hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-20 10:46:30 +01:00
Code Issues Packages Projects Releases Wiki Activity
75,258 Commits 1,672 Branches 157 Tags
codeql-cli-2.20.3
Commit Graph

4561 Commits

Author SHA1 Message Date
Rasmus Lerchedahl Petersen
186db7f43e Python: factor into modules and files 2021-03-03 17:50:46 +01:00
Rasmus Lerchedahl Petersen
7ed018aff6 Python: refactor into modules 
and turn on the pyOpenSSL module
 2021-03-03 17:50:46 +01:00
Rasmus Lerchedahl Petersen
72b37a5b1b Python: factor out barrier 2021-03-03 17:50:46 +01:00
Rasmus Lerchedahl Petersen
86dde6eab1 Python: start of port 2021-03-03 17:50:46 +01:00
Rasmus Lerchedahl Petersen
3dd34c9ba9 Python: rewrite comment 2021-03-03 17:41:20 +01:00
Rasmus Lerchedahl Petersen
dcf8c881ff Python: correct mistake in example 2021-03-03 16:54:36 +01:00
Rasmus Lerchedahl Petersen
fafc36a9cb Python: remove (do not introduce) unused import 2021-03-03 16:49:35 +01:00
Rasmus Lerchedahl Petersen
f02a19669f Python: Make exception info concept local 2021-03-03 16:47:31 +01:00
Marcono1234
b9c0193022 Sync .qhelp file renaming to other languages 2021-03-03 15:38:08 +01:00
Rasmus Wriedt Larsen
dd75ea31df Python: Apply suggestions from code review 
Co-authored-by: Taus <tausbn@github.com>
 2021-03-03 14:17:22 +01:00
yoff
078fbccc9a Apply suggestions from code review 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2021-03-02 22:32:45 +01:00
Chris Smowton
cdccc1a064 Remove needless typecasts 2021-03-01 16:47:34 +00:00
yoff
92128babef Apply suggestions from code review 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2021-03-01 17:39:17 +01:00
Rasmus Lerchedahl Petersen
38748f9e23 Python: restrict attention to ss.wrap_socket 2021-03-01 16:35:21 +01:00
Chris Smowton
c32514bf66 Sync dataflow library files 2021-03-01 10:27:28 +00:00
Rasmus Wriedt Larsen
010488c899 Python/JS: Update QLDoc for crypto algorithms before sharing 2021-02-27 11:38:45 +01:00
Rasmus Wriedt Larsen
646ea55944 Python/JS: Update Python copy of crypto algorithm modeling 
Now to be shared accross both languages, with sync-identical-files
 2021-02-27 11:38:45 +01:00
Rasmus Lerchedahl Petersen
8b68912c40 Python: Update help and add example 2021-02-26 20:19:31 +01:00
Rasmus Lerchedahl Petersen
9533c92fcc Python: Clean up tests and add comment 2021-02-26 19:28:44 +01:00
Rasmus Wriedt Larsen
b43533ce8d Python: Ensure old dataflow queries are not used 
There seems to have been some cases where the old ones have been picked up
instead of the new ones. At least I spotted _one_ case where this happened, in
an internal actions run.

