hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-03-20 22:46:47 +01:00
Code Issues Packages Projects Releases Wiki Activity
21,457 Commits 1,712 Branches 163 Tags
62f3e8d64a4f75fc6fdf21dbeafaa66685f91e39
Commit Graph

2977 Commits

Author SHA1 Message Date
thank_you
62f3e8d64a Add sanitizer for ObjectId 
ObjectId is a sanitizer used to sanitize strings into valid MongoDB ids. During research we've found that this method is used.

ObjectId returns a string representing an id. If at any time ObjectId can't parse it's input (like when a tainted dict in passed in), then ObjectId will throw an error preventing the query from running.
 2021-04-26 15:35:42 -04:00
thank_you
7773c53124 Replace any(string) with _ wildcard 2021-04-20 08:49:08 -04:00
thank_you
bbd3552392 Rename predicate to getQuery 2021-04-20 08:47:37 -04:00
jorgectf
5d25a27d62 Add .expected 2021-04-09 22:28:03 +02:00
jorgectf
4615927eeb Fix flask_mongoengine Call 2021-04-09 22:27:53 +02:00
jorgectf
166385755a Polish Calls naming 2021-04-09 21:49:41 +02:00
jorgectf
208b53e4d2 Polish query file 2021-04-09 21:36:21 +02:00
jorgectf
983af32ab5 Polish qhelp examples 2021-04-09 21:36:11 +02:00
jorgectf
fa5869afe7 Polish qhelp and examples 2021-04-09 21:31:45 +02:00
jorgectf
a6b3aefb0b Add flask_mongoengine sink 2021-04-09 21:30:17 +02:00
jorgectf
0e51dbec86 Polish tests 2021-04-09 21:29:56 +02:00
thank_you
83f28bfdda Catch any keyword argument passed to MongoEngine's objects method 
After some research, we discovered that any keyword argument passed to the objects method will result in NoSQL injection. This includes scenarios where we have the following:

objects(name_of_model_attribute=unsanitized_user_input)
 2021-04-07 16:45:48 -04:00
thank_you
719c30bd92 Fix file name and adjust where the test points to 2021-04-07 16:42:51 -04:00
thank_you
4e98348411 Remove comment 2021-04-06 13:57:03 -04:00
thank_you
dc274ecf36 Improve sentence structure and grammar 2021-04-06 13:51:59 -04:00
thank_you
520e65e3c3 Remove unnecessary example code 2021-04-06 13:46:51 -04:00
thank_you
ac31260fed Made grammar changes 2021-04-06 13:42:57 -04:00
thank_you
6ade120983 Add check for mongoengine raw queries 
After initial research on our end, we believe that the only vulnerability within the objects() method is passing a query into the __raw__ keyword argument. More info can be found below:

http://docs.mongoengine.org/guide/querying.html?highlight=inc__#raw-queries
 2021-04-05 20:44:16 -04:00
thank_you
759fa2cd01 Update query to search for more pymongo sink methods 2021-04-05 20:42:18 -04:00
thank_you
3f0c758622 Add required __raw__ keyword 
This __raw__ keyword is required for the actual mongoengine vulnerability. More info can be found below:

