Rasmus Lerchedahl Petersen
9cb83fcdc9
python: add summaries for
...
copy, pop, get, getitem, setdefault
Also add read steps to taint tracking.
Reading from a tainted collection can be done in two situations:
1. There is an acces path
In this case a read step (possibly from a flow summary)
gives rise to a taint step.
2. There is no access path
In this case an explicit taint step (possibly via a flow
summary) should exist.
2023-05-26 14:04:15 +02:00
Rasmus Lerchedahl Petersen
144df9a39e
python: remove explicit dataflow steps
2023-05-26 13:24:22 +02:00
Rasmus Wriedt Larsen
a057365b7e
Python: Accept .expected changes
2023-05-22 11:54:50 +02:00
Rasmus Wriedt Larsen
44d806507d
Merge branch 'main' into python-UBV
2023-05-22 11:53:56 +02:00
yoff
a905917123
Merge pull request #12937 from RasmusWL/fix-module-variable-node
...
Python: Hide `ModuleVariableNode` in data-flow paths
2023-05-03 17:58:26 +02:00
Sim4n6
1fa1a4e268
Add Unicode Bypass Validation query tests and help
2023-05-02 15:09:16 +01:00
yoff
0bc6f10a71
Merge pull request #12220 from amammad/amammad-python-paramiko
...
add some python sinks for paramiko ssh clients
2023-05-01 11:38:50 +02:00
Rasmus Wriedt Larsen
d73289ac4e
Python: Accept .expected changes
2023-04-27 11:54:39 +02:00
amammad
1bf159e9a9
Merge branch 'github:main' into amammad-python-paramiko
2023-04-26 23:28:29 -07:00
Rasmus Wriedt Larsen
7fa84a3613
Python: Only test UnsafeUnpacking with Python 3
...
Apparently the fixup of .expected in the latest commit was only required
when extracting as Python 3, but not as Python 2... I honestly don't
understand why.
2023-04-24 12:29:58 +02:00
Rasmus Wriedt Larsen
b60cab254a
Python: Accept .expected change
2023-04-21 15:25:47 +02:00
Rasmus Wriedt Larsen
f3937a4a12
Python: Update .expected from PostUpdateNode commit
2023-03-30 10:17:33 +02:00
Raul Garcia
cf8a683d7d
Merge branch 'main' into main
2023-03-29 20:27:03 -07:00
Rasmus Wriedt Larsen
86333e3ba5
Python: Remove duplicate results from azure blob query
2023-03-29 11:47:29 +02:00
Rasmus Wriedt Larsen
32d52c023e
Python: Allow any order for azure blob query
...
By only allowing the sink in the state where encryption v1 is used, we
can handle the new case where the order of attribute assignment is
flipped.
However, we get a few too many paths because we can have multiple
sources reaching the same sink... let's fix in next commit.
2023-03-29 11:42:01 +02:00
Rasmus Wriedt Larsen
480f171d9b
Python: Add azure blob tests with swapped order
...
Just shows we need to use some state in the query to get the correct
behavior.
2023-03-29 11:25:37 +02:00
Rasmus Wriedt Larsen
683985a00a
Python: Expand azure blob modeling
...
Now we can differentiate between the classes
2023-03-29 11:24:36 +02:00
Rasmus Wriedt Larsen
8ea6b6f256
Python: Update py/azure-storage/unsafe-client-side-encryption-in-use to use datafow
2023-03-28 10:09:22 +02:00
Rasmus Wriedt Larsen
691ffcd3a4
Python: Add tests of py/azure-storage/unsafe-client-side-encryption-in-use
...
Notice that it doesn't find the potentially unsafe version, or the vuln that spans calls.
2023-03-28 10:05:09 +02:00
Taus
eaf2930205
Python: Accept test changes
...
(These look like they were the result of changes elsewhere in the
analysis.)
2023-03-27 12:17:13 +00:00
Taus
11c89adbe3
Merge branch 'main' into timing-attack-py
2023-03-24 15:40:33 +01:00
amammad
54582031d8
v1
2023-02-16 17:14:32 +01:00
Sim4n6
d7af80136e
Fail tests when missing annotation on sink orfail
2023-02-12 21:27:20 +01:00
Sim4n6
518684b736
Put back the annotation result=BAD
2023-02-12 21:26:12 +01:00
Sim4n6
80d4fb5e33
Organisation TarSlip/UnsafeUnpack into two folders
2023-02-12 10:51:53 +01:00
Sim4n6
b04d5684fb
add a blank line at the end of the file
2023-02-09 15:23:58 +01:00
Sim4n6
a0150849cb
Updated the expected test file
2023-02-02 21:42:47 +01:00
Sim4n6
1a8c9abee2
Incorporate Sink & Source as steps from TarSlipQry
2023-02-02 21:09:40 +01:00
Sim4n6
18d8bbc9a4
Updated the expected results accordingly
2023-01-27 14:05:25 +01:00
Sim4n6
5f0bf1053a
Update the dataflow test query and the expected results
2023-01-27 13:42:57 +01:00
Sim4n6
998f1bf215
Some reformatting
2023-01-26 18:54:36 +01:00
Sim4n6
51b11de44a
Add a Django Upload examples
2023-01-26 15:16:24 +01:00
Sim4n6
54cc4d6498
Opt for any source from RemoteFlowSource.
2023-01-26 12:51:55 +01:00
Sim4n6
aaa0040612
Seperate the dataflow config from the query
2023-01-26 08:53:47 +01:00
Sim4n6
9464940214
Add expected results for argparse source
2023-01-26 01:00:19 +01:00
Sim4n6
2e4cb63049
Optimize the Argparse filename as a source.
2023-01-26 01:00:01 +01:00
Sim4n6
f867c9008f
Commit the expected results
2023-01-26 00:08:54 +01:00
Sim4n6
9b5b0c60b8
Handle the download of a tarball using wget pkg.
2023-01-26 00:02:20 +01:00
Sim4n6
22af6f5182
Restrict download_file() to boto3 lib
2023-01-25 23:00:00 +01:00
Sim4n6
10d6ebf95b
Use of inline tests for dataflow queries
2023-01-25 19:28:05 +01:00
Sim4n6
b5a6f6e165
Merge pull request #1 from github/main
...
Sync with the upstream
2023-01-25 19:13:35 +01:00
Rasmus Lerchedahl Petersen
2edbfbf8bc
python: update test expectations
...
...now the bug is fixed
2023-01-09 20:35:20 +01:00
ALJI Mohamed
9336f4f1a2
Considering the use of contextlib.closing() method
2022-12-08 12:26:59 +01:00
ALJI Mohamed
68fd75ca34
UnpackUnsafe query and tests
2022-12-05 17:20:22 +01:00
ALJI Mohamed
fdbed2a019
Add expected test results without considering inStdLib files.
2022-10-22 09:34:57 +01:00
ALJI Mohamed
0f44268038
Add expected test results
2022-10-21 22:14:55 +01:00
ALJI Mohamed
7d60f1f1c8
Modified the QL ref file and add TarSlip examples
2022-10-21 22:14:00 +01:00
ALJI Mohamed
31a6fb4181
Add TarSlip qlref for query-tests
2022-10-21 21:28:20 +01:00
erik-krogh
4da0508dae
Merge branch 'main' into py-last-msg
2022-10-11 10:49:19 +02:00
erik-krogh
6fdfd40880
changes to address reviews
2022-10-07 22:31:00 +02:00
