Python: Port CodeInjection query

and the dummy test-case we already have

Author: RasmusWL

python/ql/src/experimental/Security-new-dataflow/CWE-094/CodeInjection.ql

@@ -0,0 +1,35 @@
+/**
+ * @name Code injection
+ * @description Interpreting unsanitized user input as code allows a malicious user arbitrary
+ *              code execution.
+ * @kind path-problem
+ * @problem.severity error
+ * @sub-severity high
+ * @precision high
+ * @id py/code-injection
+ * @tags security
+ *       external/owasp/owasp-a1
+ *       external/cwe/cwe-094
+ *       external/cwe/cwe-095
+ *       external/cwe/cwe-116
+ */
+
+import python
+import experimental.dataflow.DataFlow
+import experimental.dataflow.TaintTracking
+import experimental.semmle.python.Concepts
+import experimental.dataflow.RemoteFlowSources
+import DataFlow::PathGraph
+
+class CodeInjectionConfiguration extends TaintTracking::Configuration {
+  CodeInjectionConfiguration() { this = "CodeInjectionConfiguration" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink = any(CodeExecution e).getCode() }
+}
+
+from CodeInjectionConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink
+where config.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "$@ flows to here and is interpreted as code.",
+  source.getNode(), "A user-provided value"

python/ql/test/experimental/query-tests/Security-new-dataflow/CWE-094/CodeInjection.expected

@@ -0,0 +1,3 @@
+edges
+nodes
+#select

python/ql/test/experimental/query-tests/Security-new-dataflow/CWE-094/CodeInjection.qlref

@@ -0,0 +1 @@
+experimental/Security-new-dataflow/CWE-094/CodeInjection.ql

python/ql/test/experimental/query-tests/Security-new-dataflow/CWE-094/code_injection.py

@@ -0,0 +1,8 @@
+from flask import Flask, request
+app = Flask(__name__)
+
+@app.route("/code-execution")
+def code_execution():
+    code = request.args.get("code")
+    exec(code)
+    eval(code)