Rasmus Wriedt Larsen
471318369b
Python: Don't quote %s in django example
This is vulnerable to SQL injection because of the quotes around %s -- added
some code that highlights this in test.py
Since our examples did this in the safe query, I ended up rewriting them
completely, causing a lot of trouble for myself :D
2019-10-29 13:58:07 +01:00
Rasmus Wriedt Larsen
afe7a0536c
Python: Support positional arguments in Django routes
2019-10-29 13:58:07 +01:00
Rasmus Wriedt Larsen
49dd2216a6
Python: Refactor django library
Use General.qll for routing, like in other web libraries
2019-10-29 13:58:07 +01:00
Taus
6e6dab9ab8
Merge pull request #2178 from RasmusWL/python-minor-qldoc-fix
Python: Fix qldoc for TaintTracking Configuration
2019-10-29 10:40:12 +01:00
Henning Makholm
ae554cf1e9
Make each upgrade directory a QL pack
2019-10-28 17:14:31 +01:00
Taus
04e3683035
Merge pull request #2194 from RasmusWL/python-improve-getbasetype-qldoc
Python: Improve qldoc for ClassValue::getABaseType
2019-10-28 17:07:19 +01:00
Rasmus Wriedt Larsen
f1004b10ba
Merge pull request #2147 from tausbn/python-cyclic-import-package-fp
Python: Fix cyclic import FP relating to packages.
2019-10-25 11:57:55 +02:00
Rasmus Wriedt Larsen
c50d366527
Python: Improve qldoc for ClassValue::getABaseType
Hopefully it is more clear that you can get multiple results from getABaseType
because of multiple inheritance, and not because we are following the chain of
inheritance
2019-10-24 17:10:42 +02:00
Rasmus Wriedt Larsen
5b6675aa71
Python: Select location first in tornado Classes test
so it conforms with the general scheme in tests
2019-10-24 15:01:40 +02:00
Rasmus Wriedt Larsen
e7eaf2b7d9
Python: Autoformat (4 spaces) tornado library
2019-10-24 15:01:40 +02:00
Rasmus Wriedt Larsen
2bb933fef0
Python: Modernise tornado library
2019-10-24 15:01:40 +02:00
Rasmus Wriedt Larsen
3e3833927b
Python: Remove unused getTornadoRequestHandlerMethod
It was only used in a test, and with the mock, it gives no results anyway.
2019-10-24 15:01:40 +02:00
Rasmus Wriedt Larsen
bc50e90f5b
Python: Use mock for tornado tests
2019-10-24 15:01:40 +02:00
Rasmus Wriedt Larsen
4248a8418b
Python: Move tornado tests from internal repo
2019-10-24 15:01:35 +02:00
Rasmus Wriedt Larsen
2874c54133
Python: Move pyramid tests from internal repo
Use minimal mock instead of full library
2019-10-23 16:28:46 +02:00
Rasmus Wriedt Larsen
7c44c37d8b
Python: Autoformat (4 spaces) pyramid library
2019-10-23 16:28:46 +02:00
Rasmus Wriedt Larsen
4463b30ce7
Python: Update pyramid library to use correct response class
Tested with pyramid 1.10.4 and python 3.6.8
2019-10-23 16:28:46 +02:00
Rasmus Wriedt Larsen
66a0e153a5
Python: Modernise pyramid library
2019-10-23 16:28:46 +02:00
Rasmus Wriedt Larsen
59e09d6d5d
Python: Add nullary pointsTo to Expr class
Like the one existing in ControlFlowNode.
This is useful for checking the class of the value being pointed to, as
expr.pointsTo().getClass() = someClass
Without this you need to do
exists(Value v | v.getClass() = someClass | expr.pointsTo(v))
2019-10-23 16:28:46 +02:00
Rasmus Wriedt Larsen
8767d29d21
Python: Use src for naming in TaintTracking::Configuration
We picked `src` since this is used much more than `source` in our existing code.
2019-10-23 15:56:37 +02:00
Taus
30483db621
Merge pull request #2146 from RasmusWL/python-improve-iter-returns-non-iterator
Python: improve py/iter-returns-non-iterator
2019-10-23 11:53:00 +02:00
Rasmus Wriedt Larsen
5c5eaacc09
Python: Remove cached annotation in py/iter-returns-non-iterator
2019-10-23 10:46:07 +02:00
Rasmus Wriedt Larsen
a98466392d
Python: Improve tests and docs for py/iter-returns-non-iterator
2019-10-23 10:46:07 +02:00
Henning Makholm
347d97c14c
qlpack.json is now qlpack.yml
2019-10-22 17:36:35 +02:00
Pavel Avgustinov
72de1b25ab
Merge pull request #2164 from hmakholm/suites
Add some new-style suite definitions
2019-10-22 16:35:19 +01:00
Taus
a19569ce3e
Merge pull request #2161 from RasmusWL/python-fix-cookieset-tostring
Python: Fix toString for CookieSet classes
2019-10-22 16:48:31 +02:00
Henning Makholm
fd768a1af6
Add some new-style suite definitions
2019-10-22 15:51:00 +02:00
Taus Brock-Nannestad
32de65c0c6
Python: Add discussed test case (a false negative).
