hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-18 09:43:15 +01:00
Code Issues Packages Projects Releases Wiki Activity
31,240 Commits 1,672 Branches 157 Tags
codeql-cli-2.7.6
Commit Graph

238 Commits

Author SHA1 Message Date
Rasmus Wriedt Larsen
81dbe36e99 Python: Promote SQLAlchemy modeling 
Due to the split between `src/` and `lib/`, I was not really able to do
the next step without having moved the SQLAlchemy modeling over to be in
`lib/` as well.
 2021-09-02 10:19:57 +02:00
Rasmus Wriedt Larsen
91442e100c Python: Model sessionmaker().begin() 2021-09-02 10:19:57 +02:00
Rasmus Wriedt Larsen
feb2303e1f Python: Model the underlying DB-API connection 2021-09-02 10:19:57 +02:00
Rasmus Wriedt Larsen
1ab04a7276 Python: Model Connection.execution_options 2021-09-02 10:19:57 +02:00
Rasmus Wriedt Larsen
2acf518037 Python: Model exec_driver_sql 2021-09-02 10:19:57 +02:00
Rasmus Wriedt Larsen
fe143c7dfa Python: Rewrite most of SQLAlchemy modeling 2021-09-02 10:19:57 +02:00
Rasmus Wriedt Larsen
b39bb24fcf Python: Add more SQLAlchemy tests 2021-09-02 10:19:57 +02:00
Rasmus Wriedt Larsen
a5a7f3e38a Python: Add taint-step for sqlalchemy.text 2021-06-29 11:06:25 +02:00
Rasmus Wriedt Larsen
ef48734206 Python: Add taint-tests for SQLAlchemy 2021-06-29 11:03:40 +02:00
Rasmus Wriedt Larsen
cb112395f8 Python: Fixup after merging main 2021-06-29 11:02:43 +02:00
Rasmus Wriedt Larsen
eac1c5d109 Python: Fix concepts-tests for SQLAlchemy 2021-06-29 10:58:28 +02:00
thank_you
3ace49549a Add tests for SqlAlchemy modeling library 
After researching SqlAlchemy and it's various query methods, I discovered several types of SQL injection possibilities.

