hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-29 15:16:34 +01:00
Code Issues Packages Projects Releases Wiki Activity
33,978 Commits 1,673 Branches 157 Tags
2b42d84ccdf867dee35781195212d00cf82fccdd
Commit Graph

346 Commits

Author SHA1 Message Date
Arthur Baars
79cd7bf8ed Python: create semmle/python/dataflow/new/Regex.qll 2022-03-21 15:57:19 +01:00
Arthur Baars
9412b331db Revert "Revert "Python: switch to shared implementation of IncompleteHostnameRegExp.ql"" 
This reverts commit 6d24591416.
 2022-03-18 16:31:22 +01:00
Arthur Baars
6d24591416 Revert "Python: switch to shared implementation of IncompleteHostnameRegExp.ql" 
This reverts commit ce50f35dda.
 2022-03-18 13:02:55 +01:00
Arthur Baars
ab93b3784b Merge remote-tracking branch 'upstream/main' into incomplete-hostname 2022-03-16 12:31:12 +01:00
Arthur Baars
cf4b834536 Address comments 2022-03-11 14:25:34 +01:00
Erik Krogh Kristensen
69353bb014 patch upper-case acronyms to be PascalCase 2022-03-11 11:10:33 +01:00
Taus
7b877fb317 Merge pull request #8336 from tausbn/python-fix-a-bunch-of-ql-warnings 
Python: Fix a bunch of QL warnings
 2022-03-09 16:31:28 +01:00
Taus
af7f532212 Python: Fix up a bunch of function QLDoc 2022-03-07 18:59:49 +00:00
Arthur Baars
ce50f35dda Python: switch to shared implementation of IncompleteHostnameRegExp.ql 2022-03-07 16:10:08 +01:00
Arthur Baars
9e8930c192 Ruby: IncompleteHostnameRegExp.ql 2022-03-07 16:10:08 +01:00
Rasmus Lerchedahl Petersen
143e9ee954 Merge branch 'main' of github.com:github/codeql into python/promote-xpath-injection 2022-03-02 13:14:08 +01:00
yoff
853857bd7e Apply suggestions from code review 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2022-03-01 10:26:29 +01:00
Rasmus Wriedt Larsen
b59ab7f5f3 Merge branch 'main' into python/promote-log-injection 2022-02-21 09:59:31 +01:00
Rasmus Wriedt Larsen
5a90214ece Merge pull request #7783 from yoff/python/promote-ldap-injection 
Python: promote LDAP injection query
 2022-02-15 10:24:18 +01:00
Rasmus Lerchedahl Petersen
84447e4710 python: more detailed alert message 2022-02-14 11:55:07 +01:00
Rasmus Lerchedahl Petersen
aa010e420b python: update qhelp 2022-02-09 15:27:39 +01:00
Rasmus Lerchedahl Petersen
103b5761f3 python: remove superfluous configuration 
this also removes duplicated nodes and edges
in the path results
 2022-02-08 11:34:11 +01:00
Rasmus Lerchedahl Petersen
a9cfc60ea1 python: move supporting libraries 
and update reference in query
 2022-02-08 11:27:45 +01:00
Rasmus Lerchedahl Petersen
88efcff818 python: move query 
and update reference in query test
 2022-02-08 11:24:09 +01:00
Rasmus Lerchedahl Petersen
c2cd58edc4 python: rewrite to separate configurations 
source nodes get duplicated, so perhaps flow states
are actually better for performance?
 2022-02-01 14:36:11 +01:00
Rasmus Wriedt Larsen
f7a0b17ed6 Merge pull request #7687 from yoff/python/PathInjection-FlowState 
python: Rewrite path injection query to use flow state
 2022-02-01 11:33:37 +01:00
yoff
b120721942 Update python/ql/src/Security/CWE-090/LdapInjection.ql 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2022-02-01 11:02:47 +01:00
Rasmus Lerchedahl Petersen
ecea392a08 python: rewrite qhelp overview 
(combining the Java version and the JS version)
 2022-02-01 10:47:18 +01:00
Rasmus Lerchedahl Petersen
26befebfc2 python: drop precision and add severity score 
Given both the original FP score and our concerns
regarding sanitizers, `@precision medium`, which
is aligned with other languages, feels appropriate.
 2022-02-01 10:34:36 +01:00
Rasmus Lerchedahl Petersen
8b5114d10e python: Add standard customization setup 
- modernize the sanitizer, but do not make it less specific
 2022-01-31 11:27:55 +01:00
Rasmus Lerchedahl Petersen
20d54543fd python: move log injection out of experimental 
- move from custom concept `LogOutput` to standard concept `Logging`
- remove `Log.qll` from experimental frameworks
  - fold models into standard models (naively for now)
    - stdlib:
      - make Logger module public
      - broaden definition of instance
      - add `extra` keyword as possible source
   - flak: add app.logger as logger instance
   - django: `add django.utils.log.request_logger` as logger instance
     (should we add the rest?)
- remove LogOutput from experimental concepts
 2022-01-31 11:27:55 +01:00
Rasmus Lerchedahl Petersen
ab43f041c3 python: rename files 2022-01-28 11:00:17 +01:00
Rasmus Lerchedahl Petersen
4c3c4deb34 python: Move over query and tests 2022-01-28 09:19:11 +01:00
Rasmus Lerchedahl Petersen
a5bc5373d0 python: Rewrite path injection to use flow state 
This removes the FP cause by chaining
This PR also removes `ChainedConfigs12.qll`,
as we hope to solve future problems via flow states.
 2022-01-21 09:26:48 +01:00
Rasmus Wriedt Larsen
aa10ad6a8a Python: Fix RegexInjection query, add old deprecated versions 2022-01-19 17:22:44 +01:00
Erik Krogh Kristensen
fe1107ccac remove duplicated spaces in qldoc 2022-01-04 21:03:06 +01:00
yoff
5ba70ff3b6 Merge pull request #7369 from RasmusWL/filter-tag-cwe 
JS/Py/Ruby: Add more CWEs to bad-tag-filter queries
 2022-01-04 10:11:03 +01:00
Rasmus Wriedt Larsen
83f1b2ca5d Python: Add SSRF qhelp 
I included examples of both types in the qhelp of both queries, to
provide context of what each of them actually are.
 2021-12-17 11:48:26 +01:00
Rasmus Wriedt Larsen
4b5599fe17 Python: Improve full/partial SSRF split 
Now full-ssrf will only alert if **all** URL parts are fully
user-controlled.
 2021-12-16 22:48:51 +01:00
Rasmus Wriedt Larsen
cb934e17b1 Python: Adjust SSRF location to request call 
Since that might not be the same place where the vulnerable URL part is.
 2021-12-16 22:48:51 +01:00
Rasmus Wriedt Larsen
1cc5e54357 Python: Add SSRF queries 
I've added 2 queries:

