hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-19 18:33:16 +01:00
Code Issues Packages Projects Releases Wiki Activity
81,788 Commits 1,671 Branches 157 Tags
codeql-cli-2.22.4
Commit Graph

2944 Commits

Author SHA1 Message Date
Rasmus Wriedt Larsen
be7d6689b8 Merge branch 'main' into import-refined 2023-02-27 17:00:48 +01:00
Taus
25043f51a4 Merge pull request #11376 from RasmusWL/call-graph-code 
Python: New type-tracking based call-graph
 2023-02-27 14:51:21 +01:00
Anders Schack-Mulligen
bf650c755c Dataflow: Sync changes to all languages. 2023-02-27 14:30:05 +01:00
Alex Ford
7c85448cba Merge pull request #12080 from alexrford/js-use-shared-cryptography 
JS: Use shared `CryptographicOperation` concept
 2023-02-27 12:26:38 +00:00
Rasmus Wriedt Larsen
13ae98ea76 Python: Fix submodule exported under wrong name (when attribute clash) 2023-02-23 00:55:30 +01:00
Rasmus Wriedt Larsen
373907265b Python: Fixed most problems from last commit 
That one line was an afterthought, and certainly did not work as
intended.
 2023-02-23 00:39:45 +01:00
Rasmus Wriedt Larsen
97fefd2545 Python: Attempt to fix import flow 
It's nice that it fixes the `InsecureProtocol` test-case (which maybe
should have been a test-case for the import resolution library in the
first place?)

But it's not quite right:

1. it adds spurious flow for `clashing_attr`
2. it runs into huge problems for typetracking_imports/tracked.expected
3. it runs into the problem for
   https://github.com/github/codeql/pull/10176 with an `from <pkg>
   import *` blocking flow from previously defined variable, that is NOT
   overridden. (simplistic_reexport.bar_attr)
 2023-02-23 00:36:30 +01:00
Rasmus Wriedt Larsen
c8a76246d8 Python: Take __all__ into consideration for re-export of from <pkg> import * 
However, we can see that `from <pkg> import *` and `import pkg` are
handled differently. Would have liked `has_defined_all_indirection` to
behave in the same way no matter how the import was made.
 2023-02-22 15:39:57 +01:00
Rasmus Wriedt Larsen
d77ce4f3d7 Python: minor rewrite of from <pkg> import * handling 2023-02-22 15:00:55 +01:00
Rasmus Wriedt Larsen
4df7dfbff6 Python: Don't import module as module_attr 
For `from <pkg> import <attr>` we would use to treat the `<pkg>`
(ImportExpr) as a definition of the name `<attr>`.

Since this removes bad import-flow, and nothing broke, I'm guessing this
was never intentional.
 2023-02-22 14:52:35 +01:00
Rasmus Wriedt Larsen
4a66e48dc5 Python: Allow import resolution with recursive phi/refine steps 2023-02-21 17:46:39 +01:00
Rasmus Wriedt Larsen
00eec6986c Python: Allow import of refined variable 
However, as illustrated by the `CWE-327-InsecureProtocol` test, this fix
is NOT good enough, since now even the `secure_context` is considered to
be insecure (for both versions). Ouch.

Will fix this in a later commit, since it was only discoverd late on.
 2023-02-21 17:45:58 +01:00
Michael Nebel
813ffa440c Java: Consider ai-generated flow summaries to as generated summaries in dataflow. 2023-02-20 12:11:48 +01:00
Rasmus Wriedt Larsen
efc75e02cc Merge pull request #12168 from RasmusWL/crypto-stdlib-modeling 
Python: Add modeling of `hmac`
 2023-02-20 09:26:53 +01:00
Nick Rolfe
3e5534f0ba Merge branch 'main' into post-release-prep/codeql-cli-2.12.3 2023-02-17 14:39:26 +00:00
github-actions[bot]
8eb8daa4d4 Post-release preparation for codeql-cli-2.12.3 2023-02-16 17:23:25 +00:00
github-actions[bot]
b0315119c6 Release preparation for version 2.12.3 2023-02-16 11:49:06 +00:00
Rasmus Wriedt Larsen
766e6c400e Python: Handle if-then-else definitions in import resolution 2023-02-16 11:18:30 +01:00
Rasmus Wriedt Larsen
c4fbfb0d07 Merge branch 'main' into call-graph-code 2023-02-15 20:15:04 +01:00
Rasmus Wriedt Larsen
ee5382d8a6 Merge pull request #12193 from RasmusWL/import-resolution-fixup 
Python: Fix `from <pkg> import *` import resolution
 2023-02-15 20:13:24 +01:00
Alex Ford
1556b1a728 Merge branch 'main' into js-use-shared-cryptography 2023-02-15 17:13:53 +00:00
Alex Ford
43af306d60 dynamic: more detailed qldoc for CryptographicOperation#getBlockMode() 2023-02-15 16:55:18 +00:00
Alex Ford
d4d0b91085 dynamic: switch CryptographicOperation::Range#getBlockMode() back to being an abstract predicate 2023-02-15 16:23:46 +00:00
Alex Ford
c7aaad9ed0 JS: avoid adding a deprecated CryptographicOperation#getInput to py/ruby 2023-02-15 16:23:46 +00:00
Rasmus Wriedt Larsen
c72dbc49fc Merge pull request #12165 from RasmusWL/crypto-updates 
Python/Ruby/JS Crypto: Add a few algorithms + block modes
 2023-02-15 14:35:40 +01:00
Rasmus Wriedt Larsen
7e16fa9cbe Python: Add change-note 2023-02-15 14:25:33 +01:00
Rasmus Wriedt Larsen
220f227707 Python: Add wrapper for isPreferredModuleForName 
We talked about how it's annoying that we in 4 places have the same fix
`isPreferredModuleForName(<module>.getFile(), <name> + ["", ".__init__"])`
, and that it would be nice to have a simple wrapper predicate that
ensures we never forget to do the `+ ["", ".__init__"]` dance...

