Merge pull request github#3348 from RasmusWL/python-random-modernisation

Python: random modernisations

Author: tausbn

python/ql/src/semmle/python/security/injection/Exec.qll

@@ -10,12 +10,6 @@ import python
 import semmle.python.security.TaintTracking
 import semmle.python.security.strings.Untrusted
 
-private FunctionObject exec_or_eval() {
-    result = Object::builtin("exec")
-    or
-    result = Object::builtin("eval")
-}
-
 /**
  * A taint sink that represents an argument to exec or eval that is vulnerable to malicious input.
  * The `vuln` in `exec(vuln)` or similar.
@@ -26,10 +20,9 @@ class StringEvaluationNode extends TaintSink {
     StringEvaluationNode() {
         exists(Exec exec | exec.getASubExpression().getAFlowNode() = this)
         or
-        exists(CallNode call |
-            exec_or_eval().getACall() = call and
-            call.getAnArg() = this
-        )
+        Value::named("exec").getACall().getAnArg() = this
+        or
+        Value::named("eval").getACall().getAnArg() = this
     }
 
     override predicate sinks(TaintKind kind) { kind instanceof ExternalStringKind }

python/ql/src/semmle/python/security/injection/Path.qll

@@ -64,8 +64,12 @@ class OpenNode extends TaintSink {
 
     OpenNode() {
         exists(CallNode call |
-            call.getFunction().refersTo(Object::builtin("open")) and
-            call.getAnArg() = this
+            call = Value::named("open").getACall() and
+            (
+                call.getArg(0) = this
+                or
+                call.getArgByName("file") = this
+            )
         )
     }