hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-19 18:33:16 +01:00
Code Issues Packages Projects Releases Wiki Activity
84,161 Commits 1,671 Branches 157 Tags
codeql-cli-2.23.6
Commit Graph

4040 Commits

Author SHA1 Message Date
Erik Krogh Kristensen
49276b1f38 Merge branch 'main' into refacReDoS 2022-08-09 16:18:46 +02:00
Rasmus Wriedt Larsen
f89b32183f Merge branch 'main' into typetracker-decorators 2022-08-08 11:52:09 +02:00
Ahmed Farid
ae4ded08fa Update and rename TimingAttackAgainstHeader.qlref to TimingAttackAgainstHeaderValue.qlref 2022-08-04 12:42:52 +01:00
Rasmus Wriedt Larsen
3d0c23e441 Python: Accept .expected for TarSlip 
Changed after merging https://github.com/github/codeql/pull/9579,
which improved our handling of `not` for guards.
 2022-08-03 09:52:11 +02:00
Rasmus Wriedt Larsen
1737d08145 Merge pull request #9579 from yoff/python/more-logic-tests 
Python: Improve `BarrierGuard`
 2022-08-01 11:36:11 +02:00
Ahmed Farid
813e2394f7 Merge branch 'main' into timing-attack-py 2022-07-27 14:40:55 +01:00
Ahmed Farid
e3340c9345 Update TimingAttackAgainstSensitiveInfo.py 2022-07-27 00:25:42 +01:00
Ahmed Farid
ad57ff4def Rename PossibleTimingAttackAgainstSignature.qlref to PossibleTimingAttackAgainstHash.qlref 2022-07-26 23:56:24 +01:00
Ahmed Farid
f35985097d Update and rename PossibleTimingAttackAgainstSignature.expected to PossibleTimingAttackAgainstHash.expected 2022-07-26 23:50:44 +01:00
Ahmed Farid
4f082e28e5 Update and rename TimingAttackAgainstSignature.py to TimingAttackAgainstHash.py 2022-07-20 12:26:57 +01:00
Ahmed Farid
b3925ae988 Update PossibleTimingAttackAgainstSignature.qlref 2022-07-20 00:57:26 +01:00
Erik Krogh Kristensen
ff25451699 rename query to overly-large-range, and rewrite the @description 2022-07-12 16:02:46 +02:00
yoff
f52d792b36 Merge branch 'main' of https://github.com/github/codeql into python-dataflow/flow-summaries-from-scratch 2022-07-01 12:01:07 +00:00
yoff
61523bd330 python: better names 
- "Normal" instead of "NonSpecial"
- "NonLibrary" instead of "2"

