hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-18 18:10:39 +01:00
Code Issues Packages Projects Releases Wiki Activity
82,275 Commits 1,671 Branches 157 Tags
tausbn/python-refine-location-of-flask-request-sources
Commit Graph

2968 Commits

Author SHA1 Message Date
Tom Hvitved
84aa9f17a0 Python/Ruby: Use SummaryTypeTracker from typetracking pack 2023-12-14 13:25:18 +01:00
Tom Hvitved
3b1146bf98 Python: Adopt shared type tracking library 2023-12-14 13:22:44 +01:00
Tom Hvitved
c8b4a215bc Merge pull request #14573 from hvitved/flow-summary-impl-param 
Move `FlowSummaryImpl.qll` to `dataflow` pack
 2023-12-14 12:24:15 +01:00
Rasmus Lerchedahl Petersen
479d81fb75 Python: fix nonlocal captured variables 
This depends on the extractor fix
 2023-12-14 10:37:27 +01:00
Rasmus Lerchedahl Petersen
efcdb3e67e Python: filter local flow from a node to itself 2023-12-14 10:28:26 +01:00
Rasmus Lerchedahl Petersen
061fd014a6 Python: further restrict LibraryLambdaMethod 
On the small test project, this reduces the number
of instances from 285 to 22.
 2023-12-14 10:27:15 +01:00
Rasmus Lerchedahl Petersen
453ab9ca7b Python: restrict LibraryLambdaMethod 2023-12-14 10:27:15 +01:00
Rasmus Lerchedahl Petersen
17a0029585 Python: support callbacks to library calls 
TODO:
The member predicate `LibraryLambdaMethod::getACall` is
currently too permissive.
Ideally, we would have `libraryCallHasLambdaArg`
as in Ruby. But even a more precise
`libraryCall` predicate might be fine.
 2023-12-14 10:27:15 +01:00
Rasmus Lerchedahl Petersen
b513871b9b Python: add consistency exclusions 2023-12-14 10:27:15 +01:00
Rasmus Lerchedahl Petersen
c054ba6a97 python: instantiate module for variable capture 
This provides variable capture in standard situations:
- nested functions
- lambdas
There are some deficiencies:
- we do not yet handle objects capturing variables.
- we do not handle variables captured via the `nonlocal` keyword.
  This should be solved at the AST level, though, and then it
  should "just work".

There are still inconsistencies in the case where
a `SynthesizedCaptureNode` has a comprehensions
as its enclosing callable. In this case,
`TFunction(cn.getEnclosingCallable())` is not
defined and so getEnclosingCallable does not exist
for the `CaptureNode`.
 2023-12-14 10:25:39 +01:00
fossilet
1cc2f073c4 Fix typo in qll. 2023-12-14 16:05:14 +08:00
Jeroen Ketema
99e65df6ce Merge remote-tracking branch 'upstream/rc/3.12' into mb12 2023-12-13 15:43:39 +01:00
yoff
a39eb5efc9 Merge pull request #15051 from yoff/python/slightly-improve-tarslip 
Python: slightly improve tarslip logic
 2023-12-12 14:43:43 +01:00
Tom Hvitved
a46964dfe8 Address review comments 2023-12-12 13:55:52 +01:00
Rasmus Wriedt Larsen
419130be21 Merge pull request #15030 from yoff/python/remove-module-entry-definitions 
Python: Remove control flow nodes for module entry definitions from the dataflow graph.
 2023-12-11 11:40:17 +01:00
Tom Hvitved
faaa558ed9 Python: Use FlowSummaryImpl from dataflow pack 2023-12-10 11:25:44 +01:00
Rasmus Lerchedahl Petersen
d9c0c8c26d Python: Update comment. 2023-12-08 17:32:23 +01:00
Rasmus Lerchedahl Petersen
2539e2ec1a Python: slightly improve tarslip logic 2023-12-08 17:18:25 +01:00
Anders Schack-Mulligen
64eb4ff753 Merge pull request #14983 from aschackmull/dataflow/deprecate-old-api 
Data Flow: Deprecate old data flow api.
 2023-12-08 14:27:25 +01:00
Rasmus Wriedt Larsen
dc90411809 Python: Don't include docs/ folder 2023-12-08 11:27:53 +01:00
Rasmus Wriedt Larsen
004bb50ef2 Python: Disallow invalid path component 2023-12-08 11:27:53 +01:00
Rasmus Wriedt Larsen
6ce8cd38d8 Python: Disallow examples 2023-12-08 11:27:53 +01:00
Rasmus Wriedt Larsen
b24e565128 SubclassFinder: don't include site-packages 2023-12-08 11:27:53 +01:00
Rasmus Wriedt Larsen
aa5eee1eac Python: Revert manual pickle modeling 
This reverts commit 62910f0cab525ca4d4901c4c27f6e6b22c3375fc.
This reverts commit 75a8197879ec47094d9b18f3dab7bcc1c1cdba28.