- one that detects full SSRF, where an attacker can control the full URL,
  which is always bad
- and one for partial SSRF, where an attacker can control parts of an
  URL (such as the path, query parameters, or fragment), which is not a
  big problem in many cases (but might still be exploitable)

full SSRF should run by default, and partial SSRF should not (but makes
it easy to see the other results).

Some elements of the full SSRF queries needs a bit more polishing, like
being able to detect `"https://" + user_input` is in fact controlling
the full URL.
 2021-12-16 01:48:34 +01:00
Rasmus Wriedt Larsen
1e45fa9ed4 JS/Py/Ruby: Add more CWEs to bad-tag-filter queries 
CWE-185: Incorrect Regular Expression

The software specifies a regular expression in a way that causes data to
be improperly matched or compared.

https://cwe.mitre.org/data/definitions/185.html

CWE-186: Overly Restrictive Regular Expression

> A regular expression is overly restrictive, which prevents dangerous values from being detected.
>
> (...) [this CWE] is about a regular expression that does not match all
> values that are intended. (...)

https://cwe.mitre.org/data/definitions/186.html

From my understanding,
CWE-625: Permissive Regular Expression, is not applicable. (since this
is about accepting a regex match where there should not be a match).
 2021-12-13 10:23:24 +01:00
Erik Krogh Kristensen
3c59aa319e Merge pull request #7245 from erik-krogh/explicit-this-all-the-places 
All langs: apply the explicit-this patch to all remaining code
 2021-12-07 10:40:26 +01:00
Rasmus Wriedt Larsen
d557f6fd2e Merge pull request #7101 from RasmusWL/python-ids 
Python: Fix some query-ids
 2021-11-29 16:12:57 +01:00
yoff
41b7922c7d Merge pull request #7089 from RasmusWL/redos-cwe-1333 
Python/C#: Add CWE-1333 to redos queries
 2021-11-29 16:09:39 +01:00
Erik Krogh Kristensen
6ff8d4de5c add all remaining explicit this 2021-11-26 13:50:10 +01:00
Rasmus Wriedt Larsen
651a76c9ce Python: Add CWE-532 to CleartextLogging 
Relevant for this query:

CWE-532: Insertion of Sensitive Information into Log File

> While logging all information may be helpful during development
> stages, it is important that logging levels be set appropriately
> before a product ships so that sensitive user data and system
> information are not accidentally exposed to potential attackers.

See https://cwe.mitre.org/data/definitions/532.html

JS also did this recently: https://github.com/github/codeql/pull/7103
 2021-11-24 14:59:52 +01:00
Rasmus Wriedt Larsen
c05ffd4d00 JS/PY: Remove CWE-315 form CleartextLogging 
Since it is not relevant for this query:

CWE-315: Cleartext Storage of Sensitive Information in a Cookie

See https://cwe.mitre.org/data/definitions/315.html
 2021-11-24 14:59:18 +01:00
Rasmus Wriedt Larsen
2a5e0a3b77 Merge pull request #7145 from RasmusWL/remove-owasp-tags 
Python/Ruby: Remove owasp tags
 2021-11-24 13:56:48 +01:00
Rasmus Wriedt Larsen
b2611fe198 Merge branch 'main' into redos-cwe-1333 2021-11-24 10:42:43 +01:00
Taus
8cccee6eba Merge pull request #6972 from yoff/python/promote-redos 
Python: Promote ReDoS queries
 2021-11-23 14:02:09 +01:00
Erik Krogh Kristensen
1cca377e7d Merge pull request #6561 from erik-krogh/htmlReg 
JS/Py/Ruby: add a bad-tag-filter query
 2021-11-18 09:39:13 +01:00
Rasmus Wriedt Larsen
98e6fc8a88 Python/Ruby: Remove owasp tags 
These are no longer correct, since the A1 category changed from 2017 to
2021, see https://owasp.org/Top10/#whats-changed-in-the-top-10-for-2021

Since only a very few queries had these tags, I think we're much better
off having them removed.
 2021-11-16 12:03:50 +01:00
Rasmus Wriedt Larsen
1f90dcadf1 Python: Use backtracker for verify arg 2021-11-10 12:54:23 +01:00
Rasmus Wriedt Larsen
77099fe9d0 Python: Always use @id py/ 
The two queries in CWE-020 are used for manual evaluation (is my
understanding), and the two IDE queries should work based on their tags,
and not on the query-id.
 2021-11-10 10:40:17 +01:00