hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-18 01:33:15 +01:00
Code Issues Packages Projects Releases Wiki Activity
82,644 Commits 1,671 Branches 157 Tags
codeql-cli-2.23.1
Commit Graph

4008 Commits

Author SHA1 Message Date
Rasmus Wriedt Larsen
e5abfd0196 Python: Modernise Security/ queries 2020-02-04 11:42:11 +01:00
Rasmus Wriedt Larsen
5bc592514a Python: Consistenly use "a user-provided value" 
ReflectedXss was the only query that used it with the "a"
 2020-02-03 14:35:09 +01:00
Rasmus Wriedt Larsen
4ca72de4cd Python: Fix recommended module for deprecated posixfile 
$ python2 -W default -c 'import posixfile'
-c:1: DeprecationWarning: The posixfile module is deprecated; fcntl.lockf() provides better locking

https://docs.python.org/2.7/library/posixfile.html
 2020-01-28 16:44:47 +01:00
Rasmus Wriedt Larsen
6c7cddf258 Python: py/import-deprecated-module handle backwards compatible code 2020-01-28 16:36:47 +01:00
Rasmus Wriedt Larsen
e92d6c0459 Python: Stop py/import-deprecated-module from double alerting 
This changes the location from the import statement, to the actual expression
 2020-01-28 16:15:46 +01:00
Rasmus Wriedt Larsen
194228850a Python: Add tests for py/import-deprecated-module 2020-01-28 16:15:21 +01:00
Rasmus Wriedt Larsen
c25782d6da Python: For web tests, use more precise name HttpResponseSinks 
Since there are also HttpRedirectTaintSink, using HttpSink is confusing
 2020-01-28 13:06:48 +01:00
Rasmus Wriedt Larsen
46f4b74134 Python: Fix tornado lib: a redirect is not a http response 2020-01-28 13:06:48 +01:00
Rasmus Wriedt Larsen
ee382bb2ea Python: Fix typo (reques => request) 2020-01-28 13:06:48 +01:00
Rasmus Wriedt Larsen
9bc72450a0 Python: Temporarily disable falcon HttpSinks test 
I will fix this in an other PR
 2020-01-28 13:06:48 +01:00
Rasmus Wriedt Larsen
9b2ca0c9c7 Python: Update web libraries to use HttpSources and HttpSinks 2020-01-28 13:06:48 +01:00
Rasmus Wriedt Larsen
2cdbae08b6 Python: Don't make duplicate sink for Tornado handler 
`self.write(...)` would be treated as *both* TornadoConnectionWrite and
TornadoHttpRequestHandlerWrite
 2020-01-28 13:06:48 +01:00
Rasmus Wriedt Larsen
effa4548ab Python: Add toString to TurboGears HttpResponseTaintSinks 
Naming these were a bit hard, but better than generic "Taint Sink"
 2020-01-28 13:06:48 +01:00
Rasmus Wriedt Larsen
6b87458c2e Python: Add explicit tests for HttpSources and HttpSinks 
Some of the tests currently fail, since they can't reproduce the old tests
results (since the sinks/sources defined in the library code are not
HttpResponseTaintSink/HttpRequestTaintSource)
 2020-01-28 13:06:48 +01:00
Rasmus Wriedt Larsen
0a1c91fbb8 Python: Autoformat web tests QL files 2020-01-28 13:05:25 +01:00
Rasmus Wriedt Larsen
081d66eaa3 Python: Recognize taint for extended iterable unpacking 2020-01-27 15:28:53 +01:00
Rasmus Wriedt Larsen
1b670354b2 Python: Add tests for extended iterable unpacking 2020-01-27 15:24:55 +01:00
Rasmus Wriedt Larsen
781024d679 Python: Recognize taint for iterable unpacking 2020-01-27 14:43:07 +01:00
Rasmus Wriedt Larsen
a3f1f4cb87 Python: Add iterable unpacking tests 2020-01-27 14:43:07 +01:00
Rasmus Wriedt Larsen
fa48fb04f5 Python: Recognize nested tuple/list assignment 
Now we recognize `[(x,y)] = [(1,2)]` -- in itself not a widely used idiom, but
more of a warmup excersize for me
 2020-01-27 14:42:54 +01:00
Rasmus Wriedt Larsen
9763ec71fe Python: Add tests for nested assignment 2020-01-27 14:39:34 +01:00
Taus
5a2dfd40af Merge pull request #2639 from RasmusWL/python-improve-dict-taint 
Python: Improve tests for tainted collections
 2020-01-24 15:06:01 +01:00
Rasmus Wriedt Larsen
5778764a48 Python: Stop using deprecated getName in collections taint test 2020-01-24 10:32:17 +01:00
Rasmus Wriedt Larsen
3db551d6bc Python: Use variables in collection-taint test 
They are not tainted in assignment, only in use.

