hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-19 10:23:15 +01:00
Code Issues Packages Projects Releases Wiki Activity
81,482 Commits 1,671 Branches 157 Tags
move-cors-query-from-experimental2
Commit Graph

4711 Commits

Author SHA1 Message Date
Rebecca Valentine
cf4b7e1270 Swaps arg_count globally 2020-02-25 10:50:30 -08:00
Rebecca Valentine
c2a3af7e67 Adds objectapi suffix to private predicates 2020-02-25 10:48:29 -08:00
Rebecca Valentine
930228acc5 Un-autoformats 2020-02-25 09:52:46 -08:00
Rebecca Valentine
3e53e462d6 changes indents to 4 2020-02-25 09:46:21 -08:00
Rebecca Valentine
04951faf86 autoformat 2020-02-25 09:43:51 -08:00
Taus Brock-Nannestad
35ada17e2a Python: Use object as default return type for built-ins. 2020-02-25 16:31:40 +01:00
Rasmus Wriedt Larsen
8f70101572 Python: docs: Use <code> tag consistently in UseofInput.qhelp 2020-02-25 15:40:08 +01:00
yo-h
43bcd5b26c Add guidelines for experimental CodeQL queries and libraries 2020-02-24 15:08:31 -05:00
Rasmus Wriedt Larsen
9d629aef95 Python: Highlight py/use-of-input is for Python 2 2020-02-24 15:13:19 +01:00
Taus
285be2893c Merge pull request #2893 from BekaValentine/python-objectapi-to-valueapi-unnecessarylambda 
Python: ObjectAPI to ValueAPI: UnnecessaryLambda
 2020-02-21 22:23:02 +01:00
Taus
e444fb8bfa Merge pull request #2818 from BekaValentine/objectapi-to-valueapi-hashedbutnohash 
Python: ObjectAPI to ValueAPI: HashedButNoHash
 2020-02-21 22:19:58 +01:00
Rasmus Wriedt Larsen
bfa7553095 Python: urlsplit sanitizer handles in [KNOWN_VALUE] 2020-02-21 16:03:29 +01:00
Rasmus Wriedt Larsen
31ff652cb3 Python: Make Sanitizer available for urlsplit taint 
It isn't used by default, it has to *actively* be enabled.
 2020-02-21 15:18:53 +01:00
Rasmus Wriedt Larsen
abbc9293db Merge pull request #2891 from tausbn/python-special-operations 
Python: Add AST support for special operations.
 2020-02-21 13:16:22 +01:00
Rebecca Valentine
2b1d9c8d16 Updates last library difference 
I'm not entirely sure if `getLiteralObject` and `getLiteralValue` are equivalent, and there don't see to be library tests for this
 2020-02-20 20:20:56 -08:00
Rebecca Valentine
210387a8be Adds bulk of modernizations 2020-02-20 17:32:42 -08:00
Rebecca Valentine
df7f43ee86 Adds modernization 2020-02-20 17:07:56 -08:00
Rebecca Valentine
376638e9c0 Move query over to Rasmus's API for NumericValue 2020-02-20 16:18:54 -08:00
Rebecca Valentine
ab1fcb32ae autoformats 2020-02-20 16:17:43 -08:00
Rebecca Valentine
5d9d724d43 Removes conflicting NumericValue definition 2020-02-20 16:17:33 -08:00
Rebecca Valentine
28be3b47fc Replaces name-reference to the class with canonical predicate. 2020-02-20 15:41:51 -08:00
Rebecca Valentine
5acd982d59 Swaps ...obj for ...val 2020-02-20 15:41:51 -08:00
Rebecca Valentine
96b8d78650 Adds modernized files. 2020-02-20 15:41:51 -08:00
Taus Brock-Nannestad
913db460b2 Python: Add AST support for special operations. 
These have the form `$name(arg1, arg2, ...)` and currently have no semantics.
They may be useful for testing purposes, however.
 2020-02-20 18:05:37 +01:00
Rasmus Wriedt Larsen
1029f04e76 Python: TarSlip sanitizer: handle not 2020-02-20 16:27:54 +01:00
Rasmus Wriedt Larsen
3c317ed0e6 Python: TarSlip sanitizer: only clear taint on false edge 
maybe it was on purpose, will have to investigate FPs when query is good
 2020-02-20 16:11:24 +01:00
Rasmus Wriedt Larsen
fd270cc02c Python: Add basic taint support for urlsplit/urlparse 2020-02-19 16:31:10 +01:00
Rasmus Wriedt Larsen
4f3149d865 Python: Fix error after merge conflict 2020-02-19 16:27:31 +01:00
Rasmus Wriedt Larsen
e4b83855d9 Python: Autoformat security/strings/External.qll 2020-02-19 16:24:13 +01:00
Rasmus Wriedt Larsen
d7b803a859 Python: Fix modernisation of py/iteration-string-and-sequence 
Introduced a regression, since the old code was:

```
predicate is_a_string_type(ClassObject seqtype) {
    seqtype = theBytesType() and major_version() = 2
    or
    seqtype = theUnicodeType()
}
```

