Doc changes

Co-authored-by: Jorge <46056498+jorgectf@users.noreply.github.com>
This commit is contained in:
Maiky
2023-09-17 18:47:19 +02:00
committed by GitHub
parent cada523031
commit 70103967ef
3 changed files with 1 additions and 19 deletions


@@ -17,15 +17,6 @@ private module Joblib {
* A call to `joblib.load`
* See https://pypi.org/project/joblib/
*
* Claiming there is decoding of the input to `joblib.load` is a bit questionable, since
* it's not the filename, but the contents of the file that is decoded.
*
* However, we definitely want to be able to alert if a user is able to control what
* file is used, since that can lead to code execution (even if that file is free of
* path injection).
*
* So right now the best way we have of modeling this seems to be to treat the filename
* argument as being deserialized...
*/
private class PandasReadPickleCall extends Decoding::Range, DataFlow::CallCfgNode {
PandasReadPickleCall() { this = API::moduleImport("joblib").getMember("load").getACall() }
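Review bot: With the rationale paragraph removed, the surviving QLDoc no longer states that it is the filename argument, not the file contents, that this class treats as the decoded input, which is the non-obvious part of the model; a single replacement line such as ` * The filename argument is modeled as the decoded input, since control over which file is loaded can lead to code execution.` would keep that intent without the hedging that was dropped. The same applies to the `numpy.load` hunk below, where the identical paragraph is removed. Independently, the class on the last context line is named `PandasReadPickleCall` inside `module Joblib` (and again inside `module Numpy`), which reads as a copy-paste leftover; `JoblibLoadCall` and `NumpyLoadCall` would match their modules. For `numpy.load` specifically, the pickle path is presumably only reachable when `allow_pickle=True` is passed, so a short note that the model is deliberately broader than that would help future readers judge its precision. The class body continues outside the hunk.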


@@ -18,15 +18,6 @@ private module Numpy {
* A call to `numpy.load`
* See https://pypi.org/project/numpy/
*
* Claiming there is decoding of the input to `numpy.load` is a bit questionable, since
* it's not the filename, but the contents of the file that is decoded.
*
* However, we definitely want to be able to alert if a user is able to control what
* file is used, since that can lead to code execution (even if that file is free of
* path injection).
*
* So right now the best way we have of modeling this seems to be to treat the filename
* argument as being deserialized...
*/
private class PandasReadPickleCall extends Decoding::Range, DataFlow::CallCfgNode {
PandasReadPickleCall() {


@@ -17,7 +17,7 @@ private module Pandas {
/**
* A call to `pandas.read_pickle`
* See https://pypi.org/project/pandas/
* https://pandas.pydata.org/pandas-docs/stable/reference/api/pandas.read_pickle.html)
* See https://pandas.pydata.org/pandas-docs/stable/reference/api/pandas.read_pickle.html
*/
private class PandasReadPickleCall extends Decoding::Range, DataFlow::CallCfgNode {
PandasReadPickleCall() {