diff --git a/python/ql/src/Security/CWE-074/TemplateInjection.qhelp b/python/ql/src/Security/CWE-074/TemplateInjection.qhelp
index 477d1b0e139fe..e4c699d1e10e1 100644
--- a/python/ql/src/Security/CWE-074/TemplateInjection.qhelp
+++ b/python/ql/src/Security/CWE-074/TemplateInjection.qhelp
@@ -19,7 +19,7 @@
In the following case, user input is not used to construct the template; rather is only used for as the parameters to render the template, which is safe.
-
+
In the following case, a SandboxedEnvironment is used, preventing remote code execution.
diff --git a/python/ql/src/experimental/Security/CWE-074/JinjaBad.py b/python/ql/src/experimental/Security/CWE-074/JinjaBad.py
deleted file mode 100644
index aaac3ec819eb4..0000000000000
--- a/python/ql/src/experimental/Security/CWE-074/JinjaBad.py
+++ /dev/null
@@ -1,19 +0,0 @@
-from django.urls import path
-from django.http import HttpResponse
-from jinja2 import Template as Jinja2_Template
-from jinja2 import Environment, DictLoader, escape
-
-
-def a(request):
- # Load the template
- template = request.GET['template']
- t = Jinja2_Template(template)
- name = request.GET['name']
- # Render the template with the context data
- html = t.render(name=escape(name))
- return HttpResponse(html)
-
-
-urlpatterns = [
- path('a', a),
-]
diff --git a/python/ql/src/experimental/Security/CWE-074/JinjaGood.py b/python/ql/src/experimental/Security/CWE-074/JinjaGood.py
deleted file mode 100644
index a1b605618501e..0000000000000
--- a/python/ql/src/experimental/Security/CWE-074/JinjaGood.py
+++ /dev/null
@@ -1,20 +0,0 @@
-from django.urls import path
-from django.http import HttpResponse
-from jinja2 import Template as Jinja2_Template
-from jinja2 import Environment, DictLoader, escape
-
-
-def a(request):
- # Load the template
- template = request.GET['template']
- env = SandboxedEnvironment(undefined=StrictUndefined)
- t = env.from_string(template)
- name = request.GET['name']
- # Render the template with the context data
- html = t.render(name=escape(name))
- return HttpResponse(html)
-
-
-urlpatterns = [
- path('a', a),
-]
diff --git a/python/ql/src/experimental/Security/CWE-074/TemplateConstructionConcept.qll b/python/ql/src/experimental/Security/CWE-074/TemplateConstructionConcept.qll
deleted file mode 100644
index 5144e2ff97b18..0000000000000
--- a/python/ql/src/experimental/Security/CWE-074/TemplateConstructionConcept.qll
+++ /dev/null
@@ -1,165 +0,0 @@
-private import python
-private import semmle.python.dataflow.new.DataFlow
-private import semmle.python.ApiGraphs
-
-/**
- * A data-flow node that constructs a template.
- *
- * Extend this class to refine existing API models. If you want to model new APIs,
- * extend `TemplateConstruction::Range` instead.
- */
-class TemplateConstruction extends DataFlow::Node instanceof TemplateConstruction::Range {
- /** Gets the argument that specifies the template source. */
- DataFlow::Node getSourceArg() { result = super.getSourceArg() }
-}
-
-/** Provides a class for modeling new system-command execution APIs. */
-module TemplateConstruction {
- /**
- * A data-flow node that constructs a template.
- *
- * Extend this class to model new APIs. If you want to refine existing API models,
- * extend `TemplateConstruction` instead.
