hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-19 18:33:16 +01:00
Code Issues Packages Projects Releases Wiki Activity
29,908 Commits 1,671 Branches 157 Tags
z80coder/ATM-feature-optimisation
Commit Graph

2201 Commits

Author SHA1 Message Date
Rasmus Wriedt Larsen
350f79e1e1 Python: Model sensitive data based on variable names 2021-06-04 11:28:07 +02:00
Rasmus Wriedt Larsen
f5fd0f8d1c Python: Model sensitive data based on parameter names 2021-06-04 11:28:07 +02:00
Rasmus Wriedt Larsen
925e67d734 Python: Model sensitive data from subscripts 2021-06-04 11:28:07 +02:00
Rasmus Wriedt Larsen
00a71a1c41 Python: Port sensitive data modeling 
No longer using points-to 🎉
 2021-06-04 11:28:07 +02:00
Rasmus Wriedt Larsen
3b68c87b6c Python: Add sensitive data test-cases 2021-06-03 13:38:29 +02:00
Rasmus Wriedt Larsen
e9acea8643 Python: Improve multidict modeling 2021-06-03 11:50:49 +02:00
Rasmus Wriedt Larsen
2e851cd5f0 Python: Improve yarl.URL modeling 2021-06-03 11:38:15 +02:00
Rasmus Wriedt Larsen
3c47e583d8 Python: Add test for missing data-flow step in aiohttp.web 2021-06-03 10:55:34 +02:00
Rasmus Wriedt Larsen
2dbbf52903 Python: Model HTTP responses in aiohttp.web 2021-06-03 10:55:34 +02:00
Rasmus Wriedt Larsen
735df4597f Python: Aiohttp add response tests 2021-06-03 10:55:34 +02:00
Rasmus Wriedt Larsen
5d4140d3e2 Python: Handle more complicated route-setup in aiohttp 
Since we want to be able to easy select request-handlers that are not
set up as part of a view-class, we need to easily be able to identify
those. To handle cases like the one below, we _can't_ just define these
to be all the async functions that are not methods on a class :(

```py
    # see https://docs.aiohttp.org/en/stable/web_quickstart.html#organizing-handlers-in-classes

    class MyCustomHandlerClass:

        async def foo_handler(self, request):  # $ MISSING: requestHandler
            return web.Response(text="MyCustomHandlerClass.foo")

    my_custom_handler = MyCustomHandlerClass()
    app.router.add_get("/MyCustomHandlerClass/foo", my_custom_handler.foo_handler)   # $ routeSetup="/MyCustomHandlerClass/foo"
```

So it seemed easiest to narrow down the route-setups, but that means we
want both refinement and extensibility... so `::Range` pattern to the
rescue 🎉

The important piece of code that still works after this commit, but
which hasn't been changed, is the one below:

```codeql
  /**
   * A parameter that will receive a `aiohttp.web.Request` instance when a request
   * handler is invoked.
   */
  class AiohttpRequestHandlerRequestParam extends Request::InstanceSource, RemoteFlowSource::Range,
    DataFlow::ParameterNode {
    AiohttpRequestHandlerRequestParam() {
      exists(Function requestHandler |
        requestHandler = any(AiohttpCoroutineRouteSetup setup).getARequestHandler() and
```
 2021-06-03 10:55:34 +02:00
Rasmus Wriedt Larsen
919a0b6b84 Python: aiohttp route setup is more complicated than expected 2021-06-03 10:55:34 +02:00
Rasmus Wriedt Larsen
c69b857662 Python: Add self.request as RemoteFlowSource for aiohttp View 
Just like we do for Django in
7393443f8c/python/ql/src/semmle/python/frameworks/Django.qll (L1786-L1804)
 2021-06-03 10:55:34 +02:00
Rasmus Wriedt Larsen
c4b618dcf5 Python: Model view-classes in aiohttp.web 
No taint modeling of them yet though
 2021-06-03 10:55:34 +02:00
Rasmus Wriedt Larsen
8c039d5688 Python: Add more aiohttp view routing tests 2021-06-03 10:55:34 +02:00
Rasmus Wriedt Larsen
1aa222d7cc Python: Add taint-test for class-based view 2021-06-03 10:55:34 +02:00
Rasmus Wriedt Larsen
fb21bc04fa Python: Add taint-steps for yarl.URL 2021-06-03 10:55:34 +02:00
Rasmus Wriedt Larsen
72e6a1489c Python: Add taint-steps for MultiDictProxy 2021-06-03 10:55:34 +02:00
Rasmus Wriedt Larsen
dd131e6bf7 Python: Add taint-step for methods on aiohttp.web.Request 2021-06-03 10:55:34 +02:00
Rasmus Wriedt Larsen
63c7fa0c2c Python: aiohttp match_info should be tainted 
Whoops
 2021-06-03 10:55:34 +02:00
Rasmus Wriedt Larsen
597a9dfc80 Python: Don't consider has_body tainted 
Although it technically is, I think it belong in the section of things
that are unlikely to be exploitable
 2021-06-03 10:55:34 +02:00
Rasmus Wriedt Larsen
d953ea47d4 Python: Basic handling of tainted attributes in aiohttp 2021-06-03 10:55:34 +02:00
Rasmus Wriedt Larsen
88158e7414 Python: Add basic model setup for aiohttp.web.Request 2021-06-03 10:55:34 +02:00
Rasmus Wriedt Larsen
2b992a635a Python: Add aiohttp taint tests 2021-06-03 10:55:34 +02:00
Rasmus Wriedt Larsen
3cbb909a3a Python: Add modeling of coroutine routes in aiohttp.web 2021-06-03 10:55:33 +02:00
Rasmus Wriedt Larsen
85d9483c7b Python: Add basic aiohttp tests 2021-06-03 10:55:33 +02:00
Taus
d9911a016e Merge pull request #5933 from RasmusWL/expand-use-of-input-test 
Python: Expand test of py/use-of-input
 2021-05-31 11:39:33 +02:00
Rasmus Wriedt Larsen
d5f2846394 Merge branch 'main' into jorgectf/python/ldapInjection 2021-05-26 11:01:48 +02:00
Rasmus Wriedt Larsen
1b3f857a2f Python: Promote ClickHouse SQL models 2021-05-25 16:27:23 +02:00
Rasmus Wriedt Larsen
eb1da152a0 Python: Rewrite ClickHouse SQL lib modeling 
This did turn into a few changes, that maybe could have been split into
separate PRs 🤷

