hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-02-23 10:23:41 +01:00
Code Issues Packages Projects Releases Wiki Activity
86,066 Commits 1,693 Branches 161 Tags
480ae619e6e499dfe9da2bbdc512a30d3f481b00
Commit Graph

9801 Commits

Author SHA1 Message Date
Taus
480ae619e6 Merge pull request #21116 from github/tausbn/python-add-dataflow-overlay-annotations 
Add `overlay[local]` annotations
 2026-02-21 13:44:09 +01:00
Taus
6b6d8862b0 Merge pull request #21288 from microsoft/azure_python_sanitizer_upstream2 
Azure python sanitizer upstream2
 2026-02-18 14:59:59 +01:00
Taus
3d4785f29f Python: Add change note 2026-02-18 12:51:35 +00:00
Ben Rodes
a1eaf42cbf Update python/ql/lib/change-notes/2026-02-09-ssrf_test_case_cleanup_and_new_ssrf_barriers.md 
Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com>
 2026-02-17 13:05:51 -05:00
Ben Rodes
ceb3b21e0f Update python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryCustomizations.qll 
Co-authored-by: Taus <tausbn@github.com>
 2026-02-17 10:28:43 -05:00
github-actions[bot]
b5898c5a30 Post-release preparation for codeql-cli-2.24.2 2026-02-16 17:07:45 +00:00
Taus
cd62cdadff Python: Fix bad join in returnStep 2026-02-16 16:48:08 +00:00
Taus
304cd12fff Python: Fix bad join in missing_imported_module 
This caused a ~30x blowup in intermediate tuples, now back to baseline.
 2026-02-16 13:48:33 +00:00
Taus
987b10ab3e Python: Fix bad join in OutgoingRequestCall 
On `keras-team/keras`, this was producing ~200 million intermediate
tuples in order to produce a total of ... 2 tuples.

