573 Commits

Author	SHA1	Message	Date
Chris Smowton	5f31adc1f4	Update InsecureCookie.qhelp ... Gratuitous commit to nudge CI	2024-10-30 09:34:49 +00:00
Charmander	a97998811a	Fix typo and grammar in InsecureCookie.qhelp	2024-10-30 07:29:20 +00:00
Felicity Chapman	fcb2b5730f	Update CookieInjection.ql to remove period	2024-08-15 13:17:13 +01:00
Joe Farebrother	1127b08635	Merge branch 'main' into python-cookie-concept-promote	2024-07-29 10:26:03 +01:00
Joe Farebrother	8f714c631f	Code reveiw suggestions. correction in changenote + style in example ... Co-authored-by: yoff <lerchedahl@gmail.com>	2024-07-24 21:37:12 +01:00
Joe Farebrother	93f70b3ad9	Add unit tests	2024-07-23 10:15:23 +01:00
Joe Farebrother	226e4eb8a5	Use a 3-valued newtype for hasSameSiteAttribute	2024-07-23 10:14:45 +01:00
Joe Farebrother	df5569fda9	Add documentation	2024-07-23 10:14:40 +01:00
Joe Farebrother	033dd9f8a6	Promote insecure cookie query	2024-07-23 10:14:22 +01:00
Joe Farebrother	baf51334e4	Update documentation	2024-07-19 09:13:30 +01:00
Joe Farebrother	8d93c3a852	Move to cwe-20	2024-07-16 16:50:08 +01:00
Joe Farebrother	e885f1f8c4	Add documentation	2024-07-16 16:50:05 +01:00
Joe Farebrother	983bdb92a1	Add test cases + remove redundant import	2024-07-16 16:50:00 +01:00
Joe Farebrother	123214cb2b	Promoto cookie injection query	2024-07-16 16:49:56 +01:00
Mathew Payne	96048f962e	Update python/ql/src/Security/CWE-798/HardcodedCredentials.ql ... Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>	2024-07-01 14:29:00 +01:00
Mathew Payne	1cf9714272	feat(python): Add Hardcoded Credentials MaD support	2024-06-28 14:30:36 +01:00
Rasmus Wriedt Larsen	121ca129bc	Update qhelp with https:/example.com handling	2024-06-03 10:17:10 +02:00
Joe Farebrother	ab23d0ad23	Merge branch 'main' into python-promote-header-injection	2024-05-08 13:49:00 +01:00
erik-krogh	baa31e1469	delete outdated deprecations	2024-04-25 22:19:28 +02:00
Joe Farebrother	1dce2eb325	Rename to response splitting	2024-04-24 14:05:40 +01:00
Joe Farebrother	9d56f3eb68	Fix qldoc formatting	2024-04-24 14:05:39 +01:00
Joe Farebrother	daa31b5bb7	Add documentation	2024-04-24 14:05:38 +01:00
Joe Farebrother	6021d9238c	Move headers injection query and concept from experimental to main	2024-04-24 14:05:37 +01:00
Taus	1c68c987b0	Python: Change all remaining occurrences of StrConst ... Done using ``` git grep StrConst | xargs sed -i 's/StrConst/StringLiteral/g' ```	2024-04-22 12:00:09 +00:00
Anders Schack-Mulligen	a8fc100108	Python: Add alert provenance plumbing.	2024-04-12 09:20:08 +02:00
yoff	44ab36f238	Merge pull request #15729 from yoff/python/hardcoded-credentials-without-pointsto ... python: Rewrite `HardcodedCredentials` away from `PointsTo`	2024-03-18 20:48:30 +01:00
Rasmus Lerchedahl Petersen	3eb9491cb4	python: rewrite HardcodedCredentials away from PointsTo ... - `ModuleValue.attr` and `ClassValue.lookup` are approximated by `Function.getName` - `ClassValue.getName` is apprximated by `Class.getName` - `Module::named` is approximated by `Module.getName` - `Value::named` is approximated by `Builtins::likelyBuiltin` - `FunctionValue.getNamedArgumentForCall` is approximated by `ArgumentNode.argumentOf`	2024-02-26 17:18:40 +01:00
