hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 09:13:20 +01:00
Code Issues Packages Projects Releases Wiki Activity
31,240 Commits 1,671 Branches 157 Tags
codeql-cli-2.7.6
Commit Graph

286 Commits

Author SHA1 Message Date
Rasmus Wriedt Larsen
83f87f0272 Python: Adjust .expected based on new comment 
That was changed in 9866214
 2021-12-17 15:29:41 +01:00
yoff
9866214ebe Update python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/full_partial_test.py 2021-12-17 14:26:43 +01:00
Rasmus Wriedt Larsen
1d00730753 Python: Allow http[s]:// prefix for SSRF 2021-12-17 00:27:18 +01:00
Rasmus Wriedt Larsen
8d9a797b75 Python: Add tricky .format SSRF tests 2021-12-17 00:24:51 +01:00
Rasmus Wriedt Larsen
6f297f4e9c Python: Fix SSRF sanitizer tests 
They were very misleading before, because a sanitizer that happened
early, would remove taint from the rest of the cases by use-use flow :|
 2021-12-16 23:24:08 +01:00
Rasmus Wriedt Larsen
4b5599fe17 Python: Improve full/partial SSRF split 
Now full-ssrf will only alert if **all** URL parts are fully
user-controlled.
 2021-12-16 22:48:51 +01:00
Rasmus Wriedt Larsen
cb934e17b1 Python: Adjust SSRF location to request call 
Since that might not be the same place where the vulnerable URL part is.
 2021-12-16 22:48:51 +01:00
Rasmus Wriedt Larsen
b1bca85162 Python: Add interesting test-case 2021-12-16 22:48:51 +01:00
Rasmus Wriedt Larsen
1cc5e54357 Python: Add SSRF queries 
I've added 2 queries:

- one that detects full SSRF, where an attacker can control the full URL,
  which is always bad
- and one for partial SSRF, where an attacker can control parts of an
  URL (such as the path, query parameters, or fragment), which is not a
  big problem in many cases (but might still be exploitable)

full SSRF should run by default, and partial SSRF should not (but makes
it easy to see the other results).

Some elements of the full SSRF queries needs a bit more polishing, like
being able to detect `"https://" + user_input` is in fact controlling
the full URL.
 2021-12-16 01:48:34 +01:00
Nick Rolfe
05415768c9 Merge remote-tracking branch 'origin/main' into nickrolfe/regexp_g_anchor 2021-12-02 12:07:13 +00:00
yoff
4609b2060a Merge pull request #7217 from RasmusWL/more-path-injection-fps 
Python: Add `x in <var>` test for StringConstCompare
 2021-12-02 12:35:33 +01:00
Taus
8cccee6eba Merge pull request #6972 from yoff/python/promote-redos 
Python: Promote ReDoS queries
 2021-11-23 14:02:09 +01:00
Rasmus Wriedt Larsen
baafd9f8ba Python: Add an other path injection FP 
Along with the root cause, which is the `StringConstCompare`
BarrierGuard, that does only allows `in <iterable literal>` and not
`in <variable referencing iterable literal>`
 2021-11-23 12:59:15 +01:00
Nick Rolfe
df6ba43cca Python: treat \A, \Z, \b, \B as special chars, not escapes 2021-11-19 15:49:53 +00:00
Erik Krogh Kristensen
1cca377e7d Merge pull request #6561 from erik-krogh/htmlReg 
JS/Py/Ruby: add a bad-tag-filter query
 2021-11-18 09:39:13 +01:00
Rasmus Wriedt Larsen
7c3b68b7f8 Merge pull request #7091 from RasmusWL/port-request-without-validation 
Python: Port `py/request-without-cert-validation` to use API graphs
 2021-11-15 13:51:57 +01:00
Rasmus Wriedt Larsen
985cd1ebdb Python: Port py/request-without-cert-validation to use API graphs 2021-11-09 16:37:50 +01:00
Rasmus Wriedt Larsen
59581690fd Python: Add py/request-without-cert-validation tests 2021-11-09 16:29:57 +01:00
Rasmus Wriedt Larsen
f70e4fea55 Python: Add interesting path-injection FP 2021-11-09 14:53:32 +01:00
Erik Krogh Kristensen
02f500b9c2 Merge branch 'main' into htmlReg 2021-11-04 12:58:42 +01:00
Rasmus Lerchedahl Petersen
8536f5f5a2 Python: remember to update refs... 2021-10-28 14:32:53 +02:00
Rasmus Wriedt Larsen
8c3349f40f Python: Properly model flask.send_from_directory 
To not include `filename` as path-injection sink.
 2021-10-28 13:41:39 +02:00
Rasmus Wriedt Larsen
6648a695eb Python: Add flask specific path-injection test 2021-10-28 13:34:18 +02:00
Erik Krogh Kristensen
44afa34e37 Merge branch 'main' of github.com:github/codeql into htmlReg 2021-10-26 14:46:27 +02:00
Rasmus Wriedt Larsen
7cd5e681dd Merge pull request #6693 from yoff/python/promote-regex-injection 
Python: Promote `py/regex-injection`
 2021-10-14 14:49:05 +02:00
Rasmus Lerchedahl Petersen
61008fd3d0 Merge branch 'main' of github.com:github/codeql into python/promote-regex-injection 2021-10-12 11:28:12 +02:00
Rasmus Lerchedahl Petersen
f34d1ee997 Python: Update test expectation following rename 2021-10-12 10:36:18 +02:00
Rasmus Wriedt Larsen
a83bb39d0f Python: Merge SQLAlchemy TextClause injection into py/sql-injection 
As discussed in a meeting today, this will end up presenting an query
suite that's easier to use for customers.

