hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-19 18:33:16 +01:00
Code Issues Packages Projects Releases Wiki Activity
84,738 Commits 1,671 Branches 157 Tags
tausbn/python-add-models-for-zstd-compression
Commit Graph

4065 Commits

Author SHA1 Message Date
Rasmus Wriedt Larsen
397c17c4ff Python: Use --lang=3 in tests 
With internal update to qltest it will not actually do something.

- also remove it from the tests that never needed it.
 2020-02-06 14:20:59 +01:00
Rasmus Wriedt Larsen
cb891a1a49 Python: Clean up six tests 
We can't understand the real `six.py` file, so we have some internal plumbing
that enables us to handle six anyway. While updating that, I had a hell of a lot
of trouble with these tests.

What we actually want, is to see that we can understand what the values imported
from six are (i.e., their points-to information). I added a few more, that I
think would be useful. If we can figure out all of these, I don't actually care
if we're doing it by understanding the real `six.py` file, or by some internal
trick.

I verified that we don't get results with the real `six.py` file by disabling
our internal tricks, and putting a copy of six.py just next to test.py.

We used to have an other file that would list all the properties we knew and
their value, but that turned out to be a fragile and annoying test, since the
results differed from which version of python you ran it with (3.5 vs 3.8) and
which machine you ran it on (my machien vs jenkins). I don't care about the
results in this file, and I can certainly not eyeball it to see if it's correct
or not.
 2020-02-06 13:50:51 +01:00
Rasmus Wriedt Larsen
c1d073a54d Python: Add test-cases for py/hardcoded-credentials 2020-02-04 11:42:11 +01:00
Rasmus Wriedt Larsen
2837f987c5 Python: Show how pointsTo handles 0+0 == 0 (2/2) 2020-02-04 11:42:11 +01:00
Rasmus Wriedt Larsen
4231bb1bcf Python: Show how pointsTo handles 0+0 == 0 (1/2) 2020-02-04 11:42:11 +01:00
Rasmus Wriedt Larsen
6b5b28aded Python: Add Value.getABooleanValue and Value.getDefiniteBooleanValue 
Replacing `Value.booleanValue`. We wanted to match `Object.booleanValue` that
only gives a result if it is either `true` or `false`, but also wanted to keep
the flexibility to see if the Value _could_ be `true`/`false`. We don't have a
motivating usecase, so let's see if we ever need it :P

+ fix modernisation regression on py/jinja2/autoescape-false
 2020-02-04 11:42:11 +01:00
Rasmus Wriedt Larsen
bd1f21fb7a Python: Fix modernisation regression on py/weak-crypto-key 
also fixes test code to use the right argument name
 2020-02-04 11:42:11 +01:00
Rasmus Wriedt Larsen
e5abfd0196 Python: Modernise Security/ queries 2020-02-04 11:42:11 +01:00
Rasmus Wriedt Larsen
5bc592514a Python: Consistenly use "a user-provided value" 
ReflectedXss was the only query that used it with the "a"
 2020-02-03 14:35:09 +01:00
Rasmus Wriedt Larsen
4ca72de4cd Python: Fix recommended module for deprecated posixfile 
$ python2 -W default -c 'import posixfile'
-c:1: DeprecationWarning: The posixfile module is deprecated; fcntl.lockf() provides better locking

https://docs.python.org/2.7/library/posixfile.html
 2020-01-28 16:44:47 +01:00
Rasmus Wriedt Larsen
6c7cddf258 Python: py/import-deprecated-module handle backwards compatible code 2020-01-28 16:36:47 +01:00
Rasmus Wriedt Larsen
e92d6c0459 Python: Stop py/import-deprecated-module from double alerting 
This changes the location from the import statement, to the actual expression
 2020-01-28 16:15:46 +01:00
Rasmus Wriedt Larsen
194228850a Python: Add tests for py/import-deprecated-module 2020-01-28 16:15:21 +01:00
Rasmus Wriedt Larsen
c25782d6da Python: For web tests, use more precise name HttpResponseSinks 
Since there are also HttpRedirectTaintSink, using HttpSink is confusing
 2020-01-28 13:06:48 +01:00
Rasmus Wriedt Larsen
46f4b74134 Python: Fix tornado lib: a redirect is not a http response 2020-01-28 13:06:48 +01:00
Rasmus Wriedt Larsen
ee382bb2ea Python: Fix typo (reques => request) 2020-01-28 13:06:48 +01:00
Rasmus Wriedt Larsen
9bc72450a0 Python: Temporarily disable falcon HttpSinks test 
I will fix this in an other PR
 2020-01-28 13:06:48 +01:00
Rasmus Wriedt Larsen
9b2ca0c9c7 Python: Update web libraries to use HttpSources and HttpSinks 2020-01-28 13:06:48 +01:00
Rasmus Wriedt Larsen
2cdbae08b6 Python: Don't make duplicate sink for Tornado handler 
`self.write(...)` would be treated as *both* TornadoConnectionWrite and
TornadoHttpRequestHandlerWrite
 2020-01-28 13:06:48 +01:00
Rasmus Wriedt Larsen
effa4548ab Python: Add toString to TurboGears HttpResponseTaintSinks 
Naming these were a bit hard, but better than generic "Taint Sink"
 2020-01-28 13:06:48 +01:00
Rasmus Wriedt Larsen
6b87458c2e Python: Add explicit tests for HttpSources and HttpSinks 
Some of the tests currently fail, since they can't reproduce the old tests
results (since the sinks/sources defined in the library code are not
HttpResponseTaintSink/HttpRequestTaintSource)
 2020-01-28 13:06:48 +01:00
Rasmus Wriedt Larsen
0a1c91fbb8 Python: Autoformat web tests QL files 2020-01-28 13:05:25 +01:00
Rasmus Wriedt Larsen
081d66eaa3 Python: Recognize taint for extended iterable unpacking 2020-01-27 15:28:53 +01:00
Rasmus Wriedt Larsen
1b670354b2 Python: Add tests for extended iterable unpacking 2020-01-27 15:24:55 +01:00
Rasmus Wriedt Larsen
781024d679 Python: Recognize taint for iterable unpacking 2020-01-27 14:43:07 +01:00
Rasmus Wriedt Larsen
a3f1f4cb87 Python: Add iterable unpacking tests 2020-01-27 14:43:07 +01:00
Rasmus Wriedt Larsen
fa48fb04f5 Python: Recognize nested tuple/list assignment 
Now we recognize `[(x,y)] = [(1,2)]` -- in itself not a widely used idiom, but
more of a warmup excersize for me
 2020-01-27 14:42:54 +01:00
Rasmus Wriedt Larsen
9763ec71fe Python: Add tests for nested assignment 2020-01-27 14:39:34 +01:00
Taus
5a2dfd40af Merge pull request #2639 from RasmusWL/python-improve-dict-taint 
Python: Improve tests for tainted collections
 2020-01-24 15:06:01 +01:00
Rasmus Wriedt Larsen
5778764a48 Python: Stop using deprecated getName in collections taint test 2020-01-24 10:32:17 +01:00
Rasmus Wriedt Larsen
3db551d6bc Python: Use variables in collection-taint test 
They are not tainted in assignment, only in use.

