hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-20 10:46:30 +01:00
Code Issues Packages Projects Releases Wiki Activity
33,347 Commits 1,672 Branches 157 Tags
hmac-cli-injection-from-library-inputs
Commit Graph

716 Commits

Author SHA1 Message Date
Taus
7b877fb317 Merge pull request #8336 from tausbn/python-fix-a-bunch-of-ql-warnings 
Python: Fix a bunch of QL warnings
 2022-03-09 16:31:28 +01:00
Taus
d2603884ca Python: Fix a bunch of class QLDoc 2022-03-07 18:59:49 +00:00
Taus
af7f532212 Python: Fix up a bunch of function QLDoc 2022-03-07 18:59:49 +00:00
haby0
7e6666bc63 Merge branch 'main' into py/add-ssrf-sinks 2022-03-07 12:09:14 +08:00
Rasmus Wriedt Larsen
f620e2599d Merge branch 'main' into py/add-ssrf-sinks 2022-03-04 11:50:12 +01:00
Rasmus Wriedt Larsen
02a97b08bb Python: Move urllib and urllib2 to be part of stdlib modeling 2022-03-04 11:31:47 +01:00
Rasmus Wriedt Larsen
c65839bb77 Python: improve urllib3 modeling 2022-03-04 11:25:14 +01:00
Rasmus Wriedt Larsen
7d6d8be179 Python: Fix httpx modeling 2022-03-04 11:07:51 +01:00
Rasmus Wriedt Larsen
40feb1fb8d Python: SPURIOUS results for httpx 2022-03-04 11:03:32 +01:00
yoff
d0a393e8d1 Update python/ql/test/library-tests/frameworks/stdlib/XPathExecution.py 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2022-03-04 10:56:53 +01:00
Rasmus Lerchedahl Petersen
143e9ee954 Merge branch 'main' of github.com:github/codeql into python/promote-xpath-injection 2022-03-02 13:14:08 +01:00
Rasmus Lerchedahl Petersen
80be767a7a python: implement stdlib xpath support 2022-03-02 12:59:34 +01:00
Rasmus Lerchedahl Petersen
06e0f140c5 python: add tests for stdlib xpath 2022-03-02 12:58:37 +01:00
Rasmus Lerchedahl Petersen
f55d7d627e python: model XPathEvaluator 2022-03-01 14:40:13 +01:00
Rasmus Lerchedahl Petersen
3bb17be389 python: add concept and library tests 2022-03-01 14:39:28 +01:00
Arthur Baars
5ce6b847d1 Merge pull request #8166 from aibaars/regex-char-sequence-1 
Ruby/Python: regex parser: group sequences of 'normal' characters
 2022-02-28 17:47:53 +01:00
haby0
be40b54b9f add test 2022-02-28 20:34:58 +08:00
Arthur Baars
5044f89105 Ruby/Python re-introduce normalCharacterSequence 2022-02-25 18:43:43 +01:00
Arthur Baars
69ed121ecb Ruby/Python: regex parser: group sequences of 'normal' characters 2022-02-22 16:15:33 +01:00
Rasmus Wriedt Larsen
d2cd77aefb Merge branch 'main' into dataflow-improvements 2022-02-21 14:49:40 +01:00
Rasmus Wriedt Larsen
2e788ea86e Python: Accept deprecation warnings for old tests 2022-02-04 12:02:09 +01:00
Rasmus Wriedt Larsen
b2ce0fcb72 Python: Add post-update nodes to args of unresolved calls 
Besides solving the problem with `setattr`, it also solved some old
problems with json library modeling (yay).
 2022-02-04 11:51:53 +01:00
Rasmus Wriedt Larsen
301318020f Merge pull request #7455 from haby0/py/add-shutil-module-path-injection-sinks 
Python: Add shutil module sinks for path injection query
 2022-01-24 20:06:36 +01:00
Erik Krogh Kristensen
ddfc3bc00f use set literals instead of big disjunctions 2022-01-21 11:46:33 +01:00
Rasmus Wriedt Larsen
95e935e9c1 Python: Support SQLAlchemy scoped_session 2022-01-18 14:34:31 +01:00
haby0
759ec31508 Delete shutil_path_injection.py file 2022-01-06 21:38:35 +08:00
haby0
05b0daa0b7 Add the test of shutil module in FileSystemAccess.py 2022-01-06 14:14:42 +08:00
Rasmus Wriedt Larsen
6ce1524192 Python: Apply suggestions from code review 
Co-authored-by: yoff <lerchedahl@gmail.com>
 2021-12-16 15:19:37 +01:00
Rasmus Wriedt Larsen
f8fc583af3 Python: client request: getUrl => getAUrlPart 
I think `getUrl` is a bit too misleading, since from the name, I would
only ever expect ONE result for one request being made.

