codeql

mirror of https://github.com/github/codeql.git synced 2025-12-19 10:23:15 +01:00

Author	SHA1	Message	Date
Jeroen Ketema	d389a183f0	Merge pull request #10743 from jsoref/spelling Spelling	2022-10-12 12:48:22 +02:00
Rasmus Wriedt Larsen	b3f10311b3	Merge pull request #10752 from RasmusWL/pymssql Python: DB Modeling: Add `pymssql` and `executemany` in general	2022-10-11 15:55:04 +02:00
erik-krogh	a826dbbdee	fix capitalization in stack-trace-exposure	2022-10-11 13:59:10 +02:00
erik-krogh	4da0508dae	Merge branch 'main' into py-last-msg	2022-10-11 10:49:19 +02:00
Josh Soref	21caa4b03f	spelling: across Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>	2022-10-11 00:23:35 -04:00
Rasmus Wriedt Larsen	dba42d6bb8	Python: Model `executemany` on PEP-249 DB APIs Note: I kept the modeling using the old approach with type-trackers instead of `DataFlow::MethodCallNode`. I would like a meta query for DCA to show sinks before doing this, so I can be absolutely sure we don't loose out on any important sinks on this... so will postpone this work to a small one-off task (added to my todo list).	2022-10-10 14:16:47 +02:00
Rasmus Wriedt Larsen	4ee71ae4a1	Python: Add support for `pymssql` package I also forgot to mention `PyMySQL` in frameworks.rst	2022-10-10 14:02:40 +02:00
Rasmus Wriedt Larsen	4b1f6f0865	Merge pull request #10629 from RasmusWL/fix-flask-source Python: Fix flask request modeling	2022-10-10 09:56:22 +02:00
erik-krogh	6fdfd40880	changes to address reviews	2022-10-07 22:31:00 +02:00
erik-krogh	944ca4a0da	fix some more style-guide violations in the alert-messages	2022-10-07 11:23:34 +02:00
Rasmus Wriedt Larsen	05bca0249c	Python: Expand test for `py/flask-debug` (I couldn't see one using positional argument)	2022-10-04 20:39:08 +02:00
Rasmus Wriedt Larsen	d7be27a1c0	Python: Fix experimental `py/ip-address-spoofing` I realized the modeling was done in a non-recommended way, so I changed the modeling. It was very nice that I could use API graphs for the flask part, and a little sad when I couldn't for Django/Tornado.	2022-10-03 21:19:30 +02:00
Rasmus Wriedt Larsen	b01a0ae696	Python: Adjust `.expected` after flask source change It's really hard to audit that this is all good.. I tried my best with `icdiff` though -- and there is a problem with ql/src/experimental/Security/CWE-348/ClientSuppliedIpUsedInSecurityCheck.ql that needs to be fixed in the next commit	2022-10-03 20:35:49 +02:00
Rasmus Wriedt Larsen	a0fcd4a9bf	Merge pull request #10631 from RasmusWL/cleanup-options-files Python: Remove last `-p ../lib/` in `options` files	2022-10-03 11:09:59 +02:00
Nick Rolfe	ed74e0aad1	JS/Python/Ruby: s/a HTML/an HTML/	2022-09-30 10:37:52 +01:00
Rasmus Wriedt Larsen	ea27f4e20f	Python: Remove last `-p ../lib/` in `options` files These were only needed for points-to. If they only contained `--max-import-depth`, I've removed the `options` file entirely.	2022-09-29 18:05:51 +02:00
erik-krogh	7675571daa	fix RegExpEscape::getValue having multiple results for some escapes	2022-09-27 13:25:23 +02:00
Rasmus Wriedt Larsen	71da217b82	Merge pull request #10535 from RasmusWL/flask-jsonify Python: Model `flask.jsonify`	2022-09-23 12:18:27 +02:00
Tom Hvitved	f4b82cb2e8	Python: Update expected test output	2022-09-22 15:01:40 +02:00
Rasmus Wriedt Larsen	d3f811cab3	Python: Accept any arg to `flask.jsonify` Thanks @tausbn 👍	2022-09-22 14:59:06 +02:00
Rasmus Wriedt Larsen	8174120916	Python: Model `flask.jsonify`	2022-09-22 14:43:39 +02:00
Rasmus Wriedt Larsen	078d3d0062	Python: Add stacktrace exposure example	2022-09-22 14:27:49 +02:00
yoff	18a8a3332d	Merge pull request #10494 from RasmusWL/tarslip-test-imports Python: Fix imports for tarslip tests	2022-09-20 20:04:14 +02:00
Rasmus Wriedt Larsen	253d9cf39f	Python: Fix imports for tarslip tests This doesn't change results, but makes the test-code more valid	2022-09-20 17:25:46 +02:00
yoff	ea743173d5	Merge pull request #8781 from yoff/python-dataflow/flow-summaries-from-scratch Python dataflow: flow summaries restart	2022-09-20 14:08:31 +02:00
