Python: Only allow unsafe positional args to extra

yoff · yoff · commit 77d4cbc0df98 · 2020-10-21T14:21:36.000+02:00
diff --git a/python/ql/src/experimental/semmle/python/frameworks/Django.qll b/python/ql/src/experimental/semmle/python/frameworks/Django.qll
@@ -359,7 +359,7 @@ private module Django {
 
     override DataFlow::Node getSql() {
       result.asCfgNode() =
-        [node.getArg([0 .. 5]), node.getArgByName(["select", "where", "tables", "order_by"])]
+        [node.getArg([0, 1, 3, 4]), node.getArgByName(["select", "where", "tables", "order_by"])]
     }
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -359,7 +359,7 @@ private module Django {`
`359`	`359`
`360`	`360`	`override DataFlow::Node getSql() {`
`361`	`361`	`result.asCfgNode() =`
`362`		`- [node.getArg([0 .. 5]), node.getArgByName(["select", "where", "tables", "order_by"])]`
	`362`	`+ [node.getArg([0, 1, 3, 4]), node.getArgByName(["select", "where", "tables", "order_by"])]`
`363`	`363`	`}`
`364`	`364`	`}`
`365`	`365`	`}`