Merge branch 'main' into python-promote-header-injection
@@ -1,3 +1,14 @@
|
||||
## 0.12.0
|
||||
|
||||
### Breaking Changes
|
||||
|
||||
* Deleted the deprecated `RegExpPatterns` module from `Regexp.qll`.
|
||||
* Deleted the deprecated `Security/CWE-020/HostnameRegexpShared.qll` file.
|
||||
|
||||
### Deprecated APIs
|
||||
|
||||
- Renamed the `StrConst` class to `StringLiteral`, for greater consistency with other languages. The `StrConst` and `Str` classes are now deprecated and will be removed in a future release.
|
||||
|
||||
## 0.11.14
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
@@ -1,5 +0,0 @@
|
||||
---
|
||||
category: deprecated
|
||||
---
|
||||
|
||||
- Renamed the `StrConst` class to `StringLiteral`, for greater consistency with other languages. The `StrConst` and `Str` classes are now deprecated and will be removed in a future release.
|
||||
10
python/ql/lib/change-notes/released/0.12.0.md
Normal file
10
python/ql/lib/change-notes/released/0.12.0.md
Normal file
@@ -0,0 +1,10 @@
|
||||
## 0.12.0
|
||||
|
||||
### Breaking Changes
|
||||
|
||||
* Deleted the deprecated `RegExpPatterns` module from `Regexp.qll`.
|
||||
* Deleted the deprecated `Security/CWE-020/HostnameRegexpShared.qll` file.
|
||||
|
||||
### Deprecated APIs
|
||||
|
||||
- Renamed the `StrConst` class to `StringLiteral`, for greater consistency with other languages. The `StrConst` and `Str` classes are now deprecated and will be removed in a future release.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.11.14
|
||||
lastReleaseVersion: 0.12.0
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/python-all
|
||||
version: 0.11.15-dev
|
||||
version: 0.12.1-dev
|
||||
groups: python
|
||||
dbscheme: semmlecode.python.dbscheme
|
||||
extractor: python
|
||||
|
||||
@@ -7,20 +7,6 @@ private import semmle.python.regex
|
||||
private import semmle.python.dataflow.new.DataFlow
|
||||
private import semmle.python.regexp.internal.RegExpTracking
|
||||
|
||||
/**
|
||||
* Provides utility predicates related to regular expressions.
|
||||
*/
|
||||
deprecated module RegExpPatterns {
|
||||
/**
|
||||
* Gets a pattern that matches common top-level domain names in lower case.
|
||||
* DEPRECATED: use the similarly named predicate from `HostnameRegex` from the `regex` pack instead.
|
||||
*/
|
||||
deprecated string getACommonTld() {
|
||||
// according to ranking by http://google.com/search?q=site:.<<TLD>>
|
||||
result = "(?:com|org|edu|gov|uk|net|io)(?![a-z0-9])"
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A node whose value may flow to a position where it is interpreted
|
||||
* as a part of a regular expression.
|
||||
|
||||
@@ -89,7 +89,7 @@ private module SensitiveDataModeling {
|
||||
*/
|
||||
DataFlow::Node sensitiveLookupStringConst(SensitiveDataClassification classification) {
|
||||
// Note: If this is implemented with type-tracking, we will get cross-talk as
|
||||
// illustrated in python/ql/test/experimental/dataflow/sensitive-data/test.py
|
||||
// illustrated in python/ql/test/library-tests/dataflow/sensitive-data/test.py
|
||||
exists(DataFlow::LocalSourceNode source |
|
||||
source.asExpr().(StringLiteral).getText() = sensitiveString(classification) and
|
||||
source.flowsTo(result)
|
||||
|
||||
@@ -638,7 +638,7 @@ newtype TContent =
|
||||
// name = any(AccessPathToken a).getAnArgument("Attribute")
|
||||
// instead we use a qltest to alert if we write a new summary in QL that uses an
|
||||
// attribute -- see
|
||||
// python/ql/test/experimental/dataflow/summaries-checks/missing-attribute-content.ql
|
||||
// python/ql/test/library-tests/dataflow/summaries-checks/missing-attribute-content.ql
|
||||
attr in ["re", "string", "pattern"]
|
||||
or
|
||||
//
|
||||
|
||||
@@ -1,5 +1,6 @@
|
||||
extensions:
|
||||
# Contribute empty data sets to avoid errors about an undefined extensionals
|
||||
# Make sure that the extensible model predicates have at least one definition
|
||||
# to avoid errors about undefined extensionals.
|
||||
- addsTo:
|
||||
pack: codeql/python-all
|
||||
extensible: sourceModel
|
||||
|
||||
@@ -1,3 +1,7 @@
|
||||
## 0.9.15
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 0.9.14
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -1,8 +0,0 @@
|
||||
/**
|
||||
* Provides predicates for reasoning about regular expressions
|
||||
* that match URLs and hostname patterns.
|
||||
*/
|
||||
|
||||
// HostnameRegexp should be used directly from the shared regex pack, and not from this file.
