hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-18 01:33:15 +01:00
Code Issues Packages Projects Releases Wiki Activity
84,540 Commits 1,671 Branches 157 Tags
codeql-cli-2.23.8
Commit Graph

9615 Commits

Author SHA1 Message Date
Rasmus Wriedt Larsen
31ff652cb3 Python: Make Sanitizer available for urlsplit taint 
It isn't used by default, it has to *actively* be enabled.
 2020-02-21 15:18:53 +01:00
Rasmus Wriedt Larsen
083dd4380b Python: Add example for how to write your own sanitizer 2020-02-21 14:28:48 +01:00
Rasmus Wriedt Larsen
abbc9293db Merge pull request #2891 from tausbn/python-special-operations 
Python: Add AST support for special operations.
 2020-02-21 13:16:22 +01:00
Rebecca Valentine
2b1d9c8d16 Updates last library difference 
I'm not entirely sure if `getLiteralObject` and `getLiteralValue` are equivalent, and there don't see to be library tests for this
 2020-02-20 20:20:56 -08:00
Rebecca Valentine
210387a8be Adds bulk of modernizations 2020-02-20 17:32:42 -08:00
Rebecca Valentine
df7f43ee86 Adds modernization 2020-02-20 17:07:56 -08:00
Rebecca Valentine
2f3ea10cf8 Move the query and examples over to 2/query-tests 2020-02-20 16:31:58 -08:00
Rebecca Valentine
376638e9c0 Move query over to Rasmus's API for NumericValue 2020-02-20 16:18:54 -08:00
Rebecca Valentine
ab1fcb32ae autoformats 2020-02-20 16:17:43 -08:00
Rebecca Valentine
5d9d724d43 Removes conflicting NumericValue definition 2020-02-20 16:17:33 -08:00
Rebecca Valentine
28be3b47fc Replaces name-reference to the class with canonical predicate. 2020-02-20 15:41:51 -08:00
Rebecca Valentine
5acd982d59 Swaps ...obj for ...val 2020-02-20 15:41:51 -08:00
Rebecca Valentine
91ea46f5ee Adds test output. 2020-02-20 15:41:51 -08:00
Rebecca Valentine
115495450d Adds test cases. 2020-02-20 15:41:51 -08:00
Rebecca Valentine
96b8d78650 Adds modernized files. 2020-02-20 15:41:51 -08:00
Taus Brock-Nannestad
913db460b2 Python: Add AST support for special operations. 
These have the form `$name(arg1, arg2, ...)` and currently have no semantics.
They may be useful for testing purposes, however.
 2020-02-20 18:05:37 +01:00
Rasmus Wriedt Larsen
1029f04e76 Python: TarSlip sanitizer: handle not 2020-02-20 16:27:54 +01:00
Rasmus Wriedt Larsen
3c317ed0e6 Python: TarSlip sanitizer: only clear taint on false edge 
maybe it was on purpose, will have to investigate FPs when query is good
 2020-02-20 16:11:24 +01:00
Rasmus Wriedt Larsen
2d637e1cf7 Python: Add more tarslip examples 2020-02-20 16:09:10 +01:00
Rasmus Wriedt Larsen
fd270cc02c Python: Add basic taint support for urlsplit/urlparse 2020-02-19 16:31:10 +01:00
Rasmus Wriedt Larsen
4f3149d865 Python: Fix error after merge conflict 2020-02-19 16:27:31 +01:00
Rasmus Wriedt Larsen
74345b1c05 Python: Make library-tests/taint/strings tests more transparent 
Following the setup I invented for library-tests/taint/unpacking.

TestStep is still a bit annoying, since the output is not easy to eyeball; but
for now I guess we can live with it :)

I honestly didn't get the point of DistinctStringKinds.ql, other than showing we
can handle multiple taint kinds
 2020-02-19 16:24:22 +01:00
Rasmus Wriedt Larsen
e4b83855d9 Python: Autoformat security/strings/External.qll 2020-02-19 16:24:13 +01:00
Rasmus Wriedt Larsen
e7fdfd3d3e Python: Move subprocess.call so super-class detection works 
This is a temporary fix!

