Commit Graph

2409 Commits

Author SHA1 Message Date
Rasmus Wriedt Larsen
0b0763953e Python: Update description of CodeInjection
Co-authored-by: intrigus-lgtm <60750685+intrigus-lgtm@users.noreply.github.com>
2020-10-08 11:15:36 +02:00
yoff
7d086b23ff Update python/ql/src/experimental/dataflow/internal/DataFlowPrivate.qll
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
2020-10-08 10:53:52 +02:00
Rasmus Lerchedahl Petersen
19796a4c9c Python: Improve tests and make validTest happy 2020-10-08 10:35:01 +02:00
Rasmus Lerchedahl Petersen
cc0661bce1 Python: More/better comments 2020-10-08 10:11:00 +02:00
Rasmus Wriedt Larsen
46ec7fbf6e Python: Make builtin compile function additional taint step 2020-10-07 21:17:39 +02:00
Rasmus Wriedt Larsen
c69a61bac5 Python: Model exec and eval calls as CodeExecution 2020-10-07 21:14:19 +02:00
Rasmus Wriedt Larsen
73971cff76 Python: Model exec statement (Python 2 only) as CodeExecution 2020-10-07 21:12:35 +02:00
Rasmus Wriedt Larsen
453c391bb0 Python: Add CodeExecution tests for stdlib 2020-10-07 21:12:31 +02:00
Rasmus Wriedt Larsen
0af86cba50 Python: Port CodeInjection query
and the dummy test-case we already have
2020-10-07 18:47:23 +02:00
Rasmus Wriedt Larsen
5f6e4d47ca Python: Add CodeExecution concept 2020-10-07 18:22:45 +02:00
Rasmus Lerchedahl Petersen
8196cfd21a Python: Attempt at clearer naming of parameters 2020-10-07 15:56:35 +02:00
yoff
35b0b6b472 Update python/ql/src/experimental/dataflow/internal/DataFlowPrivate.qll
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
2020-10-07 15:48:44 +02:00
Rasmus Lerchedahl Petersen
27a75c0bd1 Merge branch 'main' of github.com:github/codeql into SharedDataflow_ArgumentPassing 2020-10-07 15:43:31 +02:00
yoff
7e6f0b0bc3 Apply suggestions from code review
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
2020-10-07 15:11:15 +02:00
Rasmus Wriedt Larsen
bec33b745e Python: Use range instead of self for ::Range pattern
Following the suggestions from https://github.com/github/codeql/pull/4357
2020-10-07 14:54:51 +02:00
Rasmus Wriedt Larsen
c09695af7d Python: Properly handle invoke.task decorator 2020-10-07 12:29:19 +02:00
Rasmus Wriedt Larsen
67c5c590d2 Python: Expose getParameter on ParameterNode 2020-10-07 12:28:35 +02:00
Rasmus Wriedt Larsen
6d7f4a048b Python: Attempt to model invoke.task decorator 2020-10-07 12:26:49 +02:00
Rasmus Wriedt Larsen
c9219b3744 Clean module imports 2020-10-07 12:21:30 +02:00
Rasmus Wriedt Larsen
ebff1794fc Python: Model invoke.context.Context 2020-10-07 12:16:53 +02:00
Rasmus Wriedt Larsen
4ef5202382 Python: Add simple model for invoke.run and invoke.sudo
and I sorted the list in Frameworks.qll, that kinda makes sense :)
2020-10-07 12:13:59 +02:00
Rasmus Wriedt Larsen
300a8cdf7d Python: Add tests for the 'invoke' package 2020-10-07 11:55:26 +02:00
Rasmus Wriedt Larsen
7721db206e Python: Don't double report paths for platform.popen and popen2.*
I was a bit surprised that we hadn't double reported for popen2, but it turns
out that the implementation (at least on unix) looks like:

```
def popen2(cmd, bufsize=-1, mode='t'):
    ... = Popen3(cmd, False, bufsize)
    ...
```

