hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-18 09:43:15 +01:00
Code Issues Packages Projects Releases Wiki Activity
21,517 Commits 1,672 Branches 157 Tags
sauyon/java-spring-stringutils
Commit Graph

3069 Commits

Author SHA1 Message Date
CodeQL CI
bf66bdbb95 Merge pull request #5253 from RasmusWL/no-getAnArg 
Approved by tausbn
 2021-02-24 06:34:31 -08:00
Rasmus Wriedt Larsen
d05a8b8c46 Python: Remove getAnArg in DataFlow::CallCfgNode 
Until we've had further discussion on what is the right approach to
naming (internal discussion in https://github.com/github/codeql-python-team/issues/95)
 2021-02-24 14:58:48 +01:00
Rasmus Wriedt Larsen
a6e5ec2e09 Python: Port py/flask-debug 2021-02-24 11:37:25 +01:00
Rasmus Wriedt Larsen
0cad5ce5ca Python: Expand py/flask-debug tests a bit 2021-02-24 11:35:17 +01:00
Taus Brock-Nannestad
404649d5f1 Python: Get rid of superfluous options file 2021-02-24 11:24:43 +01:00
Rasmus Wriedt Larsen
5c6989cf02 Revert "Python: Accept RequestWithoutValidation expected output change" 
Apparently CI is able to produce the ../ path, I have absolutely no clue what is
goign on...
 2021-02-24 11:14:18 +01:00
yoff
8262f0343b Merge pull request #5208 from RasmusWL/flask-clean-models 
Python: Cleanup Flask models now that we have API graphs
 2021-02-24 10:36:30 +01:00
Taus Brock-Nannestad
af644a0adb Python: Decrease import depth in regex tests 
These were increased because of the indirection needed to get to the
regex flags, but as we no longer rely on this, we can make do with a
smaller import depth.
 2021-02-24 10:23:01 +01:00
Rasmus Wriedt Larsen
5bb4a1a45a Python: Use explicit argument specification instead of getAnArg 
I've seen quite a few places where `getAnArg` leads to wrong behavior, and I
generally just don't like it.
 2021-02-24 10:19:34 +01:00
Taus Brock-Nannestad
e77c1059a3 Python: Use source nodes and prevent bad join order 2021-02-24 10:18:54 +01:00
Taus Brock-Nannestad
cac6c4acc9 Python: Add deprecation notice to mode_from_mode_object 2021-02-24 10:18:21 +01:00
Rasmus Wriedt Larsen
0b9a65d234 Python: Accept RequestWithoutValidation expected output change 
I have no clue why this changed, but since it's only the `..` part, I guess
we'll live with it
 2021-02-24 10:13:25 +01:00
Rasmus Wriedt Larsen
cef37d19ce Python: Split CWE-295 tests 
Mostly just because it's nice. But now we can avoid having the same `options`
files for the tests.
 2021-02-24 10:12:45 +01:00
Rasmus Wriedt Larsen
0ffc801f9b Python: Remove options for InsecureTemporaryFile tests 2021-02-24 09:57:51 +01:00
yoff
c3d2001e85 Merge pull request #5251 from tausbn/python-port-missing-host-key-validation-query 
Python: Port missing host key validation query
 2021-02-24 08:43:52 +01:00
Taus Brock-Nannestad
2942a11a69 Python: Import API graphs privately 2021-02-23 22:45:39 +01:00
Taus Brock-Nannestad
f241dbabab Python: Clean up query a bit 2021-02-23 22:33:18 +01:00
Taus Brock-Nannestad
002d0fe565 Python: Port missing host key query 2021-02-23 22:26:03 +01:00
Taus Brock-Nannestad
e812eb777d Python: Port URL sanitisation queries to API graphs 
Really, this boils down to "Port `re` library model to use API graphs
instead of points-to", which is what this PR actually does.

Instead of using points-to to track flags, we use a type tracker. To
handle multiple flags at the same time, we add additional flow from

`x` to `x | y` and `y | x`

and, as an added bonus, the above with `+` instead of `|`, neatly
fixing https://github.com/github/codeql/issues/4707

I had to modify the `Qualified.ql` test slightly, as it now had a
result stemming from the standard library (in `warnings.py`) that
points-to previously ignored.

