hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-20 02:44:30 +01:00
Code Issues Packages Projects Releases Wiki Activity
29,708 Commits 1,672 Branches 157 Tags
henrymercer/js-atm-update-api-graphs-usage
Commit Graph

4508 Commits

Author SHA1 Message Date
Rasmus Wriedt Larsen
141e2665ea Python: Align ViewClass naming with django 
Just as part of tyding up
 2021-02-18 15:10:21 +01:00
Rasmus Wriedt Larsen
19b7ea8d85 Python: Align flask taint modeling with rest of code 
This was a good time to do this, so we don't have 2 different ways of doing the
same thing.

I needed to do this to figure out if we should expose
`API::moduleImport("flask").getMember("request")` in a helper predicate or
not. I think I ended up using more refenreces to this in the end. Although it's
not unreasonable to let someone do this themselves, I also think it's reasonable
that we provide a helper predicate for this.
 2021-02-18 15:04:07 +01:00
Rasmus Wriedt Larsen
ba61099172 Python: flask.make_response as InstanceSource of flask.Response 2021-02-18 12:52:59 +01:00
Rasmus Wriedt Larsen
e3d530dbbc Python: Flask: Remove more type-tracking helper predicates 2021-02-18 12:13:47 +01:00
Rasmus Wriedt Larsen
e4ea5f25dc Python: Flask: Moderize app and blueprint 2021-02-18 12:09:37 +01:00
Rasmus Wriedt Larsen
7de488b987 Python: Flask: Moderize views 2021-02-18 12:05:56 +01:00
CodeQL CI
d94f20ff2f Merge pull request #5194 from RasmusWL/type-tracking-snippets 
Approved by tausbn
 2021-02-18 02:13:21 -08:00
Taus Brock-Nannestad
23e9785efd Python: Add missing QLDoc 2021-02-17 21:38:48 +01:00
Taus Brock-Nannestad
99f3a61f61 Python: Add TypeBackTracker 
This is a fairly straight port of the JS equivalent. Also adds
`Node::getALocalSourceNode` which seems like it might come in handy.
 2021-02-17 21:14:20 +01:00
Rasmus Wriedt Larsen
4880350420 Python: Add a single missing QLDoc 2021-02-17 16:33:12 +01:00
Rasmus Wriedt Larsen
7afe3972d8 Revert "Merge pull request #5171 from RasmusWL/restructure-queries" 
This reverts commit 8caafb3710, reversing
changes made to ec79094957.
 2021-02-17 16:32:53 +01:00
Rasmus Wriedt Larsen
63a09fccdd Python: Use this = <...>.getACall() for DataFlow::CallCfgNode 
I think this reads a bit cleaner
 2021-02-17 14:43:48 +01:00
Taus
ce1d8ded22 Merge pull request #5192 from RasmusWL/framework-for-routed-params 
Python: Expose framework identifier for route-setup and request handler
 2021-02-17 13:19:43 +01:00
Rasmus Wriedt Larsen
0cdb5c48cf Python: Remove type-tracking snippets for framework modeling 
We won't need these anymore, since we can now use API graphs
 2021-02-17 13:14:23 +01:00
Rasmus Wriedt Larsen
a4de88d39c Python: Update type-tracking snippet 
based on what I learned in https://github.com/github/codeql/pull/5184
 2021-02-17 13:13:25 +01:00
Rasmus Wriedt Larsen
eee49cde85 Merge pull request #5184 from tausbn/python-move-type-tracker-tests-to-source-nodes 
Python: Use `LocalSourceNode` in type tracker tests
 2021-02-17 12:13:47 +01:00
Taus
8caafb3710 Merge pull request #5171 from RasmusWL/restructure-queries 
Python: Restructure query file layout
 2021-02-17 12:09:32 +01:00
Rasmus Wriedt Larsen
cf9ad0cdc5 Python: Move ExternalAPI queries back under Security 
This was raised as a question at review, and I don't really have a good enough
argument for moving it under POI. At the end of the day, they are _security_
related enough I guess :)
 2021-02-17 11:29:33 +01:00
Rasmus Wriedt Larsen
dec026a820 Python: Fix security qlref to have single empty line 2021-02-17 11:26:02 +01:00
Rasmus Wriedt Larsen
1adb510578 Python: Add a single missing QLDoc 2021-02-17 11:24:11 +01:00
Rasmus Wriedt Larsen
2927d888cf Python: Fix location of PathInjection tests 2021-02-17 11:20:00 +01:00
Rasmus Wriedt Larsen
d98aae9fc1 Python: Expose framework identifier for route-setup and req handler 
This makes collecting metrics on framework coverage a bit simpler (specifically
giving the RoutedParameter class a more descriptive result for getSourceType).

