hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-18 18:10:39 +01:00
Code Issues Packages Projects Releases Wiki Activity
82,644 Commits 1,671 Branches 157 Tags
codeql-cli-2.23.1
Commit Graph

2968 Commits

Author SHA1 Message Date
Rasmus Lerchedahl Petersen
d9f63e1ed3 Python: Split modelling of query operators 
`$where` and `$function` behave quite differently.
 2023-09-11 15:54:00 +02:00
Rasmus Lerchedahl Petersen
93140cb061 Python: import all frameworks 
Are there any frameworks we do _not_ want here?
 2023-09-11 11:17:08 +02:00
github-actions[bot]
d699880c86 Post-release preparation for codeql-cli-2.14.4 2023-09-08 21:17:52 +00:00
Rasmus Lerchedahl Petersen
970e881697 Python: Follow naming convention 2023-09-07 15:03:51 +02:00
Rasmus Wriedt Larsen
bfb4be26c2 Python: Autoformat 2023-09-07 10:31:39 +02:00
Rasmus Wriedt Larsen
54c456d95d Python: Apply suggestions from code review 2023-09-07 10:28:46 +02:00
Rasmus Lerchedahl Petersen
7edebbeaff Python: Add QLDocs 2023-09-07 10:22:37 +02:00
Rasmus Lerchedahl Petersen
c0b3245a53 Python: Enrich the NoSql concept 
This allows us to make more precise modelling
The query tests now pass.
I do wonder, if there is a cleaner approach, similar to
`TaintedObject` in JavaScript. I want the option to
get this query in the hands of the custumors before
such an investigation, though.
 2023-09-07 10:22:37 +02:00
Rasmus Lerchedahl Petersen
087961d179 Python: Refactor to allow customizations 
Also use new DataFlow API
 2023-09-07 09:28:30 +02:00
Rasmus Lerchedahl Petersen
db0459739f Python: rename file 2023-09-07 09:28:30 +02:00
Rasmus Lerchedahl Petersen
55707d395e Python: Make things compile in their new location 
- Move NoSQL concepts to the non-experimental concepts file
- fix references
 2023-09-07 09:28:30 +02:00
Rasmus Lerchedahl Petersen
60dc1afbc0 Python: prepare to promote NoSqlInjection 
Mostly move files, preserving authourship.
This will not compile.
 2023-09-07 09:28:29 +02:00
Peter Stöckli
ede7d8fb6a Python: apply suggestions from code review for asyncio 2023-09-06 15:47:07 +02:00
github-actions[bot]
abf2b12b1c Release preparation for version 2.14.4 2023-09-05 16:56:14 +00:00
Peter Stöckli
8c4dccc81b Python: initial support for CMDi via asyncio 2023-09-05 15:33:29 +02:00
Rasmus Wriedt Larsen
49f5d38956 Merge pull request #14068 from RasmusWL/dataflow-config-refactor 
Python: Use new dataflow API
 2023-09-04 21:04:10 +02:00
yoff
da64ea40b9 Merge pull request #13782 from jorgectf/jorgectf/shlex-quote 
Python: Add `shlex.quote` as `py/shell-command-constructed-from-input` sanitizer
 2023-08-31 21:08:58 +02:00
erik-krogh
8dad4950a9 add sanitizer guard for url_has_allowed_host_and_scheme 2023-08-31 13:48:42 +02:00
Tom Hvitved
253f932d2a Python: Use data flow consistency checks from shared pack 2023-08-30 15:29:41 +02:00
Rasmus Wriedt Larsen
62c2316124 Merge pull request #14084 from RasmusWL/flask-jsonify 
Python: Remove XSS FP from use of `flask.jsonify`
 2023-08-30 13:07:54 +02:00
yoff
ae4c76c788 Merge pull request #13975 from yoff/python/parsemodechars-not-chars 2023-08-29 14:05:57 +02:00
Rasmus Wriedt Larsen
0b2458d065 Python: Improve modeling of Flask jsonify 
I also tested whether `Flask.jsonify` or `Flask().jsonify` worked, but
they do not.
 2023-08-29 11:11:32 +02:00
Rasmus Wriedt Larsen
26319bfc04 Python: Fix Flask jsonify XSS regression 
The reason the result was found before, is that `jsonify(data)` was
modeled as TWO separate subclasses of `Http::Server::HttpResponse`, one
because of the implicit construction in return
(FlaskRouteHandlerReturn), and one from the `jsonify` call
(FlaskJsonifyCall). Due to the QL evaluation, we got a combination from
the two, meaning mime-type from FlaskRouteHandlerReturn and body from
FlaskJsonifyCall...