http://docs.mongoengine.org/guide/querying.html?highlight=inc__#raw-queries
 2021-04-05 19:07:13 -04:00
Your Name
80216f6974 Rename classes 2021-04-05 14:41:08 -04:00
Your Name
be9a3a95b1 Add relevant PyMongo sink methods 2021-04-05 14:23:56 -04:00
Your Name
9072d19cda Update qhelp file 2021-04-05 13:56:43 -04:00
jorgectf
15e176a3b8 Polish query select 2021-04-01 13:00:12 +02:00
jorgectf
f980d0694b Fix taint configs 2021-04-01 12:50:25 +02:00
jorgectf
c8740a2031 Update naming 2021-04-01 12:41:11 +02:00
jorgectf
3a47a45e47 Attempt to apply TaintTracking2 2021-03-31 18:49:41 +02:00
jorgectf
f0a50eb67a Polish up configs 2021-03-31 17:58:18 +02:00
jorgectf
017a826b30 Remove unused class variables 2021-03-31 17:52:03 +02:00
jorgectf
5a1dc48e48 Fix Mongoengine test 2021-03-31 17:50:31 +02:00
jorgectf
7a4dc46341 Fix Sinks 2021-03-31 17:50:05 +02:00
jorgectf
01f9d4a1b0 Fix MongoEngine Sink 2021-03-31 15:50:45 +02:00
jorgectf
ccd57bea7a Fix imports 2021-03-30 21:17:11 +02:00
jorgectf
4579132f22 Add left tests 2021-03-30 21:14:33 +02:00
jorgectf
d856f160c8 Adapt query configs and custom classes 2021-03-30 21:14:21 +02:00
jorgectf
bd5ff01ebb PyMongo and Mongoengine sinks 2021-03-30 21:13:43 +02:00
jorgectf
aea7546cf9 Add Concepts 2021-03-30 21:13:15 +02:00
jorgectf
517a9202ce PR init 2021-03-30 17:51:17 +02:00
yoff
208d5157fa Merge pull request #5500 from RasmusWL/django-forms 
Python: Model RemoteFlowSources on Django forms/fields
 2021-03-25 20:43:19 +01:00
yoff
716e0f1404 Merge pull request #5517 from tausbn/python-prevent-potentially-bad-join-order 
Python: Prevent potentially bad join order
 2021-03-25 18:14:47 +01:00
Taus Brock-Nannestad
0ae8b69102 Python: Prevent joining on scope in PointsToContext::appliesTo 
One of those cases where I _wish_ `pragma[inline]` also meant "don't
join on the stuff inside this predicate -- it's inlined for a reason".

Unsurprisingly, joining on the scope first works poorly.
 2021-03-24 23:12:48 +01:00
Taus Brock-Nannestad
28d6cad3d0 Python: Prevent joining on name as the first thing 
Many instances of `lookup` are restricted by the presence of
`attributeRequired`, but this does not work well if we join on
`name`. A few instances of `only_bind_into` prevents this.
 2021-03-24 23:11:09 +01:00
Taus Brock-Nannestad
ed8ffab356 Python: Prevent potentially bad join order 
This has no effect on the current compilation (indeed,
`ssa_filter_definition_bool` is not currently inlined), but will
prevent this from ever occurring, should the heuristics for inlining
ever change...
 2021-03-24 19:20:19 +01:00
yoff
8d15680af4 Merge pull request #5506 from tausbn/python-allow-absolute-imports-from-source-directory 
Python: Allow absolute imports in directories with scripts
 2021-03-24 14:42:14 +01:00
yoff
b023d73016 Merge pull request #5504 from RasmusWL/type-tracking-first-predicate-private 
Python: Ensure first type-tracking predicate is private
 2021-03-24 14:23:27 +01:00
Rasmus Wriedt Larsen
1473778bb8 Merge pull request #5493 from yoff/python-add-experimental-structure 
Python: Add stub structure to `experimental` for external contributions
 2021-03-24 14:11:13 +01:00
Rasmus Wriedt Larsen
70974ea197 Python: Fix grammar in QLDoc 
Co-authored-by: yoff <lerchedahl@gmail.com>
 2021-03-24 14:06:06 +01:00
Taus Brock-Nannestad
47686a6e4c Python: Disregard all files matching .py% 2021-03-24 14:03:00 +01:00
Taus Brock-Nannestad
8d30ee5c3c Python: Include unmarked Python file in snapshot 
Sadly, it seems we're not interpreting this as Python code, even if we
explicitly ask to have it included.
 2021-03-24 14:01:13 +01:00
Rasmus Wriedt Larsen
59200386a7 Python: Fix mistake in refactor 2021-03-24 13:51:29 +01:00