Python: Modernise security/injection/Path.qll

RasmusWL · RasmusWL · commit 367ee3e8c43a · 2020-04-24T12:03:42.000+02:00
And we're making things a bit more clean since it's not *any* argument of `open()` that is a taint-sink.
diff --git a/python/ql/src/semmle/python/security/injection/Path.qll b/python/ql/src/semmle/python/security/injection/Path.qll
@@ -64,8 +64,12 @@ class OpenNode extends TaintSink {
 
     OpenNode() {
         exists(CallNode call |
-            call.getFunction().refersTo(Object::builtin("open")) and
-            call.getAnArg() = this
+            call = Value::named("open").getACall() and
+            (
+                call.getArg(0) = this
+                or
+                call.getArgByName("file") = this
+            )
         )
     }
 

Original file line number	Diff line number	Diff line change
`@@ -64,8 +64,12 @@ class OpenNode extends TaintSink {`
`64`	`64`
`65`	`65`	`OpenNode() {`
`66`	`66`	`exists(CallNode call \|`
`67`		`- call.getFunction().refersTo(Object::builtin("open")) and`
`68`		`- call.getAnArg() = this`
	`67`	`+ call = Value::named("open").getACall() and`
	`68`	`+ (`
	`69`	`+ call.getArg(0) = this`
	`70`	`+ or`
	`71`	`+ call.getArgByName("file") = this`
	`72`	`+ )`
`69`	`73`	`)`
`70`	`74`	`}`
`71`	`75`