Since https://github.com/github/codeql/pull/6589 has JUST been merged,
if we get this change in fast enough, no end-user will ever have run
`py/sqlalchemy-textclause-injection` as part of LGTM.com or Code
Scanning.
 2021-09-21 20:21:42 +02:00
Erik Krogh Kristensen
99ed4a1a89 add a bad-tag-filter query for Python and JavaScript 2021-09-21 15:04:03 +02:00
Erik Krogh Kristensen
8535e6f281 use toUnicode in RegexTreeView 2021-09-21 12:13:37 +02:00
Rasmus Wriedt Larsen
f8e6ba633a Python: Fix .expected for new subpaths query predicate 2021-09-21 09:40:13 +02:00
Rasmus Wriedt Larsen
c7c8e2f3e3 Merge branch 'main' into promote-sqlalchemy 2021-09-21 09:36:07 +02:00
Rasmus Lerchedahl Petersen
1c7982b319 Python: Move query tests over 2021-09-14 13:29:21 +02:00
Chris Smowton
38cc9bef02 ReDoS: fix unpaired surrogate test 
This actually does result in an FP, but this was previously hidden by non-interpretation of '\u' escapes within a raw string.
 2021-09-10 15:37:34 +01:00
Anders Schack-Mulligen
f30dad7705 Dataflow: Update test expected outputs. 2021-09-07 13:02:20 +02:00
Rasmus Wriedt Larsen
9f590dbf2d Python: Fix .expected 
After we now model `db.text()` calls from Flask-SQLAlchemy
 2021-09-02 16:04:25 +02:00
Rasmus Wriedt Larsen
f1744890b1 Python: Add tests for Flask-SQLAlchemy 2021-09-02 10:48:15 +02:00
Rasmus Wriedt Larsen
c34d6d1162 Python: Add query to handle SQLAlchemy TextClause Injection 
instead of doing this via taint-steps. See description in code/tests.
 2021-09-02 10:19:57 +02:00
yoff
2f5ed03798 Merge pull request #6323 from RasmusWL/sec-test-layout 
Python: Restructure security tests to contain query name
 2021-08-24 16:50:08 +02:00
Erik Krogh Kristensen
46959234b7 Merge pull request #6288 from erik-krogh/emptyRedos 
JS/Python: Fix FP in redos related to empty lookaheads
 2021-08-16 13:48:22 +02:00
Taus
e9a4114c04 Python: Hotfix: Disable ReDoS queries 2021-07-22 10:58:49 +00:00
Rasmus Wriedt Larsen
5249591747 Python: Fix test folder for InsecureProtocol 2021-07-19 16:57:00 +02:00
Rasmus Wriedt Larsen
5939128a76 Python: Fix test folder for InsecureDefaultProtocol 
it was named wrong before. whoops.
 2021-07-19 16:56:07 +02:00
Rasmus Wriedt Larsen
77021ae119 Python: Restructure security tests to contain query name 
We were mixing between things, so this is just to keep things
consistent. Even though it's not strictly needed for all queries,
it does look nice I think
 2021-07-19 16:54:34 +02:00
Rasmus Wriedt Larsen
da021feb8b Python: Move py/incomplete-hostname-regexp tests to own folder 2021-07-19 16:48:21 +02:00
Rasmus Wriedt Larsen
7939a1372e Python: Move Jinja2WithoutEscaping tests to own folder 2021-07-19 16:44:41 +02:00
Rasmus Wriedt Larsen
a07de3faae Merge branch 'main' into emptyRedos 2021-07-15 18:21:29 +02:00
Rasmus Wriedt Larsen
a5834c4d78 Python: Fix py/polynomial-redos 2021-07-15 14:16:19 +02:00
Rasmus Wriedt Larsen
76caf43b54 Python: Add tests for py/polynomial-redos 2021-07-15 14:15:44 +02:00
Rasmus Wriedt Larsen
1be0dc0876 Python: Move test for ReDoS 2021-07-15 14:15:24 +02:00