After the refactor, max intermediate tuple count is ~80k for the
charpred (and 4 for the new helper predicate).
 2026-02-16 13:48:33 +00:00
Taus
72f5109ec2 Python: Add more overlay[caller] to Flow.qll 
These were causing the repo `gufolabs/noc` to spend ~30 seconds
evaluating `ControlFlowNode.strictlyDominates`. Just in case, I added
`overlay[caller] to the other instances of `pragma[inline]` as well.
 2026-02-16 13:48:33 +00:00
Taus
248932db7a Python: Fix frameworks/data/warnings.ql 2026-02-16 13:48:32 +00:00
Taus
306d7d1b5d Python: DataFlowDispatch.qll annotations 2026-02-16 13:48:32 +00:00
Taus
7ea96c43ec Python: DataFlowPrivate.qll annotations 2026-02-16 13:48:32 +00:00
Taus
bd71db87be Python: DataFlowPublic.qll annotations 2026-02-16 13:48:32 +00:00
Taus
c46c662b72 Python: LocalSources.qll annotations 2026-02-16 13:48:32 +00:00
Taus
df0f2f8ce4 Python: Simple dataflow annotations 
None of these required any changes to the dataflow libraries, so it
seemed easiest to put them in their own commit.
 2026-02-16 13:48:32 +00:00
Taus
51ebec9164 Python: Fix broken queries 2026-02-16 13:48:32 +00:00
Taus
fd7b123ee3 Python: Add overlay annotations to AST classes 
... and everything else that it depends on.
 2026-02-16 13:48:32 +00:00
github-actions[bot]
ef04f927fb Release preparation for version 2.24.2 2026-02-16 13:29:25 +00:00
REDMOND\brodes
4d4e7a1b5c Pretty print for tests. 2026-02-12 08:28:08 -05:00
Taus
7d17454a3b Merge pull request #21138 from github/tausbn/python-prepare-for-overlay-annotations 
Prepare dataflow for local annotations
 2026-02-12 14:23:45 +01:00
Chris Smowton
5f970d9f2f Rewordings per copilot 2026-02-12 12:01:33 +00:00
Chris Smowton
bed1ec8981 Enhance path validation recommendations 
Expanded recommendations for validating user input when constructing file paths, including normalization and using allowlists.
 2026-02-11 12:10:08 +00:00
REDMOND\brodes
9f9c353806 Update expected files. Copilot suggestions broke unit test expected results (column numbers). 2026-02-10 11:47:23 -05:00
REDMOND\brodes
4bb110beb8 More copilot suggestions. 2026-02-10 11:46:16 -05:00
REDMOND\brodes
a91cf6b7cb Applying copilot PR suggestions. 2026-02-10 11:37:11 -05:00
Ben Rodes
9f8ed710e2 Update python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_path_validation.py 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
 2026-02-10 11:09:25 -05:00
REDMOND\brodes
23bab81855 Added change log 2026-02-09 13:22:35 -05:00
REDMOND\brodes
df54459552 Restore prior PR change log (accidentally removed) 2026-02-09 13:19:02 -05:00
Ben Rodes
85ae4045c5 Merge branch 'main' into azure_python_sanitizer_upstream2 2026-02-09 13:12:38 -05:00
yoff
5ad42f8bcc Merge pull request #20563 from microsoft/azure_python_sdk_url_summary_upstream 
Azure python sdk url summary upstream
 2026-02-09 18:34:36 +01:00
REDMOND\brodes
f6c302b68c Removing commented out test cases. 2026-02-06 11:28:48 -05:00
REDMOND\brodes
4f11913ee5 removing SSRFSink.qll 2026-02-06 11:23:58 -05:00
REDMOND\brodes
42f6e6a19c Fixing inefficiently passed variable in nested existential quantification. 2026-02-06 11:20:15 -05:00
REDMOND\brodes
97f19d03ad Updating test case expected alerts. 2026-02-06 11:20:13 -05:00
REDMOND\brodes
97ddab0724 Added support for new URIValidator in AntiSSRF library. Updated test caes to use postprocessing results. Currently results for partial ssrf still need work, it is flagging cases where the URL is fully controlled, but is sanitized. I'm not sure if this should be flagged yet. 2026-02-06 11:20:11 -05:00
REDMOND\brodes
27e19813be Removing an upstream change log, not needed for local fork update. 2026-02-06 11:20:10 -05:00
REDMOND\brodes
88adb05d4b Adjusting acryonym for SSRF for casing standards. 2026-02-06 11:20:08 -05:00
REDMOND\brodes
265922d2e5 Adding docs. 2026-02-06 11:20:01 -05:00
REDMOND\brodes
7db97799c1 Moved change log to correct location. 2026-02-06 11:19:22 -05:00
Ben Rodes
08b72d0a86 Update python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_azure_client.py 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
 2026-02-06 11:18:51 -05:00
Ben Rodes
46a2a249f9 Update python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_azure_client.py 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
 2026-02-06 11:18:49 -05:00
REDMOND\brodes
b8ba905253 Added change logs. 2026-02-06 11:18:23 -05:00
REDMOND\brodes
9912aaaf1a Adding azure sdk test cases and updated test expected file. 2026-02-06 11:18:16 -05:00
REDMOND\brodes
8459eec239 Moving the SsrfSink concept into Concepts.qll, and renaming to HttpClientRequestFromModel as suggested in PR review. 2026-02-06 09:26:49 -05:00
Ben Rodes
ac1987f264 Update python/ql/lib/change-notes/2025-09-30-azure_ssrf_models.md 
Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com>
 2026-02-05 15:44:44 -05:00
Taus
8c27437628 Python: Bump extractor version and add change note 2026-02-05 13:50:54 +00:00
Taus
12ee93042b Python: Add tests 2026-02-05 13:47:24 +00:00
Taus
bac356c9a1 Python: Regenerate parser files 2026-02-05 13:46:59 +00:00
Taus
68c1a3d389 Python: Fix syntax error when = is used as a format fill character 
An example (provided by @redsun82) is the string `f"{x:=^20}"`. Parsing
this (with unnamed nodes shown) illustrates the problem:

```
module [0, 0] - [2, 0]
  expression_statement [0, 0] - [0, 11]
    string [0, 0] - [0, 11]
      string_start [0, 0] - [0, 2]
      interpolation [0, 2] - [0, 10]
        "{" [0, 2] - [0, 3]
        expression: named_expression [0, 3] - [0, 9]
          name: identifier [0, 3] - [0, 4]
          ":=" [0, 4] - [0, 6]
          ERROR [0, 6] - [0, 7]
            "^" [0, 6] - [0, 7]
          value: integer [0, 7] - [0, 9]
        "}" [0, 9] - [0, 10]
      string_end [0, 10] - [0, 11]
```
Observe that we've managed to combine the format specifier token `:` and
the fill character `=` in a single token (which doesn't match the `:` we
expect in the grammar rule), and hence we get a syntax error.

If we change the `=` to some other character (e.g. a `-`), we instead
get

```
module [0, 0] - [2, 0]
  expression_statement [0, 0] - [0, 11]
    string [0, 0] - [0, 11]
      string_start [0, 0] - [0, 2]
      interpolation [0, 2] - [0, 10]
        "{" [0, 2] - [0, 3]
        expression: identifier [0, 3] - [0, 4]
        format_specifier: format_specifier [0, 4] - [0, 9]
          ":" [0, 4] - [0, 5]
        "}" [0, 9] - [0, 10]
      string_end [0, 10] - [0, 11]
```
and in particular no syntax error.

To fix this, we want to ensure that the `:` is lexed on its own, and the
`token(prec(1, ...))` construction can be used to do exactly this.

Finally, you may wonder why `=` is special here. I think what's going on
is that the lexer knows that `:=` is a token on its own (because it's
used in the walrus operator), and so it greedily consumes the following
`=` with this in mind.
 2026-02-05 13:45:54 +00:00