hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-04 14:48:20 +02:00
Code Issues Packages Projects Releases Wiki Activity
86,710 Commits 1,732 Branches 164 Tags
503c15334a6545eaa3167ee8d35a80fd65d155df
Commit Graph

850 Commits

Author SHA1 Message Date
Joe Farebrother
9edfd7a6fb Use generator script directly 2025-08-21 14:12:26 +01:00
Joe Farebrother
f24f7d5146 Add builtin subclass models, incorporate into query 2025-08-21 13:50:26 +01:00
Napalys Klicius
638f6498f0 Removed lxml.etree.XMLParser from xml bomb sinks 2025-07-15 13:43:00 +02:00
Jeroen Ketema
cbde11ddc9 Properly share ConceptsShared.qll 2025-07-14 16:30:45 +02:00
Sylwia Budzynska
e66659276b Fix formatting 2025-05-27 13:51:03 +02:00
Sylwia Budzynska
8a1c323a98 Change naming to PascalCase 2025-05-27 13:45:40 +02:00
Sylwia Budzynska
84228e0ec8 Add Pandas SQLi sinks 2025-05-27 13:10:39 +02:00
Napalys Klicius
f652686607 Merge pull request #19444 from Napalys/python/hdbcli 
Python: modeling of `hdbcli`
 2025-05-01 17:58:31 +02:00
Napalys Klicius
e1fc0ca051 Added implementation hdbcli as part of PEP249::PEP249ModuleApiNode 2025-05-01 14:18:02 +02:00
yoff
cf45e771f3 python: remove copied comment 2025-04-30 20:01:43 +02:00
yoff
531f2a15a4 python: model send_header from http.server 2025-04-30 19:58:14 +02:00
erik-krogh
34f5f61a10 all: use my script to delete outdated deprecations 2025-01-27 22:16:48 +01:00
Joe Farebrother
d248fbfe57 Merge pull request #18301 from joefarebrother/python-model-missing-builtins 
Python: Add models for builtins `map`, `filter`, `zip`, and `enumerate`.
 2025-01-20 16:39:37 +00:00
Joe Farebrother
344dd2dab5 Qldoc fix 2025-01-15 10:26:37 +00:00
Joe Farebrother
460de3f7d5 Reduce generality of map and zip for performance 2025-01-14 09:39:57 +00:00
Joe Farebrother
4e36008ed9 Add tests 2025-01-14 09:39:56 +00:00
Joe Farebrother
642f9dcbea Model missing builtins 2025-01-14 09:39:54 +00:00
Joe Farebrother
a7fb73a2b2 Merge pull request #18185 from joefarebrother/python-lxml 
Python: Model additional flow steps for the lxml framework
 2025-01-10 13:40:16 +00:00
Joe Farebrother
8b174ea07c Apply suggestions from code review - update doc comments 
Co-authored-by: yoff <lerchedahl@gmail.com>
 2025-01-07 15:21:19 +00:00
Rasmus Wriedt Larsen
34631a8784 Python: Model FastAPI requests 
Co-authored-by: Joe Farebrother <joefarebrother@github.com>
 2024-12-18 15:58:51 +01:00
Joe Farebrother
2019ddfa7f Qldoc improvements + add a few extra tests 2024-12-11 12:25:40 +00:00
Joe Farebrother
5c8ef28d12 Add missing qldoc and revert accidentilly commited threat model change 2024-12-11 12:04:16 +00:00
Joe Farebrother
29a90235e8 Improve tests and use API graphs 2024-12-10 19:09:45 +00:00
Joe Farebrother
d2b0d7a743 Add missing qldoc 2024-12-10 19:07:53 +00:00
Joe Farebrother
89167da177 Model flow steps for lxml 2024-12-10 19:01:14 +00:00
Joe Farebrother
ef1d898b0d Add qldoc 2024-12-09 19:57:39 +00:00
Joe Farebrother
55557f8dd3 Use API graohs directly 2024-12-09 19:57:07 +00:00
Joe Farebrother
cea196ec61 Add concepts tests + some fixes 2024-12-09 19:55:42 +00:00
Joe Farebrother
71ab82dee0 Fix qldoc, formatting, and redundant import warnings 2024-12-09 19:55:21 +00:00
Joe Farebrother
b2c13fe351 Promote template injection sinks for each framework covered 
`Cheetah` was excluded as it was last updated 15 years ago and its documentation links are dead.
 2024-12-09 19:55:17 +00:00
Joe Farebrother
60d8a85a9c Promote jinja sinks 2024-12-09 19:54:57 +00:00
Joe Farebrother
8647073433 Copy template injection to standard pack + add jinja sinks 2024-12-09 19:47:06 +00:00
yoff
22287be5d1 Merge pull request #17370 from Kwstubbs/Bottle/Tornado-HeaderSupport 
Python: Bottle Framework Support
 2024-11-19 15:34:26 +01:00
Kevin Stubbings
ac411f1254 Second round feedback 2024-10-30 13:52:38 -07:00
Kevin Stubbings
0483b8004c Feedback 2024-10-29 15:45:11 -07:00
yoff
c78aeec2ec Update python/ql/lib/semmle/python/frameworks/Pycurl.qll 2024-10-24 11:44:16 +02:00
Porcupiney Hairs
c74f6f587f Merge branch 'main' into pyloadSsl 2024-10-21 20:09:05 +05:30
Porcupiney Hairs
f6369a6ed7 Include changes from review 2024-10-21 20:01:44 +05:30
Porcupiney Hairs
7ef2d79b3f Include changes from review 2024-10-21 03:28:19 +05:30
Arthur Baars
08af7d0007 Merge pull request #17810 from github/post-release-prep/codeql-cli-2.19.2 
Post-release preparation for codeql-cli-2.19.2
 2024-10-18 18:28:07 +02:00
Rasmus Lerchedahl Petersen
30053da70d Python: extra modelling of stdlib 
as a reaction to the latest QA run
 2024-10-18 13:49:33 +02:00
Taus
eaef783f4b Python: Add partial model for copy.replace 
Extends our modelling to partially cover the behaviour of
`copy.replace`. In particular, we model this in two ways:

