Python taint-tracking: Don't track strings through json.decode().

Author: markshannon

python/ql/src/semmle/python/security/strings/Basic.qll

@@ -81,6 +81,7 @@ private predicate str_format(ControlFlowNode fromnode, CallNode tonode) {
 /* tonode = codec.[en|de]code(fromnode)*/
 private predicate encode_decode(ControlFlowNode fromnode, CallNode tonode) {
     exists(FunctionObject func, string name |
+        not func.getFunction().isMethod() and
         func.getACall() = tonode and
         tonode.getAnArg() = fromnode and
         func.getName() = name |