hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-21 11:16:30 +01:00
Code Issues Packages Projects Releases Wiki Activity
32,907 Commits 1,672 Branches 157 Tags
codeql-cli-2.8.2
Commit Graph

4792 Commits

Author SHA1 Message Date
yoff
e3b3825ab0 Merge pull request #5151 from RasmusWL/django-get-redirect-url 
Python: Model get_redirect_url in django
 2021-02-25 23:07:33 +01:00
Rasmus Wriedt Larsen
81b29316e1 Merge pull request #4737 from yoff/python-dataflow-add-cast-nodes 
Python: Force read- and store steps to add nodes.
 2021-02-25 14:28:54 +01:00
Taus
d326d40d71 Merge pull request #5252 from RasmusWL/test-cleanup 
Python: Minor cleanup of test setup
 2021-02-25 13:33:10 +01:00
Taus
01d581ecf3 Merge pull request #5250 from tausbn/python-port-re-security-queries 
Python: Port URL sanitisation queries to API graphs
 2021-02-25 13:13:55 +01:00
Rasmus Lerchedahl Petersen
64c0eaf305 Python: Update test expectations 2021-02-25 11:49:57 +01:00
yoff
f15084254b Add comment explaining tacky nature of code 2021-02-25 11:49:57 +01:00
Rasmus Lerchedahl Petersen
5b51a3461d Python: Force read- and store steps to add nodes. 
This gives muche nicer path explanations on some snapshots.
It is achieved by making stepped-to nodes `CastNode`s.
This seems somewhat reasonable as types then to change, when we move
between content and container.
We could probably refine it, though.
 2021-02-25 11:49:57 +01:00
Rasmus Wriedt Larsen
4610b1b392 Pyhton: Use type back-tracking for keysize on key-generation 
Internal evaluation showed that this didn't perform better than normal (forward)
type-tracking, but it feels more like the right approach.
 2021-02-25 11:31:00 +01:00
Rasmus Wriedt Larsen
c195c64982 Python: Use type-tracking for integer literal tracking 
Like we've done for pretty much everything else. An experiment to see what this
means for query performance.
 2021-02-25 11:30:56 +01:00
Rasmus Wriedt Larsen
27987717dc Merge branch 'main' into crypto 2021-02-25 11:30:32 +01:00
Rasmus Lerchedahl Petersen
aba22689fa Python: Add change note 2021-02-25 09:25:17 +01:00
Rasmus Lerchedahl Petersen
86cec40286 Python: update test 2021-02-25 09:22:57 +01:00
Rasmus Lerchedahl Petersen
780a6a96f8 Python: Add concept tests 2021-02-25 08:54:42 +01:00
Rasmus Lerchedahl Petersen
41743b6afa Python: restrict to caught exceptions 
also modernise code
 2021-02-25 07:53:35 +01:00
Rasmus Lerchedahl Petersen
24b51e8851 Merge branch 'main' of github.com:github/codeql into python-port-stacktrace-exosure 2021-02-25 07:24:41 +01:00
Rasmus Lerchedahl Petersen
76f080978a Python: Add missing QLDoc 2021-02-24 23:35:44 +01:00
Rasmus Lerchedahl Petersen
192988077e Python: Move <ul> outside of <p> 2021-02-24 23:28:13 +01:00
Rasmus Lerchedahl Petersen
bf3e5fceea Python: Rearrange directories 2021-02-24 22:07:27 +01:00
Rasmus Lerchedahl Petersen
10657160bc Python: Improve qlhelp according to review 2021-02-24 22:02:16 +01:00
yoff
89d0724fb4 Update python/change-notes/2021-02-23-port-insecure-default-protocol.md 
Co-authored-by: Felicity Chapman <felicitymay@github.com>
 2021-02-24 19:57:49 +01:00
CodeQL CI
bf66bdbb95 Merge pull request #5253 from RasmusWL/no-getAnArg 
Approved by tausbn
 2021-02-24 06:34:31 -08:00
Rasmus Wriedt Larsen
d05a8b8c46 Python: Remove getAnArg in DataFlow::CallCfgNode 
Until we've had further discussion on what is the right approach to
naming (internal discussion in https://github.com/github/codeql-python-team/issues/95)
 2021-02-24 14:58:48 +01:00
Rasmus Wriedt Larsen
a6e5ec2e09 Python: Port py/flask-debug 2021-02-24 11:37:25 +01:00
Rasmus Wriedt Larsen
0cad5ce5ca Python: Expand py/flask-debug tests a bit 2021-02-24 11:35:17 +01:00
Taus Brock-Nannestad
404649d5f1 Python: Get rid of superfluous options file 2021-02-24 11:24:43 +01:00
Rasmus Wriedt Larsen
5c6989cf02 Revert "Python: Accept RequestWithoutValidation expected output change" 
Apparently CI is able to produce the ../ path, I have absolutely no clue what is
goign on...
 2021-02-24 11:14:18 +01:00
yoff
8262f0343b Merge pull request #5208 from RasmusWL/flask-clean-models 
Python: Cleanup Flask models now that we have API graphs
 2021-02-24 10:36:30 +01:00
Taus Brock-Nannestad
af644a0adb Python: Decrease import depth in regex tests 
These were increased because of the indirection needed to get to the
regex flags, but as we no longer rely on this, we can make do with a
smaller import depth.
 2021-02-24 10:23:01 +01:00
Rasmus Wriedt Larsen
5bb4a1a45a Python: Use explicit argument specification instead of getAnArg 
I've seen quite a few places where `getAnArg` leads to wrong behavior, and I
generally just don't like it.
 2021-02-24 10:19:34 +01:00
Taus Brock-Nannestad
e77c1059a3 Python: Use source nodes and prevent bad join order 2021-02-24 10:18:54 +01:00
Taus Brock-Nannestad
cac6c4acc9 Python: Add deprecation notice to mode_from_mode_object 2021-02-24 10:18:21 +01:00
Rasmus Wriedt Larsen
0b9a65d234 Python: Accept RequestWithoutValidation expected output change 
I have no clue why this changed, but since it's only the `..` part, I guess
we'll live with it
 2021-02-24 10:13:25 +01:00
Rasmus Wriedt Larsen
cef37d19ce Python: Split CWE-295 tests 
Mostly just because it's nice. But now we can avoid having the same `options`
files for the tests.
 2021-02-24 10:12:45 +01:00
Rasmus Wriedt Larsen
0ffc801f9b Python: Remove options for InsecureTemporaryFile tests 2021-02-24 09:57:51 +01:00
yoff
c3d2001e85 Merge pull request #5251 from tausbn/python-port-missing-host-key-validation-query 
Python: Port missing host key validation query
 2021-02-24 08:43:52 +01:00
Taus Brock-Nannestad
2942a11a69 Python: Import API graphs privately 2021-02-23 22:45:39 +01:00
Taus Brock-Nannestad
f241dbabab Python: Clean up query a bit 2021-02-23 22:33:18 +01:00
Taus Brock-Nannestad
002d0fe565 Python: Port missing host key query 2021-02-23 22:26:03 +01:00
Taus Brock-Nannestad
e812eb777d Python: Port URL sanitisation queries to API graphs 
Really, this boils down to "Port `re` library model to use API graphs
instead of points-to", which is what this PR actually does.

