hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-19 10:23:15 +01:00
Code Issues Packages Projects Releases Wiki Activity
84,161 Commits 1,671 Branches 157 Tags
codeql-cli-2.23.6
Commit Graph

4040 Commits

Author SHA1 Message Date
Tom Hvitved
f4b82cb2e8 Python: Update expected test output 2022-09-22 15:01:40 +02:00
Rasmus Wriedt Larsen
d3f811cab3 Python: Accept any arg to flask.jsonify 
Thanks @tausbn 👍
 2022-09-22 14:59:06 +02:00
Rasmus Wriedt Larsen
8174120916 Python: Model flask.jsonify 2022-09-22 14:43:39 +02:00
Rasmus Wriedt Larsen
078d3d0062 Python: Add stacktrace exposure example 2022-09-22 14:27:49 +02:00
yoff
18a8a3332d Merge pull request #10494 from RasmusWL/tarslip-test-imports 
Python: Fix imports for tarslip tests
 2022-09-20 20:04:14 +02:00
Rasmus Wriedt Larsen
253d9cf39f Python: Fix imports for tarslip tests 
This doesn't change results, but makes the test-code more valid
 2022-09-20 17:25:46 +02:00
yoff
ea743173d5 Merge pull request #8781 from yoff/python-dataflow/flow-summaries-from-scratch 
Python dataflow: flow summaries restart
 2022-09-20 14:08:31 +02:00
Rasmus Wriedt Larsen
556e93ae68 Merge pull request #10384 from RasmusWL/callnode-getargbyname 
Python: Allow `CallNode.getArgByName` for keyword args after `**kwargs`
 2022-09-19 15:05:59 +02:00
Rasmus Lerchedahl Petersen
37fb27fa1c Python: change type of LibraryCallable::getACall 
The other callables return control flow nodes,
so it is slightly inconsistent for this to return a
data flow node, but it does make models based
on API graphs nicer.
 2022-09-19 14:02:52 +02:00
Erik Krogh Kristensen
a4cd913aea Merge pull request #10312 from erik-krogh/fix-caseDiff 
ensure consistent casing of names
 2022-09-19 10:43:12 +02:00
CodeQL CI
b48808778f Merge pull request #10264 from yoff/python/port-RaisesTuple 
Approved by tausbn
 2022-09-19 00:51:29 -07:00
CodeQL CI
ed4b64b1c4 Merge pull request #10265 from yoff/python/port-UnguardedNextInGenerator 
Approved by tausbn
 2022-09-19 00:50:52 -07:00
Rasmus Lerchedahl Petersen
33b508d6e6 Python: undo change to --max-import-depth 
This is not necessary as long as `LibraryCall` only
includes unresolved calls.
 2022-09-14 12:52:27 +02:00
Rasmus Lerchedahl Petersen
245baa51a3 Python: rename summary map -> list_map, 
since map resolves to a class call

also fix test expectation
 2022-09-14 11:21:16 +02:00
Rasmus Lerchedahl Petersen
f83158ff8b Python: do not stake out too much territory 2022-09-14 10:28:11 +02:00
Rasmus Lerchedahl Petersen
58cfac27d2 Python: adjust expectations to new spelling 2022-09-13 10:10:17 +02:00
Rasmus Lerchedahl Petersen
c1ab66181b Python: format 2022-09-13 08:08:04 +02:00
Rasmus Lerchedahl Petersen
03c243175b Python: fix QL alerts 2022-09-12 23:53:42 +02:00
Rasmus Lerchedahl Petersen
56dcfc2161 Python: --max-import-depth=0 
to avoid nodes in the extracted stdlib

Was there a reason for this depth to be 1?
 2022-09-12 23:25:48 +02:00
Rasmus Lerchedahl Petersen
bf16e220a0 Python: adjust expectations 2022-09-12 22:43:03 +02:00
Rasmus Lerchedahl Petersen
efc5cfb852 Merge branch 'main' of github.com:github/codeql into python-dataflow/flow-summaries-from-scratch 2022-09-12 19:56:16 +02:00
Rasmus Lerchedahl Petersen
0f95992b2f Python: remove NonLibraryDataFlowCallable 
this required managing parameters and their pre-update nodes a bit
 2022-09-12 15:17:29 +02:00
Rasmus Wriedt Larsen
4296ac1ac0 Python: Allow CallNode.getArgByName for keyword args after **kwargs 2022-09-12 15:03:13 +02:00
Rasmus Lerchedahl Petersen
895f5480c2 Python: Added recursion guard 
to ensure that the call graph seen by type tracking
does not include summary calls resolved by type tracking.

(I tried inserting a similar test into the Ruby codebase,
 and it still compiled)

To get this to compile, I had to move the resolution of summary calls
out of the data flow nodes and into the `viableCallable` predicate.
This means that we now have a potential summary call for each
cfg call node. (I tried using the base class, `DataFlowCall`, for this
but calls to `map` got identified as class calls and would no longer
be associated with a summary.)

