hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-18 18:10:39 +01:00
Code Issues Packages Projects Releases Wiki Activity
21,517 Commits 1,671 Branches 157 Tags
sauyon/java-spring-stringutils
Commit Graph

3069 Commits

Author SHA1 Message Date
Rasmus Wriedt Larsen
6934d5e642 Python: Add django test of RedirectView subclass 2021-02-15 10:55:51 +01:00
Rasmus Wriedt Larsen
79855157b3 Python: Move django response test to django v2/v3 
That's really the django version I care about :P
 2021-02-15 10:55:50 +01:00
Rasmus Wriedt Larsen
2478a9f10e Python: Fix wording of change-note 2021-02-14 23:20:46 +01:00
CodeQL CI
178c54e69b Merge pull request #5139 from RasmusWL/django-improvements 
Approved by yoff
 2021-02-14 02:16:52 -08:00
Taus Brock-Nannestad
2632422783 Python: Add FP test for unknown argument in string format 
Reported in https://github.com/github/codeql/issues/2650

I found this during a bit of spring cleaning in my working
directory. As this doesn't have any immediate security implications, I
don't know when we'll get round to fixing it, but it can't hurt to
have the test case checked in.
 2021-02-12 19:28:12 +01:00
Rasmus Wriedt Larsen
10fdc4bfb9 Python: Add support for more yaml loading functions 2021-02-12 12:30:00 +01:00
Rasmus Wriedt Larsen
2021cdbe33 Python: Add tests for more yaml loading functions 2021-02-12 12:30:00 +01:00
Rasmus Wriedt Larsen
f328e84bd2 Python: Mention yaml.safe_load in the qhelp 2021-02-12 12:29:55 +01:00
Rasmus Wriedt Larsen
1651f81ac8 Python: Refactor to avoid confusing name 
After discussion with @yoff
 2021-02-12 12:19:37 +01:00
Rasmus Wriedt Larsen
ed2dc5f6ad Python: Fix date for change-note 2021-02-12 10:26:31 +01:00
Rasmus Lerchedahl Petersen
cfa72af12c Python: Update test expectation to new format 2021-02-12 09:30:12 +01:00
Taus Brock-Nannestad
4c66071f5f Python: Revert "Python: Support moduleImport("dotted.name") in API graphs" 
This reverts commit 2c4a477a4e.

It's probably best _not_ to do this, as any `getMember` cycle in the
API graph will lead to nontermination.
 2021-02-11 16:08:28 +01:00
Taus Brock-Nannestad
ea30598a08 Python: Split dotted names more efficiently 2021-02-11 16:07:39 +01:00
Rasmus Wriedt Larsen
c57a4df819 Python: Model taint of self.request on django view class 2021-02-10 17:48:48 +01:00
Rasmus Wriedt Larsen
9ca738d921 Python: Add taint test for self.request on django view class 2021-02-10 17:48:41 +01:00
Rasmus Wriedt Larsen
ca0d345987 Django: Model any class used in django route setup as view class 2021-02-10 16:26:25 +01:00
Rasmus Wriedt Larsen
b428945bc2 Django: Fix DjangoRouteHandler char-pred 
Before it the class would contain _all_ functions xD
 2021-02-10 16:21:51 +01:00
Rasmus Wriedt Larsen
78a3206fce Python: Add test with unkown view class in django 2021-02-10 15:56:33 +01:00
Rasmus Wriedt Larsen
42eceb80bd Python: Handle view functions with decorators 2021-02-10 15:47:55 +01:00
Anders Schack-Mulligen
66d0bf6b5e Merge pull request #5128 from hvitved/dataflow/exploration-clears-content 
Data flow: Take `clearsContent()` into account in flow exploration
 2021-02-10 11:52:24 +01:00
Tom Hvitved
1f9b42f9ab Data flow: Sync files 2021-02-09 20:10:23 +01:00
Rasmus Wriedt Larsen
1d25184b32 Python: Add test for type-tracking through decorators 
In general, if there is _some_ decorator on a function, it might not be safe to
track content out of it (since the decorator could do anything), but in this
case, we can see what the decorator does, so we should be able to handle it (but
we don't right now).

By my understanding of how type-tracking works, if we track content through
`my_decorator`, then we would also track content to the result of
`unrelated_func()`, which I wanted to make sure our tests would catch.

