hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-18 09:43:15 +01:00
Code Issues Packages Projects Releases Wiki Activity
21,517 Commits 1,672 Branches 157 Tags
sauyon/java-spring-stringutils
Commit Graph

3069 Commits

Author SHA1 Message Date
CodeQL CI
ad4b9372bd Merge pull request #5302 from RasmusWL/expectation-tests-allow-str-prefix 
Approved by MathiasVP, tausbn
 2021-03-04 06:48:57 -08:00
Anders Schack-Mulligen
45f52289ea Merge branch 'main' into java/merge-5226 2021-03-04 11:36:16 +01:00
Anders Schack-Mulligen
fe07630e40 Merge pull request #5219 from smowton/smowton/feature/backward-dataflow-for-fluent-methods 
Java: Add backward dataflow edges through fluent function invocations.
 2021-03-04 11:13:32 +01:00
Rasmus Lerchedahl Petersen
9f8a028dfc Python: add .expected-file 2021-03-04 00:12:34 +01:00
Rasmus Wriedt Larsen
3dc0c2081e Python: Fix taint-propagation to methods 
Before we would add a step from _any_ request instance to _any_ method (CP).
 2021-03-03 21:55:33 +01:00
Rasmus Lerchedahl Petersen
3dd34c9ba9 Python: rewrite comment 2021-03-03 17:41:20 +01:00
Rasmus Lerchedahl Petersen
dcf8c881ff Python: correct mistake in example 2021-03-03 16:54:36 +01:00
Rasmus Lerchedahl Petersen
fafc36a9cb Python: remove (do not introduce) unused import 2021-03-03 16:49:35 +01:00
Rasmus Lerchedahl Petersen
f02a19669f Python: Make exception info concept local 2021-03-03 16:47:31 +01:00
Marcono1234
b9c0193022 Sync .qhelp file renaming to other languages 2021-03-03 15:38:08 +01:00
Rasmus Wriedt Larsen
dd75ea31df Python: Apply suggestions from code review 
Co-authored-by: Taus <tausbn@github.com>
 2021-03-03 14:17:22 +01:00
yoff
078fbccc9a Apply suggestions from code review 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2021-03-02 22:32:45 +01:00
yoff
4196dc2291 Update python/change-notes/2021-02-25-port-stactrace-exposure-query.md 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2021-03-02 22:23:29 +01:00
Chris Smowton
5d2f3421d8 Add change notes 2021-03-01 16:59:20 +00:00
Chris Smowton
cdccc1a064 Remove needless typecasts 2021-03-01 16:47:34 +00:00
yoff
92128babef Apply suggestions from code review 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2021-03-01 17:39:17 +01:00
Rasmus Lerchedahl Petersen
38748f9e23 Python: restrict attention to ss.wrap_socket 2021-03-01 16:35:21 +01:00
Rasmus Wriedt Larsen
0874712c97 C++/Java/Python: Allow Python string prefix in InlineExpectationsTest 
I've been writing tests for crypto libraries in Python, and have wanted to write
code along the lines of

```py
md5.hash(b"some message") # $ HashInput=b"some message"
```

which didn't work before this commit, forcing me to store my text in a variable
like below. This turned out to be really annoying when dealing with more complex
examples, so therefore I'm adding this new functionality to allow this behavior.

```py
msg = b"some message"
md5.hash(msg) # $ HashInput=msg
```
 2021-03-01 13:44:28 +01:00
Chris Smowton
c32514bf66 Sync dataflow library files 2021-03-01 10:27:28 +00:00
Rasmus Wriedt Larsen
010488c899 Python/JS: Update QLDoc for crypto algorithms before sharing 2021-02-27 11:38:45 +01:00
Rasmus Wriedt Larsen
646ea55944 Python/JS: Update Python copy of crypto algorithm modeling 
Now to be shared accross both languages, with sync-identical-files
 2021-02-27 11:38:45 +01:00
Rasmus Lerchedahl Petersen
8b68912c40 Python: Update help and add example 2021-02-26 20:19:31 +01:00
Rasmus Lerchedahl Petersen
9533c92fcc Python: Clean up tests and add comment 2021-02-26 19:28:44 +01:00
yoff
1670fa0d0e Update python/change-notes/2021-02-23-port-insecure-default-protocol.md 2021-02-26 18:39:49 +01:00
yoff
9a9bda17ed Update python/change-notes/2021-02-23-port-insecure-default-protocol.md 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2021-02-26 18:38:35 +01:00
Rasmus Wriedt Larsen
a387496832 Python: Highlight how request.uri works in Tornado 2021-02-26 16:23:21 +01:00
Rasmus Wriedt Larsen
b43533ce8d Python: Ensure old dataflow queries are not used 
There seems to have been some cases where the old ones have been picked up
instead of the new ones. At least I spotted _one_ case where this happened, in
an internal actions run.