- */
- abstract class Range extends DataFlow::Node {
- /** Gets the argument that specifies the template source. */
- abstract DataFlow::Node getSourceArg();
- }
-}
-
-// -----------------------------------------------------------------------------
-/** A call to `airspeed.Template`. */
-class AirspeedTemplateConstruction extends TemplateConstruction::Range, API::CallNode {
- AirspeedTemplateConstruction() {
- this = API::moduleImport("airspeed").getMember("Template").getACall()
- }
-
- override DataFlow::Node getSourceArg() { result = this.getArg(0) }
-}
-
-/** A call to `bottle.SimpleTemplate`. */
-class BottleSimpleTemplateConstruction extends TemplateConstruction::Range, API::CallNode {
- BottleSimpleTemplateConstruction() {
- this = API::moduleImport("bottle").getMember("SimpleTemplate").getACall()
- }
-
- override DataFlow::Node getSourceArg() { result = this.getArg(0) }
-}
-
-/** A call to `bottle.template`. */
-class BottleTemplateConstruction extends TemplateConstruction::Range, API::CallNode {
- BottleTemplateConstruction() {
- this = API::moduleImport("bottle").getMember("template").getACall()
- }
-
- override DataFlow::Node getSourceArg() { result = this.getArg(0) }
-}
-
-/** A call to `chameleon.PageTemplate`. */
-class ChameleonTemplateConstruction extends TemplateConstruction::Range, API::CallNode {
- ChameleonTemplateConstruction() {
- this = API::moduleImport("chameleon").getMember("PageTemplate").getACall()
- }
-
- override DataFlow::Node getSourceArg() { result = this.getArg(0) }
-}
-
-/** A call to `Cheetah.Template.Template`. */
-class CheetahTemplateConstruction extends TemplateConstruction::Range, API::CallNode {
- CheetahTemplateConstruction() {
- this =
- API::moduleImport("Cheetah")
- .getMember("Template")
- .getMember("Template")
- .getASubclass*()
- .getACall()
- }
-
- override DataFlow::Node getSourceArg() { result = this.getArg(0) }
-}
-
-/** A call to `chevron.render`. */
-class ChevronRenderConstruction extends TemplateConstruction::Range, API::CallNode {
- ChevronRenderConstruction() { this = API::moduleImport("chevron").getMember("render").getACall() }
-
- override DataFlow::Node getSourceArg() { result = this.getArg(0) }
-}
-
-/** A call to `django.template.Template` */
-class DjangoTemplateConstruction extends TemplateConstruction::Range, API::CallNode {
- DjangoTemplateConstruction() {
- this = API::moduleImport("django").getMember("template").getMember("Template").getACall()
- }
-
- override DataFlow::Node getSourceArg() { result = this.getArg(0) }
-}
-
-// TODO: support django.template.engines["django"]].from_string
-/** A call to `flask.render_template_string`. */
-class FlaskTemplateConstruction extends TemplateConstruction::Range, API::CallNode {
- FlaskTemplateConstruction() {
- this = API::moduleImport("flask").getMember("render_template_string").getACall()
- }
-
- override DataFlow::Node getSourceArg() { result = this.getArg(0) }
-}
-
-/** A call to `genshi.template.TextTemplate`. */
-class GenshiTextTemplateConstruction extends TemplateConstruction::Range, API::CallNode {
- GenshiTextTemplateConstruction() {
- this = API::moduleImport("genshi").getMember("template").getMember("TextTemplate").getACall()
- }
-
- override DataFlow::Node getSourceArg() { result = this.getArg(0) }
-}
-
-/** A call to `genshi.template.MarkupTemplate` */
-class GenshiMarkupTemplateConstruction extends TemplateConstruction::Range, API::CallNode {
- GenshiMarkupTemplateConstruction() {
- this = API::moduleImport("genshi").getMember("template").getMember("MarkupTemplate").getACall()
- }
-
- override DataFlow::Node getSourceArg() { result = this.getArg(0) }
-}
-
-//
-/** A call to `jinja2.Template`. */
-class Jinja2TemplateConstruction extends TemplateConstruction::Range, API::CallNode {
- Jinja2TemplateConstruction() {
- this = API::moduleImport("jinja2").getMember("Template").getACall()
- }
-
- override DataFlow::Node getSourceArg() { result = this.getArg(0) }
-}
-
-/** A call to `jinja2.from_string`. */
-class Jinja2FromStringConstruction extends TemplateConstruction::Range, API::CallNode {
- Jinja2FromStringConstruction() {
- this =
- API::moduleImport("jinja2")
- .getMember("Environment")
- .getReturn()
- .getMember("from_string")
- .getACall()
- }
-
- override DataFlow::Node getSourceArg() { result = this.getArg(0) }
-}
-
-/** A call to `mako.template.Template`. */
-class MakoTemplateConstruction extends TemplateConstruction::Range, API::CallNode {
- MakoTemplateConstruction() {
- this = API::moduleImport("mako").getMember("template").getMember("Template").getACall()
- }
-
- override DataFlow::Node getSourceArg() { result = this.getArg(0) }
-}
-
-/** A call to `trender.TRender`. */
-class TRenderTemplateConstruction extends TemplateConstruction::Range, API::CallNode {
- TRenderTemplateConstruction() {
- this = API::moduleImport("trender").getMember("TRender").getACall()
- }
-
- override DataFlow::Node getSourceArg() { result = this.getArg(0) }
-}
diff --git a/python/ql/src/experimental/Security/CWE-074/TemplateInjection.qhelp b/python/ql/src/experimental/Security/CWE-074/TemplateInjection.qhelp
deleted file mode 100644
index b044243fc8e12..0000000000000
--- a/python/ql/src/experimental/Security/CWE-074/TemplateInjection.qhelp
+++ /dev/null
@@ -1,24 +0,0 @@
-
-
-
-
- Template Injection occurs when user input is embedded in a template in an unsafe manner.
