hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 09:13:20 +01:00
Code Issues Packages Projects Releases Wiki Activity
17,676 Commits 1,671 Branches 157 Tags
yo-h/java15
Commit Graph

2409 Commits

Author SHA1 Message Date
Mathias Vorreiter Pedersen
6ac740a490 Python: Sync identical file 2020-10-30 16:53:17 +01:00
Rasmus Lerchedahl Petersen
e7c9bc388b Python: support some custom subclasses 2020-10-30 14:16:48 +01:00
Rasmus Lerchedahl Petersen
e69349791a Python: django.http.response.HttpRequest.write 2020-10-30 12:51:23 +01:00
Rasmus Lerchedahl Petersen
ffe10d1b7c Python: test HttpResponse.write 2020-10-30 12:16:12 +01:00
Rasmus Lerchedahl Petersen
fa3a7e6686 Python: Known subclasses of HttpResponse 2020-10-30 11:53:24 +01:00
Rasmus Lerchedahl Petersen
c962377ef4 Python: test for subclasses 2020-10-30 10:37:40 +01:00
Rasmus Lerchedahl Petersen
08af839757 Python: django.http.response.HttpResponseRedirect 2020-10-30 01:29:49 +01:00
Rasmus Lerchedahl Petersen
52be896666 Python: django.http.response.JsonResponse 
It s possible this class is not relevant to XSS
 2020-10-30 01:05:36 +01:00
Rasmus Lerchedahl Petersen
0f9b8595d1 Python: rename functions by vulnerability 2020-10-30 00:51:09 +01:00
Rasmus Lerchedahl Petersen
97153b56ad Python: add false negatives to test 2020-10-30 00:48:19 +01:00
Rasmus Lerchedahl Petersen
2ca86f5ea7 Python: django.http.response.HttpResponse 2020-10-30 00:22:53 +01:00
Mathias Vorreiter Pedersen
acf6ffb990 Python: Sync identical file 2020-10-29 19:07:10 +01:00
Rasmus Lerchedahl Petersen
96e79a2702 Python: restrict to python files 2020-10-29 15:00:47 +01:00
Rasmus Lerchedahl Petersen
6658ee9dc8 Merge branch 'python-port-reflected-xss' of https://github.com/RasmusWL/codeql into RasmusWL-python-port-reflected-xss 2020-10-29 12:46:44 +01:00
Rasmus Lerchedahl Petersen
cf97a56844 Merge remote-tracking branch 'upstream/main' into python-port-path-injection 2020-10-28 14:43:33 +01:00
yoff
c8bb0509e5 Merge pull request #4563 from tausbn/python-remove-refersto-from-regex-libs 
Python: Remove `refersTo` from `regex.qll`
 2020-10-28 13:37:14 +01:00
Taus Brock-Nannestad
1503c5ea16 Python: Remove refersTo from regex.qll 
This was causing the old `Object` API stuff to be evaluated when using
our new library models (specifically the Django model).
 2020-10-28 12:41:17 +01:00
Rasmus Lerchedahl Petersen
9fd1bf60fa Merge branch 'main' of github.com:github/codeql into python-port-path-injection 2020-10-28 10:24:23 +01:00
Rasmus Lerchedahl Petersen
164acf4055 Python: test that aliasing is not a problem 2020-10-27 11:25:58 +01:00
Rasmus Lerchedahl Petersen
2baed20067 Python: Test false negative from review 2020-10-27 08:30:16 +01:00
Rasmus Lerchedahl Petersen
b6313dddb9 Python: Add concept tests 2020-10-27 08:26:00 +01:00
Rasmus Lerchedahl Petersen
8350d64763 Python: Add concept test definitions 2020-10-27 08:00:53 +01:00
Rasmus Lerchedahl Petersen
601a803ee2 Python: DataFlow/TaintTrackin 3/4 2020-10-26 14:42:18 +01:00
Rasmus Lerchedahl Petersen
d89e985246 Python: Test showing chaining FP 2020-10-24 09:20:30 +02:00
Rasmus Lerchedahl Petersen
022cf0b2cc Python: Add test from tracking issue 
All tests pass, but there are spurious paths
due to configuration chaining.
 2020-10-24 09:07:43 +02:00
Rasmus Lerchedahl Petersen
c4d1affaf8 Python: Suggestions from reviewer 2020-10-23 16:57:11 +02:00
yoff
15167753c6 Apply suggestions from code review 
Co-authored-by: Taus <tausbn@github.com>
 2020-10-23 16:52:13 +02:00
Rasmus Lerchedahl Petersen
d6e9b351e5 Python: Add qldocs 2020-10-23 16:39:38 +02:00
Rasmus Lerchedahl Petersen
821b0c918a Python: Additional taintstep for normpath 
Is it ok to have this in general?
 2020-10-23 16:35:10 +02:00
CodeQL CI
6218a48e88 Merge pull request #4545 from RasmusWL/python-model-django-v1 
Approved by tausbn
 2020-10-23 15:27:42 +01:00
Rasmus Lerchedahl Petersen
6317db1622 Python: Reword explanation (slightly) 2020-10-23 15:54:52 +02:00
Rasmus Wriedt Larsen
aa9f15af76 Python: Fix typo 
Co-authored-by: Taus <tausbn@github.com>
 2020-10-23 15:39:38 +02:00
Rasmus Lerchedahl Petersen
9eda84debb Python: PathCheck -> Path::SafeAccessCheck 2020-10-23 15:01:43 +02:00
Rasmus Lerchedahl Petersen
cf8462fa58 Python: Simplify chained configs 2020-10-23 14:52:47 +02:00
Rasmus Lerchedahl Petersen
f87845b1ec Python: Copy old test 2020-10-23 14:52:07 +02:00
Rasmus Wriedt Larsen
7993a83750 Merge pull request #4544 from tausbn/python-fix-bad-join-in-use-use-ssa 
Python: Fix bad join order in `adjacentUseUseSameVar`
 2020-10-23 14:37:27 +02:00
Rasmus Wriedt Larsen
d295c64ccd Python: Add example of flask response .set_data 2020-10-23 14:31:36 +02:00
Rasmus Wriedt Larsen
eb545204ec Python: Show that reflected XSS works now 
Also did autoformatting, but the important part is the change to the .expected file
 2020-10-23 14:31:35 +02:00
Rasmus Wriedt Larsen
d2cfa91155 Python: Add some tricky tests of return in flask route handler 
In these cases the `return` might end up creating a new HTTP response, so they
need to be modeled as such.

