hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 17:23:36 +01:00
Code Issues Packages Projects Releases Wiki Activity
74,247 Commits 1,671 Branches 157 Tags
codeql-cli-2.20.1
Commit Graph

1242 Commits

Author SHA1 Message Date
Rasmus Wriedt Larsen
34631a8784 Python: Model FastAPI requests 
Co-authored-by: Joe Farebrother <joefarebrother@github.com>
 2024-12-18 15:58:51 +01:00
Rasmus Wriedt Larsen
79dfbf7b21 Python: Add FastAPI request test 
Co-authored-by: Joe Farebrother <joefarebrother@github.com>
 2024-12-18 15:48:29 +01:00
Michael Nebel
2321ca59f6 Python: Update all test util paths to point to the new location. 2024-12-12 13:54:30 +01:00
Joe Farebrother
f82fa20249 Update test outputs 2024-12-09 20:37:11 +00:00
Joe Farebrother
ebaab89933 Formatting updates 2024-12-09 19:57:25 +00:00
Joe Farebrother
dd8b7a4a8f Add additional test for safe case in documentation 2024-12-09 19:57:19 +00:00
Joe Farebrother
0f0c1e1609 Test update 2024-12-09 19:56:46 +00:00
Joe Farebrother
cea196ec61 Add concepts tests + some fixes 2024-12-09 19:55:42 +00:00
yoff
81c8a702ff Merge pull request #18112 from github/tausbn/add-api-graph-support-for-parameter-annotations 2024-12-05 15:05:27 +01:00
Jeroen Ketema
c3ea883b11 Python: Update expected test results 2024-12-03 19:18:57 +01:00
Taus
2734377e5d Python: Add API graph support for parameter annotations 
Adds API graph support for observing that in
```python
def foo(x : Bar): ...
```
The variable `x` is likely to be an instance of the type `Bar` inside
this function.
In particular, we add `getInstanceFromAnnotation` as a predicate on API
graph nodes that tracks this step (corresponding to a new edge type
labeled with "annotation" in the API graph), and extend the existing
`getAnInstance` predicate to also include instances arising from type
annotations.

A more complete solution would also add support for annotated
assignments (`x : Foo = ...` or just `x : Foo`) as well as track types
through type aliases (`type Foo = Bar`). This turns out to be
non-trivial, however, as these type constructs don't have any CFG nodes
(and so no data-flow nodes by default either). In order to not have
perfect be the enemy of good, this commit is only targeting the type
parameter case (which is also likely to be the most common use case
anyway).

