hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-01-12 14:10:21 +01:00
Code Issues Packages Projects Releases Wiki Activity
16,866 Commits 1,680 Branches 158 Tags
5d0c30db6691d90535ed58b060dd98439afe96f4
Commit Graph

1494 Commits

Author SHA1 Message Date
Rasmus Wriedt Larsen
4d9d2155fc Python: Make "..Call" modeling classes extend DataFlow::CfgNode 2020-10-14 10:44:58 +02:00
Rasmus Wriedt Larsen
b0e79890e6 Python: Use new importNode 2020-10-14 10:43:22 +02:00
Rasmus Wriedt Larsen
4597ba64d0 Merge branch 'main' into python-model-invoke 2020-10-14 10:41:37 +02:00
Taus
83937bacae Merge pull request #4448 from RasmusWL/python-simplify-import-modeling 
Python: simplify import modeling
 2020-10-13 18:08:07 +02:00
Rasmus Wriedt Larsen
2c5996f694 Python: Refactor subprocess_attr type-tracker 
Co-authored-by: Taus <tausbn@github.com>
 2020-10-13 17:21:21 +02:00
Rasmus Wriedt Larsen
76c9b8c49f Python: Expose importNode instead of importModule/importMember 
Since predicate name `import` is not allowed, I adopted `importNode` as it sort
of matches what `exprNode` does.

---

Due to only using `importMember` in `os_attr` we previously didn't handle
`import os.path as alias` :|

I did creat a hotfix for this (https://github.com/github/codeql/pull/4446), but
in doing so I realized the core of the problem: We're exposing ourselves to
making these kinds of mistakes by having BOTH importModule and importMember, and
we don't really gain anything from doing this!

We do loose the ability to easily only modeling `from mod import val` and not
`import mod.val`, but I don't think that will ever be relevant.

This change will also make us to recognize some invalid code, for example in

    import os.system as runtime_error

we would now model that `runtime_error` is a reference to the `os.system`
function (although the actual import would result in a runtime error).

