hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-20 18:56:32 +01:00
Code Issues Packages Projects Releases Wiki Activity
83,868 Commits 1,672 Branches 157 Tags
codeql-cli-2.23.4
Commit Graph

9591 Commits

Author SHA1 Message Date
yoff
39acc9a40b Merge pull request #4735 from RasmusWL/python-untrusted-flow 
Python: Untrusted data used in external APIs
 2020-12-18 00:15:08 +01:00
yoff
9dd6439e3c Merge pull request #4749 from RasmusWL/command-injection-tests 
Python: Add some command injection tests
 2020-12-17 23:36:06 +01:00
Rasmus Lerchedahl Petersen
638fcab12d Python: Allow path from non-sourceNodes 
This is against the philosophy, but we
have still restricted attributes.
We use this PR to test performance.
 2020-12-15 15:35:16 +01:00
Rasmus Wriedt Larsen
8df186167e Python: Reword QLDoc for class modeling with type-tracking 
As discussed in https://github.com/github/codeql/pull/4797#discussion_r542423387
 2020-12-15 15:15:03 +01:00
Rasmus Wriedt Larsen
050e720770 Python: Minor rewrite 
Co-authored-by: yoff <lerchedahl@gmail.com>
 2020-12-15 12:02:56 +01:00
Rasmus Wriedt Larsen
272feedb69 Merge branch 'main' into stdlib-http-source-modeling 2020-12-15 11:59:23 +01:00
Rasmus Wriedt Larsen
ed53742f03 Python: Fix additional taint-steps for cgi 
So there isn't flow from *any* instance to *any* access of the methods,
but only from the _actual_ instance where the method is accessed.
 2020-12-15 11:41:00 +01:00
Rasmus Lerchedahl Petersen
e64af59667 Merge branch 'main' of github.com:github/codeql into tausbn-python-add-source-nodes 2020-12-15 11:13:35 +01:00
Rasmus Lerchedahl Petersen
a152833a51 Merge branch 'python-add-source-nodes' of https://github.com/tausbn/codeql into tausbn-python-add-source-nodes 2020-12-15 11:13:02 +01:00
Rasmus Wriedt Larsen
ceaaac217e Merge pull request #4798 from yoff/python-reflected-xss-fp-examples 
Python: Add example FP for reflected XSS
 2020-12-14 13:56:24 +01:00
CodeQL CI
0420ac7aac Merge pull request #4820 from RasmusWL/add-pymysql-modeling 
Approved by yoff
 2020-12-14 03:04:24 -08:00
Rasmus Wriedt Larsen
daf418624e Python: Make all PEP249 implementations private 
Since we're still sticking with `private by default` at least for a while longer.
 2020-12-14 10:57:51 +01:00
Rasmus Wriedt Larsen
31d4ea77cb Python: Add modeling of PyMySQL 2020-12-14 10:56:47 +01:00
Rasmus Wriedt Larsen
e7b6400e48 Python: Add tests for PyMySQL 2020-12-14 10:55:01 +01:00
Rasmus Wriedt Larsen
8d8e92eb09 Python: Model execute on a DB connection 2020-12-14 10:33:10 +01:00
Rasmus Wriedt Larsen
18f7dbe865 Python: Adjust PEP249 QLDocs 2020-12-14 10:26:17 +01:00
yoff
9bec9b46e1 Merge pull request #4801 from RasmusWL/sqlite3-support 
Python: Add sqlite3 support
 2020-12-11 13:30:24 +01:00
Rasmus Wriedt Larsen
36e8ef53eb Python: Model sqlite3 as SQL interface 2020-12-09 11:36:18 +01:00
Rasmus Wriedt Larsen
767a246edc Python: Add sqlite3 test 2020-12-09 11:36:17 +01:00
Rasmus Lerchedahl Petersen
a757a69f36 Python: Add example FP 2020-12-08 17:02:05 +01:00
yoff
3bddb946b7 Merge pull request #4773 from RasmusWL/path-injection-improvements 
Python: Path injection improvements
 2020-12-08 14:05:53 +01:00
Rasmus Wriedt Larsen
fabc6fb7d9 Python: Add change-note 2020-12-08 14:04:46 +01:00
Rasmus Wriedt Larsen
ba1ca70858 Python: Add source modeling of stdlib HTTPRequestHandlers 2020-12-08 14:04:15 +01:00
Rasmus Wriedt Larsen
34863721f0 Python: Model cgi.FieldStorage 2020-12-08 14:03:13 +01:00
Rasmus Wriedt Larsen
43688715f5 Python: Add test of stdlib HTTP server facilities 
Just a port of the old tests, except for the fact that I learned
`cgi.FieldStorage()` _should_ be tainted when not specifying any arguments. (and
moved taint-test to own function)