I had trouble coming up with a name for this (ironically), but
I think `getModuleFromName` is good enough.
 2023-02-15 14:23:39 +01:00
Rasmus Wriedt Larsen
66c3529465 Python: Fix import * from __init__.py files 2023-02-15 14:10:37 +01:00
erik-krogh
759854991a fix various nits based on feedback 2023-02-15 11:10:43 +01:00
Rasmus Wriedt Larsen
9e2eb56032 Python: Remove support for late *args arguments 
I found this to cause bad performance, so the implementation of this has
to be thought out more carefully.
 2023-02-15 09:42:11 +01:00
Taus
1b30043422 Python: Move change note to correct directory 2023-02-14 13:48:55 +00:00
Taus
4f7c598ffc Python: Add change note 2023-02-14 13:22:48 +00:00
Taus
39516862c1 Merge remote-tracking branch 'origin/main' into tausbn/python-clean-up-version-handling 2023-02-14 13:07:40 +00:00
Rasmus Wriedt Larsen
1c7fe97427 Python: Add modeling of hmac 2023-02-13 15:39:43 +01:00
Anders Schack-Mulligen
e877b161d8 Merge pull request #12124 from hvitved/dataflow/stage1-dispatch 
Data flow: Call context virtual dispatch pruning in stage 1
 2023-02-13 13:13:43 +01:00
Rasmus Wriedt Larsen
b2e79e2948 Python/Ruby/JS Crypto: Add a few algorithms + block modes 
I have tried to add a few links to support the claim that these
algorithms are strong/safe. It wasn't always super easy, so in some
cases I have ended up just linking to the documentation of the
`cryptography` Python package.

Co-authored-by: REDMOND\brodes <brodes@microsoft.com>
 2023-02-13 10:40:47 +01:00
Tom Hvitved
f7a5a33474 Address review comment 2023-02-13 09:01:15 +01:00
Rasmus Wriedt Larsen
5c23b47ef4 Python: Fix typo in QLDoc 
Co-authored-by: Taus <tausbn@github.com>
 2023-02-08 16:27:06 +01:00
Rasmus Wriedt Larsen
8bb1d8631a Python: Add call-graph hotfix for sympy 2023-02-08 16:19:29 +01:00
Rasmus Wriedt Larsen
23144f584a Merge branch 'main' into call-graph-code 2023-02-08 16:17:34 +01:00
Taus
49a3dd6131 Python: Clean up version handling 
Depends on an internal PR.
 2023-02-07 16:21:15 +00:00
Tom Hvitved
8e8897b08b Data flow: Sync files 2023-02-07 15:15:04 +01:00
Erik Krogh Kristensen
9360ae9638 Merge pull request #12076 from erik-krogh/poly-sink-track 
PY: add tracking of strings to compile-sites for poly-redos
 2023-02-06 14:21:04 +01:00
Mathias Vorreiter Pedersen
00fe448e3a Merge pull request #12072 from aschackmull/dataflow/stage3-perf 
Dataflow: Fix join in `fwdFlowRead` (take 2)
 2023-02-06 10:43:11 +00:00
Alex Ford
7768026e70 Merge branch 'main' into js-use-shared-cryptography 2023-02-03 15:18:30 +00:00
Alex Ford
6c35feaa98 ConceptsShared: add a default implementation of BlockMode CryptographicOperation#getBlockMode() for compatibility with external code 2023-02-03 14:39:32 +00:00
Alex Ford
b968b59afc CryptoAlgorithms: make CryptographicAlgorithm#matchesName hold only if that algorithm is the most specific match 2023-02-03 14:15:32 +00:00
erik-krogh
8e05fdb369 make more imports private 2023-02-03 15:00:31 +01:00
erik-krogh
cf094c2f4f adjust which folders are seen as exported to remove an FP 2023-02-03 14:47:55 +01:00
erik-krogh
ef44cb86c2 remove FPs related to parameters that are meant to be commands 2023-02-03 14:47:55 +01:00