hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-30 19:26:02 +02:00
Code Issues Packages Projects Releases Wiki Activity
18,336 Commits 1,740 Branches 165 Tags
175e43d6f2f94a1d2cb35bbde589b39807d67e7b
Commit Graph

908 Commits

Author SHA1 Message Date
Rasmus Wriedt Larsen
551420401a Python: Fix typo 
Co-authored-by: Taus <tausbn@gmail.com>
 2020-05-29 14:27:07 +02:00
Rasmus Wriedt Larsen
48be57c8fd Python: Improve QLDoc for ExternalStringDictKind 2020-05-29 12:06:57 +02:00
Rasmus Wriedt Larsen
b083c01520 Python: Deprecate StringDictKind 
This QL

```codeql
import python
import semmle.python.dataflow.TaintTracking
import semmle.python.security.strings.Untrusted

from CollectionKind ck
where
    ck.(DictKind).getMember() instanceof StringKind
    or
    ck.getMember().(DictKind).getMember() instanceof StringKind
select ck, ck.getAQlClass(), ck.getMember().getAQlClass()
```

generates these 6 results.

```
1	{externally controlled string}          ExternalStringDictKind	UntrustedStringKind
2	{externally controlled string}	        StringDictKind	        UntrustedStringKind
3	[{externally controlled string}]	SequenceKind	        ExternalStringDictKind
4	[{externally controlled string}]	SequenceKind	        StringDictKind
5	{{externally controlled string}}	DictKind	        ExternalStringDictKind
6	{{externally controlled string}}	DictKind	        StringDictKind
```

StringDictKind was only used in *one* place in our library code. As illustrated
above, it pollutes our set of TaintKinds. Effectively, every time we make a
flow-step for dictionaries with tainted strings as values, we do it TWICE --
once for ExternalStringDictKind, and once for StringDictKind... that is just a
waste.
 2020-05-29 12:06:57 +02:00
Rasmus Wriedt Larsen
87bc8ae28d Python: Don't use UntrustedStringKind in web lib 
If I wanted to use my own TaintKind and not have any interaction with
`UntrustedStringKind` that wouldn't be possible today since these standard http
libraries import it directly. (also, I wouldn't get any sources of my custom
TaintKind from turbogears or bottle). I changed them to use the same pattern of
`ExternalStringKind` as everything else does.
 2020-05-29 12:06:57 +02:00
Rasmus Wriedt Larsen
21d531f81e Python: Add QLDoc for FunctionValue.getQualifiedName 
Matching the one for Function.getQualifiedName
 2020-05-27 16:59:18 +02:00
Rasmus Wriedt Larsen
6cba2fe4f8 Python: Model Django response sinks that are not vuln to XSS 
Since HttpResponse is not *only* used for XSS, it is still valuable to know the
content is send as part of the response.

The *proper* solution to this problem of not all HttpResponses being vulnerable
to XSS is probably to define a new abstract class in Http.qll called
HttpResponseXSSVulnerableSink (or similar). I would like to model a few more
libraries/frameworks before fully comitting to an approach though.
 2020-05-26 16:45:46 +02:00
Jonas Jensen
5deeda0337 Merge pull request #3387 from geoffw0/tostringperf 
C++: Eliminate recursion from toString().
 2020-05-26 13:24:43 +02:00
Rasmus Lerchedahl Petersen
6b168de7fc Python: re, handle \Z 2020-05-26 11:42:21 +02:00
Rasmus Wriedt Larsen
c78ca2616c Merge branch 'master' into python-keyword-only-args 2020-05-26 11:20:04 +02:00
Rasmus Wriedt Larsen
9c75a39b81 Python: Extend command-injection to handle fabric.api.execute 2020-05-26 10:22:27 +02:00
Taus
7716cff3d8 Merge pull request #3551 from RasmusWL/python-fix-upcoming-deprecation 
Python: Fix (upcoming) deprecation compiler-warnings
 2020-05-25 16:17:57 +02:00
semmle-qlci
8146073c74 Merge pull request #3553 from RasmusWL/python-fix-tainttracking-import 
Approved by tausbn
 2020-05-25 14:18:54 +01:00
Rasmus Wriedt Larsen
f602f3e1c7 Python: Use proper import for semmle.python.dataflow.TaintTracking 
It was moved in 637677d515, but imports were not
updated.
 2020-05-25 13:45:49 +02:00
semmle-qlci
ac1a338390 Merge pull request #3407 from RasmusWL/python-add-BoundMethodValue-v2 
Approved by tausbn
 2020-05-25 12:00:45 +01:00
Rasmus Wriedt Larsen
32c8dd0491 Python: Fix (upcoming) deprecation compiler-warnings 
In a near-future release overriding a deprecated predicate without making as
deprecated would give a compiler warning.

Not fixing the XML one. [I can see that this shouldn't be reported
anymore](https://github.com/github/codeql/pull/3520#issuecomment-631552943), and
it's not safe to remove since it was only marked as deprecated in
e6425bb4cf.
 2020-05-25 11:05:30 +02:00
Rasmus Wriedt Larsen
49d7e12acd Python: Remove unnecessary restriction from getNamedArgumentForCall 
As agreed in https://github.com/github/codeql/pull/3407
 2020-05-25 10:17:37 +02:00
Rasmus Wriedt Larsen
87ee6ae101 Python: Add a bit of docs to CallableObjectInternal 
As requested :)
 2020-05-25 09:53:28 +02:00
Rasmus Wriedt Larsen
9e0d57c610 Python: Fix grammar in QLDoc 
Co-authored-by: Taus <tausbn@gmail.com>
 2020-05-25 09:47:01 +02:00
Rasmus Lerchedahl Petersen
712513916c Python: Address review 2020-05-25 07:44:00 +02:00
Rasmus Wriedt Larsen
712d4bd150 Python: Fix typo in docs 
Co-authored-by: Taus <tausbn@gmail.com>
 2020-05-20 13:06:24 +02:00
Rasmus Wriedt Larsen
3774310985 Python: Reduce FPs in Django due to bad XSS taint-sinks 
Fixes https://github.com/github/codeql-python-team/issues/38
 2020-05-18 19:14:43 +02:00
Rasmus Wriedt Larsen
fa08676a1d Python: Proper redirect taint sinks for Django 
Also a major restructuring of the code. A bit controversial since it
renames/moves classes that are already public.

