codeql

mirror of https://github.com/github/codeql.git synced 2025-12-20 10:46:30 +01:00

Author	SHA1	Message	Date
Rasmus Wriedt Larsen	0439b83c60	Python: Taint when using unicode	2020-08-25 12:50:32 +02:00
Rasmus Wriedt Larsen	483bd0e863	Python: Fix shared taint tracking tests Since there was a .ql file, qltest tried to run a test in test/experimental/dataflow/taintracking/ which failed since there was no code.	2020-08-25 11:15:11 +02:00
Rasmus Wriedt Larsen	d96ef73033	Python: Handle taint for f-strings Which we seem to not handle in the current taint tracking :O f-strings needs to be Python 3 only, so enabled that test setup. I really liked the idea for having the version specific tests right next to the normal tests, so you don't have to look in test/experimental/3/dataflow/i/will/forget/to/look/here.	2020-08-24 16:46:00 +02:00
Rasmus Wriedt Larsen	cb4b4e91ab	Python: Taint for string multiplication	2020-08-24 14:54:06 +02:00
Rasmus Wriedt Larsen	5125c7a55c	Python: Add taint tests for encode/decode functions	2020-08-24 14:54:04 +02:00
Rasmus Wriedt Larsen	31b398937a	Python: Handle taint from `bytes(obj)`	2020-08-24 14:17:59 +02:00
Rasmus Wriedt Larsen	1e447c5ca2	Python: Handle taint for % formatting	2020-08-24 14:15:27 +02:00
Rasmus Wriedt Larsen	80745e8881	Python: Model string methods in shared taint tracking library	2020-08-24 13:58:42 +02:00
Rasmus Wriedt Larsen	a77f118b62	Python: Shared taint tracking: Handle string concat + subcript	2020-08-24 13:58:41 +02:00
Rasmus Wriedt Larsen	61f89ca3c3	Python: Add tests for shared taint tracking for strings I adopted the TestTaint testing setup that I made for the "old" taint tracking tests. This time around we should figure out if we can use .qlref or similar so it doesn't end up in multiple copies that are not kept up to date :\| The `repr` predicate could probably be placed somewhere better. For now I just wanted something that could help me. I considered just expanding the `repr` predicate in `ql/src/semmle/python/strings.qll`, but since it's currently used by queries, I didn't want to do anything about it. Anyway, the output it gives is much more useful than seeing this ;) ``` \| test.py:20 \| ok \| str_operations \| test.py:20:9:20:10 \| ts \| \| test.py:21 \| fail \| str_operations \| test.py:21:9:21:18 \| BinaryExpr \| \| test.py:22 \| fail \| str_operations \| test.py:22:9:22:18 \| BinaryExpr \| \| test.py:23 \| fail \| str_operations \| test.py:23:9:23:21 \| Subscript \| \| test.py:24 \| fail \| str_operations \| test.py:24:9:24:13 \| Subscript \| \| test.py:25 \| fail \| str_operations \| test.py:25:9:25:18 \| Subscript \| \| test.py:26 \| fail \| str_operations \| test.py:26:9:26:13 \| Subscript \| \| test.py:27 \| fail \| str_operations \| test.py:27:9:27:15 \| str() \| \| test.py:35 \| fail \| str_methods \| test.py:35:9:35:23 \| Attribute() \| \| test.py:36 \| fail \| str_methods \| test.py:36:9:36:21 \| Attribute() \| \| test.py:37 \| fail \| str_methods \| test.py:37:9:37:22 \| Attribute() \| \| test.py:38 \| fail \| str_methods \| test.py:38:9:38:23 \| Attribute() \| \| test.py:40 \| fail \| str_methods \| test.py:40:9:40:19 \| Attribute() \| \| test.py:41 \| fail \| str_methods \| test.py:41:9:41:23 \| Attribute() \| \| test.py:42 \| fail \| str_methods \| test.py:42:9:42:36 \| Attribute() \| \| test.py:44 \| fail \| str_methods \| test.py:44:9:44:25 \| Attribute() \| \| test.py:45 \| fail \| str_methods \| test.py:45:9:45:45 \| Attribute() \| \| test.py:47 \| fail \| str_methods \| test.py:47:9:47:21 \| Attribute() \| \| test.py:48 \| fail \| str_methods \| test.py:48:9:48:19 \| Attribute() \| \| test.py:49 \| fail \| str_methods \| test.py:49:9:49:18 \| Attribute() \| \| test.py:51 \| fail \| str_methods \| test.py:51:9:51:32 \| Attribute() \| \| test.py:52 \| fail \| str_methods \| test.py:52:9:52:34 \| Attribute() \| \| test.py:54 \| fail \| str_methods \| test.py:54:9:54:21 \| Attribute() \| \| test.py:55 \| fail \| str_methods \| test.py:55:9:55:19 \| Attribute() \| \| test.py:56 \| fail \| str_methods \| test.py:56:9:56:18 \| Attribute() \| \| test.py:57 \| fail \| str_methods \| test.py:57:9:57:21 \| Attribute() \| \| test.py:58 \| fail \| str_methods \| test.py:58:9:58:18 \| Attribute() \| \| test.py:59 \| fail \| str_methods \| test.py:59:9:59:18 \| Attribute() \| \| test.py:60 \| fail \| str_methods \| test.py:60:9:60:21 \| Attribute() \| \| test.py:62 \| fail \| str_methods \| test.py:62:9:62:26 \| Attribute() \| \| test.py:63 \| fail \| str_methods \| test.py:63:9:63:42 \| Attribute() \| \| test.py:65 \| fail \| str_methods \| test.py:65:9:65:26 \| Attribute() \| \| test.py:66 \| fail \| str_methods \| test.py:66:9:66:42 \| Attribute() \| \| test.py:69 \| fail \| str_methods \| test.py:69:9:69:25 \| Attribute() \| \| test.py:70 \| fail \| str_methods \| test.py:70:9:70:26 \| Attribute() \| \| test.py:71 \| fail \| str_methods \| test.py:71:9:71:22 \| Attribute() \| \| test.py:72 \| fail \| str_methods \| test.py:72:9:72:21 \| Attribute() \| \| test.py:73 \| fail \| str_methods \| test.py:73:9:73:23 \| Attribute() \| \| test.py:78 \| ok \| str_methods \| test.py:78:9:78:39 \| Attribute() \| ```	2020-08-24 13:58:39 +02:00
Rasmus Wriedt Larsen	7fb8e0e277	Python: Add basic shared taint tracking test	2020-08-20 14:49:17 +02:00

1 2 3

111 Commits