I guess it can also help a bit when trying to get an overview of a new DB, but
making metrics collection easier is my main motivation for this.
 2021-02-16 23:44:03 +01:00
Taus
36be72972d Merge pull request #2663 from tausbn/python-type-annotation-reuse-fp 
Python: Add false positive test example for issue #2652.
 2021-02-16 18:46:15 +01:00
Taus Brock-Nannestad
04eb0c774c Python: Use LocalSourceNode in type tracker tests 
One minor change to the tests results needed: there is no longer local
flow going into the `ModuleVariableNode` for `attr_ref` in the
`moduleattr.ql` test, but I think this is reasonable.
 2021-02-16 18:25:54 +01:00
Rasmus Wriedt Larsen
bc8e61366b Python: Clarify comment about flask blueprint URL prefixes 2021-02-16 15:29:25 +01:00
Rasmus Wriedt Larsen
1e1cb87436 Python: Model flask blueprints 2021-02-16 15:26:51 +01:00
Rasmus Wriedt Larsen
b7ea469e26 Python: Add tests for flask blueprints 2021-02-16 15:03:00 +01:00
Rasmus Wriedt Larsen
bf401c7498 Merge pull request #5103 from tausbn/python-port-flask-to-api-graphs 
Python: Port Flask models to use API graphs
 2021-02-16 15:00:46 +01:00
Rasmus Wriedt Larsen
8494fcf45f Python: Move query tests to reflect new file layout 2021-02-16 13:15:01 +01:00
Rasmus Wriedt Larsen
1d6f9bee08 Python: Update qlrefs 2021-02-16 11:48:36 +01:00
Rasmus Wriedt Larsen
3a18881660 Python: Restructure query file location 
Since I can never remember the CWE numbers
 2021-02-16 11:36:10 +01:00
Rasmus Wriedt Larsen
1961ec6e8d Merge pull request #5159 from tausbn/python-unknown-argument-in-format-string-fp 
Python: Add FP test for unknown argument in string format
 2021-02-15 14:39:10 +01:00
Rasmus Wriedt Larsen
69e081e897 Python: Apply code-review suggestion 
Co-authored-by: Felicity Chapman <felicitymay@github.com>
 2021-02-15 14:38:20 +01:00
Taus
2ca12aa612 Update python/ql/src/semmle/python/dataflow/new/internal/DataFlowPublic.qll 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2021-02-15 14:21:12 +01:00
Taus Brock-Nannestad
27c479a8ba Python: Limit RequestInputAccess to immediate uses 
This fixes some spurious results that occurred when we considered
_any_ use of `request.something` to be a source, even ones we had
tracked into other functions. To prevent this, using
`getAnImmediateUse` better captures the fact that we want the source
to be just the actual attribute access.
 2021-02-15 13:51:29 +01:00
Rasmus Wriedt Larsen
745148474a Python: Model get_redirect_url in django 2021-02-15 10:55:52 +01:00
Rasmus Wriedt Larsen
6934d5e642 Python: Add django test of RedirectView subclass 2021-02-15 10:55:51 +01:00
Rasmus Wriedt Larsen
79855157b3 Python: Move django response test to django v2/v3 
That's really the django version I care about :P
 2021-02-15 10:55:50 +01:00
Rasmus Wriedt Larsen
2478a9f10e Python: Fix wording of change-note 2021-02-14 23:20:46 +01:00
CodeQL CI
178c54e69b Merge pull request #5139 from RasmusWL/django-improvements 
Approved by yoff
 2021-02-14 02:16:52 -08:00
Taus Brock-Nannestad
2632422783 Python: Add FP test for unknown argument in string format 
Reported in https://github.com/github/codeql/issues/2650

I found this during a bit of spring cleaning in my working
directory. As this doesn't have any immediate security implications, I
don't know when we'll get round to fixing it, but it can't hurt to
have the test case checked in.
 2021-02-12 19:28:12 +01:00
Rasmus Wriedt Larsen
10fdc4bfb9 Python: Add support for more yaml loading functions 2021-02-12 12:30:00 +01:00
Rasmus Wriedt Larsen
2021cdbe33 Python: Add tests for more yaml loading functions 2021-02-12 12:30:00 +01:00
Rasmus Wriedt Larsen
f328e84bd2 Python: Mention yaml.safe_load in the qhelp 2021-02-12 12:29:55 +01:00
Rasmus Wriedt Larsen
1651f81ac8 Python: Refactor to avoid confusing name 
After discussion with @yoff
 2021-02-12 12:19:37 +01:00
Rasmus Wriedt Larsen
ed2dc5f6ad Python: Fix date for change-note 2021-02-12 10:26:31 +01:00
Rasmus Lerchedahl Petersen
cfa72af12c Python: Update test expectation to new format 2021-02-12 09:30:12 +01:00
Taus Brock-Nannestad
4c66071f5f Python: Revert "Python: Support moduleImport("dotted.name") in API graphs" 
This reverts commit 2c4a477a4e.

It's probably best _not_ to do this, as any `getMember` cycle in the
API graph will lead to nontermination.
 2021-02-11 16:08:28 +01:00
Taus Brock-Nannestad
ea30598a08 Python: Split dotted names more efficiently 2021-02-11 16:07:39 +01:00
Rasmus Wriedt Larsen
c57a4df819 Python: Model taint of self.request on django view class 2021-02-10 17:48:48 +01:00