- When an attacker is able to use native template syntax to inject a malicious payload into a template, which is then executed server-side is results in Server Side Template Injection.
-
-
-
-
- To fix this, ensure that an untrusted value is not used as a template. If the application requirements do not alow this, use a sandboxed environment where access to unsafe attributes and methods is prohibited.
-
-
-
- Consider the example given below, an untrusted HTTP parameter `template` is used to generate a Jinja2 template string. This can lead to remote code execution.
-
-
- Here we have fixed the problem by using the Jinja sandbox environment for evaluating untrusted code.
-
-
-
- Portswigger : [Server Side Template Injection](https://portswigger.net/web-security/server-side-template-injection)
-
-
diff --git a/python/ql/src/experimental/Security/CWE-074/TemplateInjection.ql b/python/ql/src/experimental/Security/CWE-074/TemplateInjection.ql
deleted file mode 100644
index a10ad09a6ac99..0000000000000
--- a/python/ql/src/experimental/Security/CWE-074/TemplateInjection.ql
+++ /dev/null
@@ -1,20 +0,0 @@
-/**
- * @name Server Side Template Injection
- * @description Using user-controlled data to create a template can cause security issues.
- * @kind path-problem
- * @problem.severity error
- * @precision high
- * @id py/template-injection
- * @tags security
- * experimental
- * external/cwe/cwe-074
- */
-
-import python
-import TemplateInjectionQuery
-import TemplateInjectionFlow::PathGraph
-
-from TemplateInjectionFlow::PathNode source, TemplateInjectionFlow::PathNode sink
-where TemplateInjectionFlow::flowPath(source, sink)
-select sink.getNode(), source, sink, "This Template depends on $@.", source.getNode(),
- "user-provided value"
diff --git a/python/ql/src/experimental/Security/CWE-074/TemplateInjectionCustomizations.qll b/python/ql/src/experimental/Security/CWE-074/TemplateInjectionCustomizations.qll
deleted file mode 100644
index 13c70fc7d04d0..0000000000000
--- a/python/ql/src/experimental/Security/CWE-074/TemplateInjectionCustomizations.qll
+++ /dev/null
@@ -1,59 +0,0 @@
-/**
- * Provides default sources, sinks and sanitizers for detecting
- * "template injection"
- * vulnerabilities, as well as extension points for adding your own.
- */
-
-private import python
-private import semmle.python.dataflow.new.DataFlow
-private import semmle.python.Concepts as C
-private import semmle.python.dataflow.new.RemoteFlowSources
-private import semmle.python.dataflow.new.BarrierGuards
-private import TemplateConstructionConcept
-
-/**
- * Provides default sources, sinks and sanitizers for detecting
- * "template injection"
- * vulnerabilities, as well as extension points for adding your own.
- */
-module TemplateInjection {
- /**
- * A data flow source for "template injection" vulnerabilities.
- */
- abstract class Source extends DataFlow::Node { }
-
- /**
- * A data flow sink for "template injection" vulnerabilities.
- */
- abstract class Sink extends DataFlow::Node { }
-
- /**
- * A sanitizer for "template injection" vulnerabilities.
- */
- abstract class Sanitizer extends DataFlow::Node { }
-
- /**
- * DEPRECATED: Use `ActiveThreatModelSource` from Concepts instead!
- */
- deprecated class RemoteFlowSourceAsSource = ActiveThreatModelSourceAsSource;
-
- /**
- * An active threat-model source, considered as a flow source.
- */
- private class ActiveThreatModelSourceAsSource extends Source, C::ActiveThreatModelSource { }
-
- /**
- * A SQL statement of a SQL construction, considered as a flow sink.
- */
- class TemplateConstructionAsSink extends Sink {
- TemplateConstructionAsSink() { this = any(TemplateConstruction c).getSourceArg() }
- }
-
- /**
- * A comparison with a constant, considered as a sanitizer-guard.
- */
- class ConstCompareAsSanitizerGuard extends Sanitizer, ConstCompareBarrier { }
-
- /** DEPRECATED: Use ConstCompareAsSanitizerGuard instead. */
- deprecated class StringConstCompareAsSanitizerGuard = ConstCompareAsSanitizerGuard;
-}
diff --git a/python/ql/src/experimental/Security/CWE-074/TemplateInjectionQuery.qll b/python/ql/src/experimental/Security/CWE-074/TemplateInjectionQuery.qll
deleted file mode 100644
index 111485e2602d6..0000000000000
--- a/python/ql/src/experimental/Security/CWE-074/TemplateInjectionQuery.qll
+++ /dev/null
@@ -1,18 +0,0 @@
-/**
- * Provides a taint-tracking configuration for detecting "template injection" vulnerabilities.