I also adopted an attempt at a better test-setup, where it's easy to see if
everything is the way you hoped for, instead of browsing through 100 of lines of
taint-step output :P
 2020-01-24 10:32:17 +01:00
Taus
618a35bb7c Merge pull request #2664 from RasmusWL/python-fix-redirect-example 
Python: Remove unused variable in example for py/url-redirection
 2020-01-23 13:42:00 +01:00
Taus
d06e86f54d Merge pull request #2662 from RasmusWL/python-taint-on-eq-test 
Python: Only clear taint on constant comparison in if
 2020-01-23 13:41:40 +01:00
Rasmus Wriedt Larsen
772538ff46 Python: Move tests of collection-taint to own dir 2020-01-22 14:24:50 +01:00
Rasmus Wriedt Larsen
df8be438bb Python: Show that list(tainted_string) works 2020-01-22 14:24:50 +01:00
Rasmus Wriedt Larsen
0da78f216a Python: Show that e, f, g = tainted_list doesn't work 2020-01-22 14:24:50 +01:00
Rasmus Wriedt Larsen
a55c13e61c Python: Improve tests for StringDictKind taint 
+ show we handle dict.values()
+ show we don't handle dict.items()
 2020-01-22 14:24:50 +01:00
Rasmus Wriedt Larsen
12bb05522a Python: Make py/weak-cryptographic-algorithm a path-problem 
and stop using deprecated hasFlow
 2020-01-22 13:45:14 +01:00
Rasmus Wriedt Larsen
c5091f1ce7 Python: Make py/hardcoded-credentials a path-problem 
and stop using deprecated hasFlow
 2020-01-22 13:45:14 +01:00
Rasmus Wriedt Larsen
96d5703f2c Python: Remove use of deprecated methods 2020-01-22 13:45:14 +01:00
Rasmus Wriedt Larsen
422658bbdb Python: Remove unused variable in example for py/url-redirection 2020-01-21 15:45:05 +01:00
Taus Brock-Nannestad
ead687da06 Python: Add false positive test example for issue #2652. 2020-01-21 15:28:01 +01:00
Rasmus Wriedt Larsen
bbe93f43d3 Python: Only comparison with constant will clear taint 
tainted = SOURCE
    if tainted == tainted:
        SINK(tainted) # unsafe

before, in the body of the if statement, `tainted` was not tainted
 2020-01-21 15:25:57 +01:00
Rasmus Wriedt Larsen
1498145415 Python: Highlight that any comparison will clear taint 2020-01-21 15:24:56 +01:00
Taus
cfb84be7b1 Merge pull request #2540 from RasmusWL/python-modernise-variables-queries 
Python: modernise variables queries
 2020-01-10 14:45:12 +01:00
Rasmus Wriedt Larsen
9b0b0c338f Python: Cleanup overrides tests 2020-01-06 10:55:37 +01:00
Rasmus Wriedt Larsen
15bc4cd090 Python: Add override helpers to Value classes 2019-12-20 15:05:49 +01:00
Rasmus Wriedt Larsen
81e27aab8d Python: Modernise py/unused-loop-variable 2019-12-20 15:05:49 +01:00
Taus
52d231c219 Merge pull request #2469 from RasmusWL/python-modernise-twisted-library 
Python: modernise twisted library
 2019-12-18 13:55:50 +01:00
Taus
eb6feeeaf8 Merge pull request #2482 from RasmusWL/python-include-zope-web-tests 
Python: include zope web tests from internal repo
 2019-12-18 13:55:23 +01:00