hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-06-15 18:01:10 +02:00
Code Issues Packages Projects Releases Wiki Activity
16,884 Commits 1,785 Branches 169 Tags
6a3aed337f858ab3441bea55ddf72761ef3cbb3c
Commit Graph

329 Commits

Author SHA1 Message Date
Rasmus Lerchedahl Petersen
352418cb5d Python: track safe loaders 2020-10-14 16:33:55 +02:00
Rasmus Lerchedahl Petersen
b8cba381cf Merge branch 'main' of github.com:github/codeql into python-port-unsafe-deserialization 2020-10-14 15:01:30 +02:00
Rasmus Lerchedahl Petersen
3a281a1bd6 Python: Adjust comments and tests 2020-10-14 14:40:11 +02:00
yoff
ffe79f688d Apply suggestions from code review 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2020-10-14 14:08:16 +02:00
Taus
92ccb795fd Merge pull request #4415 from RasmusWL/python-flask-routed-parameter 
Python: Add support for routed parameters in flask
 2020-10-14 13:29:51 +02:00
Rasmus Wriedt Larsen
61ecec7d17 Merge pull request #4467 from tausbn/python-fix-import-type-tracking 
Python: Fix unwanted module type tracking
 2020-10-14 13:08:57 +02:00
Taus Brock-Nannestad
f3c07e3849 Python: Fix up import helper tests 2020-10-14 11:58:14 +02:00
Rasmus Wriedt Larsen
4597ba64d0 Merge branch 'main' into python-model-invoke 2020-10-14 10:41:37 +02:00
Rasmus Wriedt Larsen
49d2e68d12 Merge branch 'main' into python-flask-routed-parameter 2020-10-14 10:16:00 +02:00
Rasmus Lerchedahl Petersen
b0ebb5b6d1 Python: Adjust tag format 2020-10-14 09:51:24 +02:00
Rasmus Lerchedahl Petersen
93383747bd Python: Use more common name for concept 2020-10-14 09:28:58 +02:00
Rasmus Lerchedahl Petersen
a76d276b48 Python: Adjust getARelevantTag 2020-10-14 08:44:04 +02:00
yoff
3b9ea3a958 Apply suggestions from code review 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2020-10-14 08:24:26 +02:00
Taus Brock-Nannestad
7d86b53b71 Python: Fix unwanted module type tracking 2020-10-13 22:47:57 +02:00
Taus Brock-Nannestad
76e5b59dab Python: Add test case for unwanted module type tracking 2020-10-13 22:47:03 +02:00
Rasmus Wriedt Larsen
76c9b8c49f Python: Expose importNode instead of importModule/importMember 
Since predicate name `import` is not allowed, I adopted `importNode` as it sort
of matches what `exprNode` does.

---

Due to only using `importMember` in `os_attr` we previously didn't handle
`import os.path as alias` :|

I did creat a hotfix for this (https://github.com/github/codeql/pull/4446), but
in doing so I realized the core of the problem: We're exposing ourselves to
making these kinds of mistakes by having BOTH importModule and importMember, and
we don't really gain anything from doing this!

We do loose the ability to easily only modeling `from mod import val` and not
`import mod.val`, but I don't think that will ever be relevant.

This change will also make us to recognize some invalid code, for example in

    import os.system as runtime_error

we would now model that `runtime_error` is a reference to the `os.system`
function (although the actual import would result in a runtime error).

Overall these are tradeoffs I'm willing to make, as it does makes things simpler
from a QL modeling point of view, and THAT sounds nice 👍
 2020-10-13 15:03:22 +02:00
Rasmus Wriedt Larsen
4bfd55f1af Python: Show problem with os.path modeling 
This is not a very good test for showing that we don't handle direct imports,
but it was the best I had available without inventing something new. It's very
fragile, since any of these would propagate taint (due to handling all `join`
calls as if the qualifier was a string):

    ospath_alias.join(ts)
    ospath_alias.join(ts, "foo", "bar")

