hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-28 10:15:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'main' into promote-xxe

Browse Source
This commit is contained in:
Rasmus Wriedt Larsen
2022-04-06 12:56:31 +02:00
parent b7f56dd17e b99767ef52
commit 23637fd691
286 changed files with 5488 additions and 1833 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
python/ql/src/Security/CWE-022/PathInjection.ql
View File

@@ -17,10 +17,10 @@
*/
import python
import semmle.python.security.dataflow.PathInjection
import semmle.python.security.dataflow.PathInjectionQuery
import DataFlow::PathGraph
from PathInjection::Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
where config.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "This path depends on $@.", source.getNode(),
"a user-provided value"

4
python/ql/src/Security/CWE-078/CommandInjection.ql
View File

@@ -15,10 +15,10 @@
*/
import python
import semmle.python.security.dataflow.CommandInjection
import semmle.python.security.dataflow.CommandInjectionQuery
import DataFlow::PathGraph
from CommandInjection::Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
where config.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "This command depends on $@.", source.getNode(),
"a user-provided value"

4
python/ql/src/Security/CWE-079/ReflectedXss.ql
View File

@@ -14,10 +14,10 @@
*/
import python
import semmle.python.security.dataflow.ReflectedXSS
import semmle.python.security.dataflow.ReflectedXssQuery
import DataFlow::PathGraph
from ReflectedXss::Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
where config.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "Cross-site scripting vulnerability due to $@.",
source.getNode(), "a user-provided value"

4
python/ql/src/Security/CWE-089/SqlInjection.ql
View File

@@ -12,10 +12,10 @@
*/
import python
import semmle.python.security.dataflow.SqlInjection
import semmle.python.security.dataflow.SqlInjectionQuery
import DataFlow::PathGraph
from SqlInjection::Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
where config.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "This SQL query depends on $@.", source.getNode(),
"a user-provided value"

6
python/ql/src/Security/CWE-090/LdapInjection.ql
View File

@@ -13,15 +13,15 @@
// Determine precision above
import python
import semmle.python.security.dataflow.LdapInjection
import semmle.python.security.dataflow.LdapInjectionQuery
import DataFlow::PathGraph
from DataFlow::PathNode source, DataFlow::PathNode sink, string parameterName
where
any(LdapInjection::DnConfiguration dnConfig).hasFlowPath(source, sink) and
any(DnConfiguration dnConfig).hasFlowPath(source, sink) and
parameterName = "DN"
or
any(LdapInjection::FilterConfiguration filterConfig).hasFlowPath(source, sink) and
any(FilterConfiguration filterConfig).hasFlowPath(source, sink) and
parameterName = "filter"
select sink.getNode(), source, sink,
"$@ LDAP query parameter (" + parameterName + ") comes from $@.", sink.getNode(), "This",

4
python/ql/src/Security/CWE-094/CodeInjection.ql
View File

@@ -15,10 +15,10 @@
*/
import python
import semmle.python.security.dataflow.CodeInjection
import semmle.python.security.dataflow.CodeInjectionQuery
import DataFlow::PathGraph
from CodeInjection::Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
where config.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "$@ flows to here and is interpreted as code.",
source.getNode(), "A user-provided value"

4
python/ql/src/Security/CWE-117/LogInjection.ql
View File

@@ -12,10 +12,10 @@
*/
import python
import semmle.python.security.dataflow.LogInjection
import semmle.python.security.dataflow.LogInjectionQuery
import DataFlow::PathGraph
from LogInjection::Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
where config.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "$@ flows to log entry.", source.getNode(),
"User-provided value"

4
python/ql/src/Security/CWE-209/StackTraceExposure.ql
View File

@@ -14,10 +14,10 @@
*/
import python
import semmle.python.security.dataflow.StackTraceExposure
import semmle.python.security.dataflow.StackTraceExposureQuery
import DataFlow::PathGraph
from StackTraceExposure::Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
where config.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "$@ may be exposed to an external user", source.getNode(),
"Error information"

2
python/ql/src/Security/CWE-312/CleartextLogging.ql
View File

@@ -16,7 +16,7 @@
import python
private import semmle.python.dataflow.new.DataFlow
import DataFlow::PathGraph
import semmle.python.security.dataflow.CleartextLogging::CleartextLogging
import semmle.python.security.dataflow.CleartextLoggingQuery
from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink, string classification
where

2
python/ql/src/Security/CWE-312/CleartextStorage.ql
View File

@@ -16,7 +16,7 @@
import python
private import semmle.python.dataflow.new.DataFlow
import DataFlow::PathGraph
import semmle.python.security.dataflow.CleartextStorage::CleartextStorage
import semmle.python.security.dataflow.CleartextStorageQuery
from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink, string classification
where

2
python/ql/src/Security/CWE-327/WeakSensitiveDataHashing.ql
View File

@@ -13,7 +13,7 @@
*/
import python
import semmle.python.security.dataflow.WeakSensitiveDataHashing
import semmle.python.security.dataflow.WeakSensitiveDataHashingQuery
import semmle.python.dataflow.new.DataFlow
import semmle.python.dataflow.new.TaintTracking
import DataFlow::PathGraph

