hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 17:23:36 +01:00
Code Issues Packages Projects Releases Wiki Activity
28,569 Commits 1,671 Branches 157 Tags
aeisenberg/codeql-workspace
Commit Graph

496 Commits

Author SHA1 Message Date
Rasmus Wriedt Larsen
8494fcf45f Python: Move query tests to reflect new file layout 2021-02-16 13:15:01 +01:00
Rasmus Wriedt Larsen
1d6f9bee08 Python: Update qlrefs 2021-02-16 11:48:36 +01:00
Taus Brock-Nannestad
2632422783 Python: Add FP test for unknown argument in string format 
Reported in https://github.com/github/codeql/issues/2650

I found this during a bit of spring cleaning in my working
directory. As this doesn't have any immediate security implications, I
don't know when we'll get round to fixing it, but it can't hurt to
have the test case checked in.
 2021-02-12 19:28:12 +01:00
Rasmus Lerchedahl Petersen
cfa72af12c Python: Update test expectation to new format 2021-02-12 09:30:12 +01:00
Rasmus Wriedt Larsen
526ccdd227 Python: Add safe example from qhelp to qltests 2021-01-20 11:35:48 +01:00
Rasmus Wriedt Larsen
37aa9b9d06 Python: Add prefix sanitizer on URL redirect query 
This doesn't cover 100% of what we want to, but matches what we used to.
 2021-01-20 11:35:47 +01:00
Rasmus Wriedt Larsen
d8bfa3565f Python: Simple port of URL redirect query 
Still have not added sanitizer, but seems like old sanitizer was a bit too broad
(also covering %-formatting)
 2021-01-20 11:35:44 +01:00
Rasmus Wriedt Larsen
9d8925ae6a Python: Extend url-redirect tests 
Specifically to show how it currently handles prefixing user-input with known
constant.

I changed test to be Python 3 only since I wanted to use f-string.
 2021-01-19 15:37:41 +01:00
yoff
39acc9a40b Merge pull request #4735 from RasmusWL/python-untrusted-flow 
Python: Untrusted data used in external APIs
 2020-12-18 00:15:08 +01:00
yoff
9dd6439e3c Merge pull request #4749 from RasmusWL/command-injection-tests 
Python: Add some command injection tests
 2020-12-17 23:36:06 +01:00
Rasmus Lerchedahl Petersen
a757a69f36 Python: Add example FP 2020-12-08 17:02:05 +01:00
yoff
3bddb946b7 Merge pull request #4773 from RasmusWL/path-injection-improvements 
Python: Path injection improvements
 2020-12-08 14:05:53 +01:00
Rasmus Wriedt Larsen
5aa2c2f9d4 Python: Add command injection regex restricted FP 2020-12-07 15:26:56 +01:00
Rasmus Wriedt Larsen
32b547b3f2 Python: Add example of bad command injection sanitizer 2020-12-07 15:26:55 +01:00
Rasmus Wriedt Larsen
8444654117 Python: Adjust whitespace in command injection test 2020-12-07 15:26:54 +01:00
Rasmus Wriedt Larsen
a9ce067e15 Python: Add examples of Path Injection FPs seen 
Not quite sure how to deal with these cases of safe if UNIX-only, otherwise not
safe.

If/when we actually try to deal with these, we also need to figure that
out. We _could_ split this queyr into 3: (1) for path injection on any
platform, (2) path injection on windows, (3) path injection on UNIX. Then
UNIX-only projects could disable the path-injection on windows query. -- that's
my best idea, if you have better ideas, DO tell 👍
 2020-12-03 13:41:55 +01:00
Rasmus Wriedt Larsen
e8f63311ac Python: Model abspath and realpath (for Path Injection) 2020-12-03 13:41:54 +01:00
Rasmus Wriedt Larsen
bd5cf80352 Python: Add Path Injection tests for realpath and abspath 
Not supported currently
 2020-12-03 13:41:53 +01:00
Rasmus Wriedt Larsen
4d9f24a24c Python: Rewrite path injection tests 
To match how you would normally structure your application code. In itself not
that important, but makes it easier to add more tests :)
 2020-12-03 13:41:26 +01:00
CodeQL CI
e266cedc84 Merge pull request #4700 from RasmusWL/python-add-code-injection-FP 
Approved by tausbn
 2020-12-02 16:29:21 +00:00
Rasmus Wriedt Larsen
4ab3fff973 Python: Fix untrusted data to external API example 
The hmac.digest function was only added in python 3.7, so obviously doesn't work
on Python 2
 2020-11-30 10:42:30 +01:00
Rasmus Wriedt Larsen
9e4910f863 Python: Untrusted data used in external APIs 
A port of the one for Java that was added in https://github.com/github/codeql/pull/3938
 2020-11-26 18:19:35 +01:00
Henning Makholm
a2a4938f60 Remove unit tests for duplicate-code detection, take II 
In #4689 I forgot to remove the `.expected` files too, but they are
now of course useless.
 2020-11-20 21:07:42 +01:00
Rasmus Wriedt Larsen
4c7c940273 Python: Add example of Code Injection FP 2020-11-19 15:05:51 +01:00
Henning Makholm
a86679a377 Remove unit tests for duplicate-code detection 
The old Semmle duplicate-code detection code has never been done when
extracting databases for the CodeQL CLI, except that `codeql test run`
will run it _just_ in order to support tests of the feature. With the
sunsetting of Odasa there's no need to even _test_ the feature anymore.

