hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-19 18:33:16 +01:00
Code Issues Packages Projects Releases Wiki Activity
29,908 Commits 1,671 Branches 157 Tags
z80coder/ATM-feature-optimisation
Commit Graph

4539 Commits

Author SHA1 Message Date
Erik Krogh Kristensen
e962a7c77c Update python/ql/src/semmle/python/RegexTreeView.qll 
Co-authored-by: yoff <lerchedahl@gmail.com>
 2021-08-16 11:24:05 +02:00
Rasmus Lerchedahl Petersen
6be78d442c Python: fix compilation 2021-08-16 10:35:33 +02:00
Rasmus Lerchedahl Petersen
2df846ee4b Merge branch 'python-regex-parsing-consistency-checks' of github.com:yoff/codeql into python-regex-parsing-consistency-checks 2021-08-12 13:34:11 +02:00
Rasmus Lerchedahl Petersen
54e65ce765 Python: Add consistency tests 
for all the projects that went out of disk as a result of ReDoS
 2021-08-12 13:33:44 +02:00
yoff
61bbddeb0c Apply suggestions from code review 
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
 2021-08-12 09:39:04 +02:00
Rasmus Lerchedahl Petersen
c08f94ec04 Python: Fix parsing of octal escapes 2021-08-11 15:01:26 +02:00
Rasmus Lerchedahl Petersen
34b054ff53 Python: Add consistency checks 2021-08-11 14:58:27 +02:00
jorgectf
e6ce10b5c5 Merge remote-tracking branch 'origin/main' into jty/python/nosqlInjection 2021-08-10 20:01:08 +02:00
Tom Hvitved
ea6d51f123 Python: Avoid bad join in AstExtended::AstNode::containsInScope 2021-08-09 11:20:57 +02:00
jorgectf
8d0386b049 Split into getNameArg and getValueArg 2021-07-25 04:35:22 +02:00
jorgectf
f9b244ecad Polish documentation 2021-07-24 01:06:05 +02:00
Taus
74f1992aaf Merge pull request #6352 from tausbn/mergeback-rc/3.2-to-main 
Mergeback `rc/3.2` to `main`
 2021-07-22 19:58:29 +02:00
Jorge
f02b6d60a5 Merge branch 'github:main' into jorgectf/python/ldapinsecureauth 2021-07-22 18:49:51 +02:00
jorgectf
b03e75e3d1 Extend ldap3's start_tls and fix tests 2021-07-22 18:42:41 +02:00
jorgectf
a34d6d390e Port to ApiGraphs and finish the query 2021-07-22 18:34:57 +02:00
Rasmus Wriedt Larsen
42a997cbcb Python: Fix deprecation warning 2021-07-22 15:59:13 +02:00
Rasmus Wriedt Larsen
71e6db8a01 Merge branch 'main' into jorgectf/python/ldapimproperauth 2021-07-22 15:57:43 +02:00
Taus
6ea8ef5d16 Merge branch 'rc/3.2' into mergeback-rc/3.2-to-main 2021-07-22 13:52:56 +00:00
Rasmus Wriedt Larsen
802d9bda83 Merge pull request #5680 from mrthankyou/python-use-sqlalchemy 
Python: Add SqlAlchemy model
 2021-07-22 15:31:39 +02:00
Taus
020c6e3b3b Python: Update change note 2021-07-22 13:11:29 +00:00
Taus
badf6311c9 Python: Remove flow between globals... 
... in a local scope. Or rather, remove these from the `hasLocalSource`
relation.

This prevents a quadratic blowup when the same global is mentioned
_a lot_ of times within a single function scope.
 2021-07-22 13:10:40 +00:00
Taus
ed794f42b5 Python: Soft revert TypeTrackingNode 
Temporarily instates `TypeTrackingNode` as an alias of `LocalSourceNode`
as having it as a separate class lead to performance regressions.

In the hopes that this will be resolved in the near future, I have left
the current `TypeTrackingNode` implementation in situ, but hidden inside
a `FutureWork` private module.
 2021-07-22 13:10:07 +00:00
Mathias Vorreiter Pedersen
e34261accf Merge branch 'rc/3.2' into mergeback-2021-07-22 2021-07-22 14:40:22 +02:00
Rasmus Wriedt Larsen
38875ca0c7 Python: Improve handling of async methods 2021-07-22 14:17:07 +02:00
Rasmus Wriedt Larsen
c3f942f899 Python: Provide internal InstanceTaintStepsHelper 
I realized that if you ever wanted to the way taint-steps works again,
you would have to go to all the 117 places it has been implemented, and
change EVERY ONE OF THEM :( so trying to solve that problem here.

