hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-18 18:10:39 +01:00
Code Issues Packages Projects Releases Wiki Activity
83,868 Commits 1,671 Branches 157 Tags
codeql-cli-2.23.4
Commit Graph

3007 Commits

Author SHA1 Message Date
Rasmus Lerchedahl Petersen
b93c04bb79 python: Add reverse flow in some patterns 
Particularly in value and literal patterns.
This is getting a little bit into the guards aspect of matching.
We could similarly add reverse flow in terms of
sub-patterns storing to a sequence pattern,
a flow step from alternatives to an-or-pattern, etc..
It does not seem too likely that sources are embedded in patterns
to begin with, but for secrets perhaps?

It is illustrated by the literal test. The value test still fails.
I believe we miss flow in general from the static attribute.
 2022-01-27 15:20:23 +01:00
github-actions[bot]
634134f283 Release preparation for version 2.8.0 2022-01-27 10:40:20 +00:00
Rasmus Lerchedahl Petersen
cb52ab669e python: address review comments 
The comment about `py_scopes` was simply removed
 2022-01-27 11:17:00 +01:00
yoff
e28669e487 Apply suggestions from code review 
Co-authored-by: Taus <tausbn@github.com>
 2022-01-27 10:31:43 +01:00
Rasmus Lerchedahl Petersen
163c888781 python: port concepts and implementations 2022-01-26 19:05:37 +01:00
Rasmus Lerchedahl Petersen
47af3a69a5 Merge branch 'main' of github.com:github/codeql into python/support-match 2022-01-26 11:39:46 +01:00
Edoardo Pirovano
1b539eb4dc Merge branch rc/3.4 into main 2022-01-25 16:22:01 +00:00
Rasmus Wriedt Larsen
301318020f Merge pull request #7455 from haby0/py/add-shutil-module-path-injection-sinks 
Python: Add shutil module sinks for path injection query
 2022-01-24 20:06:36 +01:00
Rasmus Lerchedahl Petersen
41908cbf9f python: add missing qldoc 2022-01-21 13:55:08 +01:00
Rasmus Lerchedahl Petersen
49d4b1480d python: Do not remove ChainedConfigs12.qll 
since it was clearly already used.
Add deprecation message instead.
 2022-01-21 12:27:29 +01:00
Erik Krogh Kristensen
a235f8f023 remove redundant inline type casts 2022-01-21 11:46:33 +01:00
Erik Krogh Kristensen
ddfc3bc00f use set literals instead of big disjunctions 2022-01-21 11:46:33 +01:00
yoff
5b9ae9cede Merge pull request #7659 from RasmusWL/move-regex-injection-files 
Python: Move regex injection configuration files
 2022-01-21 11:42:06 +01:00
yoff
4fd0ada9a8 Merge pull request #7652 from RasmusWL/cleartext-remove-fps 
Python: Remove usernames as sensitive source for cleartext queries
 2022-01-21 11:30:40 +01:00
Rasmus Lerchedahl Petersen
a5bc5373d0 python: Rewrite path injection to use flow state 
This removes the FP cause by chaining
This PR also removes `ChainedConfigs12.qll`,
as we hope to solve future problems via flow states.
 2022-01-21 09:26:48 +01:00
github-actions[bot]
ab218421da Post-release preparation for codeql-cli-2.7.6 2022-01-20 12:59:20 +00:00
Erik Krogh Kristensen
4e8e3a7420 simplify expressions that could be type-casts 2022-01-20 10:41:35 +01:00
github-actions[bot]
4ce8ccc52b Release preparation for version 2.7.6 2022-01-20 08:21:18 +00:00
Rasmus Lerchedahl Petersen
32cbeae05f python: missing start tag for relation 2022-01-20 08:56:12 +01:00
Rasmus Lerchedahl Petersen
d10ad3bdd4 python: update stats for tables 2022-01-20 08:42:32 +01:00
Rasmus Lerchedahl Petersen
7e9a9e3d9a python: remove compiler warnings 2022-01-19 18:01:58 +01:00
Rasmus Wriedt Larsen
b9ee2960e2 Python: Add change-note 2022-01-19 17:24:53 +01:00
Rasmus Wriedt Larsen
aa10ad6a8a Python: Fix RegexInjection query, add old deprecated versions 2022-01-19 17:22:44 +01:00
Rasmus Wriedt Larsen
e82ea7ad17 Python: move regex injection configuration files 
I did not notice that these went to the wrong location in
