hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-21 06:37:10 +02:00
Code Issues Packages Projects Releases Wiki Activity
26,541 Commits 1,759 Branches 167 Tags
80000cd8909cd28497d694e9f338ba54e0b76598
Commit Graph

2956 Commits

Author SHA1 Message Date
Rasmus Wriedt Larsen
987b573709 Fix hasLocationInfo URL reference 
Follow up to https://github.com/github/codeql/pull/5830
 2021-09-29 13:47:58 +02:00
Rasmus Wriedt Larsen
547cbb6322 Merge pull request #6331 from porcupineyhairs/pythonXpath 
Python : Improve Xpath Injection Query
 2021-09-24 18:11:08 +02:00
Rasmus Wriedt Larsen
26d2fbd217 Python: Fix new XPath injection query 
Fixes the typo `ETXpath` => `ETXPath`
 2021-09-24 15:11:34 +02:00
Rasmus Wriedt Larsen
913a679ef5 Python: Replace old XPath injection query 2021-09-24 15:10:41 +02:00
Rasmus Wriedt Larsen
c9640ffdbc Python: Minor adjustments to XPath Injection 2021-09-24 15:02:39 +02:00
Rasmus Wriedt Larsen
289660067c Merge branch 'main' into pythonXpath 2021-09-24 13:53:38 +02:00
Rasmus Wriedt Larsen
70489b2fc2 Merge branch 'main' into jorgectf/python/ldapinsecureauth 2021-09-23 10:05:56 +02:00
Rasmus Wriedt Larsen
d44f279339 Python: Fix .qhelp 2021-09-21 20:35:03 +02:00
Rasmus Wriedt Larsen
a83bb39d0f Python: Merge SQLAlchemy TextClause injection into py/sql-injection 
As discussed in a meeting today, this will end up presenting an query
suite that's easier to use for customers.

Since https://github.com/github/codeql/pull/6589 has JUST been merged,
if we get this change in fast enough, no end-user will ever have run
`py/sqlalchemy-textclause-injection` as part of LGTM.com or Code
Scanning.
 2021-09-21 20:21:42 +02:00
yoff
4adb0c75bd Merge pull request #6589 from RasmusWL/promote-sqlalchemy 
Python: Promote modeling of SQLAlchemy
 2021-09-21 11:08:41 +02:00
Rasmus Wriedt Larsen
4a16be2cba Merge pull request #6557 from yoff/python/port-modification-of-default-value 
Python: port modification of default value
 2021-09-21 10:12:12 +02:00
Rasmus Wriedt Larsen
c7c8e2f3e3 Merge branch 'main' into promote-sqlalchemy 2021-09-21 09:36:07 +02:00
Rasmus Wriedt Larsen
97c0f1c7b7 Python: Apply suggestions from code review 
Co-authored-by: yoff <lerchedahl@gmail.com>
 2021-09-20 12:04:46 +02:00
Rasmus Lerchedahl Petersen
8ea7a28a77 Python: Unexpose fields as suggested. 2021-09-15 12:32:21 +02:00
yoff
758b6bd4dd Update python/ql/src/semmle/python/functions/ModificationOfParameterWithDefaultCustomizations.qll 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2021-09-15 12:25:27 +02:00
Rasmus Wriedt Larsen
49f5f1e2c2 Merge pull request #6336 from tausbn/python-make-annotated-assignment-a-definitionnode 
Python: Two fixes regarding annotated assignments
 2021-09-14 13:37:53 +02:00
jorgectf
2ccc6dc092 Merge branch 'main' into jorgectf/python/ldapinsecureauth 2021-09-14 09:32:19 +02:00
Rasmus Wriedt Larsen
f402475dd3 Python: Fix globals() == locals() FP 2021-09-13 20:03:11 +02:00
jorgectf
353c0a9ee7 Add missing comment 2021-09-12 20:44:04 +02:00
jorgectf
3cf28ad6ce Merge remote-tracking branch 'origin/main' into jorgectf/python/ldapinsecureauth 2021-09-12 20:36:25 +02:00
jorgectf
18b05bc56e Fix tests and add global option 2021-09-12 20:35:57 +02:00
jorgectf
54012eba23 Optimize getFullHostRegex 2021-09-12 20:13:08 +02:00
Rasmus Lerchedahl Petersen
7cfa08abc8 Python: Do not use BarrierGuards 
They are simply not right for this problem.
We should not even make them available as an extension point.
 2021-09-10 12:48:24 +02:00
Rasmus Lerchedahl Petersen
b20232db3c Python: Simplify guards as suggested 2021-09-10 10:31:48 +02:00
jorgectf
4e261c61ae Optimize concatAndCompareAgainstFullHostRegex 2021-09-07 19:05:03 +02:00
jorgectf
800801177d Fix taint tracking comment 2021-09-07 19:02:32 +02:00
jorgectf
b802d7903a Fix OPT_X_TLS_ mandatory options 2021-09-07 19:01:46 +02:00
jorgectf
ee98c0c587 Add start_tls_s() comment and use DataFlow::MethodCallNode instead 2021-09-07 19:00:14 +02:00
Jorge
1bc16fb31e Apply suggestions from code review 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2021-09-07 18:37:33 +02:00
yoff
43effd2b40 Update python/ql/src/semmle/python/functions/ModificationOfParameterWithDefault.qll 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2021-09-07 15:08:50 +02:00
Taus Brock-Nannestad
bea8a457a2 Merge branch 'main' into python-make-annotated-assignment-a-definitionnode 2021-09-07 15:01:01 +02:00
Rasmus Lerchedahl Petersen
8729701b66 Merge branch 'main' of github.com:github/codeql into python/port-modification-of-default-value 
Files have moved around, specifically PrintNode.qll.
 2021-09-07 10:13:51 +02:00
Rasmus Lerchedahl Petersen
ae8408bcab Python: Add missing qldoc 2021-09-07 10:09:02 +02:00
Rasmus Lerchedahl Petersen
4998a48f99 Python: Fix simple guards 2021-09-06 22:40:30 +02:00
yoff
138a7ae67f Merge pull request #6349 from RasmusWL/more-modeling 
Python: Improve various library modeling
 2021-09-06 17:01:45 +02:00
yoff
c7146ac10c Update python/ql/src/meta/alerts/RemoteFlowSourcesReach.ql 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswl@github.com>
 2021-09-06 16:00:58 +02:00
Andrew Eisenberg
6a47fcaf1f Packaging: Normalize all qlpack.yml files for all languages 
This commit ensures consistency among all of our qlpacks. Here are the
changes:

