hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-20 18:56:32 +01:00
Code Issues Packages Projects Releases Wiki Activity
23,343 Commits 1,672 Branches 157 Tags
2dd862661bfa62080e68f4ac8281da5d901b6986
Commit Graph

3550 Commits

Author SHA1 Message Date
Rasmus Wriedt Larsen
b11703cc74 Python: all_dybamic2 => all_indirect 2021-04-06 11:49:55 +02:00
Rasmus Lerchedahl Petersen
c777f1d8d7 Merge branch 'main' of github.com:github/codeql into python-api-enhancements 2021-04-06 09:31:26 +02:00
yoff
a23d8deb10 Merge pull request #5483 from RasmusWL/minor-fixup-django 
Python: Better text for getSourceType in Django
 2021-04-06 08:30:58 +02:00
jorgectf
9b430310b4 Improve Sanitizer calls 2021-03-31 23:19:56 +02:00
jorgectf
4328ff3981 Remove attrs feature 2021-03-31 22:26:08 +02:00
Rasmus Wriedt Larsen
95ac2c8edd Python: Add another dynamic __all__ test 2021-03-31 17:31:55 +02:00
Rasmus Wriedt Larsen
ab3edf37d7 Python: Handle __all__ assigned to a tuple 
Examples where this is used in real code:

- 76c0b32f82/django/core/files/temp.py (L24)
- 76c0b32f82/django/contrib/gis/gdal/__init__.py (L44-L49)
 2021-03-31 17:25:19 +02:00
Rasmus Wriedt Larsen
43306f4700 Python: Add tests for Module.declaredInAll 2021-03-31 17:24:17 +02:00
Rasmus Wriedt Larsen
51c27de049 Merge branch 'main' into revert-import-change 2021-03-30 21:51:53 +02:00
jorgectf
8faafb6961 Update Sink 2021-03-30 16:58:02 +02:00
jorgectf
3cda2e5207 Polish up ldap3 tests 2021-03-29 23:39:49 +02:00
jorgectf
8223539f0c Add a test without attributes 2021-03-29 23:28:28 +02:00
Calum Grant
c26d05b1d5 Merge pull request #5532 from RasmusWL/python-cleanup 
Python: Delete filter queries, code duplication library, and precision tag from metric queries
 2021-03-29 17:16:43 +01:00
Rasmus Wriedt Larsen
96a66fa4ee Python: Apply suggestions from code review 2021-03-29 17:02:56 +02:00
CodeQL CI
3613ceb07f Merge pull request #5535 from tausbn/python-prevent-bad-TCs 
Approved by yoff
 2021-03-29 12:03:08 +01:00
jorgectf
ad36bea9d4 Refactor LDAP3 stuff (untested) 2021-03-29 09:14:35 +02:00
jorgectf
85ec82a389 Refactor in progress 2021-03-28 21:07:08 +02:00
jorgectf
95a1dae315 Precision warn and Remove CWE reference 2021-03-28 18:33:17 +02:00
jorgectf
719b48cbaf Move to experimental folder 2021-03-28 18:33:17 +02:00
jorgectf
799d509f26 Upload LDAP Injection query, qhelp and tests 2021-03-28 18:33:16 +02:00
Rasmus Wriedt Larsen
92e0e195a4 Revert "Merge pull request #5506 from tausbn/python-allow-absolute-imports-from-source-directory" 
This reverts commit 8d15680af4, reversing
changes made to 63831cc62b.