Also clarified how imports of all the .*HTTPRequestHandler works in Python2
 2020-12-08 14:01:55 +01:00
Rasmus Wriedt Larsen
976559889f Python: Reword qhelp text 
Co-authored-by: Felicity Chapman <felicitymay@github.com>
 2020-12-08 11:34:44 +01:00
Rasmus Wriedt Larsen
e5e8ec6ecc Python: Add a few test-cases for barrier guards and references 
I'm not sure references is the best name, but it's the best I could come up with
jsut now
 2020-12-07 15:27:20 +01:00
Rasmus Wriedt Larsen
5aa2c2f9d4 Python: Add command injection regex restricted FP 2020-12-07 15:26:56 +01:00
Rasmus Wriedt Larsen
32b547b3f2 Python: Add example of bad command injection sanitizer 2020-12-07 15:26:55 +01:00
Rasmus Wriedt Larsen
8444654117 Python: Adjust whitespace in command injection test 2020-12-07 15:26:54 +01:00
Rasmus Wriedt Larsen
608ce50399 Python: Expose HTTP verbs in HTTP concept 
Let's discuss whether doing it this way is reasonable, since I'm not 100% sure
whether this fits into "concepts" or not.
 2020-12-04 14:04:56 +01:00
Rasmus Wriedt Larsen
c7ab78f8c2 Python: Add modeling of django class based view handlers 
BUT, since MyCustomViewBaseClass.post (django-v2-v3/testapp/views.py) and
Foo.post (django-v2-v3/routing_test.py) aren't handled, this raises important
question about how to do MRO without points-to :S
 2020-12-04 14:03:59 +01:00
Rasmus Wriedt Larsen
4ead118a31 Python: Add class based route handler in django tests 
Disabled CSRF middleware for now, since it blocked my debugging curl POST requests :(
 2020-12-04 13:27:01 +01:00
Rasmus Wriedt Larsen
ffdbecfbb7 Python: Simplify getARouteHandler for Django 2020-12-04 11:29:52 +01:00
Rasmus Wriedt Larsen
a9ce067e15 Python: Add examples of Path Injection FPs seen 
Not quite sure how to deal with these cases of safe if UNIX-only, otherwise not
safe.

If/when we actually try to deal with these, we also need to figure that
out. We _could_ split this queyr into 3: (1) for path injection on any
platform, (2) path injection on windows, (3) path injection on UNIX. Then
UNIX-only projects could disable the path-injection on windows query. -- that's
my best idea, if you have better ideas, DO tell 👍
 2020-12-03 13:41:55 +01:00
Rasmus Wriedt Larsen
e8f63311ac Python: Model abspath and realpath (for Path Injection) 2020-12-03 13:41:54 +01:00
Rasmus Wriedt Larsen
bd5cf80352 Python: Add Path Injection tests for realpath and abspath 
Not supported currently
 2020-12-03 13:41:53 +01:00
Rasmus Wriedt Larsen
e53ed478ab Python: Highlight os.path.join behavior with absolute paths 2020-12-03 13:41:52 +01:00
Rasmus Wriedt Larsen
4d9f24a24c Python: Rewrite path injection tests 
To match how you would normally structure your application code. In itself not
that important, but makes it easier to add more tests :)
 2020-12-03 13:41:26 +01:00
CodeQL CI
e266cedc84 Merge pull request #4700 from RasmusWL/python-add-code-injection-FP 
Approved by tausbn
 2020-12-02 16:29:21 +00:00
CodeQL CI
6017f25106 Merge pull request #4740 from RasmusWL/fix-json-modeling 
Approved by tausbn
 2020-12-02 16:29:00 +00:00
Taus
9eeaceac2a Merge pull request #4739 from RasmusWL/recrete-regex-fp 
Python: Add regex FP with + for flags
 2020-12-02 13:01:47 +01:00
Rasmus Wriedt Larsen
a08e1db601 Python: Remove leftover note to self in qhelp file 2020-11-30 17:44:18 +01:00
Rasmus Lerchedahl Petersen
289b9e62f9 Python: Add read step for unpacking assignment 2020-11-30 15:30:14 +01:00
Anders Schack-Mulligen
8f2094f0bf Autoformat. 2020-11-30 14:42:38 +01:00
Rasmus Wriedt Larsen
94e90aac39 Python: Only one Unit implementation 
Conflict arose since the Unit in DataFlowPrivate was added in a merged PR.

The behavior from this PR will make it match what java does (931322e4c5/java/ql/src/semmle/code/Unit.qll)
 2020-11-30 14:41:47 +01:00
Rasmus Wriedt Larsen
1eac1995a9 Merge branch 'main' into python-untrusted-flow 2020-11-30 14:38:52 +01:00
Rasmus Lerchedahl Petersen
f345e55951 Python: Adjust test expectations 2020-11-30 14:21:30 +01:00
Rasmus Lerchedahl Petersen
673ff901fb Python: Test for unpacking assignment 2020-11-30 14:18:22 +01:00
Rasmus Wriedt Larsen
4ab3fff973 Python: Fix untrusted data to external API example 
The hmac.digest function was only added in python 3.7, so obviously doesn't work
on Python 2
 2020-11-30 10:42:30 +01:00