hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-03-04 14:46:48 +01:00
Code Issues Packages Projects Releases Wiki Activity
74,533 Commits 1,699 Branches 161 Tags
2e3d3494de013950721becd32ff7c84021d7be0b
Commit Graph

2331 Commits

Author SHA1 Message Date
Rasmus Wriedt Larsen
333367c07d Python: Add threat-modeling of raw_input 2024-09-10 14:32:39 +02:00
Rasmus Wriedt Larsen
8d8cd05b94 Python: Add basic support for database threat-model 2024-09-10 14:32:37 +02:00
Rasmus Wriedt Larsen
7483075b7e Python: Fixup modeling of os.open 2024-09-10 14:32:37 +02:00
Rasmus Wriedt Larsen
d245db54a1 Python: Model file threat-model 2024-09-10 14:32:37 +02:00
Rasmus Wriedt Larsen
66f389a4b6 Python: Model stdin thread-model 2024-09-10 14:32:36 +02:00
Rasmus Wriedt Larsen
e1801f3a29 Python: Proper threat-model handling for argparse 2024-09-10 14:32:36 +02:00
Rasmus Wriedt Larsen
56c85ffe54 Python: Fixup threat-models for os.environ.get() 
Since using `.DictionaryElementAny` doesn't actually do a store on the
source, (so we can later follow any dict read-steps).

I added the ensure_tainted steps to highlight that the result of the
WHOLE expression ends up "tainted", and that we don't just mark
`os.environ` as the source without further flow.
 2024-09-10 14:32:36 +02:00
Rasmus Wriedt Larsen
b9239d7101 Python: Add basic support for environment/commandargs threat-models 2024-09-10 14:32:36 +02:00
Rasmus Wriedt Larsen
528f08fb83 Python: Make queries use ActiveThreatModelSource 2024-09-10 14:32:35 +02:00
Joe Farebrother
d1cca13563 Merge pull request #17314 from joefarebrother/python-x509-cert 
Python: Exclude certificate classification fo sensitive data queries
 2024-09-09 10:48:36 +01:00
Kevin Stubbings
6efb3c69ef QLformatting 2024-09-03 15:54:06 -07:00
Kevin Stubbings
bd2564ee44 Formatting 2024-09-03 14:34:25 -07:00
Kevin Stubbings
581e7f5d3c Bottle 2024-09-03 14:00:27 -07:00
erik-krogh
20dfdc9661 delete some deprecated files 2024-09-03 20:30:59 +02:00
erik-krogh
0fdd06fff5 use my script to delete outdated deprecations 2024-09-03 20:30:58 +02:00
Porcupiney Hairs
e2dd126962 Python: Pycurl SSL Disabled 2024-09-03 03:41:23 +05:30
Kevin Stubbings
326eb6946e Added 2024-08-30 18:17:38 -07:00
Kevin Stubbings
5c8c99d31f Add header support for bottle and tornado 2024-08-30 18:16:01 -07:00
Joe Farebrother
ec7ad84cd1 Update formatting 2024-08-30 13:51:33 +01:00
Joe Farebrother
5360192a58 Apply review suggestions - change = to in 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2024-08-30 13:25:59 +01:00
Joe Farebrother
1cb23e7e86 Exclude certificates from being cinsidered sensitive data by cleartext-storage and cleartext-logging queries 2024-08-27 14:18:39 +01:00
Kevin Stubbings
812abea0de change-notes 2024-08-26 22:25:00 -07:00
Kevin Stubbings
0420d25c13 refactor 2024-08-26 22:09:24 -07:00
Kevin Stubbings
1db7865d49 Corrections 2024-08-26 22:06:12 -07:00
Kevin Stubbings
8bf8893307 Add support for vulnerable CORS middlewares 2024-08-26 21:30:48 -07:00
Anders Schack-Mulligen
8470e91c16 Legacy Dataflow: Sync. 2024-08-20 10:07:57 +02:00
Rasmus Wriedt Larsen
5ec8e5dd30 Python: Setup support for threat-models 
Naming in other languages:
- `SourceNode` (for QL only modeling)
- `ThreatModelFlowSource` (for active sources from QL or data-extensions)