* Rename `ClickHouseDriver` => `ClickhouseDriver`, to better follow
  import name in `.qll` name
* Rewrote modeling to use API graphs
* Split modeling of `aioch` into separate `.qll` file, which does re-use
  the `getExecuteMethodName` predicate. I feel that sharing code between
  the modeling like this was the best approach, and stuck the
  `INTERNAL: Do not use.` labels on both modules.
* I also added handling of keyword arguments (see change in .py files)
 2021-05-25 16:13:31 +02:00
Rasmus Wriedt Larsen
c9a9535dbc Python: Use ConceptsTests for ClickHouse SQL libs 
This did reveal a few places where we do not detect the incoming SQL
 2021-05-25 16:10:06 +02:00
Rasmus Wriedt Larsen
35793a10bb Merge pull request #5889 from japroc/python-clickhouse-driver 
Python: Implement module ClickHouseDriver.qll
 2021-05-25 14:25:28 +02:00
jorgectf
37d6ff76a3 Update tests and .expected 2021-05-21 17:47:53 +02:00
Rasmus Wriedt Larsen
c4e244eb80 Python: Add getAwaited to API::Node 
I _really_ wanted to call this `.await()`, but that did not fit in with
the convention, or the corresponding `getPromised` in JS.

54f191cfe3/javascript/ql/src/semmle/javascript/ApiGraphs.qll (L184)
 2021-05-21 17:11:20 +02:00
Rasmus Wriedt Larsen
2408573a0a Python: Add API graph test for calling coroutines 2021-05-21 16:08:15 +02:00
Rasmus Wriedt Larsen
7a5fd02442 Python: API graph tests: add --max-import-depth=1 
Before this, I ended up extracting 454 modules locally 😱
 2021-05-21 15:58:15 +02:00
Rasmus Wriedt Larsen
9a4709c134 Python: API graph tests: Disallow results outside project 
Running the tests locally would result in thousands of results before
this 😱
 2021-05-21 15:57:10 +02:00
Evgenii Protsenko
1e40213abb use <class> instead of <class>::Range 2021-05-20 22:56:08 +03:00
Rasmus Wriedt Larsen
f17fe442a2 Python: Expand test of py/use-of-input 2021-05-20 14:52:10 +02:00
Rasmus Wriedt Larsen
0292ca6b67 Merge pull request #5880 from tausbn/python-limit-builtins 
Python: Limit set of globals that may be built-ins
 2021-05-20 14:47:22 +02:00
CodeQL CI
17afbdf258 Merge pull request #5635 from RasmusWL/port-weak-crypto-algorithm 
Approved by yoff
 2021-05-20 01:22:32 -07:00
Rasmus Wriedt Larsen
61ad5d0673 Python: Allow printing PostUpdateNode in ConceptsTest.qll 
See how this works in `test_json.py`
 2021-05-19 17:10:33 +02:00
Rasmus Wriedt Larsen
9dbb364cca Python: Move json tests to be part of stdlib 
This is better, since the modeling is also part of Stdlib.qll
 2021-05-19 17:10:33 +02:00
Rasmus Wriedt Larsen
51a25e45fe Python: Use shared prettyExpr in ConceptsTest.qll 
This required quite some changes in the expected output. I think it's much more
clear what the selected nodes are now 👍 (but it was a bit boring work to fix
this up)
 2021-05-19 17:10:33 +02:00
Rasmus Wriedt Larsen
1af6d97c51 Python: Remove straggling f-: annotations 2021-05-19 17:10:33 +02:00
Rasmus Wriedt Larsen
f66dccafda Python: Rename prettyExp => prettyExpr 
So we're consistenly using `expr` and not leaving our the `r`.
 2021-05-19 17:10:33 +02:00
Rasmus Wriedt Larsen
c4987e94e0 Python: Re-introduce syntactic handling of str/bytes/unicode 
I don't want to loose results on this, so until type-tracking/API graphs
can handle this, I want to keep our syntactic handling.
 2021-05-19 13:00:11 +02:00
Rasmus Wriedt Larsen
aa8b7306a3 Python: Use more API graphs in TaintTrackingPrivate 
But now we suddenly don't handle the call to `unicode` :O -- at least
not when I run the test locally (using Python 3).
 2021-05-19 12:59:58 +02:00
CodeQL CI
23e8092452 Merge pull request #5864 from RasmusWL/some-framework-modeling 
Approved by tausbn
 2021-05-19 02:31:06 -07:00
Evgenii Protsenko
af75d85b2e ClickHouseSQLInjection.qll : add tests 2021-05-18 22:49:11 +03:00