hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-28 06:36:33 +01:00
Code Issues Packages Projects Releases Wiki Activity
55,585 Commits 1,673 Branches 157 Tags
4b4b9bf9da0d8451e383065008dbf06b4735501b
Commit Graph

1518 Commits

Author SHA1 Message Date
Rasmus Lerchedahl Petersen
4b4b9bf9da python: add missing summaries 
For append/add:
The new results in the experimental tar slip query
show that we do not recognize the sanitisers.
 2023-06-13 20:22:21 +02:00
Rasmus Lerchedahl Petersen
b72c93ff4f python: remove remaining explicit taint steps 2023-06-13 20:22:20 +02:00
yoff
1d65284011 Merge pull request #13209 from yoff/python/container-summaries-2 
python: Container summaries, part 2
 2023-06-13 18:17:09 +02:00
Rasmus Lerchedahl Petersen
775f3eaf56 python: make copy a dataflow step 2023-06-13 17:07:41 +02:00
yoff
2a5173c331 Update python/ql/lib/semmle/python/frameworks/Stdlib.qll 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2023-06-13 10:04:46 +02:00
Rasmus Wriedt Larsen
6526364045 Python: Add modeling of flask.render_template_string 2023-06-12 21:18:31 +02:00
erik-krogh
6dfeb2536b delete old deprecations 2023-06-09 15:12:23 +02:00
Anders Schack-Mulligen
d230509905 Dataflow: Address review comments. 2023-06-09 08:37:36 +02:00
Anders Schack-Mulligen
4399138c82 Dataflow: Fix QL4QL alert. 2023-06-09 08:37:36 +02:00
Anders Schack-Mulligen
53f2b8aab0 Dataflow: Sync. 2023-06-09 08:37:36 +02:00
Anders Schack-Mulligen
fd832416d8 Dataflow: Add empty type strengthening predicate for languages without type pruning. 2023-06-09 08:37:35 +02:00
Anders Schack-Mulligen
e8cea79f1d Dataflow: Sync. 2023-06-09 08:37:35 +02:00
Tom Hvitved
cee70883f0 Merge pull request #12964 from hvitved/ruby/remove-synth-returns 
Ruby: Remove canonical return nodes
 2023-06-08 10:07:48 +02:00
Tom Hvitved
48ac3e58ee Python: Use CallGraphConstruction in call graph construction 2023-06-07 09:02:03 +02:00
Tom Hvitved
4bf124bffe Ruby/Python: Add CallGraphConstruction module for recursive type-tracking based call graph construction 2023-06-07 09:02:03 +02:00
Rasmus Lerchedahl Petersen
6755bb32fb Python: do not add read steps for collections 2023-06-01 15:18:05 +02:00
Rasmus Lerchedahl Petersen
9cb83fcdc9 python: add summaries for 
copy, pop, get, getitem, setdefault

Also add read steps to taint tracking.

