yoff
1c78c792ff
Merge pull request #6991 from RasmusWL/flask-blueprints
...
Python: Support `flask.blueprints.Blueprint`
2021-10-29 14:06:43 +02:00
Rasmus Wriedt Larsen
85f00fda19
Merge pull request #6776 from yoff/python/model-asyncpg
...
Python: Model `asyncpg`
2021-10-29 13:54:44 +02:00
Rasmus Lerchedahl Petersen
0f2f68bcbb
Python: rename file
2021-10-28 19:14:02 +02:00
Rasmus Lerchedahl Petersen
c92249525b
Python: update test expectations
2021-10-28 14:03:09 +02:00
Rasmus Wriedt Larsen
a33a8fd518
Python: Support flask.blueprints.Blueprint
...
Thanks to @haby0 who originally proposed this as part of
https://github.com/github/codeql/pull/6977
2021-10-28 14:02:03 +02:00
Rasmus Wriedt Larsen
8c3349f40f
Python: Properly model flask.send_from_directory
...
To not include `filename` as path-injection sink.
2021-10-28 13:41:39 +02:00
Rasmus Wriedt Larsen
6648a695eb
Python: Add flask specific path-injection test
2021-10-28 13:34:18 +02:00
jorgectf
3dec222922
Merge remote-tracking branch 'origin/main' into jorgectf/python/jwt-queries
2021-10-28 13:11:46 +02:00
Rasmus Wriedt Larsen
436152a46d
Python: Refactor flask file sending tests
2021-10-28 12:37:07 +02:00
Rasmus Wriedt Larsen
6d09334cba
Merge pull request #6330 from porcupineyhairs/pyPathTraversal
...
Python : Add Flask sinks for path injection query
2021-10-28 11:39:40 +02:00
Rasmus Wriedt Larsen
3fa66519f5
Merge branch 'main' into fastapi
2021-10-28 11:37:40 +02:00
Rasmus Wriedt Larsen
358663ffbb
Python: Fix tests
2021-10-28 11:14:41 +02:00
yoff
9478faf040
Merge pull request #6967 from RasmusWL/ruamel.yaml
...
Python: Model `ruamel.yaml` PyPI package
2021-10-28 10:19:08 +02:00
Rasmus Lerchedahl Petersen
cca675a161
Python: Add test for async taint
...
(which we believe we have just broken)
2021-10-28 09:47:04 +02:00
Porcuiney Hairs
4fd3f212f8
Python : Add Flask sinks for path injection query
2021-10-28 02:12:11 +05:30
Rasmus Lerchedahl Petersen
06586a13a3
Python: merge tests files
2021-10-27 11:55:04 +02:00
Rasmus Lerchedahl Petersen
826f44d98e
Python: Share implementation of awaited
2021-10-27 11:41:18 +02:00
Rasmus Wriedt Larsen
cd6d73d553
Python: Handle kwarg in PyYAML
...
Really surprised that we didn't already :|
2021-10-26 17:48:10 +02:00
Rasmus Wriedt Larsen
6c0083e584
Python: Add PoC for PyYAML code execution
2021-10-26 17:48:10 +02:00
Rasmus Wriedt Larsen
1ce09afa08
Python: Add modeling of ruamel.yaml PyPI package
2021-10-26 17:48:10 +02:00
Rasmus Wriedt Larsen
29e3abc977
Python: FastAPI: Add HTTP header taint example
2021-10-26 15:34:16 +02:00
Erik Krogh Kristensen
a3c55c2aec
use set literal instead of big disjunction of literals
2021-10-26 12:55:25 +02:00
Rasmus Lerchedahl Petersen
8a81d42e6f
Python: more logic adjustment
...
Not sure why the missing result is missing. There is
an edge with label `getAwaited` from `pkg.async_func` on line 22
to `coro` on line 23.
2021-10-26 10:57:27 +02:00
Rasmus Lerchedahl Petersen
f91e43c068
Python: Add more honest test for awaited
2021-10-26 10:43:06 +02:00
Rasmus Lerchedahl Petersen
a8a181a32f
Python: adjust logic and add tests
...
