Fix Sink utilization in select

Author: jorgectf

python/ql/src/experimental/Security/CWE-730/RegexInjection.ql

@@ -16,13 +16,10 @@ import python
 import experimental.semmle.python.security.injection.RegexInjection
 import DataFlow::PathGraph
 
-from
-  RegexInjectionFlowConfig config, DataFlow::PathNode source, DataFlow::PathNode sink,
-  RegexInjectionSink castedSink
-where
-  config.hasFlowPath(source, sink) and
-  castedSink = sink.getNode()
+from RegexInjectionFlowConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
+where config.hasFlowPath(source, sink)
 select sink.getNode(), source, sink,
   "$@ regular expression is constructed from a $@ and executed by $@.", sink.getNode(), "This",
-  source.getNode(), "user-provided value", castedSink,
-  castedSink.getRegexModule() + "." + castedSink.asExpr().(Attribute).getName()
+  source.getNode(), "user-provided value", sink.getNode(),
+  sink.getNode().(RegexInjectionSink).getRegexModule() + "." +
+    sink.getNode().(RegexInjectionSink).getRegexMethod().getName()

python/ql/src/experimental/semmle/python/security/injection/RegexInjection.qll

@@ -11,15 +11,19 @@ import semmle.python.dataflow.new.RemoteFlowSources
 
 class RegexInjectionSink extends DataFlow::Node {
   string regexModule;
+  Attribute regexMethod;
 
   RegexInjectionSink() {
     exists(RegexExecution reExec |
       this = reExec.getRegexNode() and
-      regexModule = reExec.getRegexModule()
+      regexModule = reExec.getRegexModule() and
+      regexMethod = reExec.(DataFlow::CallCfgNode).getFunction().asExpr().(Attribute)
     )
   }
 
   string getRegexModule() { result = regexModule }
+
+  Attribute getRegexMethod() { result = regexMethod }
 }
 
 /**