hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-21 03:06:31 +01:00
Code Issues Packages Projects Releases Wiki Activity
75,255 Commits 1,672 Branches 157 Tags
codeql-cli-2.20.2
Commit Graph

3920 Commits

Author SHA1 Message Date
Rasmus Wriedt Larsen
b0309dd321 Python: Limit SensitiveDataSources to prevent _some_ cross-talk 2021-07-01 12:08:12 +02:00
Rasmus Wriedt Larsen
d7e3ebb15c Python: Add tests showing sensitive data cross-talk 2021-07-01 12:05:51 +02:00
Taus
e4af14638b Merge pull request #6175 from yoff/python-port-ReDoS 
Python: port ReDoS queries from Javascript
 2021-06-30 16:26:07 +02:00
yoff
6a77b890af Merge pull request #6155 from RasmusWL/port-cleartext-queries 
Python: Port cleartext queries
 2021-06-30 15:52:34 +02:00
Rasmus Lerchedahl Petersen
651f8abba0 Python: Avoid multiple results for toString 2021-06-30 14:39:49 +02:00
Rasmus Wriedt Larsen
c2708176b1 Python: Support %-style formatting for MarkupSafe 2021-06-30 14:15:41 +02:00
Rasmus Wriedt Larsen
0a4efd0e86 Python: Add %-style formatting tests for MarkupSafe 2021-06-30 14:13:59 +02:00
Rasmus Wriedt Larsen
075953860b Merge branch 'main' into markupsafe-modeling 2021-06-30 13:55:08 +02:00
Rasmus Lerchedahl Petersen
52d91917aa Merge branch 'python-port-ReDoS' of github.com:yoff/codeql into python-port-ReDoS 2021-06-30 12:25:59 +02:00
Rasmus Lerchedahl Petersen
09e71cfdfd Python: update test expectations 2021-06-30 12:25:29 +02:00
yoff
c19522e921 Apply suggestions from code review 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2021-06-30 11:49:45 +02:00
jorgectf
b9fa57f518 Move tests to test/ 2021-06-30 00:58:58 +02:00
jorgectf
e02a63a27a Delete trivial *_good.py tests 2021-06-29 23:03:41 +02:00
jorgectf
b5ee7c3032 Specify plain-text body 2021-06-29 17:28:20 +02:00
jorgectf
621a810b7b Update .expected 2021-06-29 16:53:53 +02:00
jorgectf
9a8d1f8e0f Take back non-trivial tests 2021-06-29 16:53:44 +02:00
Rasmus Lerchedahl Petersen
e778a65464 Python: Adjust test expectations 
so we can see the light go green.
But we should perhaps do something about those duplicate results.
 2021-06-29 11:29:42 +02:00
Rasmus Lerchedahl Petersen
fbfe415162 Python: Limit test files 2021-06-29 11:18:24 +02:00
Rasmus Wriedt Larsen
a5a7f3e38a Python: Add taint-step for sqlalchemy.text 2021-06-29 11:06:25 +02:00
Rasmus Wriedt Larsen
ef48734206 Python: Add taint-tests for SQLAlchemy 2021-06-29 11:03:40 +02:00
Rasmus Wriedt Larsen
cb112395f8 Python: Fixup after merging main 2021-06-29 11:02:43 +02:00
Rasmus Wriedt Larsen
684f51ae5f Merge branch 'main' into python-use-sqlalchemy 2021-06-29 10:58:51 +02:00
Rasmus Wriedt Larsen
eac1c5d109 Python: Fix concepts-tests for SQLAlchemy 2021-06-29 10:58:28 +02:00
jorgectf
68c683189a Polish documentation, mongoCollectionMethod() and update .expected 2021-06-28 20:55:49 +02:00
jorgectf
3fd1129895 Delete trivial tests 2021-06-28 20:18:31 +02:00
jorgectf
0ca4f240d9 Merge tests and update .expected 2021-06-28 20:13:53 +02:00
Rasmus Lerchedahl Petersen
40ac91eecd Python: Add some tests for exponential ReDoS 
- `KnownCVEs` contain the currently triaged Python CVEs
- `unittest.py` contains some tests constructed by @erik-krogh
- `redos.py` contains a port of `tst.js` from javascript
The expected file has been ported as well with some fixups by @tausbn
 2021-06-28 17:04:49 +02:00
Rasmus Lerchedahl Petersen
21007d21f4 Python: track if qualifiers allow unbounded 
repeats. This in preparation for ReDoS
 2021-06-28 17:04:48 +02:00
Rasmus Lerchedahl Petersen
74ca1d00b9 Python: More precise regex parsing 2021-06-28 17:04:48 +02:00
Rasmus Lerchedahl Petersen
e5f07cc4d3 Python: inline test of regex components 
- Added naive implementation of `charRange` so the test can run.
- Made predicates public as needed.
 2021-06-28 17:04:48 +02:00
jorgectf
1d432af498 Update .expected 2021-06-28 14:18:27 +02:00
jorgectf
1d4d8ab6e0 Fix tests 2021-06-28 14:16:52 +02:00
Rasmus Wriedt Larsen
b33f6a315c Python: Fix select for py/improper-ldap-auth 2021-06-28 10:54:21 +02:00
Rasmus Wriedt Larsen
dfe16aae4c Python: Handle both positional and keyword args for LDAP bind 2021-06-28 10:46:13 +02:00
Rasmus Wriedt Larsen
97571e0b4f Python: Add modeling of peewee 2021-06-25 17:50:59 +02:00
Rasmus Wriedt Larsen
c476c89de5 Python: Add tests for peewee 2021-06-25 16:08:57 +02:00
Rasmus Wriedt Larsen
9573048ee8 Python: Port py/clear-text-logging-sensitive-data 2021-06-25 14:35:31 +02:00
Rasmus Wriedt Larsen
68cfeb0b5c Python: Model logging from the logging module 2021-06-25 14:26:35 +02:00
Rasmus Wriedt Larsen
36c9ceb13b Python: Add Logging concept 2021-06-25 14:26:35 +02:00
Rasmus Wriedt Larsen
a9469b73d9 Python: Port py/clear-text-storage-sensitive-data 2021-06-24 17:39:08 +02:00
Rasmus Wriedt Larsen
7017beca47 Python: Model CookieWrite for twisted 
Had to split the call to `request.cookies.append` since inline
expectation tests didn't like the expectation that contained `=` :(
 2021-06-24 17:34:43 +02:00
Rasmus Wriedt Larsen
4606444b85 Python: Model CookieWrite for flask 2021-06-24 17:34:43 +02:00
Rasmus Wriedt Larsen
65c526df86 Python: Model CookieWrite for tornado 2021-06-24 17:34:43 +02:00
Rasmus Wriedt Larsen
9340d658a4 Python: Model CookieWrite for django 2021-06-24 17:34:43 +02:00
Rasmus Wriedt Larsen
226425e831 Python: Model CookieWrite for aiohttp 2021-06-24 17:34:43 +02:00
Rasmus Wriedt Larsen
e1af1f11ee Python: Add HTTP::Server::CookieWrite concept 
along with tests, but no implementations (to ease reviewing).