Rasmus Wriedt Larsen	1cfac50749	Python: Add precision to NoSQL query ... Due to this, it was not part of any query suite :O	2024-02-26 11:23:43 +01:00
Max Schaefer	a4639c7ff9	Update qhelp to mention solution using urlparse.	2024-01-22 13:36:12 +00:00
Max Schaefer	66fe32ab82	Python: Mention more sanitisation options in py/url-redirection qhelp.	2023-12-20 11:31:07 +00:00
Rasmus Wriedt Larsen	43d9d2ceb7	Merge pull request #14603 from github/max-schaefer/broken-crypto-algorithm-link ... JavaScript/Python/Ruby: Improve alert message for `*/weak-cryptographic-algorithm`.	2023-11-08 14:29:24 +01:00
Geoffrey White	e8a466a02c	Update dead link.	2023-11-07 09:26:07 +00:00
Max Schaefer	104700f6d3	Address review comment.	2023-10-27 10:19:28 +01:00
Max Schaefer	08cc8b8e80	Autoformat.	2023-10-26 15:36:06 +01:00
Max Schaefer	3939167ba2	Include more details in the message for py/weak-cryptographic-algorithm. ... Specifically, we add a link to the location where the cryptographic algorithm is configured, which can be far away from its use.	2023-10-26 11:28:09 +01:00
yoff	dbecb1bd0f	Merge pull request #14070 from yoff/python/promote-nosql-query ... Python: promote nosql query	2023-09-29 14:21:22 +02:00
Rasmus Wriedt Larsen	16e1a00e88	Python: NoSQLInjection -> NoSqlInjection	2023-09-29 13:52:51 +02:00
Rasmus Lerchedahl Petersen	d90630aa66	Python: fix query file	2023-09-28 12:34:10 +02:00
erik-krogh	bf3fe3cd66	add new qhelp for clear-text-logging	2023-09-07 12:39:13 +02:00
Rasmus Wriedt Larsen	c85ea9a0c0	Python: Fix typo in SSRF example	2023-09-07 09:45:02 +02:00
Rasmus Lerchedahl Petersen	087961d179	Python: Refactor to allow customizations ... Also use new DataFlow API	2023-09-07 09:28:30 +02:00
Rasmus Lerchedahl Petersen	db0459739f	Python: rename file	2023-09-07 09:28:30 +02:00
Rasmus Lerchedahl Petersen	55707d395e	Python: Make things compile in their new location ... - Move NoSQL concepts to the non-experimental concepts file - fix references	2023-09-07 09:28:30 +02:00
Rasmus Lerchedahl Petersen	60dc1afbc0	Python: prepare to promote NoSqlInjection ... Mostly move files, preserving authourship. This will not compile.	2023-09-07 09:28:29 +02:00
Rasmus Wriedt Larsen	acde1920e7	Python: Move UntrustedDataToExternalAPI to new dataflow API	2023-08-28 15:27:50 +02:00
Rasmus Wriedt Larsen	657b1997cc	Python: Move FullServerSideRequestForgery and PartialServerSideRequestForgery to new dataflow API	2023-08-28 15:27:50 +02:00
Rasmus Wriedt Larsen	dbfe517555	Python: Move HardcodedCredentials to new dataflow API	2023-08-28 15:27:50 +02:00
Rasmus Wriedt Larsen	46322b717a	Python: Move XmlBomb to new dataflow API	2023-08-28 15:27:50 +02:00
Rasmus Wriedt Larsen	add1077532	Python: Move RegexInjection to new dataflow API	2023-08-28 15:27:50 +02:00
Rasmus Wriedt Larsen	c6caf83dfe	Python: Move PolynomialReDoS to new dataflow API	2023-08-28 15:27:50 +02:00