hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-02-22 09:53:41 +01:00
Code Issues Packages Projects Releases Wiki Activity
31,888 Commits 1,692 Branches 161 Tags
4338c06b0d90cb168a1abf9bcdfe7ba67d489970
Commit Graph

362 Commits

Author SHA1 Message Date
Rasmus Wriedt Larsen
4338c06b0d Python: Support Django FileField.upload_to 2022-01-27 17:20:16 +01:00
Rasmus Wriedt Larsen
301318020f Merge pull request #7455 from haby0/py/add-shutil-module-path-injection-sinks 
Python: Add shutil module sinks for path injection query
 2022-01-24 20:06:36 +01:00
Erik Krogh Kristensen
a235f8f023 remove redundant inline type casts 2022-01-21 11:46:33 +01:00
Erik Krogh Kristensen
ddfc3bc00f use set literals instead of big disjunctions 2022-01-21 11:46:33 +01:00
yoff
5b9ae9cede Merge pull request #7659 from RasmusWL/move-regex-injection-files 
Python: Move regex injection configuration files
 2022-01-21 11:42:06 +01:00
yoff
4fd0ada9a8 Merge pull request #7652 from RasmusWL/cleartext-remove-fps 
Python: Remove usernames as sensitive source for cleartext queries
 2022-01-21 11:30:40 +01:00
Erik Krogh Kristensen
4e8e3a7420 simplify expressions that could be type-casts 2022-01-20 10:41:35 +01:00
Rasmus Wriedt Larsen
aa10ad6a8a Python: Fix RegexInjection query, add old deprecated versions 2022-01-19 17:22:44 +01:00
Rasmus Wriedt Larsen
e82ea7ad17 Python: move regex injection configuration files 
I did not notice that these went to the wrong location in
https://github.com/github/codeql/pull/6693. They should be in the
dataflow folder with the rest of the data-flow configurations files, the
injection folder is for old points-to based modeling.
 2022-01-19 17:21:46 +01:00
Rasmus Wriedt Larsen
e82e648ca1 Python: Remove usernames as sensitive source for cleartext queries 
Closes #6363, #6927, #6726, #7497, #7116
 2022-01-19 15:25:21 +01:00
Rasmus Wriedt Larsen
95e935e9c1 Python: Support SQLAlchemy scoped_session 2022-01-18 14:34:31 +01:00
Anders Schack-Mulligen
fff3b5c5b4 Dataflow: Add qldoc. 2022-01-18 10:39:55 +01:00
Anders Schack-Mulligen
71e39353ca Dataflow: Sync. 2022-01-18 10:36:52 +01:00
Anders Schack-Mulligen
dfa79f6119 Dataflow: Sync. 2022-01-18 10:30:09 +01:00
Chris Smowton
2c37885f6e Sync dataflow 2022-01-18 10:30:09 +01:00
Anders Schack-Mulligen
0b24af901d Merge pull request #7349 from aschackmull/dataflow/state 
Dataflow: Add support for flow state
 2022-01-14 09:12:38 +01:00
Anders Schack-Mulligen
c44cf29992 Merge pull request #7587 from owen-mc/add-default-taint-sanitizer-guard 
Dataflow: Add default taint sanitizer guard
 2022-01-13 14:44:55 +01:00
Anders Schack-Mulligen
f7cf327e71 Dataflow: Sync 2022-01-13 13:28:43 +01:00
Owen Mansel-Chan
8e8278764b Add predicate defaultTaintSanitizerGuard for each language 
This was done manually, as these files are not synced by sync-files.py.
 2022-01-12 14:44:56 +00:00
Owen Mansel-Chan
c112980b81 Sync TaintTrackingImpl.qll 
Done automatically using sync-files.py
 2022-01-12 14:44:55 +00:00
Erik Krogh Kristensen
f7a63d5ea0 remove duplicated line 2022-01-07 18:38:02 +01:00
Erik Krogh Kristensen
1a8b6d7414 recognize ranges without upper bounds 2022-01-07 18:38:01 +01:00
Erik Krogh Kristensen
acaf294bee support a limited number of regexp ranges 2022-01-07 18:36:30 +01:00
haby0
05b0daa0b7 Add the test of shutil module in FileSystemAccess.py 2022-01-06 14:14:42 +08:00
Anders Schack-Mulligen
ef714f7328 Dataflow: Sync 2022-01-05 14:25:35 +01:00
Erik Krogh Kristensen
fe1107ccac remove duplicated spaces in qldoc 2022-01-04 21:03:06 +01:00
Erik Krogh Kristensen
b9964799f3 Merge pull request #7458 from erik-krogh/modelling 
QL: add "modelling/modeling" to `ql/non-us-spelling`
 2022-01-04 13:33:54 +01:00
Alex Ford
3da98ecb73 Bump a date 2021-12-22 16:38:16 +00:00
Alex Ford
a2104de8a0 Move CryptoAlgorithms::AlgorithmsName into a separate internal/CryptoAlgorithmNames.qll 2021-12-22 16:38:15 +00:00
Alex Ford
f16d77615d Remove unused isStrongBlockMode predicate from CryptoAlgorithms.qll 2021-12-22 16:38:15 +00:00
Alex Ford
d3af687767 Add more encryption algorithms and modes to CryptoAlgorithms::AlgorithmNames 
Strong encryption algorithms: ARIA, IDEA, SEED, SM4
Strong block modes: CBC, CFB, CTR, OFB
 2021-12-22 16:38:15 +00:00
Alex Ford
bdb2d8ba16 Ruby: split OpenSSL parts from CryptoALgorithms.qll and sync with JS/Python version 2021-12-22 16:38:15 +00:00
Erik Krogh Kristensen
8019b52838 run the non-us patch with "modelled/modeled" 2021-12-20 17:47:15 +01:00
Erik Krogh Kristensen
d17879e1f9 run the non-us patch 2021-12-20 16:24:41 +01:00
Nick Rolfe
f18492e39b Merge pull request #7443 from github/nickrolfe/behavior 
QL4QL: catch behaviour/behavior in ql/non-us-spelling
 2021-12-20 13:23:53 +00:00
haby0
fed1d88268 Add shutil module path injection sinks 2021-12-20 16:09:06 +08:00
Tom Hvitved
ed006d7283 Merge pull request #7231 from hvitved/csharp/dataflow/consistency-queries 
C#: Enable data-flow consistency queries
 2021-12-20 08:46:19 +01:00
Nick Rolfe
28912c508f Fix non-US spelling of 'behavior' 2021-12-17 15:29:31 +00:00
Rasmus Wriedt Larsen
626009ea60 Python: Fix typo 2021-12-17 14:29:38 +01:00
Tom Hvitved
e4d9f5f29e Fix QL doc 2021-12-17 13:14:11 +01:00
Tom Hvitved
ab2e0fdb18 Data flow: Sync files 2021-12-17 13:13:36 +01:00
Rasmus Wriedt Larsen
e309d8227c Python: Remove debug predicate 
Accidentally committed :|
 2021-12-17 09:44:35 +01:00
Rasmus Wriedt Larsen
1d00730753 Python: Allow http[s]:// prefix for SSRF 2021-12-17 00:27:18 +01:00
Rasmus Wriedt Larsen
4b5599fe17 Python: Improve full/partial SSRF split 
Now full-ssrf will only alert if **all** URL parts are fully
user-controlled.
 2021-12-16 22:48:51 +01:00
Rasmus Wriedt Larsen
cb934e17b1 Python: Adjust SSRF location to request call 
Since that might not be the same place where the vulnerable URL part is.
 2021-12-16 22:48:51 +01:00
Rasmus Wriedt Larsen
5a7efd0fee Python: Minor adjustments to QLDoc of HTTP::Client::Request 2021-12-16 22:48:51 +01:00
Rasmus Wriedt Larsen
1cc5e54357 Python: Add SSRF queries 
I've added 2 queries:

