hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-21 19:26:31 +01:00
Code Issues Packages Projects Releases Wiki Activity
75,258 Commits 1,672 Branches 157 Tags
codeql-cli-2.20.3
Commit Graph

9108 Commits

Author SHA1 Message Date
Rasmus Lerchedahl Petersen
98301332bd Python: Broaden noqa regex 2022-06-16 11:16:58 +02:00
Rasmus Wriedt Larsen
d6e68258a4 Python: API-graphs: allow class decorators in .getASubclass() 2022-06-15 17:30:34 +02:00
Rasmus Wriedt Larsen
5f32f898d5 Python: API-graphs: test class decorators and subclass 
A class decorator could change the class definition in any way.

In this specific case, it would be better if we allowed the subclass to
be found with API graphs still.

inspired by
c2250cfb80/tests/auth_tests/test_views.py (L40-L46)
 2022-06-15 16:16:34 +02:00
Rasmus Wriedt Larsen
b2c8e0fe8d Python: Add comment to test 2022-06-15 15:59:54 +02:00
Rasmus Wriedt Larsen
24c9aff2fc Python: Fix a type-tracking test 2022-06-15 15:58:17 +02:00
github-actions[bot]
1ed70d51d7 Post-release preparation for codeql-cli-2.9.4 2022-06-15 13:25:20 +00:00
yoff
f14a90ff09 Merge pull request #9200 from tausbn/python-modernise-weak-file-permissions-query 
Python: Modernise weak file permissions query
 2022-06-15 14:37:17 +02:00
Rasmus Lerchedahl Petersen
0608d4d2f9 python: fix alerts 
Also, remove the `toLowerCase` again,
as I do not know what effect it will have.
 2022-06-15 14:18:29 +02:00
Rasmus Lerchedahl Petersen
40b61fa85f python: fix qldocs and clean-up dead code 2022-06-15 14:07:35 +02:00
yoff
9dbb451f41 Merge pull request #9463 from RasmusWL/req-wo-cert-validation 
Python: Rewrite `py/request-without-cert-validation`
 2022-06-15 13:00:57 +02:00
Rasmus Lerchedahl Petersen
f4ce382b7d python: update test expectations 2022-06-15 12:40:14 +02:00
github-actions[bot]
104ac05f49 Release preparation for version 2.9.4 2022-06-15 08:22:38 +00:00
Rasmus Wriedt Larsen
cfd640b1b2 Python: Apply suggestions from code review 
Co-authored-by: yoff <lerchedahl@gmail.com>
 2022-06-14 16:47:24 +02:00
Rasmus Lerchedahl Petersen
7b5d9ec7df python: Straight port of tarslip 2022-06-14 15:01:13 +02:00
Taus
5b9c668e10 Python: Restrict test to Python 3 2022-06-14 12:58:35 +00:00
yoff
699761889d Merge pull request #7127 from jty-team/jty/python/emailInjection 
Python: CWE-079 - Add Email injection query
 2022-06-14 10:54:16 +02:00
Alex Ford
8d195e3188 Merge pull request #9157 from alexrford/crypto-op-block-mode 
Ruby/Python: Add a `BlockMode` concept for `CryptographicOperations`
 2022-06-13 21:32:36 +02:00
Rasmus Wriedt Larsen
d91b92511f Python: Add change-note 2022-06-08 17:46:51 +02:00
Rasmus Wriedt Larsen
5b2d799fde Python: Model certificate disabling in urllib3 2022-06-08 17:41:45 +02:00
Rasmus Wriedt Larsen
0d02ca07d7 Python: Add certificate disable test of urllib/urllib2 2022-06-08 17:41:45 +02:00
Rasmus Wriedt Larsen
049e87201c Python: Model certificate disabling in httpx 2022-06-08 17:41:45 +02:00
Rasmus Wriedt Larsen
1a2a4232a8 Python: Refactor httpx tests 
and improve QLDocs a bit
 2022-06-08 17:41:45 +02:00
Rasmus Wriedt Larsen
f72a1d98bb Python: Model certificate disabling in aiohttp.client 2022-06-08 17:41:45 +02:00
Rasmus Wriedt Larsen
4b07a7b7be Python: Add missing QLDoc for requests 
Also fix links
 2022-06-08 17:41:42 +02:00
Rasmus Wriedt Larsen
f37d1775f1 Python: Improve requests tests 2022-06-08 17:41:11 +02:00
Rasmus Wriedt Larsen
c21e05aa44 Python: Use HTTP::Client::Request request for py/request-without-cert-validation 
This is very much like the Ruby query, except we also have the origin
that does the disabling.

976daddd36/ruby/ql/src/queries/security/cwe-295/RequestWithoutValidation.ql (L18-L20)
 2022-06-08 15:42:32 +02:00
Rasmus Wriedt Larsen
9cb249fc2f Python: Add test we don't handle for py/request-without-cert-validation 2022-06-08 15:39:37 +02:00
jorgectf
171239b78f Format FlaskMail.qll and Sendgrid.qll 2022-06-03 18:27:45 +02:00
Rasmus Wriedt Larsen
c1e6996e99 Inline Expectation Tests: Allow tag[foo bar] 
This is partly motivated by the MaD tests which looks much better now in
my opinion.

