hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 17:23:36 +01:00
Code Issues Packages Projects Releases Wiki Activity
83,874 Commits 1,671 Branches 157 Tags
codeql-cli-2.23.5
Commit Graph

932 Commits

Author SHA1 Message Date
Rasmus Lerchedahl Petersen
651f8abba0 Python: Avoid multiple results for toString 2021-06-30 14:39:49 +02:00
Rasmus Lerchedahl Petersen
09e71cfdfd Python: update test expectations 2021-06-30 12:25:29 +02:00
Rasmus Lerchedahl Petersen
e778a65464 Python: Adjust test expectations 
so we can see the light go green.
But we should perhaps do something about those duplicate results.
 2021-06-29 11:29:42 +02:00
Rasmus Lerchedahl Petersen
40ac91eecd Python: Add some tests for exponential ReDoS 
- `KnownCVEs` contain the currently triaged Python CVEs
- `unittest.py` contains some tests constructed by @erik-krogh
- `redos.py` contains a port of `tst.js` from javascript
The expected file has been ported as well with some fixups by @tausbn
 2021-06-28 17:04:49 +02:00
Rasmus Wriedt Larsen
9573048ee8 Python: Port py/clear-text-logging-sensitive-data 2021-06-25 14:35:31 +02:00
Rasmus Wriedt Larsen
a9469b73d9 Python: Port py/clear-text-storage-sensitive-data 2021-06-24 17:39:08 +02:00
Rasmus Wriedt Larsen
e2facd0981 Python: Expand cleartext query tests 2021-06-23 10:50:04 +02:00
Rasmus Wriedt Larsen
5506365b0e Python: Split cleartext tests 2021-06-23 10:50:04 +02:00
Rasmus Wriedt Larsen
dee93783a2 Python: Update .expected for py/weak-sensitive-data-hashing 
Now there is a path from the _imports_ of the functions that would
return sensitive data, so we produce more alerts.

I'm not entirely happy about this "double reporting", but I'm not sure
how to get around it without either:

1. disabling the extra taint-step for calls. Not ideal since we would
   loose good sources.
2. disabling the extra sources based on function name. Not ideal since
   we would loose good sources.
3. disabling the extra sources based on function name, for those calls
   that would be handled with the extra taint-step for calls. Not ideal
   since that would require running the data-flow query initially to
   prune these out :|

So for now, I think the best approach is to accept some risk on this,
and ship to learn :)
 2021-06-11 13:56:55 +02:00
CodeQL CI
a241c114da Merge pull request #5836 from RasmusWL/ec-class-improvement 
Approved by tausbn
 2021-06-10 06:20:56 -07:00
Rasmus Wriedt Larsen
97fadd9970 Merge branch 'main' into port-weak-crypto-algorithm 2021-05-18 14:04:18 +02:00
Rasmus Wriedt Larsen
d50f22504e Python: Fix .expected 2021-05-05 14:07:15 +02:00
CodeQL CI
84d43946de Merge pull request #5755 from RasmusWL/non-alert-data-part1 
Approved by tausbn
 2021-04-29 02:51:34 -07:00
Rasmus Wriedt Larsen
f2b4e31e7f Python: Make Diagnostics tests pass 
I had comitted a bad .expected file it seems, and since the encoding for UTF-8
is named differently from Python 2 to Python 3, we're only going to run the test
for one version.
 2021-04-28 10:21:59 +02:00
Rasmus Wriedt Larsen
deb3db3f95 Python: Add non-alert data for extractor diagnostics 
This is basically just a port of the C++/JS queries added in:

- https://github.com/github/codeql/pull/5414 (C++)
- https://github.com/github/codeql/pull/5656 (JS)

SyntaxError should capture all errors we have information about. At least in
`python/ql/src/semmlecode.python.dbscheme` the only match for `error` is
`py_syntax_error_versioned` (which `SyntaxError` is based on).
 2021-04-23 13:29:44 +02:00
Rasmus Wriedt Larsen
354dee1b09 Python: Add non-alert data for lines of code 
`py/summary/lines-of-code` is just a port of the C++/JS queries added in:

- https://github.com/github/codeql/pull/5271 (C++)
- https://github.com/github/codeql/pull/5304 (JS)