but since the modeling I did considers calls to `Popen3` only if it has
been imported from the `popen2` module, we don't consider that call as a sink.
2020-10-07 10:57:31 +02:00
Rasmus Wriedt Larsen
36812af2c2 Python: Add test for Python2 specific command injection 2020-10-07 10:54:03 +02:00
Rasmus Wriedt Larsen
737b2b896f Python: Fix QLDoc for popen2 module 2020-10-07 10:49:22 +02:00
Rasmus Wriedt Larsen
d8a9eacd02 Python: Remove TODO comment for popen2 module 2020-10-07 10:47:28 +02:00
Rasmus Wriedt Larsen
6c4fd7c1ff Python: Model Python 2 only platform.popen command execution 2020-10-06 20:25:03 +02:00
Rasmus Wriedt Larsen
12e4e07cae Python: Model Python 2 only module popen2 2020-10-06 20:25:02 +02:00
Rasmus Wriedt Larsen
8c2f55fbd0 Python: Model Python 2 only os.popen2, popen3, popen4 functions 2020-10-06 20:25:01 +02:00
Rasmus Wriedt Larsen
6ec7ab2fd9 Python: Add test of Python 2 specific SystemCommandExecution 2020-10-06 20:25:00 +02:00
Taus Brock-Nannestad
b905a3d5e3 Python: Attribute access API 2020-10-06 16:36:29 +02:00
CodeQL CI
5bc7e19c44 Merge pull request #4414 from yoff/SharedDataflow_Conditionals
Approved by RasmusWL
2020-10-06 05:46:24 -07:00
Rasmus Lerchedahl Petersen
f9c5b864bb Python: Fix test of parenthesized form 2020-10-06 13:12:12 +02:00
Rasmus Wriedt Larsen
d26a89b95e Python: Fix QLDoc for RouteSetup 2020-10-06 11:35:18 +02:00
Rasmus Wriedt Larsen
b82727d0b8 Python: Consider routed parameter if URL pattern unknown 2020-10-06 11:03:25 +02:00
Rasmus Wriedt Larsen
16bad003a0 Python: Add test for routed params with unknown url pattern 2020-10-06 10:58:46 +02:00
Rasmus Lerchedahl Petersen
0f077f5d7d Python: Add flow inside IfExprNodes 2020-10-06 10:54:23 +02:00
Rasmus Lerchedahl Petersen
8f13d586b7 Python: More tests of conditionals
Also use better formatter
(better because comments are close to what they comment)
2020-10-06 10:49:15 +02:00
Rasmus Wriedt Larsen
fbe115c046 Python: Show TypeTracking doesn't work for module members 2020-10-06 03:12:39 +02:00
Rasmus Wriedt Larsen
f03a8a838b Python: Make any routed parameter a RemoteFlowSource
I'm not 100% sure whether this approach makes everything too magic, but I like
the fact that you can't _forget_ to make routed params remote-flow sources.
2020-10-06 03:03:14 +02:00
Rasmus Wriedt Larsen
b78c665f34 Python: Model RouteSetup for flask 2020-10-06 03:03:13 +02:00
Rasmus Wriedt Larsen
d27e6955b4 Python: Add test setup for HTTP::Server::RouteSetup 2020-10-06 03:03:06 +02:00
Rasmus Wriedt Larsen
ebc3d32ff1 Python: Add concept for HTTP server modeling
If we want to separate out into a file, we can always do this with

```
import experimental.semmle.python.HTTP as HTTP
```
2020-10-06 03:02:32 +02:00
Rasmus Wriedt Larsen
9f1aa8ca0c Python: Expose getParameter on ParameterNode 2020-10-06 03:02:31 +02:00
Rasmus Wriedt Larsen
d7526c40ba Python: Copy old flask tests to new dataflow setup 2020-10-06 03:02:30 +02:00
Rasmus Lerchedahl Petersen
478cfd7310 Python: Small clean-up 2020-10-05 12:43:30 +02:00
Rasmus Lerchedahl Petersen
f449da2fdb Python: Write explanatory examples. 2020-10-05 11:39:18 +02:00
Rasmus Lerchedahl Petersen
8e27904f65 Python: Add explanatory comment. 2020-10-04 15:34:25 +02:00
Rasmus Lerchedahl Petersen
3463889010 Python: Add comments 2020-10-04 09:40:06 +02:00
Rasmus Lerchedahl Petersen
385e213fcf Python: Fix comments 2020-10-04 09:33:30 +02:00