It might be possible to implement this as a type tracker on
`LocalSourceNode`s, but with the added steps for the above operations,
this was not obvious to me, and so I opted for the simpler
"`smallstep`" variant.
 2021-02-23 22:02:35 +01:00
Rasmus Wriedt Larsen
358ade67e5 Merge pull request #5248 from tausbn/python-port-insecure-temporary-file 
Python: Port `py/insecure-temporary-file`
 2021-02-23 21:37:59 +01:00
Taus Brock-Nannestad
b8ce5e969e Python: Port py/insecure-temporary-file 2021-02-23 20:02:22 +01:00
yoff
9eed17f647 Merge pull request #5152 from RasmusWL/improve-pyyaml-support 
Python: Improve pyyaml support
 2021-02-23 19:58:04 +01:00
Rasmus Lerchedahl Petersen
6abbb5040c Python: add change note 2021-02-23 19:54:09 +01:00
Rasmus Lerchedahl Petersen
b28544da9c Python: Port insecure default protocol 
- use API graphs
- update .qlhelp-file
- limit to versions below 3.4
- move tests to its own directory to only test on old version
 2021-02-23 19:41:36 +01:00
Rasmus Wriedt Larsen
a09f8c4b4a Python: Port bind-to-all-interfaces to type-tracking 2021-02-23 16:01:24 +01:00
Rasmus Wriedt Larsen
4026d54095 Python: Expand bind-to-all-interfaces tests slightly 2021-02-23 15:53:47 +01:00
Rasmus Wriedt Larsen
fd18fd8403 Python: Apply suggestions from code review 
Co-authored-by: Felicity Chapman <felicitymay@github.com>
 2021-02-23 15:24:52 +01:00
Rasmus Wriedt Larsen
6e2445cce6 Python: Apply suggestions from code review 
Co-authored-by: yoff <lerchedahl@gmail.com>
 2021-02-23 15:19:29 +01:00
Rasmus Wriedt Larsen
42de872bfa Python: Add INTERNAL annotation to Response::InstanceSource 
Since we need to reserve the flexibility to change this setup within the next
few months, we don't want to commit to keeping this extension point around for
the 12 months that the normal API deprecation cycle requires.
 2021-02-23 15:10:58 +01:00
Rasmus Wriedt Larsen
8ebedf26d2 Python: Add comment for MethodView being known subclass 2021-02-23 15:08:07 +01:00
Taus
53711dc82f Merge pull request #5238 from RasmusWL/no-flow-default-value 
Python: Highlight missing flow from default value in functions
 2021-02-23 13:27:41 +01:00
Rasmus Wriedt Larsen
e160c855ad Merge pull request #5233 from yoff/python-for-tuple-iteration 
Python: `for`-iteration of tuples
 2021-02-22 15:28:13 +01:00
Rasmus Wriedt Larsen
5249b54a9b Python: Highlight missing flow from default value in functions 
Although it is becoming non-trivial to get an overview of what tests we have and
don't have, I didn't find any that highlighted this one

I used all 3 variants of parameters, just to be sure :)
 2021-02-22 14:52:51 +01:00
Rasmus Lerchedahl Petersen
d23a8ad016 Python: elide test output 2021-02-21 13:12:54 +01:00
Rasmus Lerchedahl Petersen
46faba69ff Python: Fix for-iteration of tuples 2021-02-21 12:41:16 +01:00
Rasmus Lerchedahl Petersen
0aecf33fe6 Python: test iteration through overflow parameters 
These are in a tuple, so the for-step does not fire
 2021-02-21 12:33:04 +01:00
Rasmus Wriedt Larsen
40c592ab85 Python: Introduce DataFlowOnlyInternalUse to avoid re-evaluation 2021-02-19 15:29:23 +01:00
Rasmus Wriedt Larsen
d084261a79 Python: Ignore weak key-sizes from test-code in weak-crypto-key 
From looking at old results on LGTM.com, this was quite common (and those alerts
doesn't really provide value).
 2021-02-19 15:04:41 +01:00
Rasmus Wriedt Larsen
bfc8ead667 Python: Add example of test-code with weak crypto key 2021-02-19 15:04:14 +01:00
Rasmus Wriedt Larsen
dfa223ac6a Python: Better IntegerLiteral tracking for weak crypto key 2021-02-19 15:03:50 +01:00
Rasmus Wriedt Larsen
a6583345ba Python: Add weak crypto key example through function call 
We used to handle this, but no more :(

Adding this example was inspired by looking at results differences
 2021-02-19 15:03:49 +01:00
Rasmus Wriedt Larsen
37f0d5a28a Python: Make KeyGeneration range member overrides final 
This was the result of an internal dicussion we had about this some time ago.
 2021-02-19 15:03:49 +01:00
Rasmus Wriedt Larsen
2a8f720bc6 Python: Port cryptodome models to use API graphs 2021-02-19 15:03:48 +01:00
Rasmus Wriedt Larsen
1eabfbd0e4 Python: Port cryptography models to use API graphs (mostly) 2021-02-19 15:03:47 +01:00
Rasmus Wriedt Larsen
bfbaa85272 Python: Add test of public_key method with cryptodome 
Added in 3.10 release https://github.com/Legrandin/pycryptodome/blob/master/Changelog.rst#3100-6-february-2021
 2021-02-19 15:03:47 +01:00
Rasmus Wriedt Larsen
8d3170bcb4 Python: Fix bad join in crypto models 2021-02-19 15:03:46 +01:00
Rasmus Wriedt Larsen
32d0790500 Python: Use camelCase for RSA/DSA/ECC 
after asking around, this seems to be the right approach
 2021-02-19 15:03:45 +01:00
Rasmus Wriedt Larsen
0e9a54e9a9 Python: Rename WeakCrypto to WeakCryptoKey 
Since WeakCrypto always makes me think that it's about all weak crypto (like
using MD5, or completely broken ciphers such as ARC4 ro DES) and not just about
weak key generation.
 2021-02-19 15:03:44 +01:00
Rasmus Wriedt Larsen
46ad611d57 Python: Port py/weak-crypto-key to use type-tracking 
instead of points-to.

Looking at query results also made me realize I didn't supply a very good
"origin" for ECC in cryptography package, so I improved that 👍 -- maybe that
sohuld have been split into multiple commits... too late :(
 2021-02-19 15:03:43 +01:00
Rasmus Wriedt Larsen
2429c6c450 Python: Rewrite py/weak-crypto-key tests 
* Removed backend arugment that is not required
* Added DSA constants (they are just accidentially the same as RSA right now)
* Removed FakeWeakEllipticCurve and used a real weak elliptic curve instead
 2021-02-19 13:59:19 +01:00