Due to the way paths are printed, the tests look surprising
2021-10-26 09:55:47 +02:00
Rasmus Wriedt Larsen
7619d0fc33
Python: FastAPI: Model WebSocket usage
2021-10-25 15:23:33 +02:00
Rasmus Wriedt Larsen
b69977b37a
Python: FastAPI: Ignore scheme as tainted
...
reasoning highlighted in the comment
2021-10-25 15:23:33 +02:00
Rasmus Wriedt Larsen
bd8eec8475
Python: FastAPI: Add websocket test
2021-10-25 15:23:33 +02:00
Rasmus Wriedt Larsen
7e7a6464ec
Python: FastAPI: Model extra-taint for pydantic models
...
It feels a bit strange to add it to `frameworks.rst` since we only
support a little bit of it, but if I don't do it now, we will most
likely forget to do it later on (since it has already been added to
`frameworks.qll`).
2021-10-25 15:22:50 +02:00
Rasmus Lerchedahl Petersen
5a02b3880e
Python: use SqlConstruction in SqlAlchemy and
...
`SqlInjection`
2021-10-25 13:30:14 +02:00
Rasmus Lerchedahl Petersen
e5b68d68cb
Python: Use SqlConstruction in Asyncpg.qll
2021-10-25 13:15:09 +02:00
Rasmus Lerchedahl Petersen
03ada6e97a
Python: Add concept test for SqlConstruction
2021-10-25 13:09:43 +02:00
Rasmus Wriedt Larsen
f5464b79e4
Merge branch 'main' into fastapi
2021-10-25 09:49:42 +02:00
Rasmus Wriedt Larsen
8167e83ae5
Python: Fix tests
2021-10-20 17:58:03 +02:00
jorgectf
271e2e4c49
Update .expected
2021-10-16 13:12:33 +02:00
jorgectf
45146bc798
Merge branch 'main' into jorgectf/python/headerInjection
2021-10-16 12:46:57 +02:00
jorgectf
bf76d9cd8b
Fix django test
2021-10-16 10:45:25 +02:00
jorgectf
2db1ffef1e
Merge remote-tracking branch 'origin/main' into jorgectf/python/headerInjection
2021-10-16 10:40:52 +02:00
Anders Schack-Mulligen
8b6baa250c
Merge pull request #6878 from aschackmull/remove-singleton-setliteral
...
C++/C#/Java/JavaScript/Python: Remove singleton set literals.
2021-10-14 14:53:05 +02:00
Rasmus Wriedt Larsen
7cd5e681dd
Merge pull request #6693 from yoff/python/promote-regex-injection
...
Python: Promote `py/regex-injection`
2021-10-14 14:49:05 +02:00
Mathias Vorreiter Pedersen
47a85bbb1d
Merge pull request #6869 from MathiasVP/fix-prefix/suffix-equality
...
Java/JS/Python: Replace '.prefix'/'.suffix' with '.matches'
2021-10-14 13:47:03 +01:00
Anders Schack-Mulligen
57cb300759
C++/C#/Java/JavaScript/Python: Remove singleton set literals.
2021-10-14 11:34:22 +02:00
CodeQL CI
2b0415e238
Merge pull request #6741 from yoff/python/model-os-path-file-accesses
...
Approved by RasmusWL
2021-10-13 11:11:41 -07:00
Mathias Vorreiter Pedersen
a80860cdc6
Python: Replace '.prefix'/'.suffix' with '.matches'.
2021-10-13 13:23:12 +01:00
Taus
75c4d6a8a0
Merge pull request #6650 from yoff/python-dataflow/init-time
...
Python: Import time dataflow
2021-10-12 11:31:03 +02:00
Rasmus Lerchedahl Petersen
61008fd3d0
Merge branch 'main' of github.com:github/codeql into python/promote-regex-injection
2021-10-12 11:28:12 +02:00
yoff
43f7eede0b
Merge pull request #6182 from haby0/python/LogInjection
...
Python: CWE-117 Log injection
2021-10-12 10:54:45 +02:00
yoff
c007c9460c
Merge pull request #6843 from RasmusWL/dataflow-bool-expr
...
Python: Add data-flow for `x or y` and `x and y`
2021-10-12 10:40:54 +02:00
Rasmus Lerchedahl Petersen
f34d1ee997
Python: Update test expectation following rename
2021-10-12 10:36:18 +02:00
yoff
0629ce00de
Merge pull request #6214 from haby0/python/ClientSuppliedIpUsedInSecurityCheck
...
[Python] CWE-348: Client supplied ip used in security check
2021-10-11 16:38:04 +02:00