I also wanted this for testing argument passing. In Python we're
adopting the same argument positions as Ruby has
[here](4f3751dfea/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowDispatch.qll (L508-L540))

So it would be nice if `arg[keyword foo]=...` was allowed, without
having to transform the `toString()` result of an argument position into
something without a space.
 2022-06-03 11:39:57 +02:00
Jorge
897d5c9471 Apply suggestions from code review 
Co-authored-by: yoff <lerchedahl@gmail.com>
 2022-06-01 12:44:08 +02:00
Rasmus Wriedt Larsen
729cf79be7 Merge pull request #9351 from RasmusWL/django-file-read 
Python: Support `read` on Django file
 2022-06-01 10:45:26 +02:00
Anders Schack-Mulligen
9abd2259d3 Merge pull request #9381 from aschackmull/redos/perf 
ReDoS: Improve performance in ExponentialBackTracking.qll.
 2022-06-01 10:39:28 +02:00
Anders Schack-Mulligen
4f3751dfea Merge pull request #9316 from hvitved/dataflow/edges-get-a-successor-consistency 
Data flow: Make `PathGraph::edges/2` and `PathNode::getASuccessor/1` consistent
 2022-06-01 10:38:25 +02:00
Nick Rolfe
f417c12c5e Merge pull request #9332 from github/post-release-prep/codeql-cli-2.9.3 
Post-release preparation for codeql-cli-2.9.3
 2022-05-31 16:17:50 +01:00
github-actions[bot]
ed2f3409bc Post-release preparation for codeql-cli-2.9.3 2022-05-31 09:54:55 +00:00
Anders Schack-Mulligen
e36c59b285 ReDoS: Sync. 2022-05-31 11:04:42 +02:00
Rasmus Wriedt Larsen
b6cc438390 Merge pull request #9368 from RasmusWL/test-model-api-graphs 
Python: Port test model to API graphs
 2022-05-30 15:45:13 +02:00
Rasmus Wriedt Larsen
420dea0792 Python: Fix example TestCase 2022-05-30 14:48:06 +02:00
Rasmus Wriedt Larsen
08e64ea1b4 Python: Remove contrived test-case example 2022-05-30 14:45:34 +02:00
Rasmus Wriedt Larsen
4861a980be Python: Fix cryptography modeling 
The old code was my own suggestion, that I thought would just work, but
was also slightly skeptical about.

I tested out whether it works with the code below

```codeql
predicate foo(int input, string res) {
  input = 1 and res = "that was one"
}

from int input, string res
where
  input in [1, 2] and
  if foo(input, res)
  then any()
  else res = "not one"
select input, res
```

which gave the 3 results

```
1 |	that was one
1 |	not one
2 |	not one
```

only by rewriting the code to be the one below, did I get down to the 2
results I actually wanted. So I've done the same kind of rewrite in the
commit.

```codeql
predicate foo(int input, string res) {
  input = 1 and res = "that was one"
}

from int input, string res
where
  input in [1, 2] and
  if foo(input, _)
  then foo(input, res)
  else res = "not one"
select input, res
```
 2022-05-30 14:37:27 +02:00
Rasmus Wriedt Larsen
a8b4b6a374 Python: Move test-modeling to API-graphs 
Notice that although we loose the contrived examples in `test.py`, we do
gain support for real-world test-case construction, which seems worth
the tradeoff.
 2022-05-30 14:13:06 +02:00
Rasmus Wriedt Larsen
a5dc4f430c Python: Expand test-filter tests 
With no virtual environment enabled, none of the third-party library
test case are found.
 2022-05-30 14:11:50 +02:00
yoff
cd46f31cba Merge branch 'main' into py/CsvInjection 2022-05-30 13:41:31 +02:00
Rasmus Wriedt Larsen
7a6646dcaf Merge pull request #8883 from erik-krogh/pyMaD 
Python: add MaD implementation
 2022-05-30 13:31:07 +02:00
Erik Krogh Kristensen
e557d8839b have the Instance token just be an alias for ReturnValue 2022-05-30 12:21:42 +02:00
Rasmus Wriedt Larsen
5924e88a86 Python: Support read on Django file 2022-05-27 11:18:26 +02:00
jorgectf
e577a0e836 Update .expected tests 2022-05-27 00:13:40 +02:00
${sleep,7}
76c27c685f Merge branch 'main' into jty/python/emailInjection 2022-05-26 16:27:57 -04:00
Tom Hvitved
4f95abc4f6 Python: Update expected test output 2022-05-25 14:39:37 +02:00
Tom Hvitved
bcdef98392 Data flow: Sync files 2022-05-25 14:39:37 +02:00