I also adopted an attempt at a better test-setup, where it's easy to see if
everything is the way you hoped for, instead of browsing through 100 of lines of
taint-step output :P
 2020-01-24 10:32:17 +01:00
Taus
618a35bb7c Merge pull request #2664 from RasmusWL/python-fix-redirect-example 
Python: Remove unused variable in example for py/url-redirection
 2020-01-23 13:42:00 +01:00
Taus
d06e86f54d Merge pull request #2662 from RasmusWL/python-taint-on-eq-test 
Python: Only clear taint on constant comparison in if
 2020-01-23 13:41:40 +01:00
Rasmus Wriedt Larsen
772538ff46 Python: Move tests of collection-taint to own dir 2020-01-22 14:24:50 +01:00
Rasmus Wriedt Larsen
df8be438bb Python: Show that list(tainted_string) works 2020-01-22 14:24:50 +01:00
Rasmus Wriedt Larsen
0da78f216a Python: Show that e, f, g = tainted_list doesn't work 2020-01-22 14:24:50 +01:00
Rasmus Wriedt Larsen
a55c13e61c Python: Improve tests for StringDictKind taint 
+ show we handle dict.values()
+ show we don't handle dict.items()
 2020-01-22 14:24:50 +01:00
Rasmus Wriedt Larsen
12bb05522a Python: Make py/weak-cryptographic-algorithm a path-problem 
and stop using deprecated hasFlow
 2020-01-22 13:45:14 +01:00
Rasmus Wriedt Larsen
c5091f1ce7 Python: Make py/hardcoded-credentials a path-problem 
and stop using deprecated hasFlow
 2020-01-22 13:45:14 +01:00
Rasmus Wriedt Larsen
96d5703f2c Python: Remove use of deprecated methods 2020-01-22 13:45:14 +01:00
Rasmus Wriedt Larsen
422658bbdb Python: Remove unused variable in example for py/url-redirection 2020-01-21 15:45:05 +01:00
Taus Brock-Nannestad
ead687da06 Python: Add false positive test example for issue #2652. 2020-01-21 15:28:01 +01:00
Rasmus Wriedt Larsen
bbe93f43d3 Python: Only comparison with constant will clear taint 
tainted = SOURCE
    if tainted == tainted:
        SINK(tainted) # unsafe

before, in the body of the if statement, `tainted` was not tainted
 2020-01-21 15:25:57 +01:00
Rasmus Wriedt Larsen
1498145415 Python: Highlight that any comparison will clear taint 2020-01-21 15:24:56 +01:00
Taus
cfb84be7b1 Merge pull request #2540 from RasmusWL/python-modernise-variables-queries 
Python: modernise variables queries
 2020-01-10 14:45:12 +01:00
Rasmus Wriedt Larsen
9b0b0c338f Python: Cleanup overrides tests 2020-01-06 10:55:37 +01:00
Rasmus Wriedt Larsen
15bc4cd090 Python: Add override helpers to Value classes 2019-12-20 15:05:49 +01:00
Rasmus Wriedt Larsen
81e27aab8d Python: Modernise py/unused-loop-variable 2019-12-20 15:05:49 +01:00
Taus
52d231c219 Merge pull request #2469 from RasmusWL/python-modernise-twisted-library 
Python: modernise twisted library
 2019-12-18 13:55:50 +01:00
Taus
eb6feeeaf8 Merge pull request #2482 from RasmusWL/python-include-zope-web-tests 
Python: include zope web tests from internal repo
 2019-12-18 13:55:23 +01:00
Rasmus Wriedt Larsen
ac55e6aba6 Python: Modernise twisted library 2019-12-18 10:42:39 +01:00
Rasmus Wriedt Larsen
4e3c183676 Python: Adapt twisted tests so they pass 2019-12-18 10:42:39 +01:00
Rasmus Wriedt Larsen
6011cb74f8 Python: Add twisted tests from internal repo 2019-12-18 10:42:39 +01:00
Rasmus Wriedt Larsen
8b5d6ae2cf Python: Modernise zope web tests 2019-12-17 17:42:03 +01:00
Rasmus Wriedt Larsen
e257ba40c4 Python: Make zope web tests pass 2019-12-17 17:42:03 +01:00
Henning Makholm
073563a19b Python tests: explicitly specify --lang2 for python2 tests 
This allows them to work with the `LegacyQltLanguage.PYTHON3` extraction recipe.
 2019-12-07 02:38:02 +01:00
Rasmus Wriedt Larsen
387ab52855 Python: Add zope web tests from internal repo 2019-12-02 14:38:03 +01:00