Firstly, we extend the existing Models-as-Data row for `copy` and
`deepcopy` to also cover `replace`. This means that we treat the result
of `replace` as containing all of the fields of the original object.
This is somewhat _more_ than we want, as strictly speaking the fields
that are overwritten should _not_ propagate flow through the `replace`
call, but currently we don't have a good way of modelling this blocking
of flow.

Secondly, we add a flow summary that adds flow from named arguments of
the `replace` call to the corresponding fields on the base object. This
ensures that we at least have the new flow arising from the `replace`
call.

Note that the flow summary adds this flow for _all_ named arguments of
_all_ `replace` calls throughout the codebase. However, since any
particular `replace` call will only populate a subset of these (the
subset consisting of exactly those named arguments that are in that
particular call), this does not cause any unwanted crosstalk between
different `replace` calls.§
 2024-10-15 12:14:19 +00:00
Taus
6f2cfa0ba8 Python: Update CopySummary to use getMaDRepresentation 
Demonstrates the somewhat more ergonomic way to use
`getMaDRepresentation` when specifying summaries.

Note that this slightly extends the previous definition, in that
`DictionaryContentAny` is now _also_ propagated by a call to the
`.copy()` method, but I think this is correct.
 2024-10-15 11:52:37 +00:00
Rasmus Lerchedahl Petersen
0ac4a10345 Python: model that finditer returns iterable of re.Match objects 2024-10-09 12:42:38 +02:00
Rasmus Lerchedahl Petersen
494b8bd7e1 python: model string property of resultof finditer 2024-10-09 12:40:47 +02:00
Rasmus Lerchedahl Petersen
6f5b949ec8 Python: adjust test expectations 
note that we do retain precision in
`test_dict_from_keyword()`
 2024-10-04 15:30:02 +02:00
Rasmus Lerchedahl Petersen
a4c1a622b7 Merge branch 'main' of https://github.com/github/codeql into python/add-comprehension-capture-flow 2024-10-04 14:53:03 +02:00
yoff
306b087b6e Merge pull request #17566 from yoff/python/dict-can-take-multiple-args 
Python: All dict constructor args are relevant
 2024-10-04 14:30:10 +02:00
yoff
c064a9e092 Update python/ql/lib/semmle/python/frameworks/Stdlib.qll 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2024-10-04 14:01:18 +02:00
Rasmus Lerchedahl Petersen
768d866e72 python: model urllib.parse.parse_qs 2024-10-03 12:20:40 +02:00