hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-03 04:39:29 +02:00
Code Issues Packages Projects Releases Wiki Activity
58,833 Commits 1,741 Branches 166 Tags
0b84dee65ee07128efcb5ddb87f82f0fec29d2a8
Commit Graph

1392 Commits

Author SHA1 Message Date
ALJI Mohamed
054c06be65 Update UnsafeUnpack.ql 2022-12-06 02:51:07 +01:00
Henry Mercer
5b040a9476 Python: Fix duplicate query IDs 2022-12-05 19:04:10 +00:00
ALJI Mohamed
68fd75ca34 UnpackUnsafe query and tests 2022-12-05 17:20:22 +01:00
Rasmus Wriedt Larsen
2e2cee06c3 Python: Adjust InsecureRandomnessCustomizations.qll 2022-11-22 14:46:29 +01:00
Daniel Santos
feece6f7b4 Merge branch 'github:main' into main 2022-10-25 10:43:20 -05:00
Daniel Santos
5b080481aa TokenBuiltFromUuid formatting 2022-10-25 09:51:48 -05:00
Daniel Santos
b8d60edb49 TokenBuiltFromUuid isAdditionalTaintStep refactor 2022-10-25 09:51:07 -05:00
Daniel Santos
375edf7455 TokenAssignmentValueSink refactor 2022-10-25 09:50:04 -05:00
Daniel Santos
5ab068a3cc Update python/ql/src/experimental/Security/CWE-340/TokenBuiltFromUUID.ql 
Co-authored-by: Taus <tausbn@github.com>
 2022-10-24 11:55:21 -05:00
Daniel Santos
be8780742b Update python/ql/src/experimental/Security/CWE-340/TokenBuiltFromUUID.ql 
You are totally right! I just scanned the module's document and assumed it would implement it all. Pasting the documentation here for future reference https://docs.python.org/3/library/uuid.html?highlight=uuid#uuid.UUID.

Co-authored-by: Taus <tausbn@github.com>
 2022-10-24 11:49:17 -05:00
Daniel Santos
a2ad924376 Minor formatting fixes 2022-10-24 09:38:17 -05:00
Daniel Santos
066ffb7520 Tokens built from predictable UUIDs 2022-10-22 11:15:43 -05:00
ALJI Mohamed
92a3846102 Fix query to omit sinks within std lib files 2022-10-22 09:35:55 +01:00
ALJI Mohamed
7319052495 Delete the examples/ 2022-10-21 21:47:00 +01:00
Sim4n6
925f9d09e5 Update python/ql/src/experimental/Security/CWE-022bis/TarSlipImprov.ql 
Co-authored-by: yoff <lerchedahl@gmail.com>
 2022-10-21 21:06:51 +01:00
ALJI Mohamed
9163cbec09 Restrict the reach for an additional taint step 2022-10-19 16:08:49 +01:00
ALJI Mohamed
25a7fcffc0 Add an additional taint step 2022-10-19 16:01:34 +01:00
ALJI Mohamed
d6fa745279 Add TarSlip Improv query 2022-10-19 14:01:40 +01:00
Taus
f5b2eb94a6 Merge pull request #10783 from yoff/python/subscript-nodes 
Python: API graph improvements for subscripts
 2022-10-17 15:21:56 +02:00
Josh Soref
ad7dc81bdc spelling: sanitize 
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
 2022-10-13 11:21:09 -04:00
Josh Soref
24f847a58c spelling: representing 
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
 2022-10-13 11:21:09 -04:00
Rasmus Lerchedahl Petersen
db616a526a python: rewrite models using subscripts 
more rewrites could be done to these models
for instance, I think the extra taint configuration could be removed,
but here I just wanted to illustrate the benefits of the new API graph.
 2022-10-12 20:15:49 +02:00
Rasmus Lerchedahl Petersen
0b8e908823 Python: fix def nodes for subscript 
We were using `getMember` for dictionaries, these are now getIndex
Also add convenience predicate for string keys
 2022-10-12 20:13:48 +02:00
Jeroen Ketema
d389a183f0 Merge pull request #10743 from jsoref/spelling 
Spelling
 2022-10-12 12:48:22 +02:00
erik-krogh
4da0508dae Merge branch 'main' into py-last-msg 2022-10-11 10:49:19 +02:00
Josh Soref
704aba8c1c spelling: necessitates 
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
 2022-10-11 03:59:17 -04:00
Rasmus Wriedt Larsen
4b1f6f0865 Merge pull request #10629 from RasmusWL/fix-flask-source 
Python: Fix flask request modeling
 2022-10-10 09:56:22 +02:00
erik-krogh
6fdfd40880 changes to address reviews 2022-10-07 22:31:00 +02:00
erik-krogh
944ca4a0da fix some more style-guide violations in the alert-messages 2022-10-07 11:23:34 +02:00
Rasmus Wriedt Larsen
d7be27a1c0 Python: Fix experimental py/ip-address-spoofing 
I realized the modeling was done in a non-recommended way, so I changed
the modeling. It was very nice that I could use API graphs for the flask
part, and a little sad when I couldn't for Django/Tornado.
 2022-10-03 21:19:30 +02:00
CodeQL CI
b66e5c5aee Merge pull request #10634 from yoff/python/rewrite-typetrackers 
Approved by tausbn
 2022-09-30 03:55:35 -07:00
Rasmus Lerchedahl Petersen
84ab860600 python: rewrite type tracker for ldap operations 
There are several other clean ups I would like to do in this file,
but this can wait until we promote the query.
 2022-09-29 20:32:19 +02:00
Rasmus Lerchedahl Petersen
63ee51a4e2 Python: inline mongoCollectionMethod 2022-09-28 11:40:06 +02:00
Rasmus Lerchedahl Petersen
441fc1bb28 Python: type trackers to API graph 
base on new subscript in the API graph

