adjust which folders are seen as exported to remove an FP

erik-krogh · erik-krogh · commit cf094c2f4f18 · 2023-02-03T14:47:55.000+01:00
diff --git a/python/ql/lib/semmle/python/frameworks/Setuptools.qll b/python/ql/lib/semmle/python/frameworks/Setuptools.qll
@@ -19,7 +19,12 @@ module Setuptools {
    * Gets a file or folder that is exported by a library.
    */
   private Container getALibraryExportedContainer() {
-    result = setupFile().getParent()
+    // a child folder of the root that has a setup.py file
+    result = setupFile().getParent().(Folder).getAFolder() and
+    // where the folder has __init__.py file
+    exists(result.(Folder).getFile("__init__.py")) and
+    // and is not a test folder
+    not result.(Folder).getBaseName() = ["test", "tests", "testing"]
     or
     // child of a library exported container
     result = getALibraryExportedContainer().getAChildContainer() and
@@ -29,9 +34,7 @@ module Setuptools {
       or
       // or a folder with an __init__.py file
       exists(result.(Folder).getFile("__init__.py"))
-    ) and
-    // that is not a test folder
-    not result.(Folder).getBaseName() = ["test", "tests", "testing"]
+    )
   }
 
   /**
diff --git a/python/ql/test/query-tests/Security/CWE-078-UnsafeShellCommandConstruction/setup_posix.py b/python/ql/test/query-tests/Security/CWE-078-UnsafeShellCommandConstruction/setup_posix.py
@@ -0,0 +1,4 @@
+import os 
+
+def unsafe_setup(name):
+    os.system("ping " + name) # $result=OK - this is inside a setyp script, so it's fine.
