1

test.ql

@@ -20,7 +20,7 @@ Node getClassNode() {
 
 predicate test(Function routeFunc) {
     exists(Node noAuthClassNode|
-        routeFunc.getADecorator() = getRouteNode().asExpr() 
+        routeFunc.getADecorator() = getNoAuthClassNode().asExpr() 
         and not exists(Function authFunc |
             authFunc.getADecorator().(Attribute).getName() = "login_required"
             |routeFunc = authFunc
@@ -29,15 +29,23 @@ predicate test(Function routeFunc) {
 }
 
 Node getNoAuthClassNode() {
-    exists(Node noAuthClassNode|
+    exists(Node noAuthClassNode, API::Node flaskNode|
         noAuthClassNode = getClassNode()
         and not exists( Function globalFunc, Node globalNode|
             globalFunc.getADecorator().(Attribute).getName() = "before_request"
             and globalFunc.getName().toLowerCase().matches("%soa%")
             and globalFunc.getADecorator().(Attribute).getObject() = globalNode.asExpr()
             and noAuthClassNode.getALocalSource().flowsTo(globalNode)
         )
-        | result = noAuthClassNode
+        | 
+        flaskNode = [
+            Flask::FlaskApp::instance(),
+            Flask::Blueprint::instance()
+        ]
+        and flaskNode.asSource() = noAuthClassNode
+        and result = [
+            flaskNode.getMember("route").getACall()
+        ]
     )
 }