There are a few more uses of type tracking
through `SubscriptNode`s, but these start
from an instance given by a data flow node.
 2022-09-26 15:05:50 +02:00
Rasmus Lerchedahl Petersen
9b1ec03d70 Python: type tracking to API graph 
using the new subscript node
 2022-09-26 13:39:59 +02:00
erik-krogh
26d8553f6e ensure consistent casing of names 2022-09-09 10:34:14 +02:00
Ahmed Farid
64bb022adf Add www-authenticate to sensitiveheaders() 2022-09-07 11:12:53 +01:00
Ahmed Farid
23871b3f5a Update Concepts.qll 2022-09-05 18:26:56 +01:00
Ahmed Farid
f84331f5a5 Provides classes for modeling HTTP Header APIs 2022-09-05 00:53:10 +01:00
Ahmed Farid
94b91536f9 Replacing getParameter by getArg and getArgByName 2022-09-03 14:05:07 +01:00
Ahmed Farid
a50c226ca9 Autoformat 2022-09-03 12:10:55 +01:00
Ahmed Farid
0fd684cde8 Add more source of crypto call 2022-08-31 17:13:43 +01:00
Ahmed Farid
cf83b07aae Add more source of crypto call 2022-08-31 17:04:02 +01:00
Ahmed Farid
daff7775ca Update TimingAttack.qll 2022-08-31 16:09:22 +01:00
Ahmed Farid
a42cb20b86 Update TimingAttack.qll 2022-08-31 16:07:58 +01:00
Ahmed Farid
13d1a4fdc1 Update TimingAttackAgainstHeaderValue.ql 2022-08-31 12:46:17 +01:00
Ahmed Farid
12960fd00f Update TimingAttack.qll 2022-08-31 12:39:46 +01:00
Ahmed Farid
f2688c4a02 Update select statement 2022-08-31 12:39:00 +01:00
Ahmed Farid
275ed0d6e5 Update select statement 2022-08-31 12:37:36 +01:00
Ahmed Farid
740bf716cb Update TimingAttack.qll 2022-08-31 12:22:01 +01:00