hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-20 18:56:32 +01:00
Code Issues Packages Projects Releases Wiki Activity
45,584 Commits 1,672 Branches 157 Tags
530b29ccdfb42bcb8173f270e2f89d76bc20c2bc
Commit Graph

6243 Commits

Author SHA1 Message Date
Tom Hvitved
ffb2b1c15e Data flow: Sync files 2022-10-10 15:39:13 +02:00
Rasmus Wriedt Larsen
13cb4f9241 Merge pull request #10750 from RasmusWL/pyhton-typo 
Python: Fix typo in qldoc
 2022-10-10 15:11:09 +02:00
Rasmus Wriedt Larsen
dba42d6bb8 Python: Model executemany on PEP-249 DB APIs 
Note: I kept the modeling using the old approach with type-trackers
instead of `DataFlow::MethodCallNode`.

I would like a meta query for DCA to show sinks before doing this, so I
can be absolutely sure we don't loose out on any important sinks on
this... so will postpone this work to a small one-off task (added to my
todo list).
 2022-10-10 14:16:47 +02:00
Rasmus Wriedt Larsen
669f4f38b9 Python: Update QLDocs on PEP249Impl.qll 2022-10-10 14:13:01 +02:00
Rasmus Wriedt Larsen
4ee71ae4a1 Python: Add support for pymssql package 
I also forgot to mention `PyMySQL` in frameworks.rst
 2022-10-10 14:02:40 +02:00
Tom Hvitved
60fe370f2a Merge pull request #10744 from hvitved/dataflow/has-flow-to-no-fast-tc 
Data flow: Avoid call to `pathSuccPlus` in `Configuration::hasFlowTo(Expr)`
 2022-10-10 14:02:39 +02:00
Rasmus Wriedt Larsen
b1d33a404c Python: Sort Frameworks.qll 2022-10-10 13:55:10 +02:00
Rasmus Wriedt Larsen
584ccf1992 Python: clean up Mysql.qll 2022-10-10 13:49:26 +02:00
Rasmus Wriedt Larsen
08d6b2f30a Python: Fix typo in qldoc 2022-10-10 13:46:18 +02:00
Rasmus Wriedt Larsen
4b1f6f0865 Merge pull request #10629 from RasmusWL/fix-flask-source 
Python: Fix flask request modeling
 2022-10-10 09:56:22 +02:00
Tom Hvitved
296ec94a2a Data flow: Sync files 2022-10-09 19:48:45 +02:00
erik-krogh
6fdfd40880 changes to address reviews 2022-10-07 22:31:00 +02:00
github-actions[bot]
b8ef9e0ddc Post-release preparation for codeql-cli-2.11.1 2022-10-07 15:59:45 +00:00
erik-krogh
10a014f18c add change-note 2022-10-07 13:46:48 +02:00
erik-krogh
944ca4a0da fix some more style-guide violations in the alert-messages 2022-10-07 11:23:34 +02:00
github-actions[bot]
a02dcdc5e1 Release preparation for version 2.11.1 2022-10-07 02:20:28 +00:00
Henry Mercer
7a7d164b07 Merge pull request #10698 from github/henrymercer/successfully-extracted-files-tag 
Tag successfully extracted files queries
 2022-10-06 13:21:52 +01:00
Tom Hvitved
0e6735b804 Merge pull request #10691 from hvitved/dataflow/conjunctive-clears 
Data flow: Take conjunctive `With(out)Contents` into account in `prohibitsUseUseFlow`
 2022-10-06 09:03:30 +02:00
Henry Mercer
d80d39504f Tag successfully extracted files queries 
Tag the successfully extracted files queries with
`successfully-extracted-files` to make them easier to identify
programmatically in a language-independent way.
This follows the prior art for lines of code queries, which are tagged
`lines-of-code`.
 2022-10-05 19:19:43 +01:00
Tom Hvitved
0beea9fd1a Fix typos 2022-10-05 15:54:52 +02:00
Tom Hvitved
6f518c1996 Data flow: Sync files 2022-10-05 12:58:29 +02:00
Asger F
ab6e488efe Python: sync 2022-10-05 11:10:35 +02:00
Asger F
8b7ec20573 Merge branch 'main' into rb/summarize-more 2022-10-05 09:43:52 +02:00
Rasmus Wriedt Larsen
2541af6587 Python: Rewrite py/flask-debug 2022-10-04 20:41:18 +02:00
Rasmus Wriedt Larsen
05bca0249c Python: Expand test for py/flask-debug 
(I couldn't see one using positional argument)
 2022-10-04 20:39:08 +02:00
Rasmus Wriedt Larsen
60527dfc17 Python: Fix py/meta/alerts/remote-flow-sources-reach 2022-10-04 14:42:51 +02:00
Asger F
28f4dff1d3 Python: sync 2022-10-04 11:15:11 +02:00
Rasmus Wriedt Larsen
d7be27a1c0 Python: Fix experimental py/ip-address-spoofing 
I realized the modeling was done in a non-recommended way, so I changed
the modeling. It was very nice that I could use API graphs for the flask
part, and a little sad when I couldn't for Django/Tornado.
 2022-10-03 21:19:30 +02:00
Rasmus Wriedt Larsen
b01a0ae696 Python: Adjust .expected after flask source change 
It's really hard to audit that this is all good.. I tried my best with
`icdiff` though -- and there is a problem with
ql/src/experimental/Security/CWE-348/ClientSuppliedIpUsedInSecurityCheck.ql
that needs to be fixed in the next commit
 2022-10-03 20:35:49 +02:00
Tom Hvitved
e57c3bec63 Sync files 2022-10-03 20:29:39 +02:00
Tom Hvitved
d52d3d7b75 Merge pull request #10644 from hvitved/ruby/prevent-reevaluation 
Ruby: Prevent reevaluation of expensive predicates
 2022-10-03 13:10:39 +02:00
Rasmus Wriedt Larsen
a0fcd4a9bf Merge pull request #10631 from RasmusWL/cleanup-options-files 
Python: Remove last `-p ../lib/` in `options` files
 2022-10-03 11:09:59 +02:00
Tom Hvitved
dc432c7774 Sync shared files 2022-09-30 14:56:56 +02:00
Asger F
6e1914ad01 Merge pull request #10375 from asgerf/rb/summarize-loads-v2 
Ruby: type-tracking and API edges through simple library callables
 2022-09-30 14:25:17 +02:00
Nick Rolfe
ef8ec0878a Merge pull request #10641 from github/nickrolfe/a_an 
JS/Python/Ruby: s/a HTML/an HTML/
 2022-09-30 12:17:15 +01:00
CodeQL CI
b66e5c5aee Merge pull request #10634 from yoff/python/rewrite-typetrackers 
Approved by tausbn
 2022-09-30 03:55:35 -07:00
Nick Rolfe
ed74e0aad1 JS/Python/Ruby: s/a HTML/an HTML/ 2022-09-30 10:37:52 +01:00
yoff
8ab5617b51 Merge pull request #10539 from yoff/python/improve-API-graphs 
Python: add subscript to API graphs
 2022-09-29 21:05:22 +02:00
Rasmus Lerchedahl Petersen
84ab860600 python: rewrite type tracker for ldap operations 
There are several other clean ups I would like to do in this file,
but this can wait until we promote the query.
 2022-09-29 20:32:19 +02:00
Rasmus Lerchedahl Petersen
0654e39e72 python: rewrite type tracker for compiled regexes 
we have the option to use `regex.getAValueReachingSink`
rather than `regex.asSink`, but it will likely be used as a
sink for data flow.
 2022-09-29 20:30:29 +02:00
Rasmus Wriedt Larsen
ea27f4e20f Python: Remove last -p ../lib/ in options files 
These were only needed for points-to.

