hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 09:13:20 +01:00
Code Issues Packages Projects Releases Wiki Activity
82,920 Commits 1,671 Branches 157 Tags
codeql-cli-2.23.2
Commit Graph

4030 Commits

Author SHA1 Message Date
Rasmus Wriedt Larsen
56c85ffe54 Python: Fixup threat-models for os.environ.get() 
Since using `.DictionaryElementAny` doesn't actually do a store on the
source, (so we can later follow any dict read-steps).

I added the ensure_tainted steps to highlight that the result of the
WHOLE expression ends up "tainted", and that we don't just mark
`os.environ` as the source without further flow.
 2024-09-10 14:32:36 +02:00
Rasmus Wriedt Larsen
b9239d7101 Python: Add basic support for environment/commandargs threat-models 2024-09-10 14:32:36 +02:00
Joe Farebrother
d1cca13563 Merge pull request #17314 from joefarebrother/python-x509-cert 
Python: Exclude certificate classification fo sensitive data queries
 2024-09-09 10:48:36 +01:00
Kevin Stubbings
bd2564ee44 Formatting 2024-09-03 14:34:25 -07:00
Porcupiney Hairs
f86570f6e7 WIP: Python: CORS Bypass 
This PR adds a query to detect a Cross Origin Resource Sharing(CORS) policy bypass due to an incorrect check.

This PR attempts to detect the vulnerability pattern found in CVE-2022-3457

```python
if request.method in ['POST', 'PUT', 'PATCH', 'DELETE']:
    origin = request.headers.get('Origin', None)
    if origin and not origin.startswith(request.base):
        raise cherrypy.HTTPError(403, 'Unexpected Origin header')
```

In this case, a value obtained from a header is compared using `startswith` call. This comparision is easily bypassed resulting in a CORS bypass. Given that similar bugs have been found in other languages as well, I think this PR would be a great addition to the exisitng python query pack.