2019-10-22 15:10:40 +02:00
Taus Brock-Nannestad
83bf54c524
Python: Move false positive (now a true negative) into subfolder.
2019-10-22 15:08:29 +02:00
Rasmus Wriedt Larsen
e487fd3648
Python: Improve alert message for py/iter-returns-non-iterator
Fixes https://github.com/Semmle/ql/issues/1427
2019-10-22 10:27:55 +02:00
Rasmus Wriedt Larsen
6056b457e9
Python: Autoformat py/iter-returns-non-iterator
2019-10-22 10:25:01 +02:00
Taus Brock-Nannestad
ab2c8f312c
Python: Apply autoformat.
2019-10-21 17:40:36 +02:00
Taus Brock-Nannestad
4fe1ba0ea4
Python: Refactor py/undefined-export for more clarity.
2019-10-21 17:40:36 +02:00
Taus Brock-Nannestad
8a1d1e7b7a
Python: Modernise and false positive in py/undefined-export.
2019-10-21 16:07:48 +02:00
Rasmus Wriedt Larsen
016c95a69c
Merge pull request #2078 from taus-semmle/python-unreachable-suppressed
Python: Teach `py/unreachable-statement` about `contextlib.suppress`.
2019-10-21 15:14:39 +02:00
Taus Brock-Nannestad
b2f7b0921b
Python: Add false negative test case.
2019-10-21 14:31:05 +02:00
Taus Brock-Nannestad
99b99ef2b6
Python: Teach py/unreachable-statement about contextlib.suppress.
2019-10-21 14:31:05 +02:00
Rasmus Wriedt Larsen
9cf0e244b1
Python: Fix toString for CookieSet classes
The old implementation would result in empty recursion.
2019-10-21 11:26:10 +02:00
Taus
45158a7177
Merge pull request #2053 from RasmusWL/python-modernise-falcon-library
Python modernise falcon library
2019-10-18 14:47:33 +02:00
Taus Brock-Nannestad
70d9d1bd0e
Python: Add false positive test case for cyclic import.
2019-10-18 14:03:23 +02:00
Taus
37291c5642
Merge pull request #2100 from RasmusWL/python-fix-hasFlowPath
Python: Fix hasFlowPath default implementation of isSink/2
2019-10-18 11:16:58 +02:00
Taus Brock-Nannestad
067bdf5ec4
Python: Disregard packages when looking for cyclic imports.
2019-10-17 12:47:34 +02:00
Rasmus Wriedt Larsen
d3f3cefa54
Python: Autoformat (4 spaces) falcon library
2019-10-15 11:23:51 +02:00
Rasmus Wriedt Larsen
7a112f37cb
Python: Modernise falcon library
2019-10-15 11:22:46 +02:00
Henning Makholm
29167bbff8
Add qlpack.json files
Eventually these files will subsume the current `queries.xml` files
at the top of query-containing and library directories. For now they're
just here to support internal testing of the tooling support for them
we're writing on.
Format and contents are a work in progress. If you're not in Semmle,
don't depend on anything here making sense (or staying stable) until
you see the version tags increase to something nonzero.
2019-10-12 17:38:01 +02:00
Rasmus Wriedt Larsen
bf197b9f20
Add testcase
2019-10-10 15:34:54 +02:00
Rasmus Wriedt Larsen
36bb5f54ce
Python: Fix hasFlowPath default implementation of isSink/2
If hasFlowPath was used, and isSink/2 was not overridden,
hasFlowPath(src, sink) would not use isSink/1 to restrict the allowed TaintSink.
This resulted in false-positives when we had flows with unrelated TaintSinks.
FP: 1a8e7ffc2e/files/webapp/graphite/dashboard/views.py (x2d486922081db956) :1
Fixes https://github.com/Semmle/ql/issues/2081
2019-10-10 15:34:54 +02:00
semmle-qlci
ff5a98b260
Merge pull request #2074 from taus-semmle/python-unreachable-nonlocal
Approved by RasmusWL
2019-10-07 15:45:24 +01:00
semmle-qlci
e36e16af48
Merge pull request #2079 from taus-semmle/python-unused-local-nonlocal
Approved by RasmusWL
2019-10-07 15:38:21 +01:00
Rasmus Wriedt Larsen
3f45d8614b
Merge pull request #2047 from taus-semmle/python-modernise-and-fix-cyclic-import-fp
Python: modernise and fix cyclic import false positive.
2019-10-07 14:28:36 +02:00