hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-18 18:10:39 +01:00
Code Issues Packages Projects Releases Wiki Activity
79,451 Commits 1,671 Branches 157 Tags
codeql-cli-2.21.4
Commit Graph

9277 Commits

Author SHA1 Message Date
Taus
cac5a8236e Python: Fix CLI integration tests 
Two issues:

- Tests relying on existing query machinery (i.e. `import python`) were not resolving
  correctly due to a bad `qlpack.yml` file.
- The diagnostics output tests needed an updated import to account for their new location.
 2024-03-19 17:11:40 +00:00
Taus
0550c46766 Python: Fix Bazel build 2024-03-19 17:11:40 +00:00
Taus
5fed8bc57b Python: Add codeql-extractor.yml 2024-03-19 17:11:40 +00:00
Taus
016aedab0a Python: Move Python language pack tooling to external repo 
This is essentially the contents of `language-packs/python/tools` with some minor
modifications to account for the changed location.

Of note: we explicitly exclude the `recorded-call-graph-metrics` director that
was already present in `python/tools`. When we revisit this directory for some
cleanup (e.g. to get rid of the `lgtm` references), we'll probably want to switch
to an explicit list of sources to include.
 2024-03-19 17:11:40 +00:00
Taus
cdc879ee89 Python: Fix up some bazel references 2024-03-19 17:11:40 +00:00
Dave Bartolomeo
bf46fa27d6 Merge remote-tracking branch 'origin/main' into dbartol/rc3.13-mergeback 2024-03-19 13:02:15 -04:00
yoff
ee411cc53a Merge pull request #15936 from yoff/python/test-conflicting-summaries 
Python: No `fieldFlowBranchLimit` for `SummarizedCallable`s
 2024-03-19 16:56:56 +01:00
Dave Bartolomeo
311ba8ea1b Merge from main to resolve conflicts 2024-03-19 10:41:31 -04:00
Tom Hvitved
2e370e2ded Python: Switch to shared XML.qll implementation 2024-03-19 13:17:53 +01:00
yoff
f025430431 Merge pull request #15319 from Sim4n6/main 
[Python] Add Unicode DoS (qhelp, tests and the query)
 2024-03-19 10:00:30 +01:00
yoff
44ab36f238 Merge pull request #15729 from yoff/python/hardcoded-credentials-without-pointsto 
python: Rewrite `HardcodedCredentials` away from `PointsTo`
 2024-03-18 20:48:30 +01:00
Tom Hvitved
fc55567d90 Merge pull request #15853 from hvitved/dataflow/get-location 
Data flow: Replace `hasLocationInfo` with `getLocation`
 2024-03-18 20:21:46 +01:00
Tom Hvitved
e53357d376 Update expected test output 2024-03-18 14:49:32 +01:00
Sim4n6
1af8167354 updated the .expected file 2024-03-18 13:26:20 +00:00
github-actions[bot]
aebe9f6992 Post-release preparation for codeql-cli-2.16.5 2024-03-18 12:16:26 +00:00
github-actions[bot]
0a6243d07b Release preparation for version 2.16.5 2024-03-18 10:14:07 +00:00
Tom Hvitved
a13391bda1 Merge pull request #15802 from hvitved/dataflow/variable-capture-overlapping-paths 
Variable capture: Avoid overlapping and false-positive data flow paths
 2024-03-18 10:45:55 +01:00
Rasmus Lerchedahl Petersen
2a0c451d2d python: No fieldFlowBranchLimit for SummarizedCallables 
Like https://github.com/github/codeql/pull/15689 for Ruby.
 2024-03-18 10:29:36 +01:00
Rasmus Lerchedahl Petersen
45c65b48aa python: make it a real package 
so python2 also respects it
 2024-03-18 08:49:31 +01:00
Rasmus Lerchedahl Petersen
cfbc3f73ec Pyhton: add test for conflicting summaries 
We noticed that when
- a function has more than one summary (with different charpred)
- one summary is subsumed by a subpath (or something happens around the function being extracted)
- the function is called multiple times(we needed at least three)
one of the summaries would no longer lead to flow.
 2024-03-15 15:13:39 +01:00
Sim4n6
3acdd3382c Update the expected file 2024-03-15 14:17:23 +01:00
Sim4n6
26a16b7857 use of a single var "op" of type Cmpop 2024-03-15 14:17:23 +01:00
Sim4n6
a717bf1b9d Fix p tag in UnicodeDoS.qhelp 2024-03-15 14:17:23 +01:00
Sim4n6
af19a0342e Fix UnicodeDoS vulnerability in CWE-770 code 2024-03-15 14:17:23 +01:00
Sim4n6
085d803b14 Fix UnicodeDoS vulnerability in CWE-770 2024-03-15 14:17:23 +01:00
Sim4n6
31dc542111 Update request parameter name in good_1() function 2024-03-15 14:17:23 +01:00
Sim4n6
70ebc58b4c Refactor Unicode normalization code 2024-03-15 14:17:23 +01:00
Sim4n6
3d8868a6c3 Add routes for bad_5 and bad_6, and fix routes for good_3 and good_4 2024-03-15 14:17:23 +01:00
Sim4n6${{7*'7'}}
658b88e62f Update python/ql/src/experimental/Security/CWE-770/UnicodeDoS.ql 
update the Config API