The databases for CVE-2022-3457 can be downloaded from
```
https://filetransfer.io/data-package/i4Mfepls#link
https://file.io/V67T4SSgmExF
```
 2024-09-03 03:11:35 +05:30
Kevin Stubbings
5c8c99d31f Add header support for bottle and tornado 2024-08-30 18:16:01 -07:00
Joe Farebrother
a8591c79c5 Update test 2024-08-28 09:11:34 +01:00
Joe Farebrother
fc24ca304d Update tests 2024-08-27 14:18:50 +01:00
Kevin Stubbings
8bf8893307 Add support for vulnerable CORS middlewares 2024-08-26 21:30:48 -07:00
Tom Hvitved
c92c96fa78 Data flow: Compute local big step relation per stage 2024-08-26 09:15:27 +02:00
Rasmus Wriedt Larsen
8f7dec07b8 Python: Remove 'response' from default threat-models 
I didn't want to put the configuration file in
`semmle/python/frameworks/**/*.model.yml`, so created `ext/` as in other
languages
 2024-08-19 10:54:48 +02:00
Rasmus Wriedt Larsen
617ab27c75 Python: Add test showing default active threat-models 2024-08-19 10:54:48 +02:00
Joe Farebrother
62c2fe6b17 Merge pull request #16933 from joefarebrother/python-cookie-concept-promote 
Python: Promote the insecure cookie query from experimental
 2024-08-07 09:06:05 +01:00
Anders Schack-Mulligen
377301a55a Merge pull request #17108 from aschackmull/dataflow/flowthrough-provenance 
Dataflow: Propagate provenance correctly for flow-through wrappers.
 2024-08-01 09:35:56 +02:00
yoff
251036c6b4 Merge pull request #17080 from sylwia-budzynska/streamlit 
Python: Add Streamlit models
 2024-07-31 18:20:11 +02:00
Anders Schack-Mulligen
9724516c84 C#/Go/Java/Python/Ruby: Accept qltest .expected changes. 2024-07-31 14:45:10 +02:00
yoff
123dcc75d1 Merge pull request #16971 from RasmusWL/mad-dict-source 
Python: Add MaD support for DictionaryElement/DictionaryElementAny for sources
 2024-07-31 13:40:07 +02:00
Sylwia Budzynska
9bd00c9e1e Change Gradio rfs test to use shared rfs test module 2024-07-31 13:25:32 +02:00
Sylwia Budzynska
9741ddb926 Add remoteflowsoucre test 2024-07-30 17:20:14 +02:00
Sylwia Budzynska
bfd2e4350b Add StreamlitConnection model 
Co-authored-by: yoff <lerchedahl@gmail.com>
 2024-07-30 12:58:49 +02:00
Joe Farebrother
e68ef87662 update inline tests for rest_framework tests 2024-07-29 23:35:36 +01:00
Joe Farebrother
f10d007496 Add additional test for kwargs case 2024-07-29 23:27:22 +01:00
Joe Farebrother
68512eea14 Remove remaining files from experimental tests 2024-07-29 11:19:33 +01:00
Joe Farebrother
1127b08635 Merge branch 'main' into python-cookie-concept-promote 2024-07-29 10:26:03 +01:00
Joe Farebrother
58689c90fb Merge pull request #16893 from joefarebrother/python-cookie-injectio-promote 
Python: Promote cookie injection query from experimental
 2024-07-29 10:17:01 +01:00
yoff
d23d138e7d Merge pull request #16923 from RasmusWL/impossible-isinstance 
Python: Add test for impossible isinstance flow
 2024-07-29 09:33:30 +02:00
Sylwia Budzynska
358a1b3a20 Fix tests 2024-07-26 14:19:06 +02:00
Sylwia Budzynska
6d1c00742f Add tests and change note 2024-07-26 14:15:43 +02:00
Joe Farebrother
db27fd934a Add tests for tornado and twisted 2024-07-23 13:21:37 +01:00
Joe Farebrother
93f70b3ad9 Add unit tests 2024-07-23 10:15:23 +01:00
Joe Farebrother
b28d79960b Update ConceptsTests and make a fix 2024-07-23 10:15:09 +01:00
Joe Farebrother
a73d675e6e Remove experimental query versions 2024-07-23 10:14:55 +01:00
Joe Farebrother
32fbe52f0f Model cookie attributes for Django and Flask 2024-07-23 10:14:33 +01:00
Rasmus Lerchedahl Petersen
3434c38da7 Python: update test expectations 
This is MaD...
 2024-07-22 17:03:29 +02:00
Joe Farebrother
070d67816d Remove experimental version 2024-07-16 16:50:10 +01:00
Joe Farebrother
8d93c3a852 Move to cwe-20 2024-07-16 16:50:08 +01:00
Joe Farebrother
983bdb92a1 Add test cases + remove redundant import 2024-07-16 16:50:00 +01:00
Rasmus Wriedt Larsen
db8a5306cf Python: Add MaD support for DictionaryElement/DictionaryElementAny for sources 2024-07-12 15:19:40 +02:00
Rasmus Wriedt Larsen
eed8b3e87b Python: Add more tests for MaD sources 2024-07-12 15:10:23 +02:00
Rasmus Wriedt Larsen
f41d2a896c Merge pull request #16771 from porcupineyhairs/js2py 
Python : Arbitrary code execution due to Js2Py
 2024-07-11 15:31:57 +02:00
Joe Farebrother
8152ec7472 Merge pull request #16696 from joefarebrother/python-cookie-write-headers 
Python: Model CookieWrites from HeaderWrites
 2024-07-11 14:25:54 +01:00
Rasmus Wriedt Larsen
5ecde387af Python: Fix .expected 2024-07-11 14:42:26 +02:00
Rasmus Wriedt Larsen
173cd13ded Python: Add test for impossible isinstance flow 2024-07-08 12:06:53 +02:00
Porcupiney Hairs
808af28618 Python : Arbitrary codde execution due to Js2Py 
Js2Py is a Javascript to Python translation library written in Python. It allows users to invoke JavaScript code directly from Python.
The Js2Py interpreter by default exposes the entire standard library to it's users. This can lead to security issues if a malicious input were directly.

This PR includes a CodeQL query along with a qhelp and testcases to detect cases where an untrusted input flows to an Js2Py eval call.

This query successfully detects CVE-2023-0297 in `pyload/pyload`along with it's fix.
The databases can be downloaded from the links bellow.
```
https://file.io/qrMEjSJJoTq1
https://filetransfer.io/data-package/a02eab7V#link
```
 2024-07-03 19:06:34 +05:30
Rasmus Wriedt Larsen
ce177c3450 Merge pull request #15655 from yoff/python/support-model-editor 
Python: Support model editor
 2024-07-02 16:28:58 +02:00
Rasmus Wriedt Larsen
dc33f0de1d Python: Additional tests for model-editor 
We currently have some problems with these files, that we should fix
later down the line. See PR comment for more details.
 2024-07-02 14:28:46 +02:00
Joe Farebrother
b81d41ba7b Add django header write models for direct subscript write 2024-07-01 11:26:54 +01:00
Rasmus Lerchedahl Petersen
e40ae2e52d Python: adjust test expectations 
MaD row numbers in provenance column
 2024-06-28 21:56:11 +02:00
Rasmus Lerchedahl Petersen
77a00873a9 Python: add tests for loggers 2024-06-28 15:25:17 +02:00
Rasmus Lerchedahl Petersen
9cca1b294c Python: Add test cases 2024-06-27 16:33:23 +02:00