- */
-
-private import python
-import semmle.python.dataflow.new.DataFlow
-import semmle.python.dataflow.new.TaintTracking
-import TemplateInjectionCustomizations::TemplateInjection
-
-module TemplateInjectionConfig implements DataFlow::ConfigSig {
- predicate isSource(DataFlow::Node node) { node instanceof Source }
-
- predicate isSink(DataFlow::Node node) { node instanceof Sink }
-
- predicate isBarrierIn(DataFlow::Node node) { node instanceof Sanitizer }
-}
-
-module TemplateInjectionFlow = TaintTracking::Global;
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/AirspeedSsti.py b/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/AirspeedSsti.py
deleted file mode 100644
index 8938d8602f8df..0000000000000
--- a/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/AirspeedSsti.py
+++ /dev/null
@@ -1,11 +0,0 @@
-import airspeed
-from flask import Flask, request
-
-
-app = Flask(__name__)
-
-
-@route('/other')
-def a():
- template = request.args.get('template')
- return airspeed.Template(template)
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/BottleSsti.py b/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/BottleSsti.py
deleted file mode 100644
index b5f8a5feeffaa..0000000000000
--- a/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/BottleSsti.py
+++ /dev/null
@@ -1,20 +0,0 @@
-from bottle import Bottle, route, request, redirect, response, SimpleTemplate
-from bottle import template as temp
-
-
-app = Bottle()
-
-
-@route('/other')
-def a():
- template = request.query.template
- tpl = SimpleTemplate(template)
- tpl.render(name='World')
- return tmp
-
-
-@route('/other2')
-def b():
- template = request.query.template
- temp(template, name='World')
- return tmp
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/Chameleon.py b/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/Chameleon.py
deleted file mode 100644
index f58a641a9be3b..0000000000000
--- a/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/Chameleon.py
+++ /dev/null
@@ -1,10 +0,0 @@
-from chameleon import PageTemplate
-from django.urls import path
-from django.http import HttpResponse
-
-
-def chameleon(request):
- template = request.GET['template']
- tmpl = PageTemplate(template)
- return HttpResponse(tmpl)
-
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/CheetahSinks.py b/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/CheetahSinks.py
deleted file mode 100644
index 7f9fed4decf5f..0000000000000
--- a/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/CheetahSinks.py
+++ /dev/null
@@ -1,22 +0,0 @@
-from flask import Flask, request
-from Cheetah.Template import Template
-
-
-app = Flask(__name__)
-
-
-@app.route('/other')
-def a():
- template = request.args.get('template')
- return Template(template)
-
-
-class Template3(Template):
- title = 'Hello World Example!'
- contents = 'Hello World!'
-
-
-@app.route('/other2')
-def b():
- template = request.args.get('template')
- t3 = Template3(template)
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/ChevronSsti.py b/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/ChevronSsti.py
deleted file mode 100644
index f3b0e57fc8f74..0000000000000
--- a/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/ChevronSsti.py
+++ /dev/null
@@ -1,24 +0,0 @@
-from flask import Flask, request
-import chevron
-
-
-app = Flask(__name__)
-
-
-@app.route('/other')
-def a():
- template = request.args.get('template')
- return chevron.render(template, {"key": "value"})
-
-
-@app.route('/other2')
-def b():
- template = request.args.get('template')
- args = {
- 'template': template,
-
- 'data': {
- 'key': 'value'
- }
- }
- return chevron.render(**args)
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/DjangoTemplates.py b/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/DjangoTemplates.py
deleted file mode 100644
index 26f48fd92780c..0000000000000
--- a/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/DjangoTemplates.py
+++ /dev/null
@@ -1,41 +0,0 @@
-from django.urls import path
-from django.http import HttpResponse
-from django.template import Template, Context, Engine, engines
-
-
-def dj(request):
- # Load the template
- template = request.GET['template']
- t = Template(template)
- ctx = Context(locals())
- html = t.render(ctx)
- return HttpResponse(html)
-
-
-def djEngine(request):
- # Load the template
- template = request.GET['template']
-
- django_engine = engines['django']
- t = django_engine.from_string(template)
- ctx = Context(locals())
- html = t.render(ctx)
- return HttpResponse(html)
-
-
-def djEngineJinja(request):
- # Load the template
- template = request.GET['template']
