hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-19 10:23:15 +01:00
Code Issues Packages Projects Releases Wiki Activity
84,540 Commits 1,671 Branches 157 Tags
codeql-cli-2.23.8
Commit Graph

4863 Commits

Author SHA1 Message Date
Rasmus Wriedt Larsen
2b3025265b Python: Clean up QLdoc 
Co-Authored-By: Taus <tausbn@gmail.com>
 2020-04-24 14:05:02 +02:00
Rasmus Wriedt Larsen
367ee3e8c4 Python: Modernise security/injection/Path.qll 
And we're making things a bit more clean since it's not *any* argument of `open()` that is a taint-sink.
 2020-04-24 12:03:42 +02:00
Rasmus Wriedt Larsen
67837887c8 Python: Modernise security/injection/Exec.qll 2020-04-24 11:59:05 +02:00
Rasmus Wriedt Larsen
8878884724 Python: Rewrite web/stdlib/Request.qll QLDoc to be more clear 2020-04-24 08:07:23 +02:00
Rasmus Wriedt Larsen
23f3736b67 Python: Simplify CgiFieldStorageFieldKind.getTaintOfAttribute 2020-04-24 08:04:55 +02:00
Taus
1d6b6a48ae Merge pull request #2924 from BekaValentine/python-objectapi-to-valueapi-wrongnumberargumentsincall 
Python: ObjectAPI to ValueAPI: WrongNumberArgumentsInCall
 2020-04-23 17:56:39 +02:00
Rasmus Wriedt Larsen
06edd076b6 Python: Enable taint when iterating over ExternalFileObject 2020-04-23 14:11:50 +02:00
Rasmus Wriedt Larsen
94ae2febe5 Python: Propagate taint through parse_qsl 2020-04-23 12:14:22 +02:00
Rasmus Wriedt Larsen
86630f1d6c Python: Handle readline, readlines for ExternalFileObject 2020-04-23 10:40:16 +02:00
Rasmus Wriedt Larsen
c479a77d55 Python: Refactor ExternalFileObject to use field 
Instead of string matching. This brings it in line with what CollectionKind,
SequenceKind, and DictKind does.
 2020-04-23 10:28:29 +02:00
Rebecca Valentine
89752f4b55 Merge branch 'master' into python-objectapi-to-valueapi-wrongnumberargumentsincall 2020-04-22 09:52:33 -07:00
Rebecca Valentine
9cd2171fb8 Merge branch 'master' into python-objectapi-to-valueapi-incorrectlyoverridenmethod 2020-04-22 09:40:33 -07:00
Rasmus Wriedt Larsen
51a9094064 Python: Add sinks for http.server.BaseHTTPRequestHandler 2020-04-22 17:28:27 +02:00
Rasmus Wriedt Larsen
a27431e197 Python: Add module level QLDoc in web/stdlib/Request.qll 2020-04-22 16:22:03 +02:00
Rasmus Wriedt Larsen
6b84137a92 Python: Model cgi.FieldStorage (parsing of submitted forms) 2020-04-22 11:37:47 +02:00
Rasmus Wriedt Larsen
1ecfa2eb55 Merge pull request #3278 from tausbn/python-fix-warnings 
Python: Fix remaining deprecation warnings.
 2020-04-22 11:33:16 +02:00
Rasmus Wriedt Larsen
6eb24011eb Python: Add docs to web/stdlib/Request.qll 2020-04-22 11:26:50 +02:00
Taus Brock-Nannestad
2fad5e8e32 Python: Remove deprecated TaintFlow and additionalFlowStepVar. 2020-04-22 10:34:00 +02:00
Rasmus Wriedt Larsen
26ed911bb2 Python: Add modeling of http.server.BaseHTTPRequestHandler 2020-04-22 09:52:10 +02:00
Rasmus Wriedt Larsen
30e2592701 Python: Propagate taint through parse_qs 2020-04-22 08:55:35 +02:00
Taus
5af351eacd Merge pull request #3275 from RasmusWL/python-fix-points-to-deprecations 
Python: Remove deprecated annotation for old PointsTo::points_to
 2020-04-21 18:18:07 +02:00
semmle-qlci
d75d520f35 Merge pull request #3232 from RasmusWL/python-more-deprecated-annotations 
Approved by BekaValentine
 2020-04-21 09:30:27 +01:00
Rasmus Wriedt Larsen
43bc7c6619 Python: Autoformat 
I'm not particularly happy about this one, but I don't care to fight about it today.
 2020-04-20 16:08:53 +02:00
Rasmus Wriedt Larsen
b7145af447 Python: Handle all methods in StringKind.getTaintOfMethodResult 2020-04-20 16:07:30 +02:00
Rasmus Wriedt Larsen
a5d3966cb3 Python: Refactor StringKind.getTaintOfMethodResult 
no need to match on ControlFlowNodes manually anymore 🎉
 2020-04-20 15:01:40 +02:00
Taus