This commit removes those tests that fail when the duplicate-code
detector is turned off. Once it is merged and bumped, we can finally
remove it from `codeql`.
 2020-11-18 16:37:29 +01:00
Rasmus Lerchedahl Petersen
0710963fc3 Python: update test expectations 
EssaNode -> ControlFlowNode
 2020-11-10 23:58:55 +01:00
Taus Brock-Nannestad
b620b9b7c6 Python: Fixup CWE-022 tests 
This was a bit of a mess, since there was crosstalk between the
TarSlip and PathInjection queries. (Also one of these needs the
`options` file to be in one way, and the other not). To fix this, I
split these out into separate directories.
 2020-11-02 11:46:28 +01:00
Taus Brock-Nannestad
af7626a6b3 Python: Fixup CWE-079 tests 2020-11-02 11:46:02 +01:00
Taus Brock-Nannestad
57b51090ef Python: Fixup CWE-094 tests 2020-11-02 11:45:44 +01:00
Taus Brock-Nannestad
ebb593466d Python: Fixup CWE-089 tests 2020-11-02 11:45:14 +01:00
Taus Brock-Nannestad
7a395bf7c8 Python: Fixup CWE-078 tests. 2020-11-02 11:44:42 +01:00
Taus Brock-Nannestad
52dc905037 Python: Fixup CWE-502 tests. 2020-11-02 11:44:00 +01:00
Rasmus Wriedt Larsen
4adc26eb62 Python: Fix command injection example code 
`subprocess.Popen(["ls", "-la"], shell=True)` correspond to running `sh -c "ls" -la`

So it doesn't follow the pattern of the rest of the test file.
 2020-09-30 13:38:37 +02:00
CodeQL CI
e9a36b2524 Merge pull request #4062 from tausbn/python-fix-unknown-import-star 
Approved by yoff
 2020-08-14 13:17:45 +01:00
Taus Brock-Nannestad
a1a1218f95 Python: Ignore from foo import * when foo is absent. 2020-08-13 10:50:28 +02:00
Taus Brock-Nannestad
dc5c0f8e7a Python: Add test case for missing modules 2020-08-13 10:49:11 +02:00
Porcupiney Hairs
49df4169cf Python : Add query to detect Server Side Template Injection 2020-07-21 18:01:27 +05:30
Taus Brock-Nannestad
f07a7bf8cf Python: Autoformat everything using qlformat. 
Will need subsequent PRs fixing up test failures (due to deprecated
methods moving around), but other than that everything should be
straight-forward.
 2020-07-07 15:43:52 +02:00
Rasmus Wriedt Larsen
67be45f045 Merge branch 'master' into python-fix-django-taint-sinks 2020-07-02 11:55:42 +02:00
Rasmus Wriedt Larsen
1e5eeb8009 Python: Move lxml.etree library stub to reduce clutter 2020-06-25 12:07:41 +02:00
Rasmus Wriedt Larsen
b36c23ef63 Merge pull request #3500 from yoff/UnmatchableDollar 
Python: Regexp: Handle repetions {n} (with no ,)
 2020-06-25 11:26:52 +02:00
Rasmus Wriedt Larsen
0b36cd44b8 Merge pull request #3522 from porcupineyhairs/pythonXpath 
Python : Add Xpath injection query
 2020-06-25 11:21:45 +02:00
Rasmus Lerchedahl Petersen
f6c59abcd9 Merge branch 'master' of github.com:github/codeql into UnmatchableDollar 
to make CodeScan happy
 2020-06-24 11:04:07 +02:00
Rasmus Lerchedahl Petersen
6e9c48bba7 Python: test zero iterations 2020-06-24 11:01:27 +02:00
Porcupiney Hairs
a519132407 add support for libxml2 2020-06-22 02:01:07 +05:30
Taus Brock-Nannestad
410f4781b3 Python: Fix one last reference. 
This one got lost in the big renaming somehow.
 2020-06-19 20:15:01 +02:00
Taus Brock-Nannestad
48e3e9c0b4 Python: Do all the renames. 2020-06-19 17:02:47 +02:00
Taus Brock-Nannestad
01fb1e3786 Python: Get rid of deprecated terms in code and .qhelp. 2020-06-19 16:51:09 +02:00
Rasmus Wriedt Larsen
c0043eb9db Python: Don't treat re.escape(...) as a regex 
Fixes https://github.com/github/codeql/issues/3712
 2020-06-15 11:54:14 +02:00
Rasmus Wriedt Larsen
7601bd497e Python: Add tests for re.escape FP 2020-06-15 11:34:42 +02:00