Not super happy with the name, but that was just the best I could come up with :D
 2021-07-22 14:16:50 +02:00
Rasmus Wriedt Larsen
6e9d9fcbbd Python: Improve taint steps in for & iterable unpacking 
These were written way before the ones in DataFlowPrivate, but
apparently didn't cover quite as much :|
 2021-07-22 14:16:17 +02:00
Taus
bfe42ae146 Python: Update change note 2021-07-22 11:10:08 +00:00
Taus
e9a4114c04 Python: Hotfix: Disable ReDoS queries 2021-07-22 10:58:49 +00:00
Rasmus Wriedt Larsen
d3163d8a76 Python: Add iterable-unpacking in for test 2021-07-22 11:59:46 +02:00
Rasmus Wriedt Larsen
e2d3fa7093 Python: Add list-comprehension taint test 2021-07-22 11:59:46 +02:00
Rasmus Wriedt Larsen
f5ae5a581b Python: A bit more additional taint clean up 
A few stragglers that did not have the same TODO comments as the others
 2021-07-22 11:59:46 +02:00
Rasmus Wriedt Larsen
d2efe0b84d Python: Normalize additional taint steps for modeled classes 
Such that it should be next to the other class-related predicates (such
as `instance()`), the class is called `AdditionalTaintStep`, and it
marked private.

I also moved any modeling of attributes as well, while I was at it.
 2021-07-22 11:59:46 +02:00
Rasmus Wriedt Larsen
be1cad864b Python: Resolve all meth = obj.meth; meth() TODOs 
It would probably have been easier to do this as the _first_ thing...
but that's too late now 😓
 2021-07-22 11:59:46 +02:00
Rasmus Wriedt Larsen
6f63c03558 Python: Model http.cookies.Morsel and usage in Tornado 2021-07-22 10:43:18 +02:00
Rasmus Wriedt Larsen
7e09a1cbfd Python: Model tornado.httputil.HTTPHeaders 2021-07-22 10:43:18 +02:00
Rasmus Wriedt Larsen
7020e4132b Python: Model BaseHTTPRequestHandler.rfile as file-like object 2021-07-22 10:43:18 +02:00
Rasmus Wriedt Larsen
d388dd547e Python: Model HTTPMessage from Stdlib 2021-07-22 10:43:18 +02:00
Rasmus Wriedt Larsen
f3ce3933d1 Python: Add AdditionalTaintStep to type-tracking class snippet 
I know that the TODO about not having the tools to handling
`meth = obj.meth; meth()` is outdated now that we `DataFlow::MethodCallNode`,
but I'm planning to deal with that later on ;)
 2021-07-22 10:43:18 +02:00
Rasmus Wriedt Larsen
dac71ded9d Python: Add Authorization modeling in Flask 2021-07-22 10:43:18 +02:00
Rasmus Wriedt Larsen
133632119d Python: Model werkzeug Headers 
Also removed a misleading comment link to method on wrong class :D
 2021-07-22 10:43:18 +02:00
Rasmus Wriedt Larsen
4d9c86a252 Python: Model Werkzeug FileStorage.save as FileSystemAccess 2021-07-22 10:43:18 +02:00
Rasmus Wriedt Larsen
9cb4899c5c Python: Add FileStorage modeling in Flask 2021-07-22 10:43:18 +02:00
Rasmus Wriedt Larsen
09b0c300d9 Python: Rewrite werkzeug to avoid InstanceSourceApiNode 
InstanceSourceApiNode is a really good idea, but it just happened too
soon. I can't do what I need if I have to supply an API-node. So to
avoid confusion between deprecating to/from InstanceSource in those
classes, I opted to do some major reorganizing as well 👍

Due to aliasing restrictions, I had to use a little trick with the
`WerkzeugOld` module.
 2021-07-22 10:43:18 +02:00
Rasmus Wriedt Larsen
04190ea308 Python: Add file-like modeling to werkzeug FileStorage 2021-07-22 10:43:18 +02:00
Rasmus Wriedt Larsen
5f5c0b11c7 Python: Refactor Werkzeugmodeling 
Having the additional taint step just next to the other definitions, so
everything is together.
 2021-07-22 10:43:18 +02:00
Rasmus Wriedt Larsen
4f4dec50f2 Python: Model ResovlerMatch in Django 
Like before, omitted ClassInstantiation
 2021-07-22 10:43:13 +02:00
jorgectf
edb273ace5 Merge remote-tracking branch 'origin/jorgectf/python/ldapimproperauth' into jorgectf/python/ldapinsecureauth 2021-07-22 02:51:19 +02:00
jorgectf
68f79f054b Update .expected 2021-07-21 21:32:08 +02:00
jorgectf
8d84d63b94 Add Python-Jose modeling and tests 2021-07-21 21:31:53 +02:00
jorgectf
ce507beed4 Add Authlib modeling and tests 2021-07-21 21:31:35 +02:00