but *now* we're good!
 2020-02-19 14:12:22 +01:00
Rasmus Wriedt Larsen
82b29b5698 Python: Recognize shebangs in module usage detection 2020-02-19 14:12:22 +01:00
Rasmus Wriedt Larsen
3e7e9636ea Python: Add ModuleValue.{isUsedAsModule, isUsedAsScript} 
and a few test cases
 2020-02-19 14:12:22 +01:00
Rasmus Wriedt Larsen
b4ab0b55be Python: Modernise Statements/RedundantAssignment 2020-02-19 14:12:22 +01:00
Rasmus Wriedt Larsen
67e9edb820 Python: Add PropertyValue 
+ Extend PropertyInternal.getSetter to handle non-decorator
+ Add PropertyInternal.getDeleter

It seems like a bit hacky way to do things, since we're not using the
PropertySetterOrDeleter class at all, but for now I'll leave it be.
 2020-02-19 14:12:22 +01:00
Rasmus Wriedt Larsen
13568b7b9f Python: Modernise Statements/ queries 
Almost. Left out a few things marked with TODO
 2020-02-19 14:10:29 +01:00
Rasmus Wriedt Larsen
83d40f167b Python: Update py/ineffectual-statement 
e.(StrConst).isDocString() can only hold if e instanceof StrConst, since we have
that condition on the line above, we can safely remove this condition.
 2020-02-19 14:05:55 +01:00
Rasmus Wriedt Larsen
6e349eb6e7 Python: Make py/side-effect-in-assert handle example 
Also removed parantheses
 2020-02-19 14:05:55 +01:00
Rasmus Wriedt Larsen
381668871d Python: Autoformat statements 2020-02-19 14:05:55 +01:00
Rebecca Valentine
2fa20eb805 Fixes bug introduced by merge of foresight additions. 2020-02-18 21:37:52 -08:00
Rebecca Valentine
7997e1dc98 Merge branch 'master' into objectapi-to-valueapi-expectedmappingforformatstring 2020-02-18 21:33:12 -08:00
Rebecca Valentine
9e3ed214d0 Python: ObjectAPI to ValueAPI: Foresight Additions (#2819) 
* Adds the...Type() predicates as foresight modernizations.

* Removes predicates that are not currently ported/portable

* Adds range types

* Update python/ql/src/semmle/python/objects/ObjectAPI.qll

Co-Authored-By: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>

* Update python/ql/src/semmle/python/objects/ObjectAPI.qll

Co-Authored-By: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>

* Swaps xType for just x, at least when it's new

Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2020-02-18 21:29:20 -08:00
Rebecca Valentine
9338d21aaf Removes unnecessary explanation 2020-02-18 11:43:43 -08:00
Rebecca Valentine
4059a99da6 Autoformats the query 2020-02-18 11:43:31 -08:00
Rebecca Valentine
d0617ef7bc Autoformat 2020-02-18 09:00:31 -08:00
Taus
ffbb5d0529 Merge pull request #2739 from RasmusWL/python-modernise-security 
Python: modernise Security/ queries
 2020-02-18 16:28:53 +01:00
Rasmus Wriedt Larsen
1826abcdda Python: Autoformat django/General.qll 
Should get into the habbit of doing this, but this time it slipped :P
 2020-02-18 11:26:16 +01:00
Rasmus Wriedt Larsen
48c1c598bc Python: Write DjangoRegexRoute in more modern way 
That is, assigning to fields instead of repeatedly using helper predicate
 2020-02-18 11:25:27 +01:00
Rasmus Wriedt Larsen
ed9aa7dced Python: Write DjangoPathRoute in modern way 
That is, assigning to fields instead of repeatedly using helper predicate
 2020-02-18 11:24:24 +01:00
Rasmus Wriedt Larsen
5a0babe88b Python: Add support for Django 2.x and 3.x 
I changed the django mock to support both 1.x and 2.x routing APIs, which is not
really a nice long term solution.
 2020-02-18 11:22:35 +01:00
Rebecca Valentine
4178002d59 Merge branch 'master' into python-objectapi-to-valueapi-useofapply 2020-02-17 17:20:00 -08:00