Commit Graph

134 Commits

Author SHA1 Message Date
Josh Soref
474aef438b spelling: connection
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
2022-10-20 08:18:23 -04:00
Josh Soref
08f688d240 spelling: without
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
2022-10-13 11:21:10 -04:00
Josh Soref
7ad24f3121 spelling: recommendation
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
2022-10-13 11:21:09 -04:00
Josh Soref
7883263375 spelling: printing
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
2022-10-13 11:21:09 -04:00
Josh Soref
6e905ce96f spelling: connection
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
2022-10-13 11:21:08 -04:00
erik-krogh
944ca4a0da fix some more style-guide violations in the alert-messages 2022-10-07 11:23:34 +02:00
Rasmus Wriedt Larsen
5f6e3dcc2e Python: Revert changes to sensitive data query alert messages
This partly reverts the changes from https://github.com/github/codeql/pull/10252

Although consistency is nice, the new messages didn't sound as natural.

New alert message would read

> Insecure hashing algorithm (md5) depends on sensitive data (password). (...)

I'm not sure what it means that a hashing algorithm depends on data. So
for me, the original text below is much easier to understand.

> Sensitive data (password) is used in a hashing algorithm (md5) that is insecure (...)

Same goes for the other sensitive data queries.
2022-09-06 12:01:24 +02:00
erik-krogh
089ce5a8a4 change alert messages of path queries to use the same template 2022-09-02 14:45:40 +02:00
Erik Krogh Kristensen
7704a9eeac apply suggestions from Python review
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
2022-08-23 10:38:10 +02:00
erik-krogh
e89e0eb7fb make some acronyms camelCase 2022-08-22 21:22:35 +02:00
Asger F
b096f9ec72 Python: Rename getAUse -> getAValueReachableFromSource 2022-06-21 12:44:06 +02:00
Alex Ford
bc073eb460 python: update py/weak-cryptographic-algorithm to flag use of ECB block mode 2022-05-13 16:32:36 +01:00
Rasmus Wriedt Larsen
695553ba9f Python: Deprecate old non-Query.qll dataflow defs 2022-03-21 15:03:22 +01:00
Taus
af7f532212 Python: Fix up a bunch of function QLDoc 2022-03-07 18:59:49 +00:00
Erik Krogh Kristensen
fe1107ccac remove duplicated spaces in qldoc 2022-01-04 21:03:06 +01:00
Erik Krogh Kristensen
6ff8d4de5c add all remaining explicit this 2021-11-26 13:50:10 +01:00
Rasmus Wriedt Larsen
605bd19306 Python: Add CWE-328 to py/weak-sensitive-data-hashing
Reading over the description at https://cwe.mitre.org/data/definitions/328.html:

> The product uses a hashing algorithm that produces a hash value that can be used to determine the original input, or to find an input that can produce the same hash, more efficiently than brute force techniques.