---

I've put quite some thinking into what to call our concept for this.

[JS has `CookieDefinition`](581f4ed757/javascript/ql/src/semmle/javascript/frameworks/HTTP.qll (L148-L187)), but I couldn't find a matching concept in any other languages.

We used to call this [`CookieSet`](f07a7bf8cf/python/ql/src/semmle/python/web/Http.qll (L76)) (and had a corresponding `CookieGet`).

But for headers, [Go calls this `HeaderWrite`](cd1e14ed09/ql/src/semmle/go/concepts/HTTP.qll (L97-L131)) and [JS calls this `HeaderDefinition`](581f4ed757/javascript/ql/src/semmle/javascript/frameworks/HTTP.qll (L23-L46))

I think it would be really cool if we have a naming scheme that means the name for getting the value of a header on a incoming request is obvious. I think `HeaderWrite`/`HeaderRead` fulfils this best. We could go with `HeaderSet`/`HeaderGet`, but they feel a bit too vague to me. For me, I'm so used to talking about def-use, that I would immediately go for `HeaderDefinition` and `HeaderUse`, which could work, but is kinda strange.

So in the end that means I went with `CookieWrite`, since that allows using a consistent naming scheme for the future :)
 2021-06-24 17:34:43 +02:00
Rasmus Wriedt Larsen
686638a65f Merge pull request #6049 from RasmusWL/jmespath 
Python: Add modeling of `jmespath`
 2021-06-24 11:13:19 +02:00
jorgectf
9563faf918 Add Sendgrid modeling 2021-06-23 20:53:17 +02:00
jorgectf
bf1eb7238e Cover django.core.mail 2021-06-23 18:37:55 +02:00
jorgectf
eac5eba9d2 Move tests and qlref to test/ 2021-06-23 18:36:44 +02:00