-
- django_engine = engines['jinja']
- t = django_engine.from_string(template)
- ctx = Context(locals())
- html = t.render(ctx)
- return HttpResponse(html)
-
-
-urlpatterns = [
- path('', dj),
- path('', djEngine),
- path('', djEngineJinja),
-]
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/FlaskTemplate.py b/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/FlaskTemplate.py
deleted file mode 100644
index b74e3cce715d7..0000000000000
--- a/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/FlaskTemplate.py
+++ /dev/null
@@ -1,22 +0,0 @@
-from flask import Flask, request
-
-
-app = Flask(__name__)
-
-
-@app.route("/")
-def home():
- from flask import render_template_string
- if request.args.get('template'):
- return render_template_string(request.args.get('template'))
-
-
-@app.route("/a")
-def a():
- import flask
- return flask.render_template_string(request.args.get('template'))
-
-
-
-if __name__ == "__main__":
- app.run(debug=True)
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/Genshi.py b/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/Genshi.py
deleted file mode 100644
index 7800c50da968e..0000000000000
--- a/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/Genshi.py
+++ /dev/null
@@ -1,18 +0,0 @@
-from django.urls import path
-from django.http import HttpResponse
-from genshi.template import TextTemplate,MarkupTemplate
-
-def genshi1():
- template = request.GET['template']
- tmpl = MarkupTemplate(template)
- return HttpResponse(tmpl)
-
-def genshi2():
- template = request.GET['template']
- tmpl = TextTemplate(template)
- return HttpResponse(tmpl)
-
-urlpatterns = [
- path('', genshi1),
- path('', genshi2)
-]
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/JinjaSsti.py b/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/JinjaSsti.py
deleted file mode 100644
index 28225c81cbaa6..0000000000000
--- a/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/JinjaSsti.py
+++ /dev/null
@@ -1,30 +0,0 @@
-from django.urls import path
-from django.http import HttpResponse
-from jinja2 import Template as Jinja2_Template
-from jinja2 import Environment, DictLoader, escape
-
-
-def a(request):
- # Load the template
- template = request.GET['template']
- t = Jinja2_Template(template)
- name = request.GET['name']
- # Render the template with the context data
- html = t.render(name=escape(name))
- return HttpResponse(html)
-
-def b(request):
- import jinja2
- # Load the template
- template = request.GET['template']
- t = jinja2.from_string(template)
- name = request.GET['name']
- # Render the template with the context data
- html = t.render(name=escape(name))
- return HttpResponse(html)
-
-
-urlpatterns = [
- path('a', a),
- path('b', b)
-]
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/MakoSsti.py b/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/MakoSsti.py
deleted file mode 100644
index 7f6b25cb26cb7..0000000000000
--- a/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/MakoSsti.py
+++ /dev/null
@@ -1,15 +0,0 @@
-from django.urls import path
-from django.http import HttpResponse
-from mako.template import Template
-
-
-def mako(request):
- # Load the template
- template = request.GET['template']
- mytemplate = Template(template)
- return HttpResponse(mytemplate)
-
-
-urlpatterns = [
- path('', mako)
-]
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/TRender.py b/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/TRender.py
deleted file mode 100644
index 2514f22b80595..0000000000000
--- a/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/TRender.py
+++ /dev/null
@@ -1,12 +0,0 @@
-from django.urls import path
-from django.http import HttpResponse
-from trender import TRender
-
-def trender(request):
- template = request.GET['template']
- compiled = TRender(template)
- return HttpResponse(compiled)
-
-urlpatterns = [
- path('', trender)
-]
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/TemplateInjection.expected b/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/TemplateInjection.expected
deleted file mode 100644
index 06cf81cc6aafd..0000000000000
--- a/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/TemplateInjection.expected
+++ /dev/null
@@ -1,107 +0,0 @@
-edges
-| AirspeedSsti.py:2:26:2:32 | ControlFlowNode for ImportMember | AirspeedSsti.py:2:26:2:32 | ControlFlowNode for request | provenance | |
-| AirspeedSsti.py:2:26:2:32 | ControlFlowNode for request | AirspeedSsti.py:10:16:10:22 | ControlFlowNode for request | provenance | |
-| AirspeedSsti.py:10:5:10:12 | ControlFlowNode for template | AirspeedSsti.py:11:30:11:37 | ControlFlowNode for template | provenance | |