I could not find a good replacement for "NonLibrary", nor for "Source",
but I added QLDocs in a few places to help the reading.
 2022-07-01 11:55:20 +00:00
yoff
71583bf6be python: fix import of AccessPathSyntax 2022-07-01 08:48:55 +00:00
yoff
1105cd569b Merge branch 'main' into python/port-tarslip 2022-06-28 22:17:28 +02:00
yoff
6087bc6888 Merge branch 'main' into python/more-logic-tests 2022-06-28 22:16:38 +02:00
Asger F
a522562f93 Merge pull request #9369 from asgerf/python/api-graph-api 
Python: API graph renaming and documentation
 2022-06-28 14:48:12 +02:00
Erik Krogh Kristensen
a343ceaf8b add suspicious-regexp-range query 2022-06-28 09:49:27 +02:00
Rasmus Lerchedahl Petersen
a1fe8a5b2b python: handle not in BarrierGuard 
in the program
```python
if not is_safe(path):
  return
```
the last node in the `ConditionBlock` is `not is_safe(path)`,
so it would never match "a call to is_safe".
Thus, guards inside `not` would not be part of `GuardNode`
(nor `BarrierGuard`). Now they can.
 2022-06-27 20:10:47 +00:00
Rasmus Lerchedahl Petersen
882000afb3 python: not is confusing our logic 
- added `is_unsafe`
- added "negated version" of two tests.
These versions do not use `not` and the analysis gets the taint right.
 2022-06-27 20:10:47 +00:00
root
655b9d4262 Python: Timing attack 2022-06-27 12:18:45 -04:00
Rasmus Wriedt Larsen
9e154ff4bd Merge branch 'main' into python/port-tarslip 2022-06-27 14:36:15 +02:00
Erik Krogh Kristensen
13482fc97b rename ReDoSUtil to NfaUtils, and rename the "performance" folder to "regexp" 2022-06-23 14:36:25 +02:00
Erik Krogh Kristensen
7fb3d81d2f add further normalization of char classses 2022-06-23 14:36:25 +02:00
Rasmus Wriedt Larsen
3248f7b423 Merge pull request #9649 from RasmusWL/certificate-modeling 
Python/JS/Ruby: Ignore common words (like certain) as sensitive data source
 2022-06-23 12:04:58 +02:00
yoff
140dc1a61e merge in main 2022-06-23 09:05:32 +00:00
yoff
8bf60301da python: we have hidden isParameterOf 
but now allow a clear alternative
 2022-06-23 08:57:50 +00:00
yoff
fe0c5d8ee5 python: make ArgumentNode publicly usable 
- add `getCall`
 2022-06-23 08:48:55 +00:00
yoff
cedf9ef538 python: make DataFlowCall "publicly usable" 
- add `getCallable`, `getArg` and `getNode`
- these are `none` for summary calls
- revert "external" uses (they had been changed to `DataFlowSourceCall`)
 2022-06-23 08:32:23 +00:00
Rasmus Wriedt Larsen
4be375521f Python: Handle _ in sensitive-data-sources 2022-06-22 11:05:14 +02:00
Rasmus Wriedt Larsen
4a844312f4 Python: _ in var name not handled by sensitive-data-sources 2022-06-22 11:05:14 +02:00
Rasmus Wriedt Larsen
5dc2bb717a Python: ignore common words (certain/concert) as sensitive source 2022-06-22 11:05:05 +02:00
Anders Schack-Mulligen
df6d68b215 Merge pull request #9618 from aschackmull/dataflow/deprecate-barrierguard-class 
Dataflow: Deprecate BarrierGuard class
 2022-06-22 10:44:08 +02:00
Rasmus Wriedt Larsen
abdcfd55c3 Python: uncertainty is treated as a certificate :O 2022-06-22 10:16:28 +02:00
yoff
dd69100dcd python: ParameterNode -> SourceParameterNode 2022-06-21 12:55:22 +00:00
Asger F
b096f9ec72 Python: Rename getAUse -> getAValueReachableFromSource 2022-06-21 12:44:06 +02:00
Asger F
181a53bd03 Python: Rename getAnImmediateUse -> asSource 2022-06-21 12:44:06 +02:00
Asger F
60fde3c031 Python: Rename getARhs -> asSink 2022-06-21 12:44:06 +02:00
Anders Schack-Mulligen
a7c268f804 Python: adjust test. 2022-06-20 15:46:38 +02:00
Anders Schack-Mulligen
f473a0a961 Python: Deprecate and replace BarrierGuard class. 2022-06-20 15:46:38 +02:00
Rasmus Wriedt Larsen
ae44a941f9 Merge pull request #9421 from RasmusWL/inline-brackets 
Inline Expectation Tests: Allow `tag[foo bar]`
 2022-06-20 10:01:19 +02:00
Taus
3a328f6a3f Merge pull request #6570 from yoff/python/broaden-noqa-regex 
Python: Broaden noqa regex to allow comments
 2022-06-17 23:56:39 +02:00
Rasmus Wriedt Larsen
5fb41e4894 Inline Expectation Tests: Disallow tag[[[foo bar] 2022-06-17 17:36:04 +02:00
Taus
9bf2eb55ca Python: Allow whitespace before colon 
As suggested by @DimitriPapadopolous.

Also fixes the test output to account for the `noqa` annotation (with
added comment) that we're now detecting.
 2022-06-16 11:16:58 +02:00
Rasmus Wriedt Larsen
d6e68258a4 Python: API-graphs: allow class decorators in .getASubclass() 2022-06-15 17:30:34 +02:00
Rasmus Wriedt Larsen
5f32f898d5 Python: API-graphs: test class decorators and subclass 
A class decorator could change the class definition in any way.

In this specific case, it would be better if we allowed the subclass to
be found with API graphs still.

inspired by
c2250cfb80/tests/auth_tests/test_views.py (L40-L46)
 2022-06-15 16:16:34 +02:00
Rasmus Wriedt Larsen
b2c8e0fe8d Python: Add comment to test 2022-06-15 15:59:54 +02:00
Rasmus Wriedt Larsen
24c9aff2fc Python: Fix a type-tracking test 2022-06-15 15:58:17 +02:00
yoff
f14a90ff09 Merge pull request #9200 from tausbn/python-modernise-weak-file-permissions-query 
Python: Modernise weak file permissions query
 2022-06-15 14:37:17 +02:00