hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-03-24 00:16:49 +01:00
Code Issues Packages Projects Releases Wiki Activity
18,336 Commits 1,714 Branches 163 Tags
175e43d6f2f94a1d2cb35bbde589b39807d67e7b
Commit Graph

908 Commits

Author SHA1 Message Date
Rasmus Lerchedahl Petersen
175e43d6f2 Python: Slight refactor 2021-01-18 09:12:05 +01:00
Rasmus Lerchedahl Petersen
5f189a7e43 Python: Address reviews 2021-01-15 20:18:37 +01:00
yoff
1edad03622 Apply suggestions from code review 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2021-01-15 18:50:04 +01:00
yoff
48910d0597 Apply suggestions from code review 
Co-authored-by: Taus <tausbn@github.com>
 2021-01-15 14:02:27 +01:00
Rasmus Lerchedahl Petersen
dfdfd3c2b7 Python: FIx flow 2021-01-14 01:19:58 +01:00
Rasmus Lerchedahl Petersen
e3199fbbe2 Python: Fix inconsostencies to fix flow 
(and fix annotations again)
 2021-01-14 00:09:18 +01:00
Rasmus Lerchedahl Petersen
36a4a5081e Python: big refactor and fix tests 
Make sure tests are valid
Fix wrong test annotations
Big refactor to make code readable
Big comment to explain code
 2021-01-13 18:33:08 +01:00
Rasmus Lerchedahl Petersen
b10cf78e17 Python: start handling iterated unpacking 2021-01-13 08:40:47 +01:00
Rasmus Lerchedahl Petersen
4ee2f49f38 Python: model conversion during unpacking 2021-01-12 22:19:31 +01:00
Rasmus Lerchedahl Petersen
a1ab5cc2b8 Python: start support for nested unpacking 2021-01-12 13:09:12 +01:00
Rasmus Lerchedahl Petersen
289b9e62f9 Python: Add read step for unpacking assignment 2020-11-30 15:30:14 +01:00
Anders Schack-Mulligen
931322e4c5 Merge pull request #4668 from aschackmull/dataflow/refactor-pruning 
Dataflow: Refactor pruning stages.
 2020-11-30 09:37:04 +01:00
yoff
346a007bf6 Merge pull request #4720 from RasmusWL/python-better-open-models 
Python: better models of `open` function
 2020-11-27 14:47:10 +01:00
Anders Schack-Mulligen
fec9758252 Dataflow: Sync. 2020-11-27 12:16:43 +01:00
Cornelius Riemenschneider
3bfb398516 Autoformat XML.qll. 2020-11-25 18:20:50 +01:00
Cornelius Riemenschneider
7eec988fb5 XML.qll: Remove abstract from class hierarchy. 2020-11-25 17:22:03 +01:00
Rasmus Wriedt Larsen
cafe55f5c7 Merge pull request #4701 from yoff/python-fix-return-node-enclosing-callable 
Python: Use default `getEnclosingCallable` for `RetrunNode`
 2020-11-25 10:36:41 +01:00
Rasmus Lerchedahl Petersen
88643da01f Python: Use default getEnclosingCallable 
for `RetrunNode`
 2020-11-25 08:19:07 +01:00
Rasmus Wriedt Larsen
d88e5bdb3a Python: Model io.open as FileSystemAccess 2020-11-24 18:27:33 +01:00
Rasmus Wriedt Larsen
e39bb56078 Python: Model builtin open function better 2020-11-24 18:27:31 +01:00
Rasmus Wriedt Larsen
caf73e4b9b Python: Wrap all Stdlib modeling consistently 
Some of these predicates had fallen outside the `private module Stdlib`
 2020-11-24 18:27:29 +01:00
CodeQL CI
2277242196 Merge pull request #4692 from yoff/python-psycopg 
Approved by RasmusWL
 2020-11-24 10:59:04 +00:00
Rasmus Lerchedahl Petersen
777100f25c Python: rename file, package, and class 2020-11-23 09:17:40 +01:00
yoff
b478a51d4e Apply suggestions from code review 
Thanks for doing the work for me :-)

Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2020-11-20 10:46:04 +01:00
Rasmus Lerchedahl Petersen
6cc8e5acf1 Python: support psycopg 2020-11-19 12:13:20 +01:00
Rasmus Wriedt Larsen
ab856d6c01 Python: Show getCallableForArgument can have multiple results 2020-11-18 10:44:32 +01:00
Rasmus Wriedt Larsen
abf2902a69 Python: Fix QLDoc 
Co-authored-by: yoff <lerchedahl@gmail.com>
 2020-11-18 09:47:23 +01:00
Rasmus Wriedt Larsen
39590a39cb Python: Rename helper predicate based on review 2020-11-18 09:26:53 +01:00
Rasmus Wriedt Larsen
14136154d6 Python: Fix bad join order in TypeTracker::callStep 
From a local evaluation against flask DB, after
https://github.com/github/codeql/pull/4649 was merged we would get:

```
Tuple counts for TypeTracker::callStep#ff/2@a21b71:
9876     ~0%     {3} r1 = SCAN DataFlowPrivate::DataFlowCall::getArg_dispred#fff AS I OUTPUT I.<2>, I.<0>, I.<1>
9876     ~2%     {3} r2 = JOIN r1 WITH project#DataFlowPrivate::DataFlowCall::getArg_dispred#fff AS R ON FIRST 1 OUTPUT r1.<2>, R.<0>, r1.<1>
72388997 ~0%     {4} r3 = JOIN r2 WITH DataFlowPublic::ParameterNode::isParameterOf_dispred#fff_201#join_rhs AS R ON FIRST 1 OUTPUT r2.<2>, R.<2>, r2.<1>, R.<1>
4952     ~0%     {2} r4 = JOIN r3 WITH DataFlowPrivate::DataFlowCall::getCallable_dispred#ff AS R ON FIRST 2 OUTPUT r3.<2>, r3.<3>
                     return r4
```
 2020-11-18 09:17:31 +01:00
Anders Schack-Mulligen
f74fc0ff26 Dataflow: Fix bad join-orders. 2020-11-17 14:28:25 +01:00
Anders Schack-Mulligen
3dbd48063c Dataflow: Add Unit type for all languages. 2020-11-16 09:02:44 +01:00
Anders Schack-Mulligen
9e45f10c5d Dataflow: Remove headUsesContent. 2020-11-13 15:12:39 +01:00
Anders Schack-Mulligen
e0a6a485df Dataflow: Sync. 2020-11-13 15:12:16 +01:00
yoff
86fc9e62ef Merge pull request #4650 from RasmusWL/python-set-literal-formatting 
Python: Update set literal formatting
 2020-11-11 15:35:12 +01:00
Rasmus Wriedt Larsen
611398586d Merge pull request #4649 from yoff/python-dataflow-cfgparameters 
Python: Make `ParameterNode` a `CfgNode`
 2020-11-11 10:22:12 +01:00
Rasmus Wriedt Larsen
9ed15732ed Python: Update set literal formatting 
Now that auto-formatting rules have been updated
 2020-11-11 09:38:25 +01:00
Anders Schack-Mulligen
89ef6ea4eb C++/C#/Java/JavaScript/Python: Autoformat set literals. 2020-11-10 13:32:27 +01:00
Rasmus Lerchedahl Petersen
109d55eb25 Python: Make ParameterNode a CfgNode 
Add a step from that `CfgNode` to the corresponding `EssaNode`.
The intended effect is seen in `ImpliesDataflow.expected`.
The efeect seen in other `.expected`-files is that parameter nodes
change type, that the extra steps are seen, and that flow from
`EssaVar`s is mirrored in flow from `CfgNode`s.
There is one surprise, which is the `.0` node in
`coverage/localFlow.expected`.
 2020-11-10 11:35:50 +01:00
Rasmus Wriedt Larsen
fbe51c51bb Python: Add missing QLDoc 2020-11-09 09:05:08 +01:00
Rasmus Wriedt Larsen
ed0e4f8425 Python: reasoning about => detecting 
Co-authored-by: yoff <lerchedahl@gmail.com>
 2020-11-09 09:01:04 +01:00
Rasmus Wriedt Larsen
9ebe59d393 Python: Move UnsafeDeserialization configuration to own file 2020-11-06 14:27:37 +01:00
Rasmus Wriedt Larsen
d38c48d2c8 Python: Move ReflectedXSS configuration to own file 2020-11-06 14:24:31 +01:00
Rasmus Wriedt Larsen
1897a0d59a Python: Move PathInjection configuration to own file 
This one required a bit more thought, but ended up pretty nicely. Had to write
some QLDoc, but I think it turned out OK.
 2020-11-06 14:21:23 +01:00
Rasmus Wriedt Larsen
0c6bd8401a Python: Move SqlInjection configuration to own file 2020-11-06 14:09:46 +01:00
Rasmus Wriedt Larsen
6299b73a46 Python: Move CommandInjection configuration to own file 2020-11-06 14:07:06 +01:00
Rasmus Wriedt Larsen
7c04c59456 Python: Move CodeInjection configuration to own file 
This makes it easy to extend the sources/sinks of the configuration and re-run
the query from the query console on LGTM.com.

File location in `semmle.<lang>.security.dataflow.<QueryName>.qll` is matching
what we currently do in other languages (JS and C# sampled).

I did not follow the pattern in other languages for wrapping all the code in a
`module CodeInjection`, since I didn't understand the value in doing so -- I
would like confirmation from the other teams if we _should_ actually do that,
before merging.
 2020-11-06 13:58:06 +01:00
yoff
79fcf598f3 Merge pull request #4608 from RasmusWL/patch-1 
Python: Remove unnecessary cached annotation from adjacentRefUse
 2020-11-04 16:08:30 +01:00
Rasmus Wriedt Larsen
31247739d7 Python: Remove unnecessary cached annotation from adjacentRefUse 
As discussed in https://github.com/github/codeql/pull/4544#pullrequestreview-516575676
 2020-11-04 15:16:08 +01:00
yoff
62cb4ec974 Merge pull request #4605 from RasmusWL/python-fix-django-response-modeling 
Python: fix django response modeling
 2020-11-04 15:00:52 +01:00
Rasmus Wriedt Larsen
5cf8285717 Python: Fix default mimetype for django FileResponse 2020-11-04 12:28:51 +01:00