It is possible that the "NonLIbrary"-layers the were inserted into the
hierarchy can be removed again.
 2022-09-09 22:47:47 +02:00
erik-krogh
26d8553f6e ensure consistent casing of names 2022-09-09 10:34:14 +02:00
Taus
8b8e74cc9a Merge pull request #10314 from RasmusWL/revert-alert-msgs-change 2022-09-08 13:00:47 +02:00
Asger F
6b2ebcce3a Merge pull request #10276 from asgerf/mad-typedef-entry-points 
Add TypeModel hook for adding MaD type-defs from CodeQL
 2022-09-07 14:14:48 +02:00
Rasmus Lerchedahl Petersen
f6d807aec0 Python: Add summary test append_to_list 2022-09-06 18:42:32 +02:00
Taus
0b8bdc0f85 Python: Fix broken test 2022-09-06 16:37:43 +00:00
Taus
3bb7e28712 Merge pull request #10176 from RasmusWL/import-problem 
Python: Add testcase for import problem
 2022-09-06 18:12:37 +02:00
Rasmus Lerchedahl Petersen
4cd41c24c7 Python: remove comments and start design document 2022-09-06 17:23:40 +02:00
Rasmus Lerchedahl Petersen
67c3a9b2f4 Python: resolve library calls in the CFG 
rather than in the AST
 2022-09-06 17:00:28 +02:00
Rasmus Wriedt Larsen
5f6e3dcc2e Python: Revert changes to sensitive data query alert messages 
This partly reverts the changes from https://github.com/github/codeql/pull/10252

Although consistency is nice, the new messages didn't sound as natural.

New alert message would read

> Insecure hashing algorithm (md5) depends on sensitive data (password). (...)

I'm not sure what it means that a hashing algorithm depends on data. So
for me, the original text below is much easier to understand.

> Sensitive data (password) is used in a hashing algorithm (md5) that is insecure (...)

Same goes for the other sensitive data queries.
 2022-09-06 12:01:24 +02:00
Rasmus Wriedt Larsen
d708abfc80 Python: Accept more .expected changes 2022-09-06 10:11:37 +02:00
Rasmus Wriedt Larsen
e979dffc08 Python: Fix variable access from extractor-change 
These changes are from internal PR.
 2022-09-06 10:11:37 +02:00
Rasmus Wriedt Larsen
985e87ccde Python: Add variable scope example with subclass 2022-09-06 10:11:37 +02:00
Rasmus Wriedt Larsen
0e3d520712 Python: Add variables regression test 
As illustrated when running the python file, the non qualified reads in
the `use` method all refer to the global variables, whereas `ex =
func(baz)` are to the things defined on the class.

The important part of the .expected changes is that the _global_
variable `bar` is used inside the function, whereas it's the local
variable for `foo` (on class scope) that is used inside the function
(which is wrong).
 2022-09-06 10:11:37 +02:00
Rasmus Wriedt Larsen
98db1af898 Python: Also show variable access 2022-09-06 10:11:37 +02:00
Rasmus Wriedt Larsen
fd4f60dd1b Python: Adjust variables tests 2022-09-06 10:11:37 +02:00
Rasmus Wriedt Larsen
ebd97f4496 Python: Add type-tracking regession example 2022-09-06 10:11:36 +02:00
Rasmus Lerchedahl Petersen
d31d763328 Python: adjust test expectations 
We now locate a `DataFlow::Node` rather than an 'AstNode`.
 2022-09-05 16:45:43 +02:00
Rasmus Lerchedahl Petersen
5fc1bbc8c5 Python: Only alert on Python 2 code 
since
- Python 3 is ok from 3.7 onwards
- support for Python 3.6 was just dropped
- we do not actually know the minor version of the analysed code
  (only of the extractor)
 2022-09-05 13:38:14 +02:00
erik-krogh
0de0325c8e change the alert-message for py/modification-of-default-value 2022-09-05 13:30:56 +02:00
Rasmus Lerchedahl Petersen
a8a042db57 python: remove illegal option 2022-09-03 20:33:48 +02:00
Asger F
296aa52ef0 Python: Add API::EntryPoint 
Python: add EntryPoint test
 2022-09-03 13:24:46 +02:00
erik-krogh
089ce5a8a4 change alert messages of path queries to use the same template 2022-09-02 14:45:40 +02:00
Rasmus Lerchedahl Petersen
0599e8ac35 python: add version check 
and attempt to set version for tests
 2022-09-01 23:47:07 +02:00
Ahmed Farid
8153b790ad Update test result 2022-08-31 16:01:09 +01:00
Ahmed Farid
56d48e6264 Add more tests 2022-08-31 15:59:51 +01:00
erik-krogh
1d1aa7c8b4 update some expected output 2022-08-25 20:52:30 +02:00