From fc75a0c67a6357ce91834af8762d5f56f51d7796 Mon Sep 17 00:00:00 2001
From: elsapet
Date: Fri, 24 May 2024 16:15:48 +0200
Subject: [PATCH 1/2] fix(python/django): FileSystemStorage call

---
 rules/python/django/path_using_user_input.yml | 6 +++++-
 tests/python/django/path_using_user_input/testdata/main.py | 4 ++--
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/rules/python/django/path_using_user_input.yml b/rules/python/django/path_using_user_input.yml
index 61170167..a256ddd9 100644
--- a/rules/python/django/path_using_user_input.yml
+++ b/rules/python/django/path_using_user_input.yml
@@ -2,8 +2,12 @@ imports:
 - python_shared_common_user_input
 - python_shared_lang_import4
 patterns:
- - pattern: $($<...>$$<...>)
+ - pattern: $($<...>$=$$<...>)
 filters:
+ - variable: PARAM values:
+ - location
+ - base_url
 - variable: USER_INPUT
 detection: python_shared_common_user_input
 scope: result
diff --git a/tests/python/django/path_using_user_input/testdata/main.py b/tests/python/django/path_using_user_input/testdata/main.py
index 0251d6a0..2bdf602b 100644
--- a/tests/python/django/path_using_user_input/testdata/main.py
+++ b/tests/python/django/path_using_user_input/testdata/main.py
@@ -1,10 +1,10 @@
 from django.core.files.storage import FileSystemStorage as FSS

 # bearer:expected python_django_path_using_user_input
-fs = FSS(form.cleaned_data["storage_path"])
+fs = FSS(location=form.cleaned_data["storage_path"])
 request_file = request.FILES['document']
 file = fs.save(request_file)

 from django.core.files.storage import default_storage
 # bearer:expected python_django_path_using_user_input
-default_storage.save(form.cleaned_data["filepath"])
\ No newline at end of file
+default_storage.save(location=form.cleaned_data["filepath"])
\ No newline at end of file
From 6cc1c590315c03359a6970aa70ab7d0ee04b0d4b Mon Sep 17 00:00:00 2001
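Review bot: The new `PARAM` filter accepts `base_url` next to `location`, but `FileSystemStorage(base_url=...)` only sets the URL prefix that `Storage.url()` prepends to file names; it is not a filesystem path, so a match on it is reported by a rule named path_using_user_input and the finding text will describe the wrong risk. Either restrict this filter to `location`, or record the reasoning next to it with a comment such as `# base_url is a URL prefix, not a path; kept here because both values are FileSystemStorage constructor input`, so the next maintainer does not remove it as a mistake. The rule's metadata and the remaining patterns lie outside the hunk, so whether the description already explains this is not visible here.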
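Review bot: The rewritten fixture `default_storage.save(location=form.cleaned_data["filepath"])` is not a call Django's storage API accepts: `Storage.save()` takes the file name as its first positional argument (`save(name, content=None, max_length=None)`) and has no `location` parameter, so this line raises `TypeError` at runtime and no longer resembles the code the rule is meant to catch. It keeps its `# bearer:expected` marker, while the `$.save($, $<...>)` pattern visible in the second patch's context expects a positional first argument, so if the test still passes the finding presumably comes from a different pattern than intended. Restore the original form `default_storage.save(form.cleaned_data["filepath"])`, or use the real parameter name `default_storage.save(name=form.cleaned_data["filepath"])` if a keyword variant is wanted. The same line is carried unchanged as context into the second patch's main.py hunk.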
From: elsapet
Date: Mon, 27 May 2024 12:10:42 +0200
Subject: [PATCH 2/2] fix: add patterns for positional arguments

---
 rules/python/django/path_using_user_input.yml | 38 +++++++++++++++++++
 .../path_using_user_input/testdata/main.py | 6 +++
 2 files changed, 44 insertions(+)

diff --git a/rules/python/django/path_using_user_input.yml b/rules/python/django/path_using_user_input.yml
index a256ddd9..4614ceb4 100644
--- a/rules/python/django/path_using_user_input.yml
+++ b/rules/python/django/path_using_user_input.yml
@@ -25,6 +25,44 @@ patterns:
 values: [storage]
 - variable: NAME
 values: [FileSystemStorage]
+ - pattern: $($$<...>)
+ filters:
+ - variable: LOCATION
+ detection: python_shared_common_user_input
+ scope: result
+ - variable: FILE_SYSTEM_STORAGE
+ detection: python_shared_lang_import4
+ scope: cursor
+ filters:
+ - variable: MODULE1
+ values: [django]
+ - variable: MODULE2
+ values: [core]
+ - variable: MODULE3
+ values: [files]
+ - variable: MODULE4
+ values: [storage]
+ - variable: NAME
+ values: [FileSystemStorage]
+ - pattern: $($, $$<...>)
+ filters:
+ - variable: BASE_URL
+ detection: python_shared_common_user_input
+ scope: result
+ - variable: FILE_SYSTEM_STORAGE
+ detection: python_shared_lang_import4
+ scope: cursor
+ filters:
+ - variable: MODULE1
+ values: [django]
+ - variable: MODULE2
+ values: [core]
+ - variable: MODULE3
+ values: [files]
+ - variable: MODULE4
+ values: [storage]
+ - variable: NAME
+ values: [FileSystemStorage]
 - pattern: $.save($, $<...>)
 filters:
 - variable: DEFAULT_STORAGE
diff --git a/tests/python/django/path_using_user_input/testdata/main.py b/tests/python/django/path_using_user_input/testdata/main.py
index 2bdf602b..21ff6a47 100644
--- a/tests/python/django/path_using_user_input/testdata/main.py
+++ b/tests/python/django/path_using_user_input/testdata/main.py
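Review bot: Both new positional patterns copy the whole `FILE_SYSTEM_STORAGE` import filter (`python_shared_lang_import4` with `scope: cursor` and the five `MODULE1`..`MODULE4`/`NAME` value filters) verbatim from the keyword pattern above, so the same eleven lines now exist three times in this rule and a future correction to the import match has to be applied in three places. Moving the FileSystemStorage import match into an `auxiliary` rule of this file and referencing its id via `detection:` from all three patterns would leave each pattern with only its argument filter and make the three variants read as one rule. The `patterns:` list continues outside the hunk, so I cannot see whether an auxiliary block already exists.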
@@ -5,6 +5,12 @@
 request_file = request.FILES['document']
 file = fs.save(request_file)

+# bearer:expected python_django_path_using_user_input
+fs = FSS(form.cleaned_data["storage_path"])
+
+# bearer:expected python_django_path_using_user_input
+fs = FSS("some/safe/location", form.cleaned_data["base_url"])
+
 from django.core.files.storage import default_storage
 # bearer:expected python_django_path_using_user_input
 default_storage.save(location=form.cleaned_data["filepath"])
\ No newline at end of file
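Review bot: Both added fixtures are positive cases carrying `# bearer:expected`, and the file still contains no FileSystemStorage call that must stay unreported, so a pattern that over-matches (for example the new `$($$<...>)` pattern if its first-argument filter were ever loosened to match any call) would pass this snapshot unchanged. Add an unannotated negative case beside the positive ones, e.g. `fs = FSS("some/safe/location")`, so the test also pins the absence of a finding for constant arguments. The fixture is a flat script, so no enclosing definition is cut by the hunk.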