hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-19 10:23:15 +01:00
Code Issues Packages Projects Releases Wiki Activity
75,258 Commits 1,671 Branches 157 Tags
codeql-cli-2.20.3
Commit Graph

4561 Commits

Author SHA1 Message Date
Arthur Baars
9e8930c192 Ruby: IncompleteHostnameRegExp.ql 2022-03-07 16:10:08 +01:00
Rasmus Lerchedahl Petersen
895ce755c1 python: correct file name 2022-03-07 13:03:04 +01:00
Ahmed Farid
6685c6b4b3 Update ZipSlip.qll 2022-03-07 10:09:53 +01:00
Ahmed Farid
0d9436892a Update zipslip_bad.py 2022-03-07 00:24:25 +01:00
Ahmed Farid
ce7923c8b3 Update zipslip_bad.py 2022-03-07 00:23:19 +01:00
Ahmed Farid
b9b52d4c7c Update zipslip_bad.py 2022-03-07 00:02:50 +01:00
Ahmed Farid
d7dacfc6bd Update zipslip_good.py 2022-03-07 00:01:55 +01:00
Ahmed Farid
8649375be3 Update ZipSlip.qll 2022-03-06 23:56:02 +01:00
Ahmed Farid
91b5f2ad34 Update Zip.qll 2022-03-06 23:54:46 +01:00
Ahmed Farid
466f75bad8 Update Concepts.qll 2022-03-06 23:53:00 +01:00
Taus
095f27f294 Python: Remove deprecated annotations 2022-03-04 12:30:26 +00:00
Taus
20710616c5 Python: Fix "use set literal" warnings 2022-03-04 12:26:36 +00:00
Rasmus Lerchedahl Petersen
93750fe17f python: minimal CSRF implementation 
- currectly only looks for custom django middleware
 2022-03-04 12:47:23 +01:00
Rasmus Wriedt Larsen
ef045a6789 Python: Fix typo in set_default_parser 2022-03-04 10:18:30 +01:00
Rasmus Wriedt Larsen
f0131afc54 Python: Fix huge_tree modeling 2022-03-04 10:16:28 +01:00
Rasmus Wriedt Larsen
3cd165d5b7 Python: Apply suggestions from code review 
Co-authored-by: Jorge <46056498+jorgectf@users.noreply.github.com>
 2022-03-04 10:15:50 +01:00
Jorge
683c2fa825 Apply suggestions from code review 2022-03-04 01:02:56 +01:00
Rasmus Wriedt Larsen
3f6c55e8ae Python: Rename vulnerable predicate => vulnerableTo 2022-03-03 22:09:31 +01:00
Rasmus Wriedt Larsen
0d69dc854c Python: Minor qldoc improvement 2022-03-03 22:06:26 +01:00
Rasmus Wriedt Larsen
837daaae3b Python: Remove XMLParser concept 2022-03-03 22:04:48 +01:00
Rasmus Wriedt Larsen
df8e0fce68 Python: Minor fixup of qldoc 2022-03-03 22:02:48 +01:00
Rasmus Wriedt Larsen
c0a6f9f3fd Python: Restructure lxml modeling 
and handle parser being passed as positional argument
 2022-03-03 22:00:55 +01:00
Rasmus Wriedt Larsen
c0a2c25f5a Python: Restructure modeling of xml.etree parsers 2022-03-03 21:59:34 +01:00
Rasmus Wriedt Larsen
a033b71eaf Python: Align QLdocs of XML modeling 2022-03-03 21:34:46 +01:00
Rasmus Wriedt Larsen
de0e67f327 Python: Restructure overall XML modeling 2022-03-03 21:31:15 +01:00
Rasmus Wriedt Larsen
33ebcdf437 Python: Support feed method of lxml/xml.etree Parsers 2022-03-03 21:26:24 +01:00
Rasmus Wriedt Larsen
3278793972 Python: Handle more functions and kw-args 2022-03-03 21:18:18 +01:00
Rasmus Wriedt Larsen
7cda901da2 Python: Add separate query for SimpleXMLRPCServer 
This was a rough quick-n-dirty query, and should get some qhelp as well at some point.
 2022-03-03 19:35:33 +01:00
Rasmus Wriedt Larsen
9406a972cd Python: Fix vuln detection for xml.minidom with parser arg 2022-03-03 17:52:11 +01:00
Ahmed Farid
5e14d89714 Update ZipSlip.qll 2022-03-03 17:12:06 +01:00
Rasmus Wriedt Larsen
61291936bf Python: Properly model xml.etree 2022-03-03 15:06:55 +01:00
Rasmus Wriedt Larsen
703e3e8a0f Python: Handle DTD retrieval vuln in lxml 2022-03-03 14:46:48 +01:00
Rasmus Wriedt Larsen
e295399f70 Python: Properly handle huge_tree in lxml 2022-03-03 14:43:37 +01:00
Rasmus Wriedt Larsen
3c321dd98d Python: Model lxml.etree.get_default_parser in own class 2022-03-03 13:49:17 +01:00
Rasmus Wriedt Larsen
661d8bf553 Python: Better handling of resolve_entities arg in lxml 2022-03-03 10:05:57 +01:00
jorgectf
3159d8e211 Correlate SendGridMail declaration with its predicates 2022-03-03 04:33:10 +01:00
Rasmus Wriedt Larsen
7f7758b83d Python: rewrite xml sax modeling 2022-03-02 15:22:11 +01:00
Rasmus Wriedt Larsen
6dd776b2de Python: Only produce one alert per vulnerable XML sink 
This made it much easier to debug the current alerts on tests at least.

Notice that it's important that we have `strictconcat` and not just
`concat`, since `concat` will also allow flow to sinks that are not
vulnerable to any kind of XML vulnerability :|
 2022-03-02 15:22:11 +01:00
Rasmus Wriedt Larsen
16e482bf6f Python: Improve QLDoc for XML parsing/parsers 2022-03-02 14:25:12 +01:00
Rasmus Wriedt Larsen
aaf55b21c4 Python: Add XMLVulnerabilityKind 
This gives some freedom in changing the name presented, and not worrying about whether you have made a typo that makes everything break :|
 2022-03-02 14:25:12 +01:00
Rasmus Wriedt Larsen
ee23c05489 Python: XML: Expose vuln kind on sink 2022-03-02 14:25:12 +01:00
Rasmus Lerchedahl Petersen
143e9ee954 Merge branch 'main' of github.com:github/codeql into python/promote-xpath-injection 2022-03-02 13:14:08 +01:00
Rasmus Wriedt Larsen
518e2aeebf Merge branch 'main' into jorgectf/python/deserialization 2022-03-01 16:47:13 +01:00
yoff
853857bd7e Apply suggestions from code review 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2022-03-01 10:26:29 +01:00
github-actions[bot]
980f822983 Post-release preparation for codeql-cli-2.8.2 2022-03-01 09:24:30 +00:00
Ahmed Farid
70c0c7e461 Update zipslip_bad.py 2022-03-01 00:24:33 +01:00
Ahmed Farid
85bcaa96ce Update Concepts.qll 2022-03-01 00:23:06 +01:00
Ahmed Farid
c22b032bbe Update Zip.qll 2022-03-01 00:11:33 +01:00
Ahmed Farid
67d3498891 Update ZipSlip.ql 2022-03-01 00:07:37 +01:00
Ahmed Farid
b29936716d Update Frameworks.qll 2022-03-01 00:06:22 +01:00