hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 17:23:36 +01:00
Code Issues Packages Projects Releases Wiki Activity
82,920 Commits 1,671 Branches 157 Tags
codeql-cli-2.23.2
Commit Graph

470 Commits

Author SHA1 Message Date
Rasmus Wriedt Larsen
dcd103ea73 Python: Fix grammar 
Co-authored-by: Taus <tausbn@github.com>
 2020-10-13 10:31:35 +02:00
Rasmus Lerchedahl Petersen
4bd56fdbe4 Python: Implement framework sinks 2020-10-09 16:13:47 +02:00
Rasmus Lerchedahl Petersen
0d8bd01e10 Python: Port query and add test 2020-10-09 16:11:37 +02:00
Rasmus Wriedt Larsen
46ec7fbf6e Python: Make builtin compile function additional taint step 2020-10-07 21:17:39 +02:00
Rasmus Wriedt Larsen
c69a61bac5 Python: Model exec and eval calls as CodeExecution 2020-10-07 21:14:19 +02:00
Rasmus Wriedt Larsen
453c391bb0 Python: Add CodeExecution tests for stdlib 2020-10-07 21:12:31 +02:00
Rasmus Wriedt Larsen
0af86cba50 Python: Port CodeInjection query 
and the dummy test-case we already have
 2020-10-07 18:47:23 +02:00
Rasmus Wriedt Larsen
7721db206e Python: Don't double report paths for platform.popen and popen2.* 
I was a bit surprised that we hadn't double reported for popen2, but it turns
out that the implementation (at least on unix) looks like:

```
def popen2(cmd, bufsize=-1, mode='t'):
    ... = Popen3(cmd, False, bufsize)
    ...
```

but since the modeling I did only considers calls to `Popen3` only if it has
been imported from the `popen2` module, we don't consider that call as a sink.
 2020-10-07 10:57:31 +02:00
Rasmus Wriedt Larsen
36812af2c2 Python: Add test for Python2 specific command injection 2020-10-07 10:54:03 +02:00
Rasmus Wriedt Larsen
d8a9eacd02 Python: Remove TODO comment for popen2 module 2020-10-07 10:47:28 +02:00
Rasmus Wriedt Larsen
de07d9e5d9 Python: Highlight that os.popen is not only problem for extra alerts 2020-10-02 13:34:33 +02:00
Rasmus Wriedt Larsen
3247b300ae Python: Fix problem with missing use-use flow 2020-10-01 12:55:11 +02:00
Rasmus Wriedt Larsen
9b3509f0ba Python: Highlight problem with missing use-use flow 2020-10-01 12:51:44 +02:00
Rasmus Wriedt Larsen
4adc26eb62 Python: Fix command injection example code 
`subprocess.Popen(["ls", "-la"], shell=True)` correspond to running `sh -c "ls" -la`

So it doesn't follow the pattern of the rest of the test file.
 2020-09-30 13:38:37 +02:00
Rasmus Wriedt Larsen
9c1253c8af Python: Remove flow out of CommandInjection sinks 2020-09-30 13:29:40 +02:00
Rasmus Wriedt Larsen
a2d12f0440 Python: Update CommandInjection.expected 2020-09-30 13:00:10 +02:00
Rasmus Wriedt Larsen
2bdd0284dc Python: Port py-command-line-injection with new dataflow 2020-09-22 16:28:23 +02:00
Rasmus Wriedt Larsen
8aab0c8be7 Python: Fix .qlref for experimental security tests 2020-09-02 15:35:50 +02:00
Rasmus Wriedt Larsen
34c5da563e Python: Move files in experiemntal dirs to be consistent 
Except for dataflow (where we have a lot of changes, and I don't want to
introduce lots of merge conflicts right now).
 2020-09-02 13:39:01 +02:00
dilanbhalla
dc73fcc4e8 moved to experimental 2020-07-01 09:54:58 -07:00