But this test DOES serve the purpose of illustrating that my fix works :D
 2020-10-13 14:50:00 +02:00
Rasmus Lerchedahl Petersen
b7e8b48e9e Python: Move concept tests out 
These tests should be fleshed out at some point, but currently
they test all that we model.
 2020-10-13 13:06:47 +02:00
Rasmus Lerchedahl Petersen
4685f2d5f2 Python: Address many review comments 
still need to move concept tests
 2020-10-13 12:03:23 +02:00
CodeQL CI
d3f8fb5e53 Merge pull request #4423 from tausbn/python-add-attribute-access-interface 
Approved by RasmusWL
 2020-10-13 02:56:21 -07:00
Rasmus Wriedt Larsen
ce85ac3ce1 Python: Remove solved TODO 2020-10-13 10:15:03 +02:00
Anders Schack-Mulligen
091e3a2931 Dataflow: Adjust test output. 2020-10-09 16:25:14 +02:00
Rasmus Lerchedahl Petersen
4bd56fdbe4 Python: Implement framework sinks 2020-10-09 16:13:47 +02:00
Rasmus Lerchedahl Petersen
0d8bd01e10 Python: Port query and add test 2020-10-09 16:11:37 +02:00
Taus Brock-Nannestad
d46453caaa Python: Support named imports as attribute reads 
Required a small change in `DataFlow::importModule` to get the desired
behaviour (cf. the type trackers defined in `moduleattr.ql`, but this
should be harmless. The node that is added doesn't have any flow
anywhere.
 2020-10-08 18:08:55 +02:00
Rasmus Wriedt Larsen
c09695af7d Python: Properly handle invoke.task decorator 2020-10-07 12:29:19 +02:00
Rasmus Wriedt Larsen
ebff1794fc Python: Model invoke.context.Context 2020-10-07 12:16:53 +02:00
Rasmus Wriedt Larsen
4ef5202382 Python: Add simple model for invoke.run and invoke.sudo 
and I sorted the list in Frameworks.qll, that kinda makes sense :)
 2020-10-07 12:13:59 +02:00
Rasmus Wriedt Larsen
300a8cdf7d Python: Add tests for the 'invoke' package 2020-10-07 11:55:26 +02:00
Taus Brock-Nannestad
b905a3d5e3 Python: Attribute access API 2020-10-06 16:36:29 +02:00
CodeQL CI
5bc7e19c44 Merge pull request #4414 from yoff/SharedDataflow_Conditionals 
Approved by RasmusWL
 2020-10-06 05:46:24 -07:00
Rasmus Lerchedahl Petersen
f9c5b864bb Python: Fix test of parenthesized form 2020-10-06 13:12:12 +02:00
Rasmus Wriedt Larsen
b82727d0b8 Python: Consider routed parameter if URL pattern unknown 2020-10-06 11:03:25 +02:00
Rasmus Wriedt Larsen
16bad003a0 Python: Add test for routed params with unknown url pattern 2020-10-06 10:58:46 +02:00
Rasmus Lerchedahl Petersen
0f077f5d7d Python: Add flow inside IfExprNodes 2020-10-06 10:54:23 +02:00
Rasmus Lerchedahl Petersen
8f13d586b7 Python: More tests of conditonals 
Also use better formatter
(better because comments are close to what they comment)
 2020-10-06 10:49:15 +02:00
Rasmus Wriedt Larsen
fbe115c046 Python: Show TypeTracking doesn't work for module members 2020-10-06 03:12:39 +02:00
Rasmus Wriedt Larsen
f03a8a838b Python: Make any routed parameter a RemoteFlowSource 
I'm not 100% sure whether this approach makes everything too magic, but I like
the fact that you can't _forget_ to make routed params remove-flow sources.
 2020-10-06 03:03:14 +02:00
Rasmus Wriedt Larsen
b78c665f34 Python: Model RouteSetup for flask 2020-10-06 03:03:13 +02:00
Rasmus Wriedt Larsen
d27e6955b4 Python: Add test setup for HTTP::Server::RouteSetup 2020-10-06 03:03:06 +02:00
Rasmus Wriedt Larsen
d7526c40ba Python: Copy old flask tests to new dataflow setup 2020-10-06 03:02:30 +02:00
Taus
fce76e2799 Merge pull request #4354 from RasmusWL/python-command-execution-modeling 
Python: Better command execution modeling
 2020-10-02 16:14:34 +02:00
Taus
2e4a61428d Merge pull request #4346 from RasmusWL/python-add-implicit-init-test 
Python: add test for implicit __init__.py files
 2020-10-02 16:13:25 +02:00
Rasmus Wriedt Larsen
e5b9ac8d9c Python: Use getCommand as tag in ConceptsTest 2020-10-02 14:12:41 +02:00
Rasmus Wriedt Larsen
de07d9e5d9 Python: Highlight that os.popen is not only problem for extra alerts 2020-10-02 13:34:33 +02:00
Rasmus Wriedt Larsen
3247b300ae Python: Fix problem with missing use-use flow 2020-10-01 12:55:11 +02:00
Rasmus Wriedt Larsen
9b3509f0ba Python: Highlight problem with missing use-use flow 2020-10-01 12:51:44 +02:00
Rasmus Wriedt Larsen
428c2a3fda Merge branch 'main' into python-command-execution-modeling 2020-09-30 17:38:59 +02:00
Rasmus Wriedt Larsen
4adc26eb62 Python: Fix command injection example code 
`subprocess.Popen(["ls", "-la"], shell=True)` correspond to running `sh -c "ls" -la`

So it doesn't follow the pattern of the rest of the test file.
 2020-09-30 13:38:37 +02:00
Rasmus Wriedt Larsen
9c1253c8af Python: Remove flow out of CommandInjection sinks 2020-09-30 13:29:40 +02:00