If they only contained `--max-import-depth`, I've removed the `options`
file entirely.
 2022-09-29 18:05:51 +02:00
Rasmus Wriedt Larsen
0cb8e121e9 Python: Fix flask request modeling 
This takes us part of the way. We still get multiple paths for the same
alert, but that will be fixed in a different PR.
 2022-09-29 17:41:21 +02:00
Asger F
ed36f1983b Python: sync TypeTracker.qll 2022-09-29 15:57:09 +02:00
Asger F
dc03557aea Merge branch 'main' into rb/summarize-loads-v2 2022-09-29 12:07:30 +02:00
Rasmus Lerchedahl Petersen
a11948bea0 Python: make toString follow member predicate name 2022-09-28 16:13:04 +02:00
Rasmus Lerchedahl Petersen
d122a64e74 Python: do not commit to CfgNode 2022-09-28 16:12:29 +02:00
Asger F
24f2a3cdff Sync ApiGraphModels.qll 2022-09-28 12:17:44 +02:00
Rasmus Lerchedahl Petersen
05102f9007 Python: add change note 2022-09-28 12:06:05 +02:00
Rasmus Lerchedahl Petersen
b1ae3bfdb2 Python: less eager tracking of flow 2022-09-28 11:46:26 +02:00
Rasmus Lerchedahl Petersen
63ee51a4e2 Python: inline mongoCollectionMethod 2022-09-28 11:40:06 +02:00