hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-21 19:26:31 +01:00
Code Issues Packages Projects Releases Wiki Activity
23,969 Commits 1,672 Branches 157 Tags
5028fccee5edce4ad95f1569ca9ab45d1d408ede
Commit Graph

3672 Commits

Author SHA1 Message Date
Taus
e4af14638b Merge pull request #6175 from yoff/python-port-ReDoS 
Python: port ReDoS queries from Javascript
 2021-06-30 16:26:07 +02:00
yoff
6a77b890af Merge pull request #6155 from RasmusWL/port-cleartext-queries 
Python: Port cleartext queries
 2021-06-30 15:52:34 +02:00
Rasmus Lerchedahl Petersen
a176e6ac30 Python: comment out temporarily unused predicate 2021-06-30 15:28:31 +02:00
Rasmus Lerchedahl Petersen
45e30b0c06 Python: comment out temporarily unused predicate 2021-06-30 15:04:37 +02:00
Rasmus Lerchedahl Petersen
c306cee04e Python: mimic JS file hierarchy 2021-06-30 15:03:22 +02:00
Rasmus Lerchedahl Petersen
651f8abba0 Python: Avoid multiple results for toString 2021-06-30 14:39:49 +02:00
Rasmus Wriedt Larsen
c2708176b1 Python: Support %-style formatting for MarkupSafe 2021-06-30 14:15:41 +02:00
Rasmus Wriedt Larsen
0a4efd0e86 Python: Add %-style formatting tests for MarkupSafe 2021-06-30 14:13:59 +02:00
Rasmus Wriedt Larsen
c84658dff1 Python: Use MethodCallNode for MarkupSafe string-format 2021-06-30 13:58:09 +02:00
Rasmus Wriedt Larsen
d6e8fafdbd Python: Proper sorting in Frameworks.qll 2021-06-30 13:55:26 +02:00
Rasmus Wriedt Larsen
075953860b Merge branch 'main' into markupsafe-modeling 2021-06-30 13:55:08 +02:00
Rasmus Lerchedahl Petersen
72986e1e28 Python: Add some comments on the booelan sweep 
pattern
 2021-06-30 12:50:36 +02:00
Rasmus Lerchedahl Petersen
52d91917aa Merge branch 'python-port-ReDoS' of github.com:yoff/codeql into python-port-ReDoS 2021-06-30 12:25:59 +02:00
Rasmus Lerchedahl Petersen
09e71cfdfd Python: update test expectations 2021-06-30 12:25:29 +02:00
Rasmus Lerchedahl Petersen
6dfbf80494 Python: Disable use of toUnicode 
until supporting CLI is released
 2021-06-30 12:21:52 +02:00
Rasmus Wriedt Larsen
e5d65992b4 Python: Use DefinitionNode instead of Assign 
Based on https://github.com/github/codeql/pull/6155#discussion_r660964666:

