hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-18 01:33:15 +01:00
Code Issues Packages Projects Releases Wiki Activity
82,275 Commits 1,671 Branches 157 Tags
tausbn/python-refine-location-of-flask-request-sources
Commit Graph

556 Commits

Author SHA1 Message Date
erik-krogh
cf094c2f4f adjust which folders are seen as exported to remove an FP 2023-02-03 14:47:55 +01:00
erik-krogh
ef44cb86c2 remove FPs related to parameters that are meant to be commands 2023-02-03 14:47:55 +01:00
erik-krogh
e9ebba3350 assume shell=False for subprocess calls, fixes FPs in e.g. youtube-dl 2023-02-03 14:47:55 +01:00
erik-krogh
d228cf0e7b use more API-nodes to model subprocess.run (and friends) 2023-02-03 14:47:55 +01:00
erik-krogh
bce83bfc4e add failing test for indirectly setting the shell=true flag for subprocess.run 2023-02-03 14:47:55 +01:00
erik-krogh
0a2c7d062c add Fabric test, and add tracking of the shell flag in Fabric 2023-02-03 14:47:55 +01:00
erik-krogh
6bbc4f4a48 add more tests 2023-02-03 14:47:55 +01:00
erik-krogh
33c506d7fe add minimal test for Array join as a sink, and learn that the order is flipped compared to JS. Thanks Copilot! 2023-02-03 14:47:55 +01:00
erik-krogh
5bddfc0d79 add test for f-strings as sink 2023-02-03 14:47:55 +01:00
erik-krogh
47a06d2824 add library inputs as a source, and get minimal test to work 2023-02-03 14:47:55 +01:00
erik-krogh
6e712b293a add tracking of strings to compile-sites for poly-redos, in the style of Ruby 2023-02-02 22:56:20 +01:00
erik-krogh
52959d7c0a add failing test for not tracking strings to re.compile 2023-02-02 19:10:32 +01:00
Rasmus Wriedt Larsen
db114bb104 Merge branch 'main' into call-graph-code 2023-02-02 11:56:55 +01:00
Erik Krogh Kristensen
01f6862965 Merge pull request #11833 from erik-krogh/trackPyReg 
PY: track string-constants to regular expression uses
 2023-02-01 11:40:42 +01:00
Rasmus Wriedt Larsen
80324735bb Python: Fixup annotation for CWE-022-PathInjection/pathlib_use.py 2023-01-23 17:40:24 +01:00
Rasmus Wriedt Larsen
61151d4aa7 Merge branch 'main' into call-graph-code 2023-01-16 13:39:15 +01:00
yoff
006eaf3e2a Merge pull request #11088 from yoff/python/inline-query-tests 
Python: Inline query tests
 2023-01-12 10:32:26 +01:00
Rasmus Lerchedahl Petersen
03bd6cb414 python: Allow optional result=OK 
Also add a further test case
 2023-01-06 13:33:12 +01:00
erik-krogh
10308f5875 track string-constants to regular expression uses 2023-01-06 13:17:31 +01:00
Rasmus Lerchedahl Petersen
d42bb119fe python: align annotations with Ruby 
use `result=BAD` for expected alert
and `result=OK` on sinks where alerts are not wanted.
 2023-01-05 21:41:28 +01:00
Rasmus Wriedt Larsen
d684dbdf5c Merge pull request #10656 from porcupineyhairs/PyPamImprove 
Python: Improve the PAM authentication bypass query
 2022-12-08 11:59:10 +01:00
Rasmus Wriedt Larsen
a826c4f48b Merge branch 'main' into call-graph-code 2022-12-08 11:39:30 +01:00
Jami Cogswell
25f0a13e15 update python test cases 2022-12-01 11:56:44 -05:00
Rasmus Wriedt Larsen
544de5232c Python: Use ' instead of ` in select text 2022-11-29 14:47:45 +01:00
Rasmus Wriedt Larsen
4e67ec19d0 Python: Adjust alert text of py/pam-auth-bypass 2022-11-28 16:14:38 +01:00
Rasmus Wriedt Larsen
f8442ccb0e Python: Adjust PAM Auth bypass test slightly 2022-11-28 16:08:44 +01:00
Rasmus Wriedt Larsen
fef06679e5 Python: Remove options file for PAM Auth Bypass 
Should not be needed
 2022-11-28 16:03:32 +01:00
Rasmus Wriedt Larsen
479a9e4156 Python: Update .expected 2022-11-28 16:01:42 +01:00
Rasmus Wriedt Larsen
04a68f8d52 Merge pull request #11372 from RasmusWL/getpass 
Python: Model `getpass.getpass` as source of passwords
 2022-11-22 14:49:04 +01:00