`getAUrlPart` captures that there could be multiple results, and that
they might not constitute a whole URl.

Which is the same naming I used when I tried to model this a long time ago
a80860cdc6/python/ql/lib/semmle/python/web/Http.qll (L102-L111)
 2021-12-15 21:55:04 +01:00
Rasmus Wriedt Larsen
6f81685f48 Python: Add modeling of http.client.HTTPResponse 2021-12-15 21:55:04 +01:00
Rasmus Wriedt Larsen
a5bae30d81 Python: Add tests of http.client.HTTPResponse 2021-12-15 20:39:46 +01:00
Rasmus Wriedt Larsen
cf2ee0672f Python: Model requests Responses 2021-12-13 15:09:46 +01:00
Rasmus Wriedt Larsen
35cba17642 Python: Consider taint of client http requests 2021-12-13 14:56:16 +01:00
Rasmus Wriedt Larsen
b68d280129 Python: Add modeling of requests 2021-12-13 14:56:16 +01:00
Rasmus Wriedt Larsen
1ff56d5143 Python: Add tests of requests 
Also adjusts test slightly. Writing
`clientRequestDisablesCertValidation=False` to mean that certificate
validation was disabled by the `False` expression is just confusing, as
it easily reads as _certificate validate was NOT disabled_ :|

The new one ties to each request that is being made, which seems like
the right setup.
 2021-12-13 14:07:32 +01:00
yoff
d8857c7ce8 Merge pull request #7246 from tausbn/python/import-star-flow 
Python: Support flow through `import *`
 2021-12-10 16:34:32 +01:00
yoff
8e11c2c476 Merge pull request #7259 from RasmusWL/even-more-path-injection-sinks 
Python: Add more path-injection sinks from `os` and `tempfile` modules
 2021-12-09 14:46:41 +01:00
Nick Rolfe
05415768c9 Merge remote-tracking branch 'origin/main' into nickrolfe/regexp_g_anchor 2021-12-02 12:07:13 +00:00
yoff
f10f053c36 Merge pull request #7228 from RasmusWL/fastapi-improvements 
Python: FastAPI improvements
 2021-12-02 12:58:53 +01:00
yoff
19802ccb73 Merge pull request #7046 from RasmusWL/django-own-json-response 
Python: Add test with custom django json response (FP)
 2021-11-29 16:05:20 +01:00
Rasmus Wriedt Larsen
cbd7434a7e Python: Add modeling of tempfile module 2021-11-29 15:08:36 +01:00
Rasmus Wriedt Larsen
b68538376c Python: Add tests of tempfile module 2021-11-29 15:08:36 +01:00
Rasmus Wriedt Larsen
58f92764f7 Python: Model more file access from os module 2021-11-29 14:54:02 +01:00
Rasmus Wriedt Larsen
e79b8f3e23 Python: Treat os.exec*, os.spawn*, and os.posix_spawn* as FileSystemAccess 2021-11-29 14:54:02 +01:00
Rasmus Wriedt Larsen
d2d5cce787 Python: Recognize keyword arguments for os.*spawn* calls 2021-11-29 14:54:02 +01:00
Rasmus Wriedt Larsen
14590436f9 Python: Expand tests for os.exec*, os.spawn*, and os.posix_spawn* 2021-11-29 14:54:02 +01:00
Rasmus Wriedt Larsen
50d3592ad3 Python: Add more complete tests of os module 
I went through https://docs.python.org/3.10/library/os.html in order,
and added all the functions that works on paths.

`lstat` and `statvfs` were already modeled, but did not have any tests.
 2021-11-29 14:54:02 +01:00
Rasmus Wriedt Larsen
a91208fd2c Python: Fix kwarg modeling for os.path.isdir 2021-11-29 14:54:02 +01:00
Rasmus Wriedt Larsen
36f14b31bc Python: Add explicit tests for kwargs 
I also renamed the arguments to match what the keyword argument is
called. It doesn't matter too much for these specific tests, but for the
tests I'm about to add, it makes things a lot easier to get an overview
of.

Oh, and a test failure :O
 2021-11-29 14:54:02 +01:00
Rasmus Wriedt Larsen
82602014ad Python: Minor refactor to use os.path.<func> 
Since that's the idiomatic way to use this module
 2021-11-29 14:54:02 +01:00