From dede5bc49bcaab2f9bef0b8a0025bf62cbabb85d Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan <owen-mc@github.com>
Date: Tue, 2 Jun 2026 14:18:28 +0100
Subject: [PATCH] Track flow through `tuple()` with list with tainted elements

---
 python/ql/lib/semmle/python/frameworks/Stdlib.qll | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/python/ql/lib/semmle/python/frameworks/Stdlib.qll b/python/ql/lib/semmle/python/frameworks/Stdlib.qll
index 6dc66fb2fd4..05e7a629de6 100644
--- a/python/ql/lib/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/lib/semmle/python/frameworks/Stdlib.qll
@@ -4277,9 +4277,7 @@ module StdlibPrivate {
         preservesValue = true
       )
       or
-      // TODO: We need to also translate iterable content such as list element
-      //       but we currently lack TupleElementAny
-      input = "Argument[0]" and
+      input = ["Argument[0]", "Argument[0].ListElement"] and
       output = "ReturnValue" and
       preservesValue = false
     }