codeql

mirror of https://github.com/github/codeql.git synced 2025-12-17 09:13:20 +01:00

Author	SHA1	Message	Date
Rasmus Wriedt Larsen	fc8633cc01	Python: Fix select for `py/cookie-injection`	2022-05-11 13:18:14 +02:00
Rasmus Wriedt Larsen	d127d2164a	Merge branch 'main' into jorgectf/python/insecure-cookie	2022-05-11 11:13:47 +02:00
Rasmus Wriedt Larsen	7e87e18b32	Python: Adjust name/description/select of `PamAuthorization.ql` Thought that calling out the actual vulnerability would make things easier for our end users :)	2022-05-10 18:02:17 +02:00
Rasmus Wriedt Larsen	cb17e2a649	Merge pull request #8595 from porcupineyhairs/pypam Python : Add query to detect PAM authorization bypass	2022-05-10 13:35:12 +02:00
Rasmus Wriedt Larsen	2421076d2f	Merge pull request #8696 from RasmusWL/new-nosql-examples Python: Improve experimental modeling for `pymongo`	2022-05-10 11:03:05 +02:00
Rasmus Wriedt Larsen	c218162104	Merge branch 'main' into pypam	2022-05-09 14:20:05 +02:00
Rasmus Wriedt Larsen	3c1a37e7e1	Merge branch 'main' into new-nosql-examples	2022-05-02 11:21:36 +02:00
${sleep,7}	b5734ed6a2	Merge branch 'main' into jty/python/emailInjection	2022-04-20 09:50:08 -04:00
Rasmus Wriedt Larsen	bb6969a175	Merge branch 'main' into promote-xxe	2022-04-20 13:42:02 +02:00
Rasmus Wriedt Larsen	6235dc5039	Python: Handle `find_library` assignment to temp variable	2022-04-13 11:44:15 +02:00
Porcupiney Hairs	785dc1af3c	Include changes from review	2022-04-12 21:17:39 +05:30
Taus	3d14c5f3c3	Python: Update tests We need to import `tty` in order to be able to detect the standard library correctly.	2022-04-08 23:20:47 +02:00
Rasmus Wriedt Larsen	517444b5ff	Python: Fix `SimpleXmlRpcServer.expected`	2022-04-07 16:42:40 +02:00
Rasmus Wriedt Larsen	ec66f26ade	Python: Handle `get_collection` on pymongo DB	2022-04-07 16:32:20 +02:00
Rasmus Wriedt Larsen	89eeaf85d5	Python: Handle `get_database` on `MongoClient` instance	2022-04-07 16:31:17 +02:00
Rasmus Wriedt Larsen	81fdc1bd78	Python: Add more `pymongo` NoSQL tests	2022-04-07 16:22:16 +02:00
Rasmus Wriedt Larsen	30fff1cf8b	Python: Merge pymongo NoSQL tests	2022-04-07 16:04:25 +02:00
Ahmed Farid	29f69bde75	Update zipslip_bad.py	2022-04-05 12:46:51 +00:00
Rasmus Wriedt Larsen	4abab22066	Python: Promote XXE and XML-bomb queries Need to write a change-note as well, but will do that tomorrow	2022-03-31 18:47:50 +02:00
Rasmus Wriedt Larsen	c365337867	Python: Delete `XmlEntityInjection.ql` Kept the test of SimpleXmlRpcServer, and kept the qhelp so it can be used to write the new qhelp files	2022-03-31 09:52:55 +02:00
Rasmus Wriedt Larsen	91795b8577	Python: Add simple test of Xxe/XmlBomb Note that most of the testing happens in the framework specific tests, with an inline-expectation test	2022-03-31 09:52:54 +02:00
