Rasmus Wriedt Larsen
6d210c5fe8
Python: auto model
2023-09-18 20:34:41 +02:00
Rasmus Wriedt Larsen
9249b529d7
Python: auto model
2023-09-18 17:31:15 +02:00
Rasmus Wriedt Larsen
ce2fd928f5
Python: Enable auto-model for cgi.FieldStorage
2023-09-18 17:01:34 +02:00
Rasmus Wriedt Larsen
a27c2e0603
Python: auto model
2023-09-18 16:37:56 +02:00
Rasmus Wriedt Larsen
db6509e3ac
Python: auto model
2023-09-18 16:25:38 +02:00
Rasmus Wriedt Larsen
244346bc1c
Python: auto model
2023-09-18 14:35:28 +02:00
Rasmus Wriedt Larsen
48cb075b3b
Python: More import fixes
...
:thinkies: turns out that .getASubclass*() had to be applied everywhere...
2023-09-18 14:25:04 +02:00
Rasmus Wriedt Larsen
ec32de59a6
Python: More auto-modeling
2023-09-18 14:24:03 +02:00
Rasmus Wriedt Larsen
b93d470364
Python: Enable auto-model BaseHttpRequestHandler
2023-09-18 13:48:24 +02:00
Rasmus Wriedt Larsen
6d4b4d6838
Python: Modernize modeling of BaseHTTPRequestHandler
2023-09-18 13:40:41 +02:00
Rasmus Wriedt Larsen
af9b1e73f8
Python: Improve auto-model from better import alias handling
2023-09-18 12:11:10 +02:00
Rasmus Wriedt Larsen
ff069f345d
Python: Improve SelfRefMixin
...
This is important to model mixins correctly, for example when they help
handle incoming requests, and therefore need to know that `self.kwargs`
contains data controlled by a user.
2023-09-18 12:05:40 +02:00
Rasmus Wriedt Larsen
3abfcc59ca
Python: Improve import * handling
2023-09-18 11:32:29 +02:00
Rasmus Wriedt Larsen
b1cfe27d17
Python: More automatic modeling
2023-09-15 15:27:10 +02:00
Rasmus Wriedt Larsen
0bf1ca7550
Python: Automodel for WSGIServer
2023-09-15 14:58:42 +02:00
Rasmus Wriedt Larsen
1328bfd7d0
Python: Automodel for tornado
2023-09-15 14:58:23 +02:00
Rasmus Wriedt Larsen
8b82732040
Python: Make Django use auto-modeling
...
Ooops
2023-09-15 14:57:32 +02:00
Rasmus Wriedt Larsen
ab0313828c
Python: Remove manual MaD modeling
...
Everything is covered now 👍
2023-09-14 11:52:41 +02:00
Rasmus Wriedt Larsen
975ed47c53
Python: Add more auto-generated models
...
This time using old set of projects
2023-09-14 11:52:41 +02:00
Rasmus Wriedt Larsen
523f7e2ed4
Python: Sort MaD rows
...
(makes future diffing much easier)
2023-09-14 11:52:41 +02:00
Rasmus Wriedt Larsen
0f1b120a03
Python: Add manual modeling still missing from auto modeling
2023-09-14 11:52:41 +02:00
Rasmus Wriedt Larsen
68985db3f6
Python: Add auto-modeling from current venv in MRVA top 1000 projects
2023-09-14 11:52:41 +02:00
Rasmus Wriedt Larsen
e96e67cdb9
Python: Add script to process results from MRVA (bqrs files)
...
Also makes `empty.model.yml` empty once again
2023-09-14 11:52:41 +02:00
Rasmus Wriedt Larsen
6024ca0167
Python: Remove query predicate annotation
2023-09-14 11:52:41 +02:00
Rasmus Wriedt Larsen
fb63e73142
Python: Streamline what modules to allow for now
2023-09-14 11:52:41 +02:00
Rasmus Wriedt Larsen
f29e8894bf
Python: Adjust test-code predicate
2023-09-14 11:52:41 +02:00
Rasmus Wriedt Larsen
b980b82d59
Python: Improve docs/names around already modeled classes
2023-09-14 11:52:41 +02:00
Rasmus Wriedt Larsen
562d9c63b4
WIP rest of modeling done so far
2023-09-14 11:52:40 +02:00
Rasmus Wriedt Larsen
8e9636a6d8
WIP: Flask View class modeling for restplus
...
