Merge pull request #544 from pavgust/fix/python-hotfixes

Pull recent Python fixes to RC branch

Author: markshannon

python/ql/src/default.qll

@@ -0,0 +1,5 @@
+/**
+ * WARNING: Use of this module is DEPRECATED.
+ * All new queries should use `import python`.
+ */
+import python

python/ql/src/semmle/python/security/Paths.qll

@@ -20,6 +20,6 @@ query predicate parents(TaintedNode child, TaintedNode parent) {
     child = first_child(parent) or
     exists(TaintedNode prev |
         parents(prev, parent) and
-        child = next_sibling(child)
+        child = next_sibling(prev)
     )
 }

python/ql/test/query-tests/Security/CWE-022/PathInjection.expected

@@ -28,6 +28,9 @@ parents
 | ../lib/os/path.py:4:14:4:14 | externally controlled string | path_injection.py:16:30:16:60 | externally controlled string |
 | ../lib/os/path.py:4:14:4:14 | externally controlled string | path_injection.py:25:30:25:60 | externally controlled string |
 | ../lib/os/path.py:4:14:4:14 | externally controlled string | path_injection.py:34:30:34:60 | externally controlled string |
+| ../lib/os/path.py:5:12:5:12 | externally controlled string | path_injection.py:16:30:16:60 | externally controlled string |
+| ../lib/os/path.py:5:12:5:12 | externally controlled string | path_injection.py:25:30:25:60 | externally controlled string |
+| ../lib/os/path.py:5:12:5:12 | externally controlled string | path_injection.py:34:30:34:60 | externally controlled string |
 #select
 | path_injection.py:10:14:10:44 | argument to open() | path_injection.py:9:12:9:23 | dict of externally controlled string | path_injection.py:10:14:10:44 | externally controlled string | This path depends on $@. | path_injection.py:9:12:9:23 | flask.request.args | a user-provided value |
 | path_injection.py:17:14:17:18 | argument to open() | path_injection.py:15:12:15:23 | dict of externally controlled string | path_injection.py:17:14:17:18 | normalized path | This path depends on $@. | path_injection.py:15:12:15:23 | flask.request.args | a user-provided value |

python/ql/test/query-tests/Security/CWE-079/ReflectedXss.expected

@@ -9,5 +9,7 @@ edges
 | reflected_xss.py:12:18:12:45 | externally controlled string | reflected_xss.py:13:51:13:60 | externally controlled string |
 parents
 | ../lib/flask/__init__.py:14:19:14:20 | externally controlled string | reflected_xss.py:8:26:8:53 | externally controlled string |
+| ../lib/flask/__init__.py:15:19:15:20 | externally controlled string | reflected_xss.py:8:26:8:53 | externally controlled string |
+| ../lib/flask/__init__.py:16:25:16:26 | externally controlled string | reflected_xss.py:8:26:8:53 | externally controlled string |
 #select
 | ../lib/flask/__init__.py:16:25:16:26 | flask.response.argument | reflected_xss.py:7:18:7:29 | dict of externally controlled string | ../lib/flask/__init__.py:16:25:16:26 | externally controlled string | Cross-site scripting vulnerability due to $@. | reflected_xss.py:7:18:7:29 | flask.request.args | user-provided value |

python/ql/test/query-tests/Security/CWE-209/StackTraceExposure.expected

@@ -6,6 +6,8 @@ edges
 | test.py:37:25:37:27 | exception info | test.py:37:12:37:27 | exception info |
 parents
 | test.py:36:18:36:20 | exception info | test.py:34:29:34:31 | exception info |
+| test.py:37:12:37:27 | exception info | test.py:34:29:34:31 | exception info |
+| test.py:37:25:37:27 | exception info | test.py:34:29:34:31 | exception info |
 #select
 | test.py:16:16:16:37 | flask.routed.response | test.py:16:16:16:37 | exception info | test.py:16:16:16:37 | exception info | $@ may be exposed to an external user | test.py:16:16:16:37 | exception.info.source | Error information |
 | test.py:34:16:34:32 | flask.routed.response | test.py:33:15:33:36 | exception info | test.py:34:16:34:32 | exception info | $@ may be exposed to an external user | test.py:33:15:33:36 | exception.info.source | Error information |