I found out the core of the problem seems to come from our lack of being able to
track to the inner scope, and added an explicit test for that.
 2021-02-09 13:43:10 +01:00
Rasmus Wriedt Larsen
eb7e30d472 Python: Add test of django view handler with decorator 
Which we currently don't handle :(

Also added a bit more explanatory comments
 2021-02-09 13:25:12 +01:00
Rasmus Lerchedahl Petersen
e3002aa1bf Python: model for sys.exc_info 
made _easy_ by API graphs :D
 2021-02-09 11:39:44 +01:00
Rasmus Lerchedahl Petersen
0ea2f457a1 Python: type trackers for exceptions 2021-02-09 11:39:44 +01:00
Rasmus Lerchedahl Petersen
232d9b006a Python: Implement traceback module 
Just functions, not the classes for now
 2021-02-09 11:39:44 +01:00
Rasmus Lerchedahl Petersen
6a45f6e7e0 Python: Port StackTraceExposure query 
using empty concept implementation
 2021-02-09 11:12:44 +01:00
Rasmus Lerchedahl Petersen
77ae91c47d Python: Add concept ExceptionSource 2021-02-09 11:12:44 +01:00
Taus Brock-Nannestad
c59b5c98cb Python: Replace use of AttrNode with getMember 2021-02-08 19:14:11 +01:00
Taus Brock-Nannestad
72a699e099 Python: Add CallCfgNode class and rewrite using that class 
I prefer this name to `CfgCallNode` as the latter will make
autocomplete more difficult.
 2021-02-08 16:55:18 +01:00
Taus Brock-Nannestad
46eb3fd10a Python: Even more API::Node pushing. 2021-02-08 14:22:42 +01:00
Taus
c0c2aa69b3 Merge branch 'main' into python-port-flask-to-api-graphs 2021-02-08 14:17:25 +01:00
Taus Brock-Nannestad
2c4a477a4e Python: Support moduleImport("dotted.name") in API graphs 2021-02-08 14:08:34 +01:00
Taus
738d1bc3d4 Python: More use of API::Node 
Co-authored-by: yoff <lerchedahl@gmail.com>
 2021-02-08 14:08:16 +01:00
yoff
f1a0ec2dec Merge pull request #4981 from RasmusWL/port-url-redirect-query 
Python: Port url redirect query
 2021-02-06 00:39:10 +01:00
yoff
ddd362bc16 Update python/ql/src/semmle/python/frameworks/Django.qll 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswl@github.com>
 2021-02-05 23:31:20 +01:00
Taus
d3a79ecff1 Update python/ql/src/semmle/python/frameworks/Flask.qll 
Co-authored-by: yoff <lerchedahl@gmail.com>
 2021-02-05 22:54:27 +01:00
Taus Brock-Nannestad
3d2548ed28 Python: Get rid of remaining type trackers in Flask model 
At this point, we may want to reconsider whether we really want the
deeply-nested module structure we had before (and which made the type
trackers somewhat bearable).

There's also a question of how we can make this a bit more
smooth. I think we need to consider exactly how we would like the
interface to this to work.
 2021-02-05 21:58:08 +01:00
Taus Brock-Nannestad
5bfde2c0f2 Python: Fix overly broad class attribute node class 
This is not strictly necessary, but it was bothering me that this
simply covered _all_ nodes that were both definitions and names at the
same time. Now it actually encompasses what the documentation claims
it does.
 2021-02-05 21:56:57 +01:00
Taus Brock-Nannestad
7f3c6acd08 Python: Handle class attribute references in API graph 
This is slightly dubious, and should really be in the currently
unimplemented "def" counterpart to the "use" bits we already have.

However, it seems to work correctly, and in the spirit of moving
things along, this seemed like the easier solution. We can always
replace the implementation with the "proper" approach at a later point.
 2021-02-05 21:54:35 +01:00
Taus Brock-Nannestad
ef600575ca Python: Add API graph support for subclasses 2021-02-05 16:52:58 +01:00
Taus Brock-Nannestad
b39cbf82c6 Python: Port Flask models to use API graphs 
Most of the type trackers in this model were easily replaceable with
uses of the API graph, but the ones for tracking subclasses are
problematic, as these take us out of the API graph.
 2021-02-05 14:41:42 +01:00
yoff
7fef1a8817 Merge pull request #5069 from tausbn/python-api-graphs 
Python: Add support for API graphs
 2021-02-05 13:17:09 +01:00
Taus Brock-Nannestad
78cb53449d Python: Slight cleanup of Cached::call 
Makes it more similar to the other functions in this module.
 2021-02-05 12:47:26 +01:00
Taus
6c8dfb253d Python: Use flowsTo instead of hasLocalSource 
Co-authored-by: yoff <lerchedahl@gmail.com>
 2021-02-05 12:42:41 +01:00
Taus
a66743192e Python: Fix typo in docs 
Co-authored-by: yoff <lerchedahl@gmail.com>
 2021-02-05 10:58:47 +01:00
Taus
f0d5a91d59 Merge pull request #5093 from RasmusWL/fix-query-names-with-dunder 
Python: Fix query names with dunder (__)
 2021-02-04 18:47:45 +01:00
Taus Brock-Nannestad
d035937083 Python: Add change note 2021-02-04 18:43:44 +01:00
Taus Brock-Nannestad
a505eb6922 Python: Adhere to QLDoc style guide 2021-02-04 18:34:06 +01:00
Taus Brock-Nannestad
3c7d9c3c4b Python: Fix typo 2021-02-04 18:33:50 +01:00