The SQLExecution.py file contains these examples and can be broken up into two types of injections. Injections requiring the text() taint-step and injections NOT requiring the text() taint step.
 2021-05-10 16:12:15 -04:00
Rasmus Wriedt Larsen
d9079e34e3 Python: Move framework tests out of experimental 
Since they are not experimental anymore 😄
 2021-03-19 15:51:54 +01:00
yoff
37036b5e76 Merge pull request #5437 from RasmusWL/small-pyyaml-improvements 
Python: Small PyYAML improvements
 2021-03-19 11:15:49 +01:00
Rasmus Wriedt Larsen
7543f10593 Python: Reorganize PyYAML tests a bit 2021-03-19 09:53:25 +01:00
yoff
746e9948b0 Merge pull request #5075 from RasmusWL/crypto 
Python: Port py/weak-crypto-key to use type-tracking
 2021-03-18 20:53:28 +01:00
Rasmus Wriedt Larsen
42b2c3ed52 Python: Model C-based loaders for PyYAML 
Not really that important. But easy to do while I was working on this library.
 2021-03-18 11:55:01 +01:00
Rasmus Wriedt Larsen
54e6f51512 Python: Add example of C-based PyYAML loaders 
```
In [6]: yaml.load("!!python/object/new:os.system [echo EXPLOIT!]", yaml.CLoader)
EXPLOIT!
Out[6]: 0
```
 2021-03-18 11:50:59 +01:00
Rasmus Wriedt Larsen
14e9bda5de Python: Refactor PyYAML tests a bit 2021-03-18 11:39:47 +01:00
Rasmus Wriedt Larsen
d52d328587 Python: Use new API::builtin in stdlib modeling 2021-03-17 15:50:01 +01:00
Taus
d2ed216670 Merge pull request #5280 from RasmusWL/highlight-tornado-uri 
Python: Highlight how request.uri works in Tornado
 2021-03-04 23:31:02 +01:00
Rasmus Wriedt Larsen
a387496832 Python: Highlight how request.uri works in Tornado 2021-02-26 16:23:21 +01:00
yoff
e3b3825ab0 Merge pull request #5151 from RasmusWL/django-get-redirect-url 
Python: Model get_redirect_url in django
 2021-02-25 23:07:33 +01:00
Rasmus Lerchedahl Petersen
5b51a3461d Python: Force read- and store steps to add nodes. 
This gives muche nicer path explanations on some snapshots.
It is achieved by making stepped-to nodes `CastNode`s.
This seems somewhat reasonable as types then to change, when we move
between content and container.
We could probably refine it, though.
 2021-02-25 11:49:57 +01:00
Rasmus Wriedt Larsen
27987717dc Merge branch 'main' into crypto 2021-02-25 11:30:32 +01:00
yoff
9eed17f647 Merge pull request #5152 from RasmusWL/improve-pyyaml-support 
Python: Improve pyyaml support
 2021-02-23 19:58:04 +01:00
Rasmus Wriedt Larsen
bfbaa85272 Python: Add test of public_key method with cryptodome 
Added in 3.10 release https://github.com/Legrandin/pycryptodome/blob/master/Changelog.rst#3100-6-february-2021
 2021-02-19 15:03:47 +01:00
Rasmus Wriedt Larsen
d5ff477644 Python: Add modeling for pycryptodome PyPI package 2021-02-19 13:59:18 +01:00
Rasmus Wriedt Larsen
6e4c627209 Python: Add modeling for pycryptodomex PyPI package 2021-02-19 13:59:17 +01:00
Rasmus Wriedt Larsen
bd40965afe Python: Add modeling for cryptography PyPI package 2021-02-19 13:59:17 +01:00
Rasmus Wriedt Larsen
1bf9f7d135 Python: Add missing annotations to new crypto tests 2021-02-19 13:59:16 +01:00
Rasmus Wriedt Larsen
4ab61bb088 Python: Add a few tests for crypto frameworks 
Tests working can be verified by running

```
ls ql/python/ql/test/experimental/library-tests/frameworks/crypto*/*.py | xargs -L1 sh -c 'python $0 || exit 255'
```
 2021-02-19 13:26:45 +01:00
Rasmus Wriedt Larsen
bc8e61366b Python: Clarify comment about flask blueprint URL prefixes 2021-02-16 15:29:25 +01:00
Rasmus Wriedt Larsen
1e1cb87436 Python: Model flask blueprints 2021-02-16 15:26:51 +01:00
Rasmus Wriedt Larsen
b7ea469e26 Python: Add tests for flask blueprints 2021-02-16 15:03:00 +01:00
Rasmus Wriedt Larsen
745148474a Python: Model get_redirect_url in django 2021-02-15 10:55:52 +01:00
Rasmus Wriedt Larsen
6934d5e642 Python: Add django test of RedirectView subclass 2021-02-15 10:55:51 +01:00
Rasmus Wriedt Larsen
79855157b3 Python: Move django response test to django v2/v3 
That's really the django version I care about :P
 2021-02-15 10:55:50 +01:00
Rasmus Wriedt Larsen
10fdc4bfb9 Python: Add support for more yaml loading functions 2021-02-12 12:30:00 +01:00
Rasmus Wriedt Larsen
2021cdbe33 Python: Add tests for more yaml loading functions 2021-02-12 12:30:00 +01:00
Rasmus Wriedt Larsen
c57a4df819 Python: Model taint of self.request on django view class 2021-02-10 17:48:48 +01:00
Rasmus Wriedt Larsen
9ca738d921 Python: Add taint test for self.request on django view class 2021-02-10 17:48:41 +01:00
Rasmus Wriedt Larsen
ca0d345987 Django: Model any class used in django route setup as view class 2021-02-10 16:26:25 +01:00
Rasmus Wriedt Larsen
78a3206fce Python: Add test with unkown view class in django 2021-02-10 15:56:33 +01:00
Rasmus Wriedt Larsen
42eceb80bd Python: Handle view functions with decorators 2021-02-10 15:47:55 +01:00
Rasmus Wriedt Larsen
eb7e30d472 Python: Add test of django view handler with decorator 
Which we currently don't handle :(

Also added a bit more explanatory comments
 2021-02-09 13:25:12 +01:00
Rasmus Wriedt Larsen
e57e4e1916 Merge branch 'main' into port-url-redirect-query 2021-02-02 13:37:34 +01:00
Rasmus Wriedt Larsen
d046e39a82 Python: Fix tornado inline expectations in tests 
After merge commit
 2021-02-02 12:04:24 +01:00
Rasmus Wriedt Larsen
4b6a59a126 Python: Apply code-review suggestion 
Co-authored-by: yoff <lerchedahl@gmail.com>
 2021-02-01 11:12:32 +01:00
Rasmus Wriedt Larsen
94e7980ca4 Merge branch 'main' into port-url-redirect-query 2021-01-29 16:22:50 +01:00