We are the first to implement the `lines-of-user-code` query, so nothing to
compare with in other languages -- but it makes a lot of sense to do for Python 👍
 2021-04-23 13:22:18 +02:00
Rasmus Wriedt Larsen
ac83c695ad Python: Add py/weak-sensitive-data-hashing query 2021-04-22 15:23:41 +02:00
Rasmus Wriedt Larsen
56c409737d Python: Port py/weak-cryptographic-algorithm 
The other query (py/weak-sensitive-data-hashing) is added in future commit
 2021-04-22 15:23:38 +02:00
Rasmus Wriedt Larsen
cf64701bcb Python: Move weak-crypto-algorithm tests to own folder 2021-04-22 14:51:13 +02:00
Rasmus Lerchedahl Petersen
9c893cb0f4 Merge branch 'main' of github.com:github/codeql into python-port-insecure-protocol 2021-04-20 16:33:03 +02:00
Rasmus Lerchedahl Petersen
9f91dde76f Python: Update test expectation after comment 2021-04-12 09:58:06 +02:00
yoff
38daeb4df2 Apply suggestions from code review 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2021-04-07 15:50:51 +02:00
Rasmus Lerchedahl Petersen
a0e3e3afaf Python: adjust test expectations 2021-04-07 08:22:36 +02:00
Rasmus Lerchedahl Petersen
094d2f3b7d Python: clean up tests 2021-04-06 22:59:58 +02:00
Rasmus Lerchedahl Petersen
1be2be843d Python: update test expectations 2021-03-26 13:08:23 +01:00
Rasmus Lerchedahl Petersen
c93e0c08fd Merge branch 'python-port-insecure-protocol' of github.com:yoff/codeql into python-port-insecure-protocol 2021-03-26 00:26:33 +01:00
yoff
54dad57cf4 Update python/ql/test/query-tests/Security/CWE-327/pyOpenSSL_fluent.py 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2021-03-26 00:25:40 +01:00
Rasmus Lerchedahl Petersen
2b257318f1 Python: more precise comment 2021-03-25 23:22:24 +01:00
Rasmus Wriedt Larsen
bd4934380a Python: Remove code duplication library 2021-03-25 15:27:55 +01:00
yoff
164b383fda Update python/ql/test/query-tests/Security/CWE-327/pyOpenSSL_fluent.py 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2021-03-19 19:12:13 +01:00
Rasmus Lerchedahl Petersen
e0e6d5724e Merge branch 'main' of github.com:github/codeql into python-port-insecure-protocol 2021-03-18 23:34:53 +01:00
yoff
746e9948b0 Merge pull request #5075 from RasmusWL/crypto 
Python: Port py/weak-crypto-key to use type-tracking
 2021-03-18 20:53:28 +01:00
Rasmus Wriedt Larsen
315127d888 Python: Also test py/insecure-default-protocol on Python 3 2021-03-17 14:53:36 +01:00
Rasmus Wriedt Larsen
fbbec5d2b9 Merge pull request #5118 from yoff/python-port-stacktrace-exosure 
Python: Port stack trace exposure
 2021-03-16 14:52:44 +01:00
Rasmus Wriedt Larsen
50978364a6 Merge pull request #5246 from yoff/python-port-insecure-default-protocol 
Python: Port insecure default protocol
 2021-03-16 14:30:19 +01:00
Rasmus Lerchedahl Petersen
6fff746b16 Merge branch 'main' of github.com:github/codeql into python-port-insecure-protocol 2021-03-15 17:37:28 +01:00
Rasmus Lerchedahl Petersen
514a69c47a Python: Support ssl.PROTOCOL_TLS_SERVER 
and `ssl.PROTOCOL_TLS_CLIENT`
 2021-03-15 17:30:01 +01:00
Rasmus Lerchedahl Petersen
87f3ba2684 Python: add tests for ssl.PROTOCOL_TLS_SERVER 
and `ssl.PROTOCOL_TLS_CLIENT`
 2021-03-15 17:24:39 +01:00
Rasmus Lerchedahl Petersen
731f4559b4 Python: update test expectations 2021-03-15 17:23:58 +01:00
Rasmus Lerchedahl Petersen
4094b18407 Python: Clean up tests 2021-03-15 16:28:08 +01:00
Taus
dfc0e9b906 Merge pull request #5243 from RasmusWL/port-bind-to-all-interfaces 
Python: Port py/bind-socket-all-network-interfaces query
 2021-03-12 16:04:19 +01:00
Rasmus Lerchedahl Petersen
7142ddcb25 Python: add taint step for __traceback__ 2021-03-08 08:13:07 +01:00
Rasmus Lerchedahl Petersen
b36e0d0be7 Python: target SSA variable rather than Cfg node 
also add "INTERNAL: Do not use."
also give test functions different names
 2021-03-08 08:04:42 +01:00
Rasmus Lerchedahl Petersen
296297915c Python: add test for __traceback__ 2021-03-07 17:50:28 +01:00
yoff
d17246ce2b Merge pull request #5255 from RasmusWL/port-flask-debug 
Python: port py/flask-debug query
 2021-03-05 09:39:14 +01:00
Rasmus Lerchedahl Petersen
7d556b354d Python: Update test annotation and expectation 2021-03-05 09:16:35 +01:00
Rasmus Lerchedahl Petersen
9f8a028dfc Python: add .expected-file 2021-03-04 00:12:34 +01:00
Rasmus Lerchedahl Petersen
d02c529872 Python: Update annotation 2021-03-04 00:06:36 +01:00
Rasmus Lerchedahl Petersen
cbbc7b2bcd Python: support unrestrictions 
Also pyOpenSSL allows SSL 2 and SSL 3 on `SSLv23`
 2021-03-03 23:42:48 +01:00
Rasmus Lerchedahl Petersen
7a1d953fca Python: More tests 2021-03-03 17:50:47 +01:00