codeqlhelper
diff --git a/‎python/ql/src/experimental/Security/CWE-409/DecompressionBombs.ql
Lines changed: 4 additions & 6 deletions b/‎python/ql/src/experimental/Security/CWE-409/DecompressionBombs.ql
Lines changed: 4 additions & 6 deletions
@@ -36,8 +36,7 @@ predicate isAdditionalTaintStepTextIOWrapper(DataFlow::Node nodeFrom, DataFlow::
   |
     nodeFrom = textIOWrapper.getParameter(0, "input").asSink() and
     nodeTo = textIOWrapper
-  ) and
-  exists(nodeTo.getLocation().getFile().getRelativePath())
+  )
 }
 
 module FileAndFormRemoteFlowSource {
@@ -62,7 +61,7 @@ module FileAndFormRemoteFlowSource {
         fastApiUploadFile =
           fastApiParam.asSource().asExpr().(Parameter).getAnnotation().getASubExpression*() and
         // Multiple Uploaded files as list of fastapi.UploadFile
-        exists(For f, Attribute attr, DataFlow::Node a, DataFlow::Node b |
+        exists(For f, Attribute attr |
           fastApiParam.getAValueReachableFromSource().asExpr() = f.getIter().getASubExpression*()
         |
           TaintTracking::localExprTaint(f.getIter(), attr.getObject()) and
@@ -80,11 +79,10 @@ module FileAndFormRemoteFlowSource {
                 .getReturn()
                 .asSource(), fastApiParam.getMember("read").getReturn().asSource()
           ]
-      ) and
-      exists(this.getLocation().getFile().getRelativePath())
+      )
     }
 
-    override string getSourceType() { result = "HTTP FORM" }
+    override string getSourceType() { result = "fastapi HTTP FORM files" }
   }
 }
Original file line number	Diff line number	Diff line change
`@@ -36,8 +36,7 @@ predicate isAdditionalTaintStepTextIOWrapper(DataFlow::Node nodeFrom, DataFlow::`
`36`	`36`	`\|`
`37`	`37`	`nodeFrom = textIOWrapper.getParameter(0, "input").asSink() and`
`38`	`38`	`nodeTo = textIOWrapper`
`39`		`- ) and`
`40`		`- exists(nodeTo.getLocation().getFile().getRelativePath())`
	`39`	`+ )`
`41`	`40`	`}`
`42`	`41`
`43`	`42`	`module FileAndFormRemoteFlowSource {`
`@@ -62,7 +61,7 @@ module FileAndFormRemoteFlowSource {`
`62`	`61`	`fastApiUploadFile =`
`63`	`62`	`fastApiParam.asSource().asExpr().(Parameter).getAnnotation().getASubExpression*() and`
`64`	`63`	`// Multiple Uploaded files as list of fastapi.UploadFile`
`65`		`- exists(For f, Attribute attr, DataFlow::Node a, DataFlow::Node b \|`
	`64`	`+ exists(For f, Attribute attr \|`
`66`	`65`	`fastApiParam.getAValueReachableFromSource().asExpr() = f.getIter().getASubExpression*()`
`67`	`66`	`\|`
`68`	`67`	`TaintTracking::localExprTaint(f.getIter(), attr.getObject()) and`
`@@ -80,11 +79,10 @@ module FileAndFormRemoteFlowSource {`
`80`	`79`	`.getReturn()`
`81`	`80`	`.asSource(), fastApiParam.getMember("read").getReturn().asSource()`
`82`	`81`	`]`
`83`		`- ) and`
`84`		`- exists(this.getLocation().getFile().getRelativePath())`
	`82`	`+ )`
`85`	`83`	`}`
`86`	`84`
`87`		`- override string getSourceType() { result = "HTTP FORM" }`
	`85`	`+ override string getSourceType() { result = "fastapi HTTP FORM files" }`
`88`	`86`	`}`
`89`	`87`	`}`
`90`	`88`