hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-21 19:26:31 +01:00
Code Issues Packages Projects Releases Wiki Activity
84,161 Commits 1,672 Branches 157 Tags
codeql-cli-2.23.6
Commit Graph

9600 Commits

Author SHA1 Message Date
erik-krogh
c15f63ce62 sync files 2022-11-01 21:35:27 +01:00
Dave Bartolomeo
9d5e5e3ee7 ${workspace} all the things 2022-11-01 13:29:05 -04:00
Rasmus Wriedt Larsen
ead0844174 Merge pull request #10998 from RasmusWL/essa-use-use-test 
Python: Add failing ESSA use-use test
 2022-10-31 10:38:26 +01:00
Chris Smowton
ee63e60bb7 qlpacks: libraryPathDependencies -> dependencies 2022-10-28 16:07:36 +01:00
Rasmus Wriedt Larsen
a04c78ab94 Python: Apply suggestions from code review 
Co-authored-by: yoff <lerchedahl@gmail.com>
 2022-10-28 15:31:42 +02:00
Rasmus Wriedt Larsen
8628ff5e52 Merge pull request #10999 from RasmusWL/inline-fail-tag 
InlineExpectationsTest: Fail if missing `getARelevantTag`
 2022-10-28 10:35:49 +02:00
Rasmus Wriedt Larsen
e8fdff7a3b Python: Expand ExternalAPIs test 
We never had a showcase of how keyword arguments were handled
 2022-10-28 09:38:02 +02:00
Rasmus Wriedt Larsen
6577281bed Python: Add crosstalk fieldflow test 2022-10-28 09:31:16 +02:00
Rasmus Wriedt Larsen
c1b2561598 Python: Extend fieldflow tests with bound method call 2022-10-28 09:31:16 +02:00
Rasmus Wriedt Larsen
0f34752f8f Python: Delete classesCallGraph.ql 
I don't see the value from this, so just going to outright delete it.
(it actually stayed alive for quite some time in the original git history,
but never seemed to be that useful.)
 2022-10-28 09:31:01 +02:00
Rasmus Wriedt Larsen
7d8c0c663f Python: Remove dataflow/coverage/dataflow.ql 
The selected edges is covered by `NormalDataflowTest.ql` now... and
reading the test-output changes in `edges` is just going to make commits
larger while not providing any real value.
 2022-10-28 09:29:32 +02:00
Rasmus Wriedt Larsen
609a4cfd42 Python: validate tests in datamodel.py 
And adopt argument passing tests as well.

turns out that `C.staticmethod.__func__` doesn't actually work :O
 2022-10-28 09:29:32 +02:00
Rasmus Wriedt Larsen
39081e9c1c Python: Fix staticmethod datamodel test 2022-10-28 09:29:32 +02:00
Taus
503cc560cf Merge pull request #10943 from bananabr/main 
Javascript/Python: Tokens built from predictable UUIDs
 2022-10-27 14:12:34 +02:00
Rasmus Wriedt Larsen
adf109b624 Merge branch 'main' into inline-fail-tag 2022-10-27 13:42:32 +02:00
Jeroen Ketema
1d7efd8e82 Merge pull request #10905 from jsoref/spelling-code-scanning-product 
Spelling code scanning product
 2022-10-27 12:55:37 +02:00
Rasmus Wriedt Larsen
dbd84b2d37 InlineExpectationsTest: Add quote around missing tag 
To aid with quickly scanning where the missing tag is. I just had to do
this myself looking over some test failures, and it all just blurred
into each other in the logs.

see https://github.com/github/codeql/actions/runs/3332266045/jobs/5512944867#step:5:467
 2022-10-27 09:02:28 +02:00
Rasmus Wriedt Larsen
76e84ef63a InlineExpectationsTest: Fail if missing getARelevantTag 2022-10-26 18:20:37 +02:00
Rasmus Wriedt Larsen
bfe9aa1225 InlineExpectationsTest: Add test showing what happens if you leave out getARelevantTag 2022-10-26 18:00:03 +02:00
Rasmus Wriedt Larsen
b3f29b0a53 Python: Add failing ESSA use-use test 
I initially created this as a dataflow test, but then realized it could
just be an ESSA test. I cound't find any existing ESSA tests though :|
so created a new dir for it.
 2022-10-26 17:49:33 +02:00
Daniel Santos
feece6f7b4 Merge branch 'github:main' into main 2022-10-25 10:43:20 -05:00
Daniel Santos
5b080481aa TokenBuiltFromUuid formatting 2022-10-25 09:51:48 -05:00
Daniel Santos
b8d60edb49 TokenBuiltFromUuid isAdditionalTaintStep refactor 2022-10-25 09:51:07 -05:00
Daniel Santos
375edf7455 TokenAssignmentValueSink refactor 2022-10-25 09:50:04 -05:00
yoff
9d542f1be9 Merge pull request #10887 from Sim4n6/TarSlipImprov 
Python: Add TarSlip Improv query
 2022-10-25 13:02:52 +02:00
Daniel Santos
5ab068a3cc Update python/ql/src/experimental/Security/CWE-340/TokenBuiltFromUUID.ql 
Co-authored-by: Taus <tausbn@github.com>
 2022-10-24 11:55:21 -05:00
Daniel Santos
be8780742b Update python/ql/src/experimental/Security/CWE-340/TokenBuiltFromUUID.ql 
You are totally right! I just scanned the module's document and assumed it would implement it all. Pasting the documentation here for future reference https://docs.python.org/3/library/uuid.html?highlight=uuid#uuid.UUID.

