hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-29 18:55:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'main' into flask-clean-models

Browse Source
This commit is contained in:
Rasmus Wriedt Larsen
2021-02-18 16:08:18 +01:00
parent 9a42f2fb26 f3814c6468
commit cc72fc82f0
440 changed files with 3680 additions and 1473 deletions
Download Patch File Download Diff File Expand all files Collapse all files

0
python/ql/src/Security/BadPractice/BindToAllInterfaces/BindToAllInterfaces.py → python/ql/src/Security/CVE-2018-1281/BindToAllInterfaces.py
View File

0
python/ql/src/Security/BadPractice/BindToAllInterfaces/BindToAllInterfaces.qhelp → python/ql/src/Security/CVE-2018-1281/BindToAllInterfaces.qhelp
View File

0
python/ql/src/Security/BadPractice/BindToAllInterfaces/BindToAllInterfaces.ql → python/ql/src/Security/CVE-2018-1281/BindToAllInterfaces.ql
View File

0
python/ql/src/Security/ExternalAPIs/ExternalAPISinkExample.py → python/ql/src/Security/CWE-020-ExternalAPIs/ExternalAPISinkExample.py
View File

0
python/ql/src/Security/ExternalAPIs/ExternalAPITaintStepExample.py → python/ql/src/Security/CWE-020-ExternalAPIs/ExternalAPITaintStepExample.py
View File

0
python/ql/src/Security/ExternalAPIs/ExternalAPIs.qll → python/ql/src/Security/CWE-020-ExternalAPIs/ExternalAPIs.qll
View File

0
python/ql/src/Security/ExternalAPIs/ExternalAPIsUsedWithUntrustedData.qhelp → python/ql/src/Security/CWE-020-ExternalAPIs/ExternalAPIsUsedWithUntrustedData.qhelp
View File

0
python/ql/src/Security/ExternalAPIs/ExternalAPIsUsedWithUntrustedData.ql → python/ql/src/Security/CWE-020-ExternalAPIs/ExternalAPIsUsedWithUntrustedData.ql
View File

0
python/ql/src/Security/ExternalAPIs/UntrustedDataToExternalAPI.qhelp → python/ql/src/Security/CWE-020-ExternalAPIs/UntrustedDataToExternalAPI.qhelp
View File

0
python/ql/src/Security/ExternalAPIs/UntrustedDataToExternalAPI.ql → python/ql/src/Security/CWE-020-ExternalAPIs/UntrustedDataToExternalAPI.ql
View File

0
python/ql/src/Security/BadPractice/IncompleteUrlSanitizer/IncompleteHostnameRegExp.qhelp → python/ql/src/Security/CWE-020/IncompleteHostnameRegExp.qhelp
View File

0
python/ql/src/Security/BadPractice/IncompleteUrlSanitizer/IncompleteHostnameRegExp.ql → python/ql/src/Security/CWE-020/IncompleteHostnameRegExp.ql
View File

0
python/ql/src/Security/BadPractice/IncompleteUrlSanitizer/IncompleteUrlSubstringSanitization.qhelp → python/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.qhelp
View File

0
python/ql/src/Security/BadPractice/IncompleteUrlSanitizer/IncompleteUrlSubstringSanitization.ql → python/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.ql
View File

0
python/ql/src/Security/BadPractice/IncompleteUrlSanitizer/examples/IncompleteHostnameRegExp.py → python/ql/src/Security/CWE-020/examples/IncompleteHostnameRegExp.py
View File

0
python/ql/src/Security/BadPractice/IncompleteUrlSanitizer/examples/IncompleteUrlSubstringSanitization.py → python/ql/src/Security/CWE-020/examples/IncompleteUrlSubstringSanitization.py
View File

0
python/ql/src/Security/Injection/PathInjection/PathInjection.qhelp → python/ql/src/Security/CWE-022/PathInjection.qhelp
View File

0
python/ql/src/Security/Injection/PathInjection/PathInjection.ql → python/ql/src/Security/CWE-022/PathInjection.ql
View File

0
python/ql/src/Security/Injection/TarSlip/TarSlip.qhelp → python/ql/src/Security/CWE-022/TarSlip.qhelp
View File

