Python: Fix SSTI query by importing UntrustedStringKind

RasmusWL · RasmusWL · commit d9d56235ab88 · 2020-07-21T11:41:16.000+02:00
Without a concrete ExternalStringKind class, there will be no flow for
ExternalStringKind by default.
diff --git a/python/ql/src/experimental/CWE-074/TemplateInjection.ql b/python/ql/src/experimental/CWE-074/TemplateInjection.ql
@@ -15,6 +15,8 @@ import semmle.python.security.Paths
 import semmle.python.web.HttpRequest
 /* Sinks */
 import experimental.semmle.python.templates.Ssti
+/* Flow */
+import semmle.python.security.strings.Untrusted
 
 class TemplateInjectionConfiguration extends TaintTracking::Configuration {
   TemplateInjectionConfiguration() { this = "Template injection configuration" }
