | request | test.py:23:16:23:27 | After Attribute | provenance | AdditionalTaintStep | +| test.py:23:16:23:27 | After Attribute | test.py:23:16:23:39 | After Attribute() | provenance | dict.get | +| test.py:23:16:23:39 | After Attribute() | test.py:23:5:23:12 | data_raw | provenance | | +| test.py:24:5:24:8 | data | test.py:25:44:25:47 | data | provenance | | +| test.py:34:5:34:8 | data | test.py:35:10:35:13 | data | provenance | | +| test.py:34:5:34:8 | data | test.py:36:13:36:16 | data | provenance | | +| test.py:34:12:34:18 | request | test.py:34:12:34:23 | After Attribute | provenance | AdditionalTaintStep | +| test.py:34:12:34:23 | After Attribute | test.py:34:12:34:35 | After Attribute() | provenance | dict.get | +| test.py:34:12:34:35 | After Attribute() | test.py:34:5:34:8 | data | provenance | | +| test.py:42:5:42:8 | data | 
test.py:43:22:43:25 | data | provenance | | +| test.py:42:5:42:8 | data | test.py:44:25:44:28 | data | provenance | | +| test.py:42:12:42:18 | request | test.py:42:12:42:23 | After Attribute | provenance | AdditionalTaintStep | +| test.py:42:12:42:23 | After Attribute | test.py:42:12:42:35 | After Attribute() | provenance | dict.get | +| test.py:42:12:42:35 | After Attribute() | test.py:42:5:42:8 | data | provenance | | +| test.py:47:17:47:19 | arg | test.py:50:32:50:34 | arg | provenance | | +| test.py:54:5:54:8 | data | test.py:55:17:55:20 | data | provenance | | +| test.py:54:12:54:18 | request | test.py:54:12:54:23 | After Attribute | provenance | AdditionalTaintStep | +| test.py:54:12:54:23 | After Attribute | test.py:54:12:54:35 | After Attribute() | provenance | dict.get | +| test.py:54:12:54:35 | After Attribute() | test.py:54:5:54:8 | data | provenance | | +| test.py:55:17:55:20 | data | test.py:47:17:47:19 | arg | provenance | | nodes -| test.py:5:26:5:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember | -| test.py:5:26:5:32 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| test.py:13:5:13:12 | ControlFlowNode for data_raw | semmle.label | ControlFlowNode for data_raw | -| test.py:13:16:13:22 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| test.py:13:16:13:27 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | -| test.py:13:16:13:39 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| test.py:14:5:14:8 | ControlFlowNode for data | semmle.label | ControlFlowNode for data | -| test.py:15:36:15:39 | ControlFlowNode for data | semmle.label | ControlFlowNode for data | -| test.py:23:5:23:12 | ControlFlowNode for data_raw | semmle.label | ControlFlowNode for data_raw | -| test.py:23:16:23:22 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| test.py:23:16:23:27 | 
ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | -| test.py:23:16:23:39 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| test.py:24:5:24:8 | ControlFlowNode for data | semmle.label | ControlFlowNode for data | -| test.py:25:44:25:47 | ControlFlowNode for data | semmle.label | ControlFlowNode for data | -| test.py:34:5:34:8 | ControlFlowNode for data | semmle.label | ControlFlowNode for data | -| test.py:34:12:34:18 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| test.py:34:12:34:23 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | -| test.py:34:12:34:35 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| test.py:35:10:35:13 | ControlFlowNode for data | semmle.label | ControlFlowNode for data | -| test.py:36:13:36:16 | ControlFlowNode for data | semmle.label | ControlFlowNode for data | -| test.py:42:5:42:8 | ControlFlowNode for data | semmle.label | ControlFlowNode for data | -| test.py:42:12:42:18 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| test.py:42:12:42:23 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | -| test.py:42:12:42:35 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| test.py:43:22:43:25 | ControlFlowNode for data | semmle.label | ControlFlowNode for data | -| test.py:44:25:44:28 | ControlFlowNode for data | semmle.label | ControlFlowNode for data | -| test.py:47:17:47:19 | ControlFlowNode for arg | semmle.label | ControlFlowNode for arg | -| test.py:50:32:50:34 | ControlFlowNode for arg | semmle.label | ControlFlowNode for arg | -| test.py:54:5:54:8 | ControlFlowNode for data | semmle.label | ControlFlowNode for data | -| test.py:54:12:54:18 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| test.py:54:12:54:23 | ControlFlowNode for Attribute | 
semmle.label | ControlFlowNode for Attribute | -| test.py:54:12:54:35 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| test.py:55:17:55:20 | ControlFlowNode for data | semmle.label | ControlFlowNode for data | +| test.py:5:26:5:32 | After ImportMember | semmle.label | After ImportMember | +| test.py:5:26:5:32 | request | semmle.label | request | +| test.py:13:5:13:12 | data_raw | semmle.label | data_raw | +| test.py:13:16:13:22 | request | semmle.label | request | +| test.py:13:16:13:27 | After Attribute | semmle.label | After Attribute | +| test.py:13:16:13:39 | After Attribute() | semmle.label | After Attribute() | +| test.py:14:5:14:8 | data | semmle.label | data | +| test.py:15:36:15:39 | data | semmle.label | data | +| test.py:23:5:23:12 | data_raw | semmle.label | data_raw | +| test.py:23:16:23:22 | request | semmle.label | request | +| test.py:23:16:23:27 | After Attribute | semmle.label | After Attribute | +| test.py:23:16:23:39 | After Attribute() | semmle.label | After Attribute() | +| test.py:24:5:24:8 | data | semmle.label | data | +| test.py:25:44:25:47 | data | semmle.label | data | +| test.py:34:5:34:8 | data | semmle.label | data | +| test.py:34:12:34:18 | request | semmle.label | request | +| test.py:34:12:34:23 | After Attribute | semmle.label | After Attribute | +| test.py:34:12:34:35 | After Attribute() | semmle.label | After Attribute() | +| test.py:35:10:35:13 | data | semmle.label | data | +| test.py:36:13:36:16 | data | semmle.label | data | +| test.py:42:5:42:8 | data | semmle.label | data | +| test.py:42:12:42:18 | request | semmle.label | request | +| test.py:42:12:42:23 | After Attribute | semmle.label | After Attribute | +| test.py:42:12:42:35 | After Attribute() | semmle.label | After Attribute() | +| test.py:43:22:43:25 | data | semmle.label | data | +| test.py:44:25:44:28 | data | semmle.label | data | +| test.py:47:17:47:19 | arg | semmle.label | arg | +| test.py:50:32:50:34 | arg | 
semmle.label | arg | +| test.py:54:5:54:8 | data | semmle.label | data | +| test.py:54:12:54:18 | request | semmle.label | request | +| test.py:54:12:54:23 | After Attribute | semmle.label | After Attribute | +| test.py:54:12:54:35 | After Attribute() | semmle.label | After Attribute() | +| test.py:55:17:55:20 | data | semmle.label | data | subpaths #select -| test.py:15:36:15:39 | ControlFlowNode for data | test.py:5:26:5:32 | ControlFlowNode for ImportMember | test.py:15:36:15:39 | ControlFlowNode for data | Call to hmac.new [position 1] with untrusted data from $@. | test.py:5:26:5:32 | ControlFlowNode for ImportMember | ControlFlowNode for ImportMember | -| test.py:25:44:25:47 | ControlFlowNode for data | test.py:5:26:5:32 | ControlFlowNode for ImportMember | test.py:25:44:25:47 | ControlFlowNode for data | Call to hmac.new [keyword msg] with untrusted data from $@. | test.py:5:26:5:32 | ControlFlowNode for ImportMember | ControlFlowNode for ImportMember | -| test.py:35:10:35:13 | ControlFlowNode for data | test.py:5:26:5:32 | ControlFlowNode for ImportMember | test.py:35:10:35:13 | ControlFlowNode for data | Call to unknown.lib.func [position 0] with untrusted data from $@. | test.py:5:26:5:32 | ControlFlowNode for ImportMember | ControlFlowNode for ImportMember | -| test.py:36:13:36:16 | ControlFlowNode for data | test.py:5:26:5:32 | ControlFlowNode for ImportMember | test.py:36:13:36:16 | ControlFlowNode for data | Call to unknown.lib.func [keyword kw] with untrusted data from $@. | test.py:5:26:5:32 | ControlFlowNode for ImportMember | ControlFlowNode for ImportMember | -| test.py:43:22:43:25 | ControlFlowNode for data | test.py:5:26:5:32 | ControlFlowNode for ImportMember | test.py:43:22:43:25 | ControlFlowNode for data | Call to unknown.lib.func [position 0] with untrusted data from $@. 
| test.py:5:26:5:32 | ControlFlowNode for ImportMember | ControlFlowNode for ImportMember | -| test.py:44:25:44:28 | ControlFlowNode for data | test.py:5:26:5:32 | ControlFlowNode for ImportMember | test.py:44:25:44:28 | ControlFlowNode for data | Call to unknown.lib.func [keyword kw] with untrusted data from $@. | test.py:5:26:5:32 | ControlFlowNode for ImportMember | ControlFlowNode for ImportMember | +| test.py:15:36:15:39 | data | test.py:5:26:5:32 | After ImportMember | test.py:15:36:15:39 | data | Call to hmac.new [position 1] with untrusted data from $@. | test.py:5:26:5:32 | After ImportMember | After ImportMember | +| test.py:25:44:25:47 | data | test.py:5:26:5:32 | After ImportMember | test.py:25:44:25:47 | data | Call to hmac.new [keyword msg] with untrusted data from $@. | test.py:5:26:5:32 | After ImportMember | After ImportMember | +| test.py:35:10:35:13 | data | test.py:5:26:5:32 | After ImportMember | test.py:35:10:35:13 | data | Call to unknown.lib.func [position 0] with untrusted data from $@. | test.py:5:26:5:32 | After ImportMember | After ImportMember | +| test.py:36:13:36:16 | data | test.py:5:26:5:32 | After ImportMember | test.py:36:13:36:16 | data | Call to unknown.lib.func [keyword kw] with untrusted data from $@. | test.py:5:26:5:32 | After ImportMember | After ImportMember | +| test.py:43:22:43:25 | data | test.py:5:26:5:32 | After ImportMember | test.py:43:22:43:25 | data | Call to unknown.lib.func [position 0] with untrusted data from $@. | test.py:5:26:5:32 | After ImportMember | After ImportMember | +| test.py:44:25:44:28 | data | test.py:5:26:5:32 | After ImportMember | test.py:44:25:44:28 | data | Call to unknown.lib.func [keyword kw] with untrusted data from $@. | test.py:5:26:5:32 | After ImportMember | After ImportMember | 
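Review bot: In the `#select` rows of this UntrustedDataToExternalAPI baseline the last column, which fills the `$@` placeholder, is the source node's own string form, so after the rename the alert reads "Call to hmac.new [position 1] with untrusted data from After ImportMember". That puts an internal control-flow label into user-facing text for a CWE-020 query. The TemplateInjection and CommandInjection baselines in the same commit use a fixed phrase in that column (`user-provided value`) and their messages are unchanged by the rename. The query's select clause is not part of this hunk, so this is inferred from the expected output only; if it does pass the node's string form as link text, a fixed label there would keep the message stable across string-representation changes like this one.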
diff --git a/python/ql/test/query-tests/Security/CWE-020-IncompleteHostnameRegExp/IncompleteHostnameRegExp.expected b/python/ql/test/query-tests/Security/CWE-020-IncompleteHostnameRegExp/IncompleteHostnameRegExp.expected index 046a00a7194..41ab8538dcc 100644 --- a/python/ql/test/query-tests/Security/CWE-020-IncompleteHostnameRegExp/IncompleteHostnameRegExp.expected +++ b/python/ql/test/query-tests/Security/CWE-020-IncompleteHostnameRegExp/IncompleteHostnameRegExp.expected @@ -1 +1 @@ -| hosttest.py:6:28:6:50 | (www\|beta).example.com/ | This regular expression has an unescaped '.' before 'example.com/', so it might match more hosts than expected. | hosttest.py:6:27:6:51 | ControlFlowNode for StringLiteral | here | +| hosttest.py:6:28:6:50 | (www\|beta).example.com/ | This regular expression has an unescaped '.' before 'example.com/', so it might match more hosts than expected. | hosttest.py:6:27:6:51 | StringLiteral | here | diff --git a/python/ql/test/query-tests/Security/CWE-074-TemplateInjection/TemplateInjection.expected b/python/ql/test/query-tests/Security/CWE-074-TemplateInjection/TemplateInjection.expected index f9210772839..4e076105786 100644 --- a/python/ql/test/query-tests/Security/CWE-074-TemplateInjection/TemplateInjection.expected +++ b/python/ql/test/query-tests/Security/CWE-074-TemplateInjection/TemplateInjection.expected 
@@ -1,16 +1,16 @@ edges -| JinjaSsti.py:7:7:7:13 | ControlFlowNode for request | JinjaSsti.py:9:5:9:12 | ControlFlowNode for template | provenance | AdditionalTaintStep | -| JinjaSsti.py:9:5:9:12 | ControlFlowNode for template | JinjaSsti.py:10:18:10:25 | ControlFlowNode for template | provenance | | -| JinjaSsti.py:16:7:16:13 | ControlFlowNode for request | JinjaSsti.py:19:5:19:12 | ControlFlowNode for template | provenance | AdditionalTaintStep | -| JinjaSsti.py:19:5:19:12 | ControlFlowNode for template | JinjaSsti.py:21:25:21:32 | ControlFlowNode for template | provenance | | +| JinjaSsti.py:7:7:7:13 | request | JinjaSsti.py:9:5:9:12 | template | provenance | AdditionalTaintStep | +| JinjaSsti.py:9:5:9:12 | template | JinjaSsti.py:10:18:10:25 | template | provenance | | +| JinjaSsti.py:16:7:16:13 | request | JinjaSsti.py:19:5:19:12 | template | provenance | AdditionalTaintStep | +| JinjaSsti.py:19:5:19:12 | template | JinjaSsti.py:21:25:21:32 | template | provenance | | nodes -| JinjaSsti.py:7:7:7:13 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| JinjaSsti.py:9:5:9:12 | ControlFlowNode for template | semmle.label | ControlFlowNode for template | -| JinjaSsti.py:10:18:10:25 | ControlFlowNode for template | semmle.label | ControlFlowNode for template | -| JinjaSsti.py:16:7:16:13 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| JinjaSsti.py:19:5:19:12 | ControlFlowNode for template | semmle.label | ControlFlowNode for template | -| JinjaSsti.py:21:25:21:32 | ControlFlowNode for template | semmle.label | ControlFlowNode for template | +| JinjaSsti.py:7:7:7:13 | request | semmle.label | request | +| JinjaSsti.py:9:5:9:12 | template | semmle.label | template | +| JinjaSsti.py:10:18:10:25 | template | semmle.label | template | +| JinjaSsti.py:16:7:16:13 | request | semmle.label | request | +| JinjaSsti.py:19:5:19:12 | template | semmle.label | template | +| JinjaSsti.py:21:25:21:32 | template | 
semmle.label | template | subpaths #select -| JinjaSsti.py:10:18:10:25 | ControlFlowNode for template | JinjaSsti.py:7:7:7:13 | ControlFlowNode for request | JinjaSsti.py:10:18:10:25 | ControlFlowNode for template | This template construction depends on a $@. | JinjaSsti.py:7:7:7:13 | ControlFlowNode for request | user-provided value | -| JinjaSsti.py:21:25:21:32 | ControlFlowNode for template | JinjaSsti.py:16:7:16:13 | ControlFlowNode for request | JinjaSsti.py:21:25:21:32 | ControlFlowNode for template | This template construction depends on a $@. | JinjaSsti.py:16:7:16:13 | ControlFlowNode for request | user-provided value | +| JinjaSsti.py:10:18:10:25 | template | JinjaSsti.py:7:7:7:13 | request | JinjaSsti.py:10:18:10:25 | template | This template construction depends on a $@. | JinjaSsti.py:7:7:7:13 | request | user-provided value | +| JinjaSsti.py:21:25:21:32 | template | JinjaSsti.py:16:7:16:13 | request | JinjaSsti.py:21:25:21:32 | template | This template construction depends on a $@. | JinjaSsti.py:16:7:16:13 | request | user-provided value | diff --git a/python/ql/test/query-tests/Security/CWE-078-CommandInjection-py2/CommandInjection.expected b/python/ql/test/query-tests/Security/CWE-078-CommandInjection-py2/CommandInjection.expected index 563a0ac74ae..ee1131e0c16 100644 --- a/python/ql/test/query-tests/Security/CWE-078-CommandInjection-py2/CommandInjection.expected +++ b/python/ql/test/query-tests/Security/CWE-078-CommandInjection-py2/CommandInjection.expected 
@@ -1,42 +1,42 @@ edges -| command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | command_injection.py:5:26:5:32 | ControlFlowNode for request | provenance | | -| command_injection.py:5:26:5:32 | ControlFlowNode for request | command_injection.py:18:13:18:19 | ControlFlowNode for request | provenance | | -| command_injection.py:18:5:18:9 | ControlFlowNode for files | command_injection.py:19:15:19:27 | ControlFlowNode for BinaryExpr | provenance | | -| command_injection.py:18:5:18:9 | ControlFlowNode for files | command_injection.py:20:15:20:27 | ControlFlowNode for BinaryExpr | provenance | | -| command_injection.py:18:5:18:9 | ControlFlowNode for files | command_injection.py:21:15:21:27 | ControlFlowNode for BinaryExpr | provenance | | -| command_injection.py:18:5:18:9 | ControlFlowNode for files | command_injection.py:23:20:23:32 | ControlFlowNode for BinaryExpr | provenance | | -| command_injection.py:18:5:18:9 | ControlFlowNode for files | command_injection.py:25:19:25:31 | ControlFlowNode for BinaryExpr | provenance | | -| command_injection.py:18:5:18:9 | ControlFlowNode for files | command_injection.py:26:19:26:31 | ControlFlowNode for BinaryExpr | provenance | | -| command_injection.py:18:5:18:9 | ControlFlowNode for files | command_injection.py:27:19:27:31 | ControlFlowNode for BinaryExpr | provenance | | -| command_injection.py:18:5:18:9 | ControlFlowNode for files | command_injection.py:28:19:28:31 | ControlFlowNode for BinaryExpr | provenance | | -| command_injection.py:18:5:18:9 | ControlFlowNode for files | command_injection.py:29:19:29:31 | ControlFlowNode for BinaryExpr | provenance | | -| command_injection.py:18:13:18:19 | ControlFlowNode for request | command_injection.py:18:13:18:24 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | -| command_injection.py:18:13:18:24 | ControlFlowNode for Attribute | command_injection.py:18:13:18:41 | ControlFlowNode for Attribute() | provenance | dict.get | -| 
command_injection.py:18:13:18:41 | ControlFlowNode for Attribute() | command_injection.py:18:5:18:9 | ControlFlowNode for files | provenance | | +| command_injection.py:5:26:5:32 | After ImportMember | command_injection.py:5:26:5:32 | request | provenance | | +| command_injection.py:5:26:5:32 | request | command_injection.py:18:13:18:19 | request | provenance | | +| command_injection.py:18:5:18:9 | files | command_injection.py:19:15:19:27 | After BinaryExpr | provenance | | +| command_injection.py:18:5:18:9 | files | command_injection.py:20:15:20:27 | After BinaryExpr | provenance | | +| command_injection.py:18:5:18:9 | files | command_injection.py:21:15:21:27 | After BinaryExpr | provenance | | +| command_injection.py:18:5:18:9 | files | command_injection.py:23:20:23:32 | After BinaryExpr | provenance | | +| command_injection.py:18:5:18:9 | files | command_injection.py:25:19:25:31 | After BinaryExpr | provenance | | +| command_injection.py:18:5:18:9 | files | command_injection.py:26:19:26:31 | After BinaryExpr | provenance | | +| command_injection.py:18:5:18:9 | files | command_injection.py:27:19:27:31 | After BinaryExpr | provenance | | +| command_injection.py:18:5:18:9 | files | command_injection.py:28:19:28:31 | After BinaryExpr | provenance | | +| command_injection.py:18:5:18:9 | files | command_injection.py:29:19:29:31 | After BinaryExpr | provenance | | +| command_injection.py:18:13:18:19 | request | command_injection.py:18:13:18:24 | After Attribute | provenance | AdditionalTaintStep | +| command_injection.py:18:13:18:24 | After Attribute | command_injection.py:18:13:18:41 | After Attribute() | provenance | dict.get | +| command_injection.py:18:13:18:41 | After Attribute() | command_injection.py:18:5:18:9 | files | provenance | | nodes -| command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember | -| command_injection.py:5:26:5:32 | ControlFlowNode for request | semmle.label | ControlFlowNode for 
request | -| command_injection.py:18:5:18:9 | ControlFlowNode for files | semmle.label | ControlFlowNode for files | -| command_injection.py:18:13:18:19 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| command_injection.py:18:13:18:24 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | -| command_injection.py:18:13:18:41 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| command_injection.py:19:15:19:27 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr | -| command_injection.py:20:15:20:27 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr | -| command_injection.py:21:15:21:27 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr | -| command_injection.py:23:20:23:32 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr | -| command_injection.py:25:19:25:31 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr | -| command_injection.py:26:19:26:31 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr | -| command_injection.py:27:19:27:31 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr | -| command_injection.py:28:19:28:31 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr | -| command_injection.py:29:19:29:31 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr | +| command_injection.py:5:26:5:32 | After ImportMember | semmle.label | After ImportMember | +| command_injection.py:5:26:5:32 | request | semmle.label | request | +| command_injection.py:18:5:18:9 | files | semmle.label | files | +| command_injection.py:18:13:18:19 | request | semmle.label | request | +| command_injection.py:18:13:18:24 | After Attribute | semmle.label | After Attribute | +| command_injection.py:18:13:18:41 | After Attribute() | 
semmle.label | After Attribute() | +| command_injection.py:19:15:19:27 | After BinaryExpr | semmle.label | After BinaryExpr | +| command_injection.py:20:15:20:27 | After BinaryExpr | semmle.label | After BinaryExpr | +| command_injection.py:21:15:21:27 | After BinaryExpr | semmle.label | After BinaryExpr | +| command_injection.py:23:20:23:32 | After BinaryExpr | semmle.label | After BinaryExpr | +| command_injection.py:25:19:25:31 | After BinaryExpr | semmle.label | After BinaryExpr | +| command_injection.py:26:19:26:31 | After BinaryExpr | semmle.label | After BinaryExpr | +| command_injection.py:27:19:27:31 | After BinaryExpr | semmle.label | After BinaryExpr | +| command_injection.py:28:19:28:31 | After BinaryExpr | semmle.label | After BinaryExpr | +| command_injection.py:29:19:29:31 | After BinaryExpr | semmle.label | After BinaryExpr | subpaths #select -| command_injection.py:19:15:19:27 | ControlFlowNode for BinaryExpr | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | command_injection.py:19:15:19:27 | ControlFlowNode for BinaryExpr | This command line depends on a $@. | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | user-provided value | -| command_injection.py:20:15:20:27 | ControlFlowNode for BinaryExpr | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | command_injection.py:20:15:20:27 | ControlFlowNode for BinaryExpr | This command line depends on a $@. | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | user-provided value | -| command_injection.py:21:15:21:27 | ControlFlowNode for BinaryExpr | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | command_injection.py:21:15:21:27 | ControlFlowNode for BinaryExpr | This command line depends on a $@. 
| command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | user-provided value | -| command_injection.py:23:20:23:32 | ControlFlowNode for BinaryExpr | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | command_injection.py:23:20:23:32 | ControlFlowNode for BinaryExpr | This command line depends on a $@. | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | user-provided value | -| command_injection.py:25:19:25:31 | ControlFlowNode for BinaryExpr | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | command_injection.py:25:19:25:31 | ControlFlowNode for BinaryExpr | This command line depends on a $@. | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | user-provided value | -| command_injection.py:26:19:26:31 | ControlFlowNode for BinaryExpr | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | command_injection.py:26:19:26:31 | ControlFlowNode for BinaryExpr | This command line depends on a $@. | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | user-provided value | -| command_injection.py:27:19:27:31 | ControlFlowNode for BinaryExpr | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | command_injection.py:27:19:27:31 | ControlFlowNode for BinaryExpr | This command line depends on a $@. | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | user-provided value | -| command_injection.py:28:19:28:31 | ControlFlowNode for BinaryExpr | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | command_injection.py:28:19:28:31 | ControlFlowNode for BinaryExpr | This command line depends on a $@. 
| command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | user-provided value | -| command_injection.py:29:19:29:31 | ControlFlowNode for BinaryExpr | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | command_injection.py:29:19:29:31 | ControlFlowNode for BinaryExpr | This command line depends on a $@. | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | user-provided value | +| command_injection.py:19:15:19:27 | After BinaryExpr | command_injection.py:5:26:5:32 | After ImportMember | command_injection.py:19:15:19:27 | After BinaryExpr | This command line depends on a $@. | command_injection.py:5:26:5:32 | After ImportMember | user-provided value | +| command_injection.py:20:15:20:27 | After BinaryExpr | command_injection.py:5:26:5:32 | After ImportMember | command_injection.py:20:15:20:27 | After BinaryExpr | This command line depends on a $@. | command_injection.py:5:26:5:32 | After ImportMember | user-provided value | +| command_injection.py:21:15:21:27 | After BinaryExpr | command_injection.py:5:26:5:32 | After ImportMember | command_injection.py:21:15:21:27 | After BinaryExpr | This command line depends on a $@. | command_injection.py:5:26:5:32 | After ImportMember | user-provided value | +| command_injection.py:23:20:23:32 | After BinaryExpr | command_injection.py:5:26:5:32 | After ImportMember | command_injection.py:23:20:23:32 | After BinaryExpr | This command line depends on a $@. | command_injection.py:5:26:5:32 | After ImportMember | user-provided value | +| command_injection.py:25:19:25:31 | After BinaryExpr | command_injection.py:5:26:5:32 | After ImportMember | command_injection.py:25:19:25:31 | After BinaryExpr | This command line depends on a $@. 
| command_injection.py:5:26:5:32 | After ImportMember | user-provided value | +| command_injection.py:26:19:26:31 | After BinaryExpr | command_injection.py:5:26:5:32 | After ImportMember | command_injection.py:26:19:26:31 | After BinaryExpr | This command line depends on a $@. | command_injection.py:5:26:5:32 | After ImportMember | user-provided value | +| command_injection.py:27:19:27:31 | After BinaryExpr | command_injection.py:5:26:5:32 | After ImportMember | command_injection.py:27:19:27:31 | After BinaryExpr | This command line depends on a $@. | command_injection.py:5:26:5:32 | After ImportMember | user-provided value | +| command_injection.py:28:19:28:31 | After BinaryExpr | command_injection.py:5:26:5:32 | After ImportMember | command_injection.py:28:19:28:31 | After BinaryExpr | This command line depends on a $@. | command_injection.py:5:26:5:32 | After ImportMember | user-provided value | +| command_injection.py:29:19:29:31 | After BinaryExpr | command_injection.py:5:26:5:32 | After ImportMember | command_injection.py:29:19:29:31 | After BinaryExpr | This command line depends on a $@. | command_injection.py:5:26:5:32 | After ImportMember | user-provided value | diff --git a/python/ql/test/query-tests/Security/CWE-078-CommandInjection/CommandInjection.expected b/python/ql/test/query-tests/Security/CWE-078-CommandInjection/CommandInjection.expected index 1e75c67db66..db538752d42 100644 --- a/python/ql/test/query-tests/Security/CWE-078-CommandInjection/CommandInjection.expected +++ b/python/ql/test/query-tests/Security/CWE-078-CommandInjection/CommandInjection.expected 
@@ -1,110 +1,110 @@ edges -| command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | command_injection.py:5:26:5:32 | ControlFlowNode for request | provenance | | -| command_injection.py:5:26:5:32 | ControlFlowNode for request | command_injection.py:11:13:11:19 | ControlFlowNode for request | provenance | | -| command_injection.py:5:26:5:32 | ControlFlowNode for request | command_injection.py:18:13:18:19 | ControlFlowNode for request | provenance | | -| command_injection.py:5:26:5:32 | ControlFlowNode for request | command_injection.py:25:11:25:17 | ControlFlowNode for request | provenance | | -| command_injection.py:5:26:5:32 | ControlFlowNode for request | command_injection.py:31:13:31:19 | ControlFlowNode for request | provenance | | -| command_injection.py:5:26:5:32 | ControlFlowNode for request | command_injection.py:38:15:38:21 | ControlFlowNode for request | provenance | | -| command_injection.py:5:26:5:32 | ControlFlowNode for request | command_injection.py:54:15:54:21 | ControlFlowNode for request | provenance | | -| command_injection.py:5:26:5:32 | ControlFlowNode for request | command_injection.py:71:12:71:18 | ControlFlowNode for request | provenance | | -| command_injection.py:5:26:5:32 | ControlFlowNode for request | command_injection.py:78:12:78:18 | ControlFlowNode for request | provenance | | -| command_injection.py:11:5:11:9 | ControlFlowNode for files | command_injection.py:13:15:13:27 | ControlFlowNode for BinaryExpr | provenance | | -| command_injection.py:11:13:11:19 | ControlFlowNode for request | command_injection.py:11:13:11:24 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | -| command_injection.py:11:13:11:24 | ControlFlowNode for Attribute | command_injection.py:11:13:11:41 | ControlFlowNode for Attribute() | provenance | dict.get | -| command_injection.py:11:13:11:41 | ControlFlowNode for Attribute() | command_injection.py:11:5:11:9 | ControlFlowNode for files | provenance | | -| 
command_injection.py:18:5:18:9 | ControlFlowNode for files | command_injection.py:20:22:20:34 | ControlFlowNode for BinaryExpr | provenance | | -| command_injection.py:18:13:18:19 | ControlFlowNode for request | command_injection.py:18:13:18:24 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | -| command_injection.py:18:13:18:24 | ControlFlowNode for Attribute | command_injection.py:18:13:18:41 | ControlFlowNode for Attribute() | provenance | dict.get | -| command_injection.py:18:13:18:41 | ControlFlowNode for Attribute() | command_injection.py:18:5:18:9 | ControlFlowNode for files | provenance | | -| command_injection.py:25:5:25:7 | ControlFlowNode for cmd | command_injection.py:26:23:26:25 | ControlFlowNode for cmd | provenance | | -| command_injection.py:25:11:25:17 | ControlFlowNode for request | command_injection.py:25:11:25:22 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | -| command_injection.py:25:11:25:22 | ControlFlowNode for Attribute | command_injection.py:25:11:25:37 | ControlFlowNode for Attribute() | provenance | dict.get | -| command_injection.py:25:11:25:37 | ControlFlowNode for Attribute() | command_injection.py:25:5:25:7 | ControlFlowNode for cmd | provenance | | -| command_injection.py:31:5:31:9 | ControlFlowNode for files | command_injection.py:33:14:33:26 | ControlFlowNode for BinaryExpr | provenance | | -| command_injection.py:31:13:31:19 | ControlFlowNode for request | command_injection.py:31:13:31:24 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | -| command_injection.py:31:13:31:24 | ControlFlowNode for Attribute | command_injection.py:31:13:31:41 | ControlFlowNode for Attribute() | provenance | dict.get | -| command_injection.py:31:13:31:41 | ControlFlowNode for Attribute() | command_injection.py:31:5:31:9 | ControlFlowNode for files | provenance | | -| command_injection.py:38:5:38:11 | ControlFlowNode for command | command_injection.py:41:15:41:21 | ControlFlowNode for command 
| provenance | | -| command_injection.py:38:5:38:11 | ControlFlowNode for command | command_injection.py:42:15:42:21 | ControlFlowNode for command | provenance | | -| command_injection.py:38:15:38:21 | ControlFlowNode for request | command_injection.py:38:15:38:26 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | -| command_injection.py:38:15:38:26 | ControlFlowNode for Attribute | command_injection.py:38:15:38:45 | ControlFlowNode for Attribute() | provenance | dict.get | -| command_injection.py:38:15:38:45 | ControlFlowNode for Attribute() | command_injection.py:38:5:38:11 | ControlFlowNode for command | provenance | | -| command_injection.py:54:5:54:11 | ControlFlowNode for command | command_injection.py:55:15:55:21 | ControlFlowNode for command | provenance | | -| command_injection.py:54:5:54:11 | ControlFlowNode for command | command_injection.py:56:14:56:20 | ControlFlowNode for command | provenance | | -| command_injection.py:54:5:54:11 | ControlFlowNode for command | command_injection.py:57:21:57:27 | ControlFlowNode for command | provenance | | -| command_injection.py:54:5:54:11 | ControlFlowNode for command | command_injection.py:58:27:58:33 | ControlFlowNode for command | provenance | | -| command_injection.py:54:5:54:11 | ControlFlowNode for command | command_injection.py:59:20:59:26 | ControlFlowNode for command | provenance | | -| command_injection.py:54:15:54:21 | ControlFlowNode for request | command_injection.py:54:15:54:26 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | -| command_injection.py:54:15:54:26 | ControlFlowNode for Attribute | command_injection.py:54:15:54:45 | ControlFlowNode for Attribute() | provenance | dict.get | -| command_injection.py:54:15:54:45 | ControlFlowNode for Attribute() | command_injection.py:54:5:54:11 | ControlFlowNode for command | provenance | | -| command_injection.py:71:5:71:8 | ControlFlowNode for path | command_injection.py:73:19:73:30 | ControlFlowNode for BinaryExpr | 
provenance | | -| command_injection.py:71:12:71:18 | ControlFlowNode for request | command_injection.py:71:12:71:23 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | -| command_injection.py:71:12:71:23 | ControlFlowNode for Attribute | command_injection.py:71:12:71:39 | ControlFlowNode for Attribute() | provenance | dict.get | -| command_injection.py:71:12:71:39 | ControlFlowNode for Attribute() | command_injection.py:71:5:71:8 | ControlFlowNode for path | provenance | | -| command_injection.py:78:5:78:8 | ControlFlowNode for path | command_injection.py:80:19:80:30 | ControlFlowNode for BinaryExpr | provenance | | -| command_injection.py:78:12:78:18 | ControlFlowNode for request | command_injection.py:78:12:78:23 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | -| command_injection.py:78:12:78:23 | ControlFlowNode for Attribute | command_injection.py:78:12:78:39 | ControlFlowNode for Attribute() | provenance | dict.get | -| command_injection.py:78:12:78:39 | ControlFlowNode for Attribute() | command_injection.py:78:5:78:8 | ControlFlowNode for path | provenance | | +| command_injection.py:5:26:5:32 | After ImportMember | command_injection.py:5:26:5:32 | request | provenance | | +| command_injection.py:5:26:5:32 | request | command_injection.py:11:13:11:19 | request | provenance | | +| command_injection.py:5:26:5:32 | request | command_injection.py:18:13:18:19 | request | provenance | | +| command_injection.py:5:26:5:32 | request | command_injection.py:25:11:25:17 | request | provenance | | +| command_injection.py:5:26:5:32 | request | command_injection.py:31:13:31:19 | request | provenance | | +| command_injection.py:5:26:5:32 | request | command_injection.py:38:15:38:21 | request | provenance | | +| command_injection.py:5:26:5:32 | request | command_injection.py:54:15:54:21 | request | provenance | | +| command_injection.py:5:26:5:32 | request | command_injection.py:71:12:71:18 | request | provenance | | +| 
command_injection.py:5:26:5:32 | request | command_injection.py:78:12:78:18 | request | provenance | | +| command_injection.py:11:5:11:9 | files | command_injection.py:13:15:13:27 | After BinaryExpr | provenance | | +| command_injection.py:11:13:11:19 | request | command_injection.py:11:13:11:24 | After Attribute | provenance | AdditionalTaintStep | +| command_injection.py:11:13:11:24 | After Attribute | command_injection.py:11:13:11:41 | After Attribute() | provenance | dict.get | +| command_injection.py:11:13:11:41 | After Attribute() | command_injection.py:11:5:11:9 | files | provenance | | +| command_injection.py:18:5:18:9 | files | command_injection.py:20:22:20:34 | After BinaryExpr | provenance | | +| command_injection.py:18:13:18:19 | request | command_injection.py:18:13:18:24 | After Attribute | provenance | AdditionalTaintStep | +| command_injection.py:18:13:18:24 | After Attribute | command_injection.py:18:13:18:41 | After Attribute() | provenance | dict.get | +| command_injection.py:18:13:18:41 | After Attribute() | command_injection.py:18:5:18:9 | files | provenance | | +| command_injection.py:25:5:25:7 | cmd | command_injection.py:26:23:26:25 | cmd | provenance | | +| command_injection.py:25:11:25:17 | request | command_injection.py:25:11:25:22 | After Attribute | provenance | AdditionalTaintStep | +| command_injection.py:25:11:25:22 | After Attribute | command_injection.py:25:11:25:37 | After Attribute() | provenance | dict.get | +| command_injection.py:25:11:25:37 | After Attribute() | command_injection.py:25:5:25:7 | cmd | provenance | | +| command_injection.py:31:5:31:9 | files | command_injection.py:33:14:33:26 | After BinaryExpr | provenance | | +| command_injection.py:31:13:31:19 | request | command_injection.py:31:13:31:24 | After Attribute | provenance | AdditionalTaintStep | +| command_injection.py:31:13:31:24 | After Attribute | command_injection.py:31:13:31:41 | After Attribute() | provenance | dict.get | +| command_injection.py:31:13:31:41 
| After Attribute() | command_injection.py:31:5:31:9 | files | provenance | | +| command_injection.py:38:5:38:11 | command | command_injection.py:41:15:41:21 | command | provenance | | +| command_injection.py:38:5:38:11 | command | command_injection.py:42:15:42:21 | command | provenance | | +| command_injection.py:38:15:38:21 | request | command_injection.py:38:15:38:26 | After Attribute | provenance | AdditionalTaintStep | +| command_injection.py:38:15:38:26 | After Attribute | command_injection.py:38:15:38:45 | After Attribute() | provenance | dict.get | +| command_injection.py:38:15:38:45 | After Attribute() | command_injection.py:38:5:38:11 | command | provenance | | +| command_injection.py:54:5:54:11 | command | command_injection.py:55:15:55:21 | command | provenance | | +| command_injection.py:54:5:54:11 | command | command_injection.py:56:14:56:20 | command | provenance | | +| command_injection.py:54:5:54:11 | command | command_injection.py:57:21:57:27 | command | provenance | | +| command_injection.py:54:5:54:11 | command | command_injection.py:58:27:58:33 | command | provenance | | +| command_injection.py:54:5:54:11 | command | command_injection.py:59:20:59:26 | command | provenance | | +| command_injection.py:54:15:54:21 | request | command_injection.py:54:15:54:26 | After Attribute | provenance | AdditionalTaintStep | +| command_injection.py:54:15:54:26 | After Attribute | command_injection.py:54:15:54:45 | After Attribute() | provenance | dict.get | +| command_injection.py:54:15:54:45 | After Attribute() | command_injection.py:54:5:54:11 | command | provenance | | +| command_injection.py:71:5:71:8 | path | command_injection.py:73:19:73:30 | After BinaryExpr | provenance | | +| command_injection.py:71:12:71:18 | request | command_injection.py:71:12:71:23 | After Attribute | provenance | AdditionalTaintStep | +| command_injection.py:71:12:71:23 | After Attribute | command_injection.py:71:12:71:39 | After Attribute() | provenance | dict.get | +| 
command_injection.py:71:12:71:39 | After Attribute() | command_injection.py:71:5:71:8 | path | provenance | | +| command_injection.py:78:5:78:8 | path | command_injection.py:80:19:80:30 | After BinaryExpr | provenance | | +| command_injection.py:78:12:78:18 | request | command_injection.py:78:12:78:23 | After Attribute | provenance | AdditionalTaintStep | +| command_injection.py:78:12:78:23 | After Attribute | command_injection.py:78:12:78:39 | After Attribute() | provenance | dict.get | +| command_injection.py:78:12:78:39 | After Attribute() | command_injection.py:78:5:78:8 | path | provenance | | nodes -| command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember | -| command_injection.py:5:26:5:32 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| command_injection.py:11:5:11:9 | ControlFlowNode for files | semmle.label | ControlFlowNode for files | -| command_injection.py:11:13:11:19 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| command_injection.py:11:13:11:24 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | -| command_injection.py:11:13:11:41 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| command_injection.py:13:15:13:27 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr | -| command_injection.py:18:5:18:9 | ControlFlowNode for files | semmle.label | ControlFlowNode for files | -| command_injection.py:18:13:18:19 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| command_injection.py:18:13:18:24 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | -| command_injection.py:18:13:18:41 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| command_injection.py:20:22:20:34 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr | 
-| command_injection.py:25:5:25:7 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd | -| command_injection.py:25:11:25:17 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| command_injection.py:25:11:25:22 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | -| command_injection.py:25:11:25:37 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| command_injection.py:26:23:26:25 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd | -| command_injection.py:31:5:31:9 | ControlFlowNode for files | semmle.label | ControlFlowNode for files | -| command_injection.py:31:13:31:19 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| command_injection.py:31:13:31:24 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | -| command_injection.py:31:13:31:41 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| command_injection.py:33:14:33:26 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr | -| command_injection.py:38:5:38:11 | ControlFlowNode for command | semmle.label | ControlFlowNode for command | -| command_injection.py:38:15:38:21 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| command_injection.py:38:15:38:26 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | -| command_injection.py:38:15:38:45 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| command_injection.py:41:15:41:21 | ControlFlowNode for command | semmle.label | ControlFlowNode for command | -| command_injection.py:42:15:42:21 | ControlFlowNode for command | semmle.label | ControlFlowNode for command | -| command_injection.py:54:5:54:11 | ControlFlowNode for command | semmle.label | ControlFlowNode for command | -| command_injection.py:54:15:54:21 | ControlFlowNode for 
request | semmle.label | ControlFlowNode for request | -| command_injection.py:54:15:54:26 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | -| command_injection.py:54:15:54:45 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| command_injection.py:55:15:55:21 | ControlFlowNode for command | semmle.label | ControlFlowNode for command | -| command_injection.py:56:14:56:20 | ControlFlowNode for command | semmle.label | ControlFlowNode for command | -| command_injection.py:57:21:57:27 | ControlFlowNode for command | semmle.label | ControlFlowNode for command | -| command_injection.py:58:27:58:33 | ControlFlowNode for command | semmle.label | ControlFlowNode for command | -| command_injection.py:59:20:59:26 | ControlFlowNode for command | semmle.label | ControlFlowNode for command | -| command_injection.py:71:5:71:8 | ControlFlowNode for path | semmle.label | ControlFlowNode for path | -| command_injection.py:71:12:71:18 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| command_injection.py:71:12:71:23 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | -| command_injection.py:71:12:71:39 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| command_injection.py:73:19:73:30 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr | -| command_injection.py:78:5:78:8 | ControlFlowNode for path | semmle.label | ControlFlowNode for path | -| command_injection.py:78:12:78:18 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| command_injection.py:78:12:78:23 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | -| command_injection.py:78:12:78:39 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| command_injection.py:80:19:80:30 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for 
BinaryExpr | +| command_injection.py:5:26:5:32 | After ImportMember | semmle.label | After ImportMember | +| command_injection.py:5:26:5:32 | request | semmle.label | request | +| command_injection.py:11:5:11:9 | files | semmle.label | files | +| command_injection.py:11:13:11:19 | request | semmle.label | request | +| command_injection.py:11:13:11:24 | After Attribute | semmle.label | After Attribute | +| command_injection.py:11:13:11:41 | After Attribute() | semmle.label | After Attribute() | +| command_injection.py:13:15:13:27 | After BinaryExpr | semmle.label | After BinaryExpr | +| command_injection.py:18:5:18:9 | files | semmle.label | files | +| command_injection.py:18:13:18:19 | request | semmle.label | request | +| command_injection.py:18:13:18:24 | After Attribute | semmle.label | After Attribute | +| command_injection.py:18:13:18:41 | After Attribute() | semmle.label | After Attribute() | +| command_injection.py:20:22:20:34 | After BinaryExpr | semmle.label | After BinaryExpr | +| command_injection.py:25:5:25:7 | cmd | semmle.label | cmd | +| command_injection.py:25:11:25:17 | request | semmle.label | request | +| command_injection.py:25:11:25:22 | After Attribute | semmle.label | After Attribute | +| command_injection.py:25:11:25:37 | After Attribute() | semmle.label | After Attribute() | +| command_injection.py:26:23:26:25 | cmd | semmle.label | cmd | +| command_injection.py:31:5:31:9 | files | semmle.label | files | +| command_injection.py:31:13:31:19 | request | semmle.label | request | +| command_injection.py:31:13:31:24 | After Attribute | semmle.label | After Attribute | +| command_injection.py:31:13:31:41 | After Attribute() | semmle.label | After Attribute() | +| command_injection.py:33:14:33:26 | After BinaryExpr | semmle.label | After BinaryExpr | +| command_injection.py:38:5:38:11 | command | semmle.label | command | +| command_injection.py:38:15:38:21 | request | semmle.label | request | +| command_injection.py:38:15:38:26 | After Attribute | 
semmle.label | After Attribute | +| command_injection.py:38:15:38:45 | After Attribute() | semmle.label | After Attribute() | +| command_injection.py:41:15:41:21 | command | semmle.label | command | +| command_injection.py:42:15:42:21 | command | semmle.label | command | +| command_injection.py:54:5:54:11 | command | semmle.label | command | +| command_injection.py:54:15:54:21 | request | semmle.label | request | +| command_injection.py:54:15:54:26 | After Attribute | semmle.label | After Attribute | +| command_injection.py:54:15:54:45 | After Attribute() | semmle.label | After Attribute() | +| command_injection.py:55:15:55:21 | command | semmle.label | command | +| command_injection.py:56:14:56:20 | command | semmle.label | command | +| command_injection.py:57:21:57:27 | command | semmle.label | command | +| command_injection.py:58:27:58:33 | command | semmle.label | command | +| command_injection.py:59:20:59:26 | command | semmle.label | command | +| command_injection.py:71:5:71:8 | path | semmle.label | path | +| command_injection.py:71:12:71:18 | request | semmle.label | request | +| command_injection.py:71:12:71:23 | After Attribute | semmle.label | After Attribute | +| command_injection.py:71:12:71:39 | After Attribute() | semmle.label | After Attribute() | +| command_injection.py:73:19:73:30 | After BinaryExpr | semmle.label | After BinaryExpr | +| command_injection.py:78:5:78:8 | path | semmle.label | path | +| command_injection.py:78:12:78:18 | request | semmle.label | request | +| command_injection.py:78:12:78:23 | After Attribute | semmle.label | After Attribute | +| command_injection.py:78:12:78:39 | After Attribute() | semmle.label | After Attribute() | +| command_injection.py:80:19:80:30 | After BinaryExpr | semmle.label | After BinaryExpr | subpaths #select -| command_injection.py:13:15:13:27 | ControlFlowNode for BinaryExpr | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | command_injection.py:13:15:13:27 | ControlFlowNode for 
BinaryExpr | This command line depends on a $@. | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | user-provided value | -| command_injection.py:20:22:20:34 | ControlFlowNode for BinaryExpr | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | command_injection.py:20:22:20:34 | ControlFlowNode for BinaryExpr | This command line depends on a $@. | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | user-provided value | -| command_injection.py:26:23:26:25 | ControlFlowNode for cmd | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | command_injection.py:26:23:26:25 | ControlFlowNode for cmd | This command line depends on a $@. | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | user-provided value | -| command_injection.py:33:14:33:26 | ControlFlowNode for BinaryExpr | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | command_injection.py:33:14:33:26 | ControlFlowNode for BinaryExpr | This command line depends on a $@. | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | user-provided value | -| command_injection.py:41:15:41:21 | ControlFlowNode for command | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | command_injection.py:41:15:41:21 | ControlFlowNode for command | This command line depends on a $@. | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | user-provided value | -| command_injection.py:42:15:42:21 | ControlFlowNode for command | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | command_injection.py:42:15:42:21 | ControlFlowNode for command | This command line depends on a $@. 
| command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | user-provided value | -| command_injection.py:55:15:55:21 | ControlFlowNode for command | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | command_injection.py:55:15:55:21 | ControlFlowNode for command | This command line depends on a $@. | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | user-provided value | -| command_injection.py:56:14:56:20 | ControlFlowNode for command | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | command_injection.py:56:14:56:20 | ControlFlowNode for command | This command line depends on a $@. | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | user-provided value | -| command_injection.py:57:21:57:27 | ControlFlowNode for command | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | command_injection.py:57:21:57:27 | ControlFlowNode for command | This command line depends on a $@. | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | user-provided value | -| command_injection.py:58:27:58:33 | ControlFlowNode for command | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | command_injection.py:58:27:58:33 | ControlFlowNode for command | This command line depends on a $@. | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | user-provided value | -| command_injection.py:59:20:59:26 | ControlFlowNode for command | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | command_injection.py:59:20:59:26 | ControlFlowNode for command | This command line depends on a $@. | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | user-provided value | -| command_injection.py:73:19:73:30 | ControlFlowNode for BinaryExpr | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | command_injection.py:73:19:73:30 | ControlFlowNode for BinaryExpr | This command line depends on a $@. 
| command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | user-provided value | -| command_injection.py:80:19:80:30 | ControlFlowNode for BinaryExpr | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | command_injection.py:80:19:80:30 | ControlFlowNode for BinaryExpr | This command line depends on a $@. | command_injection.py:5:26:5:32 | ControlFlowNode for ImportMember | user-provided value | +| command_injection.py:13:15:13:27 | After BinaryExpr | command_injection.py:5:26:5:32 | After ImportMember | command_injection.py:13:15:13:27 | After BinaryExpr | This command line depends on a $@. | command_injection.py:5:26:5:32 | After ImportMember | user-provided value | +| command_injection.py:20:22:20:34 | After BinaryExpr | command_injection.py:5:26:5:32 | After ImportMember | command_injection.py:20:22:20:34 | After BinaryExpr | This command line depends on a $@. | command_injection.py:5:26:5:32 | After ImportMember | user-provided value | +| command_injection.py:26:23:26:25 | cmd | command_injection.py:5:26:5:32 | After ImportMember | command_injection.py:26:23:26:25 | cmd | This command line depends on a $@. | command_injection.py:5:26:5:32 | After ImportMember | user-provided value | +| command_injection.py:33:14:33:26 | After BinaryExpr | command_injection.py:5:26:5:32 | After ImportMember | command_injection.py:33:14:33:26 | After BinaryExpr | This command line depends on a $@. | command_injection.py:5:26:5:32 | After ImportMember | user-provided value | +| command_injection.py:41:15:41:21 | command | command_injection.py:5:26:5:32 | After ImportMember | command_injection.py:41:15:41:21 | command | This command line depends on a $@. | command_injection.py:5:26:5:32 | After ImportMember | user-provided value | +| command_injection.py:42:15:42:21 | command | command_injection.py:5:26:5:32 | After ImportMember | command_injection.py:42:15:42:21 | command | This command line depends on a $@. 
| command_injection.py:5:26:5:32 | After ImportMember | user-provided value | +| command_injection.py:55:15:55:21 | command | command_injection.py:5:26:5:32 | After ImportMember | command_injection.py:55:15:55:21 | command | This command line depends on a $@. | command_injection.py:5:26:5:32 | After ImportMember | user-provided value | +| command_injection.py:56:14:56:20 | command | command_injection.py:5:26:5:32 | After ImportMember | command_injection.py:56:14:56:20 | command | This command line depends on a $@. | command_injection.py:5:26:5:32 | After ImportMember | user-provided value | +| command_injection.py:57:21:57:27 | command | command_injection.py:5:26:5:32 | After ImportMember | command_injection.py:57:21:57:27 | command | This command line depends on a $@. | command_injection.py:5:26:5:32 | After ImportMember | user-provided value | +| command_injection.py:58:27:58:33 | command | command_injection.py:5:26:5:32 | After ImportMember | command_injection.py:58:27:58:33 | command | This command line depends on a $@. | command_injection.py:5:26:5:32 | After ImportMember | user-provided value | +| command_injection.py:59:20:59:26 | command | command_injection.py:5:26:5:32 | After ImportMember | command_injection.py:59:20:59:26 | command | This command line depends on a $@. | command_injection.py:5:26:5:32 | After ImportMember | user-provided value | +| command_injection.py:73:19:73:30 | After BinaryExpr | command_injection.py:5:26:5:32 | After ImportMember | command_injection.py:73:19:73:30 | After BinaryExpr | This command line depends on a $@. | command_injection.py:5:26:5:32 | After ImportMember | user-provided value | +| command_injection.py:80:19:80:30 | After BinaryExpr | command_injection.py:5:26:5:32 | After ImportMember | command_injection.py:80:19:80:30 | After BinaryExpr | This command line depends on a $@. | command_injection.py:5:26:5:32 | After ImportMember | user-provided value | 
diff --git a/python/ql/test/query-tests/Security/CWE-078-UnsafeShellCommandConstruction/UnsafeShellCommandConstruction.expected b/python/ql/test/query-tests/Security/CWE-078-UnsafeShellCommandConstruction/UnsafeShellCommandConstruction.expected index e53508f61a5..e2864afc53e 100644 --- a/python/ql/test/query-tests/Security/CWE-078-UnsafeShellCommandConstruction/UnsafeShellCommandConstruction.expected +++ b/python/ql/test/query-tests/Security/CWE-078-UnsafeShellCommandConstruction/UnsafeShellCommandConstruction.expected 
@@ -1,38 +1,38 @@ edges -| src/unsafe_shell_test.py:4:22:4:25 | ControlFlowNode for name | src/unsafe_shell_test.py:5:25:5:28 | ControlFlowNode for name | provenance | | -| src/unsafe_shell_test.py:4:22:4:25 | ControlFlowNode for name | src/unsafe_shell_test.py:8:23:8:26 | ControlFlowNode for name | provenance | | -| src/unsafe_shell_test.py:4:22:4:25 | ControlFlowNode for name | src/unsafe_shell_test.py:11:25:11:38 | ControlFlowNode for Attribute() | provenance | | -| src/unsafe_shell_test.py:4:22:4:25 | ControlFlowNode for name | src/unsafe_shell_test.py:14:25:14:40 | ControlFlowNode for Attribute() | provenance | | -| src/unsafe_shell_test.py:4:22:4:25 | ControlFlowNode for name | src/unsafe_shell_test.py:17:32:17:35 | ControlFlowNode for name | provenance | | -| src/unsafe_shell_test.py:4:22:4:25 | ControlFlowNode for name | src/unsafe_shell_test.py:20:27:20:30 | ControlFlowNode for name | provenance | | -| src/unsafe_shell_test.py:26:20:26:23 | ControlFlowNode for name | src/unsafe_shell_test.py:29:30:29:33 | ControlFlowNode for name | provenance | | -| src/unsafe_shell_test.py:36:22:36:25 | ControlFlowNode for name | src/unsafe_shell_test.py:39:30:39:33 | ControlFlowNode for name | provenance | | -| src/unsafe_shell_test.py:36:22:36:25 | ControlFlowNode for name | src/unsafe_shell_test.py:44:20:44:23 | ControlFlowNode for name | provenance | | -| src/unsafe_shell_test.py:41:24:41:24 | ControlFlowNode for x | src/unsafe_shell_test.py:42:34:42:34 | ControlFlowNode for x | provenance | | -| src/unsafe_shell_test.py:44:20:44:23 | ControlFlowNode for name | src/unsafe_shell_test.py:41:24:41:24 | ControlFlowNode for x | provenance | | +| src/unsafe_shell_test.py:4:22:4:25 | name | src/unsafe_shell_test.py:5:25:5:28 | name | provenance | | +| src/unsafe_shell_test.py:4:22:4:25 | name | src/unsafe_shell_test.py:8:23:8:26 | name | provenance | | +| src/unsafe_shell_test.py:4:22:4:25 | name | src/unsafe_shell_test.py:11:25:11:38 | After Attribute() | provenance | | +| 
src/unsafe_shell_test.py:4:22:4:25 | name | src/unsafe_shell_test.py:14:25:14:40 | After Attribute() | provenance | | +| src/unsafe_shell_test.py:4:22:4:25 | name | src/unsafe_shell_test.py:17:32:17:35 | name | provenance | | +| src/unsafe_shell_test.py:4:22:4:25 | name | src/unsafe_shell_test.py:20:27:20:30 | name | provenance | | +| src/unsafe_shell_test.py:26:20:26:23 | name | src/unsafe_shell_test.py:29:30:29:33 | name | provenance | | +| src/unsafe_shell_test.py:36:22:36:25 | name | src/unsafe_shell_test.py:39:30:39:33 | name | provenance | | +| src/unsafe_shell_test.py:36:22:36:25 | name | src/unsafe_shell_test.py:44:20:44:23 | name | provenance | | +| src/unsafe_shell_test.py:41:24:41:24 | x | src/unsafe_shell_test.py:42:34:42:34 | x | provenance | | +| src/unsafe_shell_test.py:44:20:44:23 | name | src/unsafe_shell_test.py:41:24:41:24 | x | provenance | | nodes -| src/unsafe_shell_test.py:4:22:4:25 | ControlFlowNode for name | semmle.label | ControlFlowNode for name | -| src/unsafe_shell_test.py:5:25:5:28 | ControlFlowNode for name | semmle.label | ControlFlowNode for name | -| src/unsafe_shell_test.py:8:23:8:26 | ControlFlowNode for name | semmle.label | ControlFlowNode for name | -| src/unsafe_shell_test.py:11:25:11:38 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| src/unsafe_shell_test.py:14:25:14:40 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| src/unsafe_shell_test.py:17:32:17:35 | ControlFlowNode for name | semmle.label | ControlFlowNode for name | -| src/unsafe_shell_test.py:20:27:20:30 | ControlFlowNode for name | semmle.label | ControlFlowNode for name | -| src/unsafe_shell_test.py:26:20:26:23 | ControlFlowNode for name | semmle.label | ControlFlowNode for name | -| src/unsafe_shell_test.py:29:30:29:33 | ControlFlowNode for name | semmle.label | ControlFlowNode for name | -| src/unsafe_shell_test.py:36:22:36:25 | ControlFlowNode for name | semmle.label | 
ControlFlowNode for name | -| src/unsafe_shell_test.py:39:30:39:33 | ControlFlowNode for name | semmle.label | ControlFlowNode for name | -| src/unsafe_shell_test.py:41:24:41:24 | ControlFlowNode for x | semmle.label | ControlFlowNode for x | -| src/unsafe_shell_test.py:42:34:42:34 | ControlFlowNode for x | semmle.label | ControlFlowNode for x | -| src/unsafe_shell_test.py:44:20:44:23 | ControlFlowNode for name | semmle.label | ControlFlowNode for name | +| src/unsafe_shell_test.py:4:22:4:25 | name | semmle.label | name | +| src/unsafe_shell_test.py:5:25:5:28 | name | semmle.label | name | +| src/unsafe_shell_test.py:8:23:8:26 | name | semmle.label | name | +| src/unsafe_shell_test.py:11:25:11:38 | After Attribute() | semmle.label | After Attribute() | +| src/unsafe_shell_test.py:14:25:14:40 | After Attribute() | semmle.label | After Attribute() | +| src/unsafe_shell_test.py:17:32:17:35 | name | semmle.label | name | +| src/unsafe_shell_test.py:20:27:20:30 | name | semmle.label | name | +| src/unsafe_shell_test.py:26:20:26:23 | name | semmle.label | name | +| src/unsafe_shell_test.py:29:30:29:33 | name | semmle.label | name | +| src/unsafe_shell_test.py:36:22:36:25 | name | semmle.label | name | +| src/unsafe_shell_test.py:39:30:39:33 | name | semmle.label | name | +| src/unsafe_shell_test.py:41:24:41:24 | x | semmle.label | x | +| src/unsafe_shell_test.py:42:34:42:34 | x | semmle.label | x | +| src/unsafe_shell_test.py:44:20:44:23 | name | semmle.label | name | subpaths #select -| src/unsafe_shell_test.py:5:15:5:28 | ControlFlowNode for BinaryExpr | src/unsafe_shell_test.py:4:22:4:25 | ControlFlowNode for name | src/unsafe_shell_test.py:5:25:5:28 | ControlFlowNode for name | This string concatenation which depends on $@ is later used in a $@. 
| src/unsafe_shell_test.py:4:22:4:25 | ControlFlowNode for name | library input | src/unsafe_shell_test.py:5:5:5:29 | ControlFlowNode for Attribute() | shell command | -| src/unsafe_shell_test.py:8:15:8:28 | ControlFlowNode for Fstring | src/unsafe_shell_test.py:4:22:4:25 | ControlFlowNode for name | src/unsafe_shell_test.py:8:23:8:26 | ControlFlowNode for name | This f-string which depends on $@ is later used in a $@. | src/unsafe_shell_test.py:4:22:4:25 | ControlFlowNode for name | library input | src/unsafe_shell_test.py:8:5:8:29 | ControlFlowNode for Attribute() | shell command | -| src/unsafe_shell_test.py:11:15:11:38 | ControlFlowNode for BinaryExpr | src/unsafe_shell_test.py:4:22:4:25 | ControlFlowNode for name | src/unsafe_shell_test.py:11:25:11:38 | ControlFlowNode for Attribute() | This string concatenation which depends on $@ is later used in a $@. | src/unsafe_shell_test.py:4:22:4:25 | ControlFlowNode for name | library input | src/unsafe_shell_test.py:11:5:11:39 | ControlFlowNode for Attribute() | shell command | -| src/unsafe_shell_test.py:14:15:14:40 | ControlFlowNode for BinaryExpr | src/unsafe_shell_test.py:4:22:4:25 | ControlFlowNode for name | src/unsafe_shell_test.py:14:25:14:40 | ControlFlowNode for Attribute() | This string concatenation which depends on $@ is later used in a $@. | src/unsafe_shell_test.py:4:22:4:25 | ControlFlowNode for name | library input | src/unsafe_shell_test.py:14:5:14:41 | ControlFlowNode for Attribute() | shell command | -| src/unsafe_shell_test.py:17:15:17:36 | ControlFlowNode for Attribute() | src/unsafe_shell_test.py:4:22:4:25 | ControlFlowNode for name | src/unsafe_shell_test.py:17:32:17:35 | ControlFlowNode for name | This formatted string which depends on $@ is later used in a $@. 
| src/unsafe_shell_test.py:4:22:4:25 | ControlFlowNode for name | library input | src/unsafe_shell_test.py:17:5:17:37 | ControlFlowNode for Attribute() | shell command | -| src/unsafe_shell_test.py:20:15:20:30 | ControlFlowNode for BinaryExpr | src/unsafe_shell_test.py:4:22:4:25 | ControlFlowNode for name | src/unsafe_shell_test.py:20:27:20:30 | ControlFlowNode for name | This formatted string which depends on $@ is later used in a $@. | src/unsafe_shell_test.py:4:22:4:25 | ControlFlowNode for name | library input | src/unsafe_shell_test.py:20:5:20:31 | ControlFlowNode for Attribute() | shell command | -| src/unsafe_shell_test.py:29:20:29:33 | ControlFlowNode for BinaryExpr | src/unsafe_shell_test.py:26:20:26:23 | ControlFlowNode for name | src/unsafe_shell_test.py:29:30:29:33 | ControlFlowNode for name | This string concatenation which depends on $@ is later used in a $@. | src/unsafe_shell_test.py:26:20:26:23 | ControlFlowNode for name | library input | src/unsafe_shell_test.py:29:5:29:46 | ControlFlowNode for Attribute() | shell command | -| src/unsafe_shell_test.py:39:20:39:33 | ControlFlowNode for BinaryExpr | src/unsafe_shell_test.py:36:22:36:25 | ControlFlowNode for name | src/unsafe_shell_test.py:39:30:39:33 | ControlFlowNode for name | This string concatenation which depends on $@ is later used in a $@. | src/unsafe_shell_test.py:36:22:36:25 | ControlFlowNode for name | library input | src/unsafe_shell_test.py:39:5:39:46 | ControlFlowNode for Attribute() | shell command | -| src/unsafe_shell_test.py:42:24:42:34 | ControlFlowNode for BinaryExpr | src/unsafe_shell_test.py:36:22:36:25 | ControlFlowNode for name | src/unsafe_shell_test.py:42:34:42:34 | ControlFlowNode for x | This string concatenation which depends on $@ is later used in a $@. 
| src/unsafe_shell_test.py:36:22:36:25 | ControlFlowNode for name | library input | src/unsafe_shell_test.py:42:9:42:47 | ControlFlowNode for Attribute() | shell command | +| src/unsafe_shell_test.py:5:15:5:28 | After BinaryExpr | src/unsafe_shell_test.py:4:22:4:25 | name | src/unsafe_shell_test.py:5:25:5:28 | name | This string concatenation which depends on $@ is later used in a $@. | src/unsafe_shell_test.py:4:22:4:25 | name | library input | src/unsafe_shell_test.py:5:5:5:29 | After Attribute() | shell command | +| src/unsafe_shell_test.py:8:15:8:28 | After Fstring | src/unsafe_shell_test.py:4:22:4:25 | name | src/unsafe_shell_test.py:8:23:8:26 | name | This f-string which depends on $@ is later used in a $@. | src/unsafe_shell_test.py:4:22:4:25 | name | library input | src/unsafe_shell_test.py:8:5:8:29 | After Attribute() | shell command | +| src/unsafe_shell_test.py:11:15:11:38 | After BinaryExpr | src/unsafe_shell_test.py:4:22:4:25 | name | src/unsafe_shell_test.py:11:25:11:38 | After Attribute() | This string concatenation which depends on $@ is later used in a $@. | src/unsafe_shell_test.py:4:22:4:25 | name | library input | src/unsafe_shell_test.py:11:5:11:39 | After Attribute() | shell command | +| src/unsafe_shell_test.py:14:15:14:40 | After BinaryExpr | src/unsafe_shell_test.py:4:22:4:25 | name | src/unsafe_shell_test.py:14:25:14:40 | After Attribute() | This string concatenation which depends on $@ is later used in a $@. | src/unsafe_shell_test.py:4:22:4:25 | name | library input | src/unsafe_shell_test.py:14:5:14:41 | After Attribute() | shell command | +| src/unsafe_shell_test.py:17:15:17:36 | After Attribute() | src/unsafe_shell_test.py:4:22:4:25 | name | src/unsafe_shell_test.py:17:32:17:35 | name | This formatted string which depends on $@ is later used in a $@. 
| src/unsafe_shell_test.py:4:22:4:25 | name | library input | src/unsafe_shell_test.py:17:5:17:37 | After Attribute() | shell command | +| src/unsafe_shell_test.py:20:15:20:30 | After BinaryExpr | src/unsafe_shell_test.py:4:22:4:25 | name | src/unsafe_shell_test.py:20:27:20:30 | name | This formatted string which depends on $@ is later used in a $@. | src/unsafe_shell_test.py:4:22:4:25 | name | library input | src/unsafe_shell_test.py:20:5:20:31 | After Attribute() | shell command | +| src/unsafe_shell_test.py:29:20:29:33 | After BinaryExpr | src/unsafe_shell_test.py:26:20:26:23 | name | src/unsafe_shell_test.py:29:30:29:33 | name | This string concatenation which depends on $@ is later used in a $@. | src/unsafe_shell_test.py:26:20:26:23 | name | library input | src/unsafe_shell_test.py:29:5:29:46 | After Attribute() | shell command | +| src/unsafe_shell_test.py:39:20:39:33 | After BinaryExpr | src/unsafe_shell_test.py:36:22:36:25 | name | src/unsafe_shell_test.py:39:30:39:33 | name | This string concatenation which depends on $@ is later used in a $@. | src/unsafe_shell_test.py:36:22:36:25 | name | library input | src/unsafe_shell_test.py:39:5:39:46 | After Attribute() | shell command | +| src/unsafe_shell_test.py:42:24:42:34 | After BinaryExpr | src/unsafe_shell_test.py:36:22:36:25 | name | src/unsafe_shell_test.py:42:34:42:34 | x | This string concatenation which depends on $@ is later used in a $@. | src/unsafe_shell_test.py:36:22:36:25 | name | library input | src/unsafe_shell_test.py:42:9:42:47 | After Attribute() | shell command | diff --git a/python/ql/test/query-tests/Security/CWE-079-Jinja2WithoutEscaping/Jinja2WithoutEscaping.expected b/python/ql/test/query-tests/Security/CWE-079-Jinja2WithoutEscaping/Jinja2WithoutEscaping.expected index 918fbdf604d..fb4064af455 100644 --- a/python/ql/test/query-tests/Security/CWE-079-Jinja2WithoutEscaping/Jinja2WithoutEscaping.expected 
+++ b/python/ql/test/query-tests/Security/CWE-079-Jinja2WithoutEscaping/Jinja2WithoutEscaping.expected @@ -1,6 +1,6 @@ -| jinja2_escaping.py:9:14:9:39 | ControlFlowNode for Environment() | Using jinja2 templates with autoescape=False can potentially allow XSS attacks. | -| jinja2_escaping.py:41:5:41:29 | ControlFlowNode for Environment() | Using jinja2 templates with autoescape=False can potentially allow XSS attacks. | -| jinja2_escaping.py:43:1:43:3 | ControlFlowNode for E() | Using jinja2 templates with autoescape=False can potentially allow XSS attacks. | -| jinja2_escaping.py:44:1:44:15 | ControlFlowNode for E() | Using jinja2 templates with autoescape=False can potentially allow XSS attacks. | -| jinja2_escaping.py:50:13:50:40 | ControlFlowNode for Environment() | Using jinja2 templates with autoescape=False can potentially allow XSS attacks. | -| jinja2_escaping.py:53:15:53:43 | ControlFlowNode for Template() | Using jinja2 templates with autoescape=False can potentially allow XSS attacks. | +| jinja2_escaping.py:9:14:9:39 | After Environment() | Using jinja2 templates with autoescape=False can potentially allow XSS attacks. | +| jinja2_escaping.py:41:5:41:29 | After Environment() | Using jinja2 templates with autoescape=False can potentially allow XSS attacks. | +| jinja2_escaping.py:43:1:43:3 | After E() | Using jinja2 templates with autoescape=False can potentially allow XSS attacks. | +| jinja2_escaping.py:44:1:44:15 | After E() | Using jinja2 templates with autoescape=False can potentially allow XSS attacks. | +| jinja2_escaping.py:50:13:50:40 | After Environment() | Using jinja2 templates with autoescape=False can potentially allow XSS attacks. | +| jinja2_escaping.py:53:15:53:43 | After Template() | Using jinja2 templates with autoescape=False can potentially allow XSS attacks. | 
diff --git a/python/ql/test/query-tests/Security/CWE-079-ReflectedXss/ReflectedXss.expected b/python/ql/test/query-tests/Security/CWE-079-ReflectedXss/ReflectedXss.expected index 2e6c5c33fbc..f2bceb5c02a 100644 --- a/python/ql/test/query-tests/Security/CWE-079-ReflectedXss/ReflectedXss.expected +++ b/python/ql/test/query-tests/Security/CWE-079-ReflectedXss/ReflectedXss.expected 
@@ -1,32 +1,32 @@ edges -| reflected_xss.py:2:26:2:32 | ControlFlowNode for ImportMember | reflected_xss.py:2:26:2:32 | ControlFlowNode for request | provenance | | -| reflected_xss.py:2:26:2:32 | ControlFlowNode for request | reflected_xss.py:9:18:9:24 | ControlFlowNode for request | provenance | | -| reflected_xss.py:2:26:2:32 | ControlFlowNode for request | reflected_xss.py:21:23:21:29 | ControlFlowNode for request | provenance | | -| reflected_xss.py:2:26:2:32 | ControlFlowNode for request | reflected_xss.py:27:23:27:29 | ControlFlowNode for request | provenance | | -| reflected_xss.py:9:5:9:14 | ControlFlowNode for first_name | reflected_xss.py:10:26:10:53 | ControlFlowNode for BinaryExpr | provenance | | -| reflected_xss.py:9:18:9:24 | ControlFlowNode for request | reflected_xss.py:9:18:9:29 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | -| reflected_xss.py:9:18:9:29 | ControlFlowNode for Attribute | reflected_xss.py:9:18:9:45 | ControlFlowNode for Attribute() | provenance | dict.get | -| reflected_xss.py:9:18:9:45 | ControlFlowNode for Attribute() | reflected_xss.py:9:5:9:14 | ControlFlowNode for first_name | provenance | | -| reflected_xss.py:21:5:21:8 | ControlFlowNode for data | reflected_xss.py:22:26:22:41 | ControlFlowNode for Attribute() | provenance | AdditionalTaintStep | -| reflected_xss.py:21:23:21:29 | ControlFlowNode for request | reflected_xss.py:21:5:21:8 | ControlFlowNode for data | provenance | AdditionalTaintStep | -| reflected_xss.py:27:5:27:8 | ControlFlowNode for data | reflected_xss.py:28:26:28:41 | ControlFlowNode for Attribute() | provenance | AdditionalTaintStep | -| reflected_xss.py:27:23:27:29 | ControlFlowNode for request | reflected_xss.py:27:5:27:8 | ControlFlowNode for data | provenance | AdditionalTaintStep | +| reflected_xss.py:2:26:2:32 | After ImportMember | reflected_xss.py:2:26:2:32 | request | provenance | | +| reflected_xss.py:2:26:2:32 | request | reflected_xss.py:9:18:9:24 | request | provenance | 
| +| reflected_xss.py:2:26:2:32 | request | reflected_xss.py:21:23:21:29 | request | provenance | | +| reflected_xss.py:2:26:2:32 | request | reflected_xss.py:27:23:27:29 | request | provenance | | +| reflected_xss.py:9:5:9:14 | first_name | reflected_xss.py:10:26:10:53 | After BinaryExpr | provenance | | +| reflected_xss.py:9:18:9:24 | request | reflected_xss.py:9:18:9:29 | After Attribute | provenance | AdditionalTaintStep | +| reflected_xss.py:9:18:9:29 | After Attribute | reflected_xss.py:9:18:9:45 | After Attribute() | provenance | dict.get | +| reflected_xss.py:9:18:9:45 | After Attribute() | reflected_xss.py:9:5:9:14 | first_name | provenance | | +| reflected_xss.py:21:5:21:8 | data | reflected_xss.py:22:26:22:41 | After Attribute() | provenance | AdditionalTaintStep | +| reflected_xss.py:21:23:21:29 | request | reflected_xss.py:21:5:21:8 | data | provenance | AdditionalTaintStep | +| reflected_xss.py:27:5:27:8 | data | reflected_xss.py:28:26:28:41 | After Attribute() | provenance | AdditionalTaintStep | +| reflected_xss.py:27:23:27:29 | request | reflected_xss.py:27:5:27:8 | data | provenance | AdditionalTaintStep | nodes -| reflected_xss.py:2:26:2:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember | -| reflected_xss.py:2:26:2:32 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| reflected_xss.py:9:5:9:14 | ControlFlowNode for first_name | semmle.label | ControlFlowNode for first_name | -| reflected_xss.py:9:18:9:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| reflected_xss.py:9:18:9:29 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | -| reflected_xss.py:9:18:9:45 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| reflected_xss.py:10:26:10:53 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr | -| reflected_xss.py:21:5:21:8 | ControlFlowNode for data | 
semmle.label | ControlFlowNode for data | -| reflected_xss.py:21:23:21:29 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| reflected_xss.py:22:26:22:41 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| reflected_xss.py:27:5:27:8 | ControlFlowNode for data | semmle.label | ControlFlowNode for data | -| reflected_xss.py:27:23:27:29 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| reflected_xss.py:28:26:28:41 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | +| reflected_xss.py:2:26:2:32 | After ImportMember | semmle.label | After ImportMember | +| reflected_xss.py:2:26:2:32 | request | semmle.label | request | +| reflected_xss.py:9:5:9:14 | first_name | semmle.label | first_name | +| reflected_xss.py:9:18:9:24 | request | semmle.label | request | +| reflected_xss.py:9:18:9:29 | After Attribute | semmle.label | After Attribute | +| reflected_xss.py:9:18:9:45 | After Attribute() | semmle.label | After Attribute() | +| reflected_xss.py:10:26:10:53 | After BinaryExpr | semmle.label | After BinaryExpr | +| reflected_xss.py:21:5:21:8 | data | semmle.label | data | +| reflected_xss.py:21:23:21:29 | request | semmle.label | request | +| reflected_xss.py:22:26:22:41 | After Attribute() | semmle.label | After Attribute() | +| reflected_xss.py:27:5:27:8 | data | semmle.label | data | +| reflected_xss.py:27:23:27:29 | request | semmle.label | request | +| reflected_xss.py:28:26:28:41 | After Attribute() | semmle.label | After Attribute() | subpaths #select -| reflected_xss.py:10:26:10:53 | ControlFlowNode for BinaryExpr | reflected_xss.py:2:26:2:32 | ControlFlowNode for ImportMember | reflected_xss.py:10:26:10:53 | ControlFlowNode for BinaryExpr | Cross-site scripting vulnerability due to a $@. 
| reflected_xss.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | -| reflected_xss.py:22:26:22:41 | ControlFlowNode for Attribute() | reflected_xss.py:2:26:2:32 | ControlFlowNode for ImportMember | reflected_xss.py:22:26:22:41 | ControlFlowNode for Attribute() | Cross-site scripting vulnerability due to a $@. | reflected_xss.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | -| reflected_xss.py:28:26:28:41 | ControlFlowNode for Attribute() | reflected_xss.py:2:26:2:32 | ControlFlowNode for ImportMember | reflected_xss.py:28:26:28:41 | ControlFlowNode for Attribute() | Cross-site scripting vulnerability due to a $@. | reflected_xss.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | +| reflected_xss.py:10:26:10:53 | After BinaryExpr | reflected_xss.py:2:26:2:32 | After ImportMember | reflected_xss.py:10:26:10:53 | After BinaryExpr | Cross-site scripting vulnerability due to a $@. | reflected_xss.py:2:26:2:32 | After ImportMember | user-provided value | +| reflected_xss.py:22:26:22:41 | After Attribute() | reflected_xss.py:2:26:2:32 | After ImportMember | reflected_xss.py:22:26:22:41 | After Attribute() | Cross-site scripting vulnerability due to a $@. | reflected_xss.py:2:26:2:32 | After ImportMember | user-provided value | +| reflected_xss.py:28:26:28:41 | After Attribute() | reflected_xss.py:2:26:2:32 | After ImportMember | reflected_xss.py:28:26:28:41 | After Attribute() | Cross-site scripting vulnerability due to a $@. | reflected_xss.py:2:26:2:32 | After ImportMember | user-provided value | diff --git a/python/ql/test/query-tests/Security/CWE-089-SqlInjection-local-threat-model/SqlInjection.expected b/python/ql/test/query-tests/Security/CWE-089-SqlInjection-local-threat-model/SqlInjection.expected index 8cf2ec7b826..6cee1d5ca8b 100644 --- a/python/ql/test/query-tests/Security/CWE-089-SqlInjection-local-threat-model/SqlInjection.expected 
+++ b/python/ql/test/query-tests/Security/CWE-089-SqlInjection-local-threat-model/SqlInjection.expected @@ -1,10 +1,10 @@ #select -| test.py:6:14:6:24 | ControlFlowNode for Subscript | test.py:6:14:6:21 | ControlFlowNode for Attribute | test.py:6:14:6:24 | ControlFlowNode for Subscript | This SQL query depends on a $@. | test.py:6:14:6:21 | ControlFlowNode for Attribute | user-provided value | +| test.py:6:14:6:24 | After Subscript | test.py:6:14:6:21 | After Attribute | test.py:6:14:6:24 | After Subscript | This SQL query depends on a $@. | test.py:6:14:6:21 | After Attribute | user-provided value | edges -| test.py:6:14:6:21 | ControlFlowNode for Attribute | test.py:6:14:6:24 | ControlFlowNode for Subscript | provenance | Src:MaD:1 | +| test.py:6:14:6:21 | After Attribute | test.py:6:14:6:24 | After Subscript | provenance | Src:MaD:1 | models | 1 | Source: sys; Member[argv]; commandargs | nodes -| test.py:6:14:6:21 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | -| test.py:6:14:6:24 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript | +| test.py:6:14:6:21 | After Attribute | semmle.label | After Attribute | +| test.py:6:14:6:24 | After Subscript | semmle.label | After Subscript | subpaths diff --git a/python/ql/test/query-tests/Security/CWE-089-SqlInjection/SqlInjection.expected b/python/ql/test/query-tests/Security/CWE-089-SqlInjection/SqlInjection.expected index 9ff8b1d718c..59a29d2ad70 100644 --- a/python/ql/test/query-tests/Security/CWE-089-SqlInjection/SqlInjection.expected +++ b/python/ql/test/query-tests/Security/CWE-089-SqlInjection/SqlInjection.expected 
@@ -1,54 +1,54 @@ edges -| sql_injection.py:14:15:14:22 | ControlFlowNode for username | sql_injection.py:21:24:21:77 | ControlFlowNode for BinaryExpr | provenance | | -| sql_injection.py:14:15:14:22 | ControlFlowNode for username | sql_injection.py:24:38:24:95 | ControlFlowNode for BinaryExpr | provenance | | -| sql_injection.py:14:15:14:22 | ControlFlowNode for username | sql_injection.py:25:26:25:83 | ControlFlowNode for BinaryExpr | provenance | | -| sql_injection.py:14:15:14:22 | ControlFlowNode for username | sql_injection.py:26:28:26:85 | ControlFlowNode for BinaryExpr | provenance | | -| sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:27:28:27:87 | ControlFlowNode for Attribute() | provenance | | -| sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:31:50:31:72 | ControlFlowNode for Attribute() | provenance | | -| sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:41:26:41:33 | ControlFlowNode for username | provenance | | -| sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:42:31:42:38 | ControlFlowNode for username | provenance | | -| sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:43:30:43:37 | ControlFlowNode for username | provenance | | -| sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:44:35:44:42 | ControlFlowNode for username | provenance | | -| sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:45:41:45:48 | ControlFlowNode for username | provenance | | -| sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:46:46:46:53 | ControlFlowNode for username | provenance | | -| sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:47:47:47:54 | ControlFlowNode 
for username | provenance | | -| sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:48:52:48:59 | ControlFlowNode for username | provenance | | -| sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:50:18:50:25 | ControlFlowNode for username | provenance | | -| sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:51:24:51:31 | ControlFlowNode for username | provenance | | +| sql_injection.py:14:15:14:22 | username | sql_injection.py:21:24:21:77 | After BinaryExpr | provenance | | +| sql_injection.py:14:15:14:22 | username | sql_injection.py:24:38:24:95 | After BinaryExpr | provenance | | +| sql_injection.py:14:15:14:22 | username | sql_injection.py:25:26:25:83 | After BinaryExpr | provenance | | +| sql_injection.py:14:15:14:22 | username | sql_injection.py:26:28:26:85 | After BinaryExpr | provenance | | +| sqlalchemy_textclause.py:23:15:23:22 | username | sqlalchemy_textclause.py:27:28:27:87 | After Attribute() | provenance | | +| sqlalchemy_textclause.py:23:15:23:22 | username | sqlalchemy_textclause.py:31:50:31:72 | After Attribute() | provenance | | +| sqlalchemy_textclause.py:23:15:23:22 | username | sqlalchemy_textclause.py:41:26:41:33 | username | provenance | | +| sqlalchemy_textclause.py:23:15:23:22 | username | sqlalchemy_textclause.py:42:31:42:38 | username | provenance | | +| sqlalchemy_textclause.py:23:15:23:22 | username | sqlalchemy_textclause.py:43:30:43:37 | username | provenance | | +| sqlalchemy_textclause.py:23:15:23:22 | username | sqlalchemy_textclause.py:44:35:44:42 | username | provenance | | +| sqlalchemy_textclause.py:23:15:23:22 | username | sqlalchemy_textclause.py:45:41:45:48 | username | provenance | | +| sqlalchemy_textclause.py:23:15:23:22 | username | sqlalchemy_textclause.py:46:46:46:53 | username | provenance | | +| sqlalchemy_textclause.py:23:15:23:22 | username | sqlalchemy_textclause.py:47:47:47:54 | 
username | provenance | | +| sqlalchemy_textclause.py:23:15:23:22 | username | sqlalchemy_textclause.py:48:52:48:59 | username | provenance | | +| sqlalchemy_textclause.py:23:15:23:22 | username | sqlalchemy_textclause.py:50:18:50:25 | username | provenance | | +| sqlalchemy_textclause.py:23:15:23:22 | username | sqlalchemy_textclause.py:51:24:51:31 | username | provenance | | nodes -| sql_injection.py:14:15:14:22 | ControlFlowNode for username | semmle.label | ControlFlowNode for username | -| sql_injection.py:21:24:21:77 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr | -| sql_injection.py:24:38:24:95 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr | -| sql_injection.py:25:26:25:83 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr | -| sql_injection.py:26:28:26:85 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr | -| sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | semmle.label | ControlFlowNode for username | -| sqlalchemy_textclause.py:27:28:27:87 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| sqlalchemy_textclause.py:31:50:31:72 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| sqlalchemy_textclause.py:41:26:41:33 | ControlFlowNode for username | semmle.label | ControlFlowNode for username | -| sqlalchemy_textclause.py:42:31:42:38 | ControlFlowNode for username | semmle.label | ControlFlowNode for username | -| sqlalchemy_textclause.py:43:30:43:37 | ControlFlowNode for username | semmle.label | ControlFlowNode for username | -| sqlalchemy_textclause.py:44:35:44:42 | ControlFlowNode for username | semmle.label | ControlFlowNode for username | -| sqlalchemy_textclause.py:45:41:45:48 | ControlFlowNode for username | semmle.label | ControlFlowNode for username | -| sqlalchemy_textclause.py:46:46:46:53 | ControlFlowNode for username | 
semmle.label | ControlFlowNode for username | -| sqlalchemy_textclause.py:47:47:47:54 | ControlFlowNode for username | semmle.label | ControlFlowNode for username | -| sqlalchemy_textclause.py:48:52:48:59 | ControlFlowNode for username | semmle.label | ControlFlowNode for username | -| sqlalchemy_textclause.py:50:18:50:25 | ControlFlowNode for username | semmle.label | ControlFlowNode for username | -| sqlalchemy_textclause.py:51:24:51:31 | ControlFlowNode for username | semmle.label | ControlFlowNode for username | +| sql_injection.py:14:15:14:22 | username | semmle.label | username | +| sql_injection.py:21:24:21:77 | After BinaryExpr | semmle.label | After BinaryExpr | +| sql_injection.py:24:38:24:95 | After BinaryExpr | semmle.label | After BinaryExpr | +| sql_injection.py:25:26:25:83 | After BinaryExpr | semmle.label | After BinaryExpr | +| sql_injection.py:26:28:26:85 | After BinaryExpr | semmle.label | After BinaryExpr | +| sqlalchemy_textclause.py:23:15:23:22 | username | semmle.label | username | +| sqlalchemy_textclause.py:27:28:27:87 | After Attribute() | semmle.label | After Attribute() | +| sqlalchemy_textclause.py:31:50:31:72 | After Attribute() | semmle.label | After Attribute() | +| sqlalchemy_textclause.py:41:26:41:33 | username | semmle.label | username | +| sqlalchemy_textclause.py:42:31:42:38 | username | semmle.label | username | +| sqlalchemy_textclause.py:43:30:43:37 | username | semmle.label | username | +| sqlalchemy_textclause.py:44:35:44:42 | username | semmle.label | username | +| sqlalchemy_textclause.py:45:41:45:48 | username | semmle.label | username | +| sqlalchemy_textclause.py:46:46:46:53 | username | semmle.label | username | +| sqlalchemy_textclause.py:47:47:47:54 | username | semmle.label | username | +| sqlalchemy_textclause.py:48:52:48:59 | username | semmle.label | username | +| sqlalchemy_textclause.py:50:18:50:25 | username | semmle.label | username | +| sqlalchemy_textclause.py:51:24:51:31 | username | semmle.label | 
username | subpaths #select -| sql_injection.py:21:24:21:77 | ControlFlowNode for BinaryExpr | sql_injection.py:14:15:14:22 | ControlFlowNode for username | sql_injection.py:21:24:21:77 | ControlFlowNode for BinaryExpr | This SQL query depends on a $@. | sql_injection.py:14:15:14:22 | ControlFlowNode for username | user-provided value | -| sql_injection.py:24:38:24:95 | ControlFlowNode for BinaryExpr | sql_injection.py:14:15:14:22 | ControlFlowNode for username | sql_injection.py:24:38:24:95 | ControlFlowNode for BinaryExpr | This SQL query depends on a $@. | sql_injection.py:14:15:14:22 | ControlFlowNode for username | user-provided value | -| sql_injection.py:25:26:25:83 | ControlFlowNode for BinaryExpr | sql_injection.py:14:15:14:22 | ControlFlowNode for username | sql_injection.py:25:26:25:83 | ControlFlowNode for BinaryExpr | This SQL query depends on a $@. | sql_injection.py:14:15:14:22 | ControlFlowNode for username | user-provided value | -| sql_injection.py:26:28:26:85 | ControlFlowNode for BinaryExpr | sql_injection.py:14:15:14:22 | ControlFlowNode for username | sql_injection.py:26:28:26:85 | ControlFlowNode for BinaryExpr | This SQL query depends on a $@. | sql_injection.py:14:15:14:22 | ControlFlowNode for username | user-provided value | -| sqlalchemy_textclause.py:27:28:27:87 | ControlFlowNode for Attribute() | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:27:28:27:87 | ControlFlowNode for Attribute() | This SQL query depends on a $@. | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | user-provided value | -| sqlalchemy_textclause.py:31:50:31:72 | ControlFlowNode for Attribute() | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:31:50:31:72 | ControlFlowNode for Attribute() | This SQL query depends on a $@. 
| sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | user-provided value | -| sqlalchemy_textclause.py:41:26:41:33 | ControlFlowNode for username | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:41:26:41:33 | ControlFlowNode for username | This SQL query depends on a $@. | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | user-provided value | -| sqlalchemy_textclause.py:42:31:42:38 | ControlFlowNode for username | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:42:31:42:38 | ControlFlowNode for username | This SQL query depends on a $@. | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | user-provided value | -| sqlalchemy_textclause.py:43:30:43:37 | ControlFlowNode for username | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:43:30:43:37 | ControlFlowNode for username | This SQL query depends on a $@. | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | user-provided value | -| sqlalchemy_textclause.py:44:35:44:42 | ControlFlowNode for username | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:44:35:44:42 | ControlFlowNode for username | This SQL query depends on a $@. | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | user-provided value | -| sqlalchemy_textclause.py:45:41:45:48 | ControlFlowNode for username | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:45:41:45:48 | ControlFlowNode for username | This SQL query depends on a $@. 
| sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | user-provided value | -| sqlalchemy_textclause.py:46:46:46:53 | ControlFlowNode for username | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:46:46:46:53 | ControlFlowNode for username | This SQL query depends on a $@. | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | user-provided value | -| sqlalchemy_textclause.py:47:47:47:54 | ControlFlowNode for username | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:47:47:47:54 | ControlFlowNode for username | This SQL query depends on a $@. | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | user-provided value | -| sqlalchemy_textclause.py:48:52:48:59 | ControlFlowNode for username | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:48:52:48:59 | ControlFlowNode for username | This SQL query depends on a $@. | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | user-provided value | -| sqlalchemy_textclause.py:50:18:50:25 | ControlFlowNode for username | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:50:18:50:25 | ControlFlowNode for username | This SQL query depends on a $@. | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | user-provided value | -| sqlalchemy_textclause.py:51:24:51:31 | ControlFlowNode for username | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | sqlalchemy_textclause.py:51:24:51:31 | ControlFlowNode for username | This SQL query depends on a $@. | sqlalchemy_textclause.py:23:15:23:22 | ControlFlowNode for username | user-provided value | +| sql_injection.py:21:24:21:77 | After BinaryExpr | sql_injection.py:14:15:14:22 | username | sql_injection.py:21:24:21:77 | After BinaryExpr | This SQL query depends on a $@. 
| sql_injection.py:14:15:14:22 | username | user-provided value | +| sql_injection.py:24:38:24:95 | After BinaryExpr | sql_injection.py:14:15:14:22 | username | sql_injection.py:24:38:24:95 | After BinaryExpr | This SQL query depends on a $@. | sql_injection.py:14:15:14:22 | username | user-provided value | +| sql_injection.py:25:26:25:83 | After BinaryExpr | sql_injection.py:14:15:14:22 | username | sql_injection.py:25:26:25:83 | After BinaryExpr | This SQL query depends on a $@. | sql_injection.py:14:15:14:22 | username | user-provided value | +| sql_injection.py:26:28:26:85 | After BinaryExpr | sql_injection.py:14:15:14:22 | username | sql_injection.py:26:28:26:85 | After BinaryExpr | This SQL query depends on a $@. | sql_injection.py:14:15:14:22 | username | user-provided value | +| sqlalchemy_textclause.py:27:28:27:87 | After Attribute() | sqlalchemy_textclause.py:23:15:23:22 | username | sqlalchemy_textclause.py:27:28:27:87 | After Attribute() | This SQL query depends on a $@. | sqlalchemy_textclause.py:23:15:23:22 | username | user-provided value | +| sqlalchemy_textclause.py:31:50:31:72 | After Attribute() | sqlalchemy_textclause.py:23:15:23:22 | username | sqlalchemy_textclause.py:31:50:31:72 | After Attribute() | This SQL query depends on a $@. | sqlalchemy_textclause.py:23:15:23:22 | username | user-provided value | +| sqlalchemy_textclause.py:41:26:41:33 | username | sqlalchemy_textclause.py:23:15:23:22 | username | sqlalchemy_textclause.py:41:26:41:33 | username | This SQL query depends on a $@. | sqlalchemy_textclause.py:23:15:23:22 | username | user-provided value | +| sqlalchemy_textclause.py:42:31:42:38 | username | sqlalchemy_textclause.py:23:15:23:22 | username | sqlalchemy_textclause.py:42:31:42:38 | username | This SQL query depends on a $@. 
| sqlalchemy_textclause.py:23:15:23:22 | username | user-provided value | +| sqlalchemy_textclause.py:43:30:43:37 | username | sqlalchemy_textclause.py:23:15:23:22 | username | sqlalchemy_textclause.py:43:30:43:37 | username | This SQL query depends on a $@. | sqlalchemy_textclause.py:23:15:23:22 | username | user-provided value | +| sqlalchemy_textclause.py:44:35:44:42 | username | sqlalchemy_textclause.py:23:15:23:22 | username | sqlalchemy_textclause.py:44:35:44:42 | username | This SQL query depends on a $@. | sqlalchemy_textclause.py:23:15:23:22 | username | user-provided value | +| sqlalchemy_textclause.py:45:41:45:48 | username | sqlalchemy_textclause.py:23:15:23:22 | username | sqlalchemy_textclause.py:45:41:45:48 | username | This SQL query depends on a $@. | sqlalchemy_textclause.py:23:15:23:22 | username | user-provided value | +| sqlalchemy_textclause.py:46:46:46:53 | username | sqlalchemy_textclause.py:23:15:23:22 | username | sqlalchemy_textclause.py:46:46:46:53 | username | This SQL query depends on a $@. | sqlalchemy_textclause.py:23:15:23:22 | username | user-provided value | +| sqlalchemy_textclause.py:47:47:47:54 | username | sqlalchemy_textclause.py:23:15:23:22 | username | sqlalchemy_textclause.py:47:47:47:54 | username | This SQL query depends on a $@. | sqlalchemy_textclause.py:23:15:23:22 | username | user-provided value | +| sqlalchemy_textclause.py:48:52:48:59 | username | sqlalchemy_textclause.py:23:15:23:22 | username | sqlalchemy_textclause.py:48:52:48:59 | username | This SQL query depends on a $@. | sqlalchemy_textclause.py:23:15:23:22 | username | user-provided value | +| sqlalchemy_textclause.py:50:18:50:25 | username | sqlalchemy_textclause.py:23:15:23:22 | username | sqlalchemy_textclause.py:50:18:50:25 | username | This SQL query depends on a $@. 
| sqlalchemy_textclause.py:23:15:23:22 | username | user-provided value | +| sqlalchemy_textclause.py:51:24:51:31 | username | sqlalchemy_textclause.py:23:15:23:22 | username | sqlalchemy_textclause.py:51:24:51:31 | username | This SQL query depends on a $@. | sqlalchemy_textclause.py:23:15:23:22 | username | user-provided value | diff --git a/python/ql/test/query-tests/Security/CWE-090-LdapInjection/LdapInjection.expected b/python/ql/test/query-tests/Security/CWE-090-LdapInjection/LdapInjection.expected index 20170029899..635960e2c48 100644 --- a/python/ql/test/query-tests/Security/CWE-090-LdapInjection/LdapInjection.expected +++ b/python/ql/test/query-tests/Security/CWE-090-LdapInjection/LdapInjection.expected 
@@ -1,121 +1,121 @@ edges -| ldap3_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | ldap3_bad.py:1:19:1:25 | ControlFlowNode for request | provenance | | -| ldap3_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | ldap3_bad.py:1:19:1:25 | ControlFlowNode for request | provenance | | -| ldap3_bad.py:1:19:1:25 | ControlFlowNode for request | ldap3_bad.py:13:17:13:23 | ControlFlowNode for request | provenance | | -| ldap3_bad.py:1:19:1:25 | ControlFlowNode for request | ldap3_bad.py:13:17:13:23 | ControlFlowNode for request | provenance | | -| ldap3_bad.py:1:19:1:25 | ControlFlowNode for request | ldap3_bad.py:14:21:14:27 | ControlFlowNode for request | provenance | | -| ldap3_bad.py:1:19:1:25 | ControlFlowNode for request | ldap3_bad.py:30:17:30:23 | ControlFlowNode for request | provenance | | -| ldap3_bad.py:1:19:1:25 | ControlFlowNode for request | ldap3_bad.py:30:17:30:23 | ControlFlowNode for request | provenance | | -| ldap3_bad.py:1:19:1:25 | ControlFlowNode for request | ldap3_bad.py:31:21:31:27 | ControlFlowNode for request | provenance | | -| ldap3_bad.py:13:5:13:13 | ControlFlowNode for unsafe_dc | ldap3_bad.py:16:5:16:6 | ControlFlowNode for dn | provenance | | -| ldap3_bad.py:13:17:13:23 | ControlFlowNode for request | ldap3_bad.py:13:5:13:13 | ControlFlowNode for unsafe_dc | provenance | AdditionalTaintStep | -| ldap3_bad.py:13:17:13:23 | ControlFlowNode for request | ldap3_bad.py:14:5:14:17 | ControlFlowNode for unsafe_filter | provenance | AdditionalTaintStep | -| ldap3_bad.py:14:5:14:17 | ControlFlowNode for unsafe_filter | ldap3_bad.py:17:5:17:17 | ControlFlowNode for search_filter | provenance | | -| ldap3_bad.py:14:21:14:27 | ControlFlowNode for request | ldap3_bad.py:14:5:14:17 | ControlFlowNode for unsafe_filter | provenance | AdditionalTaintStep | -| ldap3_bad.py:16:5:16:6 | ControlFlowNode for dn | ldap3_bad.py:21:17:21:18 | ControlFlowNode for dn | provenance | | -| ldap3_bad.py:17:5:17:17 | ControlFlowNode for search_filter | 
ldap3_bad.py:21:21:21:33 | ControlFlowNode for search_filter | provenance | | -| ldap3_bad.py:30:5:30:13 | ControlFlowNode for unsafe_dc | ldap3_bad.py:33:5:33:6 | ControlFlowNode for dn | provenance | | -| ldap3_bad.py:30:17:30:23 | ControlFlowNode for request | ldap3_bad.py:30:5:30:13 | ControlFlowNode for unsafe_dc | provenance | AdditionalTaintStep | -| ldap3_bad.py:30:17:30:23 | ControlFlowNode for request | ldap3_bad.py:31:5:31:17 | ControlFlowNode for unsafe_filter | provenance | AdditionalTaintStep | -| ldap3_bad.py:31:5:31:17 | ControlFlowNode for unsafe_filter | ldap3_bad.py:34:5:34:17 | ControlFlowNode for search_filter | provenance | | -| ldap3_bad.py:31:21:31:27 | ControlFlowNode for request | ldap3_bad.py:31:5:31:17 | ControlFlowNode for unsafe_filter | provenance | AdditionalTaintStep | -| ldap3_bad.py:33:5:33:6 | ControlFlowNode for dn | ldap3_bad.py:38:9:38:10 | ControlFlowNode for dn | provenance | | -| ldap3_bad.py:34:5:34:17 | ControlFlowNode for search_filter | ldap3_bad.py:38:13:38:25 | ControlFlowNode for search_filter | provenance | | -| ldap_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | ldap_bad.py:1:19:1:25 | ControlFlowNode for request | provenance | | -| ldap_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | ldap_bad.py:1:19:1:25 | ControlFlowNode for request | provenance | | -| ldap_bad.py:1:19:1:25 | ControlFlowNode for request | ldap_bad.py:13:17:13:23 | ControlFlowNode for request | provenance | | -| ldap_bad.py:1:19:1:25 | ControlFlowNode for request | ldap_bad.py:13:17:13:23 | ControlFlowNode for request | provenance | | -| ldap_bad.py:1:19:1:25 | ControlFlowNode for request | ldap_bad.py:14:21:14:27 | ControlFlowNode for request | provenance | | -| ldap_bad.py:1:19:1:25 | ControlFlowNode for request | ldap_bad.py:30:17:30:23 | ControlFlowNode for request | provenance | | -| ldap_bad.py:1:19:1:25 | ControlFlowNode for request | ldap_bad.py:30:17:30:23 | ControlFlowNode for request | provenance | | -| 
ldap_bad.py:1:19:1:25 | ControlFlowNode for request | ldap_bad.py:31:21:31:27 | ControlFlowNode for request | provenance | | -| ldap_bad.py:1:19:1:25 | ControlFlowNode for request | ldap_bad.py:47:17:47:23 | ControlFlowNode for request | provenance | | -| ldap_bad.py:1:19:1:25 | ControlFlowNode for request | ldap_bad.py:47:17:47:23 | ControlFlowNode for request | provenance | | -| ldap_bad.py:1:19:1:25 | ControlFlowNode for request | ldap_bad.py:48:21:48:27 | ControlFlowNode for request | provenance | | -| ldap_bad.py:13:5:13:13 | ControlFlowNode for unsafe_dc | ldap_bad.py:16:5:16:6 | ControlFlowNode for dn | provenance | | -| ldap_bad.py:13:17:13:23 | ControlFlowNode for request | ldap_bad.py:13:5:13:13 | ControlFlowNode for unsafe_dc | provenance | AdditionalTaintStep | -| ldap_bad.py:13:17:13:23 | ControlFlowNode for request | ldap_bad.py:14:5:14:17 | ControlFlowNode for unsafe_filter | provenance | AdditionalTaintStep | -| ldap_bad.py:14:5:14:17 | ControlFlowNode for unsafe_filter | ldap_bad.py:17:5:17:17 | ControlFlowNode for search_filter | provenance | | -| ldap_bad.py:14:21:14:27 | ControlFlowNode for request | ldap_bad.py:14:5:14:17 | ControlFlowNode for unsafe_filter | provenance | AdditionalTaintStep | -| ldap_bad.py:16:5:16:6 | ControlFlowNode for dn | ldap_bad.py:21:9:21:10 | ControlFlowNode for dn | provenance | | -| ldap_bad.py:17:5:17:17 | ControlFlowNode for search_filter | ldap_bad.py:21:33:21:45 | ControlFlowNode for search_filter | provenance | | -| ldap_bad.py:30:5:30:13 | ControlFlowNode for unsafe_dc | ldap_bad.py:33:5:33:6 | ControlFlowNode for dn | provenance | | -| ldap_bad.py:30:17:30:23 | ControlFlowNode for request | ldap_bad.py:30:5:30:13 | ControlFlowNode for unsafe_dc | provenance | AdditionalTaintStep | -| ldap_bad.py:30:17:30:23 | ControlFlowNode for request | ldap_bad.py:31:5:31:17 | ControlFlowNode for unsafe_filter | provenance | AdditionalTaintStep | -| ldap_bad.py:31:5:31:17 | ControlFlowNode for unsafe_filter | 
ldap_bad.py:34:5:34:17 | ControlFlowNode for search_filter | provenance | | -| ldap_bad.py:31:21:31:27 | ControlFlowNode for request | ldap_bad.py:31:5:31:17 | ControlFlowNode for unsafe_filter | provenance | AdditionalTaintStep | -| ldap_bad.py:33:5:33:6 | ControlFlowNode for dn | ldap_bad.py:37:9:37:10 | ControlFlowNode for dn | provenance | | -| ldap_bad.py:34:5:34:17 | ControlFlowNode for search_filter | ldap_bad.py:37:33:37:45 | ControlFlowNode for search_filter | provenance | | -| ldap_bad.py:47:5:47:13 | ControlFlowNode for unsafe_dc | ldap_bad.py:50:5:50:6 | ControlFlowNode for dn | provenance | | -| ldap_bad.py:47:17:47:23 | ControlFlowNode for request | ldap_bad.py:47:5:47:13 | ControlFlowNode for unsafe_dc | provenance | AdditionalTaintStep | -| ldap_bad.py:47:17:47:23 | ControlFlowNode for request | ldap_bad.py:48:5:48:17 | ControlFlowNode for unsafe_filter | provenance | AdditionalTaintStep | -| ldap_bad.py:48:5:48:17 | ControlFlowNode for unsafe_filter | ldap_bad.py:51:5:51:17 | ControlFlowNode for search_filter | provenance | | -| ldap_bad.py:48:21:48:27 | ControlFlowNode for request | ldap_bad.py:48:5:48:17 | ControlFlowNode for unsafe_filter | provenance | AdditionalTaintStep | -| ldap_bad.py:50:5:50:6 | ControlFlowNode for dn | ldap_bad.py:55:9:55:10 | ControlFlowNode for dn | provenance | | -| ldap_bad.py:51:5:51:17 | ControlFlowNode for search_filter | ldap_bad.py:55:43:55:55 | ControlFlowNode for search_filter | provenance | | +| ldap3_bad.py:1:19:1:25 | After ImportMember | ldap3_bad.py:1:19:1:25 | request | provenance | | +| ldap3_bad.py:1:19:1:25 | After ImportMember | ldap3_bad.py:1:19:1:25 | request | provenance | | +| ldap3_bad.py:1:19:1:25 | request | ldap3_bad.py:13:17:13:23 | request | provenance | | +| ldap3_bad.py:1:19:1:25 | request | ldap3_bad.py:13:17:13:23 | request | provenance | | +| ldap3_bad.py:1:19:1:25 | request | ldap3_bad.py:14:21:14:27 | request | provenance | | +| ldap3_bad.py:1:19:1:25 | request | 
ldap3_bad.py:30:17:30:23 | request | provenance | | +| ldap3_bad.py:1:19:1:25 | request | ldap3_bad.py:30:17:30:23 | request | provenance | | +| ldap3_bad.py:1:19:1:25 | request | ldap3_bad.py:31:21:31:27 | request | provenance | | +| ldap3_bad.py:13:5:13:13 | unsafe_dc | ldap3_bad.py:16:5:16:6 | dn | provenance | | +| ldap3_bad.py:13:17:13:23 | request | ldap3_bad.py:13:5:13:13 | unsafe_dc | provenance | AdditionalTaintStep | +| ldap3_bad.py:13:17:13:23 | request | ldap3_bad.py:14:5:14:17 | unsafe_filter | provenance | AdditionalTaintStep | +| ldap3_bad.py:14:5:14:17 | unsafe_filter | ldap3_bad.py:17:5:17:17 | search_filter | provenance | | +| ldap3_bad.py:14:21:14:27 | request | ldap3_bad.py:14:5:14:17 | unsafe_filter | provenance | AdditionalTaintStep | +| ldap3_bad.py:16:5:16:6 | dn | ldap3_bad.py:21:17:21:18 | dn | provenance | | +| ldap3_bad.py:17:5:17:17 | search_filter | ldap3_bad.py:21:21:21:33 | search_filter | provenance | | +| ldap3_bad.py:30:5:30:13 | unsafe_dc | ldap3_bad.py:33:5:33:6 | dn | provenance | | +| ldap3_bad.py:30:17:30:23 | request | ldap3_bad.py:30:5:30:13 | unsafe_dc | provenance | AdditionalTaintStep | +| ldap3_bad.py:30:17:30:23 | request | ldap3_bad.py:31:5:31:17 | unsafe_filter | provenance | AdditionalTaintStep | +| ldap3_bad.py:31:5:31:17 | unsafe_filter | ldap3_bad.py:34:5:34:17 | search_filter | provenance | | +| ldap3_bad.py:31:21:31:27 | request | ldap3_bad.py:31:5:31:17 | unsafe_filter | provenance | AdditionalTaintStep | +| ldap3_bad.py:33:5:33:6 | dn | ldap3_bad.py:38:9:38:10 | dn | provenance | | +| ldap3_bad.py:34:5:34:17 | search_filter | ldap3_bad.py:38:13:38:25 | search_filter | provenance | | +| ldap_bad.py:1:19:1:25 | After ImportMember | ldap_bad.py:1:19:1:25 | request | provenance | | +| ldap_bad.py:1:19:1:25 | After ImportMember | ldap_bad.py:1:19:1:25 | request | provenance | | +| ldap_bad.py:1:19:1:25 | request | ldap_bad.py:13:17:13:23 | request | provenance | | +| ldap_bad.py:1:19:1:25 | request | 
ldap_bad.py:13:17:13:23 | request | provenance | | +| ldap_bad.py:1:19:1:25 | request | ldap_bad.py:14:21:14:27 | request | provenance | | +| ldap_bad.py:1:19:1:25 | request | ldap_bad.py:30:17:30:23 | request | provenance | | +| ldap_bad.py:1:19:1:25 | request | ldap_bad.py:30:17:30:23 | request | provenance | | +| ldap_bad.py:1:19:1:25 | request | ldap_bad.py:31:21:31:27 | request | provenance | | +| ldap_bad.py:1:19:1:25 | request | ldap_bad.py:47:17:47:23 | request | provenance | | +| ldap_bad.py:1:19:1:25 | request | ldap_bad.py:47:17:47:23 | request | provenance | | +| ldap_bad.py:1:19:1:25 | request | ldap_bad.py:48:21:48:27 | request | provenance | | +| ldap_bad.py:13:5:13:13 | unsafe_dc | ldap_bad.py:16:5:16:6 | dn | provenance | | +| ldap_bad.py:13:17:13:23 | request | ldap_bad.py:13:5:13:13 | unsafe_dc | provenance | AdditionalTaintStep | +| ldap_bad.py:13:17:13:23 | request | ldap_bad.py:14:5:14:17 | unsafe_filter | provenance | AdditionalTaintStep | +| ldap_bad.py:14:5:14:17 | unsafe_filter | ldap_bad.py:17:5:17:17 | search_filter | provenance | | +| ldap_bad.py:14:21:14:27 | request | ldap_bad.py:14:5:14:17 | unsafe_filter | provenance | AdditionalTaintStep | +| ldap_bad.py:16:5:16:6 | dn | ldap_bad.py:21:9:21:10 | dn | provenance | | +| ldap_bad.py:17:5:17:17 | search_filter | ldap_bad.py:21:33:21:45 | search_filter | provenance | | +| ldap_bad.py:30:5:30:13 | unsafe_dc | ldap_bad.py:33:5:33:6 | dn | provenance | | +| ldap_bad.py:30:17:30:23 | request | ldap_bad.py:30:5:30:13 | unsafe_dc | provenance | AdditionalTaintStep | +| ldap_bad.py:30:17:30:23 | request | ldap_bad.py:31:5:31:17 | unsafe_filter | provenance | AdditionalTaintStep | +| ldap_bad.py:31:5:31:17 | unsafe_filter | ldap_bad.py:34:5:34:17 | search_filter | provenance | | +| ldap_bad.py:31:21:31:27 | request | ldap_bad.py:31:5:31:17 | unsafe_filter | provenance | AdditionalTaintStep | +| ldap_bad.py:33:5:33:6 | dn | ldap_bad.py:37:9:37:10 | dn | provenance | | +| ldap_bad.py:34:5:34:17 | 
search_filter | ldap_bad.py:37:33:37:45 | search_filter | provenance | | +| ldap_bad.py:47:5:47:13 | unsafe_dc | ldap_bad.py:50:5:50:6 | dn | provenance | | +| ldap_bad.py:47:17:47:23 | request | ldap_bad.py:47:5:47:13 | unsafe_dc | provenance | AdditionalTaintStep | +| ldap_bad.py:47:17:47:23 | request | ldap_bad.py:48:5:48:17 | unsafe_filter | provenance | AdditionalTaintStep | +| ldap_bad.py:48:5:48:17 | unsafe_filter | ldap_bad.py:51:5:51:17 | search_filter | provenance | | +| ldap_bad.py:48:21:48:27 | request | ldap_bad.py:48:5:48:17 | unsafe_filter | provenance | AdditionalTaintStep | +| ldap_bad.py:50:5:50:6 | dn | ldap_bad.py:55:9:55:10 | dn | provenance | | +| ldap_bad.py:51:5:51:17 | search_filter | ldap_bad.py:55:43:55:55 | search_filter | provenance | | nodes -| ldap3_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember | -| ldap3_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember | -| ldap3_bad.py:1:19:1:25 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| ldap3_bad.py:1:19:1:25 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| ldap3_bad.py:13:5:13:13 | ControlFlowNode for unsafe_dc | semmle.label | ControlFlowNode for unsafe_dc | -| ldap3_bad.py:13:17:13:23 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| ldap3_bad.py:13:17:13:23 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| ldap3_bad.py:14:5:14:17 | ControlFlowNode for unsafe_filter | semmle.label | ControlFlowNode for unsafe_filter | -| ldap3_bad.py:14:21:14:27 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| ldap3_bad.py:16:5:16:6 | ControlFlowNode for dn | semmle.label | ControlFlowNode for dn | -| ldap3_bad.py:17:5:17:17 | ControlFlowNode for search_filter | semmle.label | ControlFlowNode for search_filter | -| ldap3_bad.py:21:17:21:18 | 
ControlFlowNode for dn | semmle.label | ControlFlowNode for dn | -| ldap3_bad.py:21:21:21:33 | ControlFlowNode for search_filter | semmle.label | ControlFlowNode for search_filter | -| ldap3_bad.py:30:5:30:13 | ControlFlowNode for unsafe_dc | semmle.label | ControlFlowNode for unsafe_dc | -| ldap3_bad.py:30:17:30:23 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| ldap3_bad.py:30:17:30:23 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| ldap3_bad.py:31:5:31:17 | ControlFlowNode for unsafe_filter | semmle.label | ControlFlowNode for unsafe_filter | -| ldap3_bad.py:31:21:31:27 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| ldap3_bad.py:33:5:33:6 | ControlFlowNode for dn | semmle.label | ControlFlowNode for dn | -| ldap3_bad.py:34:5:34:17 | ControlFlowNode for search_filter | semmle.label | ControlFlowNode for search_filter | -| ldap3_bad.py:38:9:38:10 | ControlFlowNode for dn | semmle.label | ControlFlowNode for dn | -| ldap3_bad.py:38:13:38:25 | ControlFlowNode for search_filter | semmle.label | ControlFlowNode for search_filter | -| ldap_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember | -| ldap_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember | -| ldap_bad.py:1:19:1:25 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| ldap_bad.py:1:19:1:25 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| ldap_bad.py:13:5:13:13 | ControlFlowNode for unsafe_dc | semmle.label | ControlFlowNode for unsafe_dc | -| ldap_bad.py:13:17:13:23 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| ldap_bad.py:13:17:13:23 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| ldap_bad.py:14:5:14:17 | ControlFlowNode for unsafe_filter | semmle.label | ControlFlowNode for unsafe_filter | 
-| ldap_bad.py:14:21:14:27 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| ldap_bad.py:16:5:16:6 | ControlFlowNode for dn | semmle.label | ControlFlowNode for dn | -| ldap_bad.py:17:5:17:17 | ControlFlowNode for search_filter | semmle.label | ControlFlowNode for search_filter | -| ldap_bad.py:21:9:21:10 | ControlFlowNode for dn | semmle.label | ControlFlowNode for dn | -| ldap_bad.py:21:33:21:45 | ControlFlowNode for search_filter | semmle.label | ControlFlowNode for search_filter | -| ldap_bad.py:30:5:30:13 | ControlFlowNode for unsafe_dc | semmle.label | ControlFlowNode for unsafe_dc | -| ldap_bad.py:30:17:30:23 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| ldap_bad.py:30:17:30:23 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| ldap_bad.py:31:5:31:17 | ControlFlowNode for unsafe_filter | semmle.label | ControlFlowNode for unsafe_filter | -| ldap_bad.py:31:21:31:27 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| ldap_bad.py:33:5:33:6 | ControlFlowNode for dn | semmle.label | ControlFlowNode for dn | -| ldap_bad.py:34:5:34:17 | ControlFlowNode for search_filter | semmle.label | ControlFlowNode for search_filter | -| ldap_bad.py:37:9:37:10 | ControlFlowNode for dn | semmle.label | ControlFlowNode for dn | -| ldap_bad.py:37:33:37:45 | ControlFlowNode for search_filter | semmle.label | ControlFlowNode for search_filter | -| ldap_bad.py:47:5:47:13 | ControlFlowNode for unsafe_dc | semmle.label | ControlFlowNode for unsafe_dc | -| ldap_bad.py:47:17:47:23 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| ldap_bad.py:47:17:47:23 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| ldap_bad.py:48:5:48:17 | ControlFlowNode for unsafe_filter | semmle.label | ControlFlowNode for unsafe_filter | -| ldap_bad.py:48:21:48:27 | ControlFlowNode for request | semmle.label | ControlFlowNode for 
request | -| ldap_bad.py:50:5:50:6 | ControlFlowNode for dn | semmle.label | ControlFlowNode for dn | -| ldap_bad.py:51:5:51:17 | ControlFlowNode for search_filter | semmle.label | ControlFlowNode for search_filter | -| ldap_bad.py:55:9:55:10 | ControlFlowNode for dn | semmle.label | ControlFlowNode for dn | -| ldap_bad.py:55:43:55:55 | ControlFlowNode for search_filter | semmle.label | ControlFlowNode for search_filter | +| ldap3_bad.py:1:19:1:25 | After ImportMember | semmle.label | After ImportMember | +| ldap3_bad.py:1:19:1:25 | After ImportMember | semmle.label | After ImportMember | +| ldap3_bad.py:1:19:1:25 | request | semmle.label | request | +| ldap3_bad.py:1:19:1:25 | request | semmle.label | request | +| ldap3_bad.py:13:5:13:13 | unsafe_dc | semmle.label | unsafe_dc | +| ldap3_bad.py:13:17:13:23 | request | semmle.label | request | +| ldap3_bad.py:13:17:13:23 | request | semmle.label | request | +| ldap3_bad.py:14:5:14:17 | unsafe_filter | semmle.label | unsafe_filter | +| ldap3_bad.py:14:21:14:27 | request | semmle.label | request | +| ldap3_bad.py:16:5:16:6 | dn | semmle.label | dn | +| ldap3_bad.py:17:5:17:17 | search_filter | semmle.label | search_filter | +| ldap3_bad.py:21:17:21:18 | dn | semmle.label | dn | +| ldap3_bad.py:21:21:21:33 | search_filter | semmle.label | search_filter | +| ldap3_bad.py:30:5:30:13 | unsafe_dc | semmle.label | unsafe_dc | +| ldap3_bad.py:30:17:30:23 | request | semmle.label | request | +| ldap3_bad.py:30:17:30:23 | request | semmle.label | request | +| ldap3_bad.py:31:5:31:17 | unsafe_filter | semmle.label | unsafe_filter | +| ldap3_bad.py:31:21:31:27 | request | semmle.label | request | +| ldap3_bad.py:33:5:33:6 | dn | semmle.label | dn | +| ldap3_bad.py:34:5:34:17 | search_filter | semmle.label | search_filter | +| ldap3_bad.py:38:9:38:10 | dn | semmle.label | dn | +| ldap3_bad.py:38:13:38:25 | search_filter | semmle.label | search_filter | +| ldap_bad.py:1:19:1:25 | After ImportMember | semmle.label | After 
ImportMember | +| ldap_bad.py:1:19:1:25 | After ImportMember | semmle.label | After ImportMember | +| ldap_bad.py:1:19:1:25 | request | semmle.label | request | +| ldap_bad.py:1:19:1:25 | request | semmle.label | request | +| ldap_bad.py:13:5:13:13 | unsafe_dc | semmle.label | unsafe_dc | +| ldap_bad.py:13:17:13:23 | request | semmle.label | request | +| ldap_bad.py:13:17:13:23 | request | semmle.label | request | +| ldap_bad.py:14:5:14:17 | unsafe_filter | semmle.label | unsafe_filter | +| ldap_bad.py:14:21:14:27 | request | semmle.label | request | +| ldap_bad.py:16:5:16:6 | dn | semmle.label | dn | +| ldap_bad.py:17:5:17:17 | search_filter | semmle.label | search_filter | +| ldap_bad.py:21:9:21:10 | dn | semmle.label | dn | +| ldap_bad.py:21:33:21:45 | search_filter | semmle.label | search_filter | +| ldap_bad.py:30:5:30:13 | unsafe_dc | semmle.label | unsafe_dc | +| ldap_bad.py:30:17:30:23 | request | semmle.label | request | +| ldap_bad.py:30:17:30:23 | request | semmle.label | request | +| ldap_bad.py:31:5:31:17 | unsafe_filter | semmle.label | unsafe_filter | +| ldap_bad.py:31:21:31:27 | request | semmle.label | request | +| ldap_bad.py:33:5:33:6 | dn | semmle.label | dn | +| ldap_bad.py:34:5:34:17 | search_filter | semmle.label | search_filter | +| ldap_bad.py:37:9:37:10 | dn | semmle.label | dn | +| ldap_bad.py:37:33:37:45 | search_filter | semmle.label | search_filter | +| ldap_bad.py:47:5:47:13 | unsafe_dc | semmle.label | unsafe_dc | +| ldap_bad.py:47:17:47:23 | request | semmle.label | request | +| ldap_bad.py:47:17:47:23 | request | semmle.label | request | +| ldap_bad.py:48:5:48:17 | unsafe_filter | semmle.label | unsafe_filter | +| ldap_bad.py:48:21:48:27 | request | semmle.label | request | +| ldap_bad.py:50:5:50:6 | dn | semmle.label | dn | +| ldap_bad.py:51:5:51:17 | search_filter | semmle.label | search_filter | +| ldap_bad.py:55:9:55:10 | dn | semmle.label | dn | +| ldap_bad.py:55:43:55:55 | search_filter | semmle.label | search_filter | 
subpaths #select -| ldap3_bad.py:21:17:21:18 | ControlFlowNode for dn | ldap3_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | ldap3_bad.py:21:17:21:18 | ControlFlowNode for dn | LDAP query parameter (DN) depends on a $@. | ldap3_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | -| ldap3_bad.py:21:21:21:33 | ControlFlowNode for search_filter | ldap3_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | ldap3_bad.py:21:21:21:33 | ControlFlowNode for search_filter | LDAP query parameter (filter) depends on a $@. | ldap3_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | -| ldap3_bad.py:38:9:38:10 | ControlFlowNode for dn | ldap3_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | ldap3_bad.py:38:9:38:10 | ControlFlowNode for dn | LDAP query parameter (DN) depends on a $@. | ldap3_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | -| ldap3_bad.py:38:13:38:25 | ControlFlowNode for search_filter | ldap3_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | ldap3_bad.py:38:13:38:25 | ControlFlowNode for search_filter | LDAP query parameter (filter) depends on a $@. | ldap3_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | -| ldap_bad.py:21:9:21:10 | ControlFlowNode for dn | ldap_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | ldap_bad.py:21:9:21:10 | ControlFlowNode for dn | LDAP query parameter (DN) depends on a $@. | ldap_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | -| ldap_bad.py:21:33:21:45 | ControlFlowNode for search_filter | ldap_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | ldap_bad.py:21:33:21:45 | ControlFlowNode for search_filter | LDAP query parameter (filter) depends on a $@. 
| ldap_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | -| ldap_bad.py:37:9:37:10 | ControlFlowNode for dn | ldap_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | ldap_bad.py:37:9:37:10 | ControlFlowNode for dn | LDAP query parameter (DN) depends on a $@. | ldap_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | -| ldap_bad.py:37:33:37:45 | ControlFlowNode for search_filter | ldap_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | ldap_bad.py:37:33:37:45 | ControlFlowNode for search_filter | LDAP query parameter (filter) depends on a $@. | ldap_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | -| ldap_bad.py:55:9:55:10 | ControlFlowNode for dn | ldap_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | ldap_bad.py:55:9:55:10 | ControlFlowNode for dn | LDAP query parameter (DN) depends on a $@. | ldap_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | -| ldap_bad.py:55:43:55:55 | ControlFlowNode for search_filter | ldap_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | ldap_bad.py:55:43:55:55 | ControlFlowNode for search_filter | LDAP query parameter (filter) depends on a $@. | ldap_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | +| ldap3_bad.py:21:17:21:18 | dn | ldap3_bad.py:1:19:1:25 | After ImportMember | ldap3_bad.py:21:17:21:18 | dn | LDAP query parameter (DN) depends on a $@. | ldap3_bad.py:1:19:1:25 | After ImportMember | user-provided value | +| ldap3_bad.py:21:21:21:33 | search_filter | ldap3_bad.py:1:19:1:25 | After ImportMember | ldap3_bad.py:21:21:21:33 | search_filter | LDAP query parameter (filter) depends on a $@. | ldap3_bad.py:1:19:1:25 | After ImportMember | user-provided value | +| ldap3_bad.py:38:9:38:10 | dn | ldap3_bad.py:1:19:1:25 | After ImportMember | ldap3_bad.py:38:9:38:10 | dn | LDAP query parameter (DN) depends on a $@. 
| ldap3_bad.py:1:19:1:25 | After ImportMember | user-provided value | +| ldap3_bad.py:38:13:38:25 | search_filter | ldap3_bad.py:1:19:1:25 | After ImportMember | ldap3_bad.py:38:13:38:25 | search_filter | LDAP query parameter (filter) depends on a $@. | ldap3_bad.py:1:19:1:25 | After ImportMember | user-provided value | +| ldap_bad.py:21:9:21:10 | dn | ldap_bad.py:1:19:1:25 | After ImportMember | ldap_bad.py:21:9:21:10 | dn | LDAP query parameter (DN) depends on a $@. | ldap_bad.py:1:19:1:25 | After ImportMember | user-provided value | +| ldap_bad.py:21:33:21:45 | search_filter | ldap_bad.py:1:19:1:25 | After ImportMember | ldap_bad.py:21:33:21:45 | search_filter | LDAP query parameter (filter) depends on a $@. | ldap_bad.py:1:19:1:25 | After ImportMember | user-provided value | +| ldap_bad.py:37:9:37:10 | dn | ldap_bad.py:1:19:1:25 | After ImportMember | ldap_bad.py:37:9:37:10 | dn | LDAP query parameter (DN) depends on a $@. | ldap_bad.py:1:19:1:25 | After ImportMember | user-provided value | +| ldap_bad.py:37:33:37:45 | search_filter | ldap_bad.py:1:19:1:25 | After ImportMember | ldap_bad.py:37:33:37:45 | search_filter | LDAP query parameter (filter) depends on a $@. | ldap_bad.py:1:19:1:25 | After ImportMember | user-provided value | +| ldap_bad.py:55:9:55:10 | dn | ldap_bad.py:1:19:1:25 | After ImportMember | ldap_bad.py:55:9:55:10 | dn | LDAP query parameter (DN) depends on a $@. | ldap_bad.py:1:19:1:25 | After ImportMember | user-provided value | +| ldap_bad.py:55:43:55:55 | search_filter | ldap_bad.py:1:19:1:25 | After ImportMember | ldap_bad.py:55:43:55:55 | search_filter | LDAP query parameter (filter) depends on a $@. | ldap_bad.py:1:19:1:25 | After ImportMember | user-provided value | diff --git a/python/ql/test/query-tests/Security/CWE-1004-NonHttpOnlyCookie/NonHttpOnlyCookie.expected b/python/ql/test/query-tests/Security/CWE-1004-NonHttpOnlyCookie/NonHttpOnlyCookie.expected index 7af8af8d870..0911567928d 100644 
--- a/python/ql/test/query-tests/Security/CWE-1004-NonHttpOnlyCookie/NonHttpOnlyCookie.expected +++ b/python/ql/test/query-tests/Security/CWE-1004-NonHttpOnlyCookie/NonHttpOnlyCookie.expected @@ -1,3 +1,3 @@ -| test.py:8:5:8:38 | ControlFlowNode for Attribute() | Sensitive server cookie is set without HttpOnly flag. | -| test.py:9:5:9:51 | ControlFlowNode for Attribute() | Sensitive server cookie is set without HttpOnly flag. | -| test.py:11:5:11:57 | ControlFlowNode for Attribute() | Sensitive server cookie is set without HttpOnly flag. | +| test.py:8:5:8:38 | After Attribute() | Sensitive server cookie is set without HttpOnly flag. | +| test.py:9:5:9:51 | After Attribute() | Sensitive server cookie is set without HttpOnly flag. | +| test.py:11:5:11:57 | After Attribute() | Sensitive server cookie is set without HttpOnly flag. | diff --git a/python/ql/test/query-tests/Security/CWE-113-HeaderInjection/Tests1/HeaderInjection.expected b/python/ql/test/query-tests/Security/CWE-113-HeaderInjection/Tests1/HeaderInjection.expected index 4043b933243..3aeb354ce06 100644 --- a/python/ql/test/query-tests/Security/CWE-113-HeaderInjection/Tests1/HeaderInjection.expected +++ b/python/ql/test/query-tests/Security/CWE-113-HeaderInjection/Tests1/HeaderInjection.expected 
@@ -1,68 +1,68 @@ #select -| flask_tests.py:13:17:13:26 | ControlFlowNode for rfs_header | flask_tests.py:1:29:1:35 | ControlFlowNode for ImportMember | flask_tests.py:13:17:13:26 | ControlFlowNode for rfs_header | This HTTP header is constructed from a $@. | flask_tests.py:1:29:1:35 | ControlFlowNode for ImportMember | user-provided value | -| flask_tests.py:20:36:20:61 | ControlFlowNode for Subscript | flask_tests.py:1:29:1:35 | ControlFlowNode for ImportMember | flask_tests.py:20:36:20:61 | ControlFlowNode for Subscript | This HTTP header is constructed from a $@. | flask_tests.py:1:29:1:35 | ControlFlowNode for ImportMember | user-provided value | -| flask_tests.py:33:11:33:20 | ControlFlowNode for rfs_header | flask_tests.py:1:29:1:35 | ControlFlowNode for ImportMember | flask_tests.py:33:11:33:20 | ControlFlowNode for rfs_header | This HTTP header is constructed from a $@. | flask_tests.py:1:29:1:35 | ControlFlowNode for ImportMember | user-provided value | -| flask_tests.py:35:12:35:21 | ControlFlowNode for rfs_header | flask_tests.py:1:29:1:35 | ControlFlowNode for ImportMember | flask_tests.py:35:12:35:21 | ControlFlowNode for rfs_header | This HTTP header is constructed from a $@. | flask_tests.py:1:29:1:35 | ControlFlowNode for ImportMember | user-provided value | -| http_test.py:12:40:12:50 | ControlFlowNode for input_value | http_test.py:5:16:5:19 | ControlFlowNode for self | http_test.py:12:40:12:50 | ControlFlowNode for input_value | This HTTP header is constructed from a $@. | http_test.py:5:16:5:19 | ControlFlowNode for self | user-provided value | -| wsgiref_tests.py:8:17:8:22 | ControlFlowNode for h_name | wsgiref_tests.py:4:14:4:20 | ControlFlowNode for environ | wsgiref_tests.py:8:17:8:22 | ControlFlowNode for h_name | This HTTP header is constructed from a $@. 
| wsgiref_tests.py:4:14:4:20 | ControlFlowNode for environ | user-provided value | -| wsgiref_tests.py:8:42:8:46 | ControlFlowNode for h_val | wsgiref_tests.py:4:14:4:20 | ControlFlowNode for environ | wsgiref_tests.py:8:42:8:46 | ControlFlowNode for h_val | This HTTP header is constructed from a $@. | wsgiref_tests.py:4:14:4:20 | ControlFlowNode for environ | user-provided value | +| flask_tests.py:13:17:13:26 | rfs_header | flask_tests.py:1:29:1:35 | After ImportMember | flask_tests.py:13:17:13:26 | rfs_header | This HTTP header is constructed from a $@. | flask_tests.py:1:29:1:35 | After ImportMember | user-provided value | +| flask_tests.py:20:36:20:61 | After Subscript | flask_tests.py:1:29:1:35 | After ImportMember | flask_tests.py:20:36:20:61 | After Subscript | This HTTP header is constructed from a $@. | flask_tests.py:1:29:1:35 | After ImportMember | user-provided value | +| flask_tests.py:33:11:33:20 | rfs_header | flask_tests.py:1:29:1:35 | After ImportMember | flask_tests.py:33:11:33:20 | rfs_header | This HTTP header is constructed from a $@. | flask_tests.py:1:29:1:35 | After ImportMember | user-provided value | +| flask_tests.py:35:12:35:21 | rfs_header | flask_tests.py:1:29:1:35 | After ImportMember | flask_tests.py:35:12:35:21 | rfs_header | This HTTP header is constructed from a $@. | flask_tests.py:1:29:1:35 | After ImportMember | user-provided value | +| http_test.py:12:40:12:50 | input_value | http_test.py:5:16:5:19 | self | http_test.py:12:40:12:50 | input_value | This HTTP header is constructed from a $@. | http_test.py:5:16:5:19 | self | user-provided value | +| wsgiref_tests.py:8:17:8:22 | h_name | wsgiref_tests.py:4:14:4:20 | environ | wsgiref_tests.py:8:17:8:22 | h_name | This HTTP header is constructed from a $@. | wsgiref_tests.py:4:14:4:20 | environ | user-provided value | +| wsgiref_tests.py:8:42:8:46 | h_val | wsgiref_tests.py:4:14:4:20 | environ | wsgiref_tests.py:8:42:8:46 | h_val | This HTTP header is constructed from a $@. 
| wsgiref_tests.py:4:14:4:20 | environ | user-provided value | edges -| flask_tests.py:1:29:1:35 | ControlFlowNode for ImportMember | flask_tests.py:1:29:1:35 | ControlFlowNode for request | provenance | | -| flask_tests.py:1:29:1:35 | ControlFlowNode for request | flask_tests.py:9:18:9:24 | ControlFlowNode for request | provenance | | -| flask_tests.py:1:29:1:35 | ControlFlowNode for request | flask_tests.py:19:18:19:24 | ControlFlowNode for request | provenance | | -| flask_tests.py:1:29:1:35 | ControlFlowNode for request | flask_tests.py:20:36:20:42 | ControlFlowNode for request | provenance | | -| flask_tests.py:1:29:1:35 | ControlFlowNode for request | flask_tests.py:31:18:31:24 | ControlFlowNode for request | provenance | | -| flask_tests.py:9:5:9:14 | ControlFlowNode for rfs_header | flask_tests.py:13:17:13:26 | ControlFlowNode for rfs_header | provenance | | -| flask_tests.py:9:18:9:24 | ControlFlowNode for request | flask_tests.py:9:5:9:14 | ControlFlowNode for rfs_header | provenance | AdditionalTaintStep | -| flask_tests.py:19:18:19:24 | ControlFlowNode for request | flask_tests.py:20:36:20:61 | ControlFlowNode for Subscript | provenance | AdditionalTaintStep | -| flask_tests.py:20:36:20:42 | ControlFlowNode for request | flask_tests.py:20:36:20:61 | ControlFlowNode for Subscript | provenance | AdditionalTaintStep | -| flask_tests.py:31:5:31:14 | ControlFlowNode for rfs_header | flask_tests.py:33:11:33:20 | ControlFlowNode for rfs_header | provenance | | -| flask_tests.py:31:5:31:14 | ControlFlowNode for rfs_header | flask_tests.py:35:12:35:21 | ControlFlowNode for rfs_header | provenance | | -| flask_tests.py:31:18:31:24 | ControlFlowNode for request | flask_tests.py:31:5:31:14 | ControlFlowNode for rfs_header | provenance | AdditionalTaintStep | -| http_test.py:5:16:5:19 | ControlFlowNode for self | http_test.py:6:45:6:53 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | -| http_test.py:6:9:6:19 | ControlFlowNode for parsed_path | 
http_test.py:7:40:7:56 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | -| http_test.py:6:23:6:54 | ControlFlowNode for Attribute() | http_test.py:6:9:6:19 | ControlFlowNode for parsed_path | provenance | | -| http_test.py:6:45:6:53 | ControlFlowNode for Attribute | http_test.py:6:23:6:54 | ControlFlowNode for Attribute() | provenance | MaD:2 | -| http_test.py:7:9:7:14 | ControlFlowNode for params | http_test.py:8:23:8:28 | ControlFlowNode for params | provenance | | -| http_test.py:7:18:7:57 | ControlFlowNode for Attribute() | http_test.py:7:9:7:14 | ControlFlowNode for params | provenance | | -| http_test.py:7:40:7:56 | ControlFlowNode for Attribute | http_test.py:7:18:7:57 | ControlFlowNode for Attribute() | provenance | MaD:1 | -| http_test.py:8:9:8:19 | ControlFlowNode for input_value | http_test.py:12:40:12:50 | ControlFlowNode for input_value | provenance | | -| http_test.py:8:23:8:28 | ControlFlowNode for params | http_test.py:8:23:8:47 | ControlFlowNode for Attribute() | provenance | dict.get | -| http_test.py:8:23:8:47 | ControlFlowNode for Attribute() | http_test.py:8:9:8:19 | ControlFlowNode for input_value | provenance | | -| wsgiref_tests.py:4:14:4:20 | ControlFlowNode for environ | wsgiref_tests.py:6:5:6:10 | ControlFlowNode for h_name | provenance | | -| wsgiref_tests.py:4:14:4:20 | ControlFlowNode for environ | wsgiref_tests.py:7:5:7:9 | ControlFlowNode for h_val | provenance | | -| wsgiref_tests.py:6:5:6:10 | ControlFlowNode for h_name | wsgiref_tests.py:8:17:8:22 | ControlFlowNode for h_name | provenance | | -| wsgiref_tests.py:7:5:7:9 | ControlFlowNode for h_val | wsgiref_tests.py:8:42:8:46 | ControlFlowNode for h_val | provenance | | +| flask_tests.py:1:29:1:35 | After ImportMember | flask_tests.py:1:29:1:35 | request | provenance | | +| flask_tests.py:1:29:1:35 | request | flask_tests.py:9:18:9:24 | request | provenance | | +| flask_tests.py:1:29:1:35 | request | flask_tests.py:19:18:19:24 | request | provenance | | +| 
flask_tests.py:1:29:1:35 | request | flask_tests.py:20:36:20:42 | request | provenance | | +| flask_tests.py:1:29:1:35 | request | flask_tests.py:31:18:31:24 | request | provenance | | +| flask_tests.py:9:5:9:14 | rfs_header | flask_tests.py:13:17:13:26 | rfs_header | provenance | | +| flask_tests.py:9:18:9:24 | request | flask_tests.py:9:5:9:14 | rfs_header | provenance | AdditionalTaintStep | +| flask_tests.py:19:18:19:24 | request | flask_tests.py:20:36:20:61 | After Subscript | provenance | AdditionalTaintStep | +| flask_tests.py:20:36:20:42 | request | flask_tests.py:20:36:20:61 | After Subscript | provenance | AdditionalTaintStep | +| flask_tests.py:31:5:31:14 | rfs_header | flask_tests.py:33:11:33:20 | rfs_header | provenance | | +| flask_tests.py:31:5:31:14 | rfs_header | flask_tests.py:35:12:35:21 | rfs_header | provenance | | +| flask_tests.py:31:18:31:24 | request | flask_tests.py:31:5:31:14 | rfs_header | provenance | AdditionalTaintStep | +| http_test.py:5:16:5:19 | self | http_test.py:6:45:6:53 | After Attribute | provenance | AdditionalTaintStep | +| http_test.py:6:9:6:19 | parsed_path | http_test.py:7:40:7:56 | After Attribute | provenance | AdditionalTaintStep | +| http_test.py:6:23:6:54 | After Attribute() | http_test.py:6:9:6:19 | parsed_path | provenance | | +| http_test.py:6:45:6:53 | After Attribute | http_test.py:6:23:6:54 | After Attribute() | provenance | MaD:2 | +| http_test.py:7:9:7:14 | params | http_test.py:8:23:8:28 | params | provenance | | +| http_test.py:7:18:7:57 | After Attribute() | http_test.py:7:9:7:14 | params | provenance | | +| http_test.py:7:40:7:56 | After Attribute | http_test.py:7:18:7:57 | After Attribute() | provenance | MaD:1 | +| http_test.py:8:9:8:19 | input_value | http_test.py:12:40:12:50 | input_value | provenance | | +| http_test.py:8:23:8:28 | params | http_test.py:8:23:8:47 | After Attribute() | provenance | dict.get | +| http_test.py:8:23:8:47 | After Attribute() | http_test.py:8:9:8:19 | input_value | 
provenance | | +| wsgiref_tests.py:4:14:4:20 | environ | wsgiref_tests.py:6:5:6:10 | h_name | provenance | | +| wsgiref_tests.py:4:14:4:20 | environ | wsgiref_tests.py:7:5:7:9 | h_val | provenance | | +| wsgiref_tests.py:6:5:6:10 | h_name | wsgiref_tests.py:8:17:8:22 | h_name | provenance | | +| wsgiref_tests.py:7:5:7:9 | h_val | wsgiref_tests.py:8:42:8:46 | h_val | provenance | | models | 1 | Summary: urllib; Member[parse].Member[parse_qs]; Argument[0,qs:]; ReturnValue; taint | | 2 | Summary: urllib; Member[parse].Member[urlparse]; Argument[0,urlstring:]; ReturnValue; taint | nodes -| flask_tests.py:1:29:1:35 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember | -| flask_tests.py:1:29:1:35 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| flask_tests.py:9:5:9:14 | ControlFlowNode for rfs_header | semmle.label | ControlFlowNode for rfs_header | -| flask_tests.py:9:18:9:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| flask_tests.py:13:17:13:26 | ControlFlowNode for rfs_header | semmle.label | ControlFlowNode for rfs_header | -| flask_tests.py:19:18:19:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| flask_tests.py:20:36:20:42 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| flask_tests.py:20:36:20:61 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript | -| flask_tests.py:31:5:31:14 | ControlFlowNode for rfs_header | semmle.label | ControlFlowNode for rfs_header | -| flask_tests.py:31:18:31:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| flask_tests.py:33:11:33:20 | ControlFlowNode for rfs_header | semmle.label | ControlFlowNode for rfs_header | -| flask_tests.py:35:12:35:21 | ControlFlowNode for rfs_header | semmle.label | ControlFlowNode for rfs_header | -| http_test.py:5:16:5:19 | ControlFlowNode for self | semmle.label | ControlFlowNode for 
self | -| http_test.py:6:9:6:19 | ControlFlowNode for parsed_path | semmle.label | ControlFlowNode for parsed_path | -| http_test.py:6:23:6:54 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| http_test.py:6:45:6:53 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | -| http_test.py:7:9:7:14 | ControlFlowNode for params | semmle.label | ControlFlowNode for params | -| http_test.py:7:18:7:57 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| http_test.py:7:40:7:56 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | -| http_test.py:8:9:8:19 | ControlFlowNode for input_value | semmle.label | ControlFlowNode for input_value | -| http_test.py:8:23:8:28 | ControlFlowNode for params | semmle.label | ControlFlowNode for params | -| http_test.py:8:23:8:47 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| http_test.py:12:40:12:50 | ControlFlowNode for input_value | semmle.label | ControlFlowNode for input_value | -| wsgiref_tests.py:4:14:4:20 | ControlFlowNode for environ | semmle.label | ControlFlowNode for environ | -| wsgiref_tests.py:6:5:6:10 | ControlFlowNode for h_name | semmle.label | ControlFlowNode for h_name | -| wsgiref_tests.py:7:5:7:9 | ControlFlowNode for h_val | semmle.label | ControlFlowNode for h_val | -| wsgiref_tests.py:8:17:8:22 | ControlFlowNode for h_name | semmle.label | ControlFlowNode for h_name | -| wsgiref_tests.py:8:42:8:46 | ControlFlowNode for h_val | semmle.label | ControlFlowNode for h_val | +| flask_tests.py:1:29:1:35 | After ImportMember | semmle.label | After ImportMember | +| flask_tests.py:1:29:1:35 | request | semmle.label | request | +| flask_tests.py:9:5:9:14 | rfs_header | semmle.label | rfs_header | +| flask_tests.py:9:18:9:24 | request | semmle.label | request | +| flask_tests.py:13:17:13:26 | rfs_header | semmle.label | rfs_header | +| flask_tests.py:19:18:19:24 | 
request | semmle.label | request | +| flask_tests.py:20:36:20:42 | request | semmle.label | request | +| flask_tests.py:20:36:20:61 | After Subscript | semmle.label | After Subscript | +| flask_tests.py:31:5:31:14 | rfs_header | semmle.label | rfs_header | +| flask_tests.py:31:18:31:24 | request | semmle.label | request | +| flask_tests.py:33:11:33:20 | rfs_header | semmle.label | rfs_header | +| flask_tests.py:35:12:35:21 | rfs_header | semmle.label | rfs_header | +| http_test.py:5:16:5:19 | self | semmle.label | self | +| http_test.py:6:9:6:19 | parsed_path | semmle.label | parsed_path | +| http_test.py:6:23:6:54 | After Attribute() | semmle.label | After Attribute() | +| http_test.py:6:45:6:53 | After Attribute | semmle.label | After Attribute | +| http_test.py:7:9:7:14 | params | semmle.label | params | +| http_test.py:7:18:7:57 | After Attribute() | semmle.label | After Attribute() | +| http_test.py:7:40:7:56 | After Attribute | semmle.label | After Attribute | +| http_test.py:8:9:8:19 | input_value | semmle.label | input_value | +| http_test.py:8:23:8:28 | params | semmle.label | params | +| http_test.py:8:23:8:47 | After Attribute() | semmle.label | After Attribute() | +| http_test.py:12:40:12:50 | input_value | semmle.label | input_value | +| wsgiref_tests.py:4:14:4:20 | environ | semmle.label | environ | +| wsgiref_tests.py:6:5:6:10 | h_name | semmle.label | h_name | +| wsgiref_tests.py:7:5:7:9 | h_val | semmle.label | h_val | +| wsgiref_tests.py:8:17:8:22 | h_name | semmle.label | h_name | +| wsgiref_tests.py:8:42:8:46 | h_val | semmle.label | h_val | subpaths diff --git a/python/ql/test/query-tests/Security/CWE-113-HeaderInjection/Tests2-with-wsgi-validator/HeaderWriteTest.expected b/python/ql/test/query-tests/Security/CWE-113-HeaderInjection/Tests2-with-wsgi-validator/HeaderWriteTest.expected index 1dcb484b8f4..481cfb869df 100644 --- a/python/ql/test/query-tests/Security/CWE-113-HeaderInjection/Tests2-with-wsgi-validator/HeaderWriteTest.expected 
+++ b/python/ql/test/query-tests/Security/CWE-113-HeaderInjection/Tests2-with-wsgi-validator/HeaderWriteTest.expected @@ -1,8 +1,8 @@ source -| wsgiref_tests.py:7:14:7:20 | ControlFlowNode for environ | +| wsgiref_tests.py:7:14:7:20 | environ | sink headerWrite -| wsgiref_tests.py:12:5:12:35 | ControlFlowNode for start_response() | wsgiref_tests.py:11:17:11:22 | ControlFlowNode for h_name | wsgiref_tests.py:11:25:11:29 | ControlFlowNode for StringLiteral | false | false | -| wsgiref_tests.py:12:5:12:35 | ControlFlowNode for start_response() | wsgiref_tests.py:11:17:11:22 | ControlFlowNode for h_name | wsgiref_tests.py:11:42:11:46 | ControlFlowNode for h_val | false | false | -| wsgiref_tests.py:12:5:12:35 | ControlFlowNode for start_response() | wsgiref_tests.py:11:34:11:39 | ControlFlowNode for StringLiteral | wsgiref_tests.py:11:25:11:29 | ControlFlowNode for StringLiteral | false | false | -| wsgiref_tests.py:12:5:12:35 | ControlFlowNode for start_response() | wsgiref_tests.py:11:34:11:39 | ControlFlowNode for StringLiteral | wsgiref_tests.py:11:42:11:46 | ControlFlowNode for h_val | false | false | +| wsgiref_tests.py:12:5:12:35 | After start_response() | wsgiref_tests.py:11:17:11:22 | h_name | wsgiref_tests.py:11:25:11:29 | StringLiteral | false | false | +| wsgiref_tests.py:12:5:12:35 | After start_response() | wsgiref_tests.py:11:17:11:22 | h_name | wsgiref_tests.py:11:42:11:46 | h_val | false | false | +| wsgiref_tests.py:12:5:12:35 | After start_response() | wsgiref_tests.py:11:34:11:39 | StringLiteral | wsgiref_tests.py:11:25:11:29 | StringLiteral | false | false | +| wsgiref_tests.py:12:5:12:35 | After start_response() | wsgiref_tests.py:11:34:11:39 | StringLiteral | wsgiref_tests.py:11:42:11:46 | h_val | false | false | diff --git a/python/ql/test/query-tests/Security/CWE-117-LogInjection/LogInjection.expected b/python/ql/test/query-tests/Security/CWE-117-LogInjection/LogInjection.expected index fd9b5fe6bb6..c6aa178800f 100644 
--- a/python/ql/test/query-tests/Security/CWE-117-LogInjection/LogInjection.expected +++ b/python/ql/test/query-tests/Security/CWE-117-LogInjection/LogInjection.expected 
@@ -1,51 +1,51 @@ edges -| LogInjectionBad.py:7:19:7:25 | ControlFlowNode for ImportMember | LogInjectionBad.py:7:19:7:25 | ControlFlowNode for request | provenance | | -| LogInjectionBad.py:7:19:7:25 | ControlFlowNode for request | LogInjectionBad.py:17:12:17:18 | ControlFlowNode for request | provenance | | -| LogInjectionBad.py:7:19:7:25 | ControlFlowNode for request | LogInjectionBad.py:23:12:23:18 | ControlFlowNode for request | provenance | | -| LogInjectionBad.py:7:19:7:25 | ControlFlowNode for request | LogInjectionBad.py:29:12:29:18 | ControlFlowNode for request | provenance | | -| LogInjectionBad.py:7:19:7:25 | ControlFlowNode for request | LogInjectionBad.py:35:12:35:18 | ControlFlowNode for request | provenance | | -| LogInjectionBad.py:17:5:17:8 | ControlFlowNode for name | LogInjectionBad.py:18:21:18:40 | ControlFlowNode for BinaryExpr | provenance | | -| LogInjectionBad.py:17:12:17:18 | ControlFlowNode for request | LogInjectionBad.py:17:12:17:23 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | -| LogInjectionBad.py:17:12:17:23 | ControlFlowNode for Attribute | LogInjectionBad.py:17:12:17:35 | ControlFlowNode for Attribute() | provenance | dict.get | -| LogInjectionBad.py:17:12:17:35 | ControlFlowNode for Attribute() | LogInjectionBad.py:17:5:17:8 | ControlFlowNode for name | provenance | | -| LogInjectionBad.py:23:5:23:8 | ControlFlowNode for name | LogInjectionBad.py:24:18:24:37 | ControlFlowNode for BinaryExpr | provenance | | -| LogInjectionBad.py:23:12:23:18 | ControlFlowNode for request | LogInjectionBad.py:23:12:23:23 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | -| LogInjectionBad.py:23:12:23:23 | ControlFlowNode for Attribute | LogInjectionBad.py:23:12:23:35 | ControlFlowNode for Attribute() | provenance | dict.get | -| LogInjectionBad.py:23:12:23:35 | ControlFlowNode for Attribute() | LogInjectionBad.py:23:5:23:8 | ControlFlowNode for name | provenance | | -| LogInjectionBad.py:29:5:29:8 | 
ControlFlowNode for name | LogInjectionBad.py:30:25:30:44 | ControlFlowNode for BinaryExpr | provenance | | -| LogInjectionBad.py:29:12:29:18 | ControlFlowNode for request | LogInjectionBad.py:29:12:29:23 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | -| LogInjectionBad.py:29:12:29:23 | ControlFlowNode for Attribute | LogInjectionBad.py:29:12:29:35 | ControlFlowNode for Attribute() | provenance | dict.get | -| LogInjectionBad.py:29:12:29:35 | ControlFlowNode for Attribute() | LogInjectionBad.py:29:5:29:8 | ControlFlowNode for name | provenance | | -| LogInjectionBad.py:35:5:35:8 | ControlFlowNode for name | LogInjectionBad.py:37:19:37:38 | ControlFlowNode for BinaryExpr | provenance | | -| LogInjectionBad.py:35:12:35:18 | ControlFlowNode for request | LogInjectionBad.py:35:12:35:23 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | -| LogInjectionBad.py:35:12:35:23 | ControlFlowNode for Attribute | LogInjectionBad.py:35:12:35:35 | ControlFlowNode for Attribute() | provenance | dict.get | -| LogInjectionBad.py:35:12:35:35 | ControlFlowNode for Attribute() | LogInjectionBad.py:35:5:35:8 | ControlFlowNode for name | provenance | | +| LogInjectionBad.py:7:19:7:25 | After ImportMember | LogInjectionBad.py:7:19:7:25 | request | provenance | | +| LogInjectionBad.py:7:19:7:25 | request | LogInjectionBad.py:17:12:17:18 | request | provenance | | +| LogInjectionBad.py:7:19:7:25 | request | LogInjectionBad.py:23:12:23:18 | request | provenance | | +| LogInjectionBad.py:7:19:7:25 | request | LogInjectionBad.py:29:12:29:18 | request | provenance | | +| LogInjectionBad.py:7:19:7:25 | request | LogInjectionBad.py:35:12:35:18 | request | provenance | | +| LogInjectionBad.py:17:5:17:8 | name | LogInjectionBad.py:18:21:18:40 | After BinaryExpr | provenance | | +| LogInjectionBad.py:17:12:17:18 | request | LogInjectionBad.py:17:12:17:23 | After Attribute | provenance | AdditionalTaintStep | +| LogInjectionBad.py:17:12:17:23 | After Attribute | 
LogInjectionBad.py:17:12:17:35 | After Attribute() | provenance | dict.get | +| LogInjectionBad.py:17:12:17:35 | After Attribute() | LogInjectionBad.py:17:5:17:8 | name | provenance | | +| LogInjectionBad.py:23:5:23:8 | name | LogInjectionBad.py:24:18:24:37 | After BinaryExpr | provenance | | +| LogInjectionBad.py:23:12:23:18 | request | LogInjectionBad.py:23:12:23:23 | After Attribute | provenance | AdditionalTaintStep | +| LogInjectionBad.py:23:12:23:23 | After Attribute | LogInjectionBad.py:23:12:23:35 | After Attribute() | provenance | dict.get | +| LogInjectionBad.py:23:12:23:35 | After Attribute() | LogInjectionBad.py:23:5:23:8 | name | provenance | | +| LogInjectionBad.py:29:5:29:8 | name | LogInjectionBad.py:30:25:30:44 | After BinaryExpr | provenance | | +| LogInjectionBad.py:29:12:29:18 | request | LogInjectionBad.py:29:12:29:23 | After Attribute | provenance | AdditionalTaintStep | +| LogInjectionBad.py:29:12:29:23 | After Attribute | LogInjectionBad.py:29:12:29:35 | After Attribute() | provenance | dict.get | +| LogInjectionBad.py:29:12:29:35 | After Attribute() | LogInjectionBad.py:29:5:29:8 | name | provenance | | +| LogInjectionBad.py:35:5:35:8 | name | LogInjectionBad.py:37:19:37:38 | After BinaryExpr | provenance | | +| LogInjectionBad.py:35:12:35:18 | request | LogInjectionBad.py:35:12:35:23 | After Attribute | provenance | AdditionalTaintStep | +| LogInjectionBad.py:35:12:35:23 | After Attribute | LogInjectionBad.py:35:12:35:35 | After Attribute() | provenance | dict.get | +| LogInjectionBad.py:35:12:35:35 | After Attribute() | LogInjectionBad.py:35:5:35:8 | name | provenance | | nodes -| LogInjectionBad.py:7:19:7:25 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember | -| LogInjectionBad.py:7:19:7:25 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| LogInjectionBad.py:17:5:17:8 | ControlFlowNode for name | semmle.label | ControlFlowNode for name | -| LogInjectionBad.py:17:12:17:18 | 
ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| LogInjectionBad.py:17:12:17:23 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | -| LogInjectionBad.py:17:12:17:35 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| LogInjectionBad.py:18:21:18:40 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr | -| LogInjectionBad.py:23:5:23:8 | ControlFlowNode for name | semmle.label | ControlFlowNode for name | -| LogInjectionBad.py:23:12:23:18 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| LogInjectionBad.py:23:12:23:23 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | -| LogInjectionBad.py:23:12:23:35 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| LogInjectionBad.py:24:18:24:37 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr | -| LogInjectionBad.py:29:5:29:8 | ControlFlowNode for name | semmle.label | ControlFlowNode for name | -| LogInjectionBad.py:29:12:29:18 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| LogInjectionBad.py:29:12:29:23 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | -| LogInjectionBad.py:29:12:29:35 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| LogInjectionBad.py:30:25:30:44 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr | -| LogInjectionBad.py:35:5:35:8 | ControlFlowNode for name | semmle.label | ControlFlowNode for name | -| LogInjectionBad.py:35:12:35:18 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| LogInjectionBad.py:35:12:35:23 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | -| LogInjectionBad.py:35:12:35:35 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for 
Attribute() | -| LogInjectionBad.py:37:19:37:38 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr | +| LogInjectionBad.py:7:19:7:25 | After ImportMember | semmle.label | After ImportMember | +| LogInjectionBad.py:7:19:7:25 | request | semmle.label | request | +| LogInjectionBad.py:17:5:17:8 | name | semmle.label | name | +| LogInjectionBad.py:17:12:17:18 | request | semmle.label | request | +| LogInjectionBad.py:17:12:17:23 | After Attribute | semmle.label | After Attribute | +| LogInjectionBad.py:17:12:17:35 | After Attribute() | semmle.label | After Attribute() | +| LogInjectionBad.py:18:21:18:40 | After BinaryExpr | semmle.label | After BinaryExpr | +| LogInjectionBad.py:23:5:23:8 | name | semmle.label | name | +| LogInjectionBad.py:23:12:23:18 | request | semmle.label | request | +| LogInjectionBad.py:23:12:23:23 | After Attribute | semmle.label | After Attribute | +| LogInjectionBad.py:23:12:23:35 | After Attribute() | semmle.label | After Attribute() | +| LogInjectionBad.py:24:18:24:37 | After BinaryExpr | semmle.label | After BinaryExpr | +| LogInjectionBad.py:29:5:29:8 | name | semmle.label | name | +| LogInjectionBad.py:29:12:29:18 | request | semmle.label | request | +| LogInjectionBad.py:29:12:29:23 | After Attribute | semmle.label | After Attribute | +| LogInjectionBad.py:29:12:29:35 | After Attribute() | semmle.label | After Attribute() | +| LogInjectionBad.py:30:25:30:44 | After BinaryExpr | semmle.label | After BinaryExpr | +| LogInjectionBad.py:35:5:35:8 | name | semmle.label | name | +| LogInjectionBad.py:35:12:35:18 | request | semmle.label | request | +| LogInjectionBad.py:35:12:35:23 | After Attribute | semmle.label | After Attribute | +| LogInjectionBad.py:35:12:35:35 | After Attribute() | semmle.label | After Attribute() | +| LogInjectionBad.py:37:19:37:38 | After BinaryExpr | semmle.label | After BinaryExpr | subpaths #select -| LogInjectionBad.py:18:21:18:40 | ControlFlowNode for BinaryExpr | 
LogInjectionBad.py:7:19:7:25 | ControlFlowNode for ImportMember | LogInjectionBad.py:18:21:18:40 | ControlFlowNode for BinaryExpr | This log entry depends on a $@. | LogInjectionBad.py:7:19:7:25 | ControlFlowNode for ImportMember | user-provided value | -| LogInjectionBad.py:24:18:24:37 | ControlFlowNode for BinaryExpr | LogInjectionBad.py:7:19:7:25 | ControlFlowNode for ImportMember | LogInjectionBad.py:24:18:24:37 | ControlFlowNode for BinaryExpr | This log entry depends on a $@. | LogInjectionBad.py:7:19:7:25 | ControlFlowNode for ImportMember | user-provided value | -| LogInjectionBad.py:30:25:30:44 | ControlFlowNode for BinaryExpr | LogInjectionBad.py:7:19:7:25 | ControlFlowNode for ImportMember | LogInjectionBad.py:30:25:30:44 | ControlFlowNode for BinaryExpr | This log entry depends on a $@. | LogInjectionBad.py:7:19:7:25 | ControlFlowNode for ImportMember | user-provided value | -| LogInjectionBad.py:37:19:37:38 | ControlFlowNode for BinaryExpr | LogInjectionBad.py:7:19:7:25 | ControlFlowNode for ImportMember | LogInjectionBad.py:37:19:37:38 | ControlFlowNode for BinaryExpr | This log entry depends on a $@. | LogInjectionBad.py:7:19:7:25 | ControlFlowNode for ImportMember | user-provided value | +| LogInjectionBad.py:18:21:18:40 | After BinaryExpr | LogInjectionBad.py:7:19:7:25 | After ImportMember | LogInjectionBad.py:18:21:18:40 | After BinaryExpr | This log entry depends on a $@. | LogInjectionBad.py:7:19:7:25 | After ImportMember | user-provided value | +| LogInjectionBad.py:24:18:24:37 | After BinaryExpr | LogInjectionBad.py:7:19:7:25 | After ImportMember | LogInjectionBad.py:24:18:24:37 | After BinaryExpr | This log entry depends on a $@. | LogInjectionBad.py:7:19:7:25 | After ImportMember | user-provided value | +| LogInjectionBad.py:30:25:30:44 | After BinaryExpr | LogInjectionBad.py:7:19:7:25 | After ImportMember | LogInjectionBad.py:30:25:30:44 | After BinaryExpr | This log entry depends on a $@. 
| LogInjectionBad.py:7:19:7:25 | After ImportMember | user-provided value | +| LogInjectionBad.py:37:19:37:38 | After BinaryExpr | LogInjectionBad.py:7:19:7:25 | After ImportMember | LogInjectionBad.py:37:19:37:38 | After BinaryExpr | This log entry depends on a $@. | LogInjectionBad.py:7:19:7:25 | After ImportMember | user-provided value | diff --git a/python/ql/test/query-tests/Security/CWE-1275-SameSiteNoneCookie/SameSiteNoneCookie.expected b/python/ql/test/query-tests/Security/CWE-1275-SameSiteNoneCookie/SameSiteNoneCookie.expected index 7a8e83a732c..15b78c94d42 100644 --- a/python/ql/test/query-tests/Security/CWE-1275-SameSiteNoneCookie/SameSiteNoneCookie.expected +++ b/python/ql/test/query-tests/Security/CWE-1275-SameSiteNoneCookie/SameSiteNoneCookie.expected @@ -1,2 +1,2 @@ -| test.py:10:5:10:60 | ControlFlowNode for Attribute() | Sensitive cookie with SameSite set to 'None'. | -| test.py:13:5:13:78 | ControlFlowNode for Attribute() | Sensitive cookie with SameSite set to 'None'. | +| test.py:10:5:10:60 | After Attribute() | Sensitive cookie with SameSite set to 'None'. | +| test.py:13:5:13:78 | After Attribute() | Sensitive cookie with SameSite set to 'None'. | diff --git a/python/ql/test/query-tests/Security/CWE-215-FlaskDebug/FlaskDebug.expected b/python/ql/test/query-tests/Security/CWE-215-FlaskDebug/FlaskDebug.expected index e6c2a98d930..23962109210 100644 --- a/python/ql/test/query-tests/Security/CWE-215-FlaskDebug/FlaskDebug.expected +++ b/python/ql/test/query-tests/Security/CWE-215-FlaskDebug/FlaskDebug.expected 
@@ -1,6 +1,6 @@ -| test.py:10:1:10:19 | ControlFlowNode for Attribute() | A Flask app appears to be run in debug mode. This may allow an attacker to run arbitrary code through the debugger. | -| test.py:11:1:11:27 | ControlFlowNode for Attribute() | A Flask app appears to be run in debug mode. This may allow an attacker to run arbitrary code through the debugger. | -| test.py:26:1:26:20 | ControlFlowNode for Attribute() | A Flask app appears to be run in debug mode. This may allow an attacker to run arbitrary code through the debugger. | -| test.py:30:1:30:20 | ControlFlowNode for Attribute() | A Flask app appears to be run in debug mode. This may allow an attacker to run arbitrary code through the debugger. | -| test.py:38:1:38:18 | ControlFlowNode for runapp() | A Flask app appears to be run in debug mode. This may allow an attacker to run arbitrary code through the debugger. | -| test.py:43:1:43:35 | ControlFlowNode for Attribute() | A Flask app appears to be run in debug mode. This may allow an attacker to run arbitrary code through the debugger. | +| test.py:10:1:10:19 | After Attribute() | A Flask app appears to be run in debug mode. This may allow an attacker to run arbitrary code through the debugger. | +| test.py:11:1:11:27 | After Attribute() | A Flask app appears to be run in debug mode. This may allow an attacker to run arbitrary code through the debugger. | +| test.py:26:1:26:20 | After Attribute() | A Flask app appears to be run in debug mode. This may allow an attacker to run arbitrary code through the debugger. | +| test.py:30:1:30:20 | After Attribute() | A Flask app appears to be run in debug mode. This may allow an attacker to run arbitrary code through the debugger. | +| test.py:38:1:38:18 | After runapp() | A Flask app appears to be run in debug mode. This may allow an attacker to run arbitrary code through the debugger. | +| test.py:43:1:43:35 | After Attribute() | A Flask app appears to be run in debug mode. 
This may allow an attacker to run arbitrary code through the debugger. | diff --git a/python/ql/test/query-tests/Security/CWE-285-PamAuthorization/PamAuthorization.expected b/python/ql/test/query-tests/Security/CWE-285-PamAuthorization/PamAuthorization.expected index 8031d3070c9..5a88aec0922 100644 --- a/python/ql/test/query-tests/Security/CWE-285-PamAuthorization/PamAuthorization.expected +++ b/python/ql/test/query-tests/Security/CWE-285-PamAuthorization/PamAuthorization.expected 
@@ -1,24 +1,24 @@ edges -| pam_test.py:4:26:4:32 | ControlFlowNode for ImportMember | pam_test.py:4:26:4:32 | ControlFlowNode for request | provenance | | -| pam_test.py:4:26:4:32 | ControlFlowNode for request | pam_test.py:71:16:71:22 | ControlFlowNode for request | provenance | | -| pam_test.py:71:5:71:12 | ControlFlowNode for username | pam_test.py:74:33:74:40 | ControlFlowNode for username | provenance | | -| pam_test.py:71:16:71:22 | ControlFlowNode for request | pam_test.py:71:16:71:27 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | -| pam_test.py:71:16:71:27 | ControlFlowNode for Attribute | pam_test.py:71:16:71:47 | ControlFlowNode for Attribute() | provenance | dict.get | -| pam_test.py:71:16:71:47 | ControlFlowNode for Attribute() | pam_test.py:71:5:71:12 | ControlFlowNode for username | provenance | | -| pam_test.py:74:33:74:40 | ControlFlowNode for username | pam_test.py:74:62:74:67 | ControlFlowNode for handle | provenance | Config | -| pam_test.py:74:62:74:67 | ControlFlowNode for handle | pam_test.py:76:31:76:36 | ControlFlowNode for handle | provenance | | -| pam_test.py:76:31:76:36 | ControlFlowNode for handle | pam_test.py:76:14:76:40 | ControlFlowNode for pam_authenticate() | provenance | Config | +| pam_test.py:4:26:4:32 | After ImportMember | pam_test.py:4:26:4:32 | request | provenance | | +| pam_test.py:4:26:4:32 | request | pam_test.py:71:16:71:22 | request | provenance | | +| pam_test.py:71:5:71:12 | username | pam_test.py:74:33:74:40 | username | provenance | | +| pam_test.py:71:16:71:22 | request | pam_test.py:71:16:71:27 | After Attribute | provenance | AdditionalTaintStep | +| pam_test.py:71:16:71:27 | After Attribute | pam_test.py:71:16:71:47 | After Attribute() | provenance | dict.get | +| pam_test.py:71:16:71:47 | After Attribute() | pam_test.py:71:5:71:12 | username | provenance | | +| pam_test.py:74:33:74:40 | username | pam_test.py:74:62:74:67 | handle | provenance | Config | +| pam_test.py:74:62:74:67 | 
handle | pam_test.py:76:31:76:36 | handle | provenance | | +| pam_test.py:76:31:76:36 | handle | pam_test.py:76:14:76:40 | After pam_authenticate() | provenance | Config | nodes -| pam_test.py:4:26:4:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember | -| pam_test.py:4:26:4:32 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| pam_test.py:71:5:71:12 | ControlFlowNode for username | semmle.label | ControlFlowNode for username | -| pam_test.py:71:16:71:22 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| pam_test.py:71:16:71:27 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | -| pam_test.py:71:16:71:47 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| pam_test.py:74:33:74:40 | ControlFlowNode for username | semmle.label | ControlFlowNode for username | -| pam_test.py:74:62:74:67 | ControlFlowNode for handle | semmle.label | ControlFlowNode for handle | -| pam_test.py:76:14:76:40 | ControlFlowNode for pam_authenticate() | semmle.label | ControlFlowNode for pam_authenticate() | -| pam_test.py:76:31:76:36 | ControlFlowNode for handle | semmle.label | ControlFlowNode for handle | +| pam_test.py:4:26:4:32 | After ImportMember | semmle.label | After ImportMember | +| pam_test.py:4:26:4:32 | request | semmle.label | request | +| pam_test.py:71:5:71:12 | username | semmle.label | username | +| pam_test.py:71:16:71:22 | request | semmle.label | request | +| pam_test.py:71:16:71:27 | After Attribute | semmle.label | After Attribute | +| pam_test.py:71:16:71:47 | After Attribute() | semmle.label | After Attribute() | +| pam_test.py:74:33:74:40 | username | semmle.label | username | +| pam_test.py:74:62:74:67 | handle | semmle.label | handle | +| pam_test.py:76:14:76:40 | After pam_authenticate() | semmle.label | After pam_authenticate() | +| pam_test.py:76:31:76:36 | handle | semmle.label | handle | subpaths 
#select -| pam_test.py:76:14:76:40 | ControlFlowNode for pam_authenticate() | pam_test.py:4:26:4:32 | ControlFlowNode for ImportMember | pam_test.py:76:14:76:40 | ControlFlowNode for pam_authenticate() | This PAM authentication depends on a $@, and 'pam_acct_mgmt' is not called afterwards. | pam_test.py:4:26:4:32 | ControlFlowNode for ImportMember | user-provided value | +| pam_test.py:76:14:76:40 | After pam_authenticate() | pam_test.py:4:26:4:32 | After ImportMember | pam_test.py:76:14:76:40 | After pam_authenticate() | This PAM authentication depends on a $@, and 'pam_acct_mgmt' is not called afterwards. | pam_test.py:4:26:4:32 | After ImportMember | user-provided value | diff --git a/python/ql/test/query-tests/Security/CWE-295-MissingHostKeyValidation/MissingHostKeyValidation.expected b/python/ql/test/query-tests/Security/CWE-295-MissingHostKeyValidation/MissingHostKeyValidation.expected index d7245c5e602..0831e10c019 100644 --- a/python/ql/test/query-tests/Security/CWE-295-MissingHostKeyValidation/MissingHostKeyValidation.expected +++ b/python/ql/test/query-tests/Security/CWE-295-MissingHostKeyValidation/MissingHostKeyValidation.expected 
@@ -1,5 +1,5 @@ -| paramiko_host_key.py:5:1:5:49 | ControlFlowNode for Attribute() | Setting missing host key policy to AutoAddPolicy may be unsafe. | -| paramiko_host_key.py:7:1:7:49 | ControlFlowNode for Attribute() | Setting missing host key policy to WarningPolicy may be unsafe. | -| paramiko_host_key.py:11:1:11:51 | ControlFlowNode for Attribute() | Setting missing host key policy to AutoAddPolicy may be unsafe. | -| paramiko_host_key.py:13:1:13:51 | ControlFlowNode for Attribute() | Setting missing host key policy to WarningPolicy may be unsafe. | -| paramiko_host_key.py:20:1:20:58 | ControlFlowNode for Attribute() | Setting missing host key policy to AutoAddPolicy may be unsafe. | +| paramiko_host_key.py:5:1:5:49 | After Attribute() | Setting missing host key policy to AutoAddPolicy may be unsafe. | +| paramiko_host_key.py:7:1:7:49 | After Attribute() | Setting missing host key policy to WarningPolicy may be unsafe. | +| paramiko_host_key.py:11:1:11:51 | After Attribute() | Setting missing host key policy to AutoAddPolicy may be unsafe. | +| paramiko_host_key.py:13:1:13:51 | After Attribute() | Setting missing host key policy to WarningPolicy may be unsafe. | +| paramiko_host_key.py:20:1:20:58 | After Attribute() | Setting missing host key policy to AutoAddPolicy may be unsafe. | diff --git a/python/ql/test/query-tests/Security/CWE-312-CleartextLogging/CleartextLogging.expected b/python/ql/test/query-tests/Security/CWE-312-CleartextLogging/CleartextLogging.expected index 7cb9e015190..37bc9a326d4 100644 --- a/python/ql/test/query-tests/Security/CWE-312-CleartextLogging/CleartextLogging.expected +++ b/python/ql/test/query-tests/Security/CWE-312-CleartextLogging/CleartextLogging.expected 
@@ -1,100 +1,100 @@ edges -| test.py:19:5:19:12 | ControlFlowNode for password | test.py:20:48:20:55 | ControlFlowNode for password | provenance | | -| test.py:19:5:19:12 | ControlFlowNode for password | test.py:22:58:22:65 | ControlFlowNode for password | provenance | | -| test.py:19:5:19:12 | ControlFlowNode for password | test.py:23:58:23:65 | ControlFlowNode for password | provenance | | -| test.py:19:5:19:12 | ControlFlowNode for password | test.py:27:40:27:47 | ControlFlowNode for password | provenance | | -| test.py:19:5:19:12 | ControlFlowNode for password | test.py:30:58:30:65 | ControlFlowNode for password | provenance | | -| test.py:19:16:19:29 | ControlFlowNode for get_password() | test.py:19:5:19:12 | ControlFlowNode for password | provenance | | -| test.py:44:5:44:5 | ControlFlowNode for x | test.py:45:11:45:11 | ControlFlowNode for x | provenance | | -| test.py:44:9:44:25 | ControlFlowNode for Attribute() | test.py:44:5:44:5 | ControlFlowNode for x | provenance | | -| test.py:48:14:48:35 | ControlFlowNode for social_security_number | test.py:49:15:49:36 | ControlFlowNode for social_security_number | provenance | | -| test.py:48:38:48:40 | ControlFlowNode for ssn | test.py:50:15:50:17 | ControlFlowNode for ssn | provenance | | -| test.py:48:54:48:63 | ControlFlowNode for passportNo | test.py:52:15:52:24 | ControlFlowNode for passportNo | provenance | | -| test.py:54:14:54:22 | ControlFlowNode for post_code | test.py:55:15:55:23 | ControlFlowNode for post_code | provenance | | -| test.py:54:25:54:31 | ControlFlowNode for zipCode | test.py:56:15:56:21 | ControlFlowNode for zipCode | provenance | | -| test.py:54:34:54:45 | ControlFlowNode for home_address | test.py:57:15:57:26 | ControlFlowNode for home_address | provenance | | -| test.py:59:14:59:26 | ControlFlowNode for user_latitude | test.py:60:15:60:27 | ControlFlowNode for user_latitude | provenance | | -| test.py:59:29:59:42 | ControlFlowNode for user_longitude | test.py:61:15:61:28 | 
ControlFlowNode for user_longitude | provenance | | -| test.py:63:14:63:26 | ControlFlowNode for mobile_number | test.py:64:15:64:27 | ControlFlowNode for mobile_number | provenance | | -| test.py:63:29:63:35 | ControlFlowNode for phoneNo | test.py:65:15:65:21 | ControlFlowNode for phoneNo | provenance | | -| test.py:67:14:67:23 | ControlFlowNode for creditcard | test.py:68:15:68:24 | ControlFlowNode for creditcard | provenance | | -| test.py:67:26:67:35 | ControlFlowNode for debit_card | test.py:69:15:69:24 | ControlFlowNode for debit_card | provenance | | -| test.py:67:38:67:48 | ControlFlowNode for bank_number | test.py:70:15:70:25 | ControlFlowNode for bank_number | provenance | | -| test.py:67:76:67:78 | ControlFlowNode for ccn | test.py:73:15:73:17 | ControlFlowNode for ccn | provenance | | -| test.py:67:81:67:88 | ControlFlowNode for user_ccn | test.py:74:15:74:22 | ControlFlowNode for user_ccn | provenance | | -| test.py:101:5:101:10 | ControlFlowNode for config | test.py:105:11:105:31 | ControlFlowNode for Subscript | provenance | | -| test.py:103:21:103:37 | ControlFlowNode for Attribute | test.py:101:5:101:10 | ControlFlowNode for config | provenance | | +| test.py:19:5:19:12 | password | test.py:20:48:20:55 | password | provenance | | +| test.py:19:5:19:12 | password | test.py:22:58:22:65 | password | provenance | | +| test.py:19:5:19:12 | password | test.py:23:58:23:65 | password | provenance | | +| test.py:19:5:19:12 | password | test.py:27:40:27:47 | password | provenance | | +| test.py:19:5:19:12 | password | test.py:30:58:30:65 | password | provenance | | +| test.py:19:16:19:29 | After get_password() | test.py:19:5:19:12 | password | provenance | | +| test.py:44:5:44:5 | x | test.py:45:11:45:11 | x | provenance | | +| test.py:44:9:44:25 | After Attribute() | test.py:44:5:44:5 | x | provenance | | +| test.py:48:14:48:35 | social_security_number | test.py:49:15:49:36 | social_security_number | provenance | | +| test.py:48:38:48:40 | ssn | 
test.py:50:15:50:17 | ssn | provenance | | +| test.py:48:54:48:63 | passportNo | test.py:52:15:52:24 | passportNo | provenance | | +| test.py:54:14:54:22 | post_code | test.py:55:15:55:23 | post_code | provenance | | +| test.py:54:25:54:31 | zipCode | test.py:56:15:56:21 | zipCode | provenance | | +| test.py:54:34:54:45 | home_address | test.py:57:15:57:26 | home_address | provenance | | +| test.py:59:14:59:26 | user_latitude | test.py:60:15:60:27 | user_latitude | provenance | | +| test.py:59:29:59:42 | user_longitude | test.py:61:15:61:28 | user_longitude | provenance | | +| test.py:63:14:63:26 | mobile_number | test.py:64:15:64:27 | mobile_number | provenance | | +| test.py:63:29:63:35 | phoneNo | test.py:65:15:65:21 | phoneNo | provenance | | +| test.py:67:14:67:23 | creditcard | test.py:68:15:68:24 | creditcard | provenance | | +| test.py:67:26:67:35 | debit_card | test.py:69:15:69:24 | debit_card | provenance | | +| test.py:67:38:67:48 | bank_number | test.py:70:15:70:25 | bank_number | provenance | | +| test.py:67:76:67:78 | ccn | test.py:73:15:73:17 | ccn | provenance | | +| test.py:67:81:67:88 | user_ccn | test.py:74:15:74:22 | user_ccn | provenance | | +| test.py:101:5:101:10 | config | test.py:105:11:105:31 | After Subscript | provenance | | +| test.py:103:21:103:37 | After Attribute | test.py:101:5:101:10 | config | provenance | | nodes -| test.py:19:5:19:12 | ControlFlowNode for password | semmle.label | ControlFlowNode for password | -| test.py:19:16:19:29 | ControlFlowNode for get_password() | semmle.label | ControlFlowNode for get_password() | -| test.py:20:48:20:55 | ControlFlowNode for password | semmle.label | ControlFlowNode for password | -| test.py:22:58:22:65 | ControlFlowNode for password | semmle.label | ControlFlowNode for password | -| test.py:23:58:23:65 | ControlFlowNode for password | semmle.label | ControlFlowNode for password | -| test.py:27:40:27:47 | ControlFlowNode for password | semmle.label | ControlFlowNode for password | -| 
test.py:30:58:30:65 | ControlFlowNode for password | semmle.label | ControlFlowNode for password | -| test.py:37:11:37:24 | ControlFlowNode for get_password() | semmle.label | ControlFlowNode for get_password() | -| test.py:39:22:39:35 | ControlFlowNode for get_password() | semmle.label | ControlFlowNode for get_password() | -| test.py:40:22:40:35 | ControlFlowNode for get_password() | semmle.label | ControlFlowNode for get_password() | -| test.py:44:5:44:5 | ControlFlowNode for x | semmle.label | ControlFlowNode for x | -| test.py:44:9:44:25 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| test.py:45:11:45:11 | ControlFlowNode for x | semmle.label | ControlFlowNode for x | -| test.py:48:14:48:35 | ControlFlowNode for social_security_number | semmle.label | ControlFlowNode for social_security_number | -| test.py:48:38:48:40 | ControlFlowNode for ssn | semmle.label | ControlFlowNode for ssn | -| test.py:48:54:48:63 | ControlFlowNode for passportNo | semmle.label | ControlFlowNode for passportNo | -| test.py:49:15:49:36 | ControlFlowNode for social_security_number | semmle.label | ControlFlowNode for social_security_number | -| test.py:50:15:50:17 | ControlFlowNode for ssn | semmle.label | ControlFlowNode for ssn | -| test.py:52:15:52:24 | ControlFlowNode for passportNo | semmle.label | ControlFlowNode for passportNo | -| test.py:54:14:54:22 | ControlFlowNode for post_code | semmle.label | ControlFlowNode for post_code | -| test.py:54:25:54:31 | ControlFlowNode for zipCode | semmle.label | ControlFlowNode for zipCode | -| test.py:54:34:54:45 | ControlFlowNode for home_address | semmle.label | ControlFlowNode for home_address | -| test.py:55:15:55:23 | ControlFlowNode for post_code | semmle.label | ControlFlowNode for post_code | -| test.py:56:15:56:21 | ControlFlowNode for zipCode | semmle.label | ControlFlowNode for zipCode | -| test.py:57:15:57:26 | ControlFlowNode for home_address | semmle.label | ControlFlowNode for 
home_address | -| test.py:59:14:59:26 | ControlFlowNode for user_latitude | semmle.label | ControlFlowNode for user_latitude | -| test.py:59:29:59:42 | ControlFlowNode for user_longitude | semmle.label | ControlFlowNode for user_longitude | -| test.py:60:15:60:27 | ControlFlowNode for user_latitude | semmle.label | ControlFlowNode for user_latitude | -| test.py:61:15:61:28 | ControlFlowNode for user_longitude | semmle.label | ControlFlowNode for user_longitude | -| test.py:63:14:63:26 | ControlFlowNode for mobile_number | semmle.label | ControlFlowNode for mobile_number | -| test.py:63:29:63:35 | ControlFlowNode for phoneNo | semmle.label | ControlFlowNode for phoneNo | -| test.py:64:15:64:27 | ControlFlowNode for mobile_number | semmle.label | ControlFlowNode for mobile_number | -| test.py:65:15:65:21 | ControlFlowNode for phoneNo | semmle.label | ControlFlowNode for phoneNo | -| test.py:67:14:67:23 | ControlFlowNode for creditcard | semmle.label | ControlFlowNode for creditcard | -| test.py:67:26:67:35 | ControlFlowNode for debit_card | semmle.label | ControlFlowNode for debit_card | -| test.py:67:38:67:48 | ControlFlowNode for bank_number | semmle.label | ControlFlowNode for bank_number | -| test.py:67:76:67:78 | ControlFlowNode for ccn | semmle.label | ControlFlowNode for ccn | -| test.py:67:81:67:88 | ControlFlowNode for user_ccn | semmle.label | ControlFlowNode for user_ccn | -| test.py:68:15:68:24 | ControlFlowNode for creditcard | semmle.label | ControlFlowNode for creditcard | -| test.py:69:15:69:24 | ControlFlowNode for debit_card | semmle.label | ControlFlowNode for debit_card | -| test.py:70:15:70:25 | ControlFlowNode for bank_number | semmle.label | ControlFlowNode for bank_number | -| test.py:73:15:73:17 | ControlFlowNode for ccn | semmle.label | ControlFlowNode for ccn | -| test.py:74:15:74:22 | ControlFlowNode for user_ccn | semmle.label | ControlFlowNode for user_ccn | -| test.py:101:5:101:10 | ControlFlowNode for config | semmle.label | 
ControlFlowNode for config | -| test.py:103:21:103:37 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | -| test.py:105:11:105:31 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript | +| test.py:19:5:19:12 | password | semmle.label | password | +| test.py:19:16:19:29 | After get_password() | semmle.label | After get_password() | +| test.py:20:48:20:55 | password | semmle.label | password | +| test.py:22:58:22:65 | password | semmle.label | password | +| test.py:23:58:23:65 | password | semmle.label | password | +| test.py:27:40:27:47 | password | semmle.label | password | +| test.py:30:58:30:65 | password | semmle.label | password | +| test.py:37:11:37:24 | After get_password() | semmle.label | After get_password() | +| test.py:39:22:39:35 | After get_password() | semmle.label | After get_password() | +| test.py:40:22:40:35 | After get_password() | semmle.label | After get_password() | +| test.py:44:5:44:5 | x | semmle.label | x | +| test.py:44:9:44:25 | After Attribute() | semmle.label | After Attribute() | +| test.py:45:11:45:11 | x | semmle.label | x | +| test.py:48:14:48:35 | social_security_number | semmle.label | social_security_number | +| test.py:48:38:48:40 | ssn | semmle.label | ssn | +| test.py:48:54:48:63 | passportNo | semmle.label | passportNo | +| test.py:49:15:49:36 | social_security_number | semmle.label | social_security_number | +| test.py:50:15:50:17 | ssn | semmle.label | ssn | +| test.py:52:15:52:24 | passportNo | semmle.label | passportNo | +| test.py:54:14:54:22 | post_code | semmle.label | post_code | +| test.py:54:25:54:31 | zipCode | semmle.label | zipCode | +| test.py:54:34:54:45 | home_address | semmle.label | home_address | +| test.py:55:15:55:23 | post_code | semmle.label | post_code | +| test.py:56:15:56:21 | zipCode | semmle.label | zipCode | +| test.py:57:15:57:26 | home_address | semmle.label | home_address | +| test.py:59:14:59:26 | user_latitude | semmle.label | 
user_latitude | +| test.py:59:29:59:42 | user_longitude | semmle.label | user_longitude | +| test.py:60:15:60:27 | user_latitude | semmle.label | user_latitude | +| test.py:61:15:61:28 | user_longitude | semmle.label | user_longitude | +| test.py:63:14:63:26 | mobile_number | semmle.label | mobile_number | +| test.py:63:29:63:35 | phoneNo | semmle.label | phoneNo | +| test.py:64:15:64:27 | mobile_number | semmle.label | mobile_number | +| test.py:65:15:65:21 | phoneNo | semmle.label | phoneNo | +| test.py:67:14:67:23 | creditcard | semmle.label | creditcard | +| test.py:67:26:67:35 | debit_card | semmle.label | debit_card | +| test.py:67:38:67:48 | bank_number | semmle.label | bank_number | +| test.py:67:76:67:78 | ccn | semmle.label | ccn | +| test.py:67:81:67:88 | user_ccn | semmle.label | user_ccn | +| test.py:68:15:68:24 | creditcard | semmle.label | creditcard | +| test.py:69:15:69:24 | debit_card | semmle.label | debit_card | +| test.py:70:15:70:25 | bank_number | semmle.label | bank_number | +| test.py:73:15:73:17 | ccn | semmle.label | ccn | +| test.py:74:15:74:22 | user_ccn | semmle.label | user_ccn | +| test.py:101:5:101:10 | config | semmle.label | config | +| test.py:103:21:103:37 | After Attribute | semmle.label | After Attribute | +| test.py:105:11:105:31 | After Subscript | semmle.label | After Subscript | subpaths #select -| test.py:20:48:20:55 | ControlFlowNode for password | test.py:19:16:19:29 | ControlFlowNode for get_password() | test.py:20:48:20:55 | ControlFlowNode for password | This expression logs $@ as clear text. | test.py:19:16:19:29 | ControlFlowNode for get_password() | sensitive data (password) | -| test.py:22:58:22:65 | ControlFlowNode for password | test.py:19:16:19:29 | ControlFlowNode for get_password() | test.py:22:58:22:65 | ControlFlowNode for password | This expression logs $@ as clear text. 
| test.py:19:16:19:29 | ControlFlowNode for get_password() | sensitive data (password) | -| test.py:23:58:23:65 | ControlFlowNode for password | test.py:19:16:19:29 | ControlFlowNode for get_password() | test.py:23:58:23:65 | ControlFlowNode for password | This expression logs $@ as clear text. | test.py:19:16:19:29 | ControlFlowNode for get_password() | sensitive data (password) | -| test.py:27:40:27:47 | ControlFlowNode for password | test.py:19:16:19:29 | ControlFlowNode for get_password() | test.py:27:40:27:47 | ControlFlowNode for password | This expression logs $@ as clear text. | test.py:19:16:19:29 | ControlFlowNode for get_password() | sensitive data (password) | -| test.py:30:58:30:65 | ControlFlowNode for password | test.py:19:16:19:29 | ControlFlowNode for get_password() | test.py:30:58:30:65 | ControlFlowNode for password | This expression logs $@ as clear text. | test.py:19:16:19:29 | ControlFlowNode for get_password() | sensitive data (password) | -| test.py:37:11:37:24 | ControlFlowNode for get_password() | test.py:37:11:37:24 | ControlFlowNode for get_password() | test.py:37:11:37:24 | ControlFlowNode for get_password() | This expression logs $@ as clear text. | test.py:37:11:37:24 | ControlFlowNode for get_password() | sensitive data (password) | -| test.py:39:22:39:35 | ControlFlowNode for get_password() | test.py:39:22:39:35 | ControlFlowNode for get_password() | test.py:39:22:39:35 | ControlFlowNode for get_password() | This expression logs $@ as clear text. | test.py:39:22:39:35 | ControlFlowNode for get_password() | sensitive data (password) | -| test.py:40:22:40:35 | ControlFlowNode for get_password() | test.py:40:22:40:35 | ControlFlowNode for get_password() | test.py:40:22:40:35 | ControlFlowNode for get_password() | This expression logs $@ as clear text. 
| test.py:40:22:40:35 | ControlFlowNode for get_password() | sensitive data (password) | -| test.py:45:11:45:11 | ControlFlowNode for x | test.py:44:9:44:25 | ControlFlowNode for Attribute() | test.py:45:11:45:11 | ControlFlowNode for x | This expression logs $@ as clear text. | test.py:44:9:44:25 | ControlFlowNode for Attribute() | sensitive data (password) | -| test.py:49:15:49:36 | ControlFlowNode for social_security_number | test.py:48:14:48:35 | ControlFlowNode for social_security_number | test.py:49:15:49:36 | ControlFlowNode for social_security_number | This expression logs $@ as clear text. | test.py:48:14:48:35 | ControlFlowNode for social_security_number | sensitive data (private) | -| test.py:50:15:50:17 | ControlFlowNode for ssn | test.py:48:38:48:40 | ControlFlowNode for ssn | test.py:50:15:50:17 | ControlFlowNode for ssn | This expression logs $@ as clear text. | test.py:48:38:48:40 | ControlFlowNode for ssn | sensitive data (private) | -| test.py:52:15:52:24 | ControlFlowNode for passportNo | test.py:48:54:48:63 | ControlFlowNode for passportNo | test.py:52:15:52:24 | ControlFlowNode for passportNo | This expression logs $@ as clear text. | test.py:48:54:48:63 | ControlFlowNode for passportNo | sensitive data (private) | -| test.py:55:15:55:23 | ControlFlowNode for post_code | test.py:54:14:54:22 | ControlFlowNode for post_code | test.py:55:15:55:23 | ControlFlowNode for post_code | This expression logs $@ as clear text. | test.py:54:14:54:22 | ControlFlowNode for post_code | sensitive data (private) | -| test.py:56:15:56:21 | ControlFlowNode for zipCode | test.py:54:25:54:31 | ControlFlowNode for zipCode | test.py:56:15:56:21 | ControlFlowNode for zipCode | This expression logs $@ as clear text. 
| test.py:54:25:54:31 | ControlFlowNode for zipCode | sensitive data (private) | -| test.py:57:15:57:26 | ControlFlowNode for home_address | test.py:54:34:54:45 | ControlFlowNode for home_address | test.py:57:15:57:26 | ControlFlowNode for home_address | This expression logs $@ as clear text. | test.py:54:34:54:45 | ControlFlowNode for home_address | sensitive data (private) | -| test.py:60:15:60:27 | ControlFlowNode for user_latitude | test.py:59:14:59:26 | ControlFlowNode for user_latitude | test.py:60:15:60:27 | ControlFlowNode for user_latitude | This expression logs $@ as clear text. | test.py:59:14:59:26 | ControlFlowNode for user_latitude | sensitive data (private) | -| test.py:61:15:61:28 | ControlFlowNode for user_longitude | test.py:59:29:59:42 | ControlFlowNode for user_longitude | test.py:61:15:61:28 | ControlFlowNode for user_longitude | This expression logs $@ as clear text. | test.py:59:29:59:42 | ControlFlowNode for user_longitude | sensitive data (private) | -| test.py:64:15:64:27 | ControlFlowNode for mobile_number | test.py:63:14:63:26 | ControlFlowNode for mobile_number | test.py:64:15:64:27 | ControlFlowNode for mobile_number | This expression logs $@ as clear text. | test.py:63:14:63:26 | ControlFlowNode for mobile_number | sensitive data (private) | -| test.py:65:15:65:21 | ControlFlowNode for phoneNo | test.py:63:29:63:35 | ControlFlowNode for phoneNo | test.py:65:15:65:21 | ControlFlowNode for phoneNo | This expression logs $@ as clear text. | test.py:63:29:63:35 | ControlFlowNode for phoneNo | sensitive data (private) | -| test.py:68:15:68:24 | ControlFlowNode for creditcard | test.py:67:14:67:23 | ControlFlowNode for creditcard | test.py:68:15:68:24 | ControlFlowNode for creditcard | This expression logs $@ as clear text. 
| test.py:67:14:67:23 | ControlFlowNode for creditcard | sensitive data (private) | -| test.py:69:15:69:24 | ControlFlowNode for debit_card | test.py:67:26:67:35 | ControlFlowNode for debit_card | test.py:69:15:69:24 | ControlFlowNode for debit_card | This expression logs $@ as clear text. | test.py:67:26:67:35 | ControlFlowNode for debit_card | sensitive data (private) | -| test.py:70:15:70:25 | ControlFlowNode for bank_number | test.py:67:38:67:48 | ControlFlowNode for bank_number | test.py:70:15:70:25 | ControlFlowNode for bank_number | This expression logs $@ as clear text. | test.py:67:38:67:48 | ControlFlowNode for bank_number | sensitive data (private) | -| test.py:73:15:73:17 | ControlFlowNode for ccn | test.py:67:76:67:78 | ControlFlowNode for ccn | test.py:73:15:73:17 | ControlFlowNode for ccn | This expression logs $@ as clear text. | test.py:67:76:67:78 | ControlFlowNode for ccn | sensitive data (private) | -| test.py:74:15:74:22 | ControlFlowNode for user_ccn | test.py:67:81:67:88 | ControlFlowNode for user_ccn | test.py:74:15:74:22 | ControlFlowNode for user_ccn | This expression logs $@ as clear text. | test.py:67:81:67:88 | ControlFlowNode for user_ccn | sensitive data (private) | -| test.py:105:11:105:31 | ControlFlowNode for Subscript | test.py:103:21:103:37 | ControlFlowNode for Attribute | test.py:105:11:105:31 | ControlFlowNode for Subscript | This expression logs $@ as clear text. | test.py:103:21:103:37 | ControlFlowNode for Attribute | sensitive data (password) | +| test.py:20:48:20:55 | password | test.py:19:16:19:29 | After get_password() | test.py:20:48:20:55 | password | This expression logs $@ as clear text. | test.py:19:16:19:29 | After get_password() | sensitive data (password) | +| test.py:22:58:22:65 | password | test.py:19:16:19:29 | After get_password() | test.py:22:58:22:65 | password | This expression logs $@ as clear text. 
| test.py:19:16:19:29 | After get_password() | sensitive data (password) | +| test.py:23:58:23:65 | password | test.py:19:16:19:29 | After get_password() | test.py:23:58:23:65 | password | This expression logs $@ as clear text. | test.py:19:16:19:29 | After get_password() | sensitive data (password) | +| test.py:27:40:27:47 | password | test.py:19:16:19:29 | After get_password() | test.py:27:40:27:47 | password | This expression logs $@ as clear text. | test.py:19:16:19:29 | After get_password() | sensitive data (password) | +| test.py:30:58:30:65 | password | test.py:19:16:19:29 | After get_password() | test.py:30:58:30:65 | password | This expression logs $@ as clear text. | test.py:19:16:19:29 | After get_password() | sensitive data (password) | +| test.py:37:11:37:24 | After get_password() | test.py:37:11:37:24 | After get_password() | test.py:37:11:37:24 | After get_password() | This expression logs $@ as clear text. | test.py:37:11:37:24 | After get_password() | sensitive data (password) | +| test.py:39:22:39:35 | After get_password() | test.py:39:22:39:35 | After get_password() | test.py:39:22:39:35 | After get_password() | This expression logs $@ as clear text. | test.py:39:22:39:35 | After get_password() | sensitive data (password) | +| test.py:40:22:40:35 | After get_password() | test.py:40:22:40:35 | After get_password() | test.py:40:22:40:35 | After get_password() | This expression logs $@ as clear text. | test.py:40:22:40:35 | After get_password() | sensitive data (password) | +| test.py:45:11:45:11 | x | test.py:44:9:44:25 | After Attribute() | test.py:45:11:45:11 | x | This expression logs $@ as clear text. | test.py:44:9:44:25 | After Attribute() | sensitive data (password) | +| test.py:49:15:49:36 | social_security_number | test.py:48:14:48:35 | social_security_number | test.py:49:15:49:36 | social_security_number | This expression logs $@ as clear text. 
| test.py:48:14:48:35 | social_security_number | sensitive data (private) | +| test.py:50:15:50:17 | ssn | test.py:48:38:48:40 | ssn | test.py:50:15:50:17 | ssn | This expression logs $@ as clear text. | test.py:48:38:48:40 | ssn | sensitive data (private) | +| test.py:52:15:52:24 | passportNo | test.py:48:54:48:63 | passportNo | test.py:52:15:52:24 | passportNo | This expression logs $@ as clear text. | test.py:48:54:48:63 | passportNo | sensitive data (private) | +| test.py:55:15:55:23 | post_code | test.py:54:14:54:22 | post_code | test.py:55:15:55:23 | post_code | This expression logs $@ as clear text. | test.py:54:14:54:22 | post_code | sensitive data (private) | +| test.py:56:15:56:21 | zipCode | test.py:54:25:54:31 | zipCode | test.py:56:15:56:21 | zipCode | This expression logs $@ as clear text. | test.py:54:25:54:31 | zipCode | sensitive data (private) | +| test.py:57:15:57:26 | home_address | test.py:54:34:54:45 | home_address | test.py:57:15:57:26 | home_address | This expression logs $@ as clear text. | test.py:54:34:54:45 | home_address | sensitive data (private) | +| test.py:60:15:60:27 | user_latitude | test.py:59:14:59:26 | user_latitude | test.py:60:15:60:27 | user_latitude | This expression logs $@ as clear text. | test.py:59:14:59:26 | user_latitude | sensitive data (private) | +| test.py:61:15:61:28 | user_longitude | test.py:59:29:59:42 | user_longitude | test.py:61:15:61:28 | user_longitude | This expression logs $@ as clear text. | test.py:59:29:59:42 | user_longitude | sensitive data (private) | +| test.py:64:15:64:27 | mobile_number | test.py:63:14:63:26 | mobile_number | test.py:64:15:64:27 | mobile_number | This expression logs $@ as clear text. | test.py:63:14:63:26 | mobile_number | sensitive data (private) | +| test.py:65:15:65:21 | phoneNo | test.py:63:29:63:35 | phoneNo | test.py:65:15:65:21 | phoneNo | This expression logs $@ as clear text. 
| test.py:63:29:63:35 | phoneNo | sensitive data (private) | +| test.py:68:15:68:24 | creditcard | test.py:67:14:67:23 | creditcard | test.py:68:15:68:24 | creditcard | This expression logs $@ as clear text. | test.py:67:14:67:23 | creditcard | sensitive data (private) | +| test.py:69:15:69:24 | debit_card | test.py:67:26:67:35 | debit_card | test.py:69:15:69:24 | debit_card | This expression logs $@ as clear text. | test.py:67:26:67:35 | debit_card | sensitive data (private) | +| test.py:70:15:70:25 | bank_number | test.py:67:38:67:48 | bank_number | test.py:70:15:70:25 | bank_number | This expression logs $@ as clear text. | test.py:67:38:67:48 | bank_number | sensitive data (private) | +| test.py:73:15:73:17 | ccn | test.py:67:76:67:78 | ccn | test.py:73:15:73:17 | ccn | This expression logs $@ as clear text. | test.py:67:76:67:78 | ccn | sensitive data (private) | +| test.py:74:15:74:22 | user_ccn | test.py:67:81:67:88 | user_ccn | test.py:74:15:74:22 | user_ccn | This expression logs $@ as clear text. | test.py:67:81:67:88 | user_ccn | sensitive data (private) | +| test.py:105:11:105:31 | After Subscript | test.py:103:21:103:37 | After Attribute | test.py:105:11:105:31 | After Subscript | This expression logs $@ as clear text. | test.py:103:21:103:37 | After Attribute | sensitive data (password) | diff --git a/python/ql/test/query-tests/Security/CWE-312-CleartextStorage-py3/CleartextStorage.expected b/python/ql/test/query-tests/Security/CWE-312-CleartextStorage-py3/CleartextStorage.expected index 588cfae32ef..3fe85502c7c 100644 --- a/python/ql/test/query-tests/Security/CWE-312-CleartextStorage-py3/CleartextStorage.expected +++ b/python/ql/test/query-tests/Security/CWE-312-CleartextStorage-py3/CleartextStorage.expected 
@@ -1,16 +1,16 @@ edges -| test.py:9:5:9:12 | ControlFlowNode for password | test.py:12:21:12:28 | ControlFlowNode for password | provenance | | -| test.py:9:5:9:12 | ControlFlowNode for password | test.py:13:22:13:45 | ControlFlowNode for Attribute() | provenance | | -| test.py:9:5:9:12 | ControlFlowNode for password | test.py:15:26:15:33 | ControlFlowNode for password | provenance | | -| test.py:9:16:9:29 | ControlFlowNode for get_password() | test.py:9:5:9:12 | ControlFlowNode for password | provenance | | +| test.py:9:5:9:12 | password | test.py:12:21:12:28 | password | provenance | | +| test.py:9:5:9:12 | password | test.py:13:22:13:45 | After Attribute() | provenance | | +| test.py:9:5:9:12 | password | test.py:15:26:15:33 | password | provenance | | +| test.py:9:16:9:29 | After get_password() | test.py:9:5:9:12 | password | provenance | | nodes -| test.py:9:5:9:12 | ControlFlowNode for password | semmle.label | ControlFlowNode for password | -| test.py:9:16:9:29 | ControlFlowNode for get_password() | semmle.label | ControlFlowNode for get_password() | -| test.py:12:21:12:28 | ControlFlowNode for password | semmle.label | ControlFlowNode for password | -| test.py:13:22:13:45 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| test.py:15:26:15:33 | ControlFlowNode for password | semmle.label | ControlFlowNode for password | +| test.py:9:5:9:12 | password | semmle.label | password | +| test.py:9:16:9:29 | After get_password() | semmle.label | After get_password() | +| test.py:12:21:12:28 | password | semmle.label | password | +| test.py:13:22:13:45 | After Attribute() | semmle.label | After Attribute() | +| test.py:15:26:15:33 | password | semmle.label | password | subpaths #select -| test.py:12:21:12:28 | ControlFlowNode for password | test.py:9:16:9:29 | ControlFlowNode for get_password() | test.py:12:21:12:28 | ControlFlowNode for password | This expression stores $@ as clear text. 
| test.py:9:16:9:29 | ControlFlowNode for get_password() | sensitive data (password) | -| test.py:13:22:13:45 | ControlFlowNode for Attribute() | test.py:9:16:9:29 | ControlFlowNode for get_password() | test.py:13:22:13:45 | ControlFlowNode for Attribute() | This expression stores $@ as clear text. | test.py:9:16:9:29 | ControlFlowNode for get_password() | sensitive data (password) | -| test.py:15:26:15:33 | ControlFlowNode for password | test.py:9:16:9:29 | ControlFlowNode for get_password() | test.py:15:26:15:33 | ControlFlowNode for password | This expression stores $@ as clear text. | test.py:9:16:9:29 | ControlFlowNode for get_password() | sensitive data (password) | +| test.py:12:21:12:28 | password | test.py:9:16:9:29 | After get_password() | test.py:12:21:12:28 | password | This expression stores $@ as clear text. | test.py:9:16:9:29 | After get_password() | sensitive data (password) | +| test.py:13:22:13:45 | After Attribute() | test.py:9:16:9:29 | After get_password() | test.py:13:22:13:45 | After Attribute() | This expression stores $@ as clear text. | test.py:9:16:9:29 | After get_password() | sensitive data (password) | +| test.py:15:26:15:33 | password | test.py:9:16:9:29 | After get_password() | test.py:15:26:15:33 | password | This expression stores $@ as clear text. | test.py:9:16:9:29 | After get_password() | sensitive data (password) | diff --git a/python/ql/test/query-tests/Security/CWE-312-CleartextStorage/CleartextStorage.expected b/python/ql/test/query-tests/Security/CWE-312-CleartextStorage/CleartextStorage.expected index c3c1206ce92..bb94931bf17 100644 --- a/python/ql/test/query-tests/Security/CWE-312-CleartextStorage/CleartextStorage.expected +++ b/python/ql/test/query-tests/Security/CWE-312-CleartextStorage/CleartextStorage.expected 
@@ -1,27 +1,27 @@ edges -| password_in_cookie.py:7:5:7:12 | ControlFlowNode for password | password_in_cookie.py:9:33:9:40 | ControlFlowNode for password | provenance | | -| password_in_cookie.py:7:16:7:43 | ControlFlowNode for Attribute() | password_in_cookie.py:7:5:7:12 | ControlFlowNode for password | provenance | | -| password_in_cookie.py:14:5:14:12 | ControlFlowNode for password | password_in_cookie.py:16:33:16:40 | ControlFlowNode for password | provenance | | -| password_in_cookie.py:14:16:14:43 | ControlFlowNode for Attribute() | password_in_cookie.py:14:5:14:12 | ControlFlowNode for password | provenance | | -| test.py:15:5:15:12 | ControlFlowNode for password | test.py:17:20:17:27 | ControlFlowNode for password | provenance | | -| test.py:15:5:15:12 | ControlFlowNode for password | test.py:18:9:18:13 | ControlFlowNode for lines | provenance | | -| test.py:15:16:15:29 | ControlFlowNode for get_password() | test.py:15:5:15:12 | ControlFlowNode for password | provenance | | -| test.py:18:9:18:13 | ControlFlowNode for lines | test.py:19:25:19:29 | ControlFlowNode for lines | provenance | | +| password_in_cookie.py:7:5:7:12 | password | password_in_cookie.py:9:33:9:40 | password | provenance | | +| password_in_cookie.py:7:16:7:43 | After Attribute() | password_in_cookie.py:7:5:7:12 | password | provenance | | +| password_in_cookie.py:14:5:14:12 | password | password_in_cookie.py:16:33:16:40 | password | provenance | | +| password_in_cookie.py:14:16:14:43 | After Attribute() | password_in_cookie.py:14:5:14:12 | password | provenance | | +| test.py:15:5:15:12 | password | test.py:17:20:17:27 | password | provenance | | +| test.py:15:5:15:12 | password | test.py:18:9:18:13 | lines | provenance | | +| test.py:15:16:15:29 | After get_password() | test.py:15:5:15:12 | password | provenance | | +| test.py:18:9:18:13 | lines | test.py:19:25:19:29 | lines | provenance | | nodes -| password_in_cookie.py:7:5:7:12 | ControlFlowNode for password | semmle.label | 
ControlFlowNode for password | -| password_in_cookie.py:7:16:7:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| password_in_cookie.py:9:33:9:40 | ControlFlowNode for password | semmle.label | ControlFlowNode for password | -| password_in_cookie.py:14:5:14:12 | ControlFlowNode for password | semmle.label | ControlFlowNode for password | -| password_in_cookie.py:14:16:14:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| password_in_cookie.py:16:33:16:40 | ControlFlowNode for password | semmle.label | ControlFlowNode for password | -| test.py:15:5:15:12 | ControlFlowNode for password | semmle.label | ControlFlowNode for password | -| test.py:15:16:15:29 | ControlFlowNode for get_password() | semmle.label | ControlFlowNode for get_password() | -| test.py:17:20:17:27 | ControlFlowNode for password | semmle.label | ControlFlowNode for password | -| test.py:18:9:18:13 | ControlFlowNode for lines | semmle.label | ControlFlowNode for lines | -| test.py:19:25:19:29 | ControlFlowNode for lines | semmle.label | ControlFlowNode for lines | +| password_in_cookie.py:7:5:7:12 | password | semmle.label | password | +| password_in_cookie.py:7:16:7:43 | After Attribute() | semmle.label | After Attribute() | +| password_in_cookie.py:9:33:9:40 | password | semmle.label | password | +| password_in_cookie.py:14:5:14:12 | password | semmle.label | password | +| password_in_cookie.py:14:16:14:43 | After Attribute() | semmle.label | After Attribute() | +| password_in_cookie.py:16:33:16:40 | password | semmle.label | password | +| test.py:15:5:15:12 | password | semmle.label | password | +| test.py:15:16:15:29 | After get_password() | semmle.label | After get_password() | +| test.py:17:20:17:27 | password | semmle.label | password | +| test.py:18:9:18:13 | lines | semmle.label | lines | +| test.py:19:25:19:29 | lines | semmle.label | lines | subpaths #select -| password_in_cookie.py:9:33:9:40 | ControlFlowNode 
for password | password_in_cookie.py:7:16:7:43 | ControlFlowNode for Attribute() | password_in_cookie.py:9:33:9:40 | ControlFlowNode for password | This expression stores $@ as clear text. | password_in_cookie.py:7:16:7:43 | ControlFlowNode for Attribute() | sensitive data (password) | -| password_in_cookie.py:16:33:16:40 | ControlFlowNode for password | password_in_cookie.py:14:16:14:43 | ControlFlowNode for Attribute() | password_in_cookie.py:16:33:16:40 | ControlFlowNode for password | This expression stores $@ as clear text. | password_in_cookie.py:14:16:14:43 | ControlFlowNode for Attribute() | sensitive data (password) | -| test.py:17:20:17:27 | ControlFlowNode for password | test.py:15:16:15:29 | ControlFlowNode for get_password() | test.py:17:20:17:27 | ControlFlowNode for password | This expression stores $@ as clear text. | test.py:15:16:15:29 | ControlFlowNode for get_password() | sensitive data (password) | -| test.py:19:25:19:29 | ControlFlowNode for lines | test.py:15:16:15:29 | ControlFlowNode for get_password() | test.py:19:25:19:29 | ControlFlowNode for lines | This expression stores $@ as clear text. | test.py:15:16:15:29 | ControlFlowNode for get_password() | sensitive data (password) | +| password_in_cookie.py:9:33:9:40 | password | password_in_cookie.py:7:16:7:43 | After Attribute() | password_in_cookie.py:9:33:9:40 | password | This expression stores $@ as clear text. | password_in_cookie.py:7:16:7:43 | After Attribute() | sensitive data (password) | +| password_in_cookie.py:16:33:16:40 | password | password_in_cookie.py:14:16:14:43 | After Attribute() | password_in_cookie.py:16:33:16:40 | password | This expression stores $@ as clear text. | password_in_cookie.py:14:16:14:43 | After Attribute() | sensitive data (password) | +| test.py:17:20:17:27 | password | test.py:15:16:15:29 | After get_password() | test.py:17:20:17:27 | password | This expression stores $@ as clear text. 
| test.py:15:16:15:29 | After get_password() | sensitive data (password) | +| test.py:19:25:19:29 | lines | test.py:15:16:15:29 | After get_password() | test.py:19:25:19:29 | lines | This expression stores $@ as clear text. | test.py:15:16:15:29 | After get_password() | sensitive data (password) | diff --git a/python/ql/test/query-tests/Security/CWE-326-WeakCryptoKey/WeakCryptoKey.expected b/python/ql/test/query-tests/Security/CWE-326-WeakCryptoKey/WeakCryptoKey.expected index ea1f924045b..7d801fbd94e 100644 --- a/python/ql/test/query-tests/Security/CWE-326-WeakCryptoKey/WeakCryptoKey.expected +++ b/python/ql/test/query-tests/Security/CWE-326-WeakCryptoKey/WeakCryptoKey.expected 
@@ -1,9 +1,9 @@ -| weak_crypto.py:68:1:68:21 | ControlFlowNode for dsa_gen_key() | Creation of an DSA key uses $@ bits, which is below 2048 and considered breakable. | weak_crypto.py:16:12:16:15 | ControlFlowNode for IntegerLiteral | 1024 | -| weak_crypto.py:69:1:69:19 | ControlFlowNode for ec_gen_key() | Creation of an ECC key uses $@ bits, which is below 256 and considered breakable. | weak_crypto.py:22:11:22:22 | ControlFlowNode for Attribute | 224 | -| weak_crypto.py:70:1:70:28 | ControlFlowNode for rsa_gen_key() | Creation of an RSA key uses $@ bits, which is below 2048 and considered breakable. | weak_crypto.py:12:12:12:15 | ControlFlowNode for IntegerLiteral | 1024 | -| weak_crypto.py:72:1:72:30 | ControlFlowNode for dsa_gen_key() | Creation of an DSA key uses $@ bits, which is below 2048 and considered breakable. | weak_crypto.py:16:12:16:15 | ControlFlowNode for IntegerLiteral | 1024 | -| weak_crypto.py:73:1:73:25 | ControlFlowNode for ec_gen_key() | Creation of an ECC key uses $@ bits, which is below 256 and considered breakable. | weak_crypto.py:22:11:22:22 | ControlFlowNode for Attribute | 224 | -| weak_crypto.py:74:1:74:37 | ControlFlowNode for rsa_gen_key() | Creation of an RSA key uses $@ bits, which is below 2048 and considered breakable. | weak_crypto.py:12:12:12:15 | ControlFlowNode for IntegerLiteral | 1024 | -| weak_crypto.py:76:1:76:22 | ControlFlowNode for Attribute() | Creation of an DSA key uses $@ bits, which is below 2048 and considered breakable. | weak_crypto.py:16:12:16:15 | ControlFlowNode for IntegerLiteral | 1024 | -| weak_crypto.py:77:1:77:22 | ControlFlowNode for Attribute() | Creation of an RSA key uses $@ bits, which is below 2048 and considered breakable. | weak_crypto.py:12:12:12:15 | ControlFlowNode for IntegerLiteral | 1024 | -| weak_crypto.py:84:12:84:29 | ControlFlowNode for Attribute() | Creation of an RSA key uses $@ bits, which is below 2048 and considered breakable. 
| weak_crypto.py:12:12:12:15 | ControlFlowNode for IntegerLiteral | 1024 | +| weak_crypto.py:68:1:68:21 | After dsa_gen_key() | Creation of an DSA key uses $@ bits, which is below 2048 and considered breakable. | weak_crypto.py:16:12:16:15 | IntegerLiteral | 1024 | +| weak_crypto.py:69:1:69:19 | After ec_gen_key() | Creation of an ECC key uses $@ bits, which is below 256 and considered breakable. | weak_crypto.py:22:11:22:22 | After Attribute | 224 | +| weak_crypto.py:70:1:70:28 | After rsa_gen_key() | Creation of an RSA key uses $@ bits, which is below 2048 and considered breakable. | weak_crypto.py:12:12:12:15 | IntegerLiteral | 1024 | +| weak_crypto.py:72:1:72:30 | After dsa_gen_key() | Creation of an DSA key uses $@ bits, which is below 2048 and considered breakable. | weak_crypto.py:16:12:16:15 | IntegerLiteral | 1024 | +| weak_crypto.py:73:1:73:25 | After ec_gen_key() | Creation of an ECC key uses $@ bits, which is below 256 and considered breakable. | weak_crypto.py:22:11:22:22 | After Attribute | 224 | +| weak_crypto.py:74:1:74:37 | After rsa_gen_key() | Creation of an RSA key uses $@ bits, which is below 2048 and considered breakable. | weak_crypto.py:12:12:12:15 | IntegerLiteral | 1024 | +| weak_crypto.py:76:1:76:22 | After Attribute() | Creation of an DSA key uses $@ bits, which is below 2048 and considered breakable. | weak_crypto.py:16:12:16:15 | IntegerLiteral | 1024 | +| weak_crypto.py:77:1:77:22 | After Attribute() | Creation of an RSA key uses $@ bits, which is below 2048 and considered breakable. | weak_crypto.py:12:12:12:15 | IntegerLiteral | 1024 | +| weak_crypto.py:84:12:84:29 | After Attribute() | Creation of an RSA key uses $@ bits, which is below 2048 and considered breakable. | weak_crypto.py:12:12:12:15 | IntegerLiteral | 1024 | 
diff --git a/python/ql/test/query-tests/Security/CWE-327-BrokenCryptoAlgorithm/BrokenCryptoAlgorithm.expected b/python/ql/test/query-tests/Security/CWE-327-BrokenCryptoAlgorithm/BrokenCryptoAlgorithm.expected
index 43c6eeb0f77..671b8a80f2b 100644
--- a/python/ql/test/query-tests/Security/CWE-327-BrokenCryptoAlgorithm/BrokenCryptoAlgorithm.expected
+++ b/python/ql/test/query-tests/Security/CWE-327-BrokenCryptoAlgorithm/BrokenCryptoAlgorithm.expected
@@ -1,4 +1,4 @@
-| test_cryptodome.py:11:13:11:42 | ControlFlowNode for Attribute() | $@ is broken or weak, and should not be used. | test_cryptodome.py:10:10:10:22 | ControlFlowNode for Attribute() | The cryptographic algorithm ARC4 |
-| test_cryptodome.py:16:13:16:42 | ControlFlowNode for Attribute() | $@ is broken or weak, and should not be used. | test_cryptodome.py:15:10:15:35 | ControlFlowNode for Attribute() | The block mode ECB |
-| test_cryptography.py:13:13:13:44 | ControlFlowNode for Attribute() | $@ is broken or weak, and should not be used. | test_cryptography.py:12:13:12:30 | ControlFlowNode for Attribute() | The cryptographic algorithm ARC4 |
-| test_cryptography.py:22:13:22:58 | ControlFlowNode for Attribute() | $@ is broken or weak, and should not be used. | test_cryptography.py:21:13:21:30 | ControlFlowNode for Attribute() | The block mode ECB |
+| test_cryptodome.py:11:13:11:42 | After Attribute() | $@ is broken or weak, and should not be used. | test_cryptodome.py:10:10:10:22 | After Attribute() | The cryptographic algorithm ARC4 |
+| test_cryptodome.py:16:13:16:42 | After Attribute() | $@ is broken or weak, and should not be used. | test_cryptodome.py:15:10:15:35 | After Attribute() | The block mode ECB |
+| test_cryptography.py:13:13:13:44 | After Attribute() | $@ is broken or weak, and should not be used. | test_cryptography.py:12:13:12:30 | After Attribute() | The cryptographic algorithm ARC4 |
+| test_cryptography.py:22:13:22:58 | After Attribute() | $@ is broken or weak, and should not be used. | test_cryptography.py:21:13:21:30 | After Attribute() | The block mode ECB |
diff --git a/python/ql/test/query-tests/Security/CWE-327-InsecureDefaultProtocol/InsecureDefaultProtocol.expected b/python/ql/test/query-tests/Security/CWE-327-InsecureDefaultProtocol/InsecureDefaultProtocol.expected
index 5b98a946a1f..f2a1637d280 100644
--- a/python/ql/test/query-tests/Security/CWE-327-InsecureDefaultProtocol/InsecureDefaultProtocol.expected
+++ b/python/ql/test/query-tests/Security/CWE-327-InsecureDefaultProtocol/InsecureDefaultProtocol.expected
@@ -1 +1 @@
-| InsecureProtocol.py:7:1:7:17 | ControlFlowNode for Attribute() | Call to deprecated method ssl.wrap_socket does not specify a protocol, which may result in an insecure default being used. |
+| InsecureProtocol.py:7:1:7:17 | After Attribute() | Call to deprecated method ssl.wrap_socket does not specify a protocol, which may result in an insecure default being used. |
diff --git a/python/ql/test/query-tests/Security/CWE-327-InsecureProtocol/InsecureProtocol.expected b/python/ql/test/query-tests/Security/CWE-327-InsecureProtocol/InsecureProtocol.expected
index 491a2382364..c94b4966a0c 100644
--- a/python/ql/test/query-tests/Security/CWE-327-InsecureProtocol/InsecureProtocol.expected
+++ b/python/ql/test/query-tests/Security/CWE-327-InsecureProtocol/InsecureProtocol.expected
@@ -1,45 +1,45 @@ -| InsecureProtocol.py:6:1:6:47 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version SSLv2 specified by $@. | InsecureProtocol.py:6:1:6:47 | ControlFlowNode for Attribute() | call to ssl.wrap_socket | -| InsecureProtocol.py:7:1:7:47 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version SSLv3 specified by $@. | InsecureProtocol.py:7:1:7:47 | ControlFlowNode for Attribute() | call to ssl.wrap_socket | -| InsecureProtocol.py:8:1:8:47 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version TLSv1 specified by $@. | InsecureProtocol.py:8:1:8:47 | ControlFlowNode for Attribute() | call to ssl.wrap_socket | -| InsecureProtocol.py:10:1:10:39 | ControlFlowNode for SSLContext() | Insecure SSL/TLS protocol version SSLv2 specified by $@. | InsecureProtocol.py:10:1:10:39 | ControlFlowNode for SSLContext() | call to SSLContext | -| InsecureProtocol.py:11:1:11:39 | ControlFlowNode for SSLContext() | Insecure SSL/TLS protocol version SSLv3 specified by $@. | InsecureProtocol.py:11:1:11:39 | ControlFlowNode for SSLContext() | call to SSLContext | -| InsecureProtocol.py:12:1:12:39 | ControlFlowNode for SSLContext() | Insecure SSL/TLS protocol version TLSv1 specified by $@. | InsecureProtocol.py:12:1:12:39 | ControlFlowNode for SSLContext() | call to SSLContext | -| InsecureProtocol.py:14:1:14:29 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version SSLv2 specified by $@. | InsecureProtocol.py:14:1:14:29 | ControlFlowNode for Attribute() | call to SSL.Context | -| InsecureProtocol.py:15:1:15:29 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version SSLv3 specified by $@. | InsecureProtocol.py:15:1:15:29 | ControlFlowNode for Attribute() | call to SSL.Context | -| InsecureProtocol.py:16:1:16:29 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version TLSv1 specified by $@. 
| InsecureProtocol.py:16:1:16:29 | ControlFlowNode for Attribute() | call to SSL.Context | -| InsecureProtocol.py:19:1:19:19 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version SSLv2 specified by $@. | InsecureProtocol.py:19:1:19:19 | ControlFlowNode for Attribute() | call to SSL.Context | -| InsecureProtocol.py:23:1:23:43 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version SSLv2 specified by $@. | InsecureProtocol.py:23:1:23:43 | ControlFlowNode for Attribute() | call to ssl.wrap_socket | -| InsecureProtocol.py:24:1:24:35 | ControlFlowNode for SSLContext() | Insecure SSL/TLS protocol version SSLv2 specified by $@. | InsecureProtocol.py:24:1:24:35 | ControlFlowNode for SSLContext() | call to SSLContext | -| import_all_one_file.py:25:14:25:45 | ControlFlowNode for copy_completely_insecure_context | Insecure SSL/TLS protocol version TLSv1 allowed by $@. | import_all_one_file.py:9:36:9:67 | ControlFlowNode for Attribute() | call to ssl.SSLContext | -| import_all_one_file.py:25:14:25:45 | ControlFlowNode for copy_completely_insecure_context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@. | import_all_one_file.py:9:36:9:67 | ControlFlowNode for Attribute() | call to ssl.SSLContext | -| import_all_one_file.py:29:14:29:39 | ControlFlowNode for copy_also_insecure_context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@. | import_all_one_file.py:12:30:12:61 | ControlFlowNode for Attribute() | call to ssl.SSLContext | -| import_use.py:13:14:13:40 | ControlFlowNode for completely_insecure_context | Insecure SSL/TLS protocol version TLSv1 allowed by $@. | import_def.py:7:31:7:62 | ControlFlowNode for Attribute() | call to ssl.SSLContext | -| import_use.py:13:14:13:40 | ControlFlowNode for completely_insecure_context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@. 
| import_def.py:7:31:7:62 | ControlFlowNode for Attribute() | call to ssl.SSLContext | -| import_use.py:17:14:17:34 | ControlFlowNode for also_insecure_context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@. | import_def.py:10:25:10:56 | ControlFlowNode for Attribute() | call to ssl.SSLContext | -| pyOpenSSL_fluent.py:8:27:8:33 | ControlFlowNode for context | Insecure SSL/TLS protocol version SSLv2 allowed by $@. | pyOpenSSL_fluent.py:6:15:6:44 | ControlFlowNode for Attribute() | call to SSL.Context | -| pyOpenSSL_fluent.py:8:27:8:33 | ControlFlowNode for context | Insecure SSL/TLS protocol version SSLv3 allowed by $@. | pyOpenSSL_fluent.py:6:15:6:44 | ControlFlowNode for Attribute() | call to SSL.Context | -| pyOpenSSL_fluent.py:8:27:8:33 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 allowed by $@. | pyOpenSSL_fluent.py:6:15:6:44 | ControlFlowNode for Attribute() | call to SSL.Context | -| pyOpenSSL_fluent.py:8:27:8:33 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@. | pyOpenSSL_fluent.py:6:15:6:44 | ControlFlowNode for Attribute() | call to SSL.Context | -| pyOpenSSL_fluent.py:18:27:18:33 | ControlFlowNode for context | Insecure SSL/TLS protocol version SSLv2 allowed by $@. | pyOpenSSL_fluent.py:15:15:15:44 | ControlFlowNode for Attribute() | call to SSL.Context | -| pyOpenSSL_fluent.py:18:27:18:33 | ControlFlowNode for context | Insecure SSL/TLS protocol version SSLv3 allowed by $@. | pyOpenSSL_fluent.py:15:15:15:44 | ControlFlowNode for Attribute() | call to SSL.Context | -| pyOpenSSL_fluent.py:18:27:18:33 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@. | pyOpenSSL_fluent.py:15:15:15:44 | ControlFlowNode for Attribute() | call to SSL.Context | -| ssl_fluent.py:9:14:9:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 allowed by $@. 
| ssl_fluent.py:6:15:6:46 | ControlFlowNode for Attribute() | call to ssl.SSLContext | -| ssl_fluent.py:9:14:9:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@. | ssl_fluent.py:6:15:6:46 | ControlFlowNode for Attribute() | call to ssl.SSLContext | -| ssl_fluent.py:19:14:19:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@. | ssl_fluent.py:15:15:15:46 | ControlFlowNode for Attribute() | call to ssl.SSLContext | -| ssl_fluent.py:28:14:28:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@. | ssl_fluent.py:24:15:24:53 | ControlFlowNode for Attribute() | call to ssl.SSLContext | -| ssl_fluent.py:37:14:37:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@. | ssl_fluent.py:33:15:33:53 | ControlFlowNode for Attribute() | call to ssl.SSLContext | -| ssl_fluent.py:57:14:57:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 allowed by $@. | ssl_fluent.py:54:15:54:49 | ControlFlowNode for Attribute() | call to ssl.SSLContext | -| ssl_fluent.py:57:14:57:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@. | ssl_fluent.py:54:15:54:49 | ControlFlowNode for Attribute() | call to ssl.SSLContext | -| ssl_fluent.py:71:14:71:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 allowed by $@. | ssl_fluent.py:62:12:62:43 | ControlFlowNode for Attribute() | call to ssl.SSLContext | -| ssl_fluent.py:71:14:71:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 allowed by $@. | ssl_fluent.py:101:15:101:46 | ControlFlowNode for Attribute() | call to ssl.SSLContext | -| ssl_fluent.py:71:14:71:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@. 
| ssl_fluent.py:62:12:62:43 | ControlFlowNode for Attribute() | call to ssl.SSLContext | -| ssl_fluent.py:71:14:71:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@. | ssl_fluent.py:65:15:65:46 | ControlFlowNode for Attribute() | call to ssl.SSLContext | -| ssl_fluent.py:71:14:71:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@. | ssl_fluent.py:101:15:101:46 | ControlFlowNode for Attribute() | call to ssl.SSLContext | -| ssl_fluent.py:71:14:71:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@. | ssl_fluent.py:115:15:115:46 | ControlFlowNode for Attribute() | call to ssl.SSLContext | -| ssl_fluent.py:77:14:77:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 allowed by $@. | ssl_fluent.py:62:12:62:43 | ControlFlowNode for Attribute() | call to ssl.SSLContext | -| ssl_fluent.py:77:14:77:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@. | ssl_fluent.py:62:12:62:43 | ControlFlowNode for Attribute() | call to ssl.SSLContext | -| ssl_fluent.py:97:14:97:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@. | ssl_fluent.py:65:15:65:46 | ControlFlowNode for Attribute() | call to ssl.SSLContext | -| ssl_fluent.py:146:14:146:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@. | ssl_fluent.py:142:15:142:46 | ControlFlowNode for Attribute() | call to ssl.SSLContext | -| ssl_fluent.py:165:14:165:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version SSLv3 allowed by $@. | ssl_fluent.py:161:15:161:65 | ControlFlowNode for Attribute() | call to ssl.create_default_context | -| ssl_fluent.py:165:14:165:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 allowed by $@. 
| ssl_fluent.py:161:15:161:65 | ControlFlowNode for Attribute() | call to ssl.create_default_context | -| ssl_fluent.py:165:14:165:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@. | ssl_fluent.py:161:15:161:65 | ControlFlowNode for Attribute() | call to ssl.create_default_context | +| InsecureProtocol.py:6:1:6:47 | After Attribute() | Insecure SSL/TLS protocol version SSLv2 specified by $@. | InsecureProtocol.py:6:1:6:47 | After Attribute() | call to ssl.wrap_socket | +| InsecureProtocol.py:7:1:7:47 | After Attribute() | Insecure SSL/TLS protocol version SSLv3 specified by $@. | InsecureProtocol.py:7:1:7:47 | After Attribute() | call to ssl.wrap_socket | +| InsecureProtocol.py:8:1:8:47 | After Attribute() | Insecure SSL/TLS protocol version TLSv1 specified by $@. | InsecureProtocol.py:8:1:8:47 | After Attribute() | call to ssl.wrap_socket | +| InsecureProtocol.py:10:1:10:39 | After SSLContext() | Insecure SSL/TLS protocol version SSLv2 specified by $@. | InsecureProtocol.py:10:1:10:39 | After SSLContext() | call to SSLContext | +| InsecureProtocol.py:11:1:11:39 | After SSLContext() | Insecure SSL/TLS protocol version SSLv3 specified by $@. | InsecureProtocol.py:11:1:11:39 | After SSLContext() | call to SSLContext | +| InsecureProtocol.py:12:1:12:39 | After SSLContext() | Insecure SSL/TLS protocol version TLSv1 specified by $@. | InsecureProtocol.py:12:1:12:39 | After SSLContext() | call to SSLContext | +| InsecureProtocol.py:14:1:14:29 | After Attribute() | Insecure SSL/TLS protocol version SSLv2 specified by $@. | InsecureProtocol.py:14:1:14:29 | After Attribute() | call to SSL.Context | +| InsecureProtocol.py:15:1:15:29 | After Attribute() | Insecure SSL/TLS protocol version SSLv3 specified by $@. | InsecureProtocol.py:15:1:15:29 | After Attribute() | call to SSL.Context | +| InsecureProtocol.py:16:1:16:29 | After Attribute() | Insecure SSL/TLS protocol version TLSv1 specified by $@. 
| InsecureProtocol.py:16:1:16:29 | After Attribute() | call to SSL.Context | +| InsecureProtocol.py:19:1:19:19 | After Attribute() | Insecure SSL/TLS protocol version SSLv2 specified by $@. | InsecureProtocol.py:19:1:19:19 | After Attribute() | call to SSL.Context | +| InsecureProtocol.py:23:1:23:43 | After Attribute() | Insecure SSL/TLS protocol version SSLv2 specified by $@. | InsecureProtocol.py:23:1:23:43 | After Attribute() | call to ssl.wrap_socket | +| InsecureProtocol.py:24:1:24:35 | After SSLContext() | Insecure SSL/TLS protocol version SSLv2 specified by $@. | InsecureProtocol.py:24:1:24:35 | After SSLContext() | call to SSLContext | +| import_all_one_file.py:25:14:25:45 | copy_completely_insecure_context | Insecure SSL/TLS protocol version TLSv1 allowed by $@. | import_all_one_file.py:9:36:9:67 | After Attribute() | call to ssl.SSLContext | +| import_all_one_file.py:25:14:25:45 | copy_completely_insecure_context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@. | import_all_one_file.py:9:36:9:67 | After Attribute() | call to ssl.SSLContext | +| import_all_one_file.py:29:14:29:39 | copy_also_insecure_context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@. | import_all_one_file.py:12:30:12:61 | After Attribute() | call to ssl.SSLContext | +| import_use.py:13:14:13:40 | completely_insecure_context | Insecure SSL/TLS protocol version TLSv1 allowed by $@. | import_def.py:7:31:7:62 | After Attribute() | call to ssl.SSLContext | +| import_use.py:13:14:13:40 | completely_insecure_context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@. | import_def.py:7:31:7:62 | After Attribute() | call to ssl.SSLContext | +| import_use.py:17:14:17:34 | also_insecure_context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@. | import_def.py:10:25:10:56 | After Attribute() | call to ssl.SSLContext | +| pyOpenSSL_fluent.py:8:27:8:33 | context | Insecure SSL/TLS protocol version SSLv2 allowed by $@. 
| pyOpenSSL_fluent.py:6:15:6:44 | After Attribute() | call to SSL.Context | +| pyOpenSSL_fluent.py:8:27:8:33 | context | Insecure SSL/TLS protocol version SSLv3 allowed by $@. | pyOpenSSL_fluent.py:6:15:6:44 | After Attribute() | call to SSL.Context | +| pyOpenSSL_fluent.py:8:27:8:33 | context | Insecure SSL/TLS protocol version TLSv1 allowed by $@. | pyOpenSSL_fluent.py:6:15:6:44 | After Attribute() | call to SSL.Context | +| pyOpenSSL_fluent.py:8:27:8:33 | context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@. | pyOpenSSL_fluent.py:6:15:6:44 | After Attribute() | call to SSL.Context | +| pyOpenSSL_fluent.py:18:27:18:33 | context | Insecure SSL/TLS protocol version SSLv2 allowed by $@. | pyOpenSSL_fluent.py:15:15:15:44 | After Attribute() | call to SSL.Context | +| pyOpenSSL_fluent.py:18:27:18:33 | context | Insecure SSL/TLS protocol version SSLv3 allowed by $@. | pyOpenSSL_fluent.py:15:15:15:44 | After Attribute() | call to SSL.Context | +| pyOpenSSL_fluent.py:18:27:18:33 | context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@. | pyOpenSSL_fluent.py:15:15:15:44 | After Attribute() | call to SSL.Context | +| ssl_fluent.py:9:14:9:20 | context | Insecure SSL/TLS protocol version TLSv1 allowed by $@. | ssl_fluent.py:6:15:6:46 | After Attribute() | call to ssl.SSLContext | +| ssl_fluent.py:9:14:9:20 | context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@. | ssl_fluent.py:6:15:6:46 | After Attribute() | call to ssl.SSLContext | +| ssl_fluent.py:19:14:19:20 | context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@. | ssl_fluent.py:15:15:15:46 | After Attribute() | call to ssl.SSLContext | +| ssl_fluent.py:28:14:28:20 | context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@. | ssl_fluent.py:24:15:24:53 | After Attribute() | call to ssl.SSLContext | +| ssl_fluent.py:37:14:37:20 | context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@. 
| ssl_fluent.py:33:15:33:53 | After Attribute() | call to ssl.SSLContext | +| ssl_fluent.py:57:14:57:20 | context | Insecure SSL/TLS protocol version TLSv1 allowed by $@. | ssl_fluent.py:54:15:54:49 | After Attribute() | call to ssl.SSLContext | +| ssl_fluent.py:57:14:57:20 | context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@. | ssl_fluent.py:54:15:54:49 | After Attribute() | call to ssl.SSLContext | +| ssl_fluent.py:71:14:71:20 | context | Insecure SSL/TLS protocol version TLSv1 allowed by $@. | ssl_fluent.py:62:12:62:43 | After Attribute() | call to ssl.SSLContext | +| ssl_fluent.py:71:14:71:20 | context | Insecure SSL/TLS protocol version TLSv1 allowed by $@. | ssl_fluent.py:101:15:101:46 | After Attribute() | call to ssl.SSLContext | +| ssl_fluent.py:71:14:71:20 | context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@. | ssl_fluent.py:62:12:62:43 | After Attribute() | call to ssl.SSLContext | +| ssl_fluent.py:71:14:71:20 | context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@. | ssl_fluent.py:65:15:65:46 | After Attribute() | call to ssl.SSLContext | +| ssl_fluent.py:71:14:71:20 | context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@. | ssl_fluent.py:101:15:101:46 | After Attribute() | call to ssl.SSLContext | +| ssl_fluent.py:71:14:71:20 | context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@. | ssl_fluent.py:115:15:115:46 | After Attribute() | call to ssl.SSLContext | +| ssl_fluent.py:77:14:77:20 | context | Insecure SSL/TLS protocol version TLSv1 allowed by $@. | ssl_fluent.py:62:12:62:43 | After Attribute() | call to ssl.SSLContext | +| ssl_fluent.py:77:14:77:20 | context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@. | ssl_fluent.py:62:12:62:43 | After Attribute() | call to ssl.SSLContext | +| ssl_fluent.py:97:14:97:20 | context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@. 
| ssl_fluent.py:65:15:65:46 | After Attribute() | call to ssl.SSLContext | +| ssl_fluent.py:146:14:146:20 | context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@. | ssl_fluent.py:142:15:142:46 | After Attribute() | call to ssl.SSLContext | +| ssl_fluent.py:165:14:165:20 | context | Insecure SSL/TLS protocol version SSLv3 allowed by $@. | ssl_fluent.py:161:15:161:65 | After Attribute() | call to ssl.create_default_context | +| ssl_fluent.py:165:14:165:20 | context | Insecure SSL/TLS protocol version TLSv1 allowed by $@. | ssl_fluent.py:161:15:161:65 | After Attribute() | call to ssl.create_default_context | +| ssl_fluent.py:165:14:165:20 | context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@. | ssl_fluent.py:161:15:161:65 | After Attribute() | call to ssl.create_default_context | diff --git a/python/ql/test/query-tests/Security/CWE-327-WeakSensitiveDataHashing/WeakSensitiveDataHashing.expected b/python/ql/test/query-tests/Security/CWE-327-WeakSensitiveDataHashing/WeakSensitiveDataHashing.expected index 1027fbf4963..3de1b3a595d 100644 --- a/python/ql/test/query-tests/Security/CWE-327-WeakSensitiveDataHashing/WeakSensitiveDataHashing.expected +++ b/python/ql/test/query-tests/Security/CWE-327-WeakSensitiveDataHashing/WeakSensitiveDataHashing.expected 
@@ -1,76 +1,76 @@ edges -| test_cryptodome.py:2:23:2:34 | ControlFlowNode for ImportMember | test_cryptodome.py:2:23:2:34 | ControlFlowNode for get_password | provenance | | -| test_cryptodome.py:2:23:2:34 | ControlFlowNode for get_password | test_cryptodome.py:13:17:13:28 | ControlFlowNode for get_password | provenance | | -| test_cryptodome.py:2:23:2:34 | ControlFlowNode for get_password | test_cryptodome.py:20:17:20:28 | ControlFlowNode for get_password | provenance | | -| test_cryptodome.py:2:37:2:51 | ControlFlowNode for ImportMember | test_cryptodome.py:2:37:2:51 | ControlFlowNode for get_certificate | provenance | | -| test_cryptodome.py:2:37:2:51 | ControlFlowNode for get_certificate | test_cryptodome.py:6:17:6:31 | ControlFlowNode for get_certificate | provenance | | -| test_cryptodome.py:6:5:6:13 | ControlFlowNode for dangerous | test_cryptodome.py:8:19:8:27 | ControlFlowNode for dangerous | provenance | | -| test_cryptodome.py:6:17:6:31 | ControlFlowNode for get_certificate | test_cryptodome.py:6:17:6:33 | ControlFlowNode for get_certificate() | provenance | Config | -| test_cryptodome.py:6:17:6:33 | ControlFlowNode for get_certificate() | test_cryptodome.py:6:5:6:13 | ControlFlowNode for dangerous | provenance | | -| test_cryptodome.py:13:5:13:13 | ControlFlowNode for dangerous | test_cryptodome.py:15:19:15:27 | ControlFlowNode for dangerous | provenance | | -| test_cryptodome.py:13:17:13:28 | ControlFlowNode for get_password | test_cryptodome.py:13:17:13:30 | ControlFlowNode for get_password() | provenance | Config | -| test_cryptodome.py:13:17:13:30 | ControlFlowNode for get_password() | test_cryptodome.py:13:5:13:13 | ControlFlowNode for dangerous | provenance | | -| test_cryptodome.py:20:5:20:13 | ControlFlowNode for dangerous | test_cryptodome.py:24:19:24:27 | ControlFlowNode for dangerous | provenance | | -| test_cryptodome.py:20:17:20:28 | ControlFlowNode for get_password | test_cryptodome.py:20:17:20:30 | ControlFlowNode for get_password() | 
provenance | Config | -| test_cryptodome.py:20:17:20:30 | ControlFlowNode for get_password() | test_cryptodome.py:20:5:20:13 | ControlFlowNode for dangerous | provenance | | -| test_cryptography.py:3:23:3:34 | ControlFlowNode for ImportMember | test_cryptography.py:3:23:3:34 | ControlFlowNode for get_password | provenance | | -| test_cryptography.py:3:23:3:34 | ControlFlowNode for get_password | test_cryptography.py:15:17:15:28 | ControlFlowNode for get_password | provenance | | -| test_cryptography.py:3:23:3:34 | ControlFlowNode for get_password | test_cryptography.py:23:17:23:28 | ControlFlowNode for get_password | provenance | | -| test_cryptography.py:3:37:3:51 | ControlFlowNode for ImportMember | test_cryptography.py:3:37:3:51 | ControlFlowNode for get_certificate | provenance | | -| test_cryptography.py:3:37:3:51 | ControlFlowNode for get_certificate | test_cryptography.py:7:17:7:31 | ControlFlowNode for get_certificate | provenance | | -| test_cryptography.py:7:5:7:13 | ControlFlowNode for dangerous | test_cryptography.py:9:19:9:27 | ControlFlowNode for dangerous | provenance | | -| test_cryptography.py:7:17:7:31 | ControlFlowNode for get_certificate | test_cryptography.py:7:17:7:33 | ControlFlowNode for get_certificate() | provenance | Config | -| test_cryptography.py:7:17:7:33 | ControlFlowNode for get_certificate() | test_cryptography.py:7:5:7:13 | ControlFlowNode for dangerous | provenance | | -| test_cryptography.py:15:5:15:13 | ControlFlowNode for dangerous | test_cryptography.py:17:19:17:27 | ControlFlowNode for dangerous | provenance | | -| test_cryptography.py:15:17:15:28 | ControlFlowNode for get_password | test_cryptography.py:15:17:15:30 | ControlFlowNode for get_password() | provenance | Config | -| test_cryptography.py:15:17:15:30 | ControlFlowNode for get_password() | test_cryptography.py:15:5:15:13 | ControlFlowNode for dangerous | provenance | | -| test_cryptography.py:23:5:23:13 | ControlFlowNode for dangerous | 
test_cryptography.py:27:19:27:27 | ControlFlowNode for dangerous | provenance | | -| test_cryptography.py:23:17:23:28 | ControlFlowNode for get_password | test_cryptography.py:23:17:23:30 | ControlFlowNode for get_password() | provenance | Config | -| test_cryptography.py:23:17:23:30 | ControlFlowNode for get_password() | test_cryptography.py:23:5:23:13 | ControlFlowNode for dangerous | provenance | | +| test_cryptodome.py:2:23:2:34 | After ImportMember | test_cryptodome.py:2:23:2:34 | get_password | provenance | | +| test_cryptodome.py:2:23:2:34 | get_password | test_cryptodome.py:13:17:13:28 | get_password | provenance | | +| test_cryptodome.py:2:23:2:34 | get_password | test_cryptodome.py:20:17:20:28 | get_password | provenance | | +| test_cryptodome.py:2:37:2:51 | After ImportMember | test_cryptodome.py:2:37:2:51 | get_certificate | provenance | | +| test_cryptodome.py:2:37:2:51 | get_certificate | test_cryptodome.py:6:17:6:31 | get_certificate | provenance | | +| test_cryptodome.py:6:5:6:13 | dangerous | test_cryptodome.py:8:19:8:27 | dangerous | provenance | | +| test_cryptodome.py:6:17:6:31 | get_certificate | test_cryptodome.py:6:17:6:33 | After get_certificate() | provenance | Config | +| test_cryptodome.py:6:17:6:33 | After get_certificate() | test_cryptodome.py:6:5:6:13 | dangerous | provenance | | +| test_cryptodome.py:13:5:13:13 | dangerous | test_cryptodome.py:15:19:15:27 | dangerous | provenance | | +| test_cryptodome.py:13:17:13:28 | get_password | test_cryptodome.py:13:17:13:30 | After get_password() | provenance | Config | +| test_cryptodome.py:13:17:13:30 | After get_password() | test_cryptodome.py:13:5:13:13 | dangerous | provenance | | +| test_cryptodome.py:20:5:20:13 | dangerous | test_cryptodome.py:24:19:24:27 | dangerous | provenance | | +| test_cryptodome.py:20:17:20:28 | get_password | test_cryptodome.py:20:17:20:30 | After get_password() | provenance | Config | +| test_cryptodome.py:20:17:20:30 | After get_password() | 
test_cryptodome.py:20:5:20:13 | dangerous | provenance | | +| test_cryptography.py:3:23:3:34 | After ImportMember | test_cryptography.py:3:23:3:34 | get_password | provenance | | +| test_cryptography.py:3:23:3:34 | get_password | test_cryptography.py:15:17:15:28 | get_password | provenance | | +| test_cryptography.py:3:23:3:34 | get_password | test_cryptography.py:23:17:23:28 | get_password | provenance | | +| test_cryptography.py:3:37:3:51 | After ImportMember | test_cryptography.py:3:37:3:51 | get_certificate | provenance | | +| test_cryptography.py:3:37:3:51 | get_certificate | test_cryptography.py:7:17:7:31 | get_certificate | provenance | | +| test_cryptography.py:7:5:7:13 | dangerous | test_cryptography.py:9:19:9:27 | dangerous | provenance | | +| test_cryptography.py:7:17:7:31 | get_certificate | test_cryptography.py:7:17:7:33 | After get_certificate() | provenance | Config | +| test_cryptography.py:7:17:7:33 | After get_certificate() | test_cryptography.py:7:5:7:13 | dangerous | provenance | | +| test_cryptography.py:15:5:15:13 | dangerous | test_cryptography.py:17:19:17:27 | dangerous | provenance | | +| test_cryptography.py:15:17:15:28 | get_password | test_cryptography.py:15:17:15:30 | After get_password() | provenance | Config | +| test_cryptography.py:15:17:15:30 | After get_password() | test_cryptography.py:15:5:15:13 | dangerous | provenance | | +| test_cryptography.py:23:5:23:13 | dangerous | test_cryptography.py:27:19:27:27 | dangerous | provenance | | +| test_cryptography.py:23:17:23:28 | get_password | test_cryptography.py:23:17:23:30 | After get_password() | provenance | Config | +| test_cryptography.py:23:17:23:30 | After get_password() | test_cryptography.py:23:5:23:13 | dangerous | provenance | | nodes -| test_cryptodome.py:2:23:2:34 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember | -| test_cryptodome.py:2:23:2:34 | ControlFlowNode for get_password | semmle.label | ControlFlowNode for get_password | -| 
test_cryptodome.py:2:37:2:51 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember | -| test_cryptodome.py:2:37:2:51 | ControlFlowNode for get_certificate | semmle.label | ControlFlowNode for get_certificate | -| test_cryptodome.py:6:5:6:13 | ControlFlowNode for dangerous | semmle.label | ControlFlowNode for dangerous | -| test_cryptodome.py:6:17:6:31 | ControlFlowNode for get_certificate | semmle.label | ControlFlowNode for get_certificate | -| test_cryptodome.py:6:17:6:33 | ControlFlowNode for get_certificate() | semmle.label | ControlFlowNode for get_certificate() | -| test_cryptodome.py:8:19:8:27 | ControlFlowNode for dangerous | semmle.label | ControlFlowNode for dangerous | -| test_cryptodome.py:13:5:13:13 | ControlFlowNode for dangerous | semmle.label | ControlFlowNode for dangerous | -| test_cryptodome.py:13:17:13:28 | ControlFlowNode for get_password | semmle.label | ControlFlowNode for get_password | -| test_cryptodome.py:13:17:13:30 | ControlFlowNode for get_password() | semmle.label | ControlFlowNode for get_password() | -| test_cryptodome.py:15:19:15:27 | ControlFlowNode for dangerous | semmle.label | ControlFlowNode for dangerous | -| test_cryptodome.py:20:5:20:13 | ControlFlowNode for dangerous | semmle.label | ControlFlowNode for dangerous | -| test_cryptodome.py:20:17:20:28 | ControlFlowNode for get_password | semmle.label | ControlFlowNode for get_password | -| test_cryptodome.py:20:17:20:30 | ControlFlowNode for get_password() | semmle.label | ControlFlowNode for get_password() | -| test_cryptodome.py:24:19:24:27 | ControlFlowNode for dangerous | semmle.label | ControlFlowNode for dangerous | -| test_cryptography.py:3:23:3:34 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember | -| test_cryptography.py:3:23:3:34 | ControlFlowNode for get_password | semmle.label | ControlFlowNode for get_password | -| test_cryptography.py:3:37:3:51 | ControlFlowNode for ImportMember | semmle.label | 
ControlFlowNode for ImportMember | -| test_cryptography.py:3:37:3:51 | ControlFlowNode for get_certificate | semmle.label | ControlFlowNode for get_certificate | -| test_cryptography.py:7:5:7:13 | ControlFlowNode for dangerous | semmle.label | ControlFlowNode for dangerous | -| test_cryptography.py:7:17:7:31 | ControlFlowNode for get_certificate | semmle.label | ControlFlowNode for get_certificate | -| test_cryptography.py:7:17:7:33 | ControlFlowNode for get_certificate() | semmle.label | ControlFlowNode for get_certificate() | -| test_cryptography.py:9:19:9:27 | ControlFlowNode for dangerous | semmle.label | ControlFlowNode for dangerous | -| test_cryptography.py:15:5:15:13 | ControlFlowNode for dangerous | semmle.label | ControlFlowNode for dangerous | -| test_cryptography.py:15:17:15:28 | ControlFlowNode for get_password | semmle.label | ControlFlowNode for get_password | -| test_cryptography.py:15:17:15:30 | ControlFlowNode for get_password() | semmle.label | ControlFlowNode for get_password() | -| test_cryptography.py:17:19:17:27 | ControlFlowNode for dangerous | semmle.label | ControlFlowNode for dangerous | -| test_cryptography.py:23:5:23:13 | ControlFlowNode for dangerous | semmle.label | ControlFlowNode for dangerous | -| test_cryptography.py:23:17:23:28 | ControlFlowNode for get_password | semmle.label | ControlFlowNode for get_password | -| test_cryptography.py:23:17:23:30 | ControlFlowNode for get_password() | semmle.label | ControlFlowNode for get_password() | -| test_cryptography.py:27:19:27:27 | ControlFlowNode for dangerous | semmle.label | ControlFlowNode for dangerous | +| test_cryptodome.py:2:23:2:34 | After ImportMember | semmle.label | After ImportMember | +| test_cryptodome.py:2:23:2:34 | get_password | semmle.label | get_password | +| test_cryptodome.py:2:37:2:51 | After ImportMember | semmle.label | After ImportMember | +| test_cryptodome.py:2:37:2:51 | get_certificate | semmle.label | get_certificate | +| test_cryptodome.py:6:5:6:13 | 
dangerous | semmle.label | dangerous | +| test_cryptodome.py:6:17:6:31 | get_certificate | semmle.label | get_certificate | +| test_cryptodome.py:6:17:6:33 | After get_certificate() | semmle.label | After get_certificate() | +| test_cryptodome.py:8:19:8:27 | dangerous | semmle.label | dangerous | +| test_cryptodome.py:13:5:13:13 | dangerous | semmle.label | dangerous | +| test_cryptodome.py:13:17:13:28 | get_password | semmle.label | get_password | +| test_cryptodome.py:13:17:13:30 | After get_password() | semmle.label | After get_password() | +| test_cryptodome.py:15:19:15:27 | dangerous | semmle.label | dangerous | +| test_cryptodome.py:20:5:20:13 | dangerous | semmle.label | dangerous | +| test_cryptodome.py:20:17:20:28 | get_password | semmle.label | get_password | +| test_cryptodome.py:20:17:20:30 | After get_password() | semmle.label | After get_password() | +| test_cryptodome.py:24:19:24:27 | dangerous | semmle.label | dangerous | +| test_cryptography.py:3:23:3:34 | After ImportMember | semmle.label | After ImportMember | +| test_cryptography.py:3:23:3:34 | get_password | semmle.label | get_password | +| test_cryptography.py:3:37:3:51 | After ImportMember | semmle.label | After ImportMember | +| test_cryptography.py:3:37:3:51 | get_certificate | semmle.label | get_certificate | +| test_cryptography.py:7:5:7:13 | dangerous | semmle.label | dangerous | +| test_cryptography.py:7:17:7:31 | get_certificate | semmle.label | get_certificate | +| test_cryptography.py:7:17:7:33 | After get_certificate() | semmle.label | After get_certificate() | +| test_cryptography.py:9:19:9:27 | dangerous | semmle.label | dangerous | +| test_cryptography.py:15:5:15:13 | dangerous | semmle.label | dangerous | +| test_cryptography.py:15:17:15:28 | get_password | semmle.label | get_password | +| test_cryptography.py:15:17:15:30 | After get_password() | semmle.label | After get_password() | +| test_cryptography.py:17:19:17:27 | dangerous | semmle.label | dangerous | +| 
test_cryptography.py:23:5:23:13 | dangerous | semmle.label | dangerous | +| test_cryptography.py:23:17:23:28 | get_password | semmle.label | get_password | +| test_cryptography.py:23:17:23:30 | After get_password() | semmle.label | After get_password() | +| test_cryptography.py:27:19:27:27 | dangerous | semmle.label | dangerous | subpaths #select -| test_cryptodome.py:8:19:8:27 | ControlFlowNode for dangerous | test_cryptodome.py:2:37:2:51 | ControlFlowNode for ImportMember | test_cryptodome.py:8:19:8:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (MD5) that is insecure. | test_cryptodome.py:2:37:2:51 | ControlFlowNode for ImportMember | Sensitive data (certificate) | -| test_cryptodome.py:8:19:8:27 | ControlFlowNode for dangerous | test_cryptodome.py:6:17:6:33 | ControlFlowNode for get_certificate() | test_cryptodome.py:8:19:8:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (MD5) that is insecure. | test_cryptodome.py:6:17:6:33 | ControlFlowNode for get_certificate() | Sensitive data (certificate) | -| test_cryptodome.py:15:19:15:27 | ControlFlowNode for dangerous | test_cryptodome.py:2:23:2:34 | ControlFlowNode for ImportMember | test_cryptodome.py:15:19:15:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (MD5) that is insecure for password hashing, since it is not a computationally expensive hash function. | test_cryptodome.py:2:23:2:34 | ControlFlowNode for ImportMember | Sensitive data (password) | -| test_cryptodome.py:15:19:15:27 | ControlFlowNode for dangerous | test_cryptodome.py:13:17:13:30 | ControlFlowNode for get_password() | test_cryptodome.py:15:19:15:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (MD5) that is insecure for password hashing, since it is not a computationally expensive hash function. 
| test_cryptodome.py:13:17:13:30 | ControlFlowNode for get_password() | Sensitive data (password) | -| test_cryptodome.py:24:19:24:27 | ControlFlowNode for dangerous | test_cryptodome.py:2:23:2:34 | ControlFlowNode for ImportMember | test_cryptodome.py:24:19:24:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (SHA256) that is insecure for password hashing, since it is not a computationally expensive hash function. | test_cryptodome.py:2:23:2:34 | ControlFlowNode for ImportMember | Sensitive data (password) | -| test_cryptodome.py:24:19:24:27 | ControlFlowNode for dangerous | test_cryptodome.py:20:17:20:30 | ControlFlowNode for get_password() | test_cryptodome.py:24:19:24:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (SHA256) that is insecure for password hashing, since it is not a computationally expensive hash function. | test_cryptodome.py:20:17:20:30 | ControlFlowNode for get_password() | Sensitive data (password) | -| test_cryptography.py:9:19:9:27 | ControlFlowNode for dangerous | test_cryptography.py:3:37:3:51 | ControlFlowNode for ImportMember | test_cryptography.py:9:19:9:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (MD5) that is insecure. | test_cryptography.py:3:37:3:51 | ControlFlowNode for ImportMember | Sensitive data (certificate) | -| test_cryptography.py:9:19:9:27 | ControlFlowNode for dangerous | test_cryptography.py:7:17:7:33 | ControlFlowNode for get_certificate() | test_cryptography.py:9:19:9:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (MD5) that is insecure. 
| test_cryptography.py:7:17:7:33 | ControlFlowNode for get_certificate() | Sensitive data (certificate) | -| test_cryptography.py:17:19:17:27 | ControlFlowNode for dangerous | test_cryptography.py:3:23:3:34 | ControlFlowNode for ImportMember | test_cryptography.py:17:19:17:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (MD5) that is insecure for password hashing, since it is not a computationally expensive hash function. | test_cryptography.py:3:23:3:34 | ControlFlowNode for ImportMember | Sensitive data (password) | -| test_cryptography.py:17:19:17:27 | ControlFlowNode for dangerous | test_cryptography.py:15:17:15:30 | ControlFlowNode for get_password() | test_cryptography.py:17:19:17:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (MD5) that is insecure for password hashing, since it is not a computationally expensive hash function. | test_cryptography.py:15:17:15:30 | ControlFlowNode for get_password() | Sensitive data (password) | -| test_cryptography.py:27:19:27:27 | ControlFlowNode for dangerous | test_cryptography.py:3:23:3:34 | ControlFlowNode for ImportMember | test_cryptography.py:27:19:27:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (SHA256) that is insecure for password hashing, since it is not a computationally expensive hash function. | test_cryptography.py:3:23:3:34 | ControlFlowNode for ImportMember | Sensitive data (password) | -| test_cryptography.py:27:19:27:27 | ControlFlowNode for dangerous | test_cryptography.py:23:17:23:30 | ControlFlowNode for get_password() | test_cryptography.py:27:19:27:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (SHA256) that is insecure for password hashing, since it is not a computationally expensive hash function. 
| test_cryptography.py:23:17:23:30 | ControlFlowNode for get_password() | Sensitive data (password) | +| test_cryptodome.py:8:19:8:27 | dangerous | test_cryptodome.py:2:37:2:51 | After ImportMember | test_cryptodome.py:8:19:8:27 | dangerous | $@ is used in a hashing algorithm (MD5) that is insecure. | test_cryptodome.py:2:37:2:51 | After ImportMember | Sensitive data (certificate) | +| test_cryptodome.py:8:19:8:27 | dangerous | test_cryptodome.py:6:17:6:33 | After get_certificate() | test_cryptodome.py:8:19:8:27 | dangerous | $@ is used in a hashing algorithm (MD5) that is insecure. | test_cryptodome.py:6:17:6:33 | After get_certificate() | Sensitive data (certificate) | +| test_cryptodome.py:15:19:15:27 | dangerous | test_cryptodome.py:2:23:2:34 | After ImportMember | test_cryptodome.py:15:19:15:27 | dangerous | $@ is used in a hashing algorithm (MD5) that is insecure for password hashing, since it is not a computationally expensive hash function. | test_cryptodome.py:2:23:2:34 | After ImportMember | Sensitive data (password) | +| test_cryptodome.py:15:19:15:27 | dangerous | test_cryptodome.py:13:17:13:30 | After get_password() | test_cryptodome.py:15:19:15:27 | dangerous | $@ is used in a hashing algorithm (MD5) that is insecure for password hashing, since it is not a computationally expensive hash function. | test_cryptodome.py:13:17:13:30 | After get_password() | Sensitive data (password) | +| test_cryptodome.py:24:19:24:27 | dangerous | test_cryptodome.py:2:23:2:34 | After ImportMember | test_cryptodome.py:24:19:24:27 | dangerous | $@ is used in a hashing algorithm (SHA256) that is insecure for password hashing, since it is not a computationally expensive hash function. 
| test_cryptodome.py:2:23:2:34 | After ImportMember | Sensitive data (password) | +| test_cryptodome.py:24:19:24:27 | dangerous | test_cryptodome.py:20:17:20:30 | After get_password() | test_cryptodome.py:24:19:24:27 | dangerous | $@ is used in a hashing algorithm (SHA256) that is insecure for password hashing, since it is not a computationally expensive hash function. | test_cryptodome.py:20:17:20:30 | After get_password() | Sensitive data (password) | +| test_cryptography.py:9:19:9:27 | dangerous | test_cryptography.py:3:37:3:51 | After ImportMember | test_cryptography.py:9:19:9:27 | dangerous | $@ is used in a hashing algorithm (MD5) that is insecure. | test_cryptography.py:3:37:3:51 | After ImportMember | Sensitive data (certificate) | +| test_cryptography.py:9:19:9:27 | dangerous | test_cryptography.py:7:17:7:33 | After get_certificate() | test_cryptography.py:9:19:9:27 | dangerous | $@ is used in a hashing algorithm (MD5) that is insecure. | test_cryptography.py:7:17:7:33 | After get_certificate() | Sensitive data (certificate) | +| test_cryptography.py:17:19:17:27 | dangerous | test_cryptography.py:3:23:3:34 | After ImportMember | test_cryptography.py:17:19:17:27 | dangerous | $@ is used in a hashing algorithm (MD5) that is insecure for password hashing, since it is not a computationally expensive hash function. | test_cryptography.py:3:23:3:34 | After ImportMember | Sensitive data (password) | +| test_cryptography.py:17:19:17:27 | dangerous | test_cryptography.py:15:17:15:30 | After get_password() | test_cryptography.py:17:19:17:27 | dangerous | $@ is used in a hashing algorithm (MD5) that is insecure for password hashing, since it is not a computationally expensive hash function. 
| test_cryptography.py:15:17:15:30 | After get_password() | Sensitive data (password) | +| test_cryptography.py:27:19:27:27 | dangerous | test_cryptography.py:3:23:3:34 | After ImportMember | test_cryptography.py:27:19:27:27 | dangerous | $@ is used in a hashing algorithm (SHA256) that is insecure for password hashing, since it is not a computationally expensive hash function. | test_cryptography.py:3:23:3:34 | After ImportMember | Sensitive data (password) | +| test_cryptography.py:27:19:27:27 | dangerous | test_cryptography.py:23:17:23:30 | After get_password() | test_cryptography.py:27:19:27:27 | dangerous | $@ is used in a hashing algorithm (SHA256) that is insecure for password hashing, since it is not a computationally expensive hash function. | test_cryptography.py:23:17:23:30 | After get_password() | Sensitive data (password) | diff --git a/python/ql/test/query-tests/Security/CWE-502-UnsafeDeserialization/UnsafeDeserialization.expected b/python/ql/test/query-tests/Security/CWE-502-UnsafeDeserialization/UnsafeDeserialization.expected index bab1e34c912..99bc58a4c3b 100644 --- a/python/ql/test/query-tests/Security/CWE-502-UnsafeDeserialization/UnsafeDeserialization.expected +++ b/python/ql/test/query-tests/Security/CWE-502-UnsafeDeserialization/UnsafeDeserialization.expected 
@@ -1,30 +1,30 @@ edges -| unsafe_deserialization.py:8:26:8:32 | ControlFlowNode for ImportMember | unsafe_deserialization.py:8:26:8:32 | ControlFlowNode for request | provenance | | -| unsafe_deserialization.py:8:26:8:32 | ControlFlowNode for request | unsafe_deserialization.py:14:15:14:21 | ControlFlowNode for request | provenance | | -| unsafe_deserialization.py:14:5:14:11 | ControlFlowNode for payload | unsafe_deserialization.py:15:18:15:24 | ControlFlowNode for payload | provenance | | -| unsafe_deserialization.py:14:5:14:11 | ControlFlowNode for payload | unsafe_deserialization.py:16:15:16:21 | ControlFlowNode for payload | provenance | | -| unsafe_deserialization.py:14:5:14:11 | ControlFlowNode for payload | unsafe_deserialization.py:18:19:18:25 | ControlFlowNode for payload | provenance | | -| unsafe_deserialization.py:14:5:14:11 | ControlFlowNode for payload | unsafe_deserialization.py:21:16:21:22 | ControlFlowNode for payload | provenance | | -| unsafe_deserialization.py:14:5:14:11 | ControlFlowNode for payload | unsafe_deserialization.py:24:24:24:30 | ControlFlowNode for payload | provenance | | -| unsafe_deserialization.py:14:15:14:21 | ControlFlowNode for request | unsafe_deserialization.py:14:15:14:26 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | -| unsafe_deserialization.py:14:15:14:26 | ControlFlowNode for Attribute | unsafe_deserialization.py:14:15:14:41 | ControlFlowNode for Attribute() | provenance | dict.get | -| unsafe_deserialization.py:14:15:14:41 | ControlFlowNode for Attribute() | unsafe_deserialization.py:14:5:14:11 | ControlFlowNode for payload | provenance | | +| unsafe_deserialization.py:8:26:8:32 | After ImportMember | unsafe_deserialization.py:8:26:8:32 | request | provenance | | +| unsafe_deserialization.py:8:26:8:32 | request | unsafe_deserialization.py:14:15:14:21 | request | provenance | | +| unsafe_deserialization.py:14:5:14:11 | payload | unsafe_deserialization.py:15:18:15:24 | payload | provenance | | +| 
unsafe_deserialization.py:14:5:14:11 | payload | unsafe_deserialization.py:16:15:16:21 | payload | provenance | | +| unsafe_deserialization.py:14:5:14:11 | payload | unsafe_deserialization.py:18:19:18:25 | payload | provenance | | +| unsafe_deserialization.py:14:5:14:11 | payload | unsafe_deserialization.py:21:16:21:22 | payload | provenance | | +| unsafe_deserialization.py:14:5:14:11 | payload | unsafe_deserialization.py:24:24:24:30 | payload | provenance | | +| unsafe_deserialization.py:14:15:14:21 | request | unsafe_deserialization.py:14:15:14:26 | After Attribute | provenance | AdditionalTaintStep | +| unsafe_deserialization.py:14:15:14:26 | After Attribute | unsafe_deserialization.py:14:15:14:41 | After Attribute() | provenance | dict.get | +| unsafe_deserialization.py:14:15:14:41 | After Attribute() | unsafe_deserialization.py:14:5:14:11 | payload | provenance | | nodes -| unsafe_deserialization.py:8:26:8:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember | -| unsafe_deserialization.py:8:26:8:32 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| unsafe_deserialization.py:14:5:14:11 | ControlFlowNode for payload | semmle.label | ControlFlowNode for payload | -| unsafe_deserialization.py:14:15:14:21 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| unsafe_deserialization.py:14:15:14:26 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | -| unsafe_deserialization.py:14:15:14:41 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| unsafe_deserialization.py:15:18:15:24 | ControlFlowNode for payload | semmle.label | ControlFlowNode for payload | -| unsafe_deserialization.py:16:15:16:21 | ControlFlowNode for payload | semmle.label | ControlFlowNode for payload | -| unsafe_deserialization.py:18:19:18:25 | ControlFlowNode for payload | semmle.label | ControlFlowNode for payload | -| 
unsafe_deserialization.py:21:16:21:22 | ControlFlowNode for payload | semmle.label | ControlFlowNode for payload | -| unsafe_deserialization.py:24:24:24:30 | ControlFlowNode for payload | semmle.label | ControlFlowNode for payload | +| unsafe_deserialization.py:8:26:8:32 | After ImportMember | semmle.label | After ImportMember | +| unsafe_deserialization.py:8:26:8:32 | request | semmle.label | request | +| unsafe_deserialization.py:14:5:14:11 | payload | semmle.label | payload | +| unsafe_deserialization.py:14:15:14:21 | request | semmle.label | request | +| unsafe_deserialization.py:14:15:14:26 | After Attribute | semmle.label | After Attribute | +| unsafe_deserialization.py:14:15:14:41 | After Attribute() | semmle.label | After Attribute() | +| unsafe_deserialization.py:15:18:15:24 | payload | semmle.label | payload | +| unsafe_deserialization.py:16:15:16:21 | payload | semmle.label | payload | +| unsafe_deserialization.py:18:19:18:25 | payload | semmle.label | payload | +| unsafe_deserialization.py:21:16:21:22 | payload | semmle.label | payload | +| unsafe_deserialization.py:24:24:24:30 | payload | semmle.label | payload | subpaths #select -| unsafe_deserialization.py:15:18:15:24 | ControlFlowNode for payload | unsafe_deserialization.py:8:26:8:32 | ControlFlowNode for ImportMember | unsafe_deserialization.py:15:18:15:24 | ControlFlowNode for payload | Unsafe deserialization depends on a $@. | unsafe_deserialization.py:8:26:8:32 | ControlFlowNode for ImportMember | user-provided value | -| unsafe_deserialization.py:16:15:16:21 | ControlFlowNode for payload | unsafe_deserialization.py:8:26:8:32 | ControlFlowNode for ImportMember | unsafe_deserialization.py:16:15:16:21 | ControlFlowNode for payload | Unsafe deserialization depends on a $@. 
| unsafe_deserialization.py:8:26:8:32 | ControlFlowNode for ImportMember | user-provided value | -| unsafe_deserialization.py:18:19:18:25 | ControlFlowNode for payload | unsafe_deserialization.py:8:26:8:32 | ControlFlowNode for ImportMember | unsafe_deserialization.py:18:19:18:25 | ControlFlowNode for payload | Unsafe deserialization depends on a $@. | unsafe_deserialization.py:8:26:8:32 | ControlFlowNode for ImportMember | user-provided value | -| unsafe_deserialization.py:21:16:21:22 | ControlFlowNode for payload | unsafe_deserialization.py:8:26:8:32 | ControlFlowNode for ImportMember | unsafe_deserialization.py:21:16:21:22 | ControlFlowNode for payload | Unsafe deserialization depends on a $@. | unsafe_deserialization.py:8:26:8:32 | ControlFlowNode for ImportMember | user-provided value | -| unsafe_deserialization.py:24:24:24:30 | ControlFlowNode for payload | unsafe_deserialization.py:8:26:8:32 | ControlFlowNode for ImportMember | unsafe_deserialization.py:24:24:24:30 | ControlFlowNode for payload | Unsafe deserialization depends on a $@. | unsafe_deserialization.py:8:26:8:32 | ControlFlowNode for ImportMember | user-provided value | +| unsafe_deserialization.py:15:18:15:24 | payload | unsafe_deserialization.py:8:26:8:32 | After ImportMember | unsafe_deserialization.py:15:18:15:24 | payload | Unsafe deserialization depends on a $@. | unsafe_deserialization.py:8:26:8:32 | After ImportMember | user-provided value | +| unsafe_deserialization.py:16:15:16:21 | payload | unsafe_deserialization.py:8:26:8:32 | After ImportMember | unsafe_deserialization.py:16:15:16:21 | payload | Unsafe deserialization depends on a $@. | unsafe_deserialization.py:8:26:8:32 | After ImportMember | user-provided value | +| unsafe_deserialization.py:18:19:18:25 | payload | unsafe_deserialization.py:8:26:8:32 | After ImportMember | unsafe_deserialization.py:18:19:18:25 | payload | Unsafe deserialization depends on a $@. 
| unsafe_deserialization.py:8:26:8:32 | After ImportMember | user-provided value | +| unsafe_deserialization.py:21:16:21:22 | payload | unsafe_deserialization.py:8:26:8:32 | After ImportMember | unsafe_deserialization.py:21:16:21:22 | payload | Unsafe deserialization depends on a $@. | unsafe_deserialization.py:8:26:8:32 | After ImportMember | user-provided value | +| unsafe_deserialization.py:24:24:24:30 | payload | unsafe_deserialization.py:8:26:8:32 | After ImportMember | unsafe_deserialization.py:24:24:24:30 | payload | Unsafe deserialization depends on a $@. | unsafe_deserialization.py:8:26:8:32 | After ImportMember | user-provided value | diff --git a/python/ql/test/query-tests/Security/CWE-601-UrlRedirect/UrlRedirect.expected b/python/ql/test/query-tests/Security/CWE-601-UrlRedirect/UrlRedirect.expected index 551299a64dc..eaf7465d0de 100644 --- a/python/ql/test/query-tests/Security/CWE-601-UrlRedirect/UrlRedirect.expected +++ b/python/ql/test/query-tests/Security/CWE-601-UrlRedirect/UrlRedirect.expected 
@@ -1,153 +1,153 @@ edges -| test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:1:26:1:32 | ControlFlowNode for request | provenance | | -| test.py:1:26:1:32 | ControlFlowNode for request | test.py:7:14:7:20 | ControlFlowNode for request | provenance | | -| test.py:1:26:1:32 | ControlFlowNode for request | test.py:30:17:30:23 | ControlFlowNode for request | provenance | | -| test.py:1:26:1:32 | ControlFlowNode for request | test.py:37:17:37:23 | ControlFlowNode for request | provenance | | -| test.py:1:26:1:32 | ControlFlowNode for request | test.py:44:17:44:23 | ControlFlowNode for request | provenance | | -| test.py:1:26:1:32 | ControlFlowNode for request | test.py:60:17:60:23 | ControlFlowNode for request | provenance | | -| test.py:1:26:1:32 | ControlFlowNode for request | test.py:67:17:67:23 | ControlFlowNode for request | provenance | | -| test.py:1:26:1:32 | ControlFlowNode for request | test.py:74:17:74:23 | ControlFlowNode for request | provenance | | -| test.py:1:26:1:32 | ControlFlowNode for request | test.py:81:17:81:23 | ControlFlowNode for request | provenance | | -| test.py:1:26:1:32 | ControlFlowNode for request | test.py:90:17:90:23 | ControlFlowNode for request | provenance | | -| test.py:1:26:1:32 | ControlFlowNode for request | test.py:111:17:111:23 | ControlFlowNode for request | provenance | | -| test.py:1:26:1:32 | ControlFlowNode for request | test.py:137:17:137:23 | ControlFlowNode for request | provenance | | -| test.py:1:26:1:32 | ControlFlowNode for request | test.py:145:17:145:23 | ControlFlowNode for request | provenance | | -| test.py:7:5:7:10 | ControlFlowNode for target | test.py:8:21:8:26 | ControlFlowNode for target | provenance | | -| test.py:7:14:7:20 | ControlFlowNode for request | test.py:7:14:7:25 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | -| test.py:7:14:7:25 | ControlFlowNode for Attribute | test.py:7:14:7:43 | ControlFlowNode for Attribute() | provenance | dict.get | -| 
test.py:7:14:7:43 | ControlFlowNode for Attribute() | test.py:7:5:7:10 | ControlFlowNode for target | provenance | | -| test.py:30:5:30:13 | ControlFlowNode for untrusted | test.py:31:5:31:8 | ControlFlowNode for safe | provenance | | -| test.py:30:17:30:23 | ControlFlowNode for request | test.py:30:17:30:28 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | -| test.py:30:17:30:28 | ControlFlowNode for Attribute | test.py:30:17:30:46 | ControlFlowNode for Attribute() | provenance | dict.get | -| test.py:30:17:30:46 | ControlFlowNode for Attribute() | test.py:30:5:30:13 | ControlFlowNode for untrusted | provenance | | -| test.py:31:5:31:8 | ControlFlowNode for safe | test.py:32:21:32:24 | ControlFlowNode for safe | provenance | | -| test.py:37:5:37:13 | ControlFlowNode for untrusted | test.py:38:5:38:8 | ControlFlowNode for safe | provenance | | -| test.py:37:17:37:23 | ControlFlowNode for request | test.py:37:17:37:28 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | -| test.py:37:17:37:28 | ControlFlowNode for Attribute | test.py:37:17:37:46 | ControlFlowNode for Attribute() | provenance | dict.get | -| test.py:37:17:37:46 | ControlFlowNode for Attribute() | test.py:37:5:37:13 | ControlFlowNode for untrusted | provenance | | -| test.py:38:5:38:8 | ControlFlowNode for safe | test.py:39:21:39:24 | ControlFlowNode for safe | provenance | | -| test.py:44:5:44:13 | ControlFlowNode for untrusted | test.py:45:5:45:8 | ControlFlowNode for safe | provenance | | -| test.py:44:17:44:23 | ControlFlowNode for request | test.py:44:17:44:28 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | -| test.py:44:17:44:28 | ControlFlowNode for Attribute | test.py:44:17:44:46 | ControlFlowNode for Attribute() | provenance | dict.get | -| test.py:44:17:44:46 | ControlFlowNode for Attribute() | test.py:44:5:44:13 | ControlFlowNode for untrusted | provenance | | -| test.py:45:5:45:8 | ControlFlowNode for safe | test.py:46:21:46:24 | 
ControlFlowNode for safe | provenance | | -| test.py:60:5:60:13 | ControlFlowNode for untrusted | test.py:61:5:61:10 | ControlFlowNode for unsafe | provenance | | -| test.py:60:17:60:23 | ControlFlowNode for request | test.py:60:17:60:28 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | -| test.py:60:17:60:28 | ControlFlowNode for Attribute | test.py:60:17:60:46 | ControlFlowNode for Attribute() | provenance | dict.get | -| test.py:60:17:60:46 | ControlFlowNode for Attribute() | test.py:60:5:60:13 | ControlFlowNode for untrusted | provenance | | -| test.py:61:5:61:10 | ControlFlowNode for unsafe | test.py:62:21:62:26 | ControlFlowNode for unsafe | provenance | | -| test.py:67:5:67:13 | ControlFlowNode for untrusted | test.py:68:5:68:10 | ControlFlowNode for unsafe | provenance | | -| test.py:67:17:67:23 | ControlFlowNode for request | test.py:67:17:67:28 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | -| test.py:67:17:67:28 | ControlFlowNode for Attribute | test.py:67:17:67:46 | ControlFlowNode for Attribute() | provenance | dict.get | -| test.py:67:17:67:46 | ControlFlowNode for Attribute() | test.py:67:5:67:13 | ControlFlowNode for untrusted | provenance | | -| test.py:68:5:68:10 | ControlFlowNode for unsafe | test.py:69:21:69:26 | ControlFlowNode for unsafe | provenance | | -| test.py:74:5:74:13 | ControlFlowNode for untrusted | test.py:75:5:75:10 | ControlFlowNode for unsafe | provenance | | -| test.py:74:17:74:23 | ControlFlowNode for request | test.py:74:17:74:28 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | -| test.py:74:17:74:28 | ControlFlowNode for Attribute | test.py:74:17:74:46 | ControlFlowNode for Attribute() | provenance | dict.get | -| test.py:74:17:74:46 | ControlFlowNode for Attribute() | test.py:74:5:74:13 | ControlFlowNode for untrusted | provenance | | -| test.py:75:5:75:10 | ControlFlowNode for unsafe | test.py:76:21:76:26 | ControlFlowNode for unsafe | provenance | | -| 
test.py:81:5:81:13 | ControlFlowNode for untrusted | test.py:82:5:82:10 | ControlFlowNode for unsafe | provenance | | -| test.py:81:17:81:23 | ControlFlowNode for request | test.py:81:17:81:28 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | -| test.py:81:17:81:28 | ControlFlowNode for Attribute | test.py:81:17:81:46 | ControlFlowNode for Attribute() | provenance | dict.get | -| test.py:81:17:81:46 | ControlFlowNode for Attribute() | test.py:81:5:81:13 | ControlFlowNode for untrusted | provenance | | -| test.py:82:5:82:10 | ControlFlowNode for unsafe | test.py:83:21:83:26 | ControlFlowNode for unsafe | provenance | | -| test.py:90:5:90:13 | ControlFlowNode for untrusted | test.py:93:18:93:26 | ControlFlowNode for untrusted | provenance | | -| test.py:90:17:90:23 | ControlFlowNode for request | test.py:90:17:90:28 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | -| test.py:90:17:90:28 | ControlFlowNode for Attribute | test.py:90:17:90:46 | ControlFlowNode for Attribute() | provenance | dict.get | -| test.py:90:17:90:46 | ControlFlowNode for Attribute() | test.py:90:5:90:13 | ControlFlowNode for untrusted | provenance | | -| test.py:111:5:111:13 | ControlFlowNode for untrusted | test.py:114:25:114:33 | ControlFlowNode for untrusted | provenance | | -| test.py:111:17:111:23 | ControlFlowNode for request | test.py:111:17:111:28 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | -| test.py:111:17:111:28 | ControlFlowNode for Attribute | test.py:111:17:111:46 | ControlFlowNode for Attribute() | provenance | dict.get | -| test.py:111:17:111:46 | ControlFlowNode for Attribute() | test.py:111:5:111:13 | ControlFlowNode for untrusted | provenance | | -| test.py:137:5:137:13 | ControlFlowNode for untrusted | test.py:140:25:140:33 | ControlFlowNode for untrusted | provenance | | -| test.py:137:17:137:23 | ControlFlowNode for request | test.py:137:17:137:28 | ControlFlowNode for Attribute | provenance | 
AdditionalTaintStep | -| test.py:137:17:137:28 | ControlFlowNode for Attribute | test.py:137:17:137:46 | ControlFlowNode for Attribute() | provenance | dict.get | -| test.py:137:17:137:46 | ControlFlowNode for Attribute() | test.py:137:5:137:13 | ControlFlowNode for untrusted | provenance | | -| test.py:145:5:145:13 | ControlFlowNode for untrusted | test.py:148:25:148:33 | ControlFlowNode for untrusted | provenance | | -| test.py:145:17:145:23 | ControlFlowNode for request | test.py:145:17:145:28 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | -| test.py:145:17:145:28 | ControlFlowNode for Attribute | test.py:145:17:145:46 | ControlFlowNode for Attribute() | provenance | dict.get | -| test.py:145:17:145:46 | ControlFlowNode for Attribute() | test.py:145:5:145:13 | ControlFlowNode for untrusted | provenance | | +| test.py:1:26:1:32 | After ImportMember | test.py:1:26:1:32 | request | provenance | | +| test.py:1:26:1:32 | request | test.py:7:14:7:20 | request | provenance | | +| test.py:1:26:1:32 | request | test.py:30:17:30:23 | request | provenance | | +| test.py:1:26:1:32 | request | test.py:37:17:37:23 | request | provenance | | +| test.py:1:26:1:32 | request | test.py:44:17:44:23 | request | provenance | | +| test.py:1:26:1:32 | request | test.py:60:17:60:23 | request | provenance | | +| test.py:1:26:1:32 | request | test.py:67:17:67:23 | request | provenance | | +| test.py:1:26:1:32 | request | test.py:74:17:74:23 | request | provenance | | +| test.py:1:26:1:32 | request | test.py:81:17:81:23 | request | provenance | | +| test.py:1:26:1:32 | request | test.py:90:17:90:23 | request | provenance | | +| test.py:1:26:1:32 | request | test.py:111:17:111:23 | request | provenance | | +| test.py:1:26:1:32 | request | test.py:137:17:137:23 | request | provenance | | +| test.py:1:26:1:32 | request | test.py:145:17:145:23 | request | provenance | | +| test.py:7:5:7:10 | target | test.py:8:21:8:26 | target | provenance | | +| test.py:7:14:7:20 | 
request | test.py:7:14:7:25 | After Attribute | provenance | AdditionalTaintStep | +| test.py:7:14:7:25 | After Attribute | test.py:7:14:7:43 | After Attribute() | provenance | dict.get | +| test.py:7:14:7:43 | After Attribute() | test.py:7:5:7:10 | target | provenance | | +| test.py:30:5:30:13 | untrusted | test.py:31:5:31:8 | safe | provenance | | +| test.py:30:17:30:23 | request | test.py:30:17:30:28 | After Attribute | provenance | AdditionalTaintStep | +| test.py:30:17:30:28 | After Attribute | test.py:30:17:30:46 | After Attribute() | provenance | dict.get | +| test.py:30:17:30:46 | After Attribute() | test.py:30:5:30:13 | untrusted | provenance | | +| test.py:31:5:31:8 | safe | test.py:32:21:32:24 | safe | provenance | | +| test.py:37:5:37:13 | untrusted | test.py:38:5:38:8 | safe | provenance | | +| test.py:37:17:37:23 | request | test.py:37:17:37:28 | After Attribute | provenance | AdditionalTaintStep | +| test.py:37:17:37:28 | After Attribute | test.py:37:17:37:46 | After Attribute() | provenance | dict.get | +| test.py:37:17:37:46 | After Attribute() | test.py:37:5:37:13 | untrusted | provenance | | +| test.py:38:5:38:8 | safe | test.py:39:21:39:24 | safe | provenance | | +| test.py:44:5:44:13 | untrusted | test.py:45:5:45:8 | safe | provenance | | +| test.py:44:17:44:23 | request | test.py:44:17:44:28 | After Attribute | provenance | AdditionalTaintStep | +| test.py:44:17:44:28 | After Attribute | test.py:44:17:44:46 | After Attribute() | provenance | dict.get | +| test.py:44:17:44:46 | After Attribute() | test.py:44:5:44:13 | untrusted | provenance | | +| test.py:45:5:45:8 | safe | test.py:46:21:46:24 | safe | provenance | | +| test.py:60:5:60:13 | untrusted | test.py:61:5:61:10 | unsafe | provenance | | +| test.py:60:17:60:23 | request | test.py:60:17:60:28 | After Attribute | provenance | AdditionalTaintStep | +| test.py:60:17:60:28 | After Attribute | test.py:60:17:60:46 | After Attribute() | provenance | dict.get | +| test.py:60:17:60:46 | After 
Attribute() | test.py:60:5:60:13 | untrusted | provenance | | +| test.py:61:5:61:10 | unsafe | test.py:62:21:62:26 | unsafe | provenance | | +| test.py:67:5:67:13 | untrusted | test.py:68:5:68:10 | unsafe | provenance | | +| test.py:67:17:67:23 | request | test.py:67:17:67:28 | After Attribute | provenance | AdditionalTaintStep | +| test.py:67:17:67:28 | After Attribute | test.py:67:17:67:46 | After Attribute() | provenance | dict.get | +| test.py:67:17:67:46 | After Attribute() | test.py:67:5:67:13 | untrusted | provenance | | +| test.py:68:5:68:10 | unsafe | test.py:69:21:69:26 | unsafe | provenance | | +| test.py:74:5:74:13 | untrusted | test.py:75:5:75:10 | unsafe | provenance | | +| test.py:74:17:74:23 | request | test.py:74:17:74:28 | After Attribute | provenance | AdditionalTaintStep | +| test.py:74:17:74:28 | After Attribute | test.py:74:17:74:46 | After Attribute() | provenance | dict.get | +| test.py:74:17:74:46 | After Attribute() | test.py:74:5:74:13 | untrusted | provenance | | +| test.py:75:5:75:10 | unsafe | test.py:76:21:76:26 | unsafe | provenance | | +| test.py:81:5:81:13 | untrusted | test.py:82:5:82:10 | unsafe | provenance | | +| test.py:81:17:81:23 | request | test.py:81:17:81:28 | After Attribute | provenance | AdditionalTaintStep | +| test.py:81:17:81:28 | After Attribute | test.py:81:17:81:46 | After Attribute() | provenance | dict.get | +| test.py:81:17:81:46 | After Attribute() | test.py:81:5:81:13 | untrusted | provenance | | +| test.py:82:5:82:10 | unsafe | test.py:83:21:83:26 | unsafe | provenance | | +| test.py:90:5:90:13 | untrusted | test.py:93:18:93:26 | untrusted | provenance | | +| test.py:90:17:90:23 | request | test.py:90:17:90:28 | After Attribute | provenance | AdditionalTaintStep | +| test.py:90:17:90:28 | After Attribute | test.py:90:17:90:46 | After Attribute() | provenance | dict.get | +| test.py:90:17:90:46 | After Attribute() | test.py:90:5:90:13 | untrusted | provenance | | +| test.py:111:5:111:13 | untrusted | 
test.py:114:25:114:33 | untrusted | provenance | | +| test.py:111:17:111:23 | request | test.py:111:17:111:28 | After Attribute | provenance | AdditionalTaintStep | +| test.py:111:17:111:28 | After Attribute | test.py:111:17:111:46 | After Attribute() | provenance | dict.get | +| test.py:111:17:111:46 | After Attribute() | test.py:111:5:111:13 | untrusted | provenance | | +| test.py:137:5:137:13 | untrusted | test.py:140:25:140:33 | untrusted | provenance | | +| test.py:137:17:137:23 | request | test.py:137:17:137:28 | After Attribute | provenance | AdditionalTaintStep | +| test.py:137:17:137:28 | After Attribute | test.py:137:17:137:46 | After Attribute() | provenance | dict.get | +| test.py:137:17:137:46 | After Attribute() | test.py:137:5:137:13 | untrusted | provenance | | +| test.py:145:5:145:13 | untrusted | test.py:148:25:148:33 | untrusted | provenance | | +| test.py:145:17:145:23 | request | test.py:145:17:145:28 | After Attribute | provenance | AdditionalTaintStep | +| test.py:145:17:145:28 | After Attribute | test.py:145:17:145:46 | After Attribute() | provenance | dict.get | +| test.py:145:17:145:46 | After Attribute() | test.py:145:5:145:13 | untrusted | provenance | | nodes -| test.py:1:26:1:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember | -| test.py:1:26:1:32 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| test.py:7:5:7:10 | ControlFlowNode for target | semmle.label | ControlFlowNode for target | -| test.py:7:14:7:20 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| test.py:7:14:7:25 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | -| test.py:7:14:7:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| test.py:8:21:8:26 | ControlFlowNode for target | semmle.label | ControlFlowNode for target | -| test.py:30:5:30:13 | ControlFlowNode for untrusted | semmle.label | ControlFlowNode 
for untrusted | -| test.py:30:17:30:23 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| test.py:30:17:30:28 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | -| test.py:30:17:30:46 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| test.py:31:5:31:8 | ControlFlowNode for safe | semmle.label | ControlFlowNode for safe | -| test.py:32:21:32:24 | ControlFlowNode for safe | semmle.label | ControlFlowNode for safe | -| test.py:37:5:37:13 | ControlFlowNode for untrusted | semmle.label | ControlFlowNode for untrusted | -| test.py:37:17:37:23 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| test.py:37:17:37:28 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | -| test.py:37:17:37:46 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| test.py:38:5:38:8 | ControlFlowNode for safe | semmle.label | ControlFlowNode for safe | -| test.py:39:21:39:24 | ControlFlowNode for safe | semmle.label | ControlFlowNode for safe | -| test.py:44:5:44:13 | ControlFlowNode for untrusted | semmle.label | ControlFlowNode for untrusted | -| test.py:44:17:44:23 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| test.py:44:17:44:28 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | -| test.py:44:17:44:46 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| test.py:45:5:45:8 | ControlFlowNode for safe | semmle.label | ControlFlowNode for safe | -| test.py:46:21:46:24 | ControlFlowNode for safe | semmle.label | ControlFlowNode for safe | -| test.py:60:5:60:13 | ControlFlowNode for untrusted | semmle.label | ControlFlowNode for untrusted | -| test.py:60:17:60:23 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| test.py:60:17:60:28 | ControlFlowNode for Attribute | semmle.label | 
ControlFlowNode for Attribute | -| test.py:60:17:60:46 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| test.py:61:5:61:10 | ControlFlowNode for unsafe | semmle.label | ControlFlowNode for unsafe | -| test.py:62:21:62:26 | ControlFlowNode for unsafe | semmle.label | ControlFlowNode for unsafe | -| test.py:67:5:67:13 | ControlFlowNode for untrusted | semmle.label | ControlFlowNode for untrusted | -| test.py:67:17:67:23 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| test.py:67:17:67:28 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | -| test.py:67:17:67:46 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| test.py:68:5:68:10 | ControlFlowNode for unsafe | semmle.label | ControlFlowNode for unsafe | -| test.py:69:21:69:26 | ControlFlowNode for unsafe | semmle.label | ControlFlowNode for unsafe | -| test.py:74:5:74:13 | ControlFlowNode for untrusted | semmle.label | ControlFlowNode for untrusted | -| test.py:74:17:74:23 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| test.py:74:17:74:28 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | -| test.py:74:17:74:46 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| test.py:75:5:75:10 | ControlFlowNode for unsafe | semmle.label | ControlFlowNode for unsafe | -| test.py:76:21:76:26 | ControlFlowNode for unsafe | semmle.label | ControlFlowNode for unsafe | -| test.py:81:5:81:13 | ControlFlowNode for untrusted | semmle.label | ControlFlowNode for untrusted | -| test.py:81:17:81:23 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| test.py:81:17:81:28 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | -| test.py:81:17:81:46 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| test.py:82:5:82:10 | 
ControlFlowNode for unsafe | semmle.label | ControlFlowNode for unsafe | -| test.py:83:21:83:26 | ControlFlowNode for unsafe | semmle.label | ControlFlowNode for unsafe | -| test.py:90:5:90:13 | ControlFlowNode for untrusted | semmle.label | ControlFlowNode for untrusted | -| test.py:90:17:90:23 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| test.py:90:17:90:28 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | -| test.py:90:17:90:46 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| test.py:93:18:93:26 | ControlFlowNode for untrusted | semmle.label | ControlFlowNode for untrusted | -| test.py:111:5:111:13 | ControlFlowNode for untrusted | semmle.label | ControlFlowNode for untrusted | -| test.py:111:17:111:23 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| test.py:111:17:111:28 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | -| test.py:111:17:111:46 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| test.py:114:25:114:33 | ControlFlowNode for untrusted | semmle.label | ControlFlowNode for untrusted | -| test.py:137:5:137:13 | ControlFlowNode for untrusted | semmle.label | ControlFlowNode for untrusted | -| test.py:137:17:137:23 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| test.py:137:17:137:28 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | -| test.py:137:17:137:46 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| test.py:140:25:140:33 | ControlFlowNode for untrusted | semmle.label | ControlFlowNode for untrusted | -| test.py:145:5:145:13 | ControlFlowNode for untrusted | semmle.label | ControlFlowNode for untrusted | -| test.py:145:17:145:23 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| test.py:145:17:145:28 | ControlFlowNode 
for Attribute | semmle.label | ControlFlowNode for Attribute | -| test.py:145:17:145:46 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| test.py:148:25:148:33 | ControlFlowNode for untrusted | semmle.label | ControlFlowNode for untrusted | +| test.py:1:26:1:32 | After ImportMember | semmle.label | After ImportMember | +| test.py:1:26:1:32 | request | semmle.label | request | +| test.py:7:5:7:10 | target | semmle.label | target | +| test.py:7:14:7:20 | request | semmle.label | request | +| test.py:7:14:7:25 | After Attribute | semmle.label | After Attribute | +| test.py:7:14:7:43 | After Attribute() | semmle.label | After Attribute() | +| test.py:8:21:8:26 | target | semmle.label | target | +| test.py:30:5:30:13 | untrusted | semmle.label | untrusted | +| test.py:30:17:30:23 | request | semmle.label | request | +| test.py:30:17:30:28 | After Attribute | semmle.label | After Attribute | +| test.py:30:17:30:46 | After Attribute() | semmle.label | After Attribute() | +| test.py:31:5:31:8 | safe | semmle.label | safe | +| test.py:32:21:32:24 | safe | semmle.label | safe | +| test.py:37:5:37:13 | untrusted | semmle.label | untrusted | +| test.py:37:17:37:23 | request | semmle.label | request | +| test.py:37:17:37:28 | After Attribute | semmle.label | After Attribute | +| test.py:37:17:37:46 | After Attribute() | semmle.label | After Attribute() | +| test.py:38:5:38:8 | safe | semmle.label | safe | +| test.py:39:21:39:24 | safe | semmle.label | safe | +| test.py:44:5:44:13 | untrusted | semmle.label | untrusted | +| test.py:44:17:44:23 | request | semmle.label | request | +| test.py:44:17:44:28 | After Attribute | semmle.label | After Attribute | +| test.py:44:17:44:46 | After Attribute() | semmle.label | After Attribute() | +| test.py:45:5:45:8 | safe | semmle.label | safe | +| test.py:46:21:46:24 | safe | semmle.label | safe | +| test.py:60:5:60:13 | untrusted | semmle.label | untrusted | +| test.py:60:17:60:23 | request | 
semmle.label | request | +| test.py:60:17:60:28 | After Attribute | semmle.label | After Attribute | +| test.py:60:17:60:46 | After Attribute() | semmle.label | After Attribute() | +| test.py:61:5:61:10 | unsafe | semmle.label | unsafe | +| test.py:62:21:62:26 | unsafe | semmle.label | unsafe | +| test.py:67:5:67:13 | untrusted | semmle.label | untrusted | +| test.py:67:17:67:23 | request | semmle.label | request | +| test.py:67:17:67:28 | After Attribute | semmle.label | After Attribute | +| test.py:67:17:67:46 | After Attribute() | semmle.label | After Attribute() | +| test.py:68:5:68:10 | unsafe | semmle.label | unsafe | +| test.py:69:21:69:26 | unsafe | semmle.label | unsafe | +| test.py:74:5:74:13 | untrusted | semmle.label | untrusted | +| test.py:74:17:74:23 | request | semmle.label | request | +| test.py:74:17:74:28 | After Attribute | semmle.label | After Attribute | +| test.py:74:17:74:46 | After Attribute() | semmle.label | After Attribute() | +| test.py:75:5:75:10 | unsafe | semmle.label | unsafe | +| test.py:76:21:76:26 | unsafe | semmle.label | unsafe | +| test.py:81:5:81:13 | untrusted | semmle.label | untrusted | +| test.py:81:17:81:23 | request | semmle.label | request | +| test.py:81:17:81:28 | After Attribute | semmle.label | After Attribute | +| test.py:81:17:81:46 | After Attribute() | semmle.label | After Attribute() | +| test.py:82:5:82:10 | unsafe | semmle.label | unsafe | +| test.py:83:21:83:26 | unsafe | semmle.label | unsafe | +| test.py:90:5:90:13 | untrusted | semmle.label | untrusted | +| test.py:90:17:90:23 | request | semmle.label | request | +| test.py:90:17:90:28 | After Attribute | semmle.label | After Attribute | +| test.py:90:17:90:46 | After Attribute() | semmle.label | After Attribute() | +| test.py:93:18:93:26 | untrusted | semmle.label | untrusted | +| test.py:111:5:111:13 | untrusted | semmle.label | untrusted | +| test.py:111:17:111:23 | request | semmle.label | request | +| test.py:111:17:111:28 | After Attribute | 
semmle.label | After Attribute | +| test.py:111:17:111:46 | After Attribute() | semmle.label | After Attribute() | +| test.py:114:25:114:33 | untrusted | semmle.label | untrusted | +| test.py:137:5:137:13 | untrusted | semmle.label | untrusted | +| test.py:137:17:137:23 | request | semmle.label | request | +| test.py:137:17:137:28 | After Attribute | semmle.label | After Attribute | +| test.py:137:17:137:46 | After Attribute() | semmle.label | After Attribute() | +| test.py:140:25:140:33 | untrusted | semmle.label | untrusted | +| test.py:145:5:145:13 | untrusted | semmle.label | untrusted | +| test.py:145:17:145:23 | request | semmle.label | request | +| test.py:145:17:145:28 | After Attribute | semmle.label | After Attribute | +| test.py:145:17:145:46 | After Attribute() | semmle.label | After Attribute() | +| test.py:148:25:148:33 | untrusted | semmle.label | untrusted | subpaths #select -| test.py:8:21:8:26 | ControlFlowNode for target | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:8:21:8:26 | ControlFlowNode for target | Untrusted URL redirection depends on a $@. | test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | -| test.py:32:21:32:24 | ControlFlowNode for safe | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:32:21:32:24 | ControlFlowNode for safe | Untrusted URL redirection depends on a $@. | test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | -| test.py:39:21:39:24 | ControlFlowNode for safe | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:39:21:39:24 | ControlFlowNode for safe | Untrusted URL redirection depends on a $@. | test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | -| test.py:46:21:46:24 | ControlFlowNode for safe | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:46:21:46:24 | ControlFlowNode for safe | Untrusted URL redirection depends on a $@. 
| test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | -| test.py:62:21:62:26 | ControlFlowNode for unsafe | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:62:21:62:26 | ControlFlowNode for unsafe | Untrusted URL redirection depends on a $@. | test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | -| test.py:69:21:69:26 | ControlFlowNode for unsafe | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:69:21:69:26 | ControlFlowNode for unsafe | Untrusted URL redirection depends on a $@. | test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | -| test.py:76:21:76:26 | ControlFlowNode for unsafe | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:76:21:76:26 | ControlFlowNode for unsafe | Untrusted URL redirection depends on a $@. | test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | -| test.py:83:21:83:26 | ControlFlowNode for unsafe | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:83:21:83:26 | ControlFlowNode for unsafe | Untrusted URL redirection depends on a $@. | test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | -| test.py:93:18:93:26 | ControlFlowNode for untrusted | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:93:18:93:26 | ControlFlowNode for untrusted | Untrusted URL redirection depends on a $@. | test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | -| test.py:114:25:114:33 | ControlFlowNode for untrusted | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:114:25:114:33 | ControlFlowNode for untrusted | Untrusted URL redirection depends on a $@. | test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | -| test.py:140:25:140:33 | ControlFlowNode for untrusted | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:140:25:140:33 | ControlFlowNode for untrusted | Untrusted URL redirection depends on a $@. 
| test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | -| test.py:148:25:148:33 | ControlFlowNode for untrusted | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:148:25:148:33 | ControlFlowNode for untrusted | Untrusted URL redirection depends on a $@. | test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | +| test.py:8:21:8:26 | target | test.py:1:26:1:32 | After ImportMember | test.py:8:21:8:26 | target | Untrusted URL redirection depends on a $@. | test.py:1:26:1:32 | After ImportMember | user-provided value | +| test.py:32:21:32:24 | safe | test.py:1:26:1:32 | After ImportMember | test.py:32:21:32:24 | safe | Untrusted URL redirection depends on a $@. | test.py:1:26:1:32 | After ImportMember | user-provided value | +| test.py:39:21:39:24 | safe | test.py:1:26:1:32 | After ImportMember | test.py:39:21:39:24 | safe | Untrusted URL redirection depends on a $@. | test.py:1:26:1:32 | After ImportMember | user-provided value | +| test.py:46:21:46:24 | safe | test.py:1:26:1:32 | After ImportMember | test.py:46:21:46:24 | safe | Untrusted URL redirection depends on a $@. | test.py:1:26:1:32 | After ImportMember | user-provided value | +| test.py:62:21:62:26 | unsafe | test.py:1:26:1:32 | After ImportMember | test.py:62:21:62:26 | unsafe | Untrusted URL redirection depends on a $@. | test.py:1:26:1:32 | After ImportMember | user-provided value | +| test.py:69:21:69:26 | unsafe | test.py:1:26:1:32 | After ImportMember | test.py:69:21:69:26 | unsafe | Untrusted URL redirection depends on a $@. | test.py:1:26:1:32 | After ImportMember | user-provided value | +| test.py:76:21:76:26 | unsafe | test.py:1:26:1:32 | After ImportMember | test.py:76:21:76:26 | unsafe | Untrusted URL redirection depends on a $@. 
| test.py:1:26:1:32 | After ImportMember | user-provided value | +| test.py:83:21:83:26 | unsafe | test.py:1:26:1:32 | After ImportMember | test.py:83:21:83:26 | unsafe | Untrusted URL redirection depends on a $@. | test.py:1:26:1:32 | After ImportMember | user-provided value | +| test.py:93:18:93:26 | untrusted | test.py:1:26:1:32 | After ImportMember | test.py:93:18:93:26 | untrusted | Untrusted URL redirection depends on a $@. | test.py:1:26:1:32 | After ImportMember | user-provided value | +| test.py:114:25:114:33 | untrusted | test.py:1:26:1:32 | After ImportMember | test.py:114:25:114:33 | untrusted | Untrusted URL redirection depends on a $@. | test.py:1:26:1:32 | After ImportMember | user-provided value | +| test.py:140:25:140:33 | untrusted | test.py:1:26:1:32 | After ImportMember | test.py:140:25:140:33 | untrusted | Untrusted URL redirection depends on a $@. | test.py:1:26:1:32 | After ImportMember | user-provided value | +| test.py:148:25:148:33 | untrusted | test.py:1:26:1:32 | After ImportMember | test.py:148:25:148:33 | untrusted | Untrusted URL redirection depends on a $@. | test.py:1:26:1:32 | After ImportMember | user-provided value | diff --git a/python/ql/test/query-tests/Security/CWE-611-Xxe/Xxe.expected b/python/ql/test/query-tests/Security/CWE-611-Xxe/Xxe.expected index b33d39f5071..ef545683e23 100644 --- a/python/ql/test/query-tests/Security/CWE-611-Xxe/Xxe.expected +++ b/python/ql/test/query-tests/Security/CWE-611-Xxe/Xxe.expected 
@@ -1,21 +1,21 @@ edges -| test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:1:26:1:32 | ControlFlowNode for request | provenance | | -| test.py:1:26:1:32 | ControlFlowNode for request | test.py:9:19:9:25 | ControlFlowNode for request | provenance | | -| test.py:1:26:1:32 | ControlFlowNode for request | test.py:20:19:20:25 | ControlFlowNode for request | provenance | | -| test.py:9:5:9:15 | ControlFlowNode for xml_content | test.py:10:34:10:44 | ControlFlowNode for xml_content | provenance | | -| test.py:9:19:9:25 | ControlFlowNode for request | test.py:9:5:9:15 | ControlFlowNode for xml_content | provenance | AdditionalTaintStep | -| test.py:20:5:20:15 | ControlFlowNode for xml_content | test.py:31:34:31:44 | ControlFlowNode for xml_content | provenance | | -| test.py:20:19:20:25 | ControlFlowNode for request | test.py:20:5:20:15 | ControlFlowNode for xml_content | provenance | AdditionalTaintStep | +| test.py:1:26:1:32 | After ImportMember | test.py:1:26:1:32 | request | provenance | | +| test.py:1:26:1:32 | request | test.py:9:19:9:25 | request | provenance | | +| test.py:1:26:1:32 | request | test.py:20:19:20:25 | request | provenance | | +| test.py:9:5:9:15 | xml_content | test.py:10:34:10:44 | xml_content | provenance | | +| test.py:9:19:9:25 | request | test.py:9:5:9:15 | xml_content | provenance | AdditionalTaintStep | +| test.py:20:5:20:15 | xml_content | test.py:31:34:31:44 | xml_content | provenance | | +| test.py:20:19:20:25 | request | test.py:20:5:20:15 | xml_content | provenance | AdditionalTaintStep | nodes -| test.py:1:26:1:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember | -| test.py:1:26:1:32 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| test.py:9:5:9:15 | ControlFlowNode for xml_content | semmle.label | ControlFlowNode for xml_content | -| test.py:9:19:9:25 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| test.py:10:34:10:44 | 
ControlFlowNode for xml_content | semmle.label | ControlFlowNode for xml_content | -| test.py:20:5:20:15 | ControlFlowNode for xml_content | semmle.label | ControlFlowNode for xml_content | -| test.py:20:19:20:25 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| test.py:31:34:31:44 | ControlFlowNode for xml_content | semmle.label | ControlFlowNode for xml_content | +| test.py:1:26:1:32 | After ImportMember | semmle.label | After ImportMember | +| test.py:1:26:1:32 | request | semmle.label | request | +| test.py:9:5:9:15 | xml_content | semmle.label | xml_content | +| test.py:9:19:9:25 | request | semmle.label | request | +| test.py:10:34:10:44 | xml_content | semmle.label | xml_content | +| test.py:20:5:20:15 | xml_content | semmle.label | xml_content | +| test.py:20:19:20:25 | request | semmle.label | request | +| test.py:31:34:31:44 | xml_content | semmle.label | xml_content | subpaths #select -| test.py:10:34:10:44 | ControlFlowNode for xml_content | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:10:34:10:44 | ControlFlowNode for xml_content | XML parsing depends on a $@ without guarding against external entity expansion. | test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | -| test.py:31:34:31:44 | ControlFlowNode for xml_content | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:31:34:31:44 | ControlFlowNode for xml_content | XML parsing depends on a $@ without guarding against external entity expansion. | test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | +| test.py:10:34:10:44 | xml_content | test.py:1:26:1:32 | After ImportMember | test.py:10:34:10:44 | xml_content | XML parsing depends on a $@ without guarding against external entity expansion. 
| test.py:1:26:1:32 | After ImportMember | user-provided value | +| test.py:31:34:31:44 | xml_content | test.py:1:26:1:32 | After ImportMember | test.py:31:34:31:44 | xml_content | XML parsing depends on a $@ without guarding against external entity expansion. | test.py:1:26:1:32 | After ImportMember | user-provided value | diff --git a/python/ql/test/query-tests/Security/CWE-614-InsecureCookie/InsecureCookie.expected b/python/ql/test/query-tests/Security/CWE-614-InsecureCookie/InsecureCookie.expected index 3b07bc6d9eb..d6701c0e554 100644 --- a/python/ql/test/query-tests/Security/CWE-614-InsecureCookie/InsecureCookie.expected +++ b/python/ql/test/query-tests/Security/CWE-614-InsecureCookie/InsecureCookie.expected @@ -1,3 +1,3 @@ -| test.py:8:5:8:40 | ControlFlowNode for Attribute() | Cookie is added to response without the 'secure' flag being set. | -| test.py:10:5:10:57 | ControlFlowNode for Attribute() | Cookie is added to response without the 'secure' flag being set. | -| test.py:11:5:11:60 | ControlFlowNode for Attribute() | Cookie is added to response without the 'secure' flag being set. | +| test.py:8:5:8:40 | After Attribute() | Cookie is added to response without the 'secure' flag being set. | +| test.py:10:5:10:57 | After Attribute() | Cookie is added to response without the 'secure' flag being set. | +| test.py:11:5:11:60 | After Attribute() | Cookie is added to response without the 'secure' flag being set. | diff --git a/python/ql/test/query-tests/Security/CWE-643-XPathInjection/XpathInjection.expected b/python/ql/test/query-tests/Security/CWE-643-XPathInjection/XpathInjection.expected index 4b1a2c40f7c..b84dc762fcd 100644 --- a/python/ql/test/query-tests/Security/CWE-643-XPathInjection/XpathInjection.expected +++ b/python/ql/test/query-tests/Security/CWE-643-XPathInjection/XpathInjection.expected 
@@ -1,68 +1,68 @@ edges -| xpathBad.py:9:7:9:13 | ControlFlowNode for request | xpathBad.py:10:5:10:9 | ControlFlowNode for value | provenance | AdditionalTaintStep | -| xpathBad.py:10:5:10:9 | ControlFlowNode for value | xpathBad.py:13:20:13:43 | ControlFlowNode for BinaryExpr | provenance | | -| xpathFlow.py:2:26:2:32 | ControlFlowNode for ImportMember | xpathFlow.py:2:26:2:32 | ControlFlowNode for request | provenance | | -| xpathFlow.py:2:26:2:32 | ControlFlowNode for request | xpathFlow.py:11:18:11:24 | ControlFlowNode for request | provenance | | -| xpathFlow.py:2:26:2:32 | ControlFlowNode for request | xpathFlow.py:20:18:20:24 | ControlFlowNode for request | provenance | | -| xpathFlow.py:2:26:2:32 | ControlFlowNode for request | xpathFlow.py:30:18:30:24 | ControlFlowNode for request | provenance | | -| xpathFlow.py:2:26:2:32 | ControlFlowNode for request | xpathFlow.py:39:18:39:24 | ControlFlowNode for request | provenance | | -| xpathFlow.py:2:26:2:32 | ControlFlowNode for request | xpathFlow.py:47:18:47:24 | ControlFlowNode for request | provenance | | -| xpathFlow.py:11:5:11:14 | ControlFlowNode for xpathQuery | xpathFlow.py:14:20:14:29 | ControlFlowNode for xpathQuery | provenance | | -| xpathFlow.py:11:18:11:24 | ControlFlowNode for request | xpathFlow.py:11:18:11:29 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | -| xpathFlow.py:11:18:11:29 | ControlFlowNode for Attribute | xpathFlow.py:11:18:11:44 | ControlFlowNode for Attribute() | provenance | dict.get | -| xpathFlow.py:11:18:11:44 | ControlFlowNode for Attribute() | xpathFlow.py:11:5:11:14 | ControlFlowNode for xpathQuery | provenance | | -| xpathFlow.py:20:5:20:14 | ControlFlowNode for xpathQuery | xpathFlow.py:23:29:23:38 | ControlFlowNode for xpathQuery | provenance | | -| xpathFlow.py:20:18:20:24 | ControlFlowNode for request | xpathFlow.py:20:18:20:29 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | -| xpathFlow.py:20:18:20:29 | ControlFlowNode for 
Attribute | xpathFlow.py:20:18:20:44 | ControlFlowNode for Attribute() | provenance | dict.get | -| xpathFlow.py:20:18:20:44 | ControlFlowNode for Attribute() | xpathFlow.py:20:5:20:14 | ControlFlowNode for xpathQuery | provenance | | -| xpathFlow.py:30:5:30:14 | ControlFlowNode for xpathQuery | xpathFlow.py:32:29:32:38 | ControlFlowNode for xpathQuery | provenance | | -| xpathFlow.py:30:18:30:24 | ControlFlowNode for request | xpathFlow.py:30:18:30:29 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | -| xpathFlow.py:30:18:30:29 | ControlFlowNode for Attribute | xpathFlow.py:30:18:30:44 | ControlFlowNode for Attribute() | provenance | dict.get | -| xpathFlow.py:30:18:30:44 | ControlFlowNode for Attribute() | xpathFlow.py:30:5:30:14 | ControlFlowNode for xpathQuery | provenance | | -| xpathFlow.py:39:5:39:14 | ControlFlowNode for xpathQuery | xpathFlow.py:41:31:41:40 | ControlFlowNode for xpathQuery | provenance | | -| xpathFlow.py:39:18:39:24 | ControlFlowNode for request | xpathFlow.py:39:18:39:29 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | -| xpathFlow.py:39:18:39:29 | ControlFlowNode for Attribute | xpathFlow.py:39:18:39:44 | ControlFlowNode for Attribute() | provenance | dict.get | -| xpathFlow.py:39:18:39:44 | ControlFlowNode for Attribute() | xpathFlow.py:39:5:39:14 | ControlFlowNode for xpathQuery | provenance | | -| xpathFlow.py:47:5:47:14 | ControlFlowNode for xpathQuery | xpathFlow.py:49:29:49:38 | ControlFlowNode for xpathQuery | provenance | | -| xpathFlow.py:47:18:47:24 | ControlFlowNode for request | xpathFlow.py:47:18:47:29 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | -| xpathFlow.py:47:18:47:29 | ControlFlowNode for Attribute | xpathFlow.py:47:18:47:44 | ControlFlowNode for Attribute() | provenance | dict.get | -| xpathFlow.py:47:18:47:44 | ControlFlowNode for Attribute() | xpathFlow.py:47:5:47:14 | ControlFlowNode for xpathQuery | provenance | | +| xpathBad.py:9:7:9:13 | request | 
xpathBad.py:10:5:10:9 | value | provenance | AdditionalTaintStep | +| xpathBad.py:10:5:10:9 | value | xpathBad.py:13:20:13:43 | After BinaryExpr | provenance | | +| xpathFlow.py:2:26:2:32 | After ImportMember | xpathFlow.py:2:26:2:32 | request | provenance | | +| xpathFlow.py:2:26:2:32 | request | xpathFlow.py:11:18:11:24 | request | provenance | | +| xpathFlow.py:2:26:2:32 | request | xpathFlow.py:20:18:20:24 | request | provenance | | +| xpathFlow.py:2:26:2:32 | request | xpathFlow.py:30:18:30:24 | request | provenance | | +| xpathFlow.py:2:26:2:32 | request | xpathFlow.py:39:18:39:24 | request | provenance | | +| xpathFlow.py:2:26:2:32 | request | xpathFlow.py:47:18:47:24 | request | provenance | | +| xpathFlow.py:11:5:11:14 | xpathQuery | xpathFlow.py:14:20:14:29 | xpathQuery | provenance | | +| xpathFlow.py:11:18:11:24 | request | xpathFlow.py:11:18:11:29 | After Attribute | provenance | AdditionalTaintStep | +| xpathFlow.py:11:18:11:29 | After Attribute | xpathFlow.py:11:18:11:44 | After Attribute() | provenance | dict.get | +| xpathFlow.py:11:18:11:44 | After Attribute() | xpathFlow.py:11:5:11:14 | xpathQuery | provenance | | +| xpathFlow.py:20:5:20:14 | xpathQuery | xpathFlow.py:23:29:23:38 | xpathQuery | provenance | | +| xpathFlow.py:20:18:20:24 | request | xpathFlow.py:20:18:20:29 | After Attribute | provenance | AdditionalTaintStep | +| xpathFlow.py:20:18:20:29 | After Attribute | xpathFlow.py:20:18:20:44 | After Attribute() | provenance | dict.get | +| xpathFlow.py:20:18:20:44 | After Attribute() | xpathFlow.py:20:5:20:14 | xpathQuery | provenance | | +| xpathFlow.py:30:5:30:14 | xpathQuery | xpathFlow.py:32:29:32:38 | xpathQuery | provenance | | +| xpathFlow.py:30:18:30:24 | request | xpathFlow.py:30:18:30:29 | After Attribute | provenance | AdditionalTaintStep | +| xpathFlow.py:30:18:30:29 | After Attribute | xpathFlow.py:30:18:30:44 | After Attribute() | provenance | dict.get | +| xpathFlow.py:30:18:30:44 | After Attribute() | 
xpathFlow.py:30:5:30:14 | xpathQuery | provenance | | +| xpathFlow.py:39:5:39:14 | xpathQuery | xpathFlow.py:41:31:41:40 | xpathQuery | provenance | | +| xpathFlow.py:39:18:39:24 | request | xpathFlow.py:39:18:39:29 | After Attribute | provenance | AdditionalTaintStep | +| xpathFlow.py:39:18:39:29 | After Attribute | xpathFlow.py:39:18:39:44 | After Attribute() | provenance | dict.get | +| xpathFlow.py:39:18:39:44 | After Attribute() | xpathFlow.py:39:5:39:14 | xpathQuery | provenance | | +| xpathFlow.py:47:5:47:14 | xpathQuery | xpathFlow.py:49:29:49:38 | xpathQuery | provenance | | +| xpathFlow.py:47:18:47:24 | request | xpathFlow.py:47:18:47:29 | After Attribute | provenance | AdditionalTaintStep | +| xpathFlow.py:47:18:47:29 | After Attribute | xpathFlow.py:47:18:47:44 | After Attribute() | provenance | dict.get | +| xpathFlow.py:47:18:47:44 | After Attribute() | xpathFlow.py:47:5:47:14 | xpathQuery | provenance | | nodes -| xpathBad.py:9:7:9:13 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| xpathBad.py:10:5:10:9 | ControlFlowNode for value | semmle.label | ControlFlowNode for value | -| xpathBad.py:13:20:13:43 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr | -| xpathFlow.py:2:26:2:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember | -| xpathFlow.py:2:26:2:32 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| xpathFlow.py:11:5:11:14 | ControlFlowNode for xpathQuery | semmle.label | ControlFlowNode for xpathQuery | -| xpathFlow.py:11:18:11:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| xpathFlow.py:11:18:11:29 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | -| xpathFlow.py:11:18:11:44 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| xpathFlow.py:14:20:14:29 | ControlFlowNode for xpathQuery | semmle.label | ControlFlowNode for 
xpathQuery | -| xpathFlow.py:20:5:20:14 | ControlFlowNode for xpathQuery | semmle.label | ControlFlowNode for xpathQuery | -| xpathFlow.py:20:18:20:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| xpathFlow.py:20:18:20:29 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | -| xpathFlow.py:20:18:20:44 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| xpathFlow.py:23:29:23:38 | ControlFlowNode for xpathQuery | semmle.label | ControlFlowNode for xpathQuery | -| xpathFlow.py:30:5:30:14 | ControlFlowNode for xpathQuery | semmle.label | ControlFlowNode for xpathQuery | -| xpathFlow.py:30:18:30:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| xpathFlow.py:30:18:30:29 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | -| xpathFlow.py:30:18:30:44 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| xpathFlow.py:32:29:32:38 | ControlFlowNode for xpathQuery | semmle.label | ControlFlowNode for xpathQuery | -| xpathFlow.py:39:5:39:14 | ControlFlowNode for xpathQuery | semmle.label | ControlFlowNode for xpathQuery | -| xpathFlow.py:39:18:39:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| xpathFlow.py:39:18:39:29 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | -| xpathFlow.py:39:18:39:44 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| xpathFlow.py:41:31:41:40 | ControlFlowNode for xpathQuery | semmle.label | ControlFlowNode for xpathQuery | -| xpathFlow.py:47:5:47:14 | ControlFlowNode for xpathQuery | semmle.label | ControlFlowNode for xpathQuery | -| xpathFlow.py:47:18:47:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| xpathFlow.py:47:18:47:29 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | -| 
xpathFlow.py:47:18:47:44 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| xpathFlow.py:49:29:49:38 | ControlFlowNode for xpathQuery | semmle.label | ControlFlowNode for xpathQuery | +| xpathBad.py:9:7:9:13 | request | semmle.label | request | +| xpathBad.py:10:5:10:9 | value | semmle.label | value | +| xpathBad.py:13:20:13:43 | After BinaryExpr | semmle.label | After BinaryExpr | +| xpathFlow.py:2:26:2:32 | After ImportMember | semmle.label | After ImportMember | +| xpathFlow.py:2:26:2:32 | request | semmle.label | request | +| xpathFlow.py:11:5:11:14 | xpathQuery | semmle.label | xpathQuery | +| xpathFlow.py:11:18:11:24 | request | semmle.label | request | +| xpathFlow.py:11:18:11:29 | After Attribute | semmle.label | After Attribute | +| xpathFlow.py:11:18:11:44 | After Attribute() | semmle.label | After Attribute() | +| xpathFlow.py:14:20:14:29 | xpathQuery | semmle.label | xpathQuery | +| xpathFlow.py:20:5:20:14 | xpathQuery | semmle.label | xpathQuery | +| xpathFlow.py:20:18:20:24 | request | semmle.label | request | +| xpathFlow.py:20:18:20:29 | After Attribute | semmle.label | After Attribute | +| xpathFlow.py:20:18:20:44 | After Attribute() | semmle.label | After Attribute() | +| xpathFlow.py:23:29:23:38 | xpathQuery | semmle.label | xpathQuery | +| xpathFlow.py:30:5:30:14 | xpathQuery | semmle.label | xpathQuery | +| xpathFlow.py:30:18:30:24 | request | semmle.label | request | +| xpathFlow.py:30:18:30:29 | After Attribute | semmle.label | After Attribute | +| xpathFlow.py:30:18:30:44 | After Attribute() | semmle.label | After Attribute() | +| xpathFlow.py:32:29:32:38 | xpathQuery | semmle.label | xpathQuery | +| xpathFlow.py:39:5:39:14 | xpathQuery | semmle.label | xpathQuery | +| xpathFlow.py:39:18:39:24 | request | semmle.label | request | +| xpathFlow.py:39:18:39:29 | After Attribute | semmle.label | After Attribute | +| xpathFlow.py:39:18:39:44 | After Attribute() | semmle.label | After Attribute() | +| 
xpathFlow.py:41:31:41:40 | xpathQuery | semmle.label | xpathQuery | +| xpathFlow.py:47:5:47:14 | xpathQuery | semmle.label | xpathQuery | +| xpathFlow.py:47:18:47:24 | request | semmle.label | request | +| xpathFlow.py:47:18:47:29 | After Attribute | semmle.label | After Attribute | +| xpathFlow.py:47:18:47:44 | After Attribute() | semmle.label | After Attribute() | +| xpathFlow.py:49:29:49:38 | xpathQuery | semmle.label | xpathQuery | subpaths #select -| xpathBad.py:13:20:13:43 | ControlFlowNode for BinaryExpr | xpathBad.py:9:7:9:13 | ControlFlowNode for request | xpathBad.py:13:20:13:43 | ControlFlowNode for BinaryExpr | XPath expression depends on a $@. | xpathBad.py:9:7:9:13 | ControlFlowNode for request | user-provided value | -| xpathFlow.py:14:20:14:29 | ControlFlowNode for xpathQuery | xpathFlow.py:2:26:2:32 | ControlFlowNode for ImportMember | xpathFlow.py:14:20:14:29 | ControlFlowNode for xpathQuery | XPath expression depends on a $@. | xpathFlow.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | -| xpathFlow.py:23:29:23:38 | ControlFlowNode for xpathQuery | xpathFlow.py:2:26:2:32 | ControlFlowNode for ImportMember | xpathFlow.py:23:29:23:38 | ControlFlowNode for xpathQuery | XPath expression depends on a $@. | xpathFlow.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | -| xpathFlow.py:32:29:32:38 | ControlFlowNode for xpathQuery | xpathFlow.py:2:26:2:32 | ControlFlowNode for ImportMember | xpathFlow.py:32:29:32:38 | ControlFlowNode for xpathQuery | XPath expression depends on a $@. | xpathFlow.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | -| xpathFlow.py:41:31:41:40 | ControlFlowNode for xpathQuery | xpathFlow.py:2:26:2:32 | ControlFlowNode for ImportMember | xpathFlow.py:41:31:41:40 | ControlFlowNode for xpathQuery | XPath expression depends on a $@. 
| xpathFlow.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | -| xpathFlow.py:49:29:49:38 | ControlFlowNode for xpathQuery | xpathFlow.py:2:26:2:32 | ControlFlowNode for ImportMember | xpathFlow.py:49:29:49:38 | ControlFlowNode for xpathQuery | XPath expression depends on a $@. | xpathFlow.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | +| xpathBad.py:13:20:13:43 | After BinaryExpr | xpathBad.py:9:7:9:13 | request | xpathBad.py:13:20:13:43 | After BinaryExpr | XPath expression depends on a $@. | xpathBad.py:9:7:9:13 | request | user-provided value | +| xpathFlow.py:14:20:14:29 | xpathQuery | xpathFlow.py:2:26:2:32 | After ImportMember | xpathFlow.py:14:20:14:29 | xpathQuery | XPath expression depends on a $@. | xpathFlow.py:2:26:2:32 | After ImportMember | user-provided value | +| xpathFlow.py:23:29:23:38 | xpathQuery | xpathFlow.py:2:26:2:32 | After ImportMember | xpathFlow.py:23:29:23:38 | xpathQuery | XPath expression depends on a $@. | xpathFlow.py:2:26:2:32 | After ImportMember | user-provided value | +| xpathFlow.py:32:29:32:38 | xpathQuery | xpathFlow.py:2:26:2:32 | After ImportMember | xpathFlow.py:32:29:32:38 | xpathQuery | XPath expression depends on a $@. | xpathFlow.py:2:26:2:32 | After ImportMember | user-provided value | +| xpathFlow.py:41:31:41:40 | xpathQuery | xpathFlow.py:2:26:2:32 | After ImportMember | xpathFlow.py:41:31:41:40 | xpathQuery | XPath expression depends on a $@. | xpathFlow.py:2:26:2:32 | After ImportMember | user-provided value | +| xpathFlow.py:49:29:49:38 | xpathQuery | xpathFlow.py:2:26:2:32 | After ImportMember | xpathFlow.py:49:29:49:38 | xpathQuery | XPath expression depends on a $@. | xpathFlow.py:2:26:2:32 | After ImportMember | user-provided value | diff --git a/python/ql/test/query-tests/Security/CWE-730-PolynomialReDoS/PolynomialReDoS.expected b/python/ql/test/query-tests/Security/CWE-730-PolynomialReDoS/PolynomialReDoS.expected index aa8cea07ed1..8ae5073c544 100644 
--- a/python/ql/test/query-tests/Security/CWE-730-PolynomialReDoS/PolynomialReDoS.expected +++ b/python/ql/test/query-tests/Security/CWE-730-PolynomialReDoS/PolynomialReDoS.expected 
@@ -1,34 +1,34 @@ edges -| test.py:2:26:2:32 | ControlFlowNode for ImportMember | test.py:2:26:2:32 | ControlFlowNode for request | provenance | | -| test.py:2:26:2:32 | ControlFlowNode for request | test.py:7:12:7:18 | ControlFlowNode for request | provenance | | -| test.py:7:5:7:8 | ControlFlowNode for text | test.py:8:30:8:33 | ControlFlowNode for text | provenance | | -| test.py:7:5:7:8 | ControlFlowNode for text | test.py:9:32:9:35 | ControlFlowNode for text | provenance | | -| test.py:7:5:7:8 | ControlFlowNode for text | test.py:12:17:12:20 | ControlFlowNode for text | provenance | | -| test.py:7:5:7:8 | ControlFlowNode for text | test.py:18:28:18:31 | ControlFlowNode for text | provenance | | -| test.py:7:5:7:8 | ControlFlowNode for text | test.py:21:18:21:21 | ControlFlowNode for text | provenance | | -| test.py:7:12:7:18 | ControlFlowNode for request | test.py:7:12:7:23 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | -| test.py:7:12:7:23 | ControlFlowNode for Attribute | test.py:7:12:7:35 | ControlFlowNode for Attribute() | provenance | dict.get | -| test.py:7:12:7:35 | ControlFlowNode for Attribute() | test.py:7:5:7:8 | ControlFlowNode for text | provenance | | -| test.py:14:33:14:39 | ControlFlowNode for my_text | test.py:16:24:16:30 | ControlFlowNode for my_text | provenance | | -| test.py:18:28:18:31 | ControlFlowNode for text | test.py:14:33:14:39 | ControlFlowNode for my_text | provenance | | +| test.py:2:26:2:32 | After ImportMember | test.py:2:26:2:32 | request | provenance | | +| test.py:2:26:2:32 | request | test.py:7:12:7:18 | request | provenance | | +| test.py:7:5:7:8 | text | test.py:8:30:8:33 | text | provenance | | +| test.py:7:5:7:8 | text | test.py:9:32:9:35 | text | provenance | | +| test.py:7:5:7:8 | text | test.py:12:17:12:20 | text | provenance | | +| test.py:7:5:7:8 | text | test.py:18:28:18:31 | text | provenance | | +| test.py:7:5:7:8 | text | test.py:21:18:21:21 | text | provenance | | +| test.py:7:12:7:18 | 
request | test.py:7:12:7:23 | After Attribute | provenance | AdditionalTaintStep | +| test.py:7:12:7:23 | After Attribute | test.py:7:12:7:35 | After Attribute() | provenance | dict.get | +| test.py:7:12:7:35 | After Attribute() | test.py:7:5:7:8 | text | provenance | | +| test.py:14:33:14:39 | my_text | test.py:16:24:16:30 | my_text | provenance | | +| test.py:18:28:18:31 | text | test.py:14:33:14:39 | my_text | provenance | | nodes -| test.py:2:26:2:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember | -| test.py:2:26:2:32 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| test.py:7:5:7:8 | ControlFlowNode for text | semmle.label | ControlFlowNode for text | -| test.py:7:12:7:18 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| test.py:7:12:7:23 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | -| test.py:7:12:7:35 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| test.py:8:30:8:33 | ControlFlowNode for text | semmle.label | ControlFlowNode for text | -| test.py:9:32:9:35 | ControlFlowNode for text | semmle.label | ControlFlowNode for text | -| test.py:12:17:12:20 | ControlFlowNode for text | semmle.label | ControlFlowNode for text | -| test.py:14:33:14:39 | ControlFlowNode for my_text | semmle.label | ControlFlowNode for my_text | -| test.py:16:24:16:30 | ControlFlowNode for my_text | semmle.label | ControlFlowNode for my_text | -| test.py:18:28:18:31 | ControlFlowNode for text | semmle.label | ControlFlowNode for text | -| test.py:21:18:21:21 | ControlFlowNode for text | semmle.label | ControlFlowNode for text | +| test.py:2:26:2:32 | After ImportMember | semmle.label | After ImportMember | +| test.py:2:26:2:32 | request | semmle.label | request | +| test.py:7:5:7:8 | text | semmle.label | text | +| test.py:7:12:7:18 | request | semmle.label | request | +| test.py:7:12:7:23 | After Attribute | 
semmle.label | After Attribute | +| test.py:7:12:7:35 | After Attribute() | semmle.label | After Attribute() | +| test.py:8:30:8:33 | text | semmle.label | text | +| test.py:9:32:9:35 | text | semmle.label | text | +| test.py:12:17:12:20 | text | semmle.label | text | +| test.py:14:33:14:39 | my_text | semmle.label | my_text | +| test.py:16:24:16:30 | my_text | semmle.label | my_text | +| test.py:18:28:18:31 | text | semmle.label | text | +| test.py:21:18:21:21 | text | semmle.label | text | subpaths #select -| test.py:8:30:8:33 | ControlFlowNode for text | test.py:2:26:2:32 | ControlFlowNode for ImportMember | test.py:8:30:8:33 | ControlFlowNode for text | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | test.py:8:19:8:21 | \\s+ | regular expression | test.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | -| test.py:9:32:9:35 | ControlFlowNode for text | test.py:2:26:2:32 | ControlFlowNode for ImportMember | test.py:9:32:9:35 | ControlFlowNode for text | This $@ that depends on a $@ may run slow on strings starting with '0.9' and with many repetitions of '99'. | test.py:9:25:9:27 | \\d+ | regular expression | test.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | -| test.py:12:17:12:20 | ControlFlowNode for text | test.py:2:26:2:32 | ControlFlowNode for ImportMember | test.py:12:17:12:20 | ControlFlowNode for text | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | test.py:11:29:11:31 | \\s+ | regular expression | test.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | -| test.py:16:24:16:30 | ControlFlowNode for my_text | test.py:2:26:2:32 | ControlFlowNode for ImportMember | test.py:16:24:16:30 | ControlFlowNode for my_text | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. 
| test.py:18:21:18:23 | \\s+ | regular expression | test.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | -| test.py:21:18:21:21 | ControlFlowNode for text | test.py:2:26:2:32 | ControlFlowNode for ImportMember | test.py:21:18:21:21 | ControlFlowNode for text | This $@ that depends on a $@ may run slow on strings starting with 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC' and with many repetitions of 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC'. | test.py:20:271:20:272 | .* | regular expression | test.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | +| test.py:8:30:8:33 | text | test.py:2:26:2:32 | After ImportMember | test.py:8:30:8:33 | text | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | test.py:8:19:8:21 | \\s+ | regular expression | test.py:2:26:2:32 | After ImportMember | user-provided value | +| test.py:9:32:9:35 | text | test.py:2:26:2:32 | After ImportMember | test.py:9:32:9:35 | text | This $@ that depends on a $@ may run slow on strings starting with '0.9' and with many repetitions of '99'. | test.py:9:25:9:27 | \\d+ | regular expression | test.py:2:26:2:32 | After ImportMember | user-provided value | +| test.py:12:17:12:20 | text | test.py:2:26:2:32 | After ImportMember | test.py:12:17:12:20 | text | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | test.py:11:29:11:31 | \\s+ | regular expression | test.py:2:26:2:32 | After ImportMember | user-provided value | +| test.py:16:24:16:30 | my_text | test.py:2:26:2:32 | After ImportMember | test.py:16:24:16:30 | my_text | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. 
| test.py:18:21:18:23 | \\s+ | regular expression | test.py:2:26:2:32 | After ImportMember | user-provided value | +| test.py:21:18:21:21 | text | test.py:2:26:2:32 | After ImportMember | test.py:21:18:21:21 | text | This $@ that depends on a $@ may run slow on strings starting with 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC' and with many repetitions of 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC'. | test.py:20:271:20:272 | .* | regular expression | test.py:2:26:2:32 | After ImportMember | user-provided value | diff --git a/python/ql/test/query-tests/Security/CWE-730-RegexInjection/RegexInjection.expected b/python/ql/test/query-tests/Security/CWE-730-RegexInjection/RegexInjection.expected index 16d29401f78..35d64072459 100644 --- a/python/ql/test/query-tests/Security/CWE-730-RegexInjection/RegexInjection.expected +++ b/python/ql/test/query-tests/Security/CWE-730-RegexInjection/RegexInjection.expected 
@@ -1,28 +1,28 @@ edges -| re_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | re_bad.py:1:19:1:25 | ControlFlowNode for request | provenance | | -| re_bad.py:1:19:1:25 | ControlFlowNode for request | re_bad.py:13:22:13:28 | ControlFlowNode for request | provenance | | -| re_bad.py:1:19:1:25 | ControlFlowNode for request | re_bad.py:24:22:24:28 | ControlFlowNode for request | provenance | | -| re_bad.py:1:19:1:25 | ControlFlowNode for request | re_bad.py:36:22:36:28 | ControlFlowNode for request | provenance | | -| re_bad.py:13:5:13:18 | ControlFlowNode for unsafe_pattern | re_bad.py:14:15:14:28 | ControlFlowNode for unsafe_pattern | provenance | | -| re_bad.py:13:22:13:28 | ControlFlowNode for request | re_bad.py:13:5:13:18 | ControlFlowNode for unsafe_pattern | provenance | AdditionalTaintStep | -| re_bad.py:24:5:24:18 | ControlFlowNode for unsafe_pattern | re_bad.py:25:35:25:48 | ControlFlowNode for unsafe_pattern | provenance | | -| re_bad.py:24:22:24:28 | ControlFlowNode for request | re_bad.py:24:5:24:18 | ControlFlowNode for unsafe_pattern | provenance | AdditionalTaintStep | -| re_bad.py:36:5:36:18 | ControlFlowNode for unsafe_pattern | re_bad.py:37:16:37:29 | ControlFlowNode for unsafe_pattern | provenance | | -| re_bad.py:36:22:36:28 | ControlFlowNode for request | re_bad.py:36:5:36:18 | ControlFlowNode for unsafe_pattern | provenance | AdditionalTaintStep | +| re_bad.py:1:19:1:25 | After ImportMember | re_bad.py:1:19:1:25 | request | provenance | | +| re_bad.py:1:19:1:25 | request | re_bad.py:13:22:13:28 | request | provenance | | +| re_bad.py:1:19:1:25 | request | re_bad.py:24:22:24:28 | request | provenance | | +| re_bad.py:1:19:1:25 | request | re_bad.py:36:22:36:28 | request | provenance | | +| re_bad.py:13:5:13:18 | unsafe_pattern | re_bad.py:14:15:14:28 | unsafe_pattern | provenance | | +| re_bad.py:13:22:13:28 | request | re_bad.py:13:5:13:18 | unsafe_pattern | provenance | AdditionalTaintStep | +| re_bad.py:24:5:24:18 | unsafe_pattern | 
re_bad.py:25:35:25:48 | unsafe_pattern | provenance | | +| re_bad.py:24:22:24:28 | request | re_bad.py:24:5:24:18 | unsafe_pattern | provenance | AdditionalTaintStep | +| re_bad.py:36:5:36:18 | unsafe_pattern | re_bad.py:37:16:37:29 | unsafe_pattern | provenance | | +| re_bad.py:36:22:36:28 | request | re_bad.py:36:5:36:18 | unsafe_pattern | provenance | AdditionalTaintStep | nodes -| re_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember | -| re_bad.py:1:19:1:25 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| re_bad.py:13:5:13:18 | ControlFlowNode for unsafe_pattern | semmle.label | ControlFlowNode for unsafe_pattern | -| re_bad.py:13:22:13:28 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| re_bad.py:14:15:14:28 | ControlFlowNode for unsafe_pattern | semmle.label | ControlFlowNode for unsafe_pattern | -| re_bad.py:24:5:24:18 | ControlFlowNode for unsafe_pattern | semmle.label | ControlFlowNode for unsafe_pattern | -| re_bad.py:24:22:24:28 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| re_bad.py:25:35:25:48 | ControlFlowNode for unsafe_pattern | semmle.label | ControlFlowNode for unsafe_pattern | -| re_bad.py:36:5:36:18 | ControlFlowNode for unsafe_pattern | semmle.label | ControlFlowNode for unsafe_pattern | -| re_bad.py:36:22:36:28 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| re_bad.py:37:16:37:29 | ControlFlowNode for unsafe_pattern | semmle.label | ControlFlowNode for unsafe_pattern | +| re_bad.py:1:19:1:25 | After ImportMember | semmle.label | After ImportMember | +| re_bad.py:1:19:1:25 | request | semmle.label | request | +| re_bad.py:13:5:13:18 | unsafe_pattern | semmle.label | unsafe_pattern | +| re_bad.py:13:22:13:28 | request | semmle.label | request | +| re_bad.py:14:15:14:28 | unsafe_pattern | semmle.label | unsafe_pattern | +| re_bad.py:24:5:24:18 | unsafe_pattern | 
semmle.label | unsafe_pattern | +| re_bad.py:24:22:24:28 | request | semmle.label | request | +| re_bad.py:25:35:25:48 | unsafe_pattern | semmle.label | unsafe_pattern | +| re_bad.py:36:5:36:18 | unsafe_pattern | semmle.label | unsafe_pattern | +| re_bad.py:36:22:36:28 | request | semmle.label | request | +| re_bad.py:37:16:37:29 | unsafe_pattern | semmle.label | unsafe_pattern | subpaths #select -| re_bad.py:14:15:14:28 | ControlFlowNode for unsafe_pattern | re_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | re_bad.py:14:15:14:28 | ControlFlowNode for unsafe_pattern | This regular expression depends on a $@ and is executed by $@. | re_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | re_bad.py:14:5:14:33 | ControlFlowNode for Attribute() | re.search | -| re_bad.py:25:35:25:48 | ControlFlowNode for unsafe_pattern | re_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | re_bad.py:25:35:25:48 | ControlFlowNode for unsafe_pattern | This regular expression depends on a $@ and is executed by $@. | re_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | re_bad.py:26:5:26:31 | ControlFlowNode for Attribute() | re.search | -| re_bad.py:37:16:37:29 | ControlFlowNode for unsafe_pattern | re_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | re_bad.py:37:16:37:29 | ControlFlowNode for unsafe_pattern | This regular expression depends on a $@ and is executed by $@. | re_bad.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | re_bad.py:37:5:37:41 | ControlFlowNode for Attribute() | re.search | +| re_bad.py:14:15:14:28 | unsafe_pattern | re_bad.py:1:19:1:25 | After ImportMember | re_bad.py:14:15:14:28 | unsafe_pattern | This regular expression depends on a $@ and is executed by $@. 
| re_bad.py:1:19:1:25 | After ImportMember | user-provided value | re_bad.py:14:5:14:33 | After Attribute() | re.search | +| re_bad.py:25:35:25:48 | unsafe_pattern | re_bad.py:1:19:1:25 | After ImportMember | re_bad.py:25:35:25:48 | unsafe_pattern | This regular expression depends on a $@ and is executed by $@. | re_bad.py:1:19:1:25 | After ImportMember | user-provided value | re_bad.py:26:5:26:31 | After Attribute() | re.search | +| re_bad.py:37:16:37:29 | unsafe_pattern | re_bad.py:1:19:1:25 | After ImportMember | re_bad.py:37:16:37:29 | unsafe_pattern | This regular expression depends on a $@ and is executed by $@. | re_bad.py:1:19:1:25 | After ImportMember | user-provided value | re_bad.py:37:5:37:41 | After Attribute() | re.search | diff --git a/python/ql/test/query-tests/Security/CWE-732-WeakFilePermissions/WeakFilePermissions.expected b/python/ql/test/query-tests/Security/CWE-732-WeakFilePermissions/WeakFilePermissions.expected index 762d2599c2d..ae7ab9971c1 100644 --- a/python/ql/test/query-tests/Security/CWE-732-WeakFilePermissions/WeakFilePermissions.expected +++ b/python/ql/test/query-tests/Security/CWE-732-WeakFilePermissions/WeakFilePermissions.expected 
@@ -1,6 +1,6 @@ -| test.py:7:1:7:19 | ControlFlowNode for Attribute() | Overly permissive mask in chmod sets file to world writable. | -| test.py:8:1:8:20 | ControlFlowNode for Attribute() | Overly permissive mask in chmod sets file to world writable. | -| test.py:9:1:9:21 | ControlFlowNode for Attribute() | Overly permissive mask in chmod sets file to world writable. | -| test.py:11:1:11:21 | ControlFlowNode for Attribute() | Overly permissive mask in chmod sets file to group readable. | -| test.py:14:1:14:19 | ControlFlowNode for Attribute() | Overly permissive mask in chmod sets file to group writable. | -| test.py:16:1:16:25 | ControlFlowNode for Attribute() | Overly permissive mask in open sets file to world readable. | +| test.py:7:1:7:19 | After Attribute() | Overly permissive mask in chmod sets file to world writable. | +| test.py:8:1:8:20 | After Attribute() | Overly permissive mask in chmod sets file to world writable. | +| test.py:9:1:9:21 | After Attribute() | Overly permissive mask in chmod sets file to world writable. | +| test.py:11:1:11:21 | After Attribute() | Overly permissive mask in chmod sets file to group readable. | +| test.py:14:1:14:19 | After Attribute() | Overly permissive mask in chmod sets file to group writable. | +| test.py:16:1:16:25 | After Attribute() | Overly permissive mask in open sets file to world readable. | diff --git a/python/ql/test/query-tests/Security/CWE-798-HardcodedCredentials/HardcodedCredentials.expected b/python/ql/test/query-tests/Security/CWE-798-HardcodedCredentials/HardcodedCredentials.expected index 7fe70dd495b..968d1b246e9 100644 --- a/python/ql/test/query-tests/Security/CWE-798-HardcodedCredentials/HardcodedCredentials.expected +++ b/python/ql/test/query-tests/Security/CWE-798-HardcodedCredentials/HardcodedCredentials.expected 
@@ -1,16 +1,16 @@ edges -| test.py:5:1:5:8 | ControlFlowNode for USERNAME | test.py:14:18:14:25 | ControlFlowNode for USERNAME | provenance | | -| test.py:5:12:5:24 | ControlFlowNode for StringLiteral | test.py:5:1:5:8 | ControlFlowNode for USERNAME | provenance | | -| test.py:6:1:6:8 | ControlFlowNode for PASSWORD | test.py:15:18:15:25 | ControlFlowNode for PASSWORD | provenance | | -| test.py:6:12:6:25 | ControlFlowNode for StringLiteral | test.py:6:1:6:8 | ControlFlowNode for PASSWORD | provenance | | +| test.py:5:1:5:8 | USERNAME | test.py:14:18:14:25 | USERNAME | provenance | | +| test.py:5:12:5:24 | StringLiteral | test.py:5:1:5:8 | USERNAME | provenance | | +| test.py:6:1:6:8 | PASSWORD | test.py:15:18:15:25 | PASSWORD | provenance | | +| test.py:6:12:6:25 | StringLiteral | test.py:6:1:6:8 | PASSWORD | provenance | | nodes -| test.py:5:1:5:8 | ControlFlowNode for USERNAME | semmle.label | ControlFlowNode for USERNAME | -| test.py:5:12:5:24 | ControlFlowNode for StringLiteral | semmle.label | ControlFlowNode for StringLiteral | -| test.py:6:1:6:8 | ControlFlowNode for PASSWORD | semmle.label | ControlFlowNode for PASSWORD | -| test.py:6:12:6:25 | ControlFlowNode for StringLiteral | semmle.label | ControlFlowNode for StringLiteral | -| test.py:14:18:14:25 | ControlFlowNode for USERNAME | semmle.label | ControlFlowNode for USERNAME | -| test.py:15:18:15:25 | ControlFlowNode for PASSWORD | semmle.label | ControlFlowNode for PASSWORD | +| test.py:5:1:5:8 | USERNAME | semmle.label | USERNAME | +| test.py:5:12:5:24 | StringLiteral | semmle.label | StringLiteral | +| test.py:6:1:6:8 | PASSWORD | semmle.label | PASSWORD | +| test.py:6:12:6:25 | StringLiteral | semmle.label | StringLiteral | +| test.py:14:18:14:25 | USERNAME | semmle.label | USERNAME | +| test.py:15:18:15:25 | PASSWORD | semmle.label | PASSWORD | subpaths #select -| test.py:5:12:5:24 | ControlFlowNode for StringLiteral | test.py:5:12:5:24 | ControlFlowNode for StringLiteral | test.py:14:18:14:25 | 
ControlFlowNode for USERNAME | This hardcoded value is $@. | test.py:14:18:14:25 | ControlFlowNode for USERNAME | used as credentials | -| test.py:6:12:6:25 | ControlFlowNode for StringLiteral | test.py:6:12:6:25 | ControlFlowNode for StringLiteral | test.py:15:18:15:25 | ControlFlowNode for PASSWORD | This hardcoded value is $@. | test.py:15:18:15:25 | ControlFlowNode for PASSWORD | used as credentials | +| test.py:5:12:5:24 | StringLiteral | test.py:5:12:5:24 | StringLiteral | test.py:14:18:14:25 | USERNAME | This hardcoded value is $@. | test.py:14:18:14:25 | USERNAME | used as credentials | +| test.py:6:12:6:25 | StringLiteral | test.py:6:12:6:25 | StringLiteral | test.py:15:18:15:25 | PASSWORD | This hardcoded value is $@. | test.py:15:18:15:25 | PASSWORD | used as credentials | diff --git a/python/ql/test/query-tests/Security/CWE-942-CorsMisconfigurationMiddleware/CorsMisconfigurationMiddleware.expected b/python/ql/test/query-tests/Security/CWE-942-CorsMisconfigurationMiddleware/CorsMisconfigurationMiddleware.expected index 520cf9ab0d2..b74c40629e8 100644 --- a/python/ql/test/query-tests/Security/CWE-942-CorsMisconfigurationMiddleware/CorsMisconfigurationMiddleware.expected +++ b/python/ql/test/query-tests/Security/CWE-942-CorsMisconfigurationMiddleware/CorsMisconfigurationMiddleware.expected 
@@ -1,2 +1,2 @@ -| fastapi.py:10:1:16:1 | ControlFlowNode for Attribute() | This CORS middleware uses a vulnerable configuration that allows arbitrary websites to make authenticated cross-site requests | -| starlette.py:8:5:8:75 | ControlFlowNode for Middleware() | This CORS middleware uses a vulnerable configuration that allows arbitrary websites to make authenticated cross-site requests | +| fastapi.py:10:1:16:1 | After Attribute() | This CORS middleware uses a vulnerable configuration that allows arbitrary websites to make authenticated cross-site requests | +| starlette.py:8:5:8:75 | After Middleware() | This CORS middleware uses a vulnerable configuration that allows arbitrary websites to make authenticated cross-site requests | diff --git a/python/ql/test/query-tests/Security/CWE-943-NoSqlInjection/NoSqlInjection.expected b/python/ql/test/query-tests/Security/CWE-943-NoSqlInjection/NoSqlInjection.expected index 810ece4f107..ffc1de8f9b4 100644 --- a/python/ql/test/query-tests/Security/CWE-943-NoSqlInjection/NoSqlInjection.expected +++ b/python/ql/test/query-tests/Security/CWE-943-NoSqlInjection/NoSqlInjection.expected 
@@ -1,269 +1,269 @@ edges -| PoC/server.py:1:26:1:32 | ControlFlowNode for ImportMember | PoC/server.py:1:26:1:32 | ControlFlowNode for request | provenance | | -| PoC/server.py:1:26:1:32 | ControlFlowNode for request | PoC/server.py:26:21:26:27 | ControlFlowNode for request | provenance | | -| PoC/server.py:1:26:1:32 | ControlFlowNode for request | PoC/server.py:43:14:43:20 | ControlFlowNode for request | provenance | | -| PoC/server.py:1:26:1:32 | ControlFlowNode for request | PoC/server.py:52:14:52:20 | ControlFlowNode for request | provenance | | -| PoC/server.py:1:26:1:32 | ControlFlowNode for request | PoC/server.py:77:14:77:20 | ControlFlowNode for request | provenance | | -| PoC/server.py:1:26:1:32 | ControlFlowNode for request | PoC/server.py:98:14:98:20 | ControlFlowNode for request | provenance | | -| PoC/server.py:26:5:26:17 | ControlFlowNode for author_string | PoC/server.py:27:25:27:37 | ControlFlowNode for author_string | provenance | | -| PoC/server.py:26:21:26:27 | ControlFlowNode for request | PoC/server.py:26:5:26:17 | ControlFlowNode for author_string | provenance | AdditionalTaintStep | -| PoC/server.py:27:5:27:10 | ControlFlowNode for author | PoC/server.py:30:27:30:44 | ControlFlowNode for Dict | provenance | | -| PoC/server.py:27:5:27:10 | ControlFlowNode for author | PoC/server.py:31:34:31:51 | ControlFlowNode for Dict | provenance | | -| PoC/server.py:27:14:27:38 | ControlFlowNode for Attribute() | PoC/server.py:27:5:27:10 | ControlFlowNode for author | provenance | | -| PoC/server.py:27:25:27:37 | ControlFlowNode for author_string | PoC/server.py:27:14:27:38 | ControlFlowNode for Attribute() | provenance | Config | -| PoC/server.py:43:5:43:10 | ControlFlowNode for author | PoC/server.py:47:38:47:67 | ControlFlowNode for BinaryExpr | provenance | | -| PoC/server.py:43:14:43:20 | ControlFlowNode for request | PoC/server.py:43:5:43:10 | ControlFlowNode for author | provenance | AdditionalTaintStep | -| PoC/server.py:47:38:47:67 | 
ControlFlowNode for BinaryExpr | PoC/server.py:47:27:47:68 | ControlFlowNode for Dict | provenance | Config | -| PoC/server.py:52:5:52:10 | ControlFlowNode for author | PoC/server.py:54:17:54:70 | ControlFlowNode for BinaryExpr | provenance | | -| PoC/server.py:52:14:52:20 | ControlFlowNode for request | PoC/server.py:52:5:52:10 | ControlFlowNode for author | provenance | AdditionalTaintStep | -| PoC/server.py:53:5:53:10 | ControlFlowNode for search | PoC/server.py:61:27:61:58 | ControlFlowNode for Dict | provenance | | -| PoC/server.py:53:14:57:5 | ControlFlowNode for Dict | PoC/server.py:53:5:53:10 | ControlFlowNode for search | provenance | | -| PoC/server.py:54:17:54:70 | ControlFlowNode for BinaryExpr | PoC/server.py:53:14:57:5 | ControlFlowNode for Dict | provenance | Config | -| PoC/server.py:77:5:77:10 | ControlFlowNode for author | PoC/server.py:80:23:80:101 | ControlFlowNode for BinaryExpr | provenance | | -| PoC/server.py:77:14:77:20 | ControlFlowNode for request | PoC/server.py:77:5:77:10 | ControlFlowNode for author | provenance | AdditionalTaintStep | -| PoC/server.py:78:5:78:15 | ControlFlowNode for accumulator | PoC/server.py:84:5:84:9 | ControlFlowNode for group | provenance | | -| PoC/server.py:78:19:83:5 | ControlFlowNode for Dict | PoC/server.py:78:5:78:15 | ControlFlowNode for accumulator | provenance | | -| PoC/server.py:80:23:80:101 | ControlFlowNode for BinaryExpr | PoC/server.py:78:19:83:5 | ControlFlowNode for Dict | provenance | Config | -| PoC/server.py:84:5:84:9 | ControlFlowNode for group | PoC/server.py:91:29:91:47 | ControlFlowNode for Dict | provenance | | -| PoC/server.py:84:5:84:9 | ControlFlowNode for group | PoC/server.py:92:38:92:56 | ControlFlowNode for Dict | provenance | | -| PoC/server.py:98:5:98:10 | ControlFlowNode for author | PoC/server.py:99:5:99:10 | ControlFlowNode for mapper | provenance | | -| PoC/server.py:98:14:98:20 | ControlFlowNode for request | PoC/server.py:98:5:98:10 | ControlFlowNode for author | 
provenance | AdditionalTaintStep | -| PoC/server.py:99:5:99:10 | ControlFlowNode for mapper | PoC/server.py:102:9:102:14 | ControlFlowNode for mapper | provenance | | -| flask_mongoengine_bad.py:1:26:1:32 | ControlFlowNode for ImportMember | flask_mongoengine_bad.py:1:26:1:32 | ControlFlowNode for request | provenance | | -| flask_mongoengine_bad.py:1:26:1:32 | ControlFlowNode for request | flask_mongoengine_bad.py:19:21:19:27 | ControlFlowNode for request | provenance | | -| flask_mongoengine_bad.py:1:26:1:32 | ControlFlowNode for request | flask_mongoengine_bad.py:26:21:26:27 | ControlFlowNode for request | provenance | | -| flask_mongoengine_bad.py:19:5:19:17 | ControlFlowNode for unsafe_search | flask_mongoengine_bad.py:20:30:20:42 | ControlFlowNode for unsafe_search | provenance | | -| flask_mongoengine_bad.py:19:21:19:27 | ControlFlowNode for request | flask_mongoengine_bad.py:19:5:19:17 | ControlFlowNode for unsafe_search | provenance | AdditionalTaintStep | -| flask_mongoengine_bad.py:20:5:20:15 | ControlFlowNode for json_search | flask_mongoengine_bad.py:22:34:22:44 | ControlFlowNode for json_search | provenance | | -| flask_mongoengine_bad.py:20:19:20:43 | ControlFlowNode for Attribute() | flask_mongoengine_bad.py:20:5:20:15 | ControlFlowNode for json_search | provenance | | -| flask_mongoengine_bad.py:20:30:20:42 | ControlFlowNode for unsafe_search | flask_mongoengine_bad.py:20:19:20:43 | ControlFlowNode for Attribute() | provenance | Config | -| flask_mongoengine_bad.py:26:5:26:17 | ControlFlowNode for unsafe_search | flask_mongoengine_bad.py:27:30:27:42 | ControlFlowNode for unsafe_search | provenance | | -| flask_mongoengine_bad.py:26:21:26:27 | ControlFlowNode for request | flask_mongoengine_bad.py:26:5:26:17 | ControlFlowNode for unsafe_search | provenance | AdditionalTaintStep | -| flask_mongoengine_bad.py:27:5:27:15 | ControlFlowNode for json_search | flask_mongoengine_bad.py:30:39:30:59 | ControlFlowNode for Dict | provenance | | -| 
flask_mongoengine_bad.py:27:19:27:43 | ControlFlowNode for Attribute() | flask_mongoengine_bad.py:27:5:27:15 | ControlFlowNode for json_search | provenance | | -| flask_mongoengine_bad.py:27:30:27:42 | ControlFlowNode for unsafe_search | flask_mongoengine_bad.py:27:19:27:43 | ControlFlowNode for Attribute() | provenance | Config | -| flask_pymongo_bad.py:1:26:1:32 | ControlFlowNode for ImportMember | flask_pymongo_bad.py:1:26:1:32 | ControlFlowNode for request | provenance | | -| flask_pymongo_bad.py:1:26:1:32 | ControlFlowNode for request | flask_pymongo_bad.py:11:21:11:27 | ControlFlowNode for request | provenance | | -| flask_pymongo_bad.py:11:5:11:17 | ControlFlowNode for unsafe_search | flask_pymongo_bad.py:12:30:12:42 | ControlFlowNode for unsafe_search | provenance | | -| flask_pymongo_bad.py:11:21:11:27 | ControlFlowNode for request | flask_pymongo_bad.py:11:5:11:17 | ControlFlowNode for unsafe_search | provenance | AdditionalTaintStep | -| flask_pymongo_bad.py:12:5:12:15 | ControlFlowNode for json_search | flask_pymongo_bad.py:14:31:14:51 | ControlFlowNode for Dict | provenance | | -| flask_pymongo_bad.py:12:19:12:43 | ControlFlowNode for Attribute() | flask_pymongo_bad.py:12:5:12:15 | ControlFlowNode for json_search | provenance | | -| flask_pymongo_bad.py:12:30:12:42 | ControlFlowNode for unsafe_search | flask_pymongo_bad.py:12:19:12:43 | ControlFlowNode for Attribute() | provenance | Config | -| mongoengine_bad.py:1:26:1:32 | ControlFlowNode for ImportMember | mongoengine_bad.py:1:26:1:32 | ControlFlowNode for request | provenance | | -| mongoengine_bad.py:1:26:1:32 | ControlFlowNode for request | mongoengine_bad.py:18:21:18:27 | ControlFlowNode for request | provenance | | -| mongoengine_bad.py:1:26:1:32 | ControlFlowNode for request | mongoengine_bad.py:26:21:26:27 | ControlFlowNode for request | provenance | | -| mongoengine_bad.py:1:26:1:32 | ControlFlowNode for request | mongoengine_bad.py:34:21:34:27 | ControlFlowNode for request | provenance | | 
-| mongoengine_bad.py:1:26:1:32 | ControlFlowNode for request | mongoengine_bad.py:42:21:42:27 | ControlFlowNode for request | provenance | | -| mongoengine_bad.py:1:26:1:32 | ControlFlowNode for request | mongoengine_bad.py:50:21:50:27 | ControlFlowNode for request | provenance | | -| mongoengine_bad.py:1:26:1:32 | ControlFlowNode for request | mongoengine_bad.py:57:21:57:27 | ControlFlowNode for request | provenance | | -| mongoengine_bad.py:18:5:18:17 | ControlFlowNode for unsafe_search | mongoengine_bad.py:19:30:19:42 | ControlFlowNode for unsafe_search | provenance | | -| mongoengine_bad.py:18:21:18:27 | ControlFlowNode for request | mongoengine_bad.py:18:5:18:17 | ControlFlowNode for unsafe_search | provenance | AdditionalTaintStep | -| mongoengine_bad.py:19:5:19:15 | ControlFlowNode for json_search | mongoengine_bad.py:22:26:22:46 | ControlFlowNode for Dict | provenance | | -| mongoengine_bad.py:19:19:19:43 | ControlFlowNode for Attribute() | mongoengine_bad.py:19:5:19:15 | ControlFlowNode for json_search | provenance | | -| mongoengine_bad.py:19:30:19:42 | ControlFlowNode for unsafe_search | mongoengine_bad.py:19:19:19:43 | ControlFlowNode for Attribute() | provenance | Config | -| mongoengine_bad.py:26:5:26:17 | ControlFlowNode for unsafe_search | mongoengine_bad.py:27:30:27:42 | ControlFlowNode for unsafe_search | provenance | | -| mongoengine_bad.py:26:21:26:27 | ControlFlowNode for request | mongoengine_bad.py:26:5:26:17 | ControlFlowNode for unsafe_search | provenance | AdditionalTaintStep | -| mongoengine_bad.py:27:5:27:15 | ControlFlowNode for json_search | mongoengine_bad.py:30:26:30:46 | ControlFlowNode for Dict | provenance | | -| mongoengine_bad.py:27:19:27:43 | ControlFlowNode for Attribute() | mongoengine_bad.py:27:5:27:15 | ControlFlowNode for json_search | provenance | | -| mongoengine_bad.py:27:30:27:42 | ControlFlowNode for unsafe_search | mongoengine_bad.py:27:19:27:43 | ControlFlowNode for Attribute() | provenance | Config | -| 
mongoengine_bad.py:34:5:34:17 | ControlFlowNode for unsafe_search | mongoengine_bad.py:35:30:35:42 | ControlFlowNode for unsafe_search | provenance | | -| mongoengine_bad.py:34:21:34:27 | ControlFlowNode for request | mongoengine_bad.py:34:5:34:17 | ControlFlowNode for unsafe_search | provenance | AdditionalTaintStep | -| mongoengine_bad.py:35:5:35:15 | ControlFlowNode for json_search | mongoengine_bad.py:38:26:38:46 | ControlFlowNode for Dict | provenance | | -| mongoengine_bad.py:35:19:35:43 | ControlFlowNode for Attribute() | mongoengine_bad.py:35:5:35:15 | ControlFlowNode for json_search | provenance | | -| mongoengine_bad.py:35:30:35:42 | ControlFlowNode for unsafe_search | mongoengine_bad.py:35:19:35:43 | ControlFlowNode for Attribute() | provenance | Config | -| mongoengine_bad.py:42:5:42:17 | ControlFlowNode for unsafe_search | mongoengine_bad.py:43:30:43:42 | ControlFlowNode for unsafe_search | provenance | | -| mongoengine_bad.py:42:21:42:27 | ControlFlowNode for request | mongoengine_bad.py:42:5:42:17 | ControlFlowNode for unsafe_search | provenance | AdditionalTaintStep | -| mongoengine_bad.py:43:5:43:15 | ControlFlowNode for json_search | mongoengine_bad.py:46:26:46:46 | ControlFlowNode for Dict | provenance | | -| mongoengine_bad.py:43:19:43:43 | ControlFlowNode for Attribute() | mongoengine_bad.py:43:5:43:15 | ControlFlowNode for json_search | provenance | | -| mongoengine_bad.py:43:30:43:42 | ControlFlowNode for unsafe_search | mongoengine_bad.py:43:19:43:43 | ControlFlowNode for Attribute() | provenance | Config | -| mongoengine_bad.py:50:5:50:17 | ControlFlowNode for unsafe_search | mongoengine_bad.py:51:30:51:42 | ControlFlowNode for unsafe_search | provenance | | -| mongoengine_bad.py:50:21:50:27 | ControlFlowNode for request | mongoengine_bad.py:50:5:50:17 | ControlFlowNode for unsafe_search | provenance | AdditionalTaintStep | -| mongoengine_bad.py:51:5:51:15 | ControlFlowNode for json_search | mongoengine_bad.py:53:34:53:44 | ControlFlowNode 
for json_search | provenance | | -| mongoengine_bad.py:51:19:51:43 | ControlFlowNode for Attribute() | mongoengine_bad.py:51:5:51:15 | ControlFlowNode for json_search | provenance | | -| mongoengine_bad.py:51:30:51:42 | ControlFlowNode for unsafe_search | mongoengine_bad.py:51:19:51:43 | ControlFlowNode for Attribute() | provenance | Config | -| mongoengine_bad.py:57:5:57:17 | ControlFlowNode for unsafe_search | mongoengine_bad.py:58:30:58:42 | ControlFlowNode for unsafe_search | provenance | | -| mongoengine_bad.py:57:21:57:27 | ControlFlowNode for request | mongoengine_bad.py:57:5:57:17 | ControlFlowNode for unsafe_search | provenance | AdditionalTaintStep | -| mongoengine_bad.py:58:5:58:15 | ControlFlowNode for json_search | mongoengine_bad.py:61:29:61:49 | ControlFlowNode for Dict | provenance | | -| mongoengine_bad.py:58:19:58:43 | ControlFlowNode for Attribute() | mongoengine_bad.py:58:5:58:15 | ControlFlowNode for json_search | provenance | | -| mongoengine_bad.py:58:30:58:42 | ControlFlowNode for unsafe_search | mongoengine_bad.py:58:19:58:43 | ControlFlowNode for Attribute() | provenance | Config | -| pymongo_test.py:1:26:1:32 | ControlFlowNode for ImportMember | pymongo_test.py:1:26:1:32 | ControlFlowNode for request | provenance | | -| pymongo_test.py:1:26:1:32 | ControlFlowNode for request | pymongo_test.py:12:21:12:27 | ControlFlowNode for request | provenance | | -| pymongo_test.py:1:26:1:32 | ControlFlowNode for request | pymongo_test.py:29:27:29:33 | ControlFlowNode for request | provenance | | -| pymongo_test.py:1:26:1:32 | ControlFlowNode for request | pymongo_test.py:39:27:39:33 | ControlFlowNode for request | provenance | | -| pymongo_test.py:1:26:1:32 | ControlFlowNode for request | pymongo_test.py:52:26:52:32 | ControlFlowNode for request | provenance | | -| pymongo_test.py:12:5:12:17 | ControlFlowNode for unsafe_search | pymongo_test.py:13:30:13:42 | ControlFlowNode for unsafe_search | provenance | | -| pymongo_test.py:12:21:12:27 | 
ControlFlowNode for request | pymongo_test.py:12:5:12:17 | ControlFlowNode for unsafe_search | provenance | AdditionalTaintStep | -| pymongo_test.py:13:5:13:15 | ControlFlowNode for json_search | pymongo_test.py:15:42:15:62 | ControlFlowNode for Dict | provenance | | -| pymongo_test.py:13:19:13:43 | ControlFlowNode for Attribute() | pymongo_test.py:13:5:13:15 | ControlFlowNode for json_search | provenance | | -| pymongo_test.py:13:30:13:42 | ControlFlowNode for unsafe_search | pymongo_test.py:13:19:13:43 | ControlFlowNode for Attribute() | provenance | Config | -| pymongo_test.py:29:5:29:12 | ControlFlowNode for event_id | pymongo_test.py:33:45:33:72 | ControlFlowNode for Fstring | provenance | | -| pymongo_test.py:29:16:29:51 | ControlFlowNode for Attribute() | pymongo_test.py:29:5:29:12 | ControlFlowNode for event_id | provenance | | -| pymongo_test.py:29:27:29:33 | ControlFlowNode for request | pymongo_test.py:29:27:29:50 | ControlFlowNode for Subscript | provenance | AdditionalTaintStep | -| pymongo_test.py:29:27:29:50 | ControlFlowNode for Subscript | pymongo_test.py:29:16:29:51 | ControlFlowNode for Attribute() | provenance | Config | -| pymongo_test.py:33:45:33:72 | ControlFlowNode for Fstring | pymongo_test.py:33:34:33:73 | ControlFlowNode for Dict | provenance | | -| pymongo_test.py:33:45:33:72 | ControlFlowNode for Fstring | pymongo_test.py:33:34:33:73 | ControlFlowNode for Dict | provenance | Decoding-NoSQL | -| pymongo_test.py:39:5:39:12 | ControlFlowNode for event_id | pymongo_test.py:43:45:43:72 | ControlFlowNode for Fstring | provenance | | -| pymongo_test.py:39:16:39:51 | ControlFlowNode for Attribute() | pymongo_test.py:39:5:39:12 | ControlFlowNode for event_id | provenance | | -| pymongo_test.py:39:27:39:33 | ControlFlowNode for request | pymongo_test.py:39:27:39:50 | ControlFlowNode for Subscript | provenance | AdditionalTaintStep | -| pymongo_test.py:39:27:39:50 | ControlFlowNode for Subscript | pymongo_test.py:39:16:39:51 | ControlFlowNode for 
Attribute() | provenance | Config | -| pymongo_test.py:43:45:43:72 | ControlFlowNode for Fstring | pymongo_test.py:43:34:43:73 | ControlFlowNode for Dict | provenance | | -| pymongo_test.py:43:45:43:72 | ControlFlowNode for Fstring | pymongo_test.py:43:34:43:73 | ControlFlowNode for Dict | provenance | Decoding-NoSQL | -| pymongo_test.py:52:5:52:11 | ControlFlowNode for decoded | pymongo_test.py:55:17:55:23 | ControlFlowNode for decoded | provenance | | -| pymongo_test.py:52:15:52:50 | ControlFlowNode for Attribute() | pymongo_test.py:52:5:52:11 | ControlFlowNode for decoded | provenance | | -| pymongo_test.py:52:26:52:32 | ControlFlowNode for request | pymongo_test.py:52:26:52:49 | ControlFlowNode for Subscript | provenance | AdditionalTaintStep | -| pymongo_test.py:52:26:52:49 | ControlFlowNode for Subscript | pymongo_test.py:52:15:52:50 | ControlFlowNode for Attribute() | provenance | Config | -| pymongo_test.py:54:5:54:10 | ControlFlowNode for search | pymongo_test.py:59:25:59:56 | ControlFlowNode for Dict | provenance | | -| pymongo_test.py:54:14:58:5 | ControlFlowNode for Dict | pymongo_test.py:54:5:54:10 | ControlFlowNode for search | provenance | | -| pymongo_test.py:55:17:55:23 | ControlFlowNode for decoded | pymongo_test.py:54:14:58:5 | ControlFlowNode for Dict | provenance | | -| pymongo_test.py:55:17:55:23 | ControlFlowNode for decoded | pymongo_test.py:54:14:58:5 | ControlFlowNode for Dict | provenance | Decoding-NoSQL | -| pymongo_test.py:55:17:55:23 | ControlFlowNode for decoded | pymongo_test.py:61:25:61:57 | ControlFlowNode for Dict | provenance | | -| pymongo_test.py:55:17:55:23 | ControlFlowNode for decoded | pymongo_test.py:62:25:62:42 | ControlFlowNode for Dict | provenance | | -| pymongo_test.py:55:17:55:23 | ControlFlowNode for decoded | pymongo_test.py:63:25:63:31 | ControlFlowNode for decoded | provenance | | +| PoC/server.py:1:26:1:32 | After ImportMember | PoC/server.py:1:26:1:32 | request | provenance | | +| PoC/server.py:1:26:1:32 | 
request | PoC/server.py:26:21:26:27 | request | provenance | | +| PoC/server.py:1:26:1:32 | request | PoC/server.py:43:14:43:20 | request | provenance | | +| PoC/server.py:1:26:1:32 | request | PoC/server.py:52:14:52:20 | request | provenance | | +| PoC/server.py:1:26:1:32 | request | PoC/server.py:77:14:77:20 | request | provenance | | +| PoC/server.py:1:26:1:32 | request | PoC/server.py:98:14:98:20 | request | provenance | | +| PoC/server.py:26:5:26:17 | author_string | PoC/server.py:27:25:27:37 | author_string | provenance | | +| PoC/server.py:26:21:26:27 | request | PoC/server.py:26:5:26:17 | author_string | provenance | AdditionalTaintStep | +| PoC/server.py:27:5:27:10 | author | PoC/server.py:30:27:30:44 | After Dict | provenance | | +| PoC/server.py:27:5:27:10 | author | PoC/server.py:31:34:31:51 | After Dict | provenance | | +| PoC/server.py:27:14:27:38 | After Attribute() | PoC/server.py:27:5:27:10 | author | provenance | | +| PoC/server.py:27:25:27:37 | author_string | PoC/server.py:27:14:27:38 | After Attribute() | provenance | Config | +| PoC/server.py:43:5:43:10 | author | PoC/server.py:47:38:47:67 | After BinaryExpr | provenance | | +| PoC/server.py:43:14:43:20 | request | PoC/server.py:43:5:43:10 | author | provenance | AdditionalTaintStep | +| PoC/server.py:47:38:47:67 | After BinaryExpr | PoC/server.py:47:27:47:68 | After Dict | provenance | Config | +| PoC/server.py:52:5:52:10 | author | PoC/server.py:54:17:54:70 | After BinaryExpr | provenance | | +| PoC/server.py:52:14:52:20 | request | PoC/server.py:52:5:52:10 | author | provenance | AdditionalTaintStep | +| PoC/server.py:53:5:53:10 | search | PoC/server.py:61:27:61:58 | After Dict | provenance | | +| PoC/server.py:53:14:57:5 | After Dict | PoC/server.py:53:5:53:10 | search | provenance | | +| PoC/server.py:54:17:54:70 | After BinaryExpr | PoC/server.py:53:14:57:5 | After Dict | provenance | Config | +| PoC/server.py:77:5:77:10 | author | PoC/server.py:80:23:80:101 | After BinaryExpr | 
provenance | | +| PoC/server.py:77:14:77:20 | request | PoC/server.py:77:5:77:10 | author | provenance | AdditionalTaintStep | +| PoC/server.py:78:5:78:15 | accumulator | PoC/server.py:84:5:84:9 | group | provenance | | +| PoC/server.py:78:19:83:5 | After Dict | PoC/server.py:78:5:78:15 | accumulator | provenance | | +| PoC/server.py:80:23:80:101 | After BinaryExpr | PoC/server.py:78:19:83:5 | After Dict | provenance | Config | +| PoC/server.py:84:5:84:9 | group | PoC/server.py:91:29:91:47 | After Dict | provenance | | +| PoC/server.py:84:5:84:9 | group | PoC/server.py:92:38:92:56 | After Dict | provenance | | +| PoC/server.py:98:5:98:10 | author | PoC/server.py:99:5:99:10 | mapper | provenance | | +| PoC/server.py:98:14:98:20 | request | PoC/server.py:98:5:98:10 | author | provenance | AdditionalTaintStep | +| PoC/server.py:99:5:99:10 | mapper | PoC/server.py:102:9:102:14 | mapper | provenance | | +| flask_mongoengine_bad.py:1:26:1:32 | After ImportMember | flask_mongoengine_bad.py:1:26:1:32 | request | provenance | | +| flask_mongoengine_bad.py:1:26:1:32 | request | flask_mongoengine_bad.py:19:21:19:27 | request | provenance | | +| flask_mongoengine_bad.py:1:26:1:32 | request | flask_mongoengine_bad.py:26:21:26:27 | request | provenance | | +| flask_mongoengine_bad.py:19:5:19:17 | unsafe_search | flask_mongoengine_bad.py:20:30:20:42 | unsafe_search | provenance | | +| flask_mongoengine_bad.py:19:21:19:27 | request | flask_mongoengine_bad.py:19:5:19:17 | unsafe_search | provenance | AdditionalTaintStep | +| flask_mongoengine_bad.py:20:5:20:15 | json_search | flask_mongoengine_bad.py:22:34:22:44 | json_search | provenance | | +| flask_mongoengine_bad.py:20:19:20:43 | After Attribute() | flask_mongoengine_bad.py:20:5:20:15 | json_search | provenance | | +| flask_mongoengine_bad.py:20:30:20:42 | unsafe_search | flask_mongoengine_bad.py:20:19:20:43 | After Attribute() | provenance | Config | +| flask_mongoengine_bad.py:26:5:26:17 | unsafe_search | 
flask_mongoengine_bad.py:27:30:27:42 | unsafe_search | provenance | | +| flask_mongoengine_bad.py:26:21:26:27 | request | flask_mongoengine_bad.py:26:5:26:17 | unsafe_search | provenance | AdditionalTaintStep | +| flask_mongoengine_bad.py:27:5:27:15 | json_search | flask_mongoengine_bad.py:30:39:30:59 | After Dict | provenance | | +| flask_mongoengine_bad.py:27:19:27:43 | After Attribute() | flask_mongoengine_bad.py:27:5:27:15 | json_search | provenance | | +| flask_mongoengine_bad.py:27:30:27:42 | unsafe_search | flask_mongoengine_bad.py:27:19:27:43 | After Attribute() | provenance | Config | +| flask_pymongo_bad.py:1:26:1:32 | After ImportMember | flask_pymongo_bad.py:1:26:1:32 | request | provenance | | +| flask_pymongo_bad.py:1:26:1:32 | request | flask_pymongo_bad.py:11:21:11:27 | request | provenance | | +| flask_pymongo_bad.py:11:5:11:17 | unsafe_search | flask_pymongo_bad.py:12:30:12:42 | unsafe_search | provenance | | +| flask_pymongo_bad.py:11:21:11:27 | request | flask_pymongo_bad.py:11:5:11:17 | unsafe_search | provenance | AdditionalTaintStep | +| flask_pymongo_bad.py:12:5:12:15 | json_search | flask_pymongo_bad.py:14:31:14:51 | After Dict | provenance | | +| flask_pymongo_bad.py:12:19:12:43 | After Attribute() | flask_pymongo_bad.py:12:5:12:15 | json_search | provenance | | +| flask_pymongo_bad.py:12:30:12:42 | unsafe_search | flask_pymongo_bad.py:12:19:12:43 | After Attribute() | provenance | Config | +| mongoengine_bad.py:1:26:1:32 | After ImportMember | mongoengine_bad.py:1:26:1:32 | request | provenance | | +| mongoengine_bad.py:1:26:1:32 | request | mongoengine_bad.py:18:21:18:27 | request | provenance | | +| mongoengine_bad.py:1:26:1:32 | request | mongoengine_bad.py:26:21:26:27 | request | provenance | | +| mongoengine_bad.py:1:26:1:32 | request | mongoengine_bad.py:34:21:34:27 | request | provenance | | +| mongoengine_bad.py:1:26:1:32 | request | mongoengine_bad.py:42:21:42:27 | request | provenance | | +| mongoengine_bad.py:1:26:1:32 | 
request | mongoengine_bad.py:50:21:50:27 | request | provenance | | +| mongoengine_bad.py:1:26:1:32 | request | mongoengine_bad.py:57:21:57:27 | request | provenance | | +| mongoengine_bad.py:18:5:18:17 | unsafe_search | mongoengine_bad.py:19:30:19:42 | unsafe_search | provenance | | +| mongoengine_bad.py:18:21:18:27 | request | mongoengine_bad.py:18:5:18:17 | unsafe_search | provenance | AdditionalTaintStep | +| mongoengine_bad.py:19:5:19:15 | json_search | mongoengine_bad.py:22:26:22:46 | After Dict | provenance | | +| mongoengine_bad.py:19:19:19:43 | After Attribute() | mongoengine_bad.py:19:5:19:15 | json_search | provenance | | +| mongoengine_bad.py:19:30:19:42 | unsafe_search | mongoengine_bad.py:19:19:19:43 | After Attribute() | provenance | Config | +| mongoengine_bad.py:26:5:26:17 | unsafe_search | mongoengine_bad.py:27:30:27:42 | unsafe_search | provenance | | +| mongoengine_bad.py:26:21:26:27 | request | mongoengine_bad.py:26:5:26:17 | unsafe_search | provenance | AdditionalTaintStep | +| mongoengine_bad.py:27:5:27:15 | json_search | mongoengine_bad.py:30:26:30:46 | After Dict | provenance | | +| mongoengine_bad.py:27:19:27:43 | After Attribute() | mongoengine_bad.py:27:5:27:15 | json_search | provenance | | +| mongoengine_bad.py:27:30:27:42 | unsafe_search | mongoengine_bad.py:27:19:27:43 | After Attribute() | provenance | Config | +| mongoengine_bad.py:34:5:34:17 | unsafe_search | mongoengine_bad.py:35:30:35:42 | unsafe_search | provenance | | +| mongoengine_bad.py:34:21:34:27 | request | mongoengine_bad.py:34:5:34:17 | unsafe_search | provenance | AdditionalTaintStep | +| mongoengine_bad.py:35:5:35:15 | json_search | mongoengine_bad.py:38:26:38:46 | After Dict | provenance | | +| mongoengine_bad.py:35:19:35:43 | After Attribute() | mongoengine_bad.py:35:5:35:15 | json_search | provenance | | +| mongoengine_bad.py:35:30:35:42 | unsafe_search | mongoengine_bad.py:35:19:35:43 | After Attribute() | provenance | Config | +| mongoengine_bad.py:42:5:42:17 | 
unsafe_search | mongoengine_bad.py:43:30:43:42 | unsafe_search | provenance | | +| mongoengine_bad.py:42:21:42:27 | request | mongoengine_bad.py:42:5:42:17 | unsafe_search | provenance | AdditionalTaintStep | +| mongoengine_bad.py:43:5:43:15 | json_search | mongoengine_bad.py:46:26:46:46 | After Dict | provenance | | +| mongoengine_bad.py:43:19:43:43 | After Attribute() | mongoengine_bad.py:43:5:43:15 | json_search | provenance | | +| mongoengine_bad.py:43:30:43:42 | unsafe_search | mongoengine_bad.py:43:19:43:43 | After Attribute() | provenance | Config | +| mongoengine_bad.py:50:5:50:17 | unsafe_search | mongoengine_bad.py:51:30:51:42 | unsafe_search | provenance | | +| mongoengine_bad.py:50:21:50:27 | request | mongoengine_bad.py:50:5:50:17 | unsafe_search | provenance | AdditionalTaintStep | +| mongoengine_bad.py:51:5:51:15 | json_search | mongoengine_bad.py:53:34:53:44 | json_search | provenance | | +| mongoengine_bad.py:51:19:51:43 | After Attribute() | mongoengine_bad.py:51:5:51:15 | json_search | provenance | | +| mongoengine_bad.py:51:30:51:42 | unsafe_search | mongoengine_bad.py:51:19:51:43 | After Attribute() | provenance | Config | +| mongoengine_bad.py:57:5:57:17 | unsafe_search | mongoengine_bad.py:58:30:58:42 | unsafe_search | provenance | | +| mongoengine_bad.py:57:21:57:27 | request | mongoengine_bad.py:57:5:57:17 | unsafe_search | provenance | AdditionalTaintStep | +| mongoengine_bad.py:58:5:58:15 | json_search | mongoengine_bad.py:61:29:61:49 | After Dict | provenance | | +| mongoengine_bad.py:58:19:58:43 | After Attribute() | mongoengine_bad.py:58:5:58:15 | json_search | provenance | | +| mongoengine_bad.py:58:30:58:42 | unsafe_search | mongoengine_bad.py:58:19:58:43 | After Attribute() | provenance | Config | +| pymongo_test.py:1:26:1:32 | After ImportMember | pymongo_test.py:1:26:1:32 | request | provenance | | +| pymongo_test.py:1:26:1:32 | request | pymongo_test.py:12:21:12:27 | request | provenance | | +| pymongo_test.py:1:26:1:32 | request 
| pymongo_test.py:29:27:29:33 | request | provenance | | +| pymongo_test.py:1:26:1:32 | request | pymongo_test.py:39:27:39:33 | request | provenance | | +| pymongo_test.py:1:26:1:32 | request | pymongo_test.py:52:26:52:32 | request | provenance | | +| pymongo_test.py:12:5:12:17 | unsafe_search | pymongo_test.py:13:30:13:42 | unsafe_search | provenance | | +| pymongo_test.py:12:21:12:27 | request | pymongo_test.py:12:5:12:17 | unsafe_search | provenance | AdditionalTaintStep | +| pymongo_test.py:13:5:13:15 | json_search | pymongo_test.py:15:42:15:62 | After Dict | provenance | | +| pymongo_test.py:13:19:13:43 | After Attribute() | pymongo_test.py:13:5:13:15 | json_search | provenance | | +| pymongo_test.py:13:30:13:42 | unsafe_search | pymongo_test.py:13:19:13:43 | After Attribute() | provenance | Config | +| pymongo_test.py:29:5:29:12 | event_id | pymongo_test.py:33:45:33:72 | After Fstring | provenance | | +| pymongo_test.py:29:16:29:51 | After Attribute() | pymongo_test.py:29:5:29:12 | event_id | provenance | | +| pymongo_test.py:29:27:29:33 | request | pymongo_test.py:29:27:29:50 | After Subscript | provenance | AdditionalTaintStep | +| pymongo_test.py:29:27:29:50 | After Subscript | pymongo_test.py:29:16:29:51 | After Attribute() | provenance | Config | +| pymongo_test.py:33:45:33:72 | After Fstring | pymongo_test.py:33:34:33:73 | After Dict | provenance | | +| pymongo_test.py:33:45:33:72 | After Fstring | pymongo_test.py:33:34:33:73 | After Dict | provenance | Decoding-NoSQL | +| pymongo_test.py:39:5:39:12 | event_id | pymongo_test.py:43:45:43:72 | After Fstring | provenance | | +| pymongo_test.py:39:16:39:51 | After Attribute() | pymongo_test.py:39:5:39:12 | event_id | provenance | | +| pymongo_test.py:39:27:39:33 | request | pymongo_test.py:39:27:39:50 | After Subscript | provenance | AdditionalTaintStep | +| pymongo_test.py:39:27:39:50 | After Subscript | pymongo_test.py:39:16:39:51 | After Attribute() | provenance | Config | +| pymongo_test.py:43:45:43:72 
| After Fstring | pymongo_test.py:43:34:43:73 | After Dict | provenance | | +| pymongo_test.py:43:45:43:72 | After Fstring | pymongo_test.py:43:34:43:73 | After Dict | provenance | Decoding-NoSQL | +| pymongo_test.py:52:5:52:11 | decoded | pymongo_test.py:55:17:55:23 | decoded | provenance | | +| pymongo_test.py:52:15:52:50 | After Attribute() | pymongo_test.py:52:5:52:11 | decoded | provenance | | +| pymongo_test.py:52:26:52:32 | request | pymongo_test.py:52:26:52:49 | After Subscript | provenance | AdditionalTaintStep | +| pymongo_test.py:52:26:52:49 | After Subscript | pymongo_test.py:52:15:52:50 | After Attribute() | provenance | Config | +| pymongo_test.py:54:5:54:10 | search | pymongo_test.py:59:25:59:56 | After Dict | provenance | | +| pymongo_test.py:54:14:58:5 | After Dict | pymongo_test.py:54:5:54:10 | search | provenance | | +| pymongo_test.py:55:17:55:23 | decoded | pymongo_test.py:54:14:58:5 | After Dict | provenance | | +| pymongo_test.py:55:17:55:23 | decoded | pymongo_test.py:54:14:58:5 | After Dict | provenance | Decoding-NoSQL | +| pymongo_test.py:55:17:55:23 | decoded | pymongo_test.py:61:25:61:57 | After Dict | provenance | | +| pymongo_test.py:55:17:55:23 | decoded | pymongo_test.py:62:25:62:42 | After Dict | provenance | | +| pymongo_test.py:55:17:55:23 | decoded | pymongo_test.py:63:25:63:31 | decoded | provenance | | nodes -| PoC/server.py:1:26:1:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember | -| PoC/server.py:1:26:1:32 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| PoC/server.py:26:5:26:17 | ControlFlowNode for author_string | semmle.label | ControlFlowNode for author_string | -| PoC/server.py:26:21:26:27 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| PoC/server.py:27:5:27:10 | ControlFlowNode for author | semmle.label | ControlFlowNode for author | -| PoC/server.py:27:14:27:38 | ControlFlowNode for Attribute() | semmle.label | 
ControlFlowNode for Attribute() | -| PoC/server.py:27:25:27:37 | ControlFlowNode for author_string | semmle.label | ControlFlowNode for author_string | -| PoC/server.py:30:27:30:44 | ControlFlowNode for Dict | semmle.label | ControlFlowNode for Dict | -| PoC/server.py:31:34:31:51 | ControlFlowNode for Dict | semmle.label | ControlFlowNode for Dict | -| PoC/server.py:43:5:43:10 | ControlFlowNode for author | semmle.label | ControlFlowNode for author | -| PoC/server.py:43:14:43:20 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| PoC/server.py:47:27:47:68 | ControlFlowNode for Dict | semmle.label | ControlFlowNode for Dict | -| PoC/server.py:47:38:47:67 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr | -| PoC/server.py:52:5:52:10 | ControlFlowNode for author | semmle.label | ControlFlowNode for author | -| PoC/server.py:52:14:52:20 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| PoC/server.py:53:5:53:10 | ControlFlowNode for search | semmle.label | ControlFlowNode for search | -| PoC/server.py:53:14:57:5 | ControlFlowNode for Dict | semmle.label | ControlFlowNode for Dict | -| PoC/server.py:54:17:54:70 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr | -| PoC/server.py:61:27:61:58 | ControlFlowNode for Dict | semmle.label | ControlFlowNode for Dict | -| PoC/server.py:77:5:77:10 | ControlFlowNode for author | semmle.label | ControlFlowNode for author | -| PoC/server.py:77:14:77:20 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| PoC/server.py:78:5:78:15 | ControlFlowNode for accumulator | semmle.label | ControlFlowNode for accumulator | -| PoC/server.py:78:19:83:5 | ControlFlowNode for Dict | semmle.label | ControlFlowNode for Dict | -| PoC/server.py:80:23:80:101 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr | -| PoC/server.py:84:5:84:9 | ControlFlowNode for group | semmle.label 
| ControlFlowNode for group | -| PoC/server.py:91:29:91:47 | ControlFlowNode for Dict | semmle.label | ControlFlowNode for Dict | -| PoC/server.py:92:38:92:56 | ControlFlowNode for Dict | semmle.label | ControlFlowNode for Dict | -| PoC/server.py:98:5:98:10 | ControlFlowNode for author | semmle.label | ControlFlowNode for author | -| PoC/server.py:98:14:98:20 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| PoC/server.py:99:5:99:10 | ControlFlowNode for mapper | semmle.label | ControlFlowNode for mapper | -| PoC/server.py:102:9:102:14 | ControlFlowNode for mapper | semmle.label | ControlFlowNode for mapper | -| flask_mongoengine_bad.py:1:26:1:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember | -| flask_mongoengine_bad.py:1:26:1:32 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| flask_mongoengine_bad.py:19:5:19:17 | ControlFlowNode for unsafe_search | semmle.label | ControlFlowNode for unsafe_search | -| flask_mongoengine_bad.py:19:21:19:27 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| flask_mongoengine_bad.py:20:5:20:15 | ControlFlowNode for json_search | semmle.label | ControlFlowNode for json_search | -| flask_mongoengine_bad.py:20:19:20:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| flask_mongoengine_bad.py:20:30:20:42 | ControlFlowNode for unsafe_search | semmle.label | ControlFlowNode for unsafe_search | -| flask_mongoengine_bad.py:22:34:22:44 | ControlFlowNode for json_search | semmle.label | ControlFlowNode for json_search | -| flask_mongoengine_bad.py:26:5:26:17 | ControlFlowNode for unsafe_search | semmle.label | ControlFlowNode for unsafe_search | -| flask_mongoengine_bad.py:26:21:26:27 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| flask_mongoengine_bad.py:27:5:27:15 | ControlFlowNode for json_search | semmle.label | ControlFlowNode for 
json_search | -| flask_mongoengine_bad.py:27:19:27:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| flask_mongoengine_bad.py:27:30:27:42 | ControlFlowNode for unsafe_search | semmle.label | ControlFlowNode for unsafe_search | -| flask_mongoengine_bad.py:30:39:30:59 | ControlFlowNode for Dict | semmle.label | ControlFlowNode for Dict | -| flask_pymongo_bad.py:1:26:1:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember | -| flask_pymongo_bad.py:1:26:1:32 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| flask_pymongo_bad.py:11:5:11:17 | ControlFlowNode for unsafe_search | semmle.label | ControlFlowNode for unsafe_search | -| flask_pymongo_bad.py:11:21:11:27 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| flask_pymongo_bad.py:12:5:12:15 | ControlFlowNode for json_search | semmle.label | ControlFlowNode for json_search | -| flask_pymongo_bad.py:12:19:12:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| flask_pymongo_bad.py:12:30:12:42 | ControlFlowNode for unsafe_search | semmle.label | ControlFlowNode for unsafe_search | -| flask_pymongo_bad.py:14:31:14:51 | ControlFlowNode for Dict | semmle.label | ControlFlowNode for Dict | -| mongoengine_bad.py:1:26:1:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember | -| mongoengine_bad.py:1:26:1:32 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| mongoengine_bad.py:18:5:18:17 | ControlFlowNode for unsafe_search | semmle.label | ControlFlowNode for unsafe_search | -| mongoengine_bad.py:18:21:18:27 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| mongoengine_bad.py:19:5:19:15 | ControlFlowNode for json_search | semmle.label | ControlFlowNode for json_search | -| mongoengine_bad.py:19:19:19:43 | ControlFlowNode for Attribute() | semmle.label | 
ControlFlowNode for Attribute() | -| mongoengine_bad.py:19:30:19:42 | ControlFlowNode for unsafe_search | semmle.label | ControlFlowNode for unsafe_search | -| mongoengine_bad.py:22:26:22:46 | ControlFlowNode for Dict | semmle.label | ControlFlowNode for Dict | -| mongoengine_bad.py:26:5:26:17 | ControlFlowNode for unsafe_search | semmle.label | ControlFlowNode for unsafe_search | -| mongoengine_bad.py:26:21:26:27 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| mongoengine_bad.py:27:5:27:15 | ControlFlowNode for json_search | semmle.label | ControlFlowNode for json_search | -| mongoengine_bad.py:27:19:27:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| mongoengine_bad.py:27:30:27:42 | ControlFlowNode for unsafe_search | semmle.label | ControlFlowNode for unsafe_search | -| mongoengine_bad.py:30:26:30:46 | ControlFlowNode for Dict | semmle.label | ControlFlowNode for Dict | -| mongoengine_bad.py:34:5:34:17 | ControlFlowNode for unsafe_search | semmle.label | ControlFlowNode for unsafe_search | -| mongoengine_bad.py:34:21:34:27 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| mongoengine_bad.py:35:5:35:15 | ControlFlowNode for json_search | semmle.label | ControlFlowNode for json_search | -| mongoengine_bad.py:35:19:35:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| mongoengine_bad.py:35:30:35:42 | ControlFlowNode for unsafe_search | semmle.label | ControlFlowNode for unsafe_search | -| mongoengine_bad.py:38:26:38:46 | ControlFlowNode for Dict | semmle.label | ControlFlowNode for Dict | -| mongoengine_bad.py:42:5:42:17 | ControlFlowNode for unsafe_search | semmle.label | ControlFlowNode for unsafe_search | -| mongoengine_bad.py:42:21:42:27 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| mongoengine_bad.py:43:5:43:15 | ControlFlowNode for json_search | semmle.label | ControlFlowNode for 
json_search | -| mongoengine_bad.py:43:19:43:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| mongoengine_bad.py:43:30:43:42 | ControlFlowNode for unsafe_search | semmle.label | ControlFlowNode for unsafe_search | -| mongoengine_bad.py:46:26:46:46 | ControlFlowNode for Dict | semmle.label | ControlFlowNode for Dict | -| mongoengine_bad.py:50:5:50:17 | ControlFlowNode for unsafe_search | semmle.label | ControlFlowNode for unsafe_search | -| mongoengine_bad.py:50:21:50:27 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| mongoengine_bad.py:51:5:51:15 | ControlFlowNode for json_search | semmle.label | ControlFlowNode for json_search | -| mongoengine_bad.py:51:19:51:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| mongoengine_bad.py:51:30:51:42 | ControlFlowNode for unsafe_search | semmle.label | ControlFlowNode for unsafe_search | -| mongoengine_bad.py:53:34:53:44 | ControlFlowNode for json_search | semmle.label | ControlFlowNode for json_search | -| mongoengine_bad.py:57:5:57:17 | ControlFlowNode for unsafe_search | semmle.label | ControlFlowNode for unsafe_search | -| mongoengine_bad.py:57:21:57:27 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| mongoengine_bad.py:58:5:58:15 | ControlFlowNode for json_search | semmle.label | ControlFlowNode for json_search | -| mongoengine_bad.py:58:19:58:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| mongoengine_bad.py:58:30:58:42 | ControlFlowNode for unsafe_search | semmle.label | ControlFlowNode for unsafe_search | -| mongoengine_bad.py:61:29:61:49 | ControlFlowNode for Dict | semmle.label | ControlFlowNode for Dict | -| pymongo_test.py:1:26:1:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember | -| pymongo_test.py:1:26:1:32 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| 
pymongo_test.py:12:5:12:17 | ControlFlowNode for unsafe_search | semmle.label | ControlFlowNode for unsafe_search | -| pymongo_test.py:12:21:12:27 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| pymongo_test.py:13:5:13:15 | ControlFlowNode for json_search | semmle.label | ControlFlowNode for json_search | -| pymongo_test.py:13:19:13:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| pymongo_test.py:13:30:13:42 | ControlFlowNode for unsafe_search | semmle.label | ControlFlowNode for unsafe_search | -| pymongo_test.py:15:42:15:62 | ControlFlowNode for Dict | semmle.label | ControlFlowNode for Dict | -| pymongo_test.py:29:5:29:12 | ControlFlowNode for event_id | semmle.label | ControlFlowNode for event_id | -| pymongo_test.py:29:16:29:51 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| pymongo_test.py:29:27:29:33 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| pymongo_test.py:29:27:29:50 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript | -| pymongo_test.py:33:34:33:73 | ControlFlowNode for Dict | semmle.label | ControlFlowNode for Dict | -| pymongo_test.py:33:45:33:72 | ControlFlowNode for Fstring | semmle.label | ControlFlowNode for Fstring | -| pymongo_test.py:39:5:39:12 | ControlFlowNode for event_id | semmle.label | ControlFlowNode for event_id | -| pymongo_test.py:39:16:39:51 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| pymongo_test.py:39:27:39:33 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| pymongo_test.py:39:27:39:50 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript | -| pymongo_test.py:43:34:43:73 | ControlFlowNode for Dict | semmle.label | ControlFlowNode for Dict | -| pymongo_test.py:43:45:43:72 | ControlFlowNode for Fstring | semmle.label | ControlFlowNode for Fstring | -| 
pymongo_test.py:52:5:52:11 | ControlFlowNode for decoded | semmle.label | ControlFlowNode for decoded | -| pymongo_test.py:52:15:52:50 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| pymongo_test.py:52:26:52:32 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| pymongo_test.py:52:26:52:49 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript | -| pymongo_test.py:54:5:54:10 | ControlFlowNode for search | semmle.label | ControlFlowNode for search | -| pymongo_test.py:54:14:58:5 | ControlFlowNode for Dict | semmle.label | ControlFlowNode for Dict | -| pymongo_test.py:55:17:55:23 | ControlFlowNode for decoded | semmle.label | ControlFlowNode for decoded | -| pymongo_test.py:59:25:59:56 | ControlFlowNode for Dict | semmle.label | ControlFlowNode for Dict | -| pymongo_test.py:61:25:61:57 | ControlFlowNode for Dict | semmle.label | ControlFlowNode for Dict | -| pymongo_test.py:62:25:62:42 | ControlFlowNode for Dict | semmle.label | ControlFlowNode for Dict | -| pymongo_test.py:63:25:63:31 | ControlFlowNode for decoded | semmle.label | ControlFlowNode for decoded | +| PoC/server.py:1:26:1:32 | After ImportMember | semmle.label | After ImportMember | +| PoC/server.py:1:26:1:32 | request | semmle.label | request | +| PoC/server.py:26:5:26:17 | author_string | semmle.label | author_string | +| PoC/server.py:26:21:26:27 | request | semmle.label | request | +| PoC/server.py:27:5:27:10 | author | semmle.label | author | +| PoC/server.py:27:14:27:38 | After Attribute() | semmle.label | After Attribute() | +| PoC/server.py:27:25:27:37 | author_string | semmle.label | author_string | +| PoC/server.py:30:27:30:44 | After Dict | semmle.label | After Dict | +| PoC/server.py:31:34:31:51 | After Dict | semmle.label | After Dict | +| PoC/server.py:43:5:43:10 | author | semmle.label | author | +| PoC/server.py:43:14:43:20 | request | semmle.label | request | +| PoC/server.py:47:27:47:68 | After 
Dict | semmle.label | After Dict | +| PoC/server.py:47:38:47:67 | After BinaryExpr | semmle.label | After BinaryExpr | +| PoC/server.py:52:5:52:10 | author | semmle.label | author | +| PoC/server.py:52:14:52:20 | request | semmle.label | request | +| PoC/server.py:53:5:53:10 | search | semmle.label | search | +| PoC/server.py:53:14:57:5 | After Dict | semmle.label | After Dict | +| PoC/server.py:54:17:54:70 | After BinaryExpr | semmle.label | After BinaryExpr | +| PoC/server.py:61:27:61:58 | After Dict | semmle.label | After Dict | +| PoC/server.py:77:5:77:10 | author | semmle.label | author | +| PoC/server.py:77:14:77:20 | request | semmle.label | request | +| PoC/server.py:78:5:78:15 | accumulator | semmle.label | accumulator | +| PoC/server.py:78:19:83:5 | After Dict | semmle.label | After Dict | +| PoC/server.py:80:23:80:101 | After BinaryExpr | semmle.label | After BinaryExpr | +| PoC/server.py:84:5:84:9 | group | semmle.label | group | +| PoC/server.py:91:29:91:47 | After Dict | semmle.label | After Dict | +| PoC/server.py:92:38:92:56 | After Dict | semmle.label | After Dict | +| PoC/server.py:98:5:98:10 | author | semmle.label | author | +| PoC/server.py:98:14:98:20 | request | semmle.label | request | +| PoC/server.py:99:5:99:10 | mapper | semmle.label | mapper | +| PoC/server.py:102:9:102:14 | mapper | semmle.label | mapper | +| flask_mongoengine_bad.py:1:26:1:32 | After ImportMember | semmle.label | After ImportMember | +| flask_mongoengine_bad.py:1:26:1:32 | request | semmle.label | request | +| flask_mongoengine_bad.py:19:5:19:17 | unsafe_search | semmle.label | unsafe_search | +| flask_mongoengine_bad.py:19:21:19:27 | request | semmle.label | request | +| flask_mongoengine_bad.py:20:5:20:15 | json_search | semmle.label | json_search | +| flask_mongoengine_bad.py:20:19:20:43 | After Attribute() | semmle.label | After Attribute() | +| flask_mongoengine_bad.py:20:30:20:42 | unsafe_search | semmle.label | unsafe_search | +| 
flask_mongoengine_bad.py:22:34:22:44 | json_search | semmle.label | json_search | +| flask_mongoengine_bad.py:26:5:26:17 | unsafe_search | semmle.label | unsafe_search | +| flask_mongoengine_bad.py:26:21:26:27 | request | semmle.label | request | +| flask_mongoengine_bad.py:27:5:27:15 | json_search | semmle.label | json_search | +| flask_mongoengine_bad.py:27:19:27:43 | After Attribute() | semmle.label | After Attribute() | +| flask_mongoengine_bad.py:27:30:27:42 | unsafe_search | semmle.label | unsafe_search | +| flask_mongoengine_bad.py:30:39:30:59 | After Dict | semmle.label | After Dict | +| flask_pymongo_bad.py:1:26:1:32 | After ImportMember | semmle.label | After ImportMember | +| flask_pymongo_bad.py:1:26:1:32 | request | semmle.label | request | +| flask_pymongo_bad.py:11:5:11:17 | unsafe_search | semmle.label | unsafe_search | +| flask_pymongo_bad.py:11:21:11:27 | request | semmle.label | request | +| flask_pymongo_bad.py:12:5:12:15 | json_search | semmle.label | json_search | +| flask_pymongo_bad.py:12:19:12:43 | After Attribute() | semmle.label | After Attribute() | +| flask_pymongo_bad.py:12:30:12:42 | unsafe_search | semmle.label | unsafe_search | +| flask_pymongo_bad.py:14:31:14:51 | After Dict | semmle.label | After Dict | +| mongoengine_bad.py:1:26:1:32 | After ImportMember | semmle.label | After ImportMember | +| mongoengine_bad.py:1:26:1:32 | request | semmle.label | request | +| mongoengine_bad.py:18:5:18:17 | unsafe_search | semmle.label | unsafe_search | +| mongoengine_bad.py:18:21:18:27 | request | semmle.label | request | +| mongoengine_bad.py:19:5:19:15 | json_search | semmle.label | json_search | +| mongoengine_bad.py:19:19:19:43 | After Attribute() | semmle.label | After Attribute() | +| mongoengine_bad.py:19:30:19:42 | unsafe_search | semmle.label | unsafe_search | +| mongoengine_bad.py:22:26:22:46 | After Dict | semmle.label | After Dict | +| mongoengine_bad.py:26:5:26:17 | unsafe_search | semmle.label | unsafe_search | +| 
mongoengine_bad.py:26:21:26:27 | request | semmle.label | request | +| mongoengine_bad.py:27:5:27:15 | json_search | semmle.label | json_search | +| mongoengine_bad.py:27:19:27:43 | After Attribute() | semmle.label | After Attribute() | +| mongoengine_bad.py:27:30:27:42 | unsafe_search | semmle.label | unsafe_search | +| mongoengine_bad.py:30:26:30:46 | After Dict | semmle.label | After Dict | +| mongoengine_bad.py:34:5:34:17 | unsafe_search | semmle.label | unsafe_search | +| mongoengine_bad.py:34:21:34:27 | request | semmle.label | request | +| mongoengine_bad.py:35:5:35:15 | json_search | semmle.label | json_search | +| mongoengine_bad.py:35:19:35:43 | After Attribute() | semmle.label | After Attribute() | +| mongoengine_bad.py:35:30:35:42 | unsafe_search | semmle.label | unsafe_search | +| mongoengine_bad.py:38:26:38:46 | After Dict | semmle.label | After Dict | +| mongoengine_bad.py:42:5:42:17 | unsafe_search | semmle.label | unsafe_search | +| mongoengine_bad.py:42:21:42:27 | request | semmle.label | request | +| mongoengine_bad.py:43:5:43:15 | json_search | semmle.label | json_search | +| mongoengine_bad.py:43:19:43:43 | After Attribute() | semmle.label | After Attribute() | +| mongoengine_bad.py:43:30:43:42 | unsafe_search | semmle.label | unsafe_search | +| mongoengine_bad.py:46:26:46:46 | After Dict | semmle.label | After Dict | +| mongoengine_bad.py:50:5:50:17 | unsafe_search | semmle.label | unsafe_search | +| mongoengine_bad.py:50:21:50:27 | request | semmle.label | request | +| mongoengine_bad.py:51:5:51:15 | json_search | semmle.label | json_search | +| mongoengine_bad.py:51:19:51:43 | After Attribute() | semmle.label | After Attribute() | +| mongoengine_bad.py:51:30:51:42 | unsafe_search | semmle.label | unsafe_search | +| mongoengine_bad.py:53:34:53:44 | json_search | semmle.label | json_search | +| mongoengine_bad.py:57:5:57:17 | unsafe_search | semmle.label | unsafe_search | +| mongoengine_bad.py:57:21:57:27 | request | semmle.label | request | 
+| mongoengine_bad.py:58:5:58:15 | json_search | semmle.label | json_search | +| mongoengine_bad.py:58:19:58:43 | After Attribute() | semmle.label | After Attribute() | +| mongoengine_bad.py:58:30:58:42 | unsafe_search | semmle.label | unsafe_search | +| mongoengine_bad.py:61:29:61:49 | After Dict | semmle.label | After Dict | +| pymongo_test.py:1:26:1:32 | After ImportMember | semmle.label | After ImportMember | +| pymongo_test.py:1:26:1:32 | request | semmle.label | request | +| pymongo_test.py:12:5:12:17 | unsafe_search | semmle.label | unsafe_search | +| pymongo_test.py:12:21:12:27 | request | semmle.label | request | +| pymongo_test.py:13:5:13:15 | json_search | semmle.label | json_search | +| pymongo_test.py:13:19:13:43 | After Attribute() | semmle.label | After Attribute() | +| pymongo_test.py:13:30:13:42 | unsafe_search | semmle.label | unsafe_search | +| pymongo_test.py:15:42:15:62 | After Dict | semmle.label | After Dict | +| pymongo_test.py:29:5:29:12 | event_id | semmle.label | event_id | +| pymongo_test.py:29:16:29:51 | After Attribute() | semmle.label | After Attribute() | +| pymongo_test.py:29:27:29:33 | request | semmle.label | request | +| pymongo_test.py:29:27:29:50 | After Subscript | semmle.label | After Subscript | +| pymongo_test.py:33:34:33:73 | After Dict | semmle.label | After Dict | +| pymongo_test.py:33:45:33:72 | After Fstring | semmle.label | After Fstring | +| pymongo_test.py:39:5:39:12 | event_id | semmle.label | event_id | +| pymongo_test.py:39:16:39:51 | After Attribute() | semmle.label | After Attribute() | +| pymongo_test.py:39:27:39:33 | request | semmle.label | request | +| pymongo_test.py:39:27:39:50 | After Subscript | semmle.label | After Subscript | +| pymongo_test.py:43:34:43:73 | After Dict | semmle.label | After Dict | +| pymongo_test.py:43:45:43:72 | After Fstring | semmle.label | After Fstring | +| pymongo_test.py:52:5:52:11 | decoded | semmle.label | decoded | +| pymongo_test.py:52:15:52:50 | After Attribute() | 
semmle.label | After Attribute() | +| pymongo_test.py:52:26:52:32 | request | semmle.label | request | +| pymongo_test.py:52:26:52:49 | After Subscript | semmle.label | After Subscript | +| pymongo_test.py:54:5:54:10 | search | semmle.label | search | +| pymongo_test.py:54:14:58:5 | After Dict | semmle.label | After Dict | +| pymongo_test.py:55:17:55:23 | decoded | semmle.label | decoded | +| pymongo_test.py:59:25:59:56 | After Dict | semmle.label | After Dict | +| pymongo_test.py:61:25:61:57 | After Dict | semmle.label | After Dict | +| pymongo_test.py:62:25:62:42 | After Dict | semmle.label | After Dict | +| pymongo_test.py:63:25:63:31 | decoded | semmle.label | decoded | subpaths #select -| PoC/server.py:30:27:30:44 | ControlFlowNode for Dict | PoC/server.py:1:26:1:32 | ControlFlowNode for ImportMember | PoC/server.py:30:27:30:44 | ControlFlowNode for Dict | This NoSQL query contains an unsanitized $@. | PoC/server.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | -| PoC/server.py:31:34:31:51 | ControlFlowNode for Dict | PoC/server.py:1:26:1:32 | ControlFlowNode for ImportMember | PoC/server.py:31:34:31:51 | ControlFlowNode for Dict | This NoSQL query contains an unsanitized $@. | PoC/server.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | -| PoC/server.py:47:27:47:68 | ControlFlowNode for Dict | PoC/server.py:1:26:1:32 | ControlFlowNode for ImportMember | PoC/server.py:47:27:47:68 | ControlFlowNode for Dict | This NoSQL query contains an unsanitized $@. | PoC/server.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | -| PoC/server.py:61:27:61:58 | ControlFlowNode for Dict | PoC/server.py:1:26:1:32 | ControlFlowNode for ImportMember | PoC/server.py:61:27:61:58 | ControlFlowNode for Dict | This NoSQL query contains an unsanitized $@. 
| PoC/server.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | -| PoC/server.py:91:29:91:47 | ControlFlowNode for Dict | PoC/server.py:1:26:1:32 | ControlFlowNode for ImportMember | PoC/server.py:91:29:91:47 | ControlFlowNode for Dict | This NoSQL query contains an unsanitized $@. | PoC/server.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | -| PoC/server.py:92:38:92:56 | ControlFlowNode for Dict | PoC/server.py:1:26:1:32 | ControlFlowNode for ImportMember | PoC/server.py:92:38:92:56 | ControlFlowNode for Dict | This NoSQL query contains an unsanitized $@. | PoC/server.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | -| PoC/server.py:102:9:102:14 | ControlFlowNode for mapper | PoC/server.py:1:26:1:32 | ControlFlowNode for ImportMember | PoC/server.py:102:9:102:14 | ControlFlowNode for mapper | This NoSQL query contains an unsanitized $@. | PoC/server.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | -| flask_mongoengine_bad.py:22:34:22:44 | ControlFlowNode for json_search | flask_mongoengine_bad.py:1:26:1:32 | ControlFlowNode for ImportMember | flask_mongoengine_bad.py:22:34:22:44 | ControlFlowNode for json_search | This NoSQL query contains an unsanitized $@. | flask_mongoengine_bad.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | -| flask_mongoengine_bad.py:30:39:30:59 | ControlFlowNode for Dict | flask_mongoengine_bad.py:1:26:1:32 | ControlFlowNode for ImportMember | flask_mongoengine_bad.py:30:39:30:59 | ControlFlowNode for Dict | This NoSQL query contains an unsanitized $@. | flask_mongoengine_bad.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | -| flask_pymongo_bad.py:14:31:14:51 | ControlFlowNode for Dict | flask_pymongo_bad.py:1:26:1:32 | ControlFlowNode for ImportMember | flask_pymongo_bad.py:14:31:14:51 | ControlFlowNode for Dict | This NoSQL query contains an unsanitized $@. 
| flask_pymongo_bad.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | -| mongoengine_bad.py:22:26:22:46 | ControlFlowNode for Dict | mongoengine_bad.py:1:26:1:32 | ControlFlowNode for ImportMember | mongoengine_bad.py:22:26:22:46 | ControlFlowNode for Dict | This NoSQL query contains an unsanitized $@. | mongoengine_bad.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | -| mongoengine_bad.py:30:26:30:46 | ControlFlowNode for Dict | mongoengine_bad.py:1:26:1:32 | ControlFlowNode for ImportMember | mongoengine_bad.py:30:26:30:46 | ControlFlowNode for Dict | This NoSQL query contains an unsanitized $@. | mongoengine_bad.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | -| mongoengine_bad.py:38:26:38:46 | ControlFlowNode for Dict | mongoengine_bad.py:1:26:1:32 | ControlFlowNode for ImportMember | mongoengine_bad.py:38:26:38:46 | ControlFlowNode for Dict | This NoSQL query contains an unsanitized $@. | mongoengine_bad.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | -| mongoengine_bad.py:46:26:46:46 | ControlFlowNode for Dict | mongoengine_bad.py:1:26:1:32 | ControlFlowNode for ImportMember | mongoengine_bad.py:46:26:46:46 | ControlFlowNode for Dict | This NoSQL query contains an unsanitized $@. | mongoengine_bad.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | -| mongoengine_bad.py:53:34:53:44 | ControlFlowNode for json_search | mongoengine_bad.py:1:26:1:32 | ControlFlowNode for ImportMember | mongoengine_bad.py:53:34:53:44 | ControlFlowNode for json_search | This NoSQL query contains an unsanitized $@. | mongoengine_bad.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | -| mongoengine_bad.py:61:29:61:49 | ControlFlowNode for Dict | mongoengine_bad.py:1:26:1:32 | ControlFlowNode for ImportMember | mongoengine_bad.py:61:29:61:49 | ControlFlowNode for Dict | This NoSQL query contains an unsanitized $@. 
| mongoengine_bad.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | -| pymongo_test.py:15:42:15:62 | ControlFlowNode for Dict | pymongo_test.py:1:26:1:32 | ControlFlowNode for ImportMember | pymongo_test.py:15:42:15:62 | ControlFlowNode for Dict | This NoSQL query contains an unsanitized $@. | pymongo_test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | -| pymongo_test.py:33:34:33:73 | ControlFlowNode for Dict | pymongo_test.py:1:26:1:32 | ControlFlowNode for ImportMember | pymongo_test.py:33:34:33:73 | ControlFlowNode for Dict | This NoSQL query contains an unsanitized $@. | pymongo_test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | -| pymongo_test.py:43:34:43:73 | ControlFlowNode for Dict | pymongo_test.py:1:26:1:32 | ControlFlowNode for ImportMember | pymongo_test.py:43:34:43:73 | ControlFlowNode for Dict | This NoSQL query contains an unsanitized $@. | pymongo_test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | -| pymongo_test.py:59:25:59:56 | ControlFlowNode for Dict | pymongo_test.py:1:26:1:32 | ControlFlowNode for ImportMember | pymongo_test.py:59:25:59:56 | ControlFlowNode for Dict | This NoSQL query contains an unsanitized $@. | pymongo_test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | -| pymongo_test.py:61:25:61:57 | ControlFlowNode for Dict | pymongo_test.py:1:26:1:32 | ControlFlowNode for ImportMember | pymongo_test.py:61:25:61:57 | ControlFlowNode for Dict | This NoSQL query contains an unsanitized $@. | pymongo_test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | -| pymongo_test.py:62:25:62:42 | ControlFlowNode for Dict | pymongo_test.py:1:26:1:32 | ControlFlowNode for ImportMember | pymongo_test.py:62:25:62:42 | ControlFlowNode for Dict | This NoSQL query contains an unsanitized $@. 
| pymongo_test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | -| pymongo_test.py:63:25:63:31 | ControlFlowNode for decoded | pymongo_test.py:1:26:1:32 | ControlFlowNode for ImportMember | pymongo_test.py:63:25:63:31 | ControlFlowNode for decoded | This NoSQL query contains an unsanitized $@. | pymongo_test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | +| PoC/server.py:30:27:30:44 | After Dict | PoC/server.py:1:26:1:32 | After ImportMember | PoC/server.py:30:27:30:44 | After Dict | This NoSQL query contains an unsanitized $@. | PoC/server.py:1:26:1:32 | After ImportMember | user-provided value | +| PoC/server.py:31:34:31:51 | After Dict | PoC/server.py:1:26:1:32 | After ImportMember | PoC/server.py:31:34:31:51 | After Dict | This NoSQL query contains an unsanitized $@. | PoC/server.py:1:26:1:32 | After ImportMember | user-provided value | +| PoC/server.py:47:27:47:68 | After Dict | PoC/server.py:1:26:1:32 | After ImportMember | PoC/server.py:47:27:47:68 | After Dict | This NoSQL query contains an unsanitized $@. | PoC/server.py:1:26:1:32 | After ImportMember | user-provided value | +| PoC/server.py:61:27:61:58 | After Dict | PoC/server.py:1:26:1:32 | After ImportMember | PoC/server.py:61:27:61:58 | After Dict | This NoSQL query contains an unsanitized $@. | PoC/server.py:1:26:1:32 | After ImportMember | user-provided value | +| PoC/server.py:91:29:91:47 | After Dict | PoC/server.py:1:26:1:32 | After ImportMember | PoC/server.py:91:29:91:47 | After Dict | This NoSQL query contains an unsanitized $@. | PoC/server.py:1:26:1:32 | After ImportMember | user-provided value | +| PoC/server.py:92:38:92:56 | After Dict | PoC/server.py:1:26:1:32 | After ImportMember | PoC/server.py:92:38:92:56 | After Dict | This NoSQL query contains an unsanitized $@. 
| PoC/server.py:1:26:1:32 | After ImportMember | user-provided value | +| PoC/server.py:102:9:102:14 | mapper | PoC/server.py:1:26:1:32 | After ImportMember | PoC/server.py:102:9:102:14 | mapper | This NoSQL query contains an unsanitized $@. | PoC/server.py:1:26:1:32 | After ImportMember | user-provided value | +| flask_mongoengine_bad.py:22:34:22:44 | json_search | flask_mongoengine_bad.py:1:26:1:32 | After ImportMember | flask_mongoengine_bad.py:22:34:22:44 | json_search | This NoSQL query contains an unsanitized $@. | flask_mongoengine_bad.py:1:26:1:32 | After ImportMember | user-provided value | +| flask_mongoengine_bad.py:30:39:30:59 | After Dict | flask_mongoengine_bad.py:1:26:1:32 | After ImportMember | flask_mongoengine_bad.py:30:39:30:59 | After Dict | This NoSQL query contains an unsanitized $@. | flask_mongoengine_bad.py:1:26:1:32 | After ImportMember | user-provided value | +| flask_pymongo_bad.py:14:31:14:51 | After Dict | flask_pymongo_bad.py:1:26:1:32 | After ImportMember | flask_pymongo_bad.py:14:31:14:51 | After Dict | This NoSQL query contains an unsanitized $@. | flask_pymongo_bad.py:1:26:1:32 | After ImportMember | user-provided value | +| mongoengine_bad.py:22:26:22:46 | After Dict | mongoengine_bad.py:1:26:1:32 | After ImportMember | mongoengine_bad.py:22:26:22:46 | After Dict | This NoSQL query contains an unsanitized $@. | mongoengine_bad.py:1:26:1:32 | After ImportMember | user-provided value | +| mongoengine_bad.py:30:26:30:46 | After Dict | mongoengine_bad.py:1:26:1:32 | After ImportMember | mongoengine_bad.py:30:26:30:46 | After Dict | This NoSQL query contains an unsanitized $@. | mongoengine_bad.py:1:26:1:32 | After ImportMember | user-provided value | +| mongoengine_bad.py:38:26:38:46 | After Dict | mongoengine_bad.py:1:26:1:32 | After ImportMember | mongoengine_bad.py:38:26:38:46 | After Dict | This NoSQL query contains an unsanitized $@. 
| mongoengine_bad.py:1:26:1:32 | After ImportMember | user-provided value | +| mongoengine_bad.py:46:26:46:46 | After Dict | mongoengine_bad.py:1:26:1:32 | After ImportMember | mongoengine_bad.py:46:26:46:46 | After Dict | This NoSQL query contains an unsanitized $@. | mongoengine_bad.py:1:26:1:32 | After ImportMember | user-provided value | +| mongoengine_bad.py:53:34:53:44 | json_search | mongoengine_bad.py:1:26:1:32 | After ImportMember | mongoengine_bad.py:53:34:53:44 | json_search | This NoSQL query contains an unsanitized $@. | mongoengine_bad.py:1:26:1:32 | After ImportMember | user-provided value | +| mongoengine_bad.py:61:29:61:49 | After Dict | mongoengine_bad.py:1:26:1:32 | After ImportMember | mongoengine_bad.py:61:29:61:49 | After Dict | This NoSQL query contains an unsanitized $@. | mongoengine_bad.py:1:26:1:32 | After ImportMember | user-provided value | +| pymongo_test.py:15:42:15:62 | After Dict | pymongo_test.py:1:26:1:32 | After ImportMember | pymongo_test.py:15:42:15:62 | After Dict | This NoSQL query contains an unsanitized $@. | pymongo_test.py:1:26:1:32 | After ImportMember | user-provided value | +| pymongo_test.py:33:34:33:73 | After Dict | pymongo_test.py:1:26:1:32 | After ImportMember | pymongo_test.py:33:34:33:73 | After Dict | This NoSQL query contains an unsanitized $@. | pymongo_test.py:1:26:1:32 | After ImportMember | user-provided value | +| pymongo_test.py:43:34:43:73 | After Dict | pymongo_test.py:1:26:1:32 | After ImportMember | pymongo_test.py:43:34:43:73 | After Dict | This NoSQL query contains an unsanitized $@. | pymongo_test.py:1:26:1:32 | After ImportMember | user-provided value | +| pymongo_test.py:59:25:59:56 | After Dict | pymongo_test.py:1:26:1:32 | After ImportMember | pymongo_test.py:59:25:59:56 | After Dict | This NoSQL query contains an unsanitized $@. 
| pymongo_test.py:1:26:1:32 | After ImportMember | user-provided value | +| pymongo_test.py:61:25:61:57 | After Dict | pymongo_test.py:1:26:1:32 | After ImportMember | pymongo_test.py:61:25:61:57 | After Dict | This NoSQL query contains an unsanitized $@. | pymongo_test.py:1:26:1:32 | After ImportMember | user-provided value | +| pymongo_test.py:62:25:62:42 | After Dict | pymongo_test.py:1:26:1:32 | After ImportMember | pymongo_test.py:62:25:62:42 | After Dict | This NoSQL query contains an unsanitized $@. | pymongo_test.py:1:26:1:32 | After ImportMember | user-provided value | +| pymongo_test.py:63:25:63:31 | decoded | pymongo_test.py:1:26:1:32 | After ImportMember | pymongo_test.py:63:25:63:31 | decoded | This NoSQL query contains an unsanitized $@. | pymongo_test.py:1:26:1:32 | After ImportMember | user-provided value |