0
python/ql/src/Security/Injection/TarSlip/TarSlip.ql → python/ql/src/Security/CWE-022/TarSlip.ql
View File

0
python/ql/src/Security/Injection/PathInjection/examples/tainted_path.py → python/ql/src/Security/CWE-022/examples/tainted_path.py
View File

0
python/ql/src/Security/Injection/TarSlip/examples/tarslip_bad.py → python/ql/src/Security/CWE-022/examples/tarslip_bad.py
View File

0
python/ql/src/Security/Injection/TarSlip/examples/tarslip_good.py → python/ql/src/Security/CWE-022/examples/tarslip_good.py
View File

0
python/ql/src/Security/Injection/CommandInjection/CommandInjection.qhelp → python/ql/src/Security/CWE-078/CommandInjection.qhelp
View File

0
python/ql/src/Security/Injection/CommandInjection/CommandInjection.ql → python/ql/src/Security/CWE-078/CommandInjection.ql
View File

0
python/ql/src/Security/Injection/CommandInjection/examples/command_injection.py → python/ql/src/Security/CWE-078/examples/command_injection.py
View File

0
python/ql/src/Security/BadPractice/Jinja2RenderWithoutEscape/Jinja2WithoutEscaping.qhelp → python/ql/src/Security/CWE-079/Jinja2WithoutEscaping.qhelp
View File

0
python/ql/src/Security/BadPractice/Jinja2RenderWithoutEscape/Jinja2WithoutEscaping.ql → python/ql/src/Security/CWE-079/Jinja2WithoutEscaping.ql
View File

0
python/ql/src/Security/Injection/ReflectedXss/ReflectedXss.qhelp → python/ql/src/Security/CWE-079/ReflectedXss.qhelp
View File

0
python/ql/src/Security/Injection/ReflectedXss/ReflectedXss.ql → python/ql/src/Security/CWE-079/ReflectedXss.ql
View File

0
python/ql/src/Security/BadPractice/Jinja2RenderWithoutEscape/examples/jinja2.py → python/ql/src/Security/CWE-079/examples/jinja2.py
View File

0
python/ql/src/Security/Injection/ReflectedXss/examples/xss.py → python/ql/src/Security/CWE-079/examples/xss.py
View File

0
python/ql/src/Security/Injection/SqlInjection/SqlInjection.qhelp → python/ql/src/Security/CWE-089/SqlInjection.qhelp
View File

0
python/ql/src/Security/Injection/SqlInjection/SqlInjection.ql → python/ql/src/Security/CWE-089/SqlInjection.ql
View File

0
python/ql/src/Security/Injection/SqlInjection/examples/sql_injection.py → python/ql/src/Security/CWE-089/examples/sql_injection.py
View File

0
python/ql/src/Security/Injection/CodeInjection/CodeInjection.qhelp → python/ql/src/Security/CWE-094/CodeInjection.qhelp
View File

0
python/ql/src/Security/Injection/CodeInjection/CodeInjection.ql → python/ql/src/Security/CWE-094/CodeInjection.ql
View File

0
python/ql/src/Security/Injection/CodeInjection/examples/code_injection.py → python/ql/src/Security/CWE-094/examples/code_injection.py
View File

0
python/ql/src/Security/Exposure/StackTraceExposure/StackTraceExposure.py → python/ql/src/Security/CWE-209/StackTraceExposure.py
View File

0
python/ql/src/Security/Exposure/StackTraceExposure/StackTraceExposure.qhelp → python/ql/src/Security/CWE-209/StackTraceExposure.qhelp
View File

0
python/ql/src/Security/Exposure/StackTraceExposure/StackTraceExposure.ql → python/ql/src/Security/CWE-209/StackTraceExposure.ql
View File

0
python/ql/src/Security/BadPractice/FlaskRunWithDebug/FlaskDebug.py → python/ql/src/Security/CWE-215/FlaskDebug.py
View File

0
python/ql/src/Security/BadPractice/FlaskRunWithDebug/FlaskDebug.qhelp → python/ql/src/Security/CWE-215/FlaskDebug.qhelp
View File

0
python/ql/src/Security/BadPractice/FlaskRunWithDebug/FlaskDebug.ql → python/ql/src/Security/CWE-215/FlaskDebug.ql
View File