Initially I created a very naive solution that didn't handle either
tricky_return1 or tricky_return2.

The interaction in tricky_return2/helper highlighted for me that to handle this
properly, due to the fact that the flow is across functions, we either need to
use a global dataflow/taint-tracking configuration, or some clever use of
type-trackers.

In the end, this extra effort for not modeling all returns in a flask route
handler as a creation of a HTTP response doesn't really seem to be worth it (at
least not right now). Sicne we use it with taint-tracking for the Reflected XSS
query, and use a HTTP response _creation_ as the sink (without propagating taint
to the HTTP response), we won't get into trouble where we report a path to BOTH
`make_response(...)` and the `return`

```
resp = make_response(...)
return resp
```

If we change this setup in the future, we will probably need to do something to
avoid this double-path reporting.
 2020-10-23 14:31:35 +02:00
Rasmus Wriedt Larsen
d60221b168 Python: Model return from flask handler as HTTP response 
When dealing with

```
resp = make_response(...)
return resp
```

ideally we don't want to mark the return as a creation of a HTTP response. I'll
deal with this in a second commit, to show off how annoying it looks in the
tests right now :D
 2020-10-23 14:31:34 +02:00
Rasmus Wriedt Larsen
44ba3469db Python: Model response_class attribute of Flask class 2020-10-23 14:31:34 +02:00
Rasmus Wriedt Larsen
082e35c2c7 Python: Model mimetype instead of content-type for HTTP Response 
Since that's really what we're after (at least for now)
 2020-10-23 14:31:33 +02:00
Rasmus Wriedt Larsen
81a42b73a8 Python: Model flask.Response 
I think I'll rework how we model content-type, since what we _actually_ want to
know is the mimetype
 2020-10-23 14:31:32 +02:00
Rasmus Wriedt Larsen
1f99bbf744 Python: Model flask.Response 
I kept `Response::instance()` predicate even though we don't need it for
anything right now, I thought it could be nice to keep for the future.
 2020-10-23 14:31:32 +02:00
Rasmus Wriedt Larsen
7894d01248 Python: Add test for mimetype/headers priority 2020-10-23 14:31:31 +02:00
Rasmus Wriedt Larsen
35334cf630 Python: Remove status code modeling 
I'm not even trying to model it properly right now, and don't have a specific
use-case for it RIGHT NOW. I think we could want this in the future, but I think
it's probably better to model it when we know what we want to use it for.
 2020-10-23 14:31:31 +02:00
Rasmus Wriedt Larsen
19dc04de3c Python: Handle make_response on flask app 2020-10-23 14:31:30 +02:00
Rasmus Wriedt Larsen
e38ac18e46 Python: Add (only) basic $HttpResponse tag to other tests files 
This seems really nice to me, but you might disagree
 2020-10-23 14:31:30 +02:00
Rasmus Wriedt Larsen
8b0b87ae62 Python: Model flask.make_response 2020-10-23 14:31:29 +02:00
Rasmus Wriedt Larsen
e93c20a7a8 Python: You can supply defaults for HTTP Response properties 2020-10-23 14:31:28 +02:00