hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 09:13:20 +01:00
Code Issues Packages Projects Releases Wiki Activity
83,868 Commits 1,671 Branches 157 Tags
codeql-cli-2.23.4
Commit Graph

3007 Commits

Author SHA1 Message Date
Tom Hvitved
660398aa78 Python: Introduce TypeBackTracker::getACompatibleTypeTracker() 2021-11-02 11:16:32 +01:00
Tom Hvitved
73fd66cfed Python: Cache TypeBackTracker::prepend 2021-11-02 11:16:32 +01:00
Rasmus Wriedt Larsen
83389be8e2 Python: Add some missing QLDocs 2021-11-02 11:02:51 +01:00
Rasmus Wriedt Larsen
a7e4e5ef83 Python: Add rest_framework Response modeling 2021-11-02 10:55:44 +01:00
Rasmus Wriedt Larsen
13815fe728 Python: Model known APIView subclasses 
Added internal helper `.qll` file as well
 2021-11-02 10:55:44 +01:00
Rasmus Wriedt Larsen
62d30630aa Python: Add rest_framework Request taint modeling 2021-11-02 10:55:44 +01:00
Rasmus Wriedt Larsen
5d77e62f3a Python: Add basic rest_framework Request modeling 2021-11-02 10:55:44 +01:00
Rasmus Wriedt Larsen
57e13c6066 Python: rest_framework.decorators.api_view handling 
Had to expose even more things, and had to make the `DjangoRouteHandler`
modeling more flexible so I could extend the char-pred in a different
file.
 2021-11-02 10:55:44 +01:00
Rasmus Wriedt Larsen
222db37c0d Python: Add initial rest_framework modeling 
I had to make the Django and PrivateDjango modeling non-private :O
 2021-11-02 10:55:44 +01:00
Rasmus Wriedt Larsen
b7b9120724 Python: Better handling of Pydantic models 2021-11-02 10:29:17 +01:00
Rasmus Wriedt Larsen
17da28118a Python: Small refactor to use extends .. instanceof 2021-11-02 10:06:11 +01:00
Erik Krogh Kristensen
0897b004eb revert removal of redundant inline casts in some python files 2021-10-29 14:40:27 +02:00
Erik Krogh Kristensen
d36c66cfca remove redundant inline casts in arguments where the type is inferred by the call target 2021-10-29 14:37:56 +02:00
yoff
1c78c792ff Merge pull request #6991 from RasmusWL/flask-blueprints 
Python: Support `flask.blueprints.Blueprint`
 2021-10-29 14:06:43 +02:00
Rasmus Wriedt Larsen
7e7c363e43 Python: Apply suggestions from code review 
Co-authored-by: yoff <lerchedahl@gmail.com>
 2021-10-29 13:59:36 +02:00
Rasmus Wriedt Larsen
85f00fda19 Merge pull request #6776 from yoff/python/model-asyncpg 
Python: Model `asyncpg`
 2021-10-29 13:54:44 +02:00
Anders Schack-Mulligen
3a1836c9f6 Merge pull request #7000 from aschackmull/dataflow/interface-refactor 
Dataflow: Refactor public references to DataFlowCallable
 2021-10-29 12:21:13 +02:00
Anders Schack-Mulligen
5951ae79b9 Dataflow: Add language specific predicates. 2021-10-29 11:11:35 +02:00
Anders Schack-Mulligen
00df6798b1 Dataflow: Sync 2021-10-29 11:00:23 +02:00
Erik Krogh Kristensen
6fffdf6101 Merge pull request #6855 from erik-krogh/secCookie 
JS: Move cookie queries out of experimental.
 2021-10-29 10:23:48 +02:00
yoff
8f9741ae72 Update python/ql/lib/semmle/python/internal/Awaited.qll 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2021-10-28 19:13:08 +02:00
Erik Krogh Kristensen
15c90adec5 remove redundant cast where the type is enforced by an equality comparison 2021-10-28 18:08:20 +02:00
Erik Krogh Kristensen
e75448ebb0 remove redundant inline casts 2021-10-28 16:35:53 +02:00
Rasmus Wriedt Larsen
a33a8fd518 Python: Support flask.blueprints.Blueprint 
Thanks to @haby0 who originally proposed this as part of
https://github.com/github/codeql/pull/6977
 2021-10-28 14:02:03 +02:00
Rasmus Lerchedahl Petersen
3abe3e43d0 Python: autoformat 2021-10-28 13:58:01 +02:00
Rasmus Wriedt Larsen
8c3349f40f Python: Properly model flask.send_from_directory 
To not include `filename` as path-injection sink.