Reading from a tainted collection can be done in two situations:
1. There is an acces path
    In this case a read step (possibly from a flow summary)
    gives rise to a taint step.
2. There is no access path
    In this case an explicit taint step (possibly via a flow
    summary) should exist.
 2023-05-26 14:04:15 +02:00
Rasmus Lerchedahl Petersen
144df9a39e python: remove explicit dataflow steps 2023-05-26 13:24:22 +02:00
Rasmus Lerchedahl Petersen
8d4f9447b1 python: remove explicit steps 
copy, pop, get, popitem
 2023-05-26 13:22:54 +02:00
Michael Nebel
915042a881 Minor cleanup and sync files. 2023-05-26 12:25:00 +02:00
Michael Nebel
811eee1f0d Python: Re-factor getComponent. 2023-05-26 12:24:59 +02:00
Tom Hvitved
1788c54bd8 Python: Avoid calling TypeTracker::step in call graph construction 2023-05-24 11:11:54 +02:00
Tom Hvitved
deee314370 Python/Ruby: Optimize join-order in TypeTracker::[small]step 2023-05-24 11:11:07 +02:00
Rasmus Lerchedahl Petersen
5b4f98d6c4 python: Add summaries for container constructors 
Also:
- turn on flow summaries for taint
- do not restrict node type
  (as now we need summary nodes)
 2023-05-16 14:38:51 +02:00
Rasmus Lerchedahl Petersen
145eaf3947 python: remove steps for container constructors 2023-05-16 10:35:10 +02:00
Tom Hvitved
9dede31c0d Merge pull request #13077 from hvitved/ruby/track-regexp-improvements 
Ruby: Improvements to `RegExpTracking`
 2023-05-15 16:02:00 +02:00
yoff
72c6919f4e Merge pull request #13095 from yoff/python/interpret-summary-content 
Python: Interpret summary content
 2023-05-12 13:09:14 +02:00
Rasmus Wriedt Larsen
62f0c64a03 Merge pull request #12552 from erik-krogh/py-type-trackers 
Py: refactor regex tracking to type-trackers
 2023-05-11 16:18:34 +02:00
Tom Hvitved
211a1e188c Sync files 2023-05-10 09:36:00 +02:00
Rasmus Lerchedahl Petersen
064877140e Python: interpret remaining content 2023-05-09 21:40:01 +02:00
Rasmus Lerchedahl Petersen
c1110666b5 Python: remaining content-based summary components 2023-05-09 21:40:01 +02:00
yoff
1a57f81aca Merge pull request #12537 from yoff/python/captured-variables-for-typetracking 
Python: Captured variables for type tracking and the API graph
 2023-05-09 12:34:22 +02:00
Michael Nebel
4ac0396b67 Go/Python/Ruby/Swift: Sync files and make dummy implementation. 2023-05-08 16:18:59 +02:00
yoff
42090b55fa Merge branch 'main' into python/captured-variables-for-typetracking 2023-05-04 13:52:23 +02:00
Mathias Vorreiter Pedersen
77001a070b Merge branch 'main' into identity-consistency-check 2023-05-03 22:01:06 +01:00
Rasmus Lerchedahl Petersen
64068f1c88 python: longer name and longer comment 2023-05-03 18:23:08 +02:00
yoff
a905917123 Merge pull request #12937 from RasmusWL/fix-module-variable-node 
Python: Hide `ModuleVariableNode` in data-flow paths
 2023-05-03 17:58:26 +02:00
Erik Krogh Kristensen
f29db40371 Merge pull request #13011 from kaspersv/kaspersv/explicit-this-receivers-shared2 
JS, Python, Ruby: Make implicit this receivers explicit
 2023-05-03 15:34:59 +02:00
Kasper Svendsen
aca2ace843 JS, Python, Ruby: Make implicit this receivers explicit 2023-05-03 13:51:51 +02:00
Kasper Svendsen
3eb5a95ee3 Python: Make implicit this receivers explicit 2023-05-03 12:16:21 +02:00
Anders Schack-Mulligen
ca09649679 Dataflow: Forward hasLocationInfo. 2023-05-02 10:48:32 +02:00
Anders Schack-Mulligen
5927bb2030 Dataflow: Replace "extends Node" with "instanceof Node". 2023-05-02 09:48:34 +02:00
Anders Schack-Mulligen
6c8cb0dc5e Merge pull request #12930 from aschackmull/dataflow/split-typedcontent 
Dataflow: Refactor access paths to split TypedContent into an explicit pair
 2023-05-01 14:58:15 +02:00
erik-krogh
18f8c69261 satisfy the signature of HostnameRegexpSig, which doesn't understand RegExpSink 2023-05-01 10:49:51 +02:00
erik-krogh
d5029c94b6 changes based on review 2023-05-01 10:42:15 +02:00
erik-krogh
a7f733ab8c move RegExpInterpretation into Concepts.qll 2023-05-01 10:42:15 +02:00
erik-krogh
2fad406b5c move StdLibRegExpInterpretation to Stdlib.qll 2023-05-01 10:42:15 +02:00
erik-krogh
a64848c022 simplify StdLibRegExpInterpretation to only consider re.compile, because the rest is handled by RegexExecution 2023-05-01 10:42:14 +02:00
erik-krogh
113ce61d40 fix nit in qldoc 2023-05-01 10:42:14 +02:00
erik-krogh
2d2602b668 use that strings are local-source-nodes in regex-tracking 2023-05-01 10:42:14 +02:00