0
python/ql/src/Security/BadPractice/SSHMissingHostKeyValidation/SSHMissingHostKeyValidation.qhelp → python/ql/src/Security/CWE-295/MissingHostKeyValidation.qhelp
View File

0
python/ql/src/Security/BadPractice/SSHMissingHostKeyValidation/SSHMissingHostKeyValidation.ql → python/ql/src/Security/CWE-295/MissingHostKeyValidation.ql
View File

0
python/ql/src/Security/BadPractice/HTTPSRequestWithoutCertValidation/HTTPSRequestWithoutCertValidation.qhelp → python/ql/src/Security/CWE-295/RequestWithoutValidation.qhelp
View File

0
python/ql/src/Security/BadPractice/HTTPSRequestWithoutCertValidation/HTTPSRequestWithoutCertValidation.ql → python/ql/src/Security/CWE-295/RequestWithoutValidation.ql
View File

0
python/ql/src/Security/BadPractice/HTTPSRequestWithoutCertValidation/examples/make_request.py → python/ql/src/Security/CWE-295/examples/make_request.py
View File

0
python/ql/src/Security/BadPractice/SSHMissingHostKeyValidation/examples/paramiko_host_key.py → python/ql/src/Security/CWE-295/examples/paramiko_host_key.py
View File

0
python/ql/src/Security/Exposure/SensitiveDataExposure/CleartextLogging.qhelp → python/ql/src/Security/CWE-312/CleartextLogging.qhelp
View File

0
python/ql/src/Security/Exposure/SensitiveDataExposure/CleartextLogging.ql → python/ql/src/Security/CWE-312/CleartextLogging.ql
View File

0
python/ql/src/Security/Exposure/SensitiveDataExposure/CleartextStorage.qhelp → python/ql/src/Security/CWE-312/CleartextStorage.qhelp
View File

0
python/ql/src/Security/Exposure/SensitiveDataExposure/CleartextStorage.ql → python/ql/src/Security/CWE-312/CleartextStorage.ql
View File

0
python/ql/src/Security/Exposure/SensitiveDataExposure/examples/password_in_cookie.py → python/ql/src/Security/CWE-312/examples/password_in_cookie.py
View File

0
python/ql/src/Security/Crypto/WeakCryptoKey/WeakCryptoKey.qhelp → python/ql/src/Security/CWE-326/WeakCrypto.qhelp
View File

0
python/ql/src/Security/Crypto/WeakCryptoKey/WeakCryptoKey.ql → python/ql/src/Security/CWE-326/WeakCrypto.ql
View File

2
python/ql/src/Security/Crypto/WeakCryptoAlgorithm/WeakCryptoAlgorithm.qhelp → python/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.qhelp
View File

@@ -36,7 +36,7 @@
example uses AES, which is a stronger modern algorithm.
</p>
<sample src="examples/weak_crypto_algorithm.py" />
<sample src="examples/broken_crypto.py" />
<p>
WARNING: Although the second example above is more robust,

0
python/ql/src/Security/Crypto/WeakCryptoAlgorithm/WeakCryptoAlgorithm.ql → python/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql
View File

0
python/ql/src/Security/Crypto/TLS/InsecureDefaultProtocol.qhelp → python/ql/src/Security/CWE-327/InsecureDefaultProtocol.qhelp
View File

0
python/ql/src/Security/Crypto/TLS/InsecureDefaultProtocol.ql → python/ql/src/Security/CWE-327/InsecureDefaultProtocol.ql
View File

0
python/ql/src/Security/Crypto/TLS/InsecureProtocol.qhelp → python/ql/src/Security/CWE-327/InsecureProtocol.qhelp
View File

0
python/ql/src/Security/Crypto/TLS/InsecureProtocol.ql → python/ql/src/Security/CWE-327/InsecureProtocol.ql
View File

0
python/ql/src/Security/Crypto/WeakCryptoAlgorithm/examples/weak_crypto_algorithm.py → python/ql/src/Security/CWE-327/examples/broken_crypto.py
View File

0
python/ql/src/Security/Crypto/TLS/examples/insecure_default_protocol.py → python/ql/src/Security/CWE-327/examples/insecure_default_protocol.py
View File

