hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-19 10:23:15 +01:00
Code Issues Packages Projects Releases Wiki Activity
74,247 Commits 1,671 Branches 157 Tags
codeql-cli-2.20.1
Commit Graph

2826 Commits

Author SHA1 Message Date
yoff
da3634188d python: variaous fixes 
- sync summary files
- format files
- fix compilation
 2022-05-10 12:48:42 +00:00
yoff
f14ee0e794 python: Flow summaries based on type tracking 
Two classes have been inserted into the hierarchies:

- `NonLibraryDataFlowCallable` with a method `getACall2`.
This method implements "get a call, not considering flow summaries".
For `NonLibraryDataFlowCallable`s, `getACall` will defer to `getACall2`.
While you could have a synthesised call to such a callable,
it would not correspond to a `CallNode`.

- `NonLibraryDataFlowSourceCall` with methods
`getArg2` and `getCallable2`. These also refer to a call graph that
does not consider flow summaries.

`getArg2` is used to synthesise pre-update nodes for arguments.

`getCallable2` is used in `connects` to compute argument passing.
This is used to define data flow nodes for overflow arguments.

`getACall2` ensures that `LibraryCallableValue::getACall` is not called
when the charpred of `FunctionCall` is evaluated.
 2022-05-10 12:48:42 +00:00
Rasmus Lerchedahl Petersen
506efcf051 python: refactor TDataFlowCall 
- Branch predicates are made simple. In particular, they do not try to detect library calls.
- All branches based on `CallNode`s are gathered into one.
- That branch has been given a class `NonSpecialCall`, which is the new parent of call classes based on `CallNode`s. (Those classes now have more involved charpreds.)
- A new such class, 'LambdaCall` has been split out from `FunctionCall` to allow the latter to replace its
  general `CallNode` field with a specific `FunctionValue` one.
- `NonSpecialCall` is not an abstract class, but it has some abstract overrides. Therefor, it is not
  considered a resolved call in the test `UnresolvedCalls.qll`.
 2022-05-10 12:48:42 +00:00
Rasmus Lerchedahl Petersen
d85844bb89 python: type tracking uses source nodes 2022-05-10 12:48:42 +00:00
Rasmus Lerchedahl Petersen
81ca479ca9 Python: local flow for type tracking 
summary flow is excluded from the local flow relation used for
typetracking, but included in the one used for global data flow.
 2022-05-10 12:48:42 +00:00
Rasmus Lerchedahl Petersen
177dea5307 python: use new syntax for flow summaries 
also convert to inline tests
 2022-05-10 12:48:42 +00:00
Rasmus Lerchedahl Petersen
4024ce4777 python: some summary flows 2022-05-10 12:48:42 +00:00
Rasmus Lerchedahl Petersen
8c263b349f python: add summary flow steps 2022-05-10 12:48:42 +00:00
Rasmus Lerchedahl Petersen
828db3a392 python: Add summary nodes 
allowing more `OutNode`s (not restricting to `CallNode`s),
gives more flow in the `classesCallGraph` test
 2022-05-10 12:48:42 +00:00
Rasmus Lerchedahl Petersen
80175a9af5 Python: Compiles and mostly pass tests 
- add flowsummaries shared files
- register in indentical files
- fix initial non-monotonic recursions
  - add DataFlowSourceCall
  - add resolvedCall
  - add SourceParameterNode

