hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-02-06 10:11:07 +01:00
Code Issues Packages Projects Releases Wiki Activity
50,630 Commits 1,690 Branches 160 Tags
86fd21de452bb83850fea9182b3bbd2d78876e7a
Commit Graph

386 Commits

Author SHA1 Message Date
Taus
25043f51a4 Merge pull request #11376 from RasmusWL/call-graph-code 
Python: New type-tracking based call-graph
 2023-02-27 14:51:21 +01:00
Rasmus Wriedt Larsen
1c7fe97427 Python: Add modeling of hmac 2023-02-13 15:39:43 +01:00
Rasmus Wriedt Larsen
61151d4aa7 Merge branch 'main' into call-graph-code 2023-01-16 13:39:15 +01:00
Erik Krogh Kristensen
8a89849476 Merge pull request #11660 from erik-krogh/dynamic-useInstanceOf 
Py/JS/RB: Use instanceof in more places
 2022-12-13 21:50:13 +01:00
yoff
557a5b469f Merge pull request #11555 from pwntester/new_python_cmdi_sinks 
Added two new CMDi sinks for python's stdlib
 2022-12-13 09:00:34 +01:00
erik-krogh
b3a9c1ca06 Py/JS/RB: Use instanceof in more places 2022-12-12 16:06:57 +01:00
Rasmus Wriedt Larsen
a826c4f48b Merge branch 'main' into call-graph-code 2022-12-08 11:39:30 +01:00
Asger F
5af1b367c7 Support data extensions 2022-12-07 11:35:05 +01:00
Alvaro Muñoz
fc56843c04 improve predicate QLdoc 2022-12-03 16:34:14 +01:00
Alvaro Muñoz
7e0e56dadc Added two new CMDi sinks fot python's stdlib 2022-12-02 22:16:40 +01:00
Asger F
2d578c1a73 Merge branch 'main' into merge-package-type-columns 2022-12-02 10:00:44 +01:00
Asger F
abf0c0f296 Python: update more comments referring to the package column 2022-11-23 15:02:08 +01:00
Asger F
1c910550e6 Python: merge package/type columns 2022-11-23 11:17:42 +01:00
Rasmus Wriedt Larsen
39ce50fadc Python: Fix problems with sinks in pathlib 
This must mean that we did not have this flow with the old call-graph,
which means the new call-graph is doing a better job (yay).
 2022-11-22 14:46:32 +01:00
erik-krogh
468a879c1f Python: delete dead code. thanks QL-for-QL 2022-11-17 22:12:51 +01:00
erik-krogh
e491b61e09 Python: move the contents of PEP249Impl to PEP249, which is possible now that the deprecations have been deleted 2022-11-17 22:12:50 +01:00
erik-krogh
a7ba693ccb Python: delete old deprecations 2022-11-17 22:12:50 +01:00
Taus
f5b2eb94a6 Merge pull request #10783 from yoff/python/subscript-nodes 
Python: API graph improvements for subscripts
 2022-10-17 15:21:56 +02:00
Taus
fa2faeb77b Merge pull request #10802 from jsoref/spelling-python 
Spelling python
 2022-10-17 11:33:27 +02:00
Sylwia Budzynska
e291d61bc7 Add oracledb model 2022-10-13 18:08:47 +02:00
Josh Soref
8669de57e7 spelling: the 
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
 2022-10-13 11:21:10 -04:00
Josh Soref
33bc3131f9 spelling: something 
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
 2022-10-13 11:21:09 -04:00
Josh Soref
00cc3331ea spelling: request 
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
 2022-10-13 11:21:09 -04:00
Josh Soref
c02b6b3151 spelling: qualified 
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
 2022-10-13 11:21:09 -04:00
Josh Soref
6ac31517ac spelling: method 
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
 2022-10-13 11:21:09 -04:00
Josh Soref
c527264198 spelling: execute 
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
 2022-10-13 11:21:08 -04:00
Josh Soref
565543a61b spelling: elliptic 
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
 2022-10-13 11:21:08 -04:00
Josh Soref
165514c4ab spelling: dispatcher 
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
 2022-10-13 11:21:08 -04:00
Josh Soref
ac1c5221ef spelling: attribute 
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
 2022-10-13 11:21:08 -04:00
Josh Soref
f2fee60486 spelling: access 
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
 2022-10-13 11:21:08 -04:00
sylwia-budzynska
c33dd8fd4b Merge branch 'main' into python-db-models 2022-10-13 16:48:50 +02:00
Sylwia Budzynska
5f737c82a4 Resolve confilct 2022-10-13 12:43:47 +02:00
Sylwia Budzynska
e41d79e37d Add python cx_oracle, phoenixdb, pyodbc models 2022-10-13 12:36:41 +02:00
Rasmus Lerchedahl Petersen
fb90089973 python: rewrite model for Aiohttp 2022-10-12 20:15:49 +02:00
sylwia-budzynska
7bcd247128 Apply suggestions from code review 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2022-10-12 12:08:20 +02:00
Sylwia Budzynska
319923f445 Add python cx_oracle, phoenixdb, pyodbc models 2022-10-11 15:29:57 +02:00
Rasmus Wriedt Larsen
dba42d6bb8 Python: Model executemany on PEP-249 DB APIs 
Note: I kept the modeling using the old approach with type-trackers
instead of `DataFlow::MethodCallNode`.