0
python/ql/src/Security/Crypto/TLS/examples/insecure_protocol.py → python/ql/src/Security/CWE-327/examples/insecure_protocol.py
View File

0
python/ql/src/Security/BadPractice/InsecureTemporaryFile/InsecureTemporaryFile.py → python/ql/src/Security/CWE-377/InsecureTemporaryFile.py
View File

0
python/ql/src/Security/BadPractice/InsecureTemporaryFile/InsecureTemporaryFile.qhelp → python/ql/src/Security/CWE-377/InsecureTemporaryFile.qhelp
View File

0
python/ql/src/Security/BadPractice/InsecureTemporaryFile/InsecureTemporaryFile.ql → python/ql/src/Security/CWE-377/InsecureTemporaryFile.ql
View File

0
python/ql/src/Security/BadPractice/InsecureTemporaryFile/SecureTemporaryFile.py → python/ql/src/Security/CWE-377/SecureTemporaryFile.py
View File

0
python/ql/src/Security/Injection/UnsafeDeserialization/JsonGood.py → python/ql/src/Security/CWE-502/JsonGood.py
View File

0
python/ql/src/Security/Injection/UnsafeDeserialization/UnpicklingBad.py → python/ql/src/Security/CWE-502/UnpicklingBad.py
View File

0
python/ql/src/Security/Injection/UnsafeDeserialization/UnsafeDeserialization.qhelp → python/ql/src/Security/CWE-502/UnsafeDeserialization.qhelp
View File

0
python/ql/src/Security/Injection/UnsafeDeserialization/UnsafeDeserialization.ql → python/ql/src/Security/CWE-502/UnsafeDeserialization.ql
View File

0
python/ql/src/Security/Injection/OpenRedirect/OpenRedirect.qhelp → python/ql/src/Security/CWE-601/UrlRedirect.qhelp
View File

0
python/ql/src/Security/Injection/OpenRedirect/OpenRedirect.ql → python/ql/src/Security/CWE-601/UrlRedirect.ql
View File

0
python/ql/src/Security/Injection/OpenRedirect/examples/redirect_bad.py → python/ql/src/Security/CWE-601/examples/redirect_bad.py
View File

0
python/ql/src/Security/Injection/OpenRedirect/examples/redirect_good.py → python/ql/src/Security/CWE-601/examples/redirect_good.py
View File

0
python/ql/src/Security/BadPractice/WeakFilePermissions/WeakFilePermissions.qhelp → python/ql/src/Security/CWE-732/WeakFilePermissions.qhelp
View File

0
python/ql/src/Security/BadPractice/WeakFilePermissions/WeakFilePermissions.ql → python/ql/src/Security/CWE-732/WeakFilePermissions.ql
View File

0
python/ql/src/Security/BadPractice/HardcodedCredentials/HardcodedCredentials.py → python/ql/src/Security/CWE-798/HardcodedCredentials.py
View File

0
python/ql/src/Security/BadPractice/HardcodedCredentials/HardcodedCredentials.qhelp → python/ql/src/Security/CWE-798/HardcodedCredentials.qhelp
View File

0
python/ql/src/Security/BadPractice/HardcodedCredentials/HardcodedCredentials.ql → python/ql/src/Security/CWE-798/HardcodedCredentials.ql
View File

4
python/ql/src/semmle/python/dataflow/new/TypeTracker.qll
View File

@@ -180,7 +180,7 @@ private newtype TTypeTracker = MkTypeTracker(Boolean hasCall, OptionalAttributeN
* It is recommended that all uses of this type are written in the following form,
* for tracking some type `myType`:
* ```
* DataFlow::Node myType(DataFlow::TypeTracker t) {
* DataFlow::LocalSourceNode myType(DataFlow::TypeTracker t) {
* t.start() and
* result = < source of myType >
* or
@@ -189,7 +189,7 @@ private newtype TTypeTracker = MkTypeTracker(Boolean hasCall, OptionalAttributeN
* )
* }
*
* DataFlow::Node myType() { result = myType(DataFlow::TypeTracker::end()) }
* DataFlow::Node myType() { myType(DataFlow::TypeTracker::end()).flowsTo(result) }
* ```
*
* Instead of `result = myType(t2).track(t2, t)`, you can also use the equivalent