-| AirspeedSsti.py:10:16:10:22 | ControlFlowNode for request | AirspeedSsti.py:10:16:10:27 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep |
-| AirspeedSsti.py:10:16:10:27 | ControlFlowNode for Attribute | AirspeedSsti.py:10:16:10:43 | ControlFlowNode for Attribute() | provenance | dict.get |
-| AirspeedSsti.py:10:16:10:43 | ControlFlowNode for Attribute() | AirspeedSsti.py:10:5:10:12 | ControlFlowNode for template | provenance | |
-| CheetahSinks.py:1:26:1:32 | ControlFlowNode for ImportMember | CheetahSinks.py:1:26:1:32 | ControlFlowNode for request | provenance | |
-| CheetahSinks.py:1:26:1:32 | ControlFlowNode for request | CheetahSinks.py:10:16:10:22 | ControlFlowNode for request | provenance | |
-| CheetahSinks.py:1:26:1:32 | ControlFlowNode for request | CheetahSinks.py:21:16:21:22 | ControlFlowNode for request | provenance | |
-| CheetahSinks.py:10:5:10:12 | ControlFlowNode for template | CheetahSinks.py:11:21:11:28 | ControlFlowNode for template | provenance | |
-| CheetahSinks.py:10:16:10:22 | ControlFlowNode for request | CheetahSinks.py:10:16:10:27 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep |
-| CheetahSinks.py:10:16:10:27 | ControlFlowNode for Attribute | CheetahSinks.py:10:16:10:43 | ControlFlowNode for Attribute() | provenance | dict.get |
-| CheetahSinks.py:10:16:10:43 | ControlFlowNode for Attribute() | CheetahSinks.py:10:5:10:12 | ControlFlowNode for template | provenance | |
-| CheetahSinks.py:21:5:21:12 | ControlFlowNode for template | CheetahSinks.py:22:20:22:27 | ControlFlowNode for template | provenance | |
-| CheetahSinks.py:21:16:21:22 | ControlFlowNode for request | CheetahSinks.py:21:16:21:27 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep |
-| CheetahSinks.py:21:16:21:27 | ControlFlowNode for Attribute | CheetahSinks.py:21:16:21:43 | ControlFlowNode for Attribute() | provenance | dict.get |
-| CheetahSinks.py:21:16:21:43 | ControlFlowNode for Attribute() | CheetahSinks.py:21:5:21:12 | ControlFlowNode for template | provenance | |
-| ChevronSsti.py:1:26:1:32 | ControlFlowNode for ImportMember | ChevronSsti.py:1:26:1:32 | ControlFlowNode for request | provenance | |
-| ChevronSsti.py:1:26:1:32 | ControlFlowNode for request | ChevronSsti.py:10:16:10:22 | ControlFlowNode for request | provenance | |
-| ChevronSsti.py:10:5:10:12 | ControlFlowNode for template | ChevronSsti.py:11:27:11:34 | ControlFlowNode for template | provenance | |
-| ChevronSsti.py:10:16:10:22 | ControlFlowNode for request | ChevronSsti.py:10:16:10:27 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep |
-| ChevronSsti.py:10:16:10:27 | ControlFlowNode for Attribute | ChevronSsti.py:10:16:10:43 | ControlFlowNode for Attribute() | provenance | dict.get |
-| ChevronSsti.py:10:16:10:43 | ControlFlowNode for Attribute() | ChevronSsti.py:10:5:10:12 | ControlFlowNode for template | provenance | |
-| DjangoTemplates.py:6:8:6:14 | ControlFlowNode for request | DjangoTemplates.py:8:5:8:12 | ControlFlowNode for template | provenance | AdditionalTaintStep |
-| DjangoTemplates.py:8:5:8:12 | ControlFlowNode for template | DjangoTemplates.py:9:18:9:25 | ControlFlowNode for template | provenance | |
-| FlaskTemplate.py:1:26:1:32 | ControlFlowNode for ImportMember | FlaskTemplate.py:1:26:1:32 | ControlFlowNode for request | provenance | |
-| FlaskTemplate.py:1:26:1:32 | ControlFlowNode for request | FlaskTemplate.py:10:8:10:14 | ControlFlowNode for request | provenance | |
-| FlaskTemplate.py:1:26:1:32 | ControlFlowNode for request | FlaskTemplate.py:11:39:11:45 | ControlFlowNode for request | provenance | |
-| FlaskTemplate.py:1:26:1:32 | ControlFlowNode for request | FlaskTemplate.py:17:41:17:47 | ControlFlowNode for request | provenance | |
-| FlaskTemplate.py:10:8:10:14 | ControlFlowNode for request | FlaskTemplate.py:11:39:11:50 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep |
-| FlaskTemplate.py:11:39:11:45 | ControlFlowNode for request | FlaskTemplate.py:11:39:11:50 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep |
-| FlaskTemplate.py:11:39:11:50 | ControlFlowNode for Attribute | FlaskTemplate.py:11:39:11:66 | ControlFlowNode for Attribute() | provenance | dict.get |
-| FlaskTemplate.py:17:41:17:47 | ControlFlowNode for request | FlaskTemplate.py:17:41:17:52 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep |
-| FlaskTemplate.py:17:41:17:52 | ControlFlowNode for Attribute | FlaskTemplate.py:17:41:17:68 | ControlFlowNode for Attribute() | provenance | dict.get |
-| JinjaSsti.py:7:7:7:13 | ControlFlowNode for request | JinjaSsti.py:9:5:9:12 | ControlFlowNode for template | provenance | AdditionalTaintStep |
