hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-01-26 12:52:57 +01:00
Code Issues Packages Projects Releases Wiki Activity
41,753 Commits 1,686 Branches 158 Tags
554aea1bb816029bb1b699ea305114d5c8242601
Commit Graph

300 Commits

Author SHA1 Message Date
alexet
f9b6ca76e5 Python: Fix binding incorrect predicate. 2022-07-18 16:28:19 +01:00
Asger F
3a669a8d21 Python: getAValueReachingRhs -> getAValueReachingSink 2022-06-21 12:44:06 +02:00
Asger F
b096f9ec72 Python: Rename getAUse -> getAValueReachableFromSource 2022-06-21 12:44:06 +02:00
Asger F
181a53bd03 Python: Rename getAnImmediateUse -> asSource 2022-06-21 12:44:06 +02:00
Asger F
60fde3c031 Python: Rename getARhs -> asSink 2022-06-21 12:44:06 +02:00
yoff
9dbb451f41 Merge pull request #9463 from RasmusWL/req-wo-cert-validation 
Python: Rewrite `py/request-without-cert-validation`
 2022-06-15 13:00:57 +02:00
Alex Ford
8d195e3188 Merge pull request #9157 from alexrford/crypto-op-block-mode 
Ruby/Python: Add a `BlockMode` concept for `CryptographicOperations`
 2022-06-13 21:32:36 +02:00
Rasmus Wriedt Larsen
5b2d799fde Python: Model certificate disabling in urllib3 2022-06-08 17:41:45 +02:00
Rasmus Wriedt Larsen
0d02ca07d7 Python: Add certificate disable test of urllib/urllib2 2022-06-08 17:41:45 +02:00
Rasmus Wriedt Larsen
049e87201c Python: Model certificate disabling in httpx 2022-06-08 17:41:45 +02:00
Rasmus Wriedt Larsen
1a2a4232a8 Python: Refactor httpx tests 
and improve QLDocs a bit
 2022-06-08 17:41:45 +02:00
Rasmus Wriedt Larsen
f72a1d98bb Python: Model certificate disabling in aiohttp.client 2022-06-08 17:41:45 +02:00
Rasmus Wriedt Larsen
4b07a7b7be Python: Add missing QLDoc for requests 
Also fix links
 2022-06-08 17:41:42 +02:00
Rasmus Wriedt Larsen
c21e05aa44 Python: Use HTTP::Client::Request request for py/request-without-cert-validation 
This is very much like the Ruby query, except we also have the origin
that does the disabling.

976daddd36/ruby/ql/src/queries/security/cwe-295/RequestWithoutValidation.ql (L18-L20)
 2022-06-08 15:42:32 +02:00
Rasmus Wriedt Larsen
729cf79be7 Merge pull request #9351 from RasmusWL/django-file-read 
Python: Support `read` on Django file
 2022-06-01 10:45:26 +02:00
Rasmus Wriedt Larsen
4861a980be Python: Fix cryptography modeling 
The old code was my own suggestion, that I thought would just work, but
was also slightly skeptical about.

I tested out whether it works with the code below

```codeql
predicate foo(int input, string res) {
  input = 1 and res = "that was one"
}

from int input, string res
where
  input in [1, 2] and
  if foo(input, res)
  then any()
  else res = "not one"
select input, res
```

