hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-19 10:23:15 +01:00
Code Issues Packages Projects Releases Wiki Activity
29,708 Commits 1,671 Branches 157 Tags
henrymercer/js-atm-update-api-graphs-usage
Commit Graph

4508 Commits

Author SHA1 Message Date
Rasmus Wriedt Larsen
7a5fd02442 Python: API graph tests: add --max-import-depth=1 
Before this, I ended up extracting 454 modules locally 😱
 2021-05-21 15:58:15 +02:00
Rasmus Wriedt Larsen
9a4709c134 Python: API graph tests: Disallow results outside project 
Running the tests locally would result in thousands of results before
this 😱
 2021-05-21 15:57:10 +02:00
Evgenii Protsenko
1e40213abb use <class> instead of <class>::Range 2021-05-20 22:56:08 +03:00
Rasmus Wriedt Larsen
f17fe442a2 Python: Expand test of py/use-of-input 2021-05-20 14:52:10 +02:00
Rasmus Wriedt Larsen
0292ca6b67 Merge pull request #5880 from tausbn/python-limit-builtins 
Python: Limit set of globals that may be built-ins
 2021-05-20 14:47:22 +02:00
Tom Hvitved
2a7ceb2e19 Merge pull request #5928 from hvitved/python/type-tracker-split 
Python: Split up `(small)step` into intra/interprocedural predicates
 2021-05-20 14:13:44 +02:00
Tom Hvitved
1fc95a68ca Python: Add more type tracking QL doc 2021-05-20 13:47:23 +02:00
Taus
c4bb3c27e0 Python: Update python/ql/src/semmle/python/ApiGraphs.qll 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2021-05-20 13:14:09 +02:00
CodeQL CI
17afbdf258 Merge pull request #5635 from RasmusWL/port-weak-crypto-algorithm 
Approved by yoff
 2021-05-20 01:22:32 -07:00
Tom Hvitved
f63c1d2383 Python: Split up (small)step into intra/interprocedural predicates 2021-05-19 19:59:25 +02:00
Anders Schack-Mulligen
4406b8e339 Dataflow: Sync. 2021-05-19 19:22:36 +02:00
Rasmus Wriedt Larsen
753dca91b1 Python: weak-crypto: Make algorithm selection less brittle 
As discussed in https://github.com/github/codeql/pull/5635#discussion_r633477154
 2021-05-19 17:47:09 +02:00
Rasmus Wriedt Larsen
22d4d7956a Python: Fix typo in QLDoc 2021-05-19 17:47:05 +02:00
Rasmus Wriedt Larsen
8d1e7da851 Python: Apply suggestions from code review 
Co-authored-by: yoff <lerchedahl@gmail.com>
 2021-05-19 17:42:46 +02:00
Rasmus Wriedt Larsen
61ad5d0673 Python: Allow printing PostUpdateNode in ConceptsTest.qll 
See how this works in `test_json.py`
 2021-05-19 17:10:33 +02:00
Rasmus Wriedt Larsen
9dbb364cca Python: Move json tests to be part of stdlib 
This is better, since the modeling is also part of Stdlib.qll
 2021-05-19 17:10:33 +02:00
Rasmus Wriedt Larsen
51a25e45fe Python: Use shared prettyExpr in ConceptsTest.qll 
This required quite some changes in the expected output. I think it's much more
clear what the selected nodes are now 👍 (but it was a bit boring work to fix
this up)
 2021-05-19 17:10:33 +02:00
Rasmus Wriedt Larsen
1af6d97c51 Python: Remove straggling f-: annotations 2021-05-19 17:10:33 +02:00
Rasmus Wriedt Larsen
f66dccafda Python: Rename prettyExp => prettyExpr 
So we're consistenly using `expr` and not leaving our the `r`.
 2021-05-19 17:10:33 +02:00
Taus
75a43e76e8 Python: Address review comments. 
- Removes the version check on the set of built-in names.
- Renames the predicate used to represent said set.
- Documents how these lists of names were obtained.
- Gets rid of a superfluous import.
 2021-05-19 11:54:47 +00:00
Rasmus Wriedt Larsen
c4987e94e0 Python: Re-introduce syntactic handling of str/bytes/unicode 
I don't want to loose results on this, so until type-tracking/API graphs
can handle this, I want to keep our syntactic handling.
 2021-05-19 13:00:11 +02:00
Rasmus Wriedt Larsen
aa8b7306a3 Python: Use more API graphs in TaintTrackingPrivate 
But now we suddenly don't handle the call to `unicode` :O -- at least
not when I run the test locally (using Python 3).
 2021-05-19 12:59:58 +02:00
Rasmus Wriedt Larsen
a2e8417c11 Python: Use API graphs in TaintTrackingPrivate 
Some of this modeling could probably go to the standard lib modeling
file, but this chain of commits is already pretty feature creep :|
 2021-05-19 12:39:10 +02:00
Rasmus Wriedt Larsen
53f1d2342d Python: Small refactor of TaintTrackingPrivate 
Highlight why we need to import `DataFlowPrivate`
 2021-05-19 12:19:18 +02:00
Rasmus Wriedt Larsen
3f5602c048 Python: Refactoring of TaintTrackingPrivate 
To use all the good new stuff 🎉
 2021-05-19 12:13:04 +02:00
Rasmus Wriedt Larsen
b02fb90807 Python: Add getObject(string attrName) to AttrRef 
Now that I got started adding small things that are nice, I've been
missing this one (that is available on an `AttrNode`).
 2021-05-19 12:11:49 +02:00
Rasmus Wriedt Larsen
9137f04bd3 Python: Add getPostUpdateNode to DataFlow::Node 
as discussed in https://github.com/github/codeql/pull/5864#discussion_r634675940
 2021-05-19 11:57:49 +02:00
CodeQL CI
23e8092452 Merge pull request #5864 from RasmusWL/some-framework-modeling 
Approved by tausbn
 2021-05-19 02:31:06 -07:00
Rasmus Wriedt Larsen
904eacf9a2 Python: Use absolute import for PEP249 2021-05-19 11:10:06 +02:00
yoff
60da193620 Update python/ql/src/semmle/python/frameworks/Cryptodome.qll 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2021-05-19 08:08:59 +02:00
Evgenii Protsenko
af75d85b2e ClickHouseSQLInjection.qll : add tests 2021-05-18 22:49:11 +03:00
Rasmus Wriedt Larsen
97fadd9970 Merge branch 'main' into port-weak-crypto-algorithm 2021-05-18 14:04:18 +02:00
Rasmus Wriedt Larsen
6c755024ac Python: Refactor code, inline some type-tracking 2021-05-18 14:03:36 +02:00
Rasmus Wriedt Larsen
770429fd68 Python: Autoformat 2021-05-18 14:02:46 +02:00
Rasmus Wriedt Larsen
9156316b14 Python: Apply suggestions from code review 
Co-authored-by: yoff <lerchedahl@gmail.com>
 2021-05-18 11:53:11 +02:00
Rasmus Wriedt Larsen
0ade23ab2a Python: Apply suggestions from code review 
Co-authored-by: yoff <lerchedahl@gmail.com>
 2021-05-18 11:49:59 +02:00
CodeQL CI
12b1bbe484 Merge pull request #5897 from erik-krogh/uid 
Approved by RasmusWL, esbena
 2021-05-17 06:01:04 -07:00
Robin Neatherway
f378513ea3 Add lines-of-code tags 
This is a proposed method for advertising which queries are measuring
the lines of code in a project in a more robust manner than inspecting
the rule id.

