Merge pull request #2419 from tausbn/python-fix-use-of-input-fp

RasmusWL · web-flow · commit 0f9113905536 · 2019-11-25T12:08:39.000+01:00
Python: Fix false positive for `py/use-of-input`.
diff --git a/python/ql/src/Expressions/UseofInput.ql b/python/ql/src/Expressions/UseofInput.ql
@@ -14,5 +14,8 @@ import python
 
 from CallNode call, Context context, ControlFlowNode func
 where
-context.getAVersion().includes(2, _) and call.getFunction() = func and func.refersTo(context, Object::builtin("input"), _, _)
+    context.getAVersion().includes(2, _) and
+    call.getFunction() = func and
+    func.pointsTo(context, Value::named("input"), _) and
+    not func.pointsTo(context, Value::named("raw_input"), _)
 select call, "The unsafe built-in function 'input' is used."
diff --git a/python/ql/test/2/query-tests/Expressions/safe_input.py b/python/ql/test/2/query-tests/Expressions/safe_input.py
@@ -0,0 +1,10 @@
+try:
+    input = raw_input
+except NameError:
+    pass
+
+def use_of_input():
+    return input()
+
+print(use_of_input())
+