Co-authored-by: Taus <tausbn@github.com>
 2022-10-24 11:49:17 -05:00
Daniel Santos
a2ad924376 Minor formatting fixes 2022-10-24 09:38:17 -05:00
Daniel Santos
066ffb7520 Tokens built from predictable UUIDs 2022-10-22 11:15:43 -05:00
ALJI Mohamed
92a3846102 Fix query to omit sinks within std lib files 2022-10-22 09:35:55 +01:00
ALJI Mohamed
fdbed2a019 Add expected test results without considering inStdLib files. 2022-10-22 09:34:57 +01:00
ALJI Mohamed
0f44268038 Add expected test results 2022-10-21 22:14:55 +01:00
ALJI Mohamed
7d60f1f1c8 Modified the QL ref file and add TarSlip examples 2022-10-21 22:14:00 +01:00
ALJI Mohamed
7319052495 Delete the examples/ 2022-10-21 21:47:00 +01:00
ALJI Mohamed
31a6fb4181 Add TarSlip qlref for query-tests 2022-10-21 21:28:20 +01:00
Sim4n6
925f9d09e5 Update python/ql/src/experimental/Security/CWE-022bis/TarSlipImprov.ql 
Co-authored-by: yoff <lerchedahl@gmail.com>
 2022-10-21 21:06:51 +01:00
Arthur Baars
a56ed88db2 Merge pull request #10920 from github/post-release-prep/codeql-cli-2.11.2 
Post-release preparation for codeql-cli-2.11.2
 2022-10-21 11:58:12 +02:00
github-actions[bot]
be7693283b Post-release preparation for codeql-cli-2.11.2 2022-10-21 08:07:17 +00:00
Rasmus Wriedt Larsen
ad915e2698 Python: add debug based on location snippet 2022-10-20 21:20:24 +02:00
Arthur Baars
45c9a0d0b1 Apply suggestions from code review 
Co-authored-by: Jeroen Ketema <93738568+jketema@users.noreply.github.com>
 2022-10-20 15:22:29 +02:00
Josh Soref
474aef438b spelling: connection 
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
 2022-10-20 08:18:23 -04:00
github-actions[bot]
9a0848bbc4 Release preparation for version 2.11.2 2022-10-20 11:05:19 +00:00
ALJI Mohamed
9163cbec09 Restrict the reach for an additional taint step 2022-10-19 16:08:49 +01:00
ALJI Mohamed
25a7fcffc0 Add an additional taint step 2022-10-19 16:01:34 +01:00
ALJI Mohamed
d6fa745279 Add TarSlip Improv query 2022-10-19 14:01:40 +01:00
Taus
58754982ce Python: Update type tracking tests 
No longer missing! 🎉
 2022-10-17 14:34:10 +00:00
Taus
ad13fbaeb6 Python: Add tests 
A slightly complicated test setup. I wanted to both make sure I captured
the semantics of Python and also the fact that the kinds of global flow
we expect to see are indeed present.

The code is executable, and prints out both when the execution reaches
certain files, and also what values are assigned to the various
attributes that are referenced throughout the program. These values are
validated in the test as well.

My original version used introspection to avoid referencing attributes
directly (thus enabling better error diagnostics), but unfortunately
that made it so that the model couldn't follow what was going on.

The current setup is a bit clunky (and Python's scoping rules makes it
especially so -- cf. the explicit calls to `globals` and `locals`), but
I think it does the job okay.
 2022-10-17 14:29:41 +00:00
Taus
651afaf11b Python: Hook up new implementation 
Left as its own commit, as otherwise the diff would have been very
confusing.
 2022-10-17 14:29:41 +00:00
Taus
0051ba1596 Python: Add new module resolution implementation 
A fairly complicated bit of modelling, mostly due to the quirks of
how imports are handled in Python.

A few notes:

- The handling of `__all__` is not actually needed (and perhaps not
  desirable, as it only pertains to `import *`, though it does match
  the current behaviour), but it might become useful at a later date,
  so I left it in.
- Ideally, we would represent `foo as bar` in an `import` as a
  `DefinitionNode` in the CFG. I opted _not_ to do this, as it would
  also affect points-to, and I did not want to deal with any fallout
  arising from that.
 2022-10-17 14:29:41 +00:00
Taus
f5b2eb94a6 Merge pull request #10783 from yoff/python/subscript-nodes 
Python: API graph improvements for subscripts
 2022-10-17 15:21:56 +02:00