hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-18 18:10:39 +01:00
Code Issues Packages Projects Releases Wiki Activity
83,868 Commits 1,671 Branches 157 Tags
codeql-cli-2.23.4
Commit Graph

3007 Commits

Author SHA1 Message Date
Rasmus Lerchedahl Petersen
60dc1afbc0 Python: prepare to promote NoSqlInjection 
Mostly move files, preserving authourship.
This will not compile.
 2023-09-07 09:28:29 +02:00
Peter Stöckli
ede7d8fb6a Python: apply suggestions from code review for asyncio 2023-09-06 15:47:07 +02:00
github-actions[bot]
abf2b12b1c Release preparation for version 2.14.4 2023-09-05 16:56:14 +00:00
Peter Stöckli
8c4dccc81b Python: initial support for CMDi via asyncio 2023-09-05 15:33:29 +02:00
Rasmus Wriedt Larsen
49f5d38956 Merge pull request #14068 from RasmusWL/dataflow-config-refactor 
Python: Use new dataflow API
 2023-09-04 21:04:10 +02:00
yoff
da64ea40b9 Merge pull request #13782 from jorgectf/jorgectf/shlex-quote 
Python: Add `shlex.quote` as `py/shell-command-constructed-from-input` sanitizer
 2023-08-31 21:08:58 +02:00
erik-krogh
8dad4950a9 add sanitizer guard for url_has_allowed_host_and_scheme 2023-08-31 13:48:42 +02:00
Tom Hvitved
253f932d2a Python: Use data flow consistency checks from shared pack 2023-08-30 15:29:41 +02:00
Rasmus Wriedt Larsen
62c2316124 Merge pull request #14084 from RasmusWL/flask-jsonify 
Python: Remove XSS FP from use of `flask.jsonify`
 2023-08-30 13:07:54 +02:00
yoff
ae4c76c788 Merge pull request #13975 from yoff/python/parsemodechars-not-chars 2023-08-29 14:05:57 +02:00
Rasmus Wriedt Larsen
0b2458d065 Python: Improve modeling of Flask jsonify 
I also tested whether `Flask.jsonify` or `Flask().jsonify` worked, but
they do not.
 2023-08-29 11:11:32 +02:00
Rasmus Wriedt Larsen
26319bfc04 Python: Fix Flask jsonify XSS regression 
The reason the result was found before, is that `jsonify(data)` was
modeled as TWO separate subclasses of `Http::Server::HttpResponse`, one
because of the implicit construction in return
(FlaskRouteHandlerReturn), and one from the `jsonify` call
(FlaskJsonifyCall). Due to the QL evaluation, we got a combination from
the two, meaning mime-type from FlaskRouteHandlerReturn and body from
FlaskJsonifyCall...
 2023-08-29 11:11:32 +02:00
Dave Bartolomeo
3343b78015 Merge pull request #14074 from github/post-release-prep/codeql-cli-2.14.3 
Post-release preparation for codeql-cli-2.14.3
 2023-08-28 13:34:10 -04:00
github-actions[bot]
3eba77421a Post-release preparation for codeql-cli-2.14.3 2023-08-28 15:53:49 +00:00
Rasmus Wriedt Larsen
e8e8d975e3 Python: Remove all usage of DataFlow2+TaintTracking2 
(and any higher number as well)
 2023-08-28 15:34:19 +02:00
Rasmus Wriedt Larsen
efec4e7ebf Python: Add missing qldocs 2023-08-28 15:31:08 +02:00
Rasmus Wriedt Larsen
5ba8e102eb Python: Adopt tests to new DataflowQueryTest 
Since we want to know the _sinks_ and not just the flow, we need to
expose the config as well :|
 2023-08-28 15:31:08 +02:00
Rasmus Wriedt Larsen
657b1997cc Python: Move FullServerSideRequestForgery and PartialServerSideRequestForgery to new dataflow API 2023-08-28 15:27:50 +02:00
Rasmus Wriedt Larsen
46322b717a Python: Move XmlBomb to new dataflow API 2023-08-28 15:27:50 +02:00
Rasmus Wriedt Larsen
add1077532 Python: Move RegexInjection to new dataflow API 2023-08-28 15:27:50 +02:00
Rasmus Wriedt Larsen
c6caf83dfe Python: Move PolynomialReDoS to new dataflow API 2023-08-28 15:27:50 +02:00
Rasmus Wriedt Larsen
4c336990e5 Python: Move XpathInjection to new dataflow API 2023-08-28 15:27:50 +02:00
Rasmus Wriedt Larsen
60e45335dd Python: Move Xxe to new dataflow API 2023-08-28 15:27:50 +02:00
Rasmus Wriedt Larsen
