Asger F
6d665da4dc
Merge pull request #12570 from github/post-release-prep/codeql-cli-2.12.5
...
Post-release preparation for codeql-cli-2.12.5
2023-03-21 13:06:25 +01:00
Rasmus Wriedt Larsen
e90559b86d
Python: Add missing options files
...
I could not for the life of me figure out why the tests were failing,
when they were working for me locally 🤦
2023-03-21 10:24:28 +01:00
Rasmus Wriedt Larsen
346086524b
Python: Accept dataflow-consistency test changes
...
To PRs must have had a conflict when merged separately
2023-03-21 10:09:01 +01:00
Raul Garcia
1400b4b520
Update UnsafeUsageOfClientSideEncryptionVersion.ql
...
* predicate `isUnsafeClientSideAzureStorageEncryptionViaObjectCreation` was not useful (it was meant to detect the SDK code, not its usage)
* fixed & simplified `isUnsafeClientSideAzureStorageEncryptionViaAttributes`, the original query was not finding the right code.
NOTE: tested with a real project: https://github.com/wastore/azure-storage-samples-for-python/tree/master/ClientSideEncryptionToServerSideEncryptionMigrationSamples/ClientSideEncryptionV1ToV2
2023-03-20 18:52:58 -07:00
Anders Schack-Mulligen
3876e4335f
Merge pull request #12420 from kaspersv/kaspersv/dataflow-remove-alias-preds
...
Dataflow: Remove revFlowAlias and revFlowApAlias predicates
2023-03-20 16:30:15 +01:00
Michael Nebel
17b3383043
Merge pull request #12556 from michaelnebel/java/argumentthis
...
Java: Argument[-1] -> Argument[this]
2023-03-20 15:59:59 +01:00
Erik Krogh Kristensen
a9d40d39d9
Merge pull request #12550 from erik-krogh/useNumberUtil
...
Java/Python: use Number.qll to parse hex numbers in regex parsing
2023-03-20 15:50:31 +01:00
Erik Krogh Kristensen
0f813ce2e8
Merge pull request #12543 from erik-krogh/reg-perf
...
ReDoS: restrict the edges considered in polynomial-redos for complex regular expressions
2023-03-20 15:48:35 +01:00
Rasmus Wriedt Larsen
2ee09cc5d1
Merge branch 'main' into import-refined
2023-03-20 15:42:01 +01:00
Rasmus Wriedt Larsen
93c9f59e86
Python: Extract version specific coverage/classes.py tests
...
Since we can analyze operator.py from Python3, but not in Python 2
(since it's implemented in C), we get a difference for the index tests.
note: `operator.length_hint` is only available in Python 3.4 and later,
so would always fail under Python 2.
2023-03-20 15:39:20 +01:00
yoff
6639e5a97b
Merge pull request #12590 from yoff/python/patch-uninitialized-local
...
Python: Patch uninitialized local query
2023-03-20 15:11:14 +01:00
Rasmus Lerchedahl Petersen
6a5db750c4
python: add test to validation (and fix it)
2023-03-20 15:07:46 +01:00
yoff
17c9ba9872
Merge pull request #12464 from yoff/python/add-test-captured-in-collection
...
python: add test for captured variables in lists
2023-03-20 15:01:58 +01:00
Rasmus Lerchedahl Petersen
ed15cce31f
python: add change note
2023-03-20 14:22:58 +01:00
Rasmus Lerchedahl Petersen
b042c60ca3
python: remove outdated comment
2023-03-20 14:13:48 +01:00
Rasmus Lerchedahl Petersen
72e97918e9
python: format
2023-03-20 14:11:10 +01:00
Rasmus Lerchedahl Petersen
5f438e433d
python: exclude nonlocals from query
2023-03-20 13:34:39 +01:00
Kasper Svendsen
1d2f1b6ae6
Address comments
2023-03-20 13:34:14 +01:00
Kasper Svendsen
e0e3a1d621
Dataflow: remove revFlowApAlias trick
2023-03-20 13:04:13 +01:00
Rasmus Lerchedahl Petersen
9b7a20f4ad
python: add example showing FP
2023-03-20 13:03:26 +01:00
erik-krogh
ef498020c2
PY: dont depend on codeql/util in src/ now that its added to lib/
2023-03-20 12:11:06 +01:00
Michael Nebel
37484a415f
Sync files.
2023-03-20 09:38:40 +01:00
Kasper Svendsen
9630feb5e4
Dataflow: Remove revFlowAlias trick
2023-03-20 09:04:35 +01:00
github-actions[bot]
981e171525
Post-release preparation for codeql-cli-2.12.5
2023-03-17 13:27:00 +00:00
erik-krogh
880632f536
use Number.qll to parse hex numbers in regex parsing for Python/Java
2023-03-16 14:25:53 +01:00
Michael Nebel
3fea9e4d0b
Sync files.