|
||||
deprecated private import semmle.python.security.regexp.HostnameRegex as Dep
|
||||
import Dep
|
||||
3
python/ql/src/change-notes/released/0.9.15.md
Normal file
3
python/ql/src/change-notes/released/0.9.15.md
Normal file
@@ -0,0 +1,3 @@
|
||||
## 0.9.15
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.9.14
|
||||
lastReleaseVersion: 0.9.15
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/python-queries
|
||||
version: 0.9.15-dev
|
||||
version: 0.9.16-dev
|
||||
groups:
|
||||
- python
|
||||
- queries
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
import python
|
||||
import experimental.dataflow.TestUtil.FlowTest
|
||||
import experimental.dataflow.testConfig
|
||||
import TestUtilities.dataflow.FlowTest
|
||||
import TestUtilities.dataflow.testConfig
|
||||
private import semmle.python.dataflow.new.internal.PrintNode
|
||||
|
||||
module DataFlowTest implements FlowTestSig {
|
||||
@@ -1,6 +1,6 @@
|
||||
import python
|
||||
import experimental.dataflow.TestUtil.FlowTest
|
||||
import experimental.dataflow.testTaintConfig
|
||||
import TestUtilities.dataflow.FlowTest
|
||||
import TestUtilities.dataflow.testTaintConfig
|
||||
private import semmle.python.dataflow.new.internal.PrintNode
|
||||
|
||||
module DataFlowTest implements FlowTestSig {
|
||||
@@ -1 +0,0 @@
|
||||
import experimental.dataflow.TestUtil.LocalFlowStepTest
|
||||
@@ -1 +0,0 @@
|
||||
import experimental.dataflow.TestUtil.MaximalFlowTest
|
||||
@@ -1,2 +0,0 @@
|
||||
import python
|
||||
import experimental.dataflow.TestUtil.NormalDataflowTest
|
||||
@@ -1,2 +0,0 @@
|
||||
import python
|
||||
import experimental.dataflow.TestUtil.NormalDataflowTest
|
||||
@@ -1,2 +0,0 @@
|
||||
import python
|
||||
import experimental.dataflow.TestUtil.NormalDataflowTest
|
||||
@@ -1,2 +0,0 @@
|
||||
import python
|
||||
import experimental.dataflow.TestUtil.NormalDataflowTest
|
||||
@@ -1,2 +0,0 @@
|
||||
import python
|
||||
import experimental.dataflow.TestUtil.NormalDataflowTest
|
||||
@@ -1,3 +0,0 @@
|
||||
import python
|
||||
private import TestSummaries
|
||||
import experimental.dataflow.TestUtil.NormalTaintTrackingTest
|
||||
@@ -1,2 +0,0 @@
|
||||
import python
|
||||
import experimental.dataflow.TestUtil.NormalDataflowTest
|
||||
@@ -9,7 +9,7 @@
|
||||
// 3. if necessary, look at partial paths by (un)commenting appropriate lines
|
||||
import python
|
||||
import semmle.python.dataflow.new.DataFlow
|
||||
import experimental.dataflow.testConfig
|
||||
import TestUtilities.dataflow.testConfig
|
||||
|
||||
module Config implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { TestConfig::isSource(source) }
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
import python
|
||||
import experimental.dataflow.TestUtil.DataflowQueryTest
|
||||
import TestUtilities.dataflow.DataflowQueryTest
|
||||
import experimental.Security.UnsafeUnpackQuery
|
||||
import FromTaintTrackingConfig<UnsafeUnpackConfig>
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
import python
|
||||
import experimental.dataflow.TestUtil.DataflowQueryTest
|
||||
import TestUtilities.dataflow.DataflowQueryTest
|
||||
import experimental.semmle.python.security.DecompressionBomb
|
||||
import FromTaintTrackingConfig<BombsConfig>
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
import experimental.dataflow.callGraphConfig
|
||||
import TestUtilities.dataflow.callGraphConfig
|
||||
|
||||
from DataFlow::Node source, DataFlow::Node sink
|
||||
where
|
||||
@@ -1,4 +1,4 @@
|
||||
import experimental.dataflow.callGraphConfig
|
||||
import TestUtilities.dataflow.callGraphConfig
|
||||
|
||||
from DataFlow::Node sink
|
||||
where
|
||||
@@ -1,4 +1,4 @@
|
||||
import experimental.dataflow.callGraphConfig
|
||||
import TestUtilities.dataflow.callGraphConfig
|
||||
|
||||
from DataFlow::Node source
|
||||
where
|
||||
@@ -0,0 +1 @@
|
||||
import TestUtilities.dataflow.LocalFlowStepTest
|
||||
@@ -0,0 +1 @@
|
||||
import TestUtilities.dataflow.MaximalFlowTest
|
||||
@@ -0,0 +1,2 @@
|
||||
import python
|
||||
import TestUtilities.dataflow.NormalDataflowTest
|
||||
@@ -1,7 +1,7 @@
|
||||
import python
|
||||
import semmle.python.dataflow.new.DataFlow
|
||||
private import semmle.python.dataflow.new.internal.DataFlowPrivate as DataFlowPrivate
|
||||
import experimental.dataflow.TestUtil.RoutingTest
|
||||
import TestUtilities.dataflow.RoutingTest
|
||||
|
||||
module Argument1RoutingTest implements RoutingTestSig {
|
||||
class Argument = Unit;
|
||||
@@ -6,7 +6,7 @@
|
||||
# A thorough covering of methods in that document is found in classes.py.
|
||||
#
|
||||
# Intended sources should be the variable `SOURCE` and intended sinks should be
|
||||
# arguments to the function `SINK` (see python/ql/test/experimental/dataflow/testConfig.qll).
|
||||
# arguments to the function `SINK` (see python/ql/test/library-tests/dataflow/testConfig.qll).
|
||||
|
||||
import sys
|
||||
import os
|
||||
@@ -2,7 +2,7 @@
|
||||
# Headings refer to https://docs.python.org/3/reference/expressions.html,
|
||||
# and are selected whenever they incur dataflow.
|
||||
# Intended sources should be the variable `SOURCE` and intended sinks should be
|
||||
# arguments to the function `SINK` (see python/ql/test/experimental/dataflow/testConfig.qll).
|
||||
# arguments to the function `SINK` (see python/ql/test/library-tests/dataflow/testConfig.qll).
|
||||
#
|
||||
# Functions whose name ends with "_with_local_flow" will also be tested for local flow.
|
||||
#
|
||||