4
python/ql/src/Security/CWE-502/UnsafeDeserialization.ql
View File

@@ -13,9 +13,9 @@
*/
import python
import semmle.python.security.dataflow.UnsafeDeserialization
import semmle.python.security.dataflow.UnsafeDeserializationQuery
import DataFlow::PathGraph
from UnsafeDeserialization::Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
where config.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "Deserializing of $@.", source.getNode(), "untrusted input"

4
python/ql/src/Security/CWE-601/UrlRedirect.ql
View File

@@ -13,10 +13,10 @@
*/
import python
import semmle.python.security.dataflow.UrlRedirect
import semmle.python.security.dataflow.UrlRedirectQuery
import DataFlow::PathGraph
from UrlRedirect::Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
where config.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "Untrusted URL redirection due to $@.", source.getNode(),
"A user-provided value"

4
python/ql/src/Security/CWE-643/XpathInjection.ql
View File

@@ -12,9 +12,9 @@
*/
import python
import semmle.python.security.dataflow.XpathInjection
import semmle.python.security.dataflow.XpathInjectionQuery
import DataFlow::PathGraph
from XpathInjection::Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
where config.hasFlowPath(source, sink)
select sink, source, sink, "This Xpath query depends on $@.", source, "a user-provided value"

6
python/ql/src/Security/CWE-730/PolynomialReDoS.ql
View File

@@ -14,12 +14,12 @@
import python
import semmle.python.security.performance.SuperlinearBackTracking
import semmle.python.security.dataflow.PolynomialReDoS
import semmle.python.security.dataflow.PolynomialReDoSQuery
import DataFlow::PathGraph
from
PolynomialReDoS::Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink,
PolynomialReDoS::Sink sinkNode, PolynomialBackTrackingTerm regexp
Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink, Sink sinkNode,
PolynomialBackTrackingTerm regexp
where
config.hasFlowPath(source, sink) and
sinkNode = sink.getNode() and

6
python/ql/src/Security/CWE-730/RegexInjection.ql
View File

@@ -14,15 +14,15 @@
import python
private import semmle.python.Concepts
import semmle.python.security.dataflow.RegexInjection
import semmle.python.security.dataflow.RegexInjectionQuery
import DataFlow::PathGraph
from
RegexInjection::Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink,
Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink,
RegexExecution regexExecution
where
config.hasFlowPath(source, sink) and
regexExecution = sink.getNode().(RegexInjection::Sink).getRegexExecution()
regexExecution = sink.getNode().(Sink).getRegexExecution()
select sink.getNode(), source, sink,
"$@ regular expression is constructed from a $@ and executed by $@.", sink.getNode(), "This",
source.getNode(), "user-provided value", regexExecution, regexExecution.getName()

6
python/ql/src/Security/CWE-918/FullServerSideRequestForgery.ql
View File

@@ -11,14 +11,14 @@
*/
import python
import semmle.python.security.dataflow.ServerSideRequestForgery
import semmle.python.security.dataflow.ServerSideRequestForgeryQuery
import DataFlow::PathGraph
from
FullServerSideRequestForgery::Configuration fullConfig, DataFlow::PathNode source,
FullServerSideRequestForgeryConfiguration fullConfig, DataFlow::PathNode source,
DataFlow::PathNode sink, HTTP::Client::Request request
where
request = sink.getNode().(FullServerSideRequestForgery::Sink).getRequest() and
request = sink.getNode().(Sink).getRequest() and
fullConfig.hasFlowPath(source, sink) and
fullyControlledRequest(request)
select request, source, sink, "The full URL of this request depends on $@.", source.getNode(),

6
python/ql/src/Security/CWE-918/PartialServerSideRequestForgery.ql
View File

@@ -11,14 +11,14 @@
*/
import python
import semmle.python.security.dataflow.ServerSideRequestForgery
import semmle.python.security.dataflow.ServerSideRequestForgeryQuery
import DataFlow::PathGraph
from
PartialServerSideRequestForgery::Configuration partialConfig, DataFlow::PathNode source,
PartialServerSideRequestForgeryConfiguration partialConfig, DataFlow::PathNode source,
DataFlow::PathNode sink, HTTP::Client::Request request
where
request = sink.getNode().(PartialServerSideRequestForgery::Sink).getRequest() and
request = sink.getNode().(Sink).getRequest() and
partialConfig.hasFlowPath(source, sink) and
not fullyControlledRequest(request)
select request, source, sink, "Part of the URL of this request depends on $@.", source.getNode(),

10
python/ql/src/Statements/UnnecessaryDelete.ql
View File

@@ -14,6 +14,14 @@
import python
predicate isInsideLoop(AstNode node) {
node.getParentNode() instanceof While
or
node.getParentNode() instanceof For
or
exists(AstNode prev | isInsideLoop(prev) | node = prev.getAChildNode())
}
from Delete del, Expr e, Function f
where
f.getLastStatement() = del and
@@ -21,7 +29,7 @@ where
f.containsInScope(e) and
not e instanceof Subscript and
not e instanceof Attribute and
not exists(Stmt s | s.(While).contains(del) or s.(For).contains(del)) and
not isInsideLoop(del) and
// False positive: calling `sys.exc_info` within a function results in a
// reference cycle, and an explicit call to `del` helps break this cycle.
not exists(FunctionValue ex |