failing tests:
- 3/library-tests/with/test.ql
 2022-05-10 12:48:42 +00:00
Tom Hvitved
712fe002b9 Data flow: Sync files 2022-05-10 12:41:10 +02:00
yoff
6c3e2db7fd Merge branch 'main' into python/simple-csrf 2022-05-10 10:55:28 +02:00
Anders Schack-Mulligen
f85e06c2e4 Dataflow: Sync. 2022-05-10 10:12:39 +02:00
yoff
b6605bc330 Merge pull request #8634 from RasmusWL/promote-xxe 
Python: Promote XXE and XML-bomb queries
 2022-05-09 21:54:55 +02:00
Rasmus Wriedt Larsen
4a6789182d Python: Apply suggestions from code review 
Co-authored-by: yoff <lerchedahl@gmail.com>
 2022-05-09 16:37:12 +02:00
Anders Schack-Mulligen
f24364d951 Merge pull request #9045 from hvitved/dataflow/subpaths-perf-take2 
Data flow: Speedup `subpaths` predicate (take 2)
 2022-05-09 15:39:11 +02:00
Rasmus Wriedt Larsen
36349222a9 Python: Fix casing of XMLDomParsing 2022-05-09 11:00:25 +02:00
Rasmus Wriedt Larsen
f22bd039f3 Python: Slight refactor of LxmlParsing 2022-05-09 10:56:39 +02:00
Mathias Vorreiter Pedersen
176e40f139 Merge pull request #9052 from github/post-release-prep/codeql-cli-2.9.1 
Post-release preparation for codeql-cli-2.9.1
 2022-05-06 13:15:17 +01:00
github-actions[bot]
1a25457178 Post-release preparation for codeql-cli-2.9.1 2022-05-05 19:05:50 +00:00
Erik Krogh Kristensen
efe306733e move path-injection MaD to PathInjectionCustomizations.qll 2022-05-05 16:51:39 +02:00
yoff
6169ac6122 Merge pull request #7776 from RasmusWL/django-filefield-uploadto 
Python: Support Django FileField.upload_to
 2022-05-05 14:25:08 +02:00
Tom Hvitved
d9d5372f28 Data flow: Sync files 2022-05-05 13:36:26 +02:00
yoff
0c7184952b Merge pull request #9023 from RasmusWL/positional-docs 
Python: Clarify `getArg` is about positional arguments
 2022-05-05 11:28:17 +02:00
Tom Hvitved
66a9759329 Merge pull request #8870 from hvitved/dataflow/expect-content 
Data flow: Introduce `expectsContent`
 2022-05-05 09:01:40 +02:00
Joe Farebrother
c1290d9e2b Sync shared redos library files. 2022-05-04 15:41:38 +01:00
Joe Farebrother
0a5268aeb4 Sync shared library changes across languages. 2022-05-04 15:41:38 +01:00
Tom Hvitved
8e33653d25 Merge pull request #9017 from hvitved/dataflow/subpaths-perf 
Data flow: Speedup `subpaths` predicate
 2022-05-04 16:37:52 +02:00
Tom Hvitved
9cb63c0a5e Data flow: Sync files 2022-05-04 14:49:26 +02:00
Erik Krogh Kristensen
a812d4dd34 move the MaD sql-injection sink to SqlInjectionCustomizations.qll 2022-05-04 10:59:02 +02:00
Erik Krogh Kristensen
571fc3e73b Revert "deprecate SqlConstruction" 
This reverts commit c0eca0d09a.
 2022-05-04 10:59:02 +02:00
Tom Hvitved
74e99302d6 Address review comments 2022-05-04 09:57:59 +02:00
Tom Hvitved
da72ba46d4 Data flow: Add stub expectsContent for all languages 2022-05-04 09:57:59 +02:00
Tom Hvitved
6e2e8440eb Data flow: Sync files 2022-05-04 09:57:59 +02:00
Erik Krogh Kristensen
ead978187d adjust the source-type for remote-flow from MaD 2022-05-03 22:53:41 +02:00
Erik Krogh Kristensen
8ffc05c84b count both named and positional arguments in the WithArity filter 2022-05-03 21:21:57 +02:00
Rasmus Wriedt Larsen
d012eaa892 Python: Clarify getArg is about positional arguments 2022-05-03 14:26:23 +02:00
yoff
56ed68b3eb Merge pull request #9001 from RasmusWL/files-refactoring 
Python: Flask: Improve `request.files` modeing
 2022-05-03 12:19:55 +02:00
Tom Hvitved
e9c8f979f9 Data flow: Sync files 2022-05-03 11:46:51 +02:00
Rasmus Wriedt Larsen
7e1be3172e Python: Add change-note 2022-05-02 14:24:13 +02:00
Rasmus Wriedt Larsen
de4390cdf6 Python: Improve Flask request.files handling even more 2022-05-02 14:19:45 +02:00
Rasmus Wriedt Larsen
fb0133d276 Python: Fix Flask request.files modeling 2022-05-02 14:14:58 +02:00
Erik Krogh Kristensen
c0eca0d09a deprecate SqlConstruction 2022-05-02 12:58:21 +02:00
Erik Krogh Kristensen
a8790412dd add support for the Argument[any] and Argument[any-named] tokens 2022-05-02 12:58:21 +02:00
Erik Krogh Kristensen
b1fa7f86a8 add support for the any argument tokens 2022-05-02 12:58:15 +02:00
Erik Krogh Kristensen
413d182bcf add support for named parameters 2022-05-02 12:56:44 +02:00
Erik Krogh Kristensen
c1d3738fb8 fix API-graphs such that the first parameter is the first non-self parameter 2022-05-02 12:52:02 +02:00
Erik Krogh Kristensen
547047ef19 add self parameters to API-graphs, and add support for self parameters in MaD 2022-05-02 12:50:31 +02:00
Erik Krogh Kristensen
dc38aa8a96 add support for the Method[name] token 2022-05-02 12:50:29 +02:00
Erik Krogh Kristensen
ea01bcf5ec have the Instance token be an alias for Subclass.ReturnValue 2022-05-02 12:45:21 +02:00