Co-authored-by: yoff <lerchedahl@gmail.com>
 2024-03-15 14:17:23 +01:00
Sim4n6
1f767b887e Add some comments and docs 2024-03-15 14:17:23 +01:00
Sim4n6
5cc9170249 Add UnicodeDoS sink for werkzeug secure_filename 2024-03-15 14:17:23 +01:00
Sim4n6
342465057c Add Unicode DoS (CWE-770) 2024-03-15 14:17:23 +01:00
Rasmus Wriedt Larsen
7eb4419342 Python: Restrict type-tracking content to only be precise 
At least for now :)
 2024-03-15 10:24:57 +01:00
Rasmus Wriedt Larsen
6babb2ff90 Python: Accept .expected for typetracking-summaries 2024-03-15 10:24:33 +01:00
Rasmus Wriedt Larsen
00f2a6a65e Python: Update ssa-compute test expectations 2024-03-15 10:14:45 +01:00
Rasmus Wriedt Larsen
7a3ee0f5f8 Python: Make IterableSequenceNode LocalSourceNode 
We do this to remove the inconsistencies, and to be ready for a future
where type-tracking support content tracker of depth > 1.

It works because targets of loadSteps needs to be LocalSourceNodes

predicate loadStep(Node nodeFrom, LocalSourceNode nodeTo, Content content) {
 2024-03-14 10:46:29 +01:00
Rasmus Wriedt Larsen
6ffaad1bc8 Python: Expand type-tracking tests with nested tuples 
I was initially surprised to see that this didn't work, until I
remembered that type-tracking only works with content of depth 1.
 2024-03-14 10:44:25 +01:00
Rasmus Wriedt Larsen
af8cef5b53 Python: Fixup deprecated type-tracker API 2024-03-14 10:43:28 +01:00
Rasmus Wriedt Larsen
2b09b084e0 Python: Add change-note 2024-03-14 10:43:28 +01:00
Rasmus Wriedt Larsen
7de304bf16 Python: Add proper type-tracking tests for content 
Instead of just relying on the call-graph tests
 2024-03-14 10:43:28 +01:00
Rasmus Wriedt Larsen
fa0c4e18fc Python: Expand dict-content tt test even more 
While it might be useful to track content to any lookup, it's not
something we do right now.
 2024-03-14 10:43:28 +01:00
Rasmus Wriedt Larsen
4d78762ba8 Python: Ignore consistency failure 2024-03-14 10:43:28 +01:00
Rasmus Wriedt Larsen
8a7ffac19c Python: Accept consistency failure 2024-03-14 10:43:28 +01:00
Rasmus Wriedt Larsen
92729dbbd6 Python: Support iterable unpacking in type-tracking 2024-03-14 10:42:38 +01:00
Rasmus Wriedt Larsen
0cf3fe4a4c Python: Expand dict update tests 2024-03-14 10:42:38 +01:00
Rasmus Wriedt Larsen
dac2b57bb0 Python: type-track through dict-updates 2024-03-14 10:42:38 +01:00
Rasmus Wriedt Larsen
73fe596753 Python: type-tracking through dictionary construction 2024-03-14 10:42:38 +01:00
Rasmus Wriedt Larsen
ece8245a4b Python: type-track through tuple content 2024-03-14 10:42:38 +01:00
Rasmus Wriedt Larsen
a95bb7c86b Python: Expand function reference in content test 2024-03-14 10:42:38 +01:00
Rasmus Wriedt Larsen
7721fb3331 Python: Setup shared read/store steps 2024-03-14 10:42:37 +01:00