Commit Graph

3920 Commits

Author SHA1 Message Date
Rasmus Wriedt Larsen
1e447c5ca2 Python: Handle taint for % formatting 2020-08-24 14:15:27 +02:00
Rasmus Wriedt Larsen
80745e8881 Python: Model string methods in shared taint tracking library 2020-08-24 13:58:42 +02:00
Rasmus Wriedt Larsen
a77f118b62 Python: Shared taint tracking: Handle string concat + subscript 2020-08-24 13:58:41 +02:00
Rasmus Wriedt Larsen
61f89ca3c3 Python: Add tests for shared taint tracking for strings
I adopted the TestTaint testing setup that I made for the "old" taint tracking
tests. This time around we should figure out if we can use .qlref or similar so
it doesn't end up in multiple copies that are not kept up to date :|

The `repr` predicate could probably be placed somewhere better. For now I just
wanted something that could help me. I considered just expanding the `repr`
predicate in `ql/src/semmle/python/strings.qll`, but since it's currently used
by queries, I didn't want to do anything about it.

Anyway, the output it gives is much more useful than seeing this ;)

```
| test.py:20 | ok   | str_operations | test.py:20:9:20:10 | ts |
| test.py:21 | fail | str_operations | test.py:21:9:21:18 | BinaryExpr |
| test.py:22 | fail | str_operations | test.py:22:9:22:18 | BinaryExpr |
| test.py:23 | fail | str_operations | test.py:23:9:23:21 | Subscript |
| test.py:24 | fail | str_operations | test.py:24:9:24:13 | Subscript |
| test.py:25 | fail | str_operations | test.py:25:9:25:18 | Subscript |
| test.py:26 | fail | str_operations | test.py:26:9:26:13 | Subscript |
| test.py:27 | fail | str_operations | test.py:27:9:27:15 | str() |
| test.py:35 | fail | str_methods | test.py:35:9:35:23 | Attribute() |
| test.py:36 | fail | str_methods | test.py:36:9:36:21 | Attribute() |
| test.py:37 | fail | str_methods | test.py:37:9:37:22 | Attribute() |
| test.py:38 | fail | str_methods | test.py:38:9:38:23 | Attribute() |
| test.py:40 | fail | str_methods | test.py:40:9:40:19 | Attribute() |
| test.py:41 | fail | str_methods | test.py:41:9:41:23 | Attribute() |
| test.py:42 | fail | str_methods | test.py:42:9:42:36 | Attribute() |
| test.py:44 | fail | str_methods | test.py:44:9:44:25 | Attribute() |
| test.py:45 | fail | str_methods | test.py:45:9:45:45 | Attribute() |
| test.py:47 | fail | str_methods | test.py:47:9:47:21 | Attribute() |
| test.py:48 | fail | str_methods | test.py:48:9:48:19 | Attribute() |
| test.py:49 | fail | str_methods | test.py:49:9:49:18 | Attribute() |
| test.py:51 | fail | str_methods | test.py:51:9:51:32 | Attribute() |
| test.py:52 | fail | str_methods | test.py:52:9:52:34 | Attribute() |
| test.py:54 | fail | str_methods | test.py:54:9:54:21 | Attribute() |
| test.py:55 | fail | str_methods | test.py:55:9:55:19 | Attribute() |
| test.py:56 | fail | str_methods | test.py:56:9:56:18 | Attribute() |
| test.py:57 | fail | str_methods | test.py:57:9:57:21 | Attribute() |
| test.py:58 | fail | str_methods | test.py:58:9:58:18 | Attribute() |
| test.py:59 | fail | str_methods | test.py:59:9:59:18 | Attribute() |
| test.py:60 | fail | str_methods | test.py:60:9:60:21 | Attribute() |
| test.py:62 | fail | str_methods | test.py:62:9:62:26 | Attribute() |
| test.py:63 | fail | str_methods | test.py:63:9:63:42 | Attribute() |
| test.py:65 | fail | str_methods | test.py:65:9:65:26 | Attribute() |
| test.py:66 | fail | str_methods | test.py:66:9:66:42 | Attribute() |
| test.py:69 | fail | str_methods | test.py:69:9:69:25 | Attribute() |
| test.py:70 | fail | str_methods | test.py:70:9:70:26 | Attribute() |
| test.py:71 | fail | str_methods | test.py:71:9:71:22 | Attribute() |
| test.py:72 | fail | str_methods | test.py:72:9:72:21 | Attribute() |
| test.py:73 | fail | str_methods | test.py:73:9:73:23 | Attribute() |
| test.py:78 | ok   | str_methods | test.py:78:9:78:39 | Attribute() |
```
2020-08-24 13:58:39 +02:00
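The three commits above this one add taint steps for string concatenation and subscripting, for str methods, and for `%` formatting; the test table in this message lists exactly those operation kinds. The following is an added runtime sketch of the same propagation rules, not code from the CodeQL repository: a `Tainted` str subclass keeps its mark across those operations, and `probe` reports, per operation, whether the mark survived, which reads like the per-line ok/fail table above. The names `Tainted`, `is_tainted` and `probe` and the sample input are this example's own.

```python
"""Runtime sketch of taint propagation through Python string operations.

Added illustration, not code from the CodeQL repository. Only the receiver
of a str method is treated as a taint source here; a static model can also
add steps from arguments (e.g. "{}".format(tainted)), which this hook cannot
see.
"""


class Tainted(str):
    """A str that remembers it originated from an untrusted source."""

    # Operators the shared taint-tracking library models as taint steps.
    def __add__(self, other):            # tainted + x
        return Tainted(str.__add__(self, other))

    def __radd__(self, other):           # x + tainted
        return Tainted(str.__add__(other, self))

    def __getitem__(self, key):          # tainted[i], tainted[a:b]
        return Tainted(str.__getitem__(self, key))

    def __mod__(self, args):             # tainted_format % args
        return Tainted(str.__mod__(self, args))

    def __rmod__(self, fmt):             # "..%s.." % tainted (single argument;
        return Tainted(str.__mod__(fmt, self))  # a tuple of args bypasses this hook)

    def __str__(self):                   # str(tainted)
        return self


def _wrap(value):
    """Re-mark str results (and str items of list/tuple results) as Tainted."""
    if isinstance(value, str):
        return Tainted(value)
    if isinstance(value, (list, tuple)):
        return type(value)(_wrap(v) for v in value)
    return value  # ints, bools, bytes: no taint step modeled in this sketch


def _propagating(name):
    """Build a method that calls the str method `name` and re-marks its result."""
    original = getattr(str, name)

    def method(self, *args, **kwargs):
        return _wrap(original(self, *args, **kwargs))

    method.__name__ = name
    return method


# str methods whose result is derived from the receiver's text.
for _name in ("strip", "lstrip", "rstrip", "upper", "lower", "title",
              "replace", "format", "join", "split", "rsplit", "partition",
              "splitlines", "zfill", "center", "ljust", "rjust"):
    setattr(Tainted, _name, _propagating(_name))


def is_tainted(value) -> bool:
    return isinstance(value, Tainted)


def probe(source: str) -> dict:
    """Apply each modeled operation to a tainted source and record whether
    the result is still marked."""
    ts = Tainted(source)
    return {
        "concat_left": is_tainted(ts + "!"),
        "concat_right": is_tainted("<" + ts),
        "subscript": is_tainted(ts[0]),
        "slice": is_tainted(ts[1:-1]),
        "str()": is_tainted(str(ts)),
        "percent_fmt": is_tainted(Tainted("id=%d") % 42),
        "percent_arg": is_tainted("<%s>" % ts),
        "strip": is_tainted(ts.strip()),
        "upper": is_tainted(ts.upper()),
        "replace": is_tainted(ts.replace("a", "b")),
        "format": is_tainted(ts.format()),
        "join": is_tainted(ts.join(["x", "y"])),
        "split_item": is_tainted(ts.split(" ")[0]),
        "partition_item": is_tainted(ts.partition(" ")[2]),
        "len": is_tainted(len(ts)),         # int result: no taint, as expected
        "encode": is_tainted(ts.encode()),  # bytes: not modeled by this sketch
    }


if __name__ == "__main__":
    # Constructed sample input; surrounding spaces exercise strip/split.
    for op, ok in probe(" user input ").items():
        print(f"{op:16} {'tainted' if ok else 'clean'}")
```

The wrapper only sees flows that start at the receiver, so a format string or `%` tuple that is clean but receives a tainted argument stays clean here; the static model in the commits above can add that argument-to-result step, which is why those steps are modeled rather than discovered at runtime.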
Taus
b8d6f76749 Merge pull request #4056 from yoff/SharedDataflow_ParameterTests
Python: Shared dataflow, parameter routing tests
2020-08-24 11:36:30 +02:00
Rasmus Lerchedahl Petersen
e1343c7f1e Python: Support set literals. 2020-08-21 11:15:04 +02:00
Rasmus Lerchedahl Petersen
ccff84d546 Python: Test flow into comprehension 2020-08-21 10:40:22 +02:00
Rasmus Lerchedahl Petersen
5a734730de Python: Control flow nodes are dataflow nodes
iff they are expression nodes
We could refine this later, but it seems to work for now...
2020-08-20 15:00:42 +02:00
Rasmus Wriedt Larsen
7fb8e0e277 Python: Add basic shared taint tracking test 2020-08-20 14:49:17 +02:00
Rasmus Lerchedahl Petersen
18e946d4aa Python: Small rearrangement 2020-08-19 17:56:02 +02:00
Rasmus Lerchedahl Petersen
bd53a711d3 Merge branch 'main' of github.com:github/codeql into SharedDataflow_SequenceFlow 2020-08-19 11:42:41 +02:00
Rasmus Lerchedahl Petersen
176aa06fad Python: Address review comments 2020-08-19 09:21:16 +02:00
Rasmus Lerchedahl Petersen
bbf925fcc4 Python: Magic subscript and format
(this in preparation for addressing reviews)
2020-08-18 12:56:15 +02:00
Rasmus Lerchedahl Petersen
ca7c045d31 Python: bad re match made the tests fail... 2020-08-17 16:24:00 +02:00
Rasmus Lerchedahl Petersen
bfdb580206 Python: Experimental cleanup strategy 2020-08-17 11:37:52 +02:00
Rasmus Lerchedahl Petersen
7ea3fc04c8 Python: adjust test annotation (for after feature) 2020-08-14 14:46:39 +02:00
Rasmus Lerchedahl Petersen
4bc04486cb Python: Annotate tests (as before the new feature) 2020-08-14 14:41:35 +02:00
Rasmus Lerchedahl Petersen
2817602a97 Merge branch 'master' of github.com:github/codeql into SharedDataflow_ParameterTests 2020-08-14 14:27:57 +02:00
Rasmus Lerchedahl Petersen
e808d3033a Python: Add magic to DataFlowCall 2020-08-14 14:19:18 +02:00
CodeQL CI
e9a36b2524 Merge pull request #4062 from tausbn/python-fix-unknown-import-star
Approved by yoff
2020-08-14 13:17:45 +01:00
Rasmus Lerchedahl Petersen
9556937840 Python: address review comments 2020-08-14 11:29:58 +02:00
yoff
8d49ad7325 Update python/ql/test/experimental/dataflow/coverage/datamodel.py
Co-authored-by: Taus <tausbn@github.com>
2020-08-14 10:53:37 +02:00
yoff
4b336e9b01 Update python/ql/test/experimental/dataflow/coverage/classes.py
Co-authored-by: Taus <tausbn@github.com>
2020-08-14 10:53:10 +02:00
Taus Brock-Nannestad
a1a1218f95 Python: Ignore from foo import * when foo is absent. 2020-08-13 10:50:28 +02:00
Taus Brock-Nannestad
dc5c0f8e7a Python: Add test case for missing modules 2020-08-13 10:49:11 +02:00
Rasmus Lerchedahl Petersen
3f2fcbf0ae Python: Remove most noise in the query output
Just a quick change, the query should probably be rewritten
2020-08-13 08:23:12 +02:00
Rasmus Lerchedahl Petersen
2cc7712d40 Python: Annotate test cases 2020-08-13 08:02:42 +02:00
Rasmus Lerchedahl Petersen
6dfa2ea9d5 Python: update test expectation 2020-08-12 16:59:06 +02:00
Rasmus Lerchedahl Petersen
20ffb3fd4c Python: tests for argument routing
Needs annotations
2020-08-12 15:43:07 +02:00
Rasmus Lerchedahl Petersen
dd4d00293d Python: remaining class tests 2020-08-11 14:16:02 +02:00
Rasmus Lerchedahl Petersen
394991164f Python: Update test expectations 2020-08-11 13:05:35 +02:00
Rasmus Lerchedahl Petersen
f834d71bab Python: split out data model tests 2020-08-11 11:22:11 +02:00
Rasmus Lerchedahl Petersen
2c5de7f50e Python: fix r/l confusion 2020-08-11 10:48:23 +02:00
Rasmus Lerchedahl Petersen
12dfc4afd9 Python: clean up validity check code 2020-08-11 08:16:49 +02:00
Rasmus Lerchedahl Petersen
3929e01350 Python: tests for async iterators/context managers 2020-08-11 08:10:46 +02:00
Rasmus Lerchedahl Petersen
5da37f5cf4 Python: Update test expectations 2020-08-10 17:07:00 +02:00
Rasmus Lerchedahl Petersen
a963f15100 Python: format strings are unnecessary and mess up
For some reason, we got no results when format strings were present.
2020-08-10 11:54:24 +02:00
Rasmus Lerchedahl Petersen
959c6315c4 Python: update reference to fix tests 2020-08-10 09:24:45 +02:00
Rasmus Lerchedahl Petersen
639d914a47 Python: test Awaitable, framework for async test 2020-08-10 09:03:28 +02:00
Rasmus Lerchedahl Petersen
02478774c3 Python: tests for context managers 2020-08-10 08:11:25 +02:00
Rasmus Lerchedahl Petersen
5b7c7f933c Python: tests for numeric classes 2020-08-08 00:31:29 +02:00
Rasmus Lerchedahl Petersen
f6d6f91a42 Python: tests for containers 2020-08-07 23:39:42 +02:00
Rasmus Lerchedahl Petersen
aff4535965 Python: fix tests for descriptors 2020-08-07 23:07:58 +02:00
Rasmus Lerchedahl Petersen
d84294df3d Python: Check that tests are valid 2020-08-07 20:07:02 +02:00
Rasmus Lerchedahl Petersen
3db1ceeb70 Python: format ql 2020-08-06 15:42:14 +02:00
Rasmus Lerchedahl Petersen
614103c3b6 Python: Test calls rather than flows 2020-08-06 15:40:41 +02:00
Rasmus Lerchedahl Petersen
e77ceaf4b8 Python: Track dictionary keys
Also, less hacky comprehension,
but I think we still want to fix the extractor
2020-08-06 13:31:54 +02:00
Rasmus Lerchedahl Petersen
7c235597de Python: More precise dataflow for tuples
(and dictionaries, but that is not fleshed out)
2020-08-05 19:22:54 +02:00
yoff
e642808a75 Update python/ql/test/experimental/dataflow/coverage/classes.py
Co-authored-by: intrigus-lgtm <60750685+intrigus-lgtm@users.noreply.github.com>
2020-08-05 15:12:27 +02:00
Rasmus Lerchedahl Petersen
81ad4552c9 Python: full list of magic methods to be tested 2020-08-05 13:30:30 +02:00