Fixes https://github.com/github/codeql/issues/3466
 2020-05-18 19:14:29 +02:00
Rasmus Lerchedahl Petersen
b56545b236 Python: Regexp: Handle repetions {n} (with no ,) 2020-05-18 14:44:11 +02:00
Rasmus Lerchedahl Petersen
81a5692935 Python: handle \uxxxx and refactor 2020-05-14 21:22:21 +02:00
Rasmus Lerchedahl Petersen
c7ddd2c20c Python: make test for unicode names pass 2020-05-14 07:31:03 +02:00
Rasmus Lerchedahl Petersen
4c7cf2ac2d Python: Make test pass 
Also checked that the OP's snapshot no longer has alerts from
`duplicate_char_in_class`
 2020-05-14 07:06:59 +02:00
Rasmus Wriedt Larsen
8150c78ae0 Python: In flask, taint routed prameters for variable rules 
Fixes https://github.com/github/codeql-python-team/issues/79
 2020-05-12 15:02:32 +02:00
Rasmus Wriedt Larsen
6488714758 Python: Autoformat 2020-05-05 11:38:17 +02:00
Rasmus Wriedt Larsen
07ae40206f Python: Don't allow getParameter(-1) for BoundMethodValue 
As per discussion in the PR
 2020-05-05 11:37:10 +02:00
Geoffrey White
a70f534458 Sync identical files. 2020-05-05 09:18:05 +01:00
Rasmus Wriedt Larsen
dfe7c8270b Python: Clean up trailing whitespace 2020-05-05 09:55:09 +02:00
Rasmus Wriedt Larsen
87d7738b6e Python: Expand QLDoc for get[Named]ArgumentForCall 2020-05-05 09:54:54 +02:00
Rasmus Wriedt Larsen
061bbb82f5 Python: Restructure getNamedArgumentForCall 
So it matches the structure of getArgumentForCall -- call.getArgByName first!
 2020-05-05 09:00:55 +02:00
Rasmus Wriedt Larsen
838106d49c Python: Refactor get[Named]ArgumentForCall 
Also fixed a bug for BoundMethodValue, as highlighted in the expected diff 👍
 2020-05-04 20:51:23 +02:00
Rasmus Wriedt Larsen
bc92c26e12 Python: Add BoundMethodValue 2020-05-04 20:51:12 +02:00
Rasmus Wriedt Larsen
e9859ad96d Python: Fix getArgumentForCall when using keyword arguments 
Yikes :|
 2020-05-04 20:50:56 +02:00
Rasmus Wriedt Larsen
16e9d76e22 Merge branch 'master' into python-keyword-only-args 2020-05-04 11:49:00 +02:00
Rasmus Wriedt Larsen
e569d7ae41 Merge branch 'master' into python-parse_qs 2020-04-30 17:05:17 +02:00
Rasmus Wriedt Larsen
e0b4518a3e Merge branch 'master' into python-improve-file-taint 2020-04-30 11:24:29 +02:00
Rasmus Wriedt Larsen
c5e14f5c0d Python: Handle defaults and annotations for keyword-only arguments 
This commit is based on a change to the extractor
 2020-04-27 17:24:10 +02:00
Rasmus Wriedt Larsen
5f6058363f Python: Improve QLdoc for Parameter.getPosition 2020-04-27 17:22:56 +02:00
Rasmus Wriedt Larsen
8c1cfe52f6 Python: Use getAKeywordOnlyArg instead of getAKwonlyarg 
The result is the same, but `getAKeywordOnlyArg` is the method used everywhere
else in the code.
 2020-04-27 17:22:56 +02:00
Rasmus Wriedt Larsen
c508e89a00 Python: Handle keyword-only arguments properly 2020-04-27 17:22:56 +02:00
Rasmus Wriedt Larsen
4185edc087 Python: Expand parameters/functions test 
I want to ensure we handle when only _some_ parameters have default/annotations
 2020-04-27 17:22:56 +02:00
Rasmus Wriedt Larsen
96b36a7f0f Python: Clean up some QLdocs 2020-04-27 17:22:56 +02:00
Rasmus Wriedt Larsen
ce2d7fe04c Python: Improve QLDoc for Arguments 2020-04-27 17:22:56 +02:00
Taus
de08433bd3 Merge pull request #3212 from RasmusWL/python-fix-tests-filter 
Python: Fix (some) shortcomings of tests filter
 2020-04-27 11:26:35 +02:00
Taus
bcb980b3d5 Merge pull request #3302 from RasmusWL/python-str-taint-add-methods 
Python: Add taint for string methods
 2020-04-24 16:29:11 +02:00
semmle-qlci
4c7a5007d8 Merge pull request #3314 from RasmusWL/python-model-stdlib-http.server 
Approved by tausbn
 2020-04-24 15:27:21 +01:00
Rasmus Wriedt Larsen
2b3025265b Python: Clean up QLdoc 
Co-Authored-By: Taus <tausbn@gmail.com>
 2020-04-24 14:05:02 +02:00