Python: Re-introduce syntactic handling of str/bytes/unicode

I don't want to loose results on this, so until type-tracking/API graphs
can handle this, I want to keep our syntactic handling.

Author: RasmusWL

python/ql/src/semmle/python/dataflow/new/internal/TaintTrackingPrivate.qll

@@ -77,7 +77,11 @@ predicate subscriptStep(DataFlow::CfgNode nodeFrom, DataFlow::CfgNode nodeTo) {
 predicate stringManipulation(DataFlow::CfgNode nodeFrom, DataFlow::CfgNode nodeTo) {
   // transforming something tainted into a string will make the string tainted
   exists(DataFlow::CallCfgNode call | call = nodeTo |
-    call = API::builtin(["str", "bytes", "unicode"]).getACall() and
+    (
+      call = API::builtin(["str", "bytes", "unicode"]).getACall()
+      or
+      call.getFunction().asCfgNode().(NameNode).getId() in ["str", "bytes", "unicode"]
+    ) and
     nodeFrom in [call.getArg(0), call.getArgByName("object")]
   )
   or

python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/test_string.py

@@ -32,7 +32,7 @@ def str_operations():
         ts[0], # $ tainted
         str(ts), # $ tainted
         bytes(tb), # $ tainted
-        unicode(ts), # $ MISSING: tainted
+        unicode(ts), # $ tainted
     )
 
     aug_assignment = "safe"