hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-20 18:56:32 +01:00
Code Issues Packages Projects Releases Wiki Activity
34,490 Commits 1,672 Branches 157 Tags
405480c41045f943e025aa7d21a33b971b231cf2
Commit Graph

5198 Commits

Author SHA1 Message Date
Rasmus Wriedt Larsen
405480c410 Python: Rename sink definitions for XXE/XML bomb 2022-04-07 15:37:56 +02:00
Rasmus Wriedt Larsen
7728b6cf1b Python: Change XmlBomb vulnerability kind 2022-04-07 10:56:35 +02:00
Rasmus Wriedt Larsen
f2f0873d91 Python: Use new API::CallNode for XML constant check 
This also means that the detection of the values passed to these keyword
arguments will no longer just be from a local scope, but can also be
across function boundaries.
 2022-04-06 15:49:06 +02:00
Rasmus Wriedt Larsen
c784f15762 Python: Rename more XML classes to follow convention 
- `XMLEtree` to `XmlEtree`
- `XMLSax` to `XmlSax`
- `LXML` to `Lxml`
- `XMLParser` to `XmlParser`
 2022-04-06 15:44:54 +02:00
Rasmus Wriedt Larsen
23637fd691 Merge branch 'main' into promote-xxe 2022-04-06 12:56:31 +02:00
Rasmus Wriedt Larsen
b99767ef52 Merge pull request #8668 from RasmusWL/use-instanceof 
Python: Rewrite concepts to use `extends ... instanceof ...`
 2022-04-06 12:09:12 +02:00
Rasmus Wriedt Larsen
4d2a3b38d2 Merge pull request #8511 from RasmusWL/use-query-suffix 
Python: Use `Query.qll` suffix for dataflow configuration definitions
 2022-04-06 11:59:29 +02:00
Rasmus Wriedt Larsen
5b96db26b3 Python: Rewrite concepts to use extends ... instanceof ... 
This solved performance problems experienced in
https://github.com/github/codeql/pull/8634, and this commit+PR is to
ensure we get this change in as fast as possible.
 2022-04-05 12:34:15 +02:00
Rasmus Wriedt Larsen
b7f56dd17e Python: Rewrite concepts to use extends ... instanceof ... 
This caused compilation time for `ConceptsTest.ql` to go from 1m24s to
7s
 2022-04-05 12:31:09 +02:00
Rasmus Wriedt Larsen
a7dab53ed2 Python: Add change-note 2022-04-05 11:46:49 +02:00
Rasmus Wriedt Larsen
1f285b8983 Python: Rename to XmlParsingVulnerabilityKind 
To keep up with style guide
 2022-04-05 11:07:12 +02:00
Rasmus Wriedt Larsen
ab59d5c786 Python: Rename to XmlParsing 
To follow our style guide
 2022-04-05 11:06:22 +02:00
Tom Hvitved
50dc3820c6 Merge pull request #8589 from hvitved/regex/speedup-concretise 2022-04-03 17:56:07 +02:00
Chris Smowton
3119885a9b Merge pull request #8638 from smowton/smowton/docs/additional-flow-step-description 
Improve wording of isAdditionalFlow/TaintStep qldoc
 2022-04-01 16:41:04 +01:00
Chris Smowton
28fa49dcd6 dataflow -> data-flow 2022-04-01 13:22:58 +01:00
Rasmus Wriedt Larsen
ba011fb13f Merge pull request #8601 from zbazztian/recognize-flask-named-body-param 
Python: Flask: Identify body contents passed via named response parameter in invocations of Response constructor
 2022-04-01 14:19:28 +02:00
Sebastian Bauersfeld
504e7e4a55 Update python/ql/lib/change-notes/2022-03-30-flask-recognize-body-param.md 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2022-04-01 18:41:27 +07:00
Erik Krogh Kristensen
eae2a6af36 update expected output for Locations.ql 2022-04-01 12:58:00 +02:00
Erik Krogh Kristensen
ed7e1206ff rename isBeforeCode to isCommentAfterCode 2022-04-01 12:55:00 +02:00
Chris Smowton
3b0bd3bc0f Improve wording 2022-04-01 11:31:31 +01:00
Chris Smowton
99026a6071 Improve wording of isAdditionalFlow/TaintStep qldoc 2022-04-01 11:07:27 +01:00
