hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-28 14:46:33 +01:00
Code Issues Packages Projects Releases Wiki Activity
56,659 Commits 1,673 Branches 157 Tags
3f36d3244bb74cb3db78d661af754ddd3ca37137
Commit Graph

1340 Commits

Author SHA1 Message Date
Tony Torralba
8f6d2ed2f9 Adjust ZipSlip query description according to review suggestions. 2023-06-19 10:27:41 +02:00
Tony Torralba
3c4d938cf1 Apply code review suggestions. 
Co-authored-by: Asger F <asgerf@github.com>
 2023-06-19 10:20:19 +02:00
Tony Torralba
3e96fe60c5 Go/Java/JS/Python/Ruby: Update the description and qhelp of the ZipSlip query 
All filesystem operations, not just writes, with paths built from untrusted archive entry names are dangerous
 2023-06-16 08:52:44 +02:00
Erik Krogh Kristensen
798f3880c9 Merge pull request #13402 from erik-krogh/deps-some-py 
Py: delete some old deprecations
 2023-06-12 11:29:44 +02:00
erik-krogh
6dfeb2536b delete old deprecations 2023-06-09 15:12:23 +02:00
Rasmus Wriedt Larsen
0c8b4251cf Python: Avoid duplicated query-id 2023-06-07 10:07:01 +02:00
Rasmus Wriedt Larsen
c1b90c8f05 Python: Apply suggested change 2023-05-22 11:58:32 +02:00
Rasmus Wriedt Larsen
44d806507d Merge branch 'main' into python-UBV 2023-05-22 11:53:56 +02:00
Sim4n6
be3f59afab Replaced StringMethod() with a restrained String method calls 2023-05-20 12:17:33 +01:00
Sim4n6
21e99d52c7 Fix a redundant import 2023-05-20 10:23:04 +01:00
Sim4n6
b8969707c5 Delete the vulnerability flow image from the QHelp file. 2023-05-20 10:21:38 +01:00
Sim4n6
16ce024429 Update python/ql/src/experimental/Security/CWE-176/UnicodeBypassValidation.qhelp 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2023-05-20 10:13:23 +01:00
Sim4n6
8462b14b54 Update python/ql/src/experimental/Security/CWE-176/UnicodeBypassValidation.qhelp 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2023-05-20 10:12:55 +01:00
Sim4n6
2a8645c447 Fix 'Singleton set literal' warning 2023-05-20 10:11:26 +01:00
Sim4n6
58be109a70 Moved UnicodeBypassValidation Customizations & Query.qll to src/experimental 2023-05-20 10:08:56 +01:00
Kasper Svendsen
3eb5a95ee3 Python: Make implicit this receivers explicit 2023-05-03 12:16:21 +02:00
Sim4n6
1fa1a4e268 Add Unicode Bypass Validation query tests and help 2023-05-02 15:09:16 +01:00
amammad
b3669b818b v1.3 change name according to camelCase 2023-04-28 04:56:47 +02:00
amammad
a541fdf5e5 v1.2 code quality improvements including commnets too 2023-04-27 08:30:46 +02:00
amammad
1bf159e9a9 Merge branch 'github:main' into amammad-python-paramiko 2023-04-26 23:28:29 -07:00
Luke Cartey
a47778c22e Update SimpleXmlRpcServer.ql to avoid av detection 
This file was being flagged by McAfee as an `Exploit-Generic.src`
trojan. We have attempted to report this to Mcafee without success so
far. This commit therefore adjusts the file to avoid detection.
 2023-04-20 11:59:18 +01:00
Raul Garcia
cf8a683d7d Merge branch 'main' into main 2023-03-29 20:27:03 -07:00
Rasmus Wriedt Larsen
34cbaf10c2 Python: Use PostUpdateNode in py/azure-storage/unsafe-client-side-encryption-in-use 2023-03-29 13:22:21 +02:00
Rasmus Wriedt Larsen
86333e3ba5 Python: Remove duplicate results from azure blob query 2023-03-29 11:47:29 +02:00
Rasmus Wriedt Larsen
32d52c023e Python: Allow any order for azure blob query 
By only allowing the sink in the state where encryption v1 is used, we
can handle the new case where the order of attribute assignment is
flipped.