However, since we use `LocalSourceNode` in Python, and `SourceNode` in
JS (for local source nodes), it seems a bit confusing to follow the same
naming convention as other languages, and instead I came up with new names.
 2024-08-19 10:54:47 +02:00
Tom Hvitved
0fcfb47423 Sync shared files 2024-08-13 13:34:45 +02:00
Joe Farebrother
62c2fe6b17 Merge pull request #16933 from joefarebrother/python-cookie-concept-promote 
Python: Promote the insecure cookie query from experimental
 2024-08-07 09:06:05 +01:00
Joe Farebrother
24df54804a Review suggestion - Add link to qldoc 
Co-authored-by: yoff <lerchedahl@gmail.com>
 2024-08-06 22:59:14 +01:00
yoff
251036c6b4 Merge pull request #17080 from sylwia-budzynska/streamlit 
Python: Add Streamlit models
 2024-07-31 18:20:11 +02:00
yoff
123dcc75d1 Merge pull request #16971 from RasmusWL/mad-dict-source 
Python: Add MaD support for DictionaryElement/DictionaryElementAny for sources
 2024-07-31 13:40:07 +02:00
Sylwia Budzynska
2a6ad00a2f Fix typo 2024-07-31 13:22:27 +02:00
Sylwia Budzynska
72e7b6c872 Update python/ql/lib/semmle/python/frameworks/Streamlit.qll 
Co-authored-by: yoff <lerchedahl@gmail.com>
 2024-07-31 13:20:01 +02:00
Sylwia Budzynska
81f3609c4b Formatting 2024-07-30 17:49:20 +02:00
Sylwia Budzynska
dfc51922ba Change regex 2024-07-30 17:39:34 +02:00
Sylwia Budzynska
ef2b225144 Fix PascalCase 2024-07-30 17:36:55 +02:00
Sylwia Budzynska
f796efe470 Add Streamlit SQLAlchemy models 2024-07-30 17:20:52 +02:00
Sylwia Budzynska
bfd2e4350b Add StreamlitConnection model 
Co-authored-by: yoff <lerchedahl@gmail.com>
 2024-07-30 12:58:49 +02:00
Joe Farebrother
82da8b95a7 Fix typo 2024-07-29 23:29:19 +01:00
Joe Farebrother
ef3bbeacd6 Add check for kwargs in cookie attribute predicates 2024-07-29 11:17:42 +01:00
Joe Farebrother
90e87a1752 Factor each framework implementation of the cookie parameters to a common concept 2024-07-29 10:51:24 +01:00
Joe Farebrother
c7f9095739 Apply similar changes to httponly 2024-07-29 10:29:59 +01:00
Joe Farebrother
1127b08635 Merge branch 'main' into python-cookie-concept-promote 2024-07-29 10:26:03 +01:00
Joe Farebrother
d997eee6e6 Code review suggestions - make definitions clearer 
Co-authored-by: yoff <lerchedahl@gmail.com>
 2024-07-29 10:22:33 +01:00
Joe Farebrother
58689c90fb Merge pull request #16893 from joefarebrother/python-cookie-injectio-promote 
Python: Promote cookie injection query from experimental
 2024-07-29 10:17:01 +01:00
Sylwia Budzynska
a05266c236 Formatting 2024-07-26 14:55:58 +02:00
Sylwia Budzynska
6d1c00742f Add tests and change note 2024-07-26 14:15:43 +02:00
Sylwia Budzynska
221c18934c Add models 2024-07-26 13:23:39 +02:00
Anders Schack-Mulligen
7a48fe1102 Dataflow: Replace ppReprType with DataFlowType.toString. 2024-07-25 13:08:47 +02:00