Overall these are tradeoffs I'm willing to make, as it does makes things simpler
from a QL modeling point of view, and THAT sounds nice 👍
 2020-10-13 15:03:22 +02:00
Taus Brock-Nannestad
1829126230 Python: Get rid of DataFlowCfgNode 
Should make modelling data flow nodes that are also specific
subclasses of `ControlFlowNode` a bit smoother.
 2020-10-13 13:04:59 +02:00
Rasmus Wriedt Larsen
662235bad8 Python: Use classRef instead of class_ 
Discussed offline with Taus
 2020-10-13 11:56:37 +02:00
CodeQL CI
d3f8fb5e53 Merge pull request #4423 from tausbn/python-add-attribute-access-interface 
Approved by RasmusWL
 2020-10-13 02:56:21 -07:00
Taus Brock-Nannestad
3288cf1a75 Python: Hopefully final changes to documentation. 2020-10-12 16:38:21 +02:00
Taus Brock-Nannestad
b07c7abacc Python: Clear up attribute name access QLDoc 2020-10-12 13:49:08 +02:00
Anders Schack-Mulligen
1c043447e8 Dataflow: Introduce consistency check for flow targeting PostUpdateNodes. 2020-10-09 14:29:52 +02:00
Taus
60eec7b136 Python: Update python/ql/src/experimental/dataflow/internal/Attributes.qll 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2020-10-08 18:14:20 +02:00
Taus Brock-Nannestad
d46453caaa Python: Support named imports as attribute reads 
Required a small change in `DataFlow::importModule` to get the desired
behaviour (cf. the type trackers defined in `moduleattr.ql`, but this
should be harmless. The node that is added doesn't have any flow
anywhere.
 2020-10-08 18:08:55 +02:00
Taus Brock-Nannestad
df447c0af9 Python: Remove flow from getAttributeName 2020-10-08 15:01:24 +02:00
Taus Brock-Nannestad
ceb249680e Python: Reuse existing node fields 
Also changes `x = TCfgNode(y)` to `x.asCfgNode() = y` where applicable.
 2020-10-08 15:00:14 +02:00
Taus Brock-Nannestad
31596ef569 Python: Clean up and extend built-in call node classes 2020-10-08 14:57:39 +02:00
Taus Brock-Nannestad
e9ecc00b37 Python: Implement and use mayHaveAttributeName 2020-10-08 14:53:54 +02:00
Rasmus Wriedt Larsen
c09695af7d Python: Properly handle invoke.task decorator 2020-10-07 12:29:19 +02:00
Rasmus Wriedt Larsen
67c5c590d2 Python: Expose getParameter on ParameterNode 2020-10-07 12:28:35 +02:00
Rasmus Wriedt Larsen
6d7f4a048b Python: Attempt to model invoke.task decorator 2020-10-07 12:26:49 +02:00
Rasmus Wriedt Larsen
c9219b3744 Clean module imports 2020-10-07 12:21:30 +02:00
Rasmus Wriedt Larsen
ebff1794fc Python: Model invoke.context.Context 2020-10-07 12:16:53 +02:00
Rasmus Wriedt Larsen
4ef5202382 Python: Add simple model for invoke.run and invoke.sudo 
and I sorted the list in Frameworks.qll, that kinda makes sense :)
 2020-10-07 12:13:59 +02:00
Taus Brock-Nannestad
b905a3d5e3 Python: Attribute access API 2020-10-06 16:36:29 +02:00
Rasmus Lerchedahl Petersen
0f077f5d7d Python: Add flow inside IfExprNodes 2020-10-06 10:54:23 +02:00
Arthur Baars
78c58c2415 Merge pull request #4384 from tausbn/python-fix-package-locations 
Python: Fix `hasLocationInfo` for packages
 2020-10-02 20:48:43 +02:00
Alexander Eyers-Taylor
30ed6a0dac Merge pull request #4385 from aibaars/drop-queries 
Drop 'tech-inventory' and 'code duplication' queries from the standard query suites
 2020-10-02 18:31:25 +01:00
Arthur Baars
daa1bcc06e Also mark 'tech inventory' queries as deprecated 2020-10-02 17:23:11 +02:00
Arthur Baars
fc45b6cd3c Drop 'tech-inventory' and 'code duplication' queries from the standard query suites 2020-10-02 17:22:04 +02:00
Taus
fce76e2799 Merge pull request #4354 from RasmusWL/python-command-execution-modeling 
Python: Better command execution modeling
 2020-10-02 16:14:34 +02:00
Rasmus Wriedt Larsen
eb67986916 Python: Exlucde only command injection sinks in os and subprocess 2020-10-02 14:11:07 +02:00
Rasmus Wriedt Larsen
68eacef23c Python: Refactor OsExecCall and friends for better readability 2020-10-02 13:38:54 +02:00
Rasmus Wriedt Larsen
de07d9e5d9 Python: Highlight that os.popen is not only problem for extra alerts 2020-10-02 13:34:33 +02:00
Taus Brock-Nannestad
75f4051cb5 Python: Fix hasLocationInfo for packages 2020-10-01 17:21:53 +02:00
Chris Smowton
578ea1ae43 Fix OWASP broken links 2020-10-01 13:09:52 +01:00
Rasmus Wriedt Larsen
3247b300ae Python: Fix problem with missing use-use flow 2020-10-01 12:55:11 +02:00
Rasmus Wriedt Larsen
428c2a3fda Merge branch 'main' into python-command-execution-modeling 2020-09-30 17:38:59 +02:00
Rasmus Wriedt Larsen
c4a2e1d6d1 Python: Rewrite attribute lookup helpers for better performance 
Not that they actually had a huge problem right now, just that using the old
pattern HAS lead to bad performance in the past. See
https://github.com/github/codeql/pull/4361
 2020-09-30 17:31:20 +02:00
Taus
32bf7d6bdf Merge pull request #4256 from fatenhealy/Noblowfish 
CWE-327 BrokenCryptoAlgorithm recommendation to AES instead of Blowfish
 2020-09-30 16:15:46 +02:00
Faten Healy
03d8fc7296 changed to AES 2020-09-30 22:18:36 +10:00
Rasmus Wriedt Larsen
9c1253c8af Python: Remove flow out of CommandInjection sinks 2020-09-30 13:29:40 +02:00
Rasmus Wriedt Larsen
0542c3b91e Python: Model os.path.join and add taint-step 2020-09-30 11:42:36 +02:00
Rasmus Wriedt Larsen
efa2484718 Python: Add taint test for os.path.join 
Surprisingly the first two just worked, due to our very general handling of any
`join` methods :D
 2020-09-30 11:35:21 +02:00
Rasmus Wriedt Larsen
b3efa28277 Merge branch 'main' into python-command-execution-modeling 2020-09-30 10:24:11 +02:00
Rasmus Wriedt Larsen
fee279f952 Python: Hotfix performance problem with flask methods 
This improves runtime for command injection query on
https://lgtm.com/projects/g/alibaba/funcraft from +200 seconds (I did not care
to wait more) down to ~55 seconds on my machine.

This type of tracking predicate with string as additional argument apparently
causes trouble :|
 2020-09-29 11:00:57 +02:00
Rasmus Wriedt Larsen
f7f6564189 Python: Model subprocess.Popen (and helpers) 2020-09-28 11:13:04 +02:00
Rasmus Wriedt Larsen
62dc0dd263 Python: Model os.exec* os.spawn* and os.posix_spawn* 
I also had to exclude the inline expectation tests from files outside the test
repo.
 2020-09-28 11:05:33 +02:00
Taus
fc84286b56 Merge pull request #3830 from yoff/SharedDataflow_FieldFlow 
Python: Shared dataflow: Field flow
 2020-09-25 14:53:57 +02:00
yoff
c56ff986d4 Apply suggestions from code review 
Co-authored-by: Taus <tausbn@github.com>
 2020-09-25 11:56:50 +02:00