hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-20 10:46:30 +01:00
Code Issues Packages Projects Releases Wiki Activity
36,895 Commits 1,672 Branches 157 Tags
4f54bb66b807ee4b22f6be28cfbb71d21b901b10
Commit Graph

5487 Commits

Author SHA1 Message Date
Tom Hvitved
92fa0071bd Update python/ql/lib/semmle/python/pointsto/MRO.qll 
Co-authored-by: Taus <tausbn@github.com>
 2022-03-01 14:16:49 +01:00
Rasmus Wriedt Larsen
cd58c12bbe Merge branch 'main' into orm 2022-03-01 12:01:54 +01:00
Tamás Vajk
94cb5c2be4 Merge pull request #8296 from github/post-release-prep/codeql-cli-2.8.2 
Post-release preparation for codeql-cli-2.8.2
 2022-03-01 11:57:36 +01:00
Rasmus Wriedt Larsen
98c60a706e Python: Autoformat 
Oops
 2022-03-01 11:54:09 +01:00
Rasmus Wriedt Larsen
e32f8d98b0 Python: Always import ORM steps for data-flow 
For C#, see
fdd787b89c/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll (L16)

that import EntityFramework, which is ORM library.
 2022-03-01 11:32:36 +01:00
Rasmus Lerchedahl Petersen
ce3ee65f47 python: remove getTree for now 2022-03-01 10:49:21 +01:00
yoff
853857bd7e Apply suggestions from code review 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2022-03-01 10:26:29 +01:00
github-actions[bot]
980f822983 Post-release preparation for codeql-cli-2.8.2 2022-03-01 09:24:30 +00:00
Ahmed Farid
70c0c7e461 Update zipslip_bad.py 2022-03-01 00:24:33 +01:00
Ahmed Farid
85bcaa96ce Update Concepts.qll 2022-03-01 00:23:06 +01:00
Ahmed Farid
c22b032bbe Update Zip.qll 2022-03-01 00:11:33 +01:00
Ahmed Farid
67d3498891 Update ZipSlip.ql 2022-03-01 00:07:37 +01:00
Ahmed Farid
b29936716d Update Frameworks.qll 2022-03-01 00:06:22 +01:00
Ahmed Farid
76bd3317eb Create Zip.qll 2022-03-01 00:05:30 +01:00
Ahmed Farid
abe25da3df Create ZipSlip.qll 2022-03-01 00:04:02 +01:00
Ahmed Farid
3eae13161f Delete ZipSlipCheckLib.ql 2022-03-01 00:01:34 +01:00
Ahmed Farid
21f6ad5190 Update and rename ZipSlipCheck.ql to ZipSlip.ql 2022-03-01 00:01:06 +01:00
Arthur Baars
5ce6b847d1 Merge pull request #8166 from aibaars/regex-char-sequence-1 
Ruby/Python: regex parser: group sequences of 'normal' characters
 2022-02-28 17:47:53 +01:00
Rasmus Wriedt Larsen
8afd560c64 Python: ORM: Handle load of PolymorphicModels 2022-02-28 16:38:41 +01:00
Rasmus Wriedt Larsen
48fba87273 Python: ORM: add flow to base-class 2022-02-28 16:38:40 +01:00
Rasmus Wriedt Larsen
6b9dd49499 Python: ORM: Model polymorphic.models.PolymorphicModel as Django ORM class 2022-02-28 16:38:40 +01:00
Rasmus Wriedt Larsen
e1191cf63c Python: ORM: Add tests for inheritance 2022-02-28 16:38:40 +01:00
Rasmus Wriedt Larsen
092cfceb18 Python: Add dataflow consistency checks to ORM tests 
Luckily they passed :phew:
 2022-02-28 16:38:40 +01:00
Rasmus Wriedt Larsen
d7ff00e615 Python: Add change-note 2022-02-28 16:38:40 +01:00
Rasmus Wriedt Larsen
ed36ff1570 Python: ORM: Handle <Model>.objects.[<QuerySet>].update() 2022-02-28 16:38:40 +01:00
Rasmus Wriedt Larsen
fea46b642d Python: ORM: Handle <Model>.objects.create and friends 2022-02-28 16:38:40 +01:00
Rasmus Wriedt Larsen
9b458b54aa Python: ORM: Add flow to collection/dict queries 2022-02-28 16:38:40 +01:00
Rasmus Wriedt Larsen
9cff4cbd1c Python: ORM: Add a few more tests 
There were a few methods I had overlooked
 2022-02-28 16:38:40 +01:00
Rasmus Wriedt Larsen
ae057c74cc Python: ORM: Store step for constructor 2022-02-28 16:38:40 +01:00
Rasmus Wriedt Larsen
f8a51bb994 Python: ORM: Add data-flow steps for Django ORM 
Added dummy-whitespace to `orm_security_tests.py` so it would be
possible to see what the reflected XSS results are in the diff
 2022-02-28 16:38:40 +01:00
Rasmus Wriedt Larsen
ef39968a56 Python: ORM: Add data-flow plumbing for ORM modeling 
The idea is that we will do `save ==> synthetic`
and `synthetic ==> load`, so we don't need to do CP between save/load.