This PR caused performance problems, so reverting now to clear up immediate
problems.
 2021-03-27 18:08:20 +01:00
Rasmus Lerchedahl Petersen
6d72b4fd39 Python: Limit pretty printing to relevant nodes 2021-03-27 03:10:43 +01:00
Rasmus Lerchedahl Petersen
16902c2f56 Python: handle default argument 2021-03-27 02:40:13 +01:00
Rasmus Lerchedahl Petersen
7a511c5682 Python: update naming 2021-03-27 02:20:59 +01:00
Rasmus Lerchedahl Petersen
bd86388447 Python: Add typetracker to constrain attribute. 2021-03-27 01:07:15 +01:00
Rasmus Lerchedahl Petersen
bf81122fc6 Python: fix typo and add linebreaks 2021-03-26 23:37:19 +01:00
Rasmus Lerchedahl Petersen
e0352fe763 Python: remove deprecated section of qhelp file 2021-03-26 23:26:24 +01:00
Rasmus Lerchedahl Petersen
44d62df3f7 Python: Fix model of TLS and add reference 2021-03-26 17:51:18 +01:00
Rasmus Lerchedahl Petersen
470b4d8658 Python: Add missing qldoc 2021-03-26 17:35:36 +01:00
Rasmus Lerchedahl Petersen
98dfe1a00a Python: Elaborate qldoc and renames to match 2021-03-26 17:27:43 +01:00
Taus Brock-Nannestad
f17bbd9982 Python: Fix another bad TC. 
This one is a bit awkward, since the previous version was supposed to
improve indexing. Unfortunately this is vastly outweighed by the slow
convergence of the TC. Right now we pay the cost of inverting the
`hasFlowSource` relation, but this is still cheaper.
 2021-03-26 16:38:13 +01:00
Rasmus Lerchedahl Petersen
8155334fa7 Python: More elaborate qldoc 
also refactor code to match
 2021-03-26 15:57:07 +01:00
Rasmus Lerchedahl Petersen
7d7cbc49db Fix comments. 
This induced fixing the code, since things were wired up wrongly.
Currently the only implementation of `insecure_connection_creation`
is `ssl.wrap_socket`,
which is also the sole target of  py/insecure-default-protocol`,
so perhaps this part should be turned off?
 2021-03-26 14:20:38 +01:00
Rasmus Lerchedahl Petersen
2e948da3b4 Python: suggested refactor 2021-03-26 13:08:45 +01:00
Rasmus Lerchedahl Petersen
1be2be843d Python: update test expectations 2021-03-26 13:08:23 +01:00
Rasmus Lerchedahl Petersen
e936540863 Python: remove internal import 2021-03-26 08:22:09 +01:00
Rasmus Lerchedahl Petersen
f1619f1ee8 Python: "source" -> "contextOrigin" 2021-03-26 08:18:11 +01:00
Rasmus Lerchedahl Petersen
f14fb3bf9e Merge branch 'python-port-insecure-protocol' of github.com:yoff/codeql into python-port-insecure-protocol 2021-03-26 08:06:51 +01:00
yoff
936757b4bf Update python/ql/src/Security/CWE-327/FluentApiModel.qll 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2021-03-26 08:05:51 +01:00
Rasmus Lerchedahl Petersen
9488b8bb18 Python: actually rename 2021-03-26 00:31:56 +01:00
Rasmus Lerchedahl Petersen
554404575d Python: fix typo and name. 2021-03-26 00:29:40 +01:00
Rasmus Lerchedahl Petersen
c93e0c08fd Merge branch 'python-port-insecure-protocol' of github.com:yoff/codeql into python-port-insecure-protocol 2021-03-26 00:26:33 +01:00
yoff
54dad57cf4 Update python/ql/test/query-tests/Security/CWE-327/pyOpenSSL_fluent.py 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2021-03-26 00:25:40 +01:00
Rasmus Lerchedahl Petersen
2b257318f1 Python: more precise comment 2021-03-25 23:22:24 +01:00
yoff
62a0775cf6 Update python/ql/src/Security/CWE-327/examples/secure_protocol.py 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2021-03-25 23:09:11 +01:00
yoff
208d5157fa Merge pull request #5500 from RasmusWL/django-forms 
Python: Model RemoteFlowSources on Django forms/fields
 2021-03-25 20:43:19 +01:00
Taus Brock-Nannestad
c2f112cb92 Python: Filter _before_ the cartesian product 
It's always a sad thing to see a good plan go wrong:

86860032 ~0%      {4} r26 = JOIN r19 WITH DataFlowPublic::TupleElementContent#class#ff CARTESIAN PRODUCT OUTPUT Lhs.0 'nodeFrom', Lhs.1 'nodeTo', Rhs.0, Rhs.1
129256   ~3%      {4} r27 = SELECT r26 ON In.3 <= 7
129256   ~0%      {3} r28 = SCAN r27 OUTPUT In.0 'nodeFrom', In.2 'c', In.1 'nodeTo'

Happily, now it looks like this:

129256  ~0%      {3} r20 = JOIN r19 WITH DataFlowPrivate::small_tuple#f CARTESIAN PRODUCT OUTPUT Lhs.0 'nodeFrom', Rhs.0, Lhs.1 'nodeTo'
 2021-03-25 19:06:05 +01:00
Taus Brock-Nannestad
8734df334b Python: Slight cleanup 2021-03-25 18:35:16 +01:00
Taus Brock-Nannestad
229250dc54 Python: Limit size of TupleElementContent 
A more principled approach is possible here, but in the short term
this will prevent an explosion.

For reference, openstack/cinder has roughly 19000 `ForTarget`s and
tuples of size up to 5300, and we were calculating the cartesian
product of these.
 2021-03-25 18:28:49 +01:00
yoff
716e0f1404 Merge pull request #5517 from tausbn/python-prevent-potentially-bad-join-order 
Python: Prevent potentially bad join order
 2021-03-25 18:14:47 +01:00