From e3688444d74582c29c0356f96ac80c19201f3166 Mon Sep 17 00:00:00 2001
From: Taus <tausbn@github.com>
Date: Tue, 7 Apr 2026 21:39:30 +0000
Subject: [PATCH] Python: Also exclude class scope

Changing the `locals()` dictionary actually _does_ change the attributes
of the class being defined, so we shouldn't alert in this case.
---
 python/ql/src/Statements/ModificationOfLocals.ql      | 5 ++++-
 python/ql/test/query-tests/Statements/general/test.py | 6 ++++++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/python/ql/src/Statements/ModificationOfLocals.ql b/python/ql/src/Statements/ModificationOfLocals.ql
index 82529cbd6d0..f32ddcf7884 100644
--- a/python/ql/src/Statements/ModificationOfLocals.ql
+++ b/python/ql/src/Statements/ModificationOfLocals.ql
@@ -37,5 +37,8 @@ where
   // in module level scope `locals() == globals()`
   // see https://docs.python.org/3/library/functions.html#locals
   // FP report in https://github.com/github/codeql/issues/6674
-  not a.getScope() instanceof Module
+  not a.getScope() instanceof Module and
+  // in class level scope `locals()` reflects the class namespace,
+  // so modifications do take effect.
+  not a.getScope() instanceof Class
 select a, "Modification of the locals() dictionary will have no effect on the local variables."
diff --git a/python/ql/test/query-tests/Statements/general/test.py b/python/ql/test/query-tests/Statements/general/test.py
index eee63fa89e8..a5848f7c718 100644
--- a/python/ql/test/query-tests/Statements/general/test.py
+++ b/python/ql/test/query-tests/Statements/general/test.py
@@ -174,3 +174,9 @@ def assert_ok(seq):
 # False positive. ODASA-8042. Fixed in PR #2401.
 class false_positive:
     e = (x for x in [])
+
+# In class-level scope `locals()` reflects the class namespace,
+# so modifications do take effect.
+class MyClass:
+    locals()['x'] = 43  # OK
+    y = x