Merge branch 'master' into python-fix-django-taint-sinks

2026-05-01 11:45:14 +02:00 · 2020-07-02 11:55:42 +02:00
parent 9a82927187 50fee5c4a1
commit 67be45f045
1672 changed files with 69476 additions and 29250 deletions
--- a/python/ql/test/query-tests/Security/CWE-020/hosttest.py
+++ b/python/ql/test/query-tests/Security/CWE-020/hosttest.py
@@ -17,3 +17,7 @@ def safe(request):
    target = request.args.get('target', '')
    if SAFE_REGEX.match(target):
        return redirect(target)
+
+# FP reported in https://github.com/github/codeql/issues/3712
+# This does not define a regex (but could be used by other code to do so)
+escaped = re.escape("https://www.humblebundle.com/home/library")
--- a/python/ql/test/query-tests/Security/CWE-020/urltest.py
+++ b/python/ql/test/query-tests/Security/CWE-020/urltest.py
@@ -17,16 +17,16 @@ def unsafe2(request):



-#Simplest and safest approach is to use a white-list
+#Simplest and safest approach is to use an allowlist

@app.route('/some/path/good1')
 def safe1(request):
-    whitelist = [
+    allowlist = [
        "example.com/home",
        "example.com/login",
    ]
    target = request.args.get('target', '')
-    if target in whitelist:
+    if target in allowlist:
        return redirect(target)

 #More complex example allowing sub-domains.
--- a/python/ql/test/query-tests/Security/CWE-327/TestNode.ql
+++ b/python/ql/test/query-tests/Security/CWE-327/TestNode.ql
@@ -1,5 +1,5 @@
 import python
-import semmle.python.security.TaintTracking
+import semmle.python.dataflow.TaintTracking
 import python
 import semmle.python.security.SensitiveData
 import semmle.python.security.Crypto
--- a/python/ql/test/query-tests/Security/lib/fabric/api.py
+++ b/python/ql/test/query-tests/Security/lib/fabric/api.py
@@ -23,3 +23,7 @@ def sudo(command, shell=True, pty=True, combine_stderr=None, user=None,
    quiet=False, warn_only=False, stdout=None, stderr=None, group=None,
    timeout=None, shell_escape=None, capture_buffer_size=None):
    pass
+
+# https://github.com/fabric/fabric/blob/1.14/fabric/tasks.py#L281
+def execute(task, *args, **kwargs):
+    pass
--- a/python/ql/test/query-tests/Security/lib/libxml2/init.py
+++ b/python/ql/test/query-tests/Security/lib/libxml2/init.py
@@ -0,0 +1,10 @@
+def parseFile(filename):
+    return xmlDoc(_obj=None)
+
+
+class xmlDoc(Object):
+    def __init__(self, _obj=None):
+        pass
+
+    def xpathEval(self, expr):
+        pass
--- a/python/ql/test/query-tests/Security/lib/lxml/init.py
+++ b/python/ql/test/query-tests/Security/lib/lxml/init.py
--- a/python/ql/test/query-tests/Security/lib/lxml/etree.py
+++ b/python/ql/test/query-tests/Security/lib/lxml/etree.py
@@ -0,0 +1,37 @@
+class _ElementTree(object):
+    def xpath(self, _path, namespaces=None, extensions=None, smart_strings=True, **_variables):
+        pass
+
+    def xslt(self, _xslt, extensions=None, access_control=None, **_kw):
+        pass
+
+
+class ETXPath(object):
+    def __init__(self, path, extensions=None, regexp=True, smart_strings=True):
+        pass
+
+
+class XPath(object):
+    def __init__(self, path, namespaces=None, extensions=None, regexp=True, smart_strings=True):
+        pass
+
+
+class XSLT(object):
+    def __init__(self, xslt_input, extensions=None, regexp=True, access_control=None):
+        pass
+
+
+def parse(self, parser=None, base_url=None):
+    return _ElementTree()
+
+
+def fromstring(self, text, parser=None, base_url=None):
+    pass
+
+
+def fromstringlist(self, strings, parser=None):
+    pass
+
+
+def XML(self, text, parser=None, base_url=None):
+    pass