hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-19 10:23:15 +01:00
Code Issues Packages Projects Releases Wiki Activity
79,451 Commits 1,671 Branches 157 Tags
codeql-cli-2.21.4
Commit Graph

2905 Commits

Author SHA1 Message Date
Asger F
0d96ed8aee Merge pull request #14305 from asgerf/shared/flow-state-inout-barriers 
Shared: add in/out barriers with flow state
 2023-09-28 11:07:23 +02:00
Anders Schack-Mulligen
73521ca16b Python: Use shared FileSystem library. 2023-09-28 08:58:55 +02:00
Rasmus Lerchedahl Petersen
8ade9ed164 Python: fix inconsistency 
Since we calculate the end column by offset,
we must believ that the end line is the same
as the start line.
 2023-09-26 21:02:14 +02:00
Rasmus Lerchedahl Petersen
35f28c832a Python: small refactor (reviewer suggestion) 2023-09-26 20:55:35 +02:00
Rasmus Lerchedahl Petersen
f5059a6918 Python: fix computation at part boundaries 2023-09-26 20:51:15 +02:00
Rasmus Lerchedahl Petersen
73aa302bd2 Python: only expose lengths of quote and prefix 2023-09-26 20:45:24 +02:00
Rasmus Lerchedahl Petersen
d25b93d944 Python: fix ql alerts 2023-09-26 20:33:24 +02:00
Rasmus Lerchedahl Petersen
d10b181d89 Python: add change note 2023-09-26 12:13:07 +02:00
Rasmus Lerchedahl Petersen
c1ebde4288 Python: improve location computation 2023-09-26 12:08:50 +02:00
Anders Schack-Mulligen
06cb277eb0 Merge pull request #14299 from aschackmull/dataflow/more-defaults 
Dataflow: Make use of defaults for language-specific hooks.
 2023-09-25 11:19:44 +02:00
Rasmus Wriedt Larsen
05ab28f11d autoformat 2023-09-25 10:35:18 +02:00
Rasmus Wriedt Larsen
db7b1eea55 Merge branch 'main' into maikypedia/python-unsafe-deserialization 2023-09-25 10:29:18 +02:00
Rasmus Wriedt Larsen
f515559e56 Python: Sort Frameworks.qll 2023-09-25 10:25:43 +02:00
Rasmus Wriedt Larsen
56d99fbd8a Add numpy reference 2023-09-25 10:24:53 +02:00
Rasmus Wriedt Larsen
d1caa75053 Python: Fix format for pandas.read_pickle 2023-09-25 10:24:27 +02:00
Asger F
d501856519 Update DataFlowImpl.qll copies 2023-09-25 10:05:29 +02:00
Anders Schack-Mulligen
66da997b7b Dataflow: Make use of defaults for language-specific hooks. 2023-09-22 14:54:22 +02:00
Max Schaefer
6f67055852 Correctly account for length of string literal prefix when computing locations for RegExpTerms. 2023-09-22 11:24:25 +01:00
Benjamin Rodes
50db4fd63e Moved Cpp into sub directory 'cryptography' instead of crypto. Added python models, inventory, and example alerts. 2023-09-21 12:12:15 -07:00
Anders Schack-Mulligen
13f7daf71e Merge pull request #13982 from aschackmull/dataflow/typeflow-calledge-pruning 
Dataflow: Add type-based call-edge pruning.
 2023-09-21 13:33:08 +02:00
Rasmus Lerchedahl Petersen
12dab88ec7 Python: rename concept 
`NoSqlQuery` -> `NoSqlExecution`
 2023-09-20 15:49:35 +02:00
Rasmus Lerchedahl Petersen
4ec8b3f02f Python: Model map_reduce 2023-09-20 15:44:12 +02:00
github-actions[bot]
3acf5244b0 Post-release preparation for codeql-cli-2.14.6 2023-09-20 10:25:10 +00:00
Rasmus Lerchedahl Petersen
30c37ca8cb Python: model §accumulator 
also slightly rearrange the modelling
 2023-09-19 22:21:14 +02:00
github-actions[bot]
0a3670727f Release preparation for version 2.14.6 2023-09-19 11:40:30 +00:00
Rasmus Wriedt Larsen
ad1743ecde Python: Modernize modeling of BaseHTTPRequestHandler 2023-09-18 14:13:27 +02:00
Maiky
1764aa0caf Fixing NumpyLoadCall 2023-09-17 19:44:48 +02:00
Maiky
8254d0dd10 Naming error 
Co-authored-by: Jorge <46056498+jorgectf@users.noreply.github.com>
 2023-09-17 18:53:48 +02:00
Maiky
70103967ef Doc changes 
Co-authored-by: Jorge <46056498+jorgectf@users.noreply.github.com>
 2023-09-17 18:47:19 +02:00
Maiky
cada523031 Remove unnecessary import 
Co-authored-by: Jorge <46056498+jorgectf@users.noreply.github.com>
 2023-09-17 18:46:13 +02:00
Anders Schack-Mulligen
f5a4b792bd C++/Go/Python/Ruby/Swift: Add dummy localMustFlowStep. 2023-09-13 15:43:46 +02:00
yoff
62b41799d2 Merge pull request #14178 from yoff/python/broaden-sql-injection-frameworks 
Python: import all frameworks in SQL-injection query
 2023-09-13 14:14:09 +02:00
yoff
7d931492d8 Update python/ql/lib/semmle/python/security/dataflow/SqlInjectionCustomizations.qll 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2023-09-13 13:37:18 +02:00
Erik Krogh Kristensen
cd5973764b Merge pull request #14112 from erik-krogh/pyAllowedHosts 
Py: add sanitizer guard for `url_has_allowed_host_and_scheme`
 2023-09-13 12:59:38 +02:00
Rasmus Wriedt Larsen
f62c4108ef Python: Move url_has_allowed_host_and_scheme to Django.qll 2023-09-13 11:55:44 +02:00
Rasmus Wriedt Larsen
1de7460aba Python: Don't warn on multipleArgumentCall 2023-09-12 21:16:14 +02:00
Rasmus Lerchedahl Petersen
a063d7d510 Python: sinks -> decodings 
Query operators that interpret JavaScript
are no longer considered sinks.
Instead they are considered decodings
and the output is the tainted dictionary.
The state changes to `DictInput` to reflect
that the user now controls a dangerous dictionary.

