hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-18 09:43:15 +01:00
Code Issues Packages Projects Releases Wiki Activity
31,240 Commits 1,672 Branches 157 Tags
codeql-cli-2.7.6
Commit Graph

80 Commits

Author SHA1 Message Date
Rasmus Wriedt Larsen
09a2a6cdfd Python: Fix django re_path kwarg test 
Since it was using the wrong keyword argument name before :D
 2020-10-16 11:12:12 +02:00
Taus Brock-Nannestad
f07a7bf8cf Python: Autoformat everything using qlformat. 
Will need subsequent PRs fixing up test failures (due to deprecated
methods moving around), but other than that everything should be
straight-forward.
 2020-07-07 15:43:52 +02:00
Rasmus Wriedt Larsen
67be45f045 Merge branch 'master' into python-fix-django-taint-sinks 2020-07-02 11:55:42 +02:00
Rasmus Wriedt Larsen
6cba2fe4f8 Python: Model Django response sinks that are not vuln to XSS 
Since HttpResponse is not *only* used for XSS, it is still valuable to know the
content is send as part of the response.

The *proper* solution to this problem of not all HttpResponses being vulnerable
to XSS is probably to define a new abstract class in Http.qll called
HttpResponseXSSVulnerableSink (or similar). I would like to model a few more
libraries/frameworks before fully comitting to an approach though.
 2020-05-26 16:45:46 +02:00
Rasmus Wriedt Larsen
f602f3e1c7 Python: Use proper import for semmle.python.dataflow.TaintTracking 
It was moved in 637677d515, but imports were not
updated.
 2020-05-25 13:45:49 +02:00
Rasmus Wriedt Larsen
3774310985 Python: Reduce FPs in Django due to bad XSS taint-sinks 
Fixes https://github.com/github/codeql-python-team/issues/38
 2020-05-18 19:14:43 +02:00
Rasmus Wriedt Larsen
fa08676a1d Python: Proper redirect taint sinks for Django 
Also a major restructuring of the code. A bit controversial since it
renames/moves classes that are already public.

Fixes https://github.com/github/codeql/issues/3466
 2020-05-18 19:14:29 +02:00
Rasmus Wriedt Larsen
72ea4ff0dc Python: Add more tests of django responses 
They clearly shouldn't all be XSS sinks
 2020-05-18 16:56:47 +02:00
Rasmus Wriedt Larsen
8150c78ae0 Python: In flask, taint routed prameters for variable rules 
Fixes https://github.com/github/codeql-python-team/issues/79
 2020-05-12 15:02:32 +02:00
Rasmus Wriedt Larsen
7d5e35a7aa Python: Expand flask tests to use "variable rules" 
which is what flask calls them. wildcard rules in bottle, django doesn't even
give them a proper term :(
 2020-05-12 14:23:24 +02:00
Rasmus Wriedt Larsen
22096c36b9 Python: Add standard HttpSources tests for BaseHTTPRequestHandler 2020-04-22 17:28:49 +02:00
Rasmus Wriedt Larsen
51a9094064 Python: Add sinks for http.server.BaseHTTPRequestHandler 2020-04-22 17:28:27 +02:00
Rasmus Wriedt Larsen
6b84137a92 Python: Model cgi.FieldStorage (parsing of submitted forms) 2020-04-22 11:37:47 +02:00
Rasmus Wriedt Larsen
26ed911bb2 Python: Add modeling of http.server.BaseHTTPRequestHandler 2020-04-22 09:52:10 +02:00
Taus Brock-Nannestad
87a9f51c78 Python: Autoformat all .ql files. 2020-03-30 11:59:10 +02:00
Rasmus Wriedt Larsen
6d72e77cdf Python: Django: Handle Class-based views 2020-03-11 14:44:14 +01:00
Rasmus Wriedt Larsen
2da1503942 Merge branch 'master' into python-support-django2 2020-03-11 11:21:47 +01:00
Taus
0da554c701 Merge pull request #2914 from RasmusWL/python-remove-optimize-true-directive 
Python: Remove `--optimize: true` from options files
 2020-02-27 13:16:59 +01:00
Rasmus Wriedt Larsen
4330d4e289 Python: Remove unused import in test 2020-02-26 10:26:30 +01:00
Rasmus Wriedt Larsen
b213db03fd Python: Consolidate stdlib http client tests 
Move the stdlib tests from test/{2,3}/library-tests/ into /test/library-tests/,
and deal with version by using sys.version_info (results should be the same for
both versions).

