Commit Graph

1436 Commits

Author SHA1 Message Date
Rasmus Lerchedahl Petersen
8e51b2fed8 Python: refactor test for global flow 2020-06-17 16:43:11 +02:00
Rasmus Lerchedahl Petersen
71f364eef3 Python: Implement OutNode
Also, fix test for local flow
2020-06-17 16:24:44 +02:00
Rasmus Lerchedahl Petersen
52898f16f5 Python: update paths after move 2020-06-17 08:34:45 +02:00
Rasmus Lerchedahl Petersen
47f5b04e87 Python: fix identical-files.json after move
also more grouping
2020-06-17 07:08:46 +02:00
Rasmus Lerchedahl Petersen
e192b66116 Python: move shared dataflow to experimental 2020-06-17 06:46:46 +02:00
Rasmus Lerchedahl Petersen
0f77403f0e Python: small start on global flow
need to actually have `OutNode`s
2020-06-16 15:36:03 +02:00
Rasmus Lerchedahl Petersen
f3e879a5ab Python: small test of local flow 2020-06-16 14:31:22 +02:00
Rasmus Lerchedahl Petersen
0abba238cc Python: bit more local flow and fix ql docs 2020-06-16 08:21:32 +02:00
Rasmus Lerchedahl Petersen
ad04ec554a Python: group related predicates
also restore accidentally removed comment
2020-06-16 07:30:44 +02:00
Rasmus Lerchedahl Petersen
f8eb5839cd Python: start on local flow 2020-06-15 16:25:41 +02:00
Rasmus Lerchedahl Petersen
6dfb3a5df8 Python: Address QL docs 2020-06-15 11:50:07 +02:00
Rasmus Lerchedahl Petersen
1af2e56894 Summary of recent meeting.
Perhaps a not-python-specific version of this
could go into the shared implementation.
2020-06-15 08:01:02 +02:00
Rasmus Lerchedahl Petersen
375da38765 Python: Minimal compilation of shared dataflow 2020-06-12 11:48:41 +02:00
semmle-qlci
4cdb3c13df Merge pull request #3658 from RasmusWL/python-3.8-dict-ismapping
Approved by tausbn
2020-06-10 17:19:49 +01:00
semmle-qlci
f7c6b1364b Merge pull request #3640 from RasmusWL/python-handle-3.8-enum-convert
Approved by tausbn
2020-06-10 17:19:22 +01:00
Rasmus Wriedt Larsen
48b2d2cc5c Python: Make isSequence() and isMapping() tests version specific
Since unicode/bytes difference, output can't match between Python 2 and Python 3.
2020-06-10 16:43:56 +02:00
Rasmus Wriedt Larsen
721713b9e1 Python: Minor fixes from code review
Co-authored-by: Taus <tausbn@gmail.com>
2020-06-10 16:14:21 +02:00
Taus
5b0d92d72b Merge pull request #3464 from yoff/UnicodeEscape
Python: Handle more escapes in regexes
2020-06-10 15:47:09 +02:00
Rasmus Wriedt Larsen
f73876e6ce Python: Modernise ShouldBeContextManager 2020-06-10 11:53:11 +02:00
Rasmus Wriedt Larsen
37cfb5400d Python: Modernise RatioOfDefinitions 2020-06-10 11:51:41 +02:00
Rasmus Wriedt Larsen
bacd491875 Python: Fix isSequence() and isMapping() 2020-06-09 14:21:02 +02:00
Rasmus Wriedt Larsen
846101d295 Python: Extend isSequence/isMapping test with custom classes 2020-06-09 14:04:14 +02:00
Rasmus Wriedt Larsen
65ce6d27ff Python: Update isSequence() and isMapping() for Python 3.8 2020-06-09 11:57:00 +02:00
Rasmus Wriedt Larsen
958763edc2 Python: Add test for ClassValue.isSequence() and isMapping()
For Python 3.6
2020-06-09 11:55:22 +02:00
semmle-qlci
1a7570ebbe Merge pull request #3563 from RasmusWL/python-fabric-execute
Approved by tausbn
2020-06-08 16:00:49 +01:00
Rasmus Wriedt Larsen
baa415fec8 Python: Add points-to regression for metaclass 2020-06-08 15:03:46 +02:00
Rasmus Wriedt Larsen
7c037cd2ab Python: Handle Enum._convert in Python 3.8 2020-06-08 14:49:58 +02:00
Rasmus Wriedt Larsen
1ff369f62d Python: Update test results for fabric.api.execute 2020-06-04 16:30:03 +02:00
Rasmus Wriedt Larsen
551420401a Python: Fix typo
Co-authored-by: Taus <tausbn@gmail.com>
2020-05-29 14:27:07 +02:00
Rasmus Wriedt Larsen
48be57c8fd Python: Improve QLDoc for ExternalStringDictKind 2020-05-29 12:06:57 +02:00
Rasmus Wriedt Larsen
b083c01520 Python: Deprecate StringDictKind
This QL

```codeql
import python
import semmle.python.dataflow.TaintTracking
import semmle.python.security.strings.Untrusted

from CollectionKind ck
where
    ck.(DictKind).getMember() instanceof StringKind
    or
    ck.getMember().(DictKind).getMember() instanceof StringKind
select ck, ck.getAQlClass(), ck.getMember().getAQlClass()
```

generates these 6 results.

```
1  {externally controlled string}    ExternalStringDictKind  UntrustedStringKind
2  {externally controlled string}    StringDictKind          UntrustedStringKind
3  [{externally controlled string}]  SequenceKind            ExternalStringDictKind
4  [{externally controlled string}]  SequenceKind            StringDictKind
5  {{externally controlled string}}  DictKind                ExternalStringDictKind
6  {{externally controlled string}}  DictKind                StringDictKind
```

