hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 01:03:14 +01:00
Code Issues Packages Projects Releases Wiki Activity
82,275 Commits 1,671 Branches 157 Tags
tausbn/python-refine-location-of-flask-request-sources
Commit Graph

9154 Commits

Author SHA1 Message Date
Taus
1b6e3c4ef4 Merge branch 'main' into tausbn/python-refine-location-of-flask-request-sources 2025-09-02 14:59:55 +02:00
Michael Nebel
31852985e5 Merge pull request #20335 from michaelnebel/shared/ql4ql 
Shared and Sync: Fix some Ql4Ql violations.
 2025-09-02 14:37:34 +02:00
Arthur Baars
0bb7fdccf6 Merge pull request #20347 from github/post-release-prep/codeql-cli-2.23.0 
Post-release preparation for codeql-cli-2.23.0
 2025-09-02 14:14:03 +02:00
Anders Schack-Mulligen
f833fe0e6e Merge pull request #20300 from aschackmull/cfg/successortype 
Shared: Add a shared SuccessorType implementation
 2025-09-02 14:09:35 +02:00
Michael Nebel
d3d737b383 Merge pull request #20330 from michaelnebel/python/ql4ql 
Python: Fix some Ql4Ql violations.
 2025-09-02 14:01:54 +02:00
Michael Nebel
7490d8ddd2 Shared and Sync: Fix some Ql4Ql violations. 2025-09-02 13:54:22 +02:00
github-actions[bot]
e8a2600a0c Post-release preparation for codeql-cli-2.23.0 2025-09-02 11:46:23 +00:00
github-actions[bot]
0bfa93828b Release preparation for version 2.23.0 2025-09-02 11:09:32 +00:00
Michael Nebel
90caded4fe Apply suggestion from @aschackmull 
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
 2025-09-02 13:08:31 +02:00
Michael Nebel
dbd31259b3 Python: Fix some Ql4Ql violations. 2025-09-01 15:16:25 +02:00
Anders Schack-Mulligen
144e34c669 Shared: Use shared SuccessorType in shared Cfg and BasicBlock libs. 2025-09-01 13:43:32 +02:00
Anders Schack-Mulligen
09b2c5abf0 BasicBlock: Replace entryBlock predicate with subclass. 2025-09-01 11:48:44 +02:00
Anders Schack-Mulligen
f459ddc40a Languages: Adapt to api changes. 2025-09-01 11:26:33 +02:00
Anders Schack-Mulligen
bb3abc815f SSA: Update input to use member predicates. 2025-09-01 11:19:48 +02:00
Taus
0f4f909ded Python: Update test .expected files 
Really starting to regret our widespread use of `flask.request` as _the_
example of a remote flow source.
 2025-08-29 12:01:29 +00:00
Taus
f89fae39c5 Merge pull request #20276 from github/tausbn/python-model-psycopg2-connection-pools 
Python: Add support for Psycopg2 database connection pools
 2025-08-29 13:52:59 +02:00
Napalys Klicius
bafe22c50c Merge pull request #20048 from Napalys/js/xml_bomb_sinks 
JS: Exclude patched libraries from `xml-bomb` sink
 2025-08-29 08:10:55 +02:00
Taus
6dea27837e Python: More refinements 
As it turns out, referring to the request object using `flask.request`
is not uncommon, and this meant restricting to `Name` nodes was too
strong. With the changes in this commit, we now include those
occurrences as well.
 2025-08-28 13:23:39 +00:00
Joe Farebrother
7ef2b01119 Merge pull request #20142 from joefarebrother/python-qual-subclass-shadow 
Python: Modernise Superclass attribute shadows subclass method query
 2025-08-28 13:40:26 +01:00
Tom Hvitved
fa7295f0a1 Merge pull request #20303 from hvitved/python/jump-to-def-unpack-tests 
Python: Add jump-to-def tests for unpacking assignments
 2025-08-28 12:03:55 +02:00
Tom Hvitved
bf47f66691 Python: Add jump-to-def tests for unpacking assignments 2025-08-28 10:38:21 +02:00
Joe Farebrother
bde143e4c1 Merge pull request #20038 from joefarebrother/python-qual-comparison 
Python: Modernize 3 quality queries for comparison methods
 2025-08-28 09:37:20 +01:00
Joe Farebrother
45910b9505 Merge remote-tracking branch 'origin/python-qual-subclass-shadow' into python-qual-subclass-shadow 2025-08-28 09:23:42 +01:00
Joe Farebrother
c6ababd262 Fix test output 2025-08-28 08:49:34 +01:00
Joe Farebrother
ada0b372c6 Merge pull request #20120 from joefarebrother/python-qual-unexpected-raise-special 
Python: Modernize Unexpected Raise In Special Method query
 2025-08-27 15:01:46 +01:00
Joe Farebrother
2c6b2df7cc Update python/ql/src/Classes/SubclassShadowing/SubclassShadowing.qhelp 
Co-authored-by: Taus <tausbn@github.com>
 2025-08-27 13:20:54 +01:00
Joe Farebrother
5b0beb91d1 Update python/ql/src/Functions/IncorrectRaiseInSpecialMethod.qhelp 
Co-authored-by: Taus <tausbn@github.com>
 2025-08-27 13:19:55 +01:00
Taus
f3a5d0a243 Python: Refine the location of flask.request flow sources 
The `flask.request` global object is commonly used in request handlers
to access data in the active request. In our modelling, we handled this
by treating the initial (module-local) definition of `request` as a
source of remote flow. In practice this meant a lot of alerts would act
as if `from flask import request` was the ultimate "source" of remote
flow, and to find the actual request-handler-local instance of `request`
one would have to inspect the data-flow path between source and sink.

