Python taint-tracking: Don't track strings through json.decode().

markshannon · markshannon · commit fc2ac891f867 · 2019-06-03T15:53:36.000+01:00
diff --git a/python/ql/src/semmle/python/security/strings/Basic.qll b/python/ql/src/semmle/python/security/strings/Basic.qll
@@ -81,6 +81,7 @@ private predicate str_format(ControlFlowNode fromnode, CallNode tonode) {
 /* tonode = codec.[en|de]code(fromnode)*/
 private predicate encode_decode(ControlFlowNode fromnode, CallNode tonode) {
     exists(FunctionObject func, string name |
+        not func.getFunction().isMethod() and
         func.getACall() = tonode and
         tonode.getAnArg() = fromnode and
         func.getName() = name |