Rasmus Wriedt Larsen
6646e98d20 Python: Fix results outside DB for StackTraceExposure 2022-11-22 14:46:32 +01:00
Rasmus Wriedt Larsen
972cfa5cf6 Python: Accept bad StackTraceExposure.expected 
This is only Python 2 though
 2022-11-22 14:46:32 +01:00
Rasmus Wriedt Larsen
a301c93ebf Python: Fix results outside DB for CleartextLogging 2022-11-22 14:46:32 +01:00
Rasmus Wriedt Larsen
0a41d8d2c1 Python: Accept bad CleartextLogging.expected 2022-11-22 14:46:32 +01:00
Rasmus Wriedt Larsen
39ce50fadc Python: Fix problems with sinks in pathlib 
This must mean that we did not have this flow with the old call-graph,
which means the new call-graph is doing a better job (yay).
 2022-11-22 14:46:32 +01:00
Rasmus Wriedt Larsen
edcaff26af Python: Add path-injection test using pathlib 
Since it has the same problem of showing sinks inside the extracted
stdlib
 2022-11-22 14:46:32 +01:00
Rasmus Wriedt Larsen
9d29a0a044 Python: Accept changes to .expected from more pathlib flow 
But we don't want to keep this, this commit is just to show why we need a fix :)
 2022-11-22 14:46:32 +01:00
Rasmus Wriedt Larsen
70cc986d5f Python: Suppress None.json.dumps from ExternalAPI queries 2022-11-22 14:46:29 +01:00
Rasmus Wriedt Larsen
0bdc808a7a Python: Add ExternalAPI test None.json.dumps 2022-11-22 14:46:29 +01:00
Rasmus Wriedt Larsen
7648462f98 Python: Fix ExternalAPIs queries 
The output might end up being slightly more noisy since we don't
collapse positional and keyword arguments when the external target
function is included in the database, but this aligns with our long-term
goal of not doing that anymore, so I think it's fine.
 2022-11-22 14:46:29 +01:00
Rasmus Wriedt Larsen
9195b73d84 Python: Model getpass.getpass as source of passwords 2022-11-22 14:11:52 +01:00
Rasmus Wriedt Larsen
80e71b202a Python: Cleartext queires: Remove flow from getpass.py 2022-11-22 14:08:00 +01:00
Rasmus Wriedt Larsen
9342e3ba76 Python: Enable new test 
But look at all those elements from getpass.py implementation :(
 2022-11-22 13:59:59 +01:00
Rasmus Wriedt Larsen
e01df3ea7c Python: Prepare for new test 
.expected line changes 😠
 2022-11-22 13:52:50 +01:00
Rasmus Wriedt Larsen
1b30cf8eca Merge branch 'main' into call-graph-tests 2022-11-22 13:39:27 +01:00
Porcupiney Hairs
db231a111c Python : Improve the PAM authentication bypass query 
The current PAM auth bypass query which was contributed by me a few months back, alert on a vulenrable function but does not check if the function is actually function. This leads to a lot of fasle positives.

With this PR, I add a taint-tracking configuration to check if the username parameter can actually be supplied by an attacker.

This should bring the FP's significantly down.
 2022-11-19 01:29:25 +05:30
erik-krogh
618438642a update expected output of the queries (some sorting changed due to locations being used slightly differently in the shared pack) 2022-11-07 14:31:52 +01:00
erik-krogh
4f11e2d25f port the Python regex/redos queries to use the shared pack 2022-11-07 14:31:51 +01:00
Rasmus Lerchedahl Petersen
0a7cfad048 python: inline query tests for command injection 
note how the test file is partially annotated
and those annotations can now be expressed

In this particular test file, absolute line numbers
might have been better than relative ones.
We might remove line numbers altogether,
but should check more querries to see how it looks.
 2022-11-02 16:21:59 +01:00
Rasmus Wriedt Larsen
e8fdff7a3b Python: Expand ExternalAPIs test 
We never had a showcase of how keyword arguments were handled
 2022-10-28 09:38:02 +02:00
erik-krogh
a826dbbdee fix capitalization in stack-trace-exposure 2022-10-11 13:59:10 +02:00