However, we get a few too many paths because we can have multiple
sources reaching the same sink... let's fix in next commit.
 2023-03-29 11:42:01 +02:00
Rasmus Wriedt Larsen
683985a00a Python: Expand azure blob modeling 
Now we can differentiate between the classes
 2023-03-29 11:24:36 +02:00
Rasmus Wriedt Larsen
8ea6b6f256 Python: Update py/azure-storage/unsafe-client-side-encryption-in-use to use datafow 2023-03-28 10:09:22 +02:00
Rasmus Wriedt Larsen
7a17cd2a9e Python: Rewrite azure query to more idiomatic ql 2023-03-28 10:06:00 +02:00
Taus
a3c40a3ae4 Python: Add experimental tags 2023-03-27 14:23:36 +00:00
Taus
700eb04487 Python: Lower precision of non-header queries 
cf. https://github.com/github/securitylab/issues/691#issuecomment-1387391014
 2023-03-27 12:22:17 +00:00
Taus
0b4c85f8d2 Python: Autoformat and fix broken module reference 2023-03-27 12:16:44 +00:00
Taus
11c89adbe3 Merge branch 'main' into timing-attack-py 2023-03-24 15:40:33 +01:00
Raul Garcia
8b4826c0b4 Singleton set literal fix 
Fixing auto-code scanning recommendation
 2023-03-21 08:02:30 -07:00
Raul Garcia
1400b4b520 Update UnsafeUsageOfClientSideEncryptionVersion.ql 
*  predicate `isUnsafeClientSideAzureStorageEncryptionViaObjectCreation` was not useful (it was meant to detect the SDK code, not its usage)
* fixed & simplified `isUnsafeClientSideAzureStorageEncryptionViaAttributes`, the original query was not finding the right code.
NOTE: tested with a real project: https://github.com/wastore/azure-storage-samples-for-python/tree/master/ClientSideEncryptionToServerSideEncryptionMigrationSamples/ClientSideEncryptionV1ToV2
 2023-03-20 18:52:58 -07:00
Anders Schack-Mulligen
21d5fa836b Python: Autoformat 2023-03-10 09:41:17 +01:00
Ahmed Farid
6a578c62b0 Update TimingAttack.qll 2023-02-27 22:16:09 +01:00
Taus
25043f51a4 Merge pull request #11376 from RasmusWL/call-graph-code 
Python: New type-tracking based call-graph
 2023-02-27 14:51:21 +01:00
Rasmus Lerchedahl Petersen
9e97877938 python: lower precision as discussed 2023-02-20 12:06:19 +01:00
amammad
54582031d8 v1 2023-02-16 17:14:32 +01:00
Ahmed Farid
ccbb58966f Update TimingAttack.qll 2023-02-16 14:15:04 +01:00
Ahmed Farid
a421e3a3a3 Update TimingAttackAgainstHeaderValue.ql 2023-02-16 14:14:43 +01:00
Ahmed Farid
f57861b6a3 Update TimingAttack.qll 2023-02-16 14:14:13 +01:00
Ahmed Farid
f70f5c7935 Update TimingAttackAgainstHeaderValue.ql 2023-02-16 14:03:26 +01:00
Ahmed Farid
4b3efa87dc Update TimingAttack.qll 2023-02-16 14:01:29 +01:00
Ahmed Farid
005839b462 Update TimingAttack.qll 2023-02-16 12:49:40 +01:00
Ahmed Farid
01b865f75b Update TimingAttack.qll 2023-02-16 01:36:06 +01:00
Ahmed Farid
fbfe23b7c4 Update TimingAttack.qll 2023-02-16 01:21:50 +01:00
Ahmed Farid
b8f9b2b424 Update TimingAttackAgainstHeaderValue.ql 2023-02-16 01:11:41 +01:00
Ahmed Farid
016136a2e3 Update TimingAttack.qll 2023-02-16 01:10:36 +01:00
Sim4n6
eed19a3e15 Fix autoformatting issues 2023-02-10 21:58:29 +01:00