964a619450 Merge pull request #3211 from RasmusWL/python-unused-import-small-fix 
Python: Fix FN in unused import
 2020-04-16 14:22:50 +02:00
Taus
a92d926b56 Merge pull request #3218 from RasmusWL/python-add-missing-override 
Python: Add missing override to ClassValue.hasAttribute
 2020-04-16 14:06:23 +02:00
Taus Brock-Nannestad
2d8770d17c Python: Fix remaining deprecation warnings. 2020-04-16 14:03:21 +02:00
Rasmus Wriedt Larsen
ab120ed7af Python: Remove deprecated annotation for old PointsTo::points_to 
We should only deprecate it when we're ready to deprecate the old refersTo and
all the old Object classes
 2020-04-16 09:47:45 +02:00
Rasmus Wriedt Larsen
b179a0bdc2 Python: Add deprecated comment for FinalCustomPointsToFact 2020-04-15 16:59:07 +02:00
Rasmus Wriedt Larsen
5a51d2cc4c Merge pull request #3245 from BekaValentine/python-objectapi-to-valueapi-wrongnameforargumentinclassinstantiation 
Python: ObjectAPI to ValueAPI: WrongNameForArgumentInClassInstantiation
 2020-04-15 16:48:26 +02:00
Rasmus Wriedt Larsen
390959713a Merge pull request #3246 from BekaValentine/python-objectapi-to-valueapi-uselessclass 
Python: ObjectAPI to ValueAPI: UselessClass
 2020-04-15 16:45:02 +02:00
Taus
8402e6a2e1 Merge pull request #3243 from BekaValentine/python-objectapi-to-valueapi-incorrectlyspecifiedoverriddenmethod 
Python: ObjectAPI to ValueAPI: IncorrectlySpecifiedOverriddenMethod
 2020-04-14 18:55:42 +02:00
Taus
3e46604fa5 Merge pull request #3223 from BekaValentine/python-objectapi-to-valueapi-iterreturnsnoniterator 
Python: ObjectAPI to ValueAPI: IterReturnsNonIterator
 2020-04-14 12:55:21 +02:00
Taus
d9a2429de8 Merge pull request #3244 from BekaValentine/python-objectapi-to-valueapi-wrongnumberargumentsinclassinstantiation 
Python: ObjectAPI to ValueAPI: WrongNumberArgumentsInClassInstantiation
 2020-04-14 12:46:29 +02:00
semmle-qlci
52b76b1373 Merge pull request #3233 from RasmusWL/python-use-getAbsolutePath 
Approved by BekaValentine
 2020-04-14 10:43:24 +01:00
semmle-qlci
2e95cab970 Merge pull request #3234 from RasmusWL/python-modenise-files 
Approved by BekaValentine
 2020-04-14 10:38:26 +01:00
Rebecca Valentine
8e91f10030 Python: ObjectAPI to ValueAPI: UselessClass: Adds preliminary modernization 2020-04-09 15:25:38 -07:00
Rebecca Valentine
339758fa70 Python: ObjectAPI to ValueAPI: WrongNameForArgumentInClassInstantiation: Adds preliminary modernization 2020-04-09 15:04:44 -07:00
Rebecca Valentine
8dc1933a02 Python: ObjectAPI to ValueAPI: WrongNumberArgumentsInClassInstantiation: Adds preliminary modernization 2020-04-09 14:58:30 -07:00
Rebecca Valentine
336e48c5c6 Python: ObjectAPI to ValueAPI: IncorrectlySpecifiedOverriddenMethod: Adds preliminary modernization 2020-04-09 14:50:26 -07:00
Rebecca Valentine
be00d71b99 Python: ObjectAPI to ValueAPI: IncorrectlyOverriddenMethod: Adds preliminary modernization 2020-04-09 14:41:22 -07:00
Rebecca Valentine
7a586c97a4 Python: ObjectAPI to ValueAPI: IterReturnsNonIterature: Replaces custom return_type predicate with call to getAnInferredReturnType 2020-04-09 14:30:40 -07:00
Pavel Avgustinov
6737e99d65 Merge pull request #3209 from hmakholm/baselib-extractor 
Add extractor field in base language QL packs
 2020-04-09 15:24:49 +01:00
Rasmus Wriedt Larsen
a2440f0fcd Python: Modernise semmle/python/dataflow/Files.qll 2020-04-08 16:53:19 +02:00
Rasmus Wriedt Larsen
32c04ad765 Python: Use getAbsolutePath() instead of deprecated getName() 2020-04-08 16:46:33 +02:00
Rasmus Wriedt Larsen
ac3acb9187 Python: Add more deprecated annotations 
These classes/predicates are not used by anything in our codebase, and is using
deprecated classes/predicates, so I think it's safe to assume they should also
have been marked with the deprecated annotation.