I'm not sure how to actual debug this, so just removing all the tags that could
make these queries to become picked up :|
 2021-02-26 11:22:23 +01:00
yoff
7f7320ae4c Update python/ql/src/Security/CWE-327/InsecureDefaultProtocol.ql 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2021-02-26 10:56:48 +01:00
Rasmus Lerchedahl Petersen
311149ab4f Python: fix spelling 2021-02-26 09:44:24 +01:00
yoff
e3b3825ab0 Merge pull request #5151 from RasmusWL/django-get-redirect-url 
Python: Model get_redirect_url in django
 2021-02-25 23:07:33 +01:00
Rasmus Wriedt Larsen
81b29316e1 Merge pull request #4737 from yoff/python-dataflow-add-cast-nodes 
Python: Force read- and store steps to add nodes.
 2021-02-25 14:28:54 +01:00
Taus
01d581ecf3 Merge pull request #5250 from tausbn/python-port-re-security-queries 
Python: Port URL sanitisation queries to API graphs
 2021-02-25 13:13:55 +01:00
yoff
f15084254b Add comment explaining tacky nature of code 2021-02-25 11:49:57 +01:00
Rasmus Lerchedahl Petersen
5b51a3461d Python: Force read- and store steps to add nodes. 
This gives muche nicer path explanations on some snapshots.
It is achieved by making stepped-to nodes `CastNode`s.
This seems somewhat reasonable as types then to change, when we move
between content and container.
We could probably refine it, though.
 2021-02-25 11:49:57 +01:00
Rasmus Wriedt Larsen
4610b1b392 Pyhton: Use type back-tracking for keysize on key-generation 
Internal evaluation showed that this didn't perform better than normal (forward)
type-tracking, but it feels more like the right approach.
 2021-02-25 11:31:00 +01:00
Rasmus Wriedt Larsen
c195c64982 Python: Use type-tracking for integer literal tracking 
Like we've done for pretty much everything else. An experiment to see what this
means for query performance.
 2021-02-25 11:30:56 +01:00
Rasmus Wriedt Larsen
27987717dc Merge branch 'main' into crypto 2021-02-25 11:30:32 +01:00
Rasmus Lerchedahl Petersen
41743b6afa Python: restrict to caught exceptions 
also modernise code
 2021-02-25 07:53:35 +01:00
Rasmus Lerchedahl Petersen
24b51e8851 Merge branch 'main' of github.com:github/codeql into python-port-stacktrace-exosure 2021-02-25 07:24:41 +01:00
Rasmus Lerchedahl Petersen
76f080978a Python: Add missing QLDoc 2021-02-24 23:35:44 +01:00
Rasmus Lerchedahl Petersen
192988077e Python: Move <ul> outside of <p> 2021-02-24 23:28:13 +01:00
Rasmus Lerchedahl Petersen
10657160bc Python: Improve qlhelp according to review 2021-02-24 22:02:16 +01:00
CodeQL CI
bf66bdbb95 Merge pull request #5253 from RasmusWL/no-getAnArg 
Approved by tausbn
 2021-02-24 06:34:31 -08:00
Rasmus Wriedt Larsen
d05a8b8c46 Python: Remove getAnArg in DataFlow::CallCfgNode 
Until we've had further discussion on what is the right approach to
naming (internal discussion in https://github.com/github/codeql-python-team/issues/95)
 2021-02-24 14:58:48 +01:00
Rasmus Wriedt Larsen
a6e5ec2e09 Python: Port py/flask-debug 2021-02-24 11:37:25 +01:00
yoff
8262f0343b Merge pull request #5208 from RasmusWL/flask-clean-models 
Python: Cleanup Flask models now that we have API graphs
 2021-02-24 10:36:30 +01:00
Rasmus Wriedt Larsen
5bb4a1a45a Python: Use explicit argument specification instead of getAnArg 
I've seen quite a few places where `getAnArg` leads to wrong behavior, and I
generally just don't like it.
 2021-02-24 10:19:34 +01:00
Taus Brock-Nannestad
e77c1059a3 Python: Use source nodes and prevent bad join order 2021-02-24 10:18:54 +01:00
Taus Brock-Nannestad
cac6c4acc9 Python: Add deprecation notice to mode_from_mode_object 2021-02-24 10:18:21 +01:00
yoff
c3d2001e85 Merge pull request #5251 from tausbn/python-port-missing-host-key-validation-query 
Python: Port missing host key validation query
 2021-02-24 08:43:52 +01:00
Taus Brock-Nannestad
2942a11a69 Python: Import API graphs privately 2021-02-23 22:45:39 +01:00
Taus Brock-Nannestad
f241dbabab Python: Clean up query a bit 2021-02-23 22:33:18 +01:00
Taus Brock-Nannestad
002d0fe565 Python: Port missing host key query 2021-02-23 22:26:03 +01:00
Taus Brock-Nannestad
e812eb777d Python: Port URL sanitisation queries to API graphs 
Really, this boils down to "Port `re` library model to use API graphs
instead of points-to", which is what this PR actually does.

Instead of using points-to to track flags, we use a type tracker. To
handle multiple flags at the same time, we add additional flow from

`x` to `x | y` and `y | x`

and, as an added bonus, the above with `+` instead of `|`, neatly
fixing https://github.com/github/codeql/issues/4707

I had to modify the `Qualified.ql` test slightly, as it now had a
result stemming from the standard library (in `warnings.py`) that
points-to previously ignored.

It might be possible to implement this as a type tracker on
`LocalSourceNode`s, but with the added steps for the above operations,
this was not obvious to me, and so I opted for the simpler
"`smallstep`" variant.
 2021-02-23 22:02:35 +01:00
Rasmus Wriedt Larsen
358ade67e5 Merge pull request #5248 from tausbn/python-port-insecure-temporary-file 
Python: Port `py/insecure-temporary-file`
 2021-02-23 21:37:59 +01:00
Taus Brock-Nannestad
b8ce5e969e Python: Port py/insecure-temporary-file 2021-02-23 20:02:22 +01:00
yoff
9eed17f647 Merge pull request #5152 from RasmusWL/improve-pyyaml-support 
Python: Improve pyyaml support
 2021-02-23 19:58:04 +01:00