Note that the python "LinesOfUserCode" query should _not_ have this
property, as otherwise the results of the two queries will be summed.
 2021-05-14 11:20:43 +01:00
Erik Krogh Kristensen
9d60ec035f fix casing on the uid regexp 2021-05-13 23:04:30 +02:00
Erik Krogh Kristensen
662e335424 keep python in sync 2021-05-13 22:54:39 +02:00
Taus
79cfe5aca2 Python: Limit py/use-of-input to Python 2 2021-05-12 21:23:16 +00:00
Taus
fad55b3635 Python: Reimplement py/use-of-input 2021-05-12 21:09:51 +00:00
Evgenii Protsenko
470e3eb089 [python] ClickHouseDriver.qll: add support for subclasses 2021-05-13 00:03:53 +03:00
Evgenii Protsenko
2efa0ad105 [C++] Implement module ClickHouseDriver.qll 2021-05-12 22:36:24 +03:00
Taus
fe12e620dd Python: Avoid clobbering range in test 
This was an unwanted interaction between two unrelated tests, so I
switched to a different built-in in the second test. I also added a test
case that shows an unfortunate side effect of this more restricted
handling of built-ins.
 2021-05-12 18:42:10 +00:00
Taus
ff2b6b9737 Python: Correctly locate stores to built-ins 2021-05-12 18:07:18 +00:00
Taus
3d30efed11 Python: Add exec as a shared built-in 
This is _slightly_ wrong, since `exec` isn't a built-in function in
Python 2. It should be harmless, however, since `exec` is a keyword,
and so cannot be redefined anyway.
 2021-05-12 11:07:16 +00:00
Taus
5c7e73d485 Python: Add exception types 2021-05-12 09:53:09 +00:00
Taus
07a70af344 Python: Limit set of globals that may be built-ins 
I am very tempted to leave out the constants, or at the very least
`False`, `True`, and `None`, as these have _many_ occurrences in the
average codebase, and are not terribly useful at the API-graph level.

If we really do want to capture "nodes that refer to such and such
constant", then I think a better solution would be to create classes
extending `DataFlow::Node` to facilitate this.
 2021-05-12 08:19:35 +00:00
Anders Schack-Mulligen
74ae2e0857 Merge pull request #5773 from hvitved/dataflow/aggressive-caching 
Data flow: Cache most language-dependent predicates
 2021-05-12 09:41:55 +02:00