Rasmus Lerchedahl Petersen
6c5596d17e
Python: rewrite test
2021-09-09 13:45:44 +02:00
Rasmus Lerchedahl Petersen
e27b3162e5
Python: rewrite simpleLocalFlowStep
...
to take into account the split between
import time and runtime.
2021-09-09 12:43:08 +02:00
Rasmus Lerchedahl Petersen
a9c409403c
Python: more tests and comments
2021-09-08 14:44:36 +02:00
Rasmus Lerchedahl Petersen
9b198c6d0a
Python: Add some module initialization tests
2021-09-08 10:37:28 +02:00
Taus
b99c075282
Merge pull request #6460 from yoff/python-regex-parsing-consistency-checks
...
Python: Add regex parsing consistency checks
2021-09-07 13:33:59 +02:00
yoff
138a7ae67f
Merge pull request #6349 from RasmusWL/more-modeling
...
Python: Improve various library modeling
2021-09-06 17:01:45 +02:00
Andrew Eisenberg
6a47fcaf1f
Packaging: Normalize all qlpack.yml files for all languages
...
This commit ensures consistency among all of our qlpacks. Here are the
changes:
1. Ensure only modern references are used (codeql-{lang} is converted to
codeql/{lang}-all or codeql/{lang}-queries where appropriate).
2. Use consistent version numbers. All languages are at 0.0.2 except
javascript, which is 0.0.3.
3. Convert all `libraryPathDependencies` to `dependencies` with version
constraints
4. Dependencies from query packs to other packs are always `"*"` since
these dependencies are always from source and we should get the
latest.
5. Dependencies from codeql/{lang}-lib to codeql/{lang}-upgrades must
be strict since there is a tight connection between the libary
and its relevant upgrades.
2021-09-03 11:53:28 -07:00
Rasmus Lerchedahl Petersen
a01fca5d48
Merge branch 'main' of github.com:github/codeql into python-regex-parsing-consistency-checks
...
To fix conflicts
2021-08-30 18:40:12 +02:00
Rasmus Wriedt Larsen
47377c7197
Merge branch 'main' into more-modeling
2021-08-26 13:40:17 +02:00
Andrew Eisenberg
3660c64328
Packaging: Rafactor Python core libraries
...
Extract the external facing `qll` files into the codeql/python-all
query pack.
2021-08-24 13:23:45 -07:00
yoff
2f5ed03798
Merge pull request #6323 from RasmusWL/sec-test-layout
...
Python: Restructure security tests to contain query name
2021-08-24 16:50:08 +02:00
Rasmus Wriedt Larsen
ca341bde08
Merge pull request #5612 from jty-team/jty/python/nosqlInjection
...
Python: CWE-943 - Add NoSQL injection query
2021-08-24 11:29:25 +02:00
Rasmus Lerchedahl Petersen
c4554836ca
Python: merge test.py into unittests.py
2021-08-19 10:24:32 +02:00
Rasmus Wriedt Larsen
b649f5f38c
Merge branch 'main' into peewee-modeling
2021-08-17 12:03:18 +02:00
Rasmus Lerchedahl Petersen
dee5535fbb
Python: condense tests
...
This also avoids potential licensing issues.
2021-08-17 11:24:39 +02:00
Erik Krogh Kristensen
46959234b7
Merge pull request #6288 from erik-krogh/emptyRedos
...
JS/Python: Fix FP in redos related to empty lookaheads
2021-08-16 13:48:22 +02:00
Rasmus Lerchedahl Petersen
54e65ce765
Python: Add consistency tests
...
for all the projects that went out of disk as a result of ReDoS
2021-08-12 13:33:44 +02:00
Rasmus Lerchedahl Petersen
c08f94ec04
Python: Fix parsing of octal escapes
2021-08-11 15:01:26 +02:00
Rasmus Lerchedahl Petersen
34b054ff53
Python: Add consistency checks
2021-08-11 14:58:27 +02:00
jorgectf
e6ce10b5c5
Merge remote-tracking branch 'origin/main' into jty/python/nosqlInjection
2021-08-10 20:01:08 +02:00
Rasmus Wriedt Larsen
71e6db8a01
Merge branch 'main' into jorgectf/python/ldapimproperauth
2021-07-22 15:57:43 +02:00
Rasmus Wriedt Larsen
802d9bda83
Merge pull request #5680 from mrthankyou/python-use-sqlalchemy
...
Python: Add SqlAlchemy model
2021-07-22 15:31:39 +02:00
Rasmus Wriedt Larsen
38875ca0c7
Python: Improve handling of async methods
2021-07-22 14:17:07 +02:00
Rasmus Wriedt Larsen
6e9d9fcbbd
Python: Improve taint steps in for & iterable unpacking
...