1
python/ql/test/query-tests/Security/BadPractice/BindToAllInterfaces/BindToAllInterfaces.qlref
View File

@@ -1 +0,0 @@
Security/BadPractice/BindToAllInterfaces/BindToAllInterfaces.ql

1
python/ql/test/query-tests/Security/BadPractice/FlaskRunWithDebug/FlaskDebug.qlref
View File

@@ -1 +0,0 @@
Security/BadPractice/FlaskRunWithDebug/FlaskDebug.ql

1
python/ql/test/query-tests/Security/BadPractice/FlaskRunWithDebug/options
View File

@@ -1 +0,0 @@
semmle-extractor-options: --max-import-depth=2 -p ../../lib

1
python/ql/test/query-tests/Security/BadPractice/HTTPSRequestWithoutCertValidation/RequestWithoutValidation.qlref
View File

@@ -1 +0,0 @@
Security/BadPractice/HTTPSRequestWithoutCertValidation/HTTPSRequestWithoutCertValidation.ql

1
python/ql/test/query-tests/Security/BadPractice/HTTPSRequestWithoutCertValidation/options
View File

@@ -1 +0,0 @@
semmle-extractor-options: -p ../../lib --max-import-depth=3

1
python/ql/test/query-tests/Security/BadPractice/HardcodedCredentials/HardcodedCredentials.qlref
View File

@@ -1 +0,0 @@
Security/BadPractice/HardcodedCredentials/HardcodedCredentials.ql

1
python/ql/test/query-tests/Security/BadPractice/IncompleteUrlSanitizer/IncompleteHostnameRegExp.qlref
View File

@@ -1 +0,0 @@
Security/BadPractice/IncompleteUrlSanitizer/IncompleteHostnameRegExp.ql

1
python/ql/test/query-tests/Security/BadPractice/IncompleteUrlSanitizer/IncompleteUrlSubstringSanitization.qlref
View File

@@ -1 +0,0 @@
Security/BadPractice/IncompleteUrlSanitizer/IncompleteUrlSubstringSanitization.ql

1
python/ql/test/query-tests/Security/BadPractice/InsecureTemporaryFile/InsecureTemporaryFile.qlref
View File

@@ -1 +0,0 @@
Security/BadPractice/InsecureTemporaryFile/InsecureTemporaryFile.ql

1
python/ql/test/query-tests/Security/BadPractice/InsecureTemporaryFile/options
View File

@@ -1 +0,0 @@
semmle-extractor-options: -p ../../lib --max-import-depth=3

1
python/ql/test/query-tests/Security/BadPractice/Jinja2RenderWithoutEscape/Jinja2WithoutEscaping.qlref
View File

@@ -1 +0,0 @@
Security/BadPractice/Jinja2RenderWithoutEscape/Jinja2WithoutEscaping.ql

1
python/ql/test/query-tests/Security/BadPractice/SSHMissingHostKeyValidation/MissingHostKeyValidation.qlref
View File

@@ -1 +0,0 @@
Security/BadPractice/SSHMissingHostKeyValidation/SSHMissingHostKeyValidation.ql

1
python/ql/test/query-tests/Security/BadPractice/SSHMissingHostKeyValidation/options
View File

@@ -1 +0,0 @@
semmle-extractor-options: -p ../../lib --max-import-depth=3

1
python/ql/test/query-tests/Security/BadPractice/WeakFilePermissions/WeakFilePermissions.qlref
View File

@@ -1 +0,0 @@
Security/BadPractice/WeakFilePermissions/WeakFilePermissions.ql

1
python/ql/test/query-tests/Security/BadPractice/WeakFilePermissions/options
View File

@@ -1 +0,0 @@
semmle-extractor-options: --max-import-depth=2 -p ../../lib

0
python/ql/test/query-tests/Security/BadPractice/BindToAllInterfaces/BindToAllInterfaces.expected → python/ql/test/query-tests/Security/CVE-2018-1281/BindToAllInterfaces.expected
View File

Some files were not shown because too many files have changed in this diff Show More