hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-02-23 18:33:42 +01:00
Code Issues Packages Projects Releases Wiki Activity
85,714 Commits 1,693 Branches 161 Tags
97ddab0724bc37dec318f02ff79d091423236db5
Commit Graph

948 Commits

Author SHA1 Message Date
REDMOND\brodes
97ddab0724 Added support for new URIValidator in AntiSSRF library. Updated test caes to use postprocessing results. Currently results for partial ssrf still need work, it is flagging cases where the URL is fully controlled, but is sanitized. I'm not sure if this should be flagged yet. 2026-02-06 11:20:11 -05:00
Ben Rodes
08b72d0a86 Update python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_azure_client.py 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
 2026-02-06 11:18:51 -05:00
Ben Rodes
46a2a249f9 Update python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_azure_client.py 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
 2026-02-06 11:18:49 -05:00
REDMOND\brodes
9912aaaf1a Adding azure sdk test cases and updated test expected file. 2026-02-06 11:18:16 -05:00
REDMOND\brodes
0a88425170 Python: Altering SSRF MaD to use 'request-forgery' tag. Update to test cases expected results, off by one line. Changed to using ModelOutput::sinkNode. 2026-02-04 09:04:22 -05:00
Ben Rodes
7ddfa80399 Merge branch 'main' into azure_python_sdk_url_summary_upstream 2026-02-02 09:00:35 -05:00
Owen Mansel-Chan
ad6f800022 Pretty print model numbers in tests 2026-01-30 09:21:24 +00:00
yoff
3dbfb9fa4b python: add machinery for MaD barriers 
and reinstate previously removed barrier
now as a MaD row
 2026-01-22 17:30:24 +01:00
yoff
699ed50432 python: remove barrier that can be expressed in MaD 2026-01-22 17:30:24 +01:00
Taus
1b519384d7 Merge pull request #20739 from github/tausbn/python-remove-top-level-points-to-imports 
Python: Hide points-to imports in `python.qll`
 2025-12-05