I'm not sure how to actual debug this, so just removing all the tags that could
make these queries to become picked up :|
 2021-02-26 11:22:23 +01:00
yoff
7f7320ae4c Update python/ql/src/Security/CWE-327/InsecureDefaultProtocol.ql 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2021-02-26 10:56:48 +01:00
Rasmus Lerchedahl Petersen
311149ab4f Python: fix spelling 2021-02-26 09:44:24 +01:00
yoff
a067adbaf3 Update python/ql/test/query-tests/Security/CWE-327-py2/options 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2021-02-26 08:53:20 +01:00
yoff
e3b3825ab0 Merge pull request #5151 from RasmusWL/django-get-redirect-url 
Python: Model get_redirect_url in django
 2021-02-25 23:07:33 +01:00
Rasmus Wriedt Larsen
81b29316e1 Merge pull request #4737 from yoff/python-dataflow-add-cast-nodes 
Python: Force read- and store steps to add nodes.
 2021-02-25 14:28:54 +01:00
Taus
d326d40d71 Merge pull request #5252 from RasmusWL/test-cleanup 
Python: Minor cleanup of test setup
 2021-02-25 13:33:10 +01:00
Taus
01d581ecf3 Merge pull request #5250 from tausbn/python-port-re-security-queries 
Python: Port URL sanitisation queries to API graphs
 2021-02-25 13:13:55 +01:00
Rasmus Lerchedahl Petersen
64c0eaf305 Python: Update test expectations 2021-02-25 11:49:57 +01:00
yoff
f15084254b Add comment explaining tacky nature of code 2021-02-25 11:49:57 +01:00
Rasmus Lerchedahl Petersen
5b51a3461d Python: Force read- and store steps to add nodes. 
This gives muche nicer path explanations on some snapshots.
It is achieved by making stepped-to nodes `CastNode`s.
This seems somewhat reasonable as types then to change, when we move
between content and container.
We could probably refine it, though.
 2021-02-25 11:49:57 +01:00
Rasmus Wriedt Larsen
4610b1b392 Pyhton: Use type back-tracking for keysize on key-generation 
Internal evaluation showed that this didn't perform better than normal (forward)
type-tracking, but it feels more like the right approach.
 2021-02-25 11:31:00 +01:00
Rasmus Wriedt Larsen
c195c64982 Python: Use type-tracking for integer literal tracking 
Like we've done for pretty much everything else. An experiment to see what this
means for query performance.
 2021-02-25 11:30:56 +01:00
Rasmus Wriedt Larsen
27987717dc Merge branch 'main' into crypto 2021-02-25 11:30:32 +01:00
Rasmus Lerchedahl Petersen
aba22689fa Python: Add change note 2021-02-25 09:25:17 +01:00
Rasmus Lerchedahl Petersen
86cec40286 Python: update test 2021-02-25 09:22:57 +01:00
Rasmus Lerchedahl Petersen
780a6a96f8 Python: Add concept tests 2021-02-25 08:54:42 +01:00
Rasmus Lerchedahl Petersen
41743b6afa Python: restrict to caught exceptions 
also modernise code
 2021-02-25 07:53:35 +01:00
Rasmus Lerchedahl Petersen
24b51e8851 Merge branch 'main' of github.com:github/codeql into python-port-stacktrace-exosure 2021-02-25 07:24:41 +01:00
Rasmus Lerchedahl Petersen
76f080978a Python: Add missing QLDoc 2021-02-24 23:35:44 +01:00
Rasmus Lerchedahl Petersen
192988077e Python: Move <ul> outside of <p> 2021-02-24 23:28:13 +01:00
Rasmus Lerchedahl Petersen
bf3e5fceea Python: Rearrange directories 2021-02-24 22:07:27 +01:00
Rasmus Lerchedahl Petersen
10657160bc Python: Improve qlhelp according to review 2021-02-24 22:02:16 +01:00
yoff
89d0724fb4 Update python/change-notes/2021-02-23-port-insecure-default-protocol.md 
Co-authored-by: Felicity Chapman <felicitymay@github.com>
 2021-02-24 19:57:49 +01:00