Python: More refinements

As it turns out, referring to the request object using `flask.request`
is not uncommon, and this meant restricting to `Name` nodes was too
strong. With the changes in this commit, we now include those
occurrences as well.

Author: tausbn

python/ql/lib/semmle/python/frameworks/Flask.qll

@@ -440,11 +440,13 @@ module Flask {
       // Using `request().asSource()` would result in data-flow paths starting at the import of
       // `request`, which is not very useful. Instead, we look at all the places this `request`
       // object can flow, and use only those that are local sources (so we only get the first
-      // instance of `request` in a function), and those that correspond to `Name` nodes (so we
-      // don't get the initial import, which is an `ImportMember`).
+      // instance of `request` in a function), expressions (so we don't get any SSA entry
+      // definitions), and which don't correspond to an `ImportMember` (so we don't get the
+      // `from flask import request` occurrence).
       this = request().getAValueReachableFromSource() and
       this instanceof DataFlow::LocalSourceNode and
-      this.asExpr() instanceof Name
+      this instanceof DataFlow::ExprNode and
+      not this.asExpr() instanceof ImportMember
     }
 
     override string getSourceType() { result = "flask.request" }