> Hmm... Would it be better to do this using DefinitionNode instead of
> Assign? The latter is fairly limited in what it can represent, and also
> raises questions of whether this definition is sound with regard to
> control-flow splitting.
 2021-06-30 12:08:32 +02:00
yoff
c19522e921 Apply suggestions from code review 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2021-06-30 11:49:45 +02:00
Rasmus Wriedt Larsen
94bcda3bae Python: Highlight problem picking DataFlow::Node for Assign 2021-06-29 15:32:16 +02:00
Rasmus Lerchedahl Petersen
e778a65464 Python: Adjust test expectations 
so we can see the light go green.
But we should perhaps do something about those duplicate results.
 2021-06-29 11:29:42 +02:00
Rasmus Lerchedahl Petersen
fbfe415162 Python: Limit test files 2021-06-29 11:18:24 +02:00
Rasmus Lerchedahl Petersen
6f2cdbf59e Python: Give up on providing values for form feeds 2021-06-29 11:14:27 +02:00
Rasmus Lerchedahl Petersen
ffb8938e52 Python: undo autoformat character mangling 2021-06-29 11:06:17 +02:00
Rasmus Lerchedahl Petersen
135b71b649 Python: Apply performance fix by @hvitved 2021-06-29 11:01:33 +02:00
Rasmus Lerchedahl Petersen
c7992f6c6e Python: add change note 2021-06-28 17:24:37 +02:00
Rasmus Lerchedahl Petersen
40ac91eecd Python: Add some tests for exponential ReDoS 
- `KnownCVEs` contain the currently triaged Python CVEs
- `unittest.py` contains some tests constructed by @erik-krogh
- `redos.py` contains a port of `tst.js` from javascript
The expected file has been ported as well with some fixups by @tausbn
 2021-06-28 17:04:49 +02:00
Rasmus Lerchedahl Petersen
591b6ef69c Python: Add ReDoS as identical files from JS 
The library specific file is `RegExpTreeView`.
The files are recorded as identical via the mapping
in `identical-files.json`.
 2021-06-28 17:04:48 +02:00
Rasmus Lerchedahl Petersen
2c27ce7aa5 Python: Make ast viewer see regexes 
This work is due to @erik-krogh who also
 - made corresponding fixes to `RegexTreeView.qll`
 - implemented `toUnicode` so it is available on `String`s
 2021-06-28 17:04:48 +02:00
Rasmus Lerchedahl Petersen
d953ba8dd4 Python: A parse-tree-view of regular expressions 
This contains several contributions from @erik-krogh
and also some fixes from @nickrolfe
 2021-06-28 17:04:48 +02:00
Rasmus Lerchedahl Petersen
21007d21f4 Python: track if qualifiers allow unbounded 
repeats. This in preparation for ReDoS
 2021-06-28 17:04:48 +02:00
Rasmus Lerchedahl Petersen
74ca1d00b9 Python: More precise regex parsing 2021-06-28 17:04:48 +02:00
Rasmus Lerchedahl Petersen
e5f07cc4d3 Python: inline test of regex components 
- Added naive implementation of `charRange` so the test can run.
- Made predicates public as needed.
 2021-06-28 17:04:48 +02:00
Rasmus Wriedt Larsen
9573048ee8 Python: Port py/clear-text-logging-sensitive-data 2021-06-25 14:35:31 +02:00
Rasmus Wriedt Larsen
68cfeb0b5c Python: Model logging from the logging module 2021-06-25 14:26:35 +02:00
Rasmus Wriedt Larsen
c05e375401 Python: Fix indentation of hashlib modeling 2021-06-25 14:26:35 +02:00
Rasmus Wriedt Larsen
36c9ceb13b Python: Add Logging concept 2021-06-25 14:26:35 +02:00
Rasmus Wriedt Larsen
a7eb1b3a12 Python: Minor QLDoc fixup 2021-06-25 14:26:35 +02:00
Anders Schack-Mulligen
2d24387e9e Merge pull request #6149 from edoardopirovano/fix-java-regression 
Performance: Fix bad join order in Java dataflow library
 2021-06-25 10:42:05 +02:00
Rasmus Wriedt Larsen
a9469b73d9 Python: Port py/clear-text-storage-sensitive-data 2021-06-24 17:39:08 +02:00
Rasmus Wriedt Larsen
8926b3edc7 Python: Add change-note for CookieWrite 2021-06-24 17:34:43 +02:00
Rasmus Wriedt Larsen
7017beca47 Python: Model CookieWrite for twisted 
Had to split the call to `request.cookies.append` since inline
expectation tests didn't like the expectation that contained `=` :(
 2021-06-24 17:34:43 +02:00
Rasmus Wriedt Larsen
4606444b85 Python: Model CookieWrite for flask 2021-06-24 17:34:43 +02:00
Rasmus Wriedt Larsen
65c526df86 Python: Model CookieWrite for tornado 2021-06-24 17:34:43 +02:00
Rasmus Wriedt Larsen
9340d658a4 Python: Model CookieWrite for django 2021-06-24 17:34:43 +02:00
Rasmus Wriedt Larsen
930ed0a712 Python: Minor django fixup 2021-06-24 17:34:43 +02:00
Rasmus Wriedt Larsen
226425e831 Python: Model CookieWrite for aiohttp 2021-06-24 17:34:43 +02:00
Rasmus Wriedt Larsen
e1af1f11ee Python: Add HTTP::Server::CookieWrite concept 
along with tests, but no implementations (to ease reviewing).

---

I've put quite some thinking into what to call our concept for this.

[JS has `CookieDefinition`](581f4ed757/javascript/ql/src/semmle/javascript/frameworks/HTTP.qll (L148-L187)), but I couldn't find a matching concept in any other languages.

We used to call this [`CookieSet`](f07a7bf8cf/python/ql/src/semmle/python/web/Http.qll (L76)) (and had a corresponding `CookieGet`).

But for headers, [Go calls this `HeaderWrite`](cd1e14ed09/ql/src/semmle/go/concepts/HTTP.qll (L97-L131)) and [JS calls this `HeaderDefinition`](581f4ed757/javascript/ql/src/semmle/javascript/frameworks/HTTP.qll (L23-L46))

I think it would be really cool if we have a naming scheme that means the name for getting the value of a header on a incoming request is obvious. I think `HeaderWrite`/`HeaderRead` fulfils this best. We could go with `HeaderSet`/`HeaderGet`, but they feel a bit too vague to me. For me, I'm so used to talking about def-use, that I would immediately go for `HeaderDefinition` and `HeaderUse`, which could work, but is kinda strange.

So in the end that means I went with `CookieWrite`, since that allows using a consistent naming scheme for the future :)
 2021-06-24 17:34:43 +02:00
Anders Schack-Mulligen
95ad8b55fe Merge pull request #6107 from aschackmull/dataflow/implicit-reads 
Dataflow: Add support for implicit reads
 2021-06-24 15:38:35 +02:00
Anders Schack-Mulligen
01fc3e6559 C++/C#/Java/Python: Add change notes. 2021-06-24 14:29:34 +02:00
Anders Schack-Mulligen
cd0efbe7ce Dataflow: Sync. 2021-06-24 14:19:17 +02:00
Rasmus Wriedt Larsen
686638a65f Merge pull request #6049 from RasmusWL/jmespath 
Python: Add modeling of `jmespath`
 2021-06-24 11:13:19 +02:00