hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-19 18:33:16 +01:00
Code Issues Packages Projects Releases Wiki Activity
84,540 Commits 1,671 Branches 157 Tags
codeql-cli-2.23.8
Commit Graph

9615 Commits

Author SHA1 Message Date
Jason Reed
b0f72ebb56 Python: Refactor definitions query, add queries for ide search 
This enables jump-to-definition and find-references in the VS Code
extension, for python source archives.
 2020-05-04 11:27:30 -04:00
Rasmus Wriedt Larsen
16e9d76e22 Merge branch 'master' into python-keyword-only-args 2020-05-04 11:49:00 +02:00
Taus
33f4503ac3 Merge pull request #3213 from RasmusWL/python-iter-str-seq-with-tests 
Python: supress non-useful results (w/ tests) for iter str/seq query
 2020-05-01 11:04:05 +02:00
Rasmus Wriedt Larsen
e569d7ae41 Merge branch 'master' into python-parse_qs 2020-04-30 17:05:17 +02:00
Rasmus Wriedt Larsen
e0b4518a3e Merge branch 'master' into python-improve-file-taint 2020-04-30 11:24:29 +02:00
Rasmus Wriedt Larsen
c5e14f5c0d Python: Handle defaults and annotations for keyword-only arguments 
This commit is based on a change to the extractor
 2020-04-27 17:24:10 +02:00
Rasmus Wriedt Larsen
1fcbb6e9f4 Python: Better test for Argument.getDefault(i) 
Default values for positional arugments follow a rule, so if an argument has a
default value, later positional arguments must also have default values.

The database only stores the actual default values, and nothing about the
arguments that doesn't have default values.

This turns out to be a major problem for Argument.getKwDefault(i), since default
values for keyword-only arguments doesn't have the same rule. So if you know
there is one default value, you can't tell if it is associated with `foo` or
`bar`, as in the examples below:

```
def a(*, foo=None, bar):
    pass

def b(*, foo, bar=None):
    pass
```
 2020-04-27 17:22:56 +02:00
Rasmus Wriedt Larsen
5f6058363f Python: Improve QLdoc for Parameter.getPosition 2020-04-27 17:22:56 +02:00
Rasmus Wriedt Larsen
8c1cfe52f6 Python: Use getAKeywordOnlyArg instead of getAKwonlyarg 
The result is the same, but `getAKeywordOnlyArg` is the method used everywhere
else in the code.
 2020-04-27 17:22:56 +02:00
Rasmus Wriedt Larsen
c508e89a00 Python: Handle keyword-only arguments properly 2020-04-27 17:22:56 +02:00
Rasmus Wriedt Larsen
4185edc087 Python: Expand parameters/functions test 
I want to ensure we handle when only _some_ parameters have default/annotations
 2020-04-27 17:22:56 +02:00
Rasmus Wriedt Larsen
0cc8d49112 Python: Add tests for full Python 3 parameters syntax 
Currently keyword-only parameters are not handled properly :(
 2020-04-27 17:22:56 +02:00
Rasmus Wriedt Larsen
96b36a7f0f Python: Clean up some QLdocs 2020-04-27 17:22:56 +02:00
Rasmus Wriedt Larsen
ce2d7fe04c Python: Improve QLDoc for Arguments 2020-04-27 17:22:56 +02:00
Rasmus Wriedt Larsen
64c013ef4d Merge branch 'master' into python-iter-str-seq-with-tests 2020-04-27 17:20:06 +02:00
Rasmus Wriedt Larsen
4e80abbfa9 Python: Fixup wording in comment 
where you place a not is not without significance :D
 2020-04-27 17:03:01 +02:00
Taus
de08433bd3 Merge pull request #3212 from RasmusWL/python-fix-tests-filter 
Python: Fix (some) shortcomings of tests filter
 2020-04-27 11:26:35 +02:00
Taus
bcb980b3d5 Merge pull request #3302 from RasmusWL/python-str-taint-add-methods 
Python: Add taint for string methods
 2020-04-24 16:29:11 +02:00
Rasmus Wriedt Larsen
b2b0296120 Merge pull request #3242 from BekaValentine/python-objectapi-to-valueapi-incorrectlyoverridenmethod 
Python: ObjectAPI to ValueAPI: IncorrectlyOverriddenMethod
 2020-04-24 16:28:11 +02:00
semmle-qlci
4c7a5007d8 Merge pull request #3314 from RasmusWL/python-model-stdlib-http.server 
Approved by tausbn
 2020-04-24 15:27:21 +01:00
Rasmus Wriedt Larsen
2b3025265b Python: Clean up QLdoc 
Co-Authored-By: Taus <tausbn@gmail.com>
 2020-04-24 14:05:02 +02:00
Rasmus Wriedt Larsen
367ee3e8c4 Python: Modernise security/injection/Path.qll 
And we're making things a bit more clean since it's not *any* argument of `open()` that is a taint-sink.
 2020-04-24 12:03:42 +02:00
Rasmus Wriedt Larsen
67837887c8 Python: Modernise security/injection/Exec.qll 2020-04-24 11:59:05 +02:00
Rasmus Wriedt Larsen
8878884724 Python: Rewrite web/stdlib/Request.qll QLDoc to be more clear 2020-04-24 08:07:23 +02:00
Rasmus Wriedt Larsen
23f3736b67 Python: Simplify CgiFieldStorageFieldKind.getTaintOfAttribute 2020-04-24 08:04:55 +02:00
Taus
1d6b6a48ae Merge pull request #2924 from BekaValentine/python-objectapi-to-valueapi-wrongnumberargumentsincall 
Python: ObjectAPI to ValueAPI: WrongNumberArgumentsInCall
 2020-04-23 17:56:39 +02:00
Rasmus Wriedt Larsen
fe50811bbf Python: In taint test, list comprehension => for loop 
Apparently they're not the same thing :(
 2020-04-23 14:13:00 +02:00
Rasmus Wriedt Larsen
06edd076b6 Python: Enable taint when iterating over ExternalFileObject 2020-04-23 14:11:50 +02:00
Rasmus Wriedt Larsen
1fe0040086 Python: Don't use six in urllib.parse string related tests 
Since this test inheriently has `--max-import-depth=1`, by using six, we would
never look at the actual source-code of urllib.parse/urlparse and therefore the
test would never show if we understood the library code good enough that we
could propagate taint out-of-the-box.