StringDictKind was only used in *one* place in our library code. As illustrated
above, it pollutes our set of TaintKinds. Effectively, every time we make a
flow-step for dictionaries with tainted strings as values, we do it TWICE --
once for ExternalStringDictKind, and once for StringDictKind... that is just a
waste.
2020-05-29 12:06:57 +02:00
Rasmus Wriedt Larsen
87bc8ae28d Python: Don't use UntrustedStringKind in web lib
If I wanted to use my own TaintKind and not have any interaction with
`UntrustedStringKind` that wouldn't be possible today since these standard http
libraries import it directly. (also, I wouldn't get any sources of my custom
TaintKind from turbogears or bottle). I changed them to use the same pattern of
`ExternalStringKind` as everything else does.
2020-05-29 12:06:57 +02:00
Jonas Jensen
5deeda0337 Merge pull request #3387 from geoffw0/tostringperf
C++: Eliminate recursion from toString().
2020-05-26 13:24:43 +02:00
Rasmus Wriedt Larsen
9c75a39b81 Python: Extend command-injection to handle fabric.api.execute 2020-05-26 10:22:27 +02:00
Rasmus Wriedt Larsen
e04d1ffcd2 Python: Add test for fabric.api.execute 2020-05-26 10:20:22 +02:00
Taus
7716cff3d8 Merge pull request #3551 from RasmusWL/python-fix-upcoming-deprecation
Python: Fix (upcoming) deprecation compiler-warnings
2020-05-25 16:17:57 +02:00
semmle-qlci
8146073c74 Merge pull request #3553 from RasmusWL/python-fix-tainttracking-import
Approved by tausbn
2020-05-25 14:18:54 +01:00
semmle-qlci
6f1f926e0c Merge pull request #3552 from RasmusWL/python-fix-filename-example
Approved by tausbn
2020-05-25 14:17:05 +01:00
Rasmus Wriedt Larsen
f602f3e1c7 Python: Use proper import for semmle.python.dataflow.TaintTracking
It was moved in 637677d515, but imports were not
updated.
2020-05-25 13:45:49 +02:00
Rasmus Wriedt Larsen
74167923bc Python: Fix filename example
I got my eyes on this one since it was using a deprecated method, BUT it was
also doing the thing, since File.getName() is the same as
File.getAbsolutePath(), and that doesn't match the description :\
2020-05-25 13:17:32 +02:00
Rasmus Wriedt Larsen
6ce1b9f7fa Python: Fix use of StrConst.strValue() 2020-05-25 13:12:56 +02:00
semmle-qlci
ac1a338390 Merge pull request #3407 from RasmusWL/python-add-BoundMethodValue-v2
Approved by tausbn
2020-05-25 12:00:45 +01:00
Rasmus Wriedt Larsen
32c8dd0491 Python: Fix (upcoming) deprecation compiler-warnings
In a near-future release overriding a deprecated predicate without marking as
deprecated would give a compiler warning.

Not fixing the XML one. [I can see that this shouldn't be reported
anymore](https://github.com/github/codeql/pull/3520#issuecomment-631552943), and
it's not safe to remove since it was only marked as deprecated in
e6425bb4cf.
2020-05-25 11:05:30 +02:00
Taus
a2308771a3 Merge pull request #3489 from yoff/DeprecateObject
Python: Modernise `py/missing-equals`.
2020-05-25 10:56:16 +02:00
Rasmus Wriedt Larsen
49d7e12acd Python: Remove unnecessary restriction from getNamedArgumentForCall
As agreed in https://github.com/github/codeql/pull/3407
2020-05-25 10:17:37 +02:00
Rasmus Wriedt Larsen
4fc3cae646 Python: Add test for how arguments to *args and **kwargs are handled 2020-05-25 10:16:10 +02:00
Rasmus Wriedt Larsen
87ee6ae101 Python: Add a bit of docs to CallableObjectInternal
As requested :)
2020-05-25 09:53:28 +02:00
Rasmus Wriedt Larsen
9e0d57c610 Python: Fix grammar in QLDoc
Co-authored-by: Taus <tausbn@gmail.com>
2020-05-25 09:47:01 +02:00
Rasmus Lerchedahl Petersen
3e712be431 Python: Modernise 2020-05-25 09:00:34 +02:00
Rasmus Lerchedahl Petersen
712513916c Python: Address review 2020-05-25 07:44:00 +02:00