To improve this state of affairs, I have made the following changes to
the definition of `FlaskRequestSource`:

- We no longer consider `from flask import request` to be a source.
- Instead, we look at all places where that `request` value can flow,
and include only the ones that are `LocalSourceNode`s (so that inside a
request handler, the first occurrence of the `request` object is the
source).

In practice, this leads to alerts that are much easier to decipher.
 2025-08-25 14:46:17 +00:00
Taus
1008ca9744 Python: Add psycopg2.pool tests 2025-08-25 14:14:16 +00:00
Taus
d5e0298999 Python: Add support for Psycopg2 database connection pools 
Our current modelling only treated `psycopg2` insofar as it implemented
PEP 249 (which does not define any notion of connection pool), which
meant we were missing database connections that arose from such pools.

With these changes, we add support for the three classes relating to
database pools that are defined in `psycopg2`. (Note that
`getAnInstance` automatically looks at subclasses, which means this
should also handle cases where the user has defined a new subclass that
inherits from one of these three classes.)
 2025-08-25 12:35:57 +00:00
Tom Hvitved
bf7e3dabd6 Python: Only include relevant YAML in printAst.ql 2025-08-25 13:54:19 +02:00
github-actions[bot]
42e3d31c49 Post-release preparation for codeql-cli-2.22.4 2025-08-18 14:42:42 +00:00
github-actions[bot]
90d29994c8 Release preparation for version 2.22.4 2025-08-18 14:06:09 +00:00
Nora Dimitrijević
4199859eaa Merge pull request #20079 from d10c/d10c/diff-informed-phase-3-python 
Python: Diff-informed queries: phase 3 (non-trivial locations)
 2025-08-18 09:33:57 +02:00
github-actions[bot]
fb4b0aac53 Post-release preparation for codeql-cli-2.22.3 2025-08-04 17:18:08 +00:00
github-actions[bot]
fd82aeb1f8 Release preparation for version 2.22.3 2025-08-04 15:47:57 +00:00
Joe Farebrother
5e09c1d3d3 Merge remote-tracking branch 'origin/python-qual-subclass-shadow' into python-qual-subclass-shadow 2025-08-01 12:39:30 +01:00
Joe Farebrother
bc60914ed7 Update test output 2025-08-01 12:37:51 +01:00
Joe Farebrother
d8083add3e Doc updates 2025-08-01 12:35:01 +01:00
Joe Farebrother
79d1deb28d Update python/ql/src/Classes/SubclassShadowing/SubclassShadowing.ql 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
 2025-07-31 06:05:48 +01:00
Joe Farebrother
71a6b22815 Update python/ql/src/Classes/SubclassShadowing/examples/SubclassShadowingBad.py 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
 2025-07-31 06:05:25 +01:00
Joe Farebrother
1efc09bbba Update integration tests 2025-07-30 15:54:39 +01:00
Joe Farebrother
63577f0cca Add extra example 2025-07-30 15:52:26 +01:00
Joe Farebrother
2516f9452e Move to subfolder 2025-07-30 15:17:19 +01:00
Joe Farebrother
34317d2d4a Update documentation 2025-07-30 13:56:28 +01:00
Joe Farebrother
796a6060b2 Exclude setters and update tests 2025-07-30 13:56:05 +01:00
Joe Farebrother
af94ebe1fc Modernize attribute shadows subclass, Add cases for properties 2025-07-30 13:55:11 +01:00
Joe Farebrother
c0da9c407e Fix typo in test dir name + update examples 2025-07-25 13:15:46 +01:00
Joe Farebrother
958fddb638 cleanup order and remove duplicates for arithmetic methods 2025-07-25 10:57:19 +01:00
Joe Farebrother
d7b855c4e3 qhelp fix 2025-07-25 10:24:58 +01:00