CodeQL library for Python
codeql/python-all 0.12.1

Module PathInjectionConfig

This configuration uses two flow states, NotNormalized and NormalizedUnchecked, to track the requirement that a file path must first be normalized and then checked before it is safe to use.

At sources, paths are assumed not to be normalized. At normalization points, they change state to NormalizedUnchecked, after which they can be made safe by an appropriate check of the prefix.

Such checks are ineffective in the NotNormalized state.
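
The ordering requirement above, shown on the kind of Python code this configuration analyzes. This is an added example, not part of the CodeQL library or its documentation; BASE_DIR, the function names and the sample inputs are assumptions made for illustration.

```python
import posixpath  # same functions as os.path on POSIX systems
from typing import Optional

BASE_DIR = "/srv/app/static"  # assumed base directory (constructed for this example)


def escapes_base(path: str) -> bool:
    """True if the path, once resolved lexically, lies outside BASE_DIR."""
    return not posixpath.normpath(path).startswith(BASE_DIR + "/")


def check_without_normalizing(user_path: str) -> Optional[str]:
    """Prefix check in the NotNormalized state: it passes for every input."""
    full = BASE_DIR + "/" + user_path          # tainted, NotNormalized
    if full.startswith(BASE_DIR + "/"):        # ineffective: ".." is still in the path
        return full
    return None


def normalize_then_check(user_path: str) -> Optional[str]:
    """Normalize first, then check the prefix of the normalized path."""
    full = posixpath.normpath(posixpath.join(BASE_DIR, user_path))  # NormalizedUnchecked
    if full.startswith(BASE_DIR + "/"):        # effective: checked after normalization
        return full
    return None


# Constructed sample inputs.
SAMPLES = ["css/site.css", "../secrets/config.yml", "../static-old/x", "/etc/hosts"]

if __name__ == "__main__":
    for s in SAMPLES:
        weak = check_without_normalizing(s)
        print(f"{s!r}: unnormalized check -> {weak!r} (escapes base: {escapes_base(weak)}), "
              f"normalize-then-check -> {normalize_then_check(s)!r}")
```

The trailing separator in the prefix comparison is what rejects the sibling directory `static-old`, which shares the string prefix `/srv/app/static` but is outside the base directory.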

Import path




Holds if data may flow from node1 to node2 in addition to the normal data-flow steps. This step is only applicable in state1 and updates the flow state to state2.


Holds if data flow through node is prohibited. This completely removes node from the data flow graph.


Holds if data flow through node is prohibited when the flow state is state.


Holds if sink is a relevant data flow sink accepting state.


Holds if source is a relevant data flow source with the given initial state.