Porcupiney Hairs	92033047a5	Python : Add query to detect PAM authorization bypass Using only a call to `pam_authenticate` to check the validity of a login can lead to authorization bypass vulnerabilities. A `pam_authenticate` only verifies the credentials of a user. It does not check if a user has an appropriate authorization to actually login. This means a user with a expired login or a password can still access the system. This PR includes a qhelp describing the issue, a query which detects instances where a call to `pam_acc_mgmt` does not follow a call to `pam_authenticate` and it's corresponding tests. This PR has multiple detections. Some of the public one I can find are : * [CVE-2022-0860](https://nvd.nist.gov/vuln/detail/CVE-2022-0860) found in [cobbler/cobbler](https://www.github.com/cobbler/cobbler) * [fredhutch/motuz](https://www.huntr.dev/bounties/d46f91ca-b8ef-4b67-a79a-2420c4c6d52b/)	2022-03-30 00:47:58 +05:30
Ahmed Farid	53f756b078	Update ZipSlip.expected	2022-03-28 08:54:44 +00:00
Ahmed Farid	a50f051cdd	Update zipslip_bad.py	2022-03-28 01:38:58 +00:00
Ahmed Farid	f364e41dbe	Update ZipSlip.expected	2022-03-28 01:02:38 +00:00
Ahmed Farid	a8c14ed6c3	Update zipslip_bad.py	2022-03-28 01:00:38 +00:00
Ahmed Farid	8dea7248ea	Update zipslip_bad.py	2022-03-24 00:34:52 +01:00
Ahmed Farid	a05318f10c	Update zipslip_good.py	2022-03-24 00:32:11 +01:00
Ahmed Farid	1836723ecb	Merge branch 'main' into ZipSlip	2022-03-23 19:27:12 -04:00
Mathias Vorreiter Pedersen	abe30457ee	Python: Accept test changes.	2022-03-17 14:03:58 +01:00
Erik Krogh Kristensen	f3ca6bbc2e	PY: update expected output after fixing bug in flask model	2022-03-17 09:42:30 +01:00
haby0	4195eef9ba	Add CSV injection model	2022-03-15 15:15:38 +08:00
Taus	4ee4bba4d1	Merge branch 'main' into ZipSlip	2022-03-10 13:30:51 +01:00
Ahmed Farid	23bd53a325	Update zipslip_good.py	2022-03-08 23:55:17 +01:00
Rasmus Wriedt Larsen	6b14c1d6b9	Merge branch 'main' into jorgectf/python/deserialization	2022-03-08 11:15:03 +01:00
Ahmed Farid	3b8c7e8944	Update ZipSlip.expected	2022-03-07 10:11:34 +01:00
Ahmed Farid	8402d661df	Update zipslip_bad.py	2022-03-07 10:11:00 +01:00
Ahmed Farid	35a1c80ceb	Update zipslip_bad.py	2022-03-07 00:24:45 +01:00
Ahmed Farid	6233309028	Update ZipSlip.expected	2022-03-07 00:23:48 +01:00
Ahmed Farid	e8449d8f40	Update zipslip_bad.py	2022-03-07 00:23:03 +01:00
Ahmed Farid	b7d4715c4e	Create ZipSlip.expected	2022-03-07 00:06:24 +01:00
Ahmed Farid	908db6a05f	Update zipslip_bad.py	2022-03-07 00:01:09 +01:00
Ahmed Farid	7f2d242702	Update zipslip_good.py	2022-03-06 23:59:11 +01:00
Ahmed Farid	be7c619ca8	Update zipslip_bad.py	2022-03-04 00:48:45 +01:00
Rasmus Wriedt Larsen	f72f673e7e	Python: Update `XmlEntityInjection.expected` I had forgotten about this, but better late than never... also added a small representative test	2022-03-03 21:18:18 +01:00
Rasmus Wriedt Larsen	2451123c67	Python: Move XML PoC to new test dir	2022-03-03 21:18:18 +01:00
Rasmus Wriedt Larsen	c739ae40b6	Python: Port `xmltodict` tests	2022-03-03 21:18:18 +01:00
Rasmus Wriedt Larsen	0b12d91817	Python: Port xml.sax tests	2022-03-03 21:18:18 +01:00
Rasmus Wriedt Larsen	5fb4c4d152	Python: Port xml.etree tests	2022-03-03 20:51:02 +01:00
Rasmus Wriedt Larsen	a7134cac2e	Python: Port xml.dom tests	2022-03-03 20:39:56 +01:00

... 3 4 5 6 7 ...

470 Commits