hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-19 18:33:16 +01:00
Code Issues Packages Projects Releases Wiki Activity
84,540 Commits 1,671 Branches 157 Tags
codeql-cli-2.23.8
Commit Graph

4863 Commits

Author SHA1 Message Date
Rasmus Wriedt Larsen
73971cff76 Python: Model exec statement (Python 2 only) as CodeExecution 2020-10-07 21:12:35 +02:00
Rasmus Wriedt Larsen
0af86cba50 Python: Port CodeInjection query 
and the dummy test-case we already have
 2020-10-07 18:47:23 +02:00
Rasmus Wriedt Larsen
5f6e4d47ca Python: Add CodeExecution concept 2020-10-07 18:22:45 +02:00
Rasmus Lerchedahl Petersen
8196cfd21a Python: Attempt at clearer naming of parameters 2020-10-07 15:56:35 +02:00
yoff
35b0b6b472 Update python/ql/src/experimental/dataflow/internal/DataFlowPrivate.qll 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2020-10-07 15:48:44 +02:00
Rasmus Lerchedahl Petersen
27a75c0bd1 Merge branch 'main' of github.com:github/codeql into SharedDataflow_ArgumentPassing 2020-10-07 15:43:31 +02:00
yoff
7e6f0b0bc3 Apply suggestions from code review 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2020-10-07 15:11:15 +02:00
Rasmus Wriedt Larsen
bec33b745e Python: Use range instead of self for ::Range pattern 
Following the suggestions from https://github.com/github/codeql/pull/4357
 2020-10-07 14:54:51 +02:00
Rasmus Wriedt Larsen
c09695af7d Python: Properly handle invoke.task decorator 2020-10-07 12:29:19 +02:00
Rasmus Wriedt Larsen
67c5c590d2 Python: Expose getParameter on ParameterNode 2020-10-07 12:28:35 +02:00
Rasmus Wriedt Larsen
6d7f4a048b Python: Attempt to model invoke.task decorator 2020-10-07 12:26:49 +02:00
Rasmus Wriedt Larsen
c9219b3744 Clean module imports 2020-10-07 12:21:30 +02:00
Rasmus Wriedt Larsen
ebff1794fc Python: Model invoke.context.Context 2020-10-07 12:16:53 +02:00
Rasmus Wriedt Larsen
4ef5202382 Python: Add simple model for invoke.run and invoke.sudo 
and I sorted the list in Frameworks.qll, that kinda makes sense :)
 2020-10-07 12:13:59 +02:00
Rasmus Wriedt Larsen
7721db206e Python: Don't double report paths for platform.popen and popen2.* 
I was a bit surprised that we hadn't double reported for popen2, but it turns
out that the implementation (at least on unix) looks like:

```
def popen2(cmd, bufsize=-1, mode='t'):
    ... = Popen3(cmd, False, bufsize)
    ...
```