Rasmus Wriedt Larsen
d2b03bb480 Python: Fix SimpleXmlRpcServer.ql 2022-03-31 20:37:28 +02:00
Rasmus Wriedt Larsen
4abab22066 Python: Promote XXE and XML-bomb queries 
Need to write a change-note as well, but will do that tomorrow
 2022-03-31 18:47:50 +02:00
Rasmus Wriedt Larsen
b8d3c5e96f Python: Remove last bits of experimental XML modeling 2022-03-31 18:40:26 +02:00
Rasmus Wriedt Larsen
5083023aa8 Python: Move XML parsing PoC 
Since the folder where it used to live is now empty otherwise :O
 2022-03-31 18:37:47 +02:00
Rasmus Wriedt Larsen
673220b231 Python: Minor cleanup of XmlParsingTest 2022-03-31 18:18:35 +02:00
Rasmus Wriedt Larsen
b4c0065aeb Python: Extend FileSystemAccess for xml.sax and xml.dom.* parsing 2022-03-31 18:08:47 +02:00
Rasmus Wriedt Larsen
1d7cec60ae Python: xml.sax.parse is not a method call 
And it's not possible to provide a parser argument either
 2022-03-31 17:50:23 +02:00
Rasmus Wriedt Larsen
e11269715d Python: Promote xml.sax and xml.dom.* modeling 2022-03-31 17:44:00 +02:00
Rasmus Wriedt Larsen
05bb0ef976 Python: Align xml.etree.ElementTree modeling 
I didn't find a good way to actually share the stuff, so we kinda just
have 2 things that look very similar :|
 2022-03-31 17:24:16 +02:00
Rasmus Wriedt Larsen
70b3eecdd5 Python: Merge xml.etree.ElementTree models 
I forgot about the existing ones when I promoted it
 2022-03-31 17:13:11 +02:00
Tom Hvitved
46d69cf544 Regex: Further tweaks to concretise computations 2022-03-31 12:52:43 +02:00
Tom Hvitved
5181544790 Sync shared files 2022-03-31 12:52:42 +02:00
Tom Hvitved
0fb28f4bc9 Sync shared files 2022-03-31 12:52:42 +02:00
Rasmus Wriedt Larsen
db43d043c4 Python: Add test showing misalignment of xml.etree modeling 2022-03-31 11:55:46 +02:00
Rasmus Wriedt Larsen
543454eff2 Python: Model file access from XML parsing 2022-03-31 11:47:29 +02:00
Rasmus Wriedt Larsen
386ff53614 Python: Model lxml.iterparse 2022-03-31 11:32:22 +02:00
Rasmus Wriedt Larsen
12cbdcde28 Python: Model lxml.etree.XMLID 2022-03-31 11:21:24 +02:00
Rasmus Wriedt Larsen
6774085e7a Python: Add note about parseid/XMLID 2022-03-31 11:19:25 +02:00
Rasmus Wriedt Larsen
a315aa84b2 Python: Add some links in QLDocs 2022-03-31 11:16:50 +02:00
Rasmus Wriedt Larsen
64aa503cc3 Python: Promote xml.etree modeling 2022-03-31 11:12:02 +02:00
Rasmus Wriedt Larsen
7f5f7679f8 Python: Promote xmltodict modeling 2022-03-31 10:28:34 +02:00
Rasmus Wriedt Larsen
80b5cde3a2 Python: Promote lxml parsing modeling 2022-03-31 10:19:08 +02:00
Rasmus Wriedt Larsen
3040adfd9b Python: Handle XMLParser().close() for XPath 2022-03-31 10:08:26 +02:00
Rasmus Wriedt Larsen
c4473c5f65 Python: Rename lxml XPath tests 2022-03-31 10:08:02 +02:00
Rasmus Wriedt Larsen
1ea4bcc59f Python: Make XMLParsing a Decoding subclass 2022-03-31 09:52:55 +02:00
Rasmus Wriedt Larsen
35ccba2ec1 Python: Promote XMLParsing concept test 2022-03-31 09:52:55 +02:00
Rasmus Wriedt Larsen
e45288e812 Python: => XMLParsingVulnerabilityKind 
Since there are other XML vulnerabilities that are not about parsing,
this is more correct.
 2022-03-31 09:52:55 +02:00
Rasmus Wriedt Larsen
e005a5c0ab Python: Promote XMLParsing concept 2022-03-31 09:52:55 +02:00
Rasmus Wriedt Larsen
9caf4be21b Python: Add PortSwigger link to Xxe.qhelp 
I found this resource quite good myself at least :)
 2022-03-31 09:52:55 +02:00