https://github.com/github/codeql/pull/6693. They should be in the
dataflow folder with the rest of the data-flow configurations files, the
injection folder is for old points-to based modeling.
 2022-01-19 17:21:46 +01:00
Rasmus Lerchedahl Petersen
a0e79c1d7a update stats for types 
- should still update stats for tables
 2022-01-19 16:38:19 +01:00
Rasmus Wriedt Larsen
e82e648ca1 Python: Remove usernames as sensitive source for cleartext queries 
Closes #6363, #6927, #6726, #7497, #7116
 2022-01-19 15:25:21 +01:00
Rasmus Lerchedahl Petersen
db253e8939 python: upgrade and downgrade scripts 2022-01-19 15:22:57 +01:00
Rasmus Lerchedahl Petersen
36e18d5d80 python: dataflow for match 
- also update `validTest.py`, but commented out for now
  otherwise CI will fail until we force it to run with Python 3.10
- added debug utility for dataflow (`dataflowTestPaths.ql`)
 2022-01-19 14:29:58 +01:00
Rasmus Lerchedahl Petersen
bb210f4172 pythos: SSA for match 
- new SSA definition `PatternCaptureDefinition`
- new SSA definition `PatternAliasDefinition`
- implement `hasDefiningNode`
 2022-01-19 14:29:58 +01:00
Rasmus Lerchedahl Petersen
de8ecb214f python: Wrappers for database classes 
- new syntactic category `Pattern` (in `Patterns.qll`)
- subpatterns available on statments
- new statements `MatchStmt` and `Case`
  (`Match` would conflict with the shared ReDoS library)
- new expression `Guard`
- support for pattern lists
 2022-01-19 14:29:58 +01:00
Rasmus Lerchedahl Petersen
b17f844f35 python: New generated files 2022-01-19 13:36:32 +01:00
Rasmus Wriedt Larsen
95e935e9c1 Python: Support SQLAlchemy scoped_session 2022-01-18 14:34:31 +01:00
Anders Schack-Mulligen
fff3b5c5b4 Dataflow: Add qldoc. 2022-01-18 10:39:55 +01:00
Anders Schack-Mulligen
71e39353ca Dataflow: Sync. 2022-01-18 10:36:52 +01:00
Anders Schack-Mulligen
dfa79f6119 Dataflow: Sync. 2022-01-18 10:30:09 +01:00
Chris Smowton
2c37885f6e Sync dataflow 2022-01-18 10:30:09 +01:00
Andrew Eisenberg
fbb5d7196f Merge branch 'main' into post-release-prep/codeql-cli-2.7.5 2022-01-14 08:23:43 -08:00
Anders Schack-Mulligen
0b24af901d Merge pull request #7349 from aschackmull/dataflow/state 
Dataflow: Add support for flow state
 2022-01-14 09:12:38 +01:00
Andrew Eisenberg
4ffd8c62ac Merge pull request #7579 from github/aeisenberg/changenote-upgrades-removal 
Changenotes: Add changenotes for upgrades refactoring
 2022-01-13 09:09:06 -08:00
Anders Schack-Mulligen
c44cf29992 Merge pull request #7587 from owen-mc/add-default-taint-sanitizer-guard 
Dataflow: Add default taint sanitizer guard
 2022-01-13 14:44:55 +01:00
Anders Schack-Mulligen
f7cf327e71 Dataflow: Sync 2022-01-13 13:28:43 +01:00
Erik Krogh Kristensen
89bab6ae12 Merge pull request #7097 from erik-krogh/railsReDoS 
JS/PY/RB: support a limited number of ranges for ReDoS analysis
 2022-01-13 11:04:36 +01:00
Andrew Eisenberg
e435a3e9c3 Changenotes: Add changenotes for upgrades refactoring 2022-01-12 11:36:31 -08:00
Owen Mansel-Chan
8e8278764b Add predicate defaultTaintSanitizerGuard for each language 
This was done manually, as these files are not synced by sync-files.py.
 2022-01-12 14:44:56 +00:00
Owen Mansel-Chan
c112980b81 Sync TaintTrackingImpl.qll 
Done automatically using sync-files.py
 2022-01-12 14:44:55 +00:00
github-actions[bot]
8a2d92badc Post-release preparation for codeql-cli-2.7.5 2022-01-12 13:28:43 +00:00
Andrew Eisenberg
07228672df Merge branch 'main' into aeisenberg/remove-upgrades 2022-01-11 11:25:27 -08:00
Erik Krogh Kristensen
f7a63d5ea0 remove duplicated line 2022-01-07 18:38:02 +01:00
Erik Krogh Kristensen
1a8b6d7414 recognize ranges without upper bounds 2022-01-07 18:38:01 +01:00
Erik Krogh Kristensen
acaf294bee support a limited number of regexp ranges 2022-01-07 18:36:30 +01:00