4c76ca6127 Python: Move UrlRedirect to new dataflow API 2023-08-28 15:27:50 +02:00
Rasmus Wriedt Larsen
6f08e73dbc Python: Move UnsafeDeserialization to new dataflow API 2023-08-28 15:27:50 +02:00
Rasmus Wriedt Larsen
dd074173d2 Python: Move WeakSensitiveDataHashing to new dataflow API 
I adopted helper predicates to do the "heavy" lifting of .asPathNode1(), maybe I like this approach better... let me know what you think 😊
 2023-08-28 15:27:50 +02:00
Rasmus Wriedt Larsen
9d6b96dfd2 Python: Move CleartextStorage to new dataflow API 2023-08-28 15:27:50 +02:00
Rasmus Wriedt Larsen
70095446b6 Python: Move CleartextLogging to new dataflow API 2023-08-28 15:27:50 +02:00
Rasmus Wriedt Larsen
cca78f31ff Python: Move PamAuthorization to new dataflow API 2023-08-28 15:27:50 +02:00
Rasmus Wriedt Larsen
dcd96083e8 Python: Move StackTraceExposure to new dataflow API 2023-08-28 15:27:50 +02:00
Rasmus Wriedt Larsen
f75e65c67d Python: Move LogInjection to new dataflow API 2023-08-28 15:27:50 +02:00
Rasmus Wriedt Larsen
88cf9c99b0 Python: Move CodeInjection to new dataflow API 2023-08-28 15:27:50 +02:00
Rasmus Wriedt Larsen
05573904a5 Python: Move LdapInjection to new dataflow API 
We could have switched to a stateful config, but I tried to keep changes
as straight forward as possible.
 2023-08-28 15:27:50 +02:00
Rasmus Wriedt Larsen
c360346e9e Python: Move ReflectedXss to new dataflow API 2023-08-28 15:27:49 +02:00
Rasmus Wriedt Larsen
b30142c1d7 Python: Move CommandInjection to new dataflow API 2023-08-28 15:27:49 +02:00
Rasmus Wriedt Larsen
700841e9b0 Python: Move UnsafeShellCommandConstruction to new dataflow API 2023-08-28 15:27:49 +02:00
Rasmus Wriedt Larsen
d4e4e2d426 Python: Move TarSlip to new dataflow API 2023-08-28 15:27:49 +02:00
Rasmus Wriedt Larsen
e97032909a Python: Move PathInjection to new dataflow API 2023-08-28 15:27:49 +02:00
Rasmus Wriedt Larsen
245c24077d Python: Move SqlInjection to new dataflow API 2023-08-28 15:27:49 +02:00
yoff
2e981e330b Merge pull request #14059 from RasmusWL/fix-loginjection-tests 
Python: Fix stdlib sinks in LogInjection query
 2023-08-28 14:44:51 +02:00
yoff
6e05246daa Merge pull request #13935 from yoff/python/mad-on-externals 
Python: MaD on externals
 2023-08-28 14:04:54 +02:00
Rasmus Wriedt Larsen
c807ab4216 Python: Apply suggestions from code review 
Co-authored-by: yoff <lerchedahl@gmail.com>
 2023-08-28 14:04:22 +02:00
Rasmus Wriedt Larsen
bf9a0dab2a Python: Fix stdlib sinks in LogInjection query 2023-08-25 17:04:48 +02:00
Rasmus Lerchedahl Petersen
137f9e7234 Python: Adress review comments 
- make qldoc accurate
- fix ql4ql alert
 2023-08-24 21:28:07 +02:00
Rasmus Lerchedahl Petersen
7ad1a21c2d Python: make mode characters not be characters 
They are simply considered part of the group start.
 2023-08-24 21:21:49 +02:00
yoff
a834703195 Merge pull request #13779 from geoffw0/pythonparsemode 
Python: Understand multiple parse mode flags specified in a regular expression string
 2023-08-24 21:20:45 +02:00
yoff
00c0ebe9e4 Merge pull request #13738 from RasmusWL/path-steps 
Python: Include all assignments in data flow paths
 2023-08-22 11:58:11 +02:00
Michael Nebel
ce6fd8ac5f Merge pull request #13432 from michaelnebel/updateissupported 
Java/C#: Update telemetry queries to report callables with sink/source neutrals as being supported.
 2023-08-22 08:39:38 +02:00
Jeroen Ketema
2d0f73d7c2 Merge pull request #13881 from jketema/shared-taint-tracking 
Introduce shared taint tracking library
 2023-08-21 12:45:49 +02:00
Rasmus Wriedt Larsen
c8c69aac9b Merge pull request #13561 from amammad/amammad-python-WebAppsConstatntSecretKeys 
Python: Flask & Django Constant Secret Key initialization
 2023-08-21 11:39:19 +02:00