These were written way before the ones in DataFlowPrivate, but
apparently didn't cover quite as much :|
2021-07-22 14:16:17 +02:00
Taus
e9a4114c04
Python: Hotfix: Disable ReDoS queries
2021-07-22 10:58:49 +00:00
Rasmus Wriedt Larsen
d3163d8a76
Python: Add iterable-unpacking in for test
2021-07-22 11:59:46 +02:00
Rasmus Wriedt Larsen
e2d3fa7093
Python: Add list-comprehension taint test
2021-07-22 11:59:46 +02:00
Rasmus Wriedt Larsen
6f63c03558
Python: Model http.cookies.Morsel and usage in Tornado
2021-07-22 10:43:18 +02:00
Rasmus Wriedt Larsen
7e09a1cbfd
Python: Model tornado.httputil.HTTPHeaders
2021-07-22 10:43:18 +02:00
Rasmus Wriedt Larsen
7020e4132b
Python: Model BaseHTTPRequestHandler.rfile as file-like object
2021-07-22 10:43:18 +02:00
Rasmus Wriedt Larsen
d388dd547e
Python: Model HTTPMessage from Stdlib
2021-07-22 10:43:18 +02:00
Rasmus Wriedt Larsen
dac71ded9d
Python: Add Authorization modeling in Flask
2021-07-22 10:43:18 +02:00
Rasmus Wriedt Larsen
133632119d
Python: Model werkzeug Headers
...
Also removed a misleading comment link to method on wrong class :D
2021-07-22 10:43:18 +02:00
Rasmus Wriedt Larsen
4d9c86a252
Python: Model Werkzeug FileStorage.save as FileSystemAccess
2021-07-22 10:43:18 +02:00
Rasmus Wriedt Larsen
9cb4899c5c
Python: Add FileStorage modeling in Flask
2021-07-22 10:43:18 +02:00
Rasmus Wriedt Larsen
04190ea308
Python: Add file-like modeling to werkzeug FileStorage
2021-07-22 10:43:18 +02:00
Rasmus Wriedt Larsen
4f4dec50f2
Python: Model ResovlerMatch in Django
...
Like before, omitted ClassInstantiation
2021-07-22 10:43:13 +02:00
Rasmus Wriedt Larsen
7dc6518350
Python: Add FileLikeObject modeling
...
Such that the result of `request.FILES["key"].file.read()` is tainted
2021-07-21 16:35:09 +02:00
Rasmus Wriedt Larsen
18c0d13efd
Python: Model most of UploadedFile in Django
2021-07-21 16:35:09 +02:00
Rasmus Wriedt Larsen
5ec5557203
Python: Model MultiValueDict in Django
2021-07-21 16:35:09 +02:00
Rasmus Wriedt Larsen
51b543c67c
Python: Model taint for django request methods
2021-07-21 16:35:09 +02:00
Rasmus Wriedt Larsen
ce4b192caa
Python: Improve usefulness of RemoteFlowSourcesReach meta query
...
Before, results from `dca` would look something like
## + py/meta/alerts/remote-flow-sources-reach
- django/django@c2250cf_cb8f: tests/messages_tests/urls.py:38:16:38:48
reachable with taint-tracking from RemoteFlowSource
- django/django@c2250cf_cb8f: tests/messages_tests/urls.py:38:9:38:12
reachable with taint-tracking from RemoteFlowSource
now it should make it easier to spot _what_ it is that actually changed,
since we pretty-print the node.
2021-07-21 16:35:09 +02:00
Rasmus Wriedt Larsen
5249591747
Python: Fix test folder for InsecureProtocol
2021-07-19 16:57:00 +02:00
Rasmus Wriedt Larsen
5939128a76
Python: Fix test folder for InsecureDefaultProtocol
...
it was named wrong before. whoops.
2021-07-19 16:56:07 +02:00
Rasmus Wriedt Larsen
77021ae119
Python: Restructure security tests to contain query name
...
We were mixing between things, so this is just to keep things
consistent. Even though it's not strictly needed for all queries,
it does look nice I think
2021-07-19 16:54:34 +02:00
Rasmus Wriedt Larsen
da021feb8b
Python: Move py/incomplete-hostname-regexp tests to own folder
2021-07-19 16:48:21 +02:00
Rasmus Wriedt Larsen
7939a1372e
Python: Move Jinja2WithoutEscaping tests to own folder
2021-07-19 16:44:41 +02:00
Rasmus Wriedt Larsen
a07de3faae
Merge branch 'main' into emptyRedos
2021-07-15 18:21:29 +02:00
jorgectf
6f09b95019
Update .expected
2021-07-15 17:16:29 +02:00
CodeQL CI
d282f6a356
Merge pull request #6218 from tausbn/python-add-typetrackingnode
...
Approved by RasmusWL
2021-07-15 07:04:50 -07:00