- one that detects full SSRF, where an attacker can control the full URL,
  which is always bad
- and one for partial SSRF, where an attacker can control parts of an
  URL (such as the path, query parameters, or fragment), which is not a
  big problem in many cases (but might still be exploitable)

full SSRF should run by default, and partial SSRF should not (but makes
it easy to see the other results).

Some elements of the full SSRF queries needs a bit more polishing, like
being able to detect `"https://" + user_input` is in fact controlling
the full URL.
 2021-12-16 01:48:34 +01:00
Rasmus Wriedt Larsen
579de0c3f0 Python: Remove getResponse and do manual taint steps 2021-12-15 21:55:04 +01:00
Rasmus Wriedt Larsen
f8fc583af3 Python: client request: getUrl => getAUrlPart 
I think `getUrl` is a bit too misleading, since from the name, I would
only ever expect ONE result for one request being made.

`getAUrlPart` captures that there could be multiple results, and that
they might not constitute a whole URl.

Which is the same naming I used when I tried to model this a long time ago
a80860cdc6/python/ql/lib/semmle/python/web/Http.qll (L102-L111)
 2021-12-15 21:55:04 +01:00
Rasmus Wriedt Larsen
6f81685f48 Python: Add modeling of http.client.HTTPResponse 2021-12-15 21:55:04 +01:00