Changes the QL compiler warnings with:

-WARNING: Type Configuration has been deprecated and may be removed in future (/home/rasmus/code/ql/python/ql/src/semmle/python/dataflow/TaintTracking.qll:663,50-63)
-WARNING: Type Configuration has been deprecated and may be removed in future (/home/rasmus/code/ql/python/ql/src/semmle/python/dataflow/TaintTracking.qll:666,19-32)
-WARNING: Type Configuration has been deprecated and may be removed in future (/home/rasmus/code/ql/python/ql/src/semmle/python/dataflow/TaintTracking.qll:671,19-32)
-WARNING: Type Configuration has been deprecated and may be removed in future (/home/rasmus/code/ql/python/ql/src/semmle/python/dataflow/TaintTracking.qll:733,16-39)

-WARNING: Type CustomPointsToAttribute has been deprecated and may be removed in future (/home/rasmus/code/ql/python/ql/src/semmle/python/types/Extensions.qll:181,28-51)

-WARNING: Type CustomPointsToFact has been deprecated and may be removed in future (/home/rasmus/code/ql/python/ql/src/semmle/python/types/Extensions.qll:155,60-78)
-WARNING: Type CustomPointsToFact has been deprecated and may be removed in future (/home/rasmus/code/ql/python/ql/src/semmle/python/types/Extensions.qll:159,19-37)
-WARNING: Type CustomPointsToFact has been deprecated and may be removed in future (/home/rasmus/code/ql/python/ql/src/semmle/python/types/Extensions.qll:41,33-51)
+WARNING: Type CustomPointsToFact has been deprecated and may be removed in future (/home/rasmus/code/ql/python/ql/src/semmle/python/types/Extensions.qll:41,44-62)
 2020-04-08 15:10:35 +02:00
Rebecca Valentine
c2443f2342 Python: ObjectAPI to ValueAPI: OverlyComplexDelMethod: Adds preliminary modernization 2020-04-07 21:31:35 -07:00
Rebecca Valentine
0d65db148f Python: ObjectAPI to ValueAPI: IterReturnsNonIterator: Adds preliminary modernization 2020-04-07 21:14:25 -07:00
Rasmus Wriedt Larsen
7af5f038ab Python: Add missing override to ClassValue.hasAttribute 
I was considering if this was actually something different than
Value.hasAttribute, and the names were just accidentially the same. But after
looking at the definition for Value, I'm happy about marking this as an
override (I did not test whether it was neede though):

```codeql
class Value extends TObject {
    ...

    /** Holds if this value has the attribute `name` */
    predicate hasAttribute(string name) { this.(ObjectInternal).hasAttribute(name) }
```
 2020-04-07 14:02:53 +02:00