For the data that does not require computationally expensive hashing, that will be the exactly problems that this query finds 👍 (that is, MD5, SHA1)
2021-08-25 10:19:22 +02:00
Rasmus Wriedt Larsen
c0964617d7 Merge pull request #6111 from tausbn/python-a-few-minor-cleanups
Python: A few minor bits of cleanup
2021-06-23 10:42:41 +02:00
Taus
317c6867aa Python: Fix sneaky semantic change
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
2021-06-22 16:46:54 +02:00
Rasmus Wriedt Larsen
e05d6e71b8 Merge pull request #6064 from tausbn/python-add-get-method-call
Python: Add `getAMethodCall` to `LocalSourceNode`
2021-06-22 11:16:39 +02:00
Taus
768cab3642 Python: Address review comments
- changes `getReceiver` to `getObject`
- fixes `calls` to avoid unwanted cross-talk
- adds some more documentation to highlight the above issue
2021-06-21 14:57:19 +00:00
Taus
3aea270e10 Python: Autoformat 2021-06-18 18:30:27 +00:00
Taus
348b20ca9d Merge branch 'main' of https://github.com/github/codeql into python-a-few-minor-cleanups 2021-06-18 17:38:43 +00:00
Taus
9351688da8 Python: asCfgNode cleanup 2021-06-18 17:22:42 +00:00
Taus
c386f4a009 Python: Clean up py/insecure-protocol
Going all the way to the AST layer seemed excessive to me, so I rewrote
it to do most of the logic at the data-flow layer. In principle this
_could_ result in more names being computed (due to splitting), but in
practice I don't expect this make a big difference.
2021-06-18 17:22:42 +00:00
Taus
359bc5eff9 Python: Autoformat 2021-06-15 15:56:40 +00:00
Taus
e90ec807ef Python: Clean up Ssl.qll 2021-06-15 15:04:29 +00:00
Calum Grant
771e686946 Update security-severity scores 2021-06-15 13:25:17 +01:00
Calum Grant
a594afb828 Add security-severity metadata 2021-06-10 20:11:08 +01:00
Rasmus Wriedt Larsen
753dca91b1 Python: weak-crypto: Make algorithm selection less brittle
As discussed in https://github.com/github/codeql/pull/5635#discussion_r633477154
2021-05-19 17:47:09 +02:00
Rasmus Wriedt Larsen
97fadd9970 Merge branch 'main' into port-weak-crypto-algorithm 2021-05-18 14:04:18 +02:00
Rasmus Wriedt Larsen
9156316b14 Python: Apply suggestions from code review
Co-authored-by: yoff <lerchedahl@gmail.com>
2021-05-18 11:53:11 +02:00
Rasmus Wriedt Larsen
f9383a31bf Python: Fix BrokenCryptoAlgorithm.qhelp 2021-04-22 15:58:28 +02:00
Rasmus Wriedt Larsen
fc1a6d0e32 Python: Say salting is not part of py/weak-sensitive-data-hashing 2021-04-22 15:23:41 +02:00
Rasmus Wriedt Larsen
ac83c695ad Python: Add py/weak-sensitive-data-hashing query 2021-04-22 15:23:41 +02:00
Rasmus Wriedt Larsen
56c409737d Python: Port py/weak-cryptographic-algorithm
The other query (py/weak-sensitive-data-hashing) is added in future commit
2021-04-22 15:23:38 +02:00
Rasmus Lerchedahl Petersen
6408ee2eaf Python: Fix bad join 2021-04-20 20:03:06 +02:00
Rasmus Lerchedahl Petersen
fc2c62350e Python: Fix bad join
Also fixed up the QLDoc
2021-04-20 18:54:03 +02:00
Rasmus Lerchedahl Petersen
30fbb8f1e7 Python: clean up interface 2021-04-13 11:34:47 +02:00
Rasmus Lerchedahl Petersen
178cb6c90f Python: Bit too eager with the modernisation...
Lift type restrictions to recover results.
2021-04-13 11:26:05 +02:00
Rasmus Lerchedahl Petersen
7c0b0642c8 Python: Add imports to make code compile 2021-04-13 11:09:27 +02:00
Rasmus Lerchedahl Petersen
b6bd782746 Python: Modernize via CallCfgNode 2021-04-12 23:55:59 +02:00
yoff
e4d74cf098 Apply suggestions from code review
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
2021-04-12 23:47:54 +02:00
Rasmus Lerchedahl Petersen
3ff8e010b2 Python: Refactor based on review
- more natural handling of default arguments
- do not assume default construction gives a family
- simplifies `UnspecificSSLContextCreation`
2021-04-12 10:00:07 +02:00
Rasmus Lerchedahl Petersen
036fddfdb5 Python: Namable -> Nameable 2021-04-12 08:18:24 +02:00
yoff
02d6de81a7 Apply suggestions from code review
Co-authored-by: Taus <tausbn@github.com>
2021-04-12 08:16:36 +02:00
yoff
38daeb4df2 Apply suggestions from code review
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
2021-04-07 15:50:51 +02:00
Rasmus Lerchedahl Petersen
a006a92f8d Python: Expand commentary 2021-04-07 08:32:40 +02:00
Rasmus Lerchedahl Petersen
f22db2a30b Python: One family to rule them all... 2021-04-07 08:32:21 +02:00
Rasmus Lerchedahl Petersen
fb95c488e8 Python: format 2021-04-07 08:20:52 +02:00