Added minimal working example (MWE) as a regression, so it's easier to fix the
real problem.

only Python 3 is facing the problem -- and without --max-import-depth=1 the test
times out at 10 minutes :O
 2020-02-19 14:12:22 +01:00
Rasmus Wriedt Larsen
d7b803a859 Python: Fix modernisation of py/iteration-string-and-sequence 
Introduced a regression, since the old code was:

```
predicate is_a_string_type(ClassObject seqtype) {
    seqtype = theBytesType() and major_version() = 2
    or
    seqtype = theUnicodeType()
}
```

but *now* we're good!
 2020-02-19 14:12:22 +01:00
Rasmus Wriedt Larsen
0509228296 Python: Make ModelUsage test language agnostic 2020-02-19 14:12:22 +01:00
Rasmus Wriedt Larsen
87eff7f062 Python: More iterator => iterable renaming 2020-02-19 14:12:22 +01:00
Rasmus Wriedt Larsen
82b29b5698 Python: Recognize shebangs in module usage detection 2020-02-19 14:12:22 +01:00
Rasmus Wriedt Larsen
01f5b3dc63 Python: Add a script that we can't classify usage of 2020-02-19 14:12:22 +01:00
Rasmus Wriedt Larsen
3e7e9636ea Python: Add ModuleValue.{isUsedAsModule, isUsedAsScript} 
and a few test cases
 2020-02-19 14:12:22 +01:00
Rasmus Wriedt Larsen
b4ab0b55be Python: Modernise Statements/RedundantAssignment 2020-02-19 14:12:22 +01:00
Rasmus Wriedt Larsen
79a4d7e9cc Python: Add some confusing (but valid) property tests 2020-02-19 14:12:22 +01:00
Rasmus Wriedt Larsen
67e9edb820 Python: Add PropertyValue 
+ Extend PropertyInternal.getSetter to handle non-decorator
+ Add PropertyInternal.getDeleter

It seems like a bit hacky way to do things, since we're not using the
PropertySetterOrDeleter class at all, but for now I'll leave it be.
 2020-02-19 14:12:22 +01:00
Rasmus Wriedt Larsen
e747add485 Python: Descriptor tests fixup (3/3) 
Better tests for properties
 2020-02-19 14:10:29 +01:00
Rasmus Wriedt Larsen
aed7bfb820 Python: Descriptor tests fixup (2/3) 
Test format improved
 2020-02-19 14:10:29 +01:00
Rasmus Wriedt Larsen
3f49aeecfe Python: Descriptor tests fixup (1/3) 2020-02-19 14:10:29 +01:00
Rasmus Wriedt Larsen
13568b7b9f Python: Modernise Statements/ queries 
Almost. Left out a few things marked with TODO
 2020-02-19 14:10:29 +01:00
Rasmus Wriedt Larsen
83d40f167b Python: Update py/ineffectual-statement 
e.(StrConst).isDocString() can only hold if e instanceof StrConst, since we have
that condition on the line above, we can safely remove this condition.
 2020-02-19 14:05:55 +01:00
Rasmus Wriedt Larsen
6e349eb6e7 Python: Make py/side-effect-in-assert handle example 
Also removed parantheses
 2020-02-19 14:05:55 +01:00
Rasmus Wriedt Larsen
ae8dbd81f3 Python: Update test-file for py/redundant-assignment 
now the test code can be pasted, and actually works ;)
 2020-02-19 14:05:55 +01:00
Rasmus Wriedt Larsen
381668871d Python: Autoformat statements 2020-02-19 14:05:55 +01:00
Rebecca Valentine
2fa20eb805 Fixes bug introduced by merge of foresight additions. 2020-02-18 21:37:52 -08:00
Rebecca Valentine
7997e1dc98 Merge branch 'master' into objectapi-to-valueapi-expectedmappingforformatstring 2020-02-18 21:33:12 -08:00
Rebecca Valentine
9e3ed214d0 Python: ObjectAPI to ValueAPI: Foresight Additions (#2819) 
* Adds the...Type() predicates as foresight modernizations.

* Removes predicates that are not currently ported/portable

* Adds range types

* Update python/ql/src/semmle/python/objects/ObjectAPI.qll

Co-Authored-By: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>

* Update python/ql/src/semmle/python/objects/ObjectAPI.qll

Co-Authored-By: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>

* Swaps xType for just x, at least when it's new

Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2020-02-18 21:29:20 -08:00
Rebecca Valentine
810efef9de Adds python3 test 2020-02-18 15:02:47 -08:00
Rebecca Valentine
e55f01d905 Adds new UseofApply test case and results to the Python2 tests dir 2020-02-18 12:12:25 -08:00
Rebecca Valentine
9338d21aaf Removes unnecessary explanation 2020-02-18 11:43:43 -08:00
Rebecca Valentine
4059a99da6 Autoformats the query 2020-02-18 11:43:31 -08:00
Rebecca Valentine
d0617ef7bc Autoformat 2020-02-18 09:00:31 -08:00
Taus
ffbb5d0529 Merge pull request #2739 from RasmusWL/python-modernise-security 
Python: modernise Security/ queries
 2020-02-18 16:28:53 +01:00