Instead of using points-to to track flags, we use a type tracker. To
handle multiple flags at the same time, we add additional flow from

`x` to `x | y` and `y | x`

and, as an added bonus, the above with `+` instead of `|`, neatly
fixing https://github.com/github/codeql/issues/4707

I had to modify the `Qualified.ql` test slightly, as it now had a
result stemming from the standard library (in `warnings.py`) that
points-to previously ignored.

It might be possible to implement this as a type tracker on
`LocalSourceNode`s, but with the added steps for the above operations,
this was not obvious to me, and so I opted for the simpler
"`smallstep`" variant.
 2021-02-23 22:02:35 +01:00
Rasmus Wriedt Larsen
358ade67e5 Merge pull request #5248 from tausbn/python-port-insecure-temporary-file 
Python: Port `py/insecure-temporary-file`
 2021-02-23 21:37:59 +01:00
Taus Brock-Nannestad
b8ce5e969e Python: Port py/insecure-temporary-file 2021-02-23 20:02:22 +01:00
yoff
9eed17f647 Merge pull request #5152 from RasmusWL/improve-pyyaml-support 
Python: Improve pyyaml support
 2021-02-23 19:58:04 +01:00
Rasmus Lerchedahl Petersen
6abbb5040c Python: add change note 2021-02-23 19:54:09 +01:00
Rasmus Lerchedahl Petersen
b28544da9c Python: Port insecure default protocol 
- use API graphs
- update .qlhelp-file
- limit to versions below 3.4
- move tests to its own directory to only test on old version
 2021-02-23 19:41:36 +01:00
Rasmus Wriedt Larsen
a09f8c4b4a Python: Port bind-to-all-interfaces to type-tracking 2021-02-23 16:01:24 +01:00
Rasmus Wriedt Larsen
4026d54095 Python: Expand bind-to-all-interfaces tests slightly 2021-02-23 15:53:47 +01:00
Rasmus Wriedt Larsen
fd18fd8403 Python: Apply suggestions from code review 
Co-authored-by: Felicity Chapman <felicitymay@github.com>
 2021-02-23 15:24:52 +01:00
Rasmus Wriedt Larsen
6e2445cce6 Python: Apply suggestions from code review 
Co-authored-by: yoff <lerchedahl@gmail.com>
 2021-02-23 15:19:29 +01:00
Rasmus Wriedt Larsen
42de872bfa Python: Add INTERNAL annotation to Response::InstanceSource 
Since we need to reserve the flexibility to change this setup within the next
few months, we don't want to commit to keeping this extension point around for
the 12 months that the normal API deprecation cycle requires.
 2021-02-23 15:10:58 +01:00
Rasmus Wriedt Larsen
8ebedf26d2 Python: Add comment for MethodView being known subclass 2021-02-23 15:08:07 +01:00