1. Ensure only modern references are used (codeql-{lang} is converted to
   codeql/{lang}-all or codeql/{lang}-queries where appropriate).
2. Use consistent version numbers. All languages are at 0.0.2 except
   javascript, which is 0.0.3.
3. Convert all `libraryPathDependencies` to `dependencies` with version
   constraints
4. Dependencies from query packs to other packs are always `"*"` since
   these dependencies are always from source and we should get the
   latest.
5. Dependencies from codeql/{lang}-lib to codeql/{lang}-upgrades must
   be strict since there is a tight connection between the libary
   and its relevant upgrades.
 2021-09-03 11:53:28 -07:00
Rasmus Lerchedahl Petersen
913990bc62 Python: Add suggested comments and test case 2021-09-03 14:40:16 +02:00
yoff
c6eb795e76 Apply suggestions from code review 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2021-09-03 14:23:57 +02:00
Rasmus Wriedt Larsen
88c6d4bb20 Python: Fix .qhelp 2021-09-02 16:02:04 +02:00
Taus
e4fd749a46 Merge pull request #6547 from github/RasmusWL/cwe328-weak-hash 
Python: Add CWE-328 to `py/weak-sensitive-data-hashing`
 2021-09-02 11:42:31 +02:00
Rasmus Wriedt Larsen
c34d6d1162 Python: Add query to handle SQLAlchemy TextClause Injection 
instead of doing this via taint-steps. See description in code/tests.
 2021-09-02 10:19:57 +02:00
Rasmus Wriedt Larsen
81dbe36e99 Python: Promote SQLAlchemy modeling 
Due to the split between `src/` and `lib/`, I was not really able to do
the next step without having moved the SQLAlchemy modeling over to be in
`lib/` as well.
 2021-09-02 10:19:57 +02:00
Rasmus Wriedt Larsen
ba99e21875 Python: Remove modeling of sqlescapy PyPI package 
I've never seen this being used in real code, and this library doesn't
have a lot of traction, so I would rather not commit to supporting it
(which includes verifying that it actually makes things safe).

Personally I don't think this is the right approach for avoiding SQL
injection either.
 2021-09-02 10:19:57 +02:00
Rasmus Wriedt Larsen
91442e100c Python: Model sessionmaker().begin() 2021-09-02 10:19:57 +02:00
Rasmus Wriedt Larsen
feb2303e1f Python: Model the underlying DB-API connection 2021-09-02 10:19:57 +02:00
Rasmus Wriedt Larsen
1ab04a7276 Python: Model Connection.execution_options 2021-09-02 10:19:57 +02:00
Rasmus Wriedt Larsen
2acf518037 Python: Model exec_driver_sql 2021-09-02 10:19:57 +02:00
Rasmus Wriedt Larsen
fe143c7dfa Python: Rewrite most of SQLAlchemy modeling 2021-09-02 10:19:57 +02:00
Rasmus Lerchedahl Petersen
0de621edf9 Python: Add qldoc 2021-08-30 15:03:58 +02:00