2023-03-16 14:12:29 +01:00
github-actions[bot]
fe4d27e8cc
Release preparation for version 2.12.5
2023-03-16 12:58:50 +00:00
Rasmus Lerchedahl Petersen
f9bffb5454
python: add change note
2023-03-16 12:55:58 +01:00
Rasmus Lerchedahl Petersen
4713ba1e12
python: more results no longer missing
...
Adjusted `tracked.ql`
- no need to annotate results on line 0
this could happen for global SSA variables
- no need to annotate scope entry definitons
they look a bit weird, as the annotation goes on the
line of the function definition.
2023-03-16 12:55:58 +01:00
Rasmus Lerchedahl Petersen
2318752c14
python: add reads of captured variables to
...
type tracking and the API graph.
- In `TypeTrackerSpecific.qll` we add a jump step
- to every scope entry definition
- from the value of any defining `DefinitionNode`
(In our example, the definition is the class name, `Users`,
while the assigned value is the class definition, and it is
the latter which receives flow in this case.)
- In `LocalSources.qll` we allow scope entry definitions as local sources.
- This feels natural enough, as they are a local source for the value, they represent.
It is perhaps a bit funne to see an Ssa variable here,
rather than a control flow node.
- This is necessary in order for type tracking to see the local flow
from the scope entry definition.
- In `ApiGraphs.qll` we no longer restrict the result of `trackUseNode`
to be an `ExprNode`. To keep the positive formulation, we do not
prohibit module variable nodes. Instead we restrict to the new
`LocalSourceNodeNotModule` which avoids those cases.
2023-03-16 12:55:58 +01:00
Rasmus Lerchedahl Petersen
7e003f63b9
python: add test for flask example
...
This is a condensed versio of the user reported example
found [here](eb377d5918/app.py (L278)
2023-03-16 12:53:40 +01:00
erik-krogh
b208988675
Py: add test for problematic regex
2023-03-16 12:21:00 +01:00
erik-krogh
8bc8342c7c
Py:don't parse regular expressions in system-code
2023-03-16 10:41:30 +01:00
Tom Hvitved
a13b6ed230
Merge pull request #12536 from hvitved/dataflow/call-enclosing-callable-consistency-check
...
Data flow: Add consistency check for `DataFlowCall::getEnclosingCallable`
2023-03-16 10:19:42 +01:00
Rasmus Wriedt Larsen
b3a49ab143
Merge pull request #12467 from RasmusWL/kwargs-parameter-position-fixup
...
Python/Ruby: Use new parameter position for synthetic hash-splat instead
2023-03-16 09:52:46 +01:00
Tom Hvitved
404ead8a18
Python: Update expected test output
2023-03-16 08:40:53 +01:00
Tom Hvitved
9f798902bd
Data flow: Add consistency check for DataFlowCall::getEnclosingCallable
2023-03-16 08:40:53 +01:00
Tom Hvitved
bdd56f1b6e
Data flow: Sync files
2023-03-14 10:01:56 +01:00
erik-krogh
6a5d6eb5c2
lower precision of py/shell-command-constructed-from-input to medium
2023-03-13 14:56:42 +01:00
erik-krogh
d001cc40d3
Merge branch 'main' into py-shell
2023-03-13 14:56:04 +01:00
Tony Torralba
705691b096
Merge pull request #12446 from github/java/update-mad-decls-after-triage-2023-03-08T14-51-59
...
Java: Update MaD Declarations after Triage
2023-03-13 14:07:59 +01:00
Anders Schack-Mulligen
0c95ab2cdc
Merge pull request #12474 from hvitved/dataflow/call-back-post-update
...
Data flow: Synthesize post-update nodes for callback arguments inside summarized callables
2023-03-13 13:21:52 +01:00
Erik Krogh Kristensen
060c37b6a2
Merge pull request #12345 from erik-krogh/delOldDeps
...
delete old deprecations
2023-03-13 12:48:24 +01:00
Anders Schack-Mulligen
c380ecbbbc
Data flow: Add change notes.
2023-03-13 11:09:13 +01:00
erik-krogh
6c1ebd999e
Merge branch 'main' into delOldDeps
2023-03-13 11:00:29 +01:00
Anders Schack-Mulligen
1e64748ffe
Dataflow: Autoformat.
2023-03-10 15:12:19 +01:00
Anders Schack-Mulligen
289f921171
Dataflow: Sync.
2023-03-10 14:56:54 +01:00
Anders Schack-Mulligen
00f0879ff5
Dataflow: Sync.
2023-03-10 14:56:54 +01:00
Tom Hvitved
32a699e34a
Data flow: Sync files
2023-03-10 12:43:21 +01:00
Tony Torralba
8aa80882ea
Sync files
2023-03-10 12:35:13 +01:00