-| JinjaSsti.py:9:5:9:12 | ControlFlowNode for template | JinjaSsti.py:10:25:10:32 | ControlFlowNode for template | provenance | |
-| JinjaSsti.py:16:7:16:13 | ControlFlowNode for request | JinjaSsti.py:19:5:19:12 | ControlFlowNode for template | provenance | AdditionalTaintStep |
-| JinjaSsti.py:19:5:19:12 | ControlFlowNode for template | JinjaSsti.py:20:28:20:35 | ControlFlowNode for template | provenance | |
-| MakoSsti.py:6:10:6:16 | ControlFlowNode for request | MakoSsti.py:8:5:8:12 | ControlFlowNode for template | provenance | AdditionalTaintStep |
-| MakoSsti.py:8:5:8:12 | ControlFlowNode for template | MakoSsti.py:9:27:9:34 | ControlFlowNode for template | provenance | |
-| TRender.py:5:13:5:19 | ControlFlowNode for request | TRender.py:6:5:6:12 | ControlFlowNode for template | provenance | AdditionalTaintStep |
-| TRender.py:6:5:6:12 | ControlFlowNode for template | TRender.py:7:24:7:31 | ControlFlowNode for template | provenance | |
-nodes
-| AirspeedSsti.py:2:26:2:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember |
-| AirspeedSsti.py:2:26:2:32 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
-| AirspeedSsti.py:10:5:10:12 | ControlFlowNode for template | semmle.label | ControlFlowNode for template |
-| AirspeedSsti.py:10:16:10:22 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
-| AirspeedSsti.py:10:16:10:27 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
-| AirspeedSsti.py:10:16:10:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
-| AirspeedSsti.py:11:30:11:37 | ControlFlowNode for template | semmle.label | ControlFlowNode for template |
-| CheetahSinks.py:1:26:1:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember |
-| CheetahSinks.py:1:26:1:32 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
-| CheetahSinks.py:10:5:10:12 | ControlFlowNode for template | semmle.label | ControlFlowNode for template |
-| CheetahSinks.py:10:16:10:22 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
-| CheetahSinks.py:10:16:10:27 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
-| CheetahSinks.py:10:16:10:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
-| CheetahSinks.py:11:21:11:28 | ControlFlowNode for template | semmle.label | ControlFlowNode for template |
-| CheetahSinks.py:21:5:21:12 | ControlFlowNode for template | semmle.label | ControlFlowNode for template |
-| CheetahSinks.py:21:16:21:22 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
-| CheetahSinks.py:21:16:21:27 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
-| CheetahSinks.py:21:16:21:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
-| CheetahSinks.py:22:20:22:27 | ControlFlowNode for template | semmle.label | ControlFlowNode for template |
-| ChevronSsti.py:1:26:1:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember |
-| ChevronSsti.py:1:26:1:32 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
-| ChevronSsti.py:10:5:10:12 | ControlFlowNode for template | semmle.label | ControlFlowNode for template |
-| ChevronSsti.py:10:16:10:22 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
-| ChevronSsti.py:10:16:10:27 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
-| ChevronSsti.py:10:16:10:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
-| ChevronSsti.py:11:27:11:34 | ControlFlowNode for template | semmle.label | ControlFlowNode for template |
-| DjangoTemplates.py:6:8:6:14 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
-| DjangoTemplates.py:8:5:8:12 | ControlFlowNode for template | semmle.label | ControlFlowNode for template |
-| DjangoTemplates.py:9:18:9:25 | ControlFlowNode for template | semmle.label | ControlFlowNode for template |
-| FlaskTemplate.py:1:26:1:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember |
-| FlaskTemplate.py:1:26:1:32 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
-| FlaskTemplate.py:10:8:10:14 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
-| FlaskTemplate.py:11:39:11:45 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
-| FlaskTemplate.py:11:39:11:50 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
-| FlaskTemplate.py:11:39:11:66 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
-| FlaskTemplate.py:17:41:17:47 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
-| FlaskTemplate.py:17:41:17:52 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
-| FlaskTemplate.py:17:41:17:68 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
-| JinjaSsti.py:7:7:7:13 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
-| JinjaSsti.py:9:5:9:12 | ControlFlowNode for template | semmle.label | ControlFlowNode for template |