 2021-10-28 13:41:39 +02:00
Rasmus Wriedt Larsen
228e9e973a Python: Minor flask refactor 2021-10-28 13:36:03 +02:00
Rasmus Lerchedahl Petersen
b3ba75a00f Python: Fix tests by managing local sources 
`API::Node::getAwaited` is restriced to local sources
 2021-10-28 13:22:59 +02:00
Rasmus Wriedt Larsen
6d09334cba Merge pull request #6330 from porcupineyhairs/pyPathTraversal 
Python : Add Flask sinks for path injection query
 2021-10-28 11:39:40 +02:00
Rasmus Wriedt Larsen
3fa66519f5 Merge branch 'main' into fastapi 2021-10-28 11:37:40 +02:00
Rasmus Wriedt Larsen
d9e5d179d2 Python: Minor fix to QLDoc 
and auto-formatting
 2021-10-28 11:15:34 +02:00
yoff
9478faf040 Merge pull request #6967 from RasmusWL/ruamel.yaml 
Python: Model `ruamel.yaml` PyPI package
 2021-10-28 10:19:08 +02:00
Rasmus Lerchedahl Petersen
56dab252c9 Python: remove spurious dataflow step 2021-10-28 09:47:04 +02:00
Porcuiney Hairs
4fd3f212f8 Python : Add Flask sinks for path injection query 2021-10-28 02:12:11 +05:30
Anders Schack-Mulligen
699630af54 Dataflow: Sync. 2021-10-27 13:57:44 +02:00
Anders Schack-Mulligen
034c7f3538 Dataflow: Sync. 2021-10-27 13:57:44 +02:00
Rasmus Lerchedahl Petersen
826f44d98e Python: Share implementation of awaited 2021-10-27 11:41:18 +02:00
Rasmus Lerchedahl Petersen
01ad19b82b Python: correct qldoc 2021-10-27 11:40:57 +02:00
yoff
c850554467 Update python/ql/lib/semmle/python/frameworks/SqlAlchemy.qll 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2021-10-27 11:09:37 +02:00
Rasmus Wriedt Larsen
89e713a25c Python: Update PyYAML comment with 6.0 release 2021-10-26 17:58:06 +02:00
Rasmus Wriedt Larsen
cd6d73d553 Python: Handle kwarg in PyYAML 
Really surprised that we didn't already :|
 2021-10-26 17:48:10 +02:00
Rasmus Wriedt Larsen
1ce09afa08 Python: Add modeling of ruamel.yaml PyPI package 2021-10-26 17:48:10 +02:00
Erik Krogh Kristensen
62e729501c make the RegExpEscape::getUnescaped predicate public in python 2021-10-26 15:25:14 +02:00
Erik Krogh Kristensen
44afa34e37 Merge branch 'main' of github.com:github/codeql into htmlReg 2021-10-26 14:46:27 +02:00
Erik Krogh Kristensen
834d5ec6ad add session{key,id} as sensitive info 2021-10-26 13:46:59 +02:00
Erik Krogh Kristensen
a3c55c2aec use set literal instead of big disjunction of literals 2021-10-26 12:55:25 +02:00
Rasmus Lerchedahl Petersen
8a81d42e6f Python: more logic adjustment 
Not sure why the missing result is missing. There is
and edge with label `getAwaited` from `pkg.async_func` on line 22
to `coro` on line 23.
 2021-10-26 10:57:27 +02:00
Rasmus Lerchedahl Petersen
a8a181a32f Python: adjust logic and add tests 
Due to the way paths a re printed, the tests look surprising
 2021-10-26 09:55:47 +02:00
Erik Krogh Kristensen
e117659dce revert a thing for python 2021-10-25 20:50:18 +02:00
Erik Krogh Kristensen
f4a054ea01 apply range pattern patch to python 2021-10-25 19:38:10 +02:00