but since the modeling I did only considers calls to `Popen3` only if it has
been imported from the `popen2` module, we don't consider that call as a sink.
 2020-10-07 10:57:31 +02:00
Rasmus Wriedt Larsen
737b2b896f Python: Fix QLDoc for popen2 module 2020-10-07 10:49:22 +02:00
Rasmus Wriedt Larsen
6c4fd7c1ff Python: Model Python 2 only platform.popen command execution 2020-10-06 20:25:03 +02:00
Rasmus Wriedt Larsen
12e4e07cae Python: Model Python 2 only module popen2 2020-10-06 20:25:02 +02:00
Rasmus Wriedt Larsen
8c2f55fbd0 Python: Model Python 2 only os.popen2, popen3, popen4 functions 2020-10-06 20:25:01 +02:00
Taus Brock-Nannestad
b905a3d5e3 Python: Attribute access API 2020-10-06 16:36:29 +02:00
Rasmus Wriedt Larsen
d26a89b95e Python: Fix QLDoc for RouteSetup 2020-10-06 11:35:18 +02:00
Rasmus Wriedt Larsen
b82727d0b8 Python: Consider routed parameter if URL pattern unknown 2020-10-06 11:03:25 +02:00
Rasmus Lerchedahl Petersen
0f077f5d7d Python: Add flow inside IfExprNodes 2020-10-06 10:54:23 +02:00
Rasmus Wriedt Larsen
f03a8a838b Python: Make any routed parameter a RemoteFlowSource 
I'm not 100% sure whether this approach makes everything too magic, but I like
the fact that you can't _forget_ to make routed params remove-flow sources.
 2020-10-06 03:03:14 +02:00
Rasmus Wriedt Larsen
b78c665f34 Python: Model RouteSetup for flask 2020-10-06 03:03:13 +02:00
Rasmus Wriedt Larsen
ebc3d32ff1 Python: Add concept for HTTP server modeling 
If we want to separate out into a file, we can always do this with

```
import experimental.semmle.python.HTTP as HTTP
```
 2020-10-06 03:02:32 +02:00
Rasmus Wriedt Larsen
9f1aa8ca0c Python: Expose getParameter on ParameterNode 2020-10-06 03:02:31 +02:00
Rasmus Lerchedahl Petersen
478cfd7310 Python: Small clean-up 2020-10-05 12:43:30 +02:00
Rasmus Lerchedahl Petersen
f449da2fdb Python: Write explanatory examples. 2020-10-05 11:39:18 +02:00
Rasmus Lerchedahl Petersen
8e27904f65 Python: Add explanatory comment. 2020-10-04 15:34:25 +02:00
Rasmus Lerchedahl Petersen
3463889010 Python: Add comments 2020-10-04 09:40:06 +02:00
Rasmus Lerchedahl Petersen
385e213fcf Python: Fix comments 2020-10-04 09:33:30 +02:00
Rasmus Lerchedahl Petersen
ce18bff274 Python: Support method calls 2020-10-03 23:34:39 +02:00
Arthur Baars
78c58c2415 Merge pull request #4384 from tausbn/python-fix-package-locations 
Python: Fix `hasLocationInfo` for packages
 2020-10-02 20:48:43 +02:00
Alexander Eyers-Taylor
30ed6a0dac Merge pull request #4385 from aibaars/drop-queries 
Drop 'tech-inventory' and 'code duplication' queries from the standard query suites
 2020-10-02 18:31:25 +01:00
Arthur Baars
daa1bcc06e Also mark 'tech inventory' queries as deprecated 2020-10-02 17:23:11 +02:00
Arthur Baars
fc45b6cd3c Drop 'tech-inventory' and 'code duplication' queries from the standard query suites 2020-10-02 17:22:04 +02:00
Taus
fce76e2799 Merge pull request #4354 from RasmusWL/python-command-execution-modeling 
Python: Better command execution modeling
 2020-10-02 16:14:34 +02:00
Rasmus Wriedt Larsen
eb67986916 Python: Exlucde only command injection sinks in os and subprocess 2020-10-02 14:11:07 +02:00
Rasmus Wriedt Larsen
68eacef23c Python: Refactor OsExecCall and friends for better readability 2020-10-02 13:38:54 +02:00
Rasmus Wriedt Larsen
de07d9e5d9 Python: Highlight that os.popen is not only problem for extra alerts 2020-10-02 13:34:33 +02:00
Taus Brock-Nannestad
75f4051cb5 Python: Fix hasLocationInfo for packages 2020-10-01 17:21:53 +02:00
Rasmus Lerchedahl Petersen
5326125b70 Python: Handle positional construtor arguments 2020-10-01 15:28:26 +02:00
Chris Smowton
578ea1ae43 Fix OWASP broken links 2020-10-01 13:09:52 +01:00
Rasmus Wriedt Larsen
3247b300ae Python: Fix problem with missing use-use flow 2020-10-01 12:55:11 +02:00
Rasmus Lerchedahl Petersen
db23dad6ec Python: Allow callables to connect to calls freely 2020-10-01 12:33:42 +02:00
Rasmus Lerchedahl Petersen
b092df48a5 Python: Location and toString for KwUnpacked 2020-10-01 10:15:19 +02:00
Rasmus Lerchedahl Petersen
29a162bc9c Python: Proper flow **arg -> **param 2020-09-30 23:55:02 +02:00
Rasmus Wriedt Larsen
428c2a3fda Merge branch 'main' into python-command-execution-modeling 2020-09-30 17:38:59 +02:00
Rasmus Wriedt Larsen
c4a2e1d6d1 Python: Rewrite attribute lookup helpers for better performance 
Not that they actually had a huge problem right now, just that using the old
pattern HAS lead to bad performance in the past. See
https://github.com/github/codeql/pull/4361
 2020-09-30 17:31:20 +02:00