import os
from flask import Flask, request

app = Flask(__name__)


class CCC:
    def update(self, **kwargs):
        # Sink: the "mode" keyword argument is passed straight to a shell.
        os.system(kwargs["mode"])


class test:
    def __init__(self):
        self.A = CCC()

    def execute_command(self):
        # Source: user-controlled query parameter of the request.
        cmd = request.args.get('cmd')
        self.A.update(mode=cmd, file="a")
        return "Command executed"


# As posted, @app.route('/execute') decorated the method directly; Flask would
# then call it without `self`, so the bound method of an instance is registered.
app.add_url_rule('/execute', view_func=test().execute_command)
ql:
/**
* @name Uncontrolled command line
* @description Using externally controlled strings in a command line may allow a malicious
* user to change the meaning of the command.
* @kind path-problem
* @problem.severity error
* @security-severity 9.8
* @sub-severity high
* @precision high
* @id py/command-line-injection
* @tags correctness
* security
* external/cwe/cwe-078
* external/cwe/cwe-088
*/
import python
import semmle.python.security.dataflow.CommandInjectionQuery
import CommandInjectionFlow::PathGraph
from CommandInjectionFlow::PathNode source, CommandInjectionFlow::PathNode sink
where CommandInjectionFlow::flowPath(source, sink)
select sink.getNode(), source, sink, "This command line depends on a $@.", source.getNode(),
"user-provided value"
This QL file cannot find the bug!!!!???
Why???
I hope you can help me, thank you.
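The issue's `CCC.update(**kwargs)` forwards `kwargs["mode"]` to `os.system`, so whatever the `cmd` query parameter contains is parsed by a shell. As an added example (not code from the issue, and not part of CodeQL), the same `update(**kwargs)` shape with that sink removed: the requested mode is resolved through a fixed allowlist to an argv list and executed with `subprocess.run(..., shell=False)`, so the request can choose which command runs but never its text. The Flask route is left out so the code runs stand-alone; `handle_request` takes a plain dict standing in for `request.args` (an assumption), and the allowlist entries are constructed sample values.

```python
import subprocess

# Constructed allowlist: every permitted "mode" maps to a fixed argv, so the
# request selects a command but cannot supply any part of its text.
ALLOWED_MODES = {
    "disk": ["df", "-h"],
    "uptime": ["uptime"],
    "hello": ["echo", "hello"],
}


def resolve_mode(mode):
    """Map a requested mode to its fixed argv, or None when it is not allow-listed.

    Anything that is not an exact key (including values carrying shell
    metacharacters such as ';' or '$(...)') is rejected, not sanitised.
    """
    if not isinstance(mode, str):
        return None
    argv = ALLOWED_MODES.get(mode)
    return list(argv) if argv else None


class SafeCCC:
    """Hardened counterpart of the issue's CCC.update(**kwargs)."""

    def update(self, **kwargs):
        argv = resolve_mode(kwargs.get("mode"))
        if argv is None:
            raise ValueError("mode is not allow-listed")
        # shell=False: argv goes to execve directly, no shell parsing occurs.
        result = subprocess.run(
            argv, shell=False, capture_output=True, text=True, timeout=10, check=False
        )
        return result.stdout


def handle_request(query_args):
    """Request-handling logic of the issue's execute_command, minus Flask.

    query_args stands in for flask.request.args (assumed here to be a dict).
    Returns an (http_status, body) pair instead of a Flask response.
    """
    cmd = query_args.get("cmd")
    try:
        output = SafeCCC().update(mode=cmd, file="a")
    except ValueError:
        return 400, "unknown mode"
    return 200, output
```

Rejecting unknown modes outright (rather than escaping them) keeps the decision binary and easy to audit; it also means the `mode` value never reaches a command line at all, so a taint query has no shell sink left to report on this path.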