This fixes the spurious result and moves the error reporting
to a more logical place.
 2023-09-11 16:33:20 +02:00
Rasmus Lerchedahl Petersen
d9f63e1ed3 Python: Split modelling of query operators 
`$where` and `$function` behave quite differently.
 2023-09-11 15:54:00 +02:00
Rasmus Lerchedahl Petersen
93140cb061 Python: import all frameworks 
Are there any frameworks we do _not_ want here?
 2023-09-11 11:17:08 +02:00
github-actions[bot]
d699880c86 Post-release preparation for codeql-cli-2.14.4 2023-09-08 21:17:52 +00:00
Rasmus Lerchedahl Petersen
970e881697 Python: Follow naming convention 2023-09-07 15:03:51 +02:00
Rasmus Wriedt Larsen
bfb4be26c2 Python: Autoformat 2023-09-07 10:31:39 +02:00
Rasmus Wriedt Larsen
54c456d95d Python: Apply suggestions from code review 2023-09-07 10:28:46 +02:00
Rasmus Lerchedahl Petersen
7edebbeaff Python: Add QLDocs 2023-09-07 10:22:37 +02:00
Rasmus Lerchedahl Petersen
c0b3245a53 Python: Enrich the NoSql concept 
This allows us to make more precise modelling
The query tests now pass.
I do wonder, if there is a cleaner approach, similar to
`TaintedObject` in JavaScript. I want the option to
get this query in the hands of the custumors before
such an investigation, though.
 2023-09-07 10:22:37 +02:00
Rasmus Lerchedahl Petersen
087961d179 Python: Refactor to allow customizations 
Also use new DataFlow API
 2023-09-07 09:28:30 +02:00
Rasmus Lerchedahl Petersen
db0459739f Python: rename file 2023-09-07 09:28:30 +02:00
Rasmus Lerchedahl Petersen
55707d395e Python: Make things compile in their new location 
- Move NoSQL concepts to the non-experimental concepts file
- fix references
 2023-09-07 09:28:30 +02:00
Rasmus Lerchedahl Petersen
60dc1afbc0 Python: prepare to promote NoSqlInjection 
Mostly move files, preserving authourship.
This will not compile.
 2023-09-07 09:28:29 +02:00
Peter Stöckli
ede7d8fb6a Python: apply suggestions from code review for asyncio 2023-09-06 15:47:07 +02:00