which gave the 3 results

```
1 |	that was one
1 |	not one
2 |	not one
```

only by rewriting the code to be the one below, did I get down to the 2
results I actually wanted. So I've done the same kind of rewrite in the
commit.

```codeql
predicate foo(int input, string res) {
  input = 1 and res = "that was one"
}

from int input, string res
where
  input in [1, 2] and
  if foo(input, _)
  then foo(input, res)
  else res = "not one"
select input, res
```
 2022-05-30 14:37:27 +02:00
Erik Krogh Kristensen
e557d8839b have the Instance token just be an alias for ReturnValue 2022-05-30 12:21:42 +02:00
Rasmus Wriedt Larsen
5924e88a86 Python: Support read on Django file 2022-05-27 11:18:26 +02:00
Erik Krogh Kristensen
a5b11e88b4 update doc to make it clear that moduleImport(..) does not refer to PyPI names 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2022-05-19 20:00:43 +02:00
Alex Ford
f8576fb05b Python: avoid missing cryptography uses due to unhandled encryption modes 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2022-05-19 15:22:49 +01:00
Erik Krogh Kristensen
03da62713c fix typo identified by QL-for-QL 2022-05-17 12:32:40 +02:00
Erik Krogh Kristensen
818975dc56 sync upstream typo fixes 2022-05-17 12:25:52 +02:00
Erik Krogh Kristensen
5d1c41c269 Merge branch 'main' into pyMaD 2022-05-17 12:23:03 +02:00
Erik Krogh Kristensen
55ffdb4aa1 make most imports in ApiGraphModelsSpecific.qll private 2022-05-17 10:34:17 +02:00
Erik Krogh Kristensen
1f8e7c39f4 fix typo in comment 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2022-05-17 10:32:31 +02:00
Alex Ford
9f2c59cd6d python: implement getBlockMode for CryptographicOperations 2022-05-13 16:32:36 +01:00
Nick Rolfe
2efa38aaa6 Python: fix typos in comments 2022-05-12 16:02:20 +01:00
Erik Krogh Kristensen
fb077bec66 sync AccessPathSyntax changes 2022-05-12 14:46:54 +02:00
Erik Krogh Kristensen
31e9876de7 Merge branch 'main' into pyMaD 2022-05-12 14:43:16 +02:00
yoff
6c3e2db7fd Merge branch 'main' into python/simple-csrf 2022-05-10 10:55:28 +02:00
yoff
b6605bc330 Merge pull request #8634 from RasmusWL/promote-xxe 
Python: Promote XXE and XML-bomb queries
 2022-05-09 21:54:55 +02:00
Rasmus Wriedt Larsen
4a6789182d Python: Apply suggestions from code review 
Co-authored-by: yoff <lerchedahl@gmail.com>
 2022-05-09 16:37:12 +02:00
Rasmus Wriedt Larsen
36349222a9 Python: Fix casing of XMLDomParsing 2022-05-09 11:00:25 +02:00
Rasmus Wriedt Larsen
f22bd039f3 Python: Slight refactor of LxmlParsing 2022-05-09 10:56:39 +02:00
Erik Krogh Kristensen
efe306733e move path-injection MaD to PathInjectionCustomizations.qll 2022-05-05 16:51:39 +02:00
yoff
6169ac6122 Merge pull request #7776 from RasmusWL/django-filefield-uploadto 
Python: Support Django FileField.upload_to
 2022-05-05 14:25:08 +02:00
Erik Krogh Kristensen
571fc3e73b Revert "deprecate SqlConstruction" 
This reverts commit c0eca0d09a.
 2022-05-04 10:59:02 +02:00
Erik Krogh Kristensen
ead978187d adjust the source-type for remote-flow from MaD 2022-05-03 22:53:41 +02:00
Rasmus Wriedt Larsen
de4390cdf6 Python: Improve Flask request.files handling even more 2022-05-02 14:19:45 +02:00
Rasmus Wriedt Larsen
fb0133d276 Python: Fix Flask request.files modeling 2022-05-02 14:14:58 +02:00
Erik Krogh Kristensen
c0eca0d09a deprecate SqlConstruction 2022-05-02 12:58:21 +02:00
Erik Krogh Kristensen
a8790412dd add support for the Argument[any] and Argument[any-named] tokens 2022-05-02 12:58:21 +02:00
Erik Krogh Kristensen
b1fa7f86a8 add support for the any argument tokens 2022-05-02 12:58:15 +02:00
Erik Krogh Kristensen
413d182bcf add support for named parameters 2022-05-02 12:56:44 +02:00
Erik Krogh Kristensen
547047ef19 add self parameters to API-graphs, and add support for self parameters in MaD 2022-05-02 12:50:31 +02:00
Erik Krogh Kristensen
dc38aa8a96 add support for the Method[name] token 2022-05-02 12:50:29 +02:00
Erik Krogh Kristensen
ea01bcf5ec have the Instance token be an alias for Subclass.ReturnValue 2022-05-02 12:45:21 +02:00
Erik Krogh Kristensen
46acce0ad4 add support for the Subclass token 2022-05-02 12:45:21 +02:00
Erik Krogh Kristensen
d4b882519a convert most of the asyncpg model to MaD 2022-05-02 12:45:21 +02:00
Erik Krogh Kristensen
1c2c9159a9 initial MaD implementation for Python 2022-05-02 12:45:19 +02:00