The tests for API graphs have been extended accordingly, including tests
for the kinds of type ascriptions that we _don't_ currently model in API
graphs (marked with `MISSING:` in the inline tests).
 2024-11-26 13:03:06 +00:00
yoff
44c94e02fe Merge pull request #18037 from joefarebrother/pythob-test-global-capture 
Python: Add some test cases for flow involving global and captured variables
 2024-11-22 11:33:31 +01:00
Joe Farebrother
52cd7f2c5c Add 2 more cases 2024-11-20 11:22:42 +00:00
Joe Farebrother
9b4b01a442 Fix typo 2024-11-20 10:59:27 +00:00
Joe Farebrother
a398f707fe Add some test cases for flow involving global variables and captured variables 2024-11-19 16:34:59 +00:00
yoff
22287be5d1 Merge pull request #17370 from Kwstubbs/Bottle/Tornado-HeaderSupport 
Python: Bottle Framework Support
 2024-11-19 15:34:26 +01:00
yoff
cec0544ca5 Merge pull request #17789 from aschackmull/python/resolvecall-refactor 
Python: Refactor references to NormalCall.
 2024-11-01 14:20:34 +01:00
Kevin Stubbings
ac411f1254 Second round feedback 2024-10-30 13:52:38 -07:00
Tom Hvitved
7c4d5981dd Shared: Add missing spaces in inline test expectation output 2024-10-25 13:23:03 +02:00
Anders Schack-Mulligen
5950c336e2 Python: Refactor references to NormalCall. 2024-10-16 16:04:31 +02:00
Taus
65dbc1de91 Python: Add copy.replace test to list of runnable tests 2024-10-15 18:17:00 +02:00
Taus
778b96aa39 Python: Update test expectations 2024-10-15 12:14:19 +00:00
Taus
e16405c675 Python: Add test for copy.replace 
This test demonstrates the current state of affairs: that `copy.replace`
essentially blocks all flow of taint through it, because it has not been
modelled yet.
 2024-10-15 11:48:43 +00:00
yoff
8f681154ce Merge pull request #17683 from yoff/python/flip-default-for-stdlib-extraction 
Python: Flip default for stdlib extraction
 2024-10-11 18:34:44 +02:00
Rasmus Lerchedahl Petersen
5650694313 Python: update tests 2024-10-11 15:36:44 +02:00
Rasmus Lerchedahl Petersen
bb78c2a67e Python: update test expectations 2024-10-11 15:36:44 +02:00
Rasmus Lerchedahl Petersen
0ac4a10345 Python: model that finditer returns iterable of re.Match objects 2024-10-09 12:42:38 +02:00
Rasmus Lerchedahl Petersen
494b8bd7e1 python: model string property of resultof finditer 2024-10-09 12:40:47 +02:00
Rasmus Lerchedahl Petersen
073189ed6b python: add test for re.Match objects returned from finditer 2024-10-09 12:32:51 +02:00
yoff
1f1b1b7aab Merge pull request #17653 from yoff/python/typetracking-through-comprehensions 2024-10-08 19:39:21 +02:00
Rasmus Lerchedahl Petersen
6f5b949ec8 Python: adjust test expectations 
note that we do retain precision in
`test_dict_from_keyword()`
 2024-10-04 15:30:02 +02:00
Rasmus Lerchedahl Petersen
a4c1a622b7 Merge branch 'main' of https://github.com/github/codeql into python/add-comprehension-capture-flow 2024-10-04 14:53:03 +02:00
yoff
306b087b6e Merge pull request #17566 from yoff/python/dict-can-take-multiple-args 
Python: All dict constructor args are relevant
 2024-10-04 14:30:10 +02:00
Rasmus Lerchedahl Petersen
768d866e72 python: model urllib.parse.parse_qs 2024-10-03 12:20:40 +02:00
Rasmus Lerchedahl Petersen
0462809edc Python: add taint test for urllib 2024-10-03 12:20:38 +02:00
Rasmus Lerchedahl Petersen
0dc036abd1 Python: Allow type tracking through comprehensions 
- the subscript operator is extended to comprehensions
- the capture jump-step is extended to work for the functions generated inside comprehensions
 2024-10-03 09:31:02 +02:00
Rasmus Lerchedahl Petersen
38b1eb7c71 Python: just use ListElementContent for iterables 2024-10-01 16:24:15 +02:00
yoff
7816f34d75 Merge branch 'main' into stdlib-optparse 2024-10-01 12:48:09 +02:00
yoff
62509a10c2 Update python/ql/test/library-tests/dataflow/coverage/test_builtins.py 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2024-10-01 11:39:12 +02:00
Rasmus Lerchedahl Petersen
bd68986fa4 Python: add test showing dict can take multiple arguments 2024-10-01 10:01:22 +02:00
Rasmus Lerchedahl Petersen
fb07a56de6 Python: adjust test expectations 2024-09-30 13:26:59 +02:00
Rasmus Lerchedahl Petersen
f9f46f0f98 Python: update test expectations 
We now have a new callable, yielding new enclosing callables
 2024-09-30 12:00:38 +02:00
Rasmus Lerchedahl Petersen
d4ea62edec Python: flow through yield 
- add yield as a dataflow return
- replace comprehension store step
   with a store step to the yield
 2024-09-30 09:01:29 +02:00
Rasmus Wriedt Larsen
431a1af628 Merge branch 'main' into threat-models 2024-09-26 11:44:24 +02:00
Rasmus Lerchedahl Petersen
fc2dc28f87 python: capture flow through comprehensions 
- add comprehension functions as `DataFlowCallable`s
- add comprehension call as `DataFlowCall`
- create capture argument node for comprehension calls
 2024-09-25 10:02:31 +02:00
yoff
e7f9b5bbbc Merge branch 'main' into stdlib-optparse 2024-09-24 20:24:00 +02:00
Taus
8c015b0784 Merge pull request #17305 from Kwstubbs/CORSMiddleware-Starlette 
Python: Add Support for CORS Middlewares
 2024-09-24 15:51:49 +02:00
Kevin Stubbings
01aa63e170 Add tests 2024-09-23 16:47:10 -07:00
Kevin Stubbings
b1c0e28aff Extra test 2024-09-23 15:00:23 -07:00
Kevin Stubbings
05765c4284 Formatting 2024-09-23 14:51:50 -07:00