Rasmus Wriedt Larsen	556e93ae68	Merge pull request #10384 from RasmusWL/callnode-getargbyname Python: Allow `CallNode.getArgByName` for keyword args after `**kwargs`	2022-09-19 15:05:59 +02:00
Rasmus Lerchedahl Petersen	37fb27fa1c	Python: change type of `LibraryCallable::getACall` The other callables return control flow nodes, so it is slightly inconsistent for this to return a data flow node, but it does make models based on API graphs nicer.	2022-09-19 14:02:52 +02:00
Erik Krogh Kristensen	a4cd913aea	Merge pull request #10312 from erik-krogh/fix-caseDiff ensure consistent casing of names	2022-09-19 10:43:12 +02:00
CodeQL CI	b48808778f	Merge pull request #10264 from yoff/python/port-RaisesTuple Approved by tausbn	2022-09-19 00:51:29 -07:00
CodeQL CI	ed4b64b1c4	Merge pull request #10265 from yoff/python/port-UnguardedNextInGenerator Approved by tausbn	2022-09-19 00:50:52 -07:00
Rasmus Lerchedahl Petersen	33b508d6e6	Python: undo change to `--max-import-depth` This is not necessary as long as `LibraryCall` only includes unresolved calls.	2022-09-14 12:52:27 +02:00
Rasmus Lerchedahl Petersen	245baa51a3	Python: rename summary `map` -> `list_map`, since map resolves to a class call also fix test expectation	2022-09-14 11:21:16 +02:00
Rasmus Lerchedahl Petersen	f83158ff8b	Python: do not stake out too much territory	2022-09-14 10:28:11 +02:00
Rasmus Lerchedahl Petersen	58cfac27d2	Python: adjust expectations to new spelling	2022-09-13 10:10:17 +02:00
Rasmus Lerchedahl Petersen	c1ab66181b	Python: format	2022-09-13 08:08:04 +02:00
Rasmus Lerchedahl Petersen	03c243175b	Python: fix QL alerts	2022-09-12 23:53:42 +02:00
Rasmus Lerchedahl Petersen	56dcfc2161	Python: --max-import-depth=0 to avoid nodes in the extracted stdlib Was there a reason for this depth to be 1?	2022-09-12 23:25:48 +02:00
Rasmus Lerchedahl Petersen	bf16e220a0	Python: adjust expectations	2022-09-12 22:43:03 +02:00
Rasmus Lerchedahl Petersen	efc5cfb852	Merge branch 'main' of github.com:github/codeql into python-dataflow/flow-summaries-from-scratch	2022-09-12 19:56:16 +02:00
Rasmus Lerchedahl Petersen	0f95992b2f	Python: remove `NonLibraryDataFlowCallable` this required managing parameters and their pre-update nodes a bit	2022-09-12 15:17:29 +02:00
Rasmus Wriedt Larsen	4296ac1ac0	Python: Allow `CallNode.getArgByName` for keyword args after `**kwargs`	2022-09-12 15:03:13 +02:00
Rasmus Lerchedahl Petersen	895f5480c2	Python: Added recursion guard to ensure that the call graph seen by type tracking does not include summary calls resolved by type tracking. (I tried inserting a similar test into the Ruby codebase, and it still compiled) To get this to compile, I had to move the resolution of summary calls out of the data flow nodes and into the `viableCallable` predicate. This means that we now have a potential summary call for each cfg call node. (I tried using the base class, `DataFlowCall`, for this but calls to `map` got identified as class calls and would no longer be associated with a summary.) It is possible that the "NonLIbrary"-layers the were inserted into the hierarchy can be removed again.	2022-09-09 22:47:47 +02:00
erik-krogh	26d8553f6e	ensure consistent casing of names	2022-09-09 10:34:14 +02:00
Taus	8b8e74cc9a	Merge pull request #10314 from RasmusWL/revert-alert-msgs-change	2022-09-08 13:00:47 +02:00
Asger F	6b2ebcce3a	Merge pull request #10276 from asgerf/mad-typedef-entry-points Add TypeModel hook for adding MaD type-defs from CodeQL	2022-09-07 14:14:48 +02:00
Rasmus Lerchedahl Petersen	f6d807aec0	Python: Add summary test `append_to_list`	2022-09-06 18:42:32 +02:00
Taus	0b8bdc0f85	Python: Fix broken test	2022-09-06 16:37:43 +00:00
Taus	3bb7e28712	Merge pull request #10176 from RasmusWL/import-problem Python: Add testcase for import problem	2022-09-06 18:12:37 +02:00
Rasmus Lerchedahl Petersen	4cd41c24c7	Python: remove comments and start design document	2022-09-06 17:23:40 +02:00
Rasmus Lerchedahl Petersen	67c3a9b2f4	Python: resolve library calls in the CFG rather than in the AST	2022-09-06 17:00:28 +02:00

... 22 23 24 25 26 ...

4008 Commits