I would like a meta query for DCA to show sinks before doing this, so I
can be absolutely sure we don't loose out on any important sinks on
this... so will postpone this work to a small one-off task (added to my
todo list).
 2022-10-10 14:16:47 +02:00
Rasmus Wriedt Larsen
669f4f38b9 Python: Update QLDocs on PEP249Impl.qll 2022-10-10 14:13:01 +02:00
Rasmus Wriedt Larsen
4ee71ae4a1 Python: Add support for pymssql package 
I also forgot to mention `PyMySQL` in frameworks.rst
 2022-10-10 14:02:40 +02:00
Rasmus Wriedt Larsen
584ccf1992 Python: clean up Mysql.qll 2022-10-10 13:49:26 +02:00
Rasmus Wriedt Larsen
4b1f6f0865 Merge pull request #10629 from RasmusWL/fix-flask-source 
Python: Fix flask request modeling
 2022-10-10 09:56:22 +02:00
Rasmus Wriedt Larsen
d7be27a1c0 Python: Fix experimental py/ip-address-spoofing 
I realized the modeling was done in a non-recommended way, so I changed
the modeling. It was very nice that I could use API graphs for the flask
part, and a little sad when I couldn't for Django/Tornado.
 2022-10-03 21:19:30 +02:00
Tom Hvitved
dc432c7774 Sync shared files 2022-09-30 14:56:56 +02:00
CodeQL CI
b66e5c5aee Merge pull request #10634 from yoff/python/rewrite-typetrackers 
Approved by tausbn
 2022-09-30 03:55:35 -07:00
yoff
8ab5617b51 Merge pull request #10539 from yoff/python/improve-API-graphs 
Python: add subscript to API graphs
 2022-09-29 21:05:22 +02:00
Rasmus Lerchedahl Petersen
0654e39e72 python: rewrite type tracker for compiled regexes 
we have the option to use `regex.getAValueReachingSink`
rather than `regex.asSink`, but it will likely be used as a
sink for data flow.
 2022-09-29 20:30:29 +02:00
Rasmus Wriedt Larsen
0cb8e121e9 Python: Fix flask request modeling 
This takes us part of the way. We still get multiple paths for the same
alert, but that will be fixed in a different PR.
 2022-09-29 17:41:21 +02:00
Asger F
24f2a3cdff Sync ApiGraphModels.qll 2022-09-28 12:17:44 +02:00
Rasmus Lerchedahl Petersen
b1ae3bfdb2 Python: less eager tracking of flow 2022-09-28 11:46:26 +02:00
Rasmus Lerchedahl Petersen
441fc1bb28 Python: type trackers to API graph 
base on new subscript in the API graph

There are a few more uses of type tracking
through `SubscriptNode`s, but these start
from an instance given by a data flow node.
 2022-09-26 15:05:50 +02:00