We don't find `kombu.serialization.pickle_load` since we respect
`__all__`. I think that was an attempt to not flood the captured
modeling with useless re-exports, but I think we've ended up doing that
anyway... we should consider to remove that restriction!

see 21d7df29c7/kombu/serialization.py (L29)
 2023-12-08 11:27:53 +01:00
Rasmus Wriedt Larsen
f74581ad09 Revert "Python: Model owslib.etree.etree directly" 
This reverts commit 1213e786519a11142746fd3a725c874181f3a42b.

By fixing a few bugs in the SubclassFinder + manually running Find.ql on the geonode DB from DCA, I found that the installed version of owslib had both: https://github.com/geopython/OWSLib/blob/0.27.2/owslib/etree.py
 2023-12-08 11:27:53 +01:00
Rasmus Wriedt Larsen
6ef9a2b11e Python: Fix problem if import is used 
I fixed it in both predicates... I think we might still be able to remove
`newDirectAlias` -- but with it being better, it will allow us to better test if `newImportAlias` actually cover everything we need!
 2023-12-08 11:27:52 +01:00
Rasmus Wriedt Larsen
f1fd9b4c7a Python: Fix underlying problem of not using Alias 2023-12-08 11:27:52 +01:00
Taus
fa6aec7ae2 Python: Model owslib.etree.etree directly 
Somehow, this alias did not get picked up by the tooling.
 2023-12-08 11:27:52 +01:00
Taus
6d40e7e0fc Python: Add extensible modelling for lxml.etree 2023-12-08 11:27:52 +01:00
Taus
5b9d56774b Python: Refactor references to ElementTree 
This would probably be better as a module, but I wanted to verify
first that this would yield the right results.
 2023-12-08 11:27:52 +01:00
Taus
d29879a844 Python: Model kombu.serialization 
More `pickle` wrappers.
 2023-12-08 11:27:52 +01:00
Taus
a6dc6f3e42 Python: Add model for flask.restful 
Not subclass-related -- just an alias.
 2023-12-08 11:27:52 +01:00
Taus
6261a94986 Python: Add cloudpickle model 
This one didn't seem to fit into the subclass approach, so I just modeled
it manually.
 2023-12-08 11:27:52 +01:00
Taus
43fe9ca31d Python: Model rest_framework.exceptions.APIException 
Only models the subclasses of `APIException` that share the same interface as
`APIException` itself with regard to the `getBody` predicate.
 2023-12-08 11:27:52 +01:00
Taus
1f66659ff2 Python: Add Django FileField model 2023-12-08 11:27:52 +01:00
Taus
aa3f1cf3e1 Python: extend aiohttp model 2023-12-08 11:27:52 +01:00
Taus
b5bffb2220 Python: Add aioch model 2023-12-08 11:27:52 +01:00
Taus
875fa0b8f0 Python: Add Peewee model 2023-12-08 11:27:52 +01:00
Taus
5e3bdb8701 Python: Add Pydantic model 2023-12-08 11:27:51 +01:00
Taus
9d93afe128 Python: Add logging.Logger model 2023-12-08 11:27:51 +01:00
Taus
dea61e14d1 Python: Add Urllib3 model 2023-12-08 11:27:51 +01:00
Taus
1269a98d2b Python: Add Tornado models 2023-12-08 11:27:51 +01:00
Taus
6093bb9fd4 Python: add some stdlib models 2023-12-08 11:27:51 +01:00
Taus
4879a931eb Python: Add starlette.requests.URL model 2023-12-08 11:27:51 +01:00
Taus
a3f7885787 Python: Add SqlAlchemy model 2023-12-08 11:27:51 +01:00
Taus
422733f32a Python: Add rest_framework model 2023-12-08 11:27:51 +01:00
Taus
5afead5896 Python: Add Pycurl model 2023-12-08 11:27:51 +01:00
Taus
f1a72311ed Python: add MultiDict model 2023-12-08 11:27:51 +01:00
Taus
62db8cc633 Python: Add MarkupSafe model 2023-12-08 11:27:51 +01:00
Taus
cdb0ac524d Python: Add invoke model 2023-12-08 11:27:51 +01:00