Based on some DBs I had that contained dependencies
2023-09-14 11:52:40 +02:00
github-actions[bot]
abf2b12b1c
Release preparation for version 2.14.4
2023-09-05 16:56:14 +00:00
yoff
da64ea40b9
Merge pull request #13782 from jorgectf/jorgectf/shlex-quote
...
Python: Add `shlex.quote` as `py/shell-command-constructed-from-input` sanitizer
2023-08-31 21:08:58 +02:00
Tom Hvitved
253f932d2a
Python: Use data flow consistency checks from shared pack
2023-08-30 15:29:41 +02:00
Rasmus Wriedt Larsen
62c2316124
Merge pull request #14084 from RasmusWL/flask-jsonify
...
Python: Remove XSS FP from use of `flask.jsonify`
2023-08-30 13:07:54 +02:00
yoff
ae4c76c788
Merge pull request #13975 from yoff/python/parsemodechars-not-chars
2023-08-29 14:05:57 +02:00
Rasmus Wriedt Larsen
0b2458d065
Python: Improve modeling of Flask jsonify
...
I also tested whether `Flask.jsonify` or `Flask().jsonify` worked, but
they do not.
2023-08-29 11:11:32 +02:00
Rasmus Wriedt Larsen
26319bfc04
Python: Fix Flask jsonify XSS regression
...
The reason the result was found before is that `jsonify(data)` was
modeled as TWO separate subclasses of `Http::Server::HttpResponse`, one
because of the implicit construction in return
(FlaskRouteHandlerReturn), and one from the `jsonify` call
(FlaskJsonifyCall). Due to the QL evaluation, we got a combination from
the two, meaning mime-type from FlaskRouteHandlerReturn and body from
FlaskJsonifyCall...
2023-08-29 11:11:32 +02:00
Dave Bartolomeo
3343b78015
Merge pull request #14074 from github/post-release-prep/codeql-cli-2.14.3
...
Post-release preparation for codeql-cli-2.14.3
2023-08-28 13:34:10 -04:00
github-actions[bot]
3eba77421a
Post-release preparation for codeql-cli-2.14.3
2023-08-28 15:53:49 +00:00
yoff
2e981e330b
Merge pull request #14059 from RasmusWL/fix-loginjection-tests
...
Python: Fix stdlib sinks in LogInjection query
2023-08-28 14:44:51 +02:00
yoff
6e05246daa
Merge pull request #13935 from yoff/python/mad-on-externals
...
Python: MaD on externals
2023-08-28 14:04:54 +02:00
Rasmus Wriedt Larsen
c807ab4216
Python: Apply suggestions from code review
...
Co-authored-by: yoff <lerchedahl@gmail.com>
2023-08-28 14:04:22 +02:00
Rasmus Wriedt Larsen
bf9a0dab2a
Python: Fix stdlib sinks in LogInjection query
2023-08-25 17:04:48 +02:00
Rasmus Lerchedahl Petersen
137f9e7234
Python: Address review comments
...
- make qldoc accurate
- fix ql4ql alert
2023-08-24 21:28:07 +02:00
Rasmus Lerchedahl Petersen
7ad1a21c2d
Python: make mode characters not be characters
...
They are simply considered part of the group start.
2023-08-24 21:21:49 +02:00
yoff
a834703195
Merge pull request #13779 from geoffw0/pythonparsemode
...
Python: Understand multiple parse mode flags specified in a regular expression string
2023-08-24 21:20:45 +02:00
yoff
00c0ebe9e4
Merge pull request #13738 from RasmusWL/path-steps
...
Python: Include all assignments in data flow paths
2023-08-22 11:58:11 +02:00
Michael Nebel
ce6fd8ac5f
Merge pull request #13432 from michaelnebel/updateissupported
...
Java/C#: Update telemetry queries to report callables with sink/source neutrals as being supported.
2023-08-22 08:39:38 +02:00
Jeroen Ketema
2d0f73d7c2
Merge pull request #13881 from jketema/shared-taint-tracking
...
Introduce shared taint tracking library
2023-08-21 12:45:49 +02:00
Rasmus Wriedt Larsen
c8c69aac9b
Merge pull request #13561 from amammad/amammad-python-WebAppsConstatntSecretKeys
...
Python: Flask & Django Constant Secret Key initialization
2023-08-21 11:39:19 +02:00
Michael Nebel
106ba11e10
Address review comments.
2023-08-21 09:59:02 +02:00