This setup with synthetic node in the middle, also allows for a limited
amount of the field-flow we can do with real flow-summary support.
 2022-02-28 16:38:40 +01:00
Rasmus Wriedt Larsen
d3f07cdc10 Python: ORM: Add qltests 
Which shows that there is no flow yet, which is not really a surprise :D
 2022-02-28 16:38:40 +01:00
Rasmus Wriedt Larsen
c78fed6594 Python: ORM: Add raw python test files 
no ql test files yet though, will come in next commit.
 2022-02-28 16:38:40 +01:00
Rasmus Wriedt Larsen
f89fb50eb5 Python: ORM: Add boilerplate django project 
By doing

```
django-admin startproject testproj
django-admin startapp testapp
```
 2022-02-28 16:38:40 +01:00
yoff
d953382df9 Merge pull request #7807 from RasmusWL/dataflow-improvements 
Python: Dataflow improvements
 2022-02-28 16:24:00 +01:00
Erik Krogh Kristensen
5130929358 remove comment suggesting that the receiver is parameter -1 2022-02-28 15:25:34 +01:00
Erik Krogh Kristensen
843ed8fca5 rename pw to aw 
Co-authored-by: yoff <lerchedahl@gmail.com>
 2022-02-28 15:25:25 +01:00
haby0
be40b54b9f add test 2022-02-28 20:34:58 +08:00
Rasmus Wriedt Larsen
0e0f159891 Python: Use Python 3 for investigation tests 
Apparently there are minor differences with `test-6-max-import-depth-2`
where under Python 2 `isfile_no_problem.py` still works as before
 2022-02-28 11:33:31 +01:00
Rasmus Wriedt Larsen
01d426dc58 Python: Replace rest of from testlib import * 
I think we should write our tests in a way that puts points-to in the
best condition to resolve calls. Although this specific change did not
change much, it should help set us up for success in the future 👍
 2022-02-28 10:58:44 +01:00
Rasmus Wriedt Larsen
ead0b658d2 Python: Fix fieldflow tests by increasing max-import-depth 2022-02-28 10:58:44 +01:00
Rasmus Wriedt Larsen
a0d1cea490 Python: Add investigation of field-flow problem 
TL;DR; we used a too low value for `--max-import-depth` :(
 2022-02-28 10:58:44 +01:00
haby0
b23e28a1e6 add Server-side Request Forgery sinks 2022-02-28 15:24:02 +08:00
Ahmed Farid
c207294dfc Update zipslip_good.py 2022-02-26 18:31:22 +01:00
Ahmed Farid
d0d14be693 Update ZipSlip.qhelp 2022-02-26 18:25:13 +01:00
Arthur Baars
0c23f5815f Add change note 2022-02-25 18:43:43 +01:00
Arthur Baars
5044f89105 Ruby/Python re-introduce normalCharacterSequence 2022-02-25 18:43:43 +01:00
Rasmus Wriedt Larsen
f988e1f0d8 Python: Improve field-flow by removing import * 
Since that apparently impacts call graph resolution with points-to :O

Also interesting that global flow was only not working for those cases
because of the tricky ifs... still need to 100% figure out how those ifs
are messing up the analysis :|
 2022-02-25 16:01:08 +01:00
Rasmus Wriedt Larsen
999af15bd5 Python: Show unresolved calls for field-flow tests 2022-02-25 15:58:07 +01:00
Taus
622b32692b Python: Prevent magic/inlining in getCase 
This is a simplified version of
https://github.com/github/codeql/pull/8028
consisting of just the `nomagic` fix.
 2022-02-25 14:32:59 +00:00