 2023-08-29 11:11:32 +02:00
Dave Bartolomeo
3343b78015 Merge pull request #14074 from github/post-release-prep/codeql-cli-2.14.3 
Post-release preparation for codeql-cli-2.14.3
 2023-08-28 13:34:10 -04:00
github-actions[bot]
3eba77421a Post-release preparation for codeql-cli-2.14.3 2023-08-28 15:53:49 +00:00
Rasmus Wriedt Larsen
e8e8d975e3 Python: Remove all usage of DataFlow2+TaintTracking2 
(and any higher number as well)
 2023-08-28 15:34:19 +02:00
Rasmus Wriedt Larsen
efec4e7ebf Python: Add missing qldocs 2023-08-28 15:31:08 +02:00
Rasmus Wriedt Larsen
5ba8e102eb Python: Adopt tests to new DataflowQueryTest 
Since we want to know the _sinks_ and not just the flow, we need to
expose the config as well :|
 2023-08-28 15:31:08 +02:00
Rasmus Wriedt Larsen
657b1997cc Python: Move FullServerSideRequestForgery and PartialServerSideRequestForgery to new dataflow API 2023-08-28 15:27:50 +02:00
Rasmus Wriedt Larsen
46322b717a Python: Move XmlBomb to new dataflow API 2023-08-28 15:27:50 +02:00
Rasmus Wriedt Larsen
add1077532 Python: Move RegexInjection to new dataflow API 2023-08-28 15:27:50 +02:00
Rasmus Wriedt Larsen
c6caf83dfe Python: Move PolynomialReDoS to new dataflow API 2023-08-28 15:27:50 +02:00
Rasmus Wriedt Larsen
4c336990e5 Python: Move XpathInjection to new dataflow API 2023-08-28 15:27:50 +02:00
Rasmus Wriedt Larsen
60e45335dd Python: Move Xxe to new dataflow API 2023-08-28 15:27:50 +02:00
Rasmus Wriedt Larsen
4c76ca6127 Python: Move UrlRedirect to new dataflow API 2023-08-28 15:27:50 +02:00
Rasmus Wriedt Larsen
6f08e73dbc Python: Move UnsafeDeserialization to new dataflow API 2023-08-28 15:27:50 +02:00
Rasmus Wriedt Larsen
dd074173d2 Python: Move WeakSensitiveDataHashing to new dataflow API 
I adopted helper predicates to do the "heavy" lifting of .asPathNode1(), maybe I like this approach better... let me know what you think 😊
 2023-08-28 15:27:50 +02:00
Rasmus Wriedt Larsen
9d6b96dfd2 Python: Move CleartextStorage to new dataflow API 2023-08-28 15:27:50 +02:00
Rasmus Wriedt Larsen
70095446b6 Python: Move CleartextLogging to new dataflow API 2023-08-28 15:27:50 +02:00
Rasmus Wriedt Larsen
cca78f31ff Python: Move PamAuthorization to new dataflow API 2023-08-28 15:27:50 +02:00
Rasmus Wriedt Larsen
dcd96083e8 Python: Move StackTraceExposure to new dataflow API 2023-08-28 15:27:50 +02:00
Rasmus Wriedt Larsen
f75e65c67d Python: Move LogInjection to new dataflow API 2023-08-28 15:27:50 +02:00
Rasmus Wriedt Larsen
88cf9c99b0 Python: Move CodeInjection to new dataflow API 2023-08-28 15:27:50 +02:00
Rasmus Wriedt Larsen
05573904a5 Python: Move LdapInjection to new dataflow API 
We could have switched to a stateful config, but I tried to keep changes
as straight forward as possible.
 2023-08-28 15:27:50 +02:00
Rasmus Wriedt Larsen
c360346e9e Python: Move ReflectedXss to new dataflow API 2023-08-28 15:27:49 +02:00
Rasmus Wriedt Larsen
b30142c1d7 Python: Move CommandInjection to new dataflow API 2023-08-28 15:27:49 +02:00
Rasmus Wriedt Larsen
700841e9b0 Python: Move UnsafeShellCommandConstruction to new dataflow API 2023-08-28 15:27:49 +02:00
Rasmus Wriedt Larsen
d4e4e2d426 Python: Move TarSlip to new dataflow API 2023-08-28 15:27:49 +02:00
Rasmus Wriedt Larsen
e97032909a Python: Move PathInjection to new dataflow API 2023-08-28 15:27:49 +02:00
Rasmus Wriedt Larsen
245c24077d Python: Move SqlInjection to new dataflow API 2023-08-28 15:27:49 +02:00