All tests moved by one line... that is why the diff is so big
 2020-04-23 13:00:45 +02:00
Rasmus Wriedt Larsen
94ae2febe5 Python: Propagate taint through parse_qsl 2020-04-23 12:14:22 +02:00
Taus
54d1991a9d Merge pull request #3300 from RasmusWL/python-pointsto-regression-open 
Python: Add points-to regression for uncalled function
 2020-04-23 11:50:30 +02:00
Rasmus Wriedt Larsen
86630f1d6c Python: Handle readline, readlines for ExternalFileObject 2020-04-23 10:40:16 +02:00
Rasmus Wriedt Larsen
7385ea5024 Python: Add tests for ExternalFileObject 2020-04-23 10:36:51 +02:00
Rasmus Wriedt Larsen
c479a77d55 Python: Refactor ExternalFileObject to use field 
Instead of string matching. This brings it in line with what CollectionKind,
SequenceKind, and DictKind does.
 2020-04-23 10:28:29 +02:00
Rebecca Valentine
89752f4b55 Merge branch 'master' into python-objectapi-to-valueapi-wrongnumberargumentsincall 2020-04-22 09:52:33 -07:00
Rebecca Valentine
9cd2171fb8 Merge branch 'master' into python-objectapi-to-valueapi-incorrectlyoverridenmethod 2020-04-22 09:40:33 -07:00
Rasmus Wriedt Larsen
22096c36b9 Python: Add standard HttpSources tests for BaseHTTPRequestHandler 2020-04-22 17:28:49 +02:00
Rasmus Wriedt Larsen
51a9094064 Python: Add sinks for http.server.BaseHTTPRequestHandler 2020-04-22 17:28:27 +02:00
Rasmus Wriedt Larsen
a27431e197 Python: Add module level QLDoc in web/stdlib/Request.qll 2020-04-22 16:22:03 +02:00
Rasmus Wriedt Larsen
6b84137a92 Python: Model cgi.FieldStorage (parsing of submitted forms) 2020-04-22 11:37:47 +02:00
Rasmus Wriedt Larsen
1ecfa2eb55 Merge pull request #3278 from tausbn/python-fix-warnings 
Python: Fix remaining deprecation warnings.
 2020-04-22 11:33:16 +02:00
Rasmus Wriedt Larsen
6eb24011eb Python: Add docs to web/stdlib/Request.qll 2020-04-22 11:26:50 +02:00
Taus Brock-Nannestad
2fad5e8e32 Python: Remove deprecated TaintFlow and additionalFlowStepVar. 2020-04-22 10:34:00 +02:00
Rasmus Wriedt Larsen
26ed911bb2 Python: Add modeling of http.server.BaseHTTPRequestHandler 2020-04-22 09:52:10 +02:00
Rasmus Wriedt Larsen
30e2592701 Python: Propagate taint through parse_qs 2020-04-22 08:55:35 +02:00
Taus
5af351eacd Merge pull request #3275 from RasmusWL/python-fix-points-to-deprecations 
Python: Remove deprecated annotation for old PointsTo::points_to
 2020-04-21 18:18:07 +02:00
Rasmus Wriedt Larsen
32a97266cf Python: Fix deprecation warnings in test output 2020-04-21 11:39:44 +02:00
semmle-qlci
d75d520f35 Merge pull request #3232 from RasmusWL/python-more-deprecated-annotations 
Approved by BekaValentine
 2020-04-21 09:30:27 +01:00
Rasmus Wriedt Larsen
43bc7c6619 Python: Autoformat 
I'm not particularly happy about this one, but I don't care to fight about it today.
 2020-04-20 16:08:53 +02:00
Rasmus Wriedt Larsen
b7145af447 Python: Handle all methods in StringKind.getTaintOfMethodResult 2020-04-20 16:07:30 +02:00