-| JinjaSsti.py:10:25:10:32 | ControlFlowNode for template | semmle.label | ControlFlowNode for template |
-| JinjaSsti.py:16:7:16:13 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
-| JinjaSsti.py:19:5:19:12 | ControlFlowNode for template | semmle.label | ControlFlowNode for template |
-| JinjaSsti.py:20:28:20:35 | ControlFlowNode for template | semmle.label | ControlFlowNode for template |
-| MakoSsti.py:6:10:6:16 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
-| MakoSsti.py:8:5:8:12 | ControlFlowNode for template | semmle.label | ControlFlowNode for template |
-| MakoSsti.py:9:27:9:34 | ControlFlowNode for template | semmle.label | ControlFlowNode for template |
-| TRender.py:5:13:5:19 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
-| TRender.py:6:5:6:12 | ControlFlowNode for template | semmle.label | ControlFlowNode for template |
-| TRender.py:7:24:7:31 | ControlFlowNode for template | semmle.label | ControlFlowNode for template |
-subpaths
-#select
-| AirspeedSsti.py:11:30:11:37 | ControlFlowNode for template | AirspeedSsti.py:2:26:2:32 | ControlFlowNode for ImportMember | AirspeedSsti.py:11:30:11:37 | ControlFlowNode for template | This Template depends on $@. | AirspeedSsti.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value |
-| CheetahSinks.py:11:21:11:28 | ControlFlowNode for template | CheetahSinks.py:1:26:1:32 | ControlFlowNode for ImportMember | CheetahSinks.py:11:21:11:28 | ControlFlowNode for template | This Template depends on $@. | CheetahSinks.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value |
-| CheetahSinks.py:22:20:22:27 | ControlFlowNode for template | CheetahSinks.py:1:26:1:32 | ControlFlowNode for ImportMember | CheetahSinks.py:22:20:22:27 | ControlFlowNode for template | This Template depends on $@. | CheetahSinks.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value |
-| ChevronSsti.py:11:27:11:34 | ControlFlowNode for template | ChevronSsti.py:1:26:1:32 | ControlFlowNode for ImportMember | ChevronSsti.py:11:27:11:34 | ControlFlowNode for template | This Template depends on $@. | ChevronSsti.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value |
-| DjangoTemplates.py:9:18:9:25 | ControlFlowNode for template | DjangoTemplates.py:6:8:6:14 | ControlFlowNode for request | DjangoTemplates.py:9:18:9:25 | ControlFlowNode for template | This Template depends on $@. | DjangoTemplates.py:6:8:6:14 | ControlFlowNode for request | user-provided value |
-| FlaskTemplate.py:11:39:11:66 | ControlFlowNode for Attribute() | FlaskTemplate.py:1:26:1:32 | ControlFlowNode for ImportMember | FlaskTemplate.py:11:39:11:66 | ControlFlowNode for Attribute() | This Template depends on $@. | FlaskTemplate.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value |
-| FlaskTemplate.py:17:41:17:68 | ControlFlowNode for Attribute() | FlaskTemplate.py:1:26:1:32 | ControlFlowNode for ImportMember | FlaskTemplate.py:17:41:17:68 | ControlFlowNode for Attribute() | This Template depends on $@. | FlaskTemplate.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value |
-| JinjaSsti.py:10:25:10:32 | ControlFlowNode for template | JinjaSsti.py:7:7:7:13 | ControlFlowNode for request | JinjaSsti.py:10:25:10:32 | ControlFlowNode for template | This Template depends on $@. | JinjaSsti.py:7:7:7:13 | ControlFlowNode for request | user-provided value |
-| JinjaSsti.py:20:28:20:35 | ControlFlowNode for template | JinjaSsti.py:16:7:16:13 | ControlFlowNode for request | JinjaSsti.py:20:28:20:35 | ControlFlowNode for template | This Template depends on $@. | JinjaSsti.py:16:7:16:13 | ControlFlowNode for request | user-provided value |
-| MakoSsti.py:9:27:9:34 | ControlFlowNode for template | MakoSsti.py:6:10:6:16 | ControlFlowNode for request | MakoSsti.py:9:27:9:34 | ControlFlowNode for template | This Template depends on $@. | MakoSsti.py:6:10:6:16 | ControlFlowNode for request | user-provided value |
-| TRender.py:7:24:7:31 | ControlFlowNode for template | TRender.py:5:13:5:19 | ControlFlowNode for request | TRender.py:7:24:7:31 | ControlFlowNode for template | This Template depends on $@. | TRender.py:5:13:5:19 | ControlFlowNode for request | user-provided value |
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/TemplateInjection.qlref b/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/TemplateInjection.qlref
deleted file mode 100644
index 90efec9f6360a..0000000000000
--- a/python/ql/test/experimental/query-tests/Security/CWE-074-TemplateInjection/TemplateInjection.qlref
+++ /dev/null
@@ -1 +0,0 @@
-experimental/Security/CWE-074/TemplateInjection.ql