six tests were moved from /library-tests/web/client/stdlib => /library-tests/web/client/six
 2020-02-26 10:26:30 +01:00
Rasmus Wriedt Larsen
cd5399d43e Python: Model outgoing http client requests 2020-02-26 10:26:30 +01:00
Rasmus Wriedt Larsen
f10a86d3ac Python: Remove --optimize: true from options files 
Tests will be run with optimizations on by default now.
 2020-02-25 15:52:00 +01:00
Rasmus Wriedt Larsen
5a0babe88b Python: Add support for Django 2.x and 3.x 
I changed the django mock to support both 1.x and 2.x routing APIs, which is not
really a nice long term solution.
 2020-02-18 11:22:35 +01:00
Rasmus Wriedt Larsen
362e7aebbb Python: Add HttpRedirectSinks test for django 2020-02-17 16:54:06 +01:00
Rasmus Wriedt Larsen
a3c6472b9b Python: Improve django tests (and prepare for v2 + v3 support) 2020-02-17 16:39:01 +01:00
Taus
895f2f74ab Merge branch 'master' into python-clean-qltest-options 2020-02-12 13:44:41 +01:00
Rasmus Wriedt Larsen
efedcd26d0 Python: Django tests need --lang=3 2020-02-11 13:16:52 +01:00
Rasmus Wriedt Larsen
397c17c4ff Python: Use --lang=3 in tests 
With internal update to qltest it will not actually do something.

- also remove it from the tests that never needed it.
 2020-02-06 14:20:59 +01:00
Rasmus Wriedt Larsen
c25782d6da Python: For web tests, use more precise name HttpResponseSinks 
Since there are also HttpRedirectTaintSink, using HttpSink is confusing
 2020-01-28 13:06:48 +01:00
Rasmus Wriedt Larsen
46f4b74134 Python: Fix tornado lib: a redirect is not a http response 2020-01-28 13:06:48 +01:00
Rasmus Wriedt Larsen
ee382bb2ea Python: Fix typo (reques => request) 2020-01-28 13:06:48 +01:00
Rasmus Wriedt Larsen
9bc72450a0 Python: Temporarily disable falcon HttpSinks test 
I will fix this in an other PR
 2020-01-28 13:06:48 +01:00
Rasmus Wriedt Larsen
9b2ca0c9c7 Python: Update web libraries to use HttpSources and HttpSinks 2020-01-28 13:06:48 +01:00
Rasmus Wriedt Larsen
2cdbae08b6 Python: Don't make duplicate sink for Tornado handler 
`self.write(...)` would be treated as *both* TornadoConnectionWrite and
TornadoHttpRequestHandlerWrite
 2020-01-28 13:06:48 +01:00
Rasmus Wriedt Larsen
effa4548ab Python: Add toString to TurboGears HttpResponseTaintSinks 
Naming these were a bit hard, but better than generic "Taint Sink"
 2020-01-28 13:06:48 +01:00
Rasmus Wriedt Larsen
6b87458c2e Python: Add explicit tests for HttpSources and HttpSinks 
Some of the tests currently fail, since they can't reproduce the old tests
results (since the sinks/sources defined in the library code are not
HttpResponseTaintSink/HttpRequestTaintSource)
 2020-01-28 13:06:48 +01:00
Rasmus Wriedt Larsen
0a1c91fbb8 Python: Autoformat web tests QL files 2020-01-28 13:05:25 +01:00
Rasmus Wriedt Larsen
96d5703f2c Python: Remove use of deprecated methods 2020-01-22 13:45:14 +01:00
Taus
52d231c219 Merge pull request #2469 from RasmusWL/python-modernise-twisted-library 
Python: modernise twisted library
 2019-12-18 13:55:50 +01:00
Rasmus Wriedt Larsen
ac55e6aba6 Python: Modernise twisted library 2019-12-18 10:42:39 +01:00
Rasmus Wriedt Larsen
4e3c183676 Python: Adapt twisted tests so they pass 2019-12-18 10:42:39 +01:00
Rasmus Wriedt Larsen
6011cb74f8 Python: Add twisted tests from internal repo 2019-12-18 10:42:39 +01:00
Rasmus Wriedt Larsen
8b5d6ae2cf Python: Modernise zope web tests 2019-12-17 17:42:03 +01:00
Rasmus Wriedt Larsen
e257ba40c4 Python: Make zope web tests pass 2019-12-17 17:42:03 +01:00
Rasmus Wriedt Larsen
387ab52855 Python: Add zope web tests from internal repo 2019-12-02 14:38:03 +01:00
Rasmus Wriedt Larsen
44cc9dd0be Python: Add TurboGears templating example 2019-11-27 15:07:32 +01:00
Taus
4c700882b6 Merge pull request #2190 from RasmusWL/python-modernise-tornado-library 
Python: modernise tornado library
 2019-11-19 09:36:30 +01:00
Taus
78109db243 Merge pull request #2181 from RasmusWL/python-modernise-pyramid-library 
Python: modernise pyramid library
 2019-11-15 15:05:44 +01:00
Rasmus Wriedt Larsen
3ad43f32b6 Python: Add flask xss examples to flask tests 2019-11-12 10:36:10 +01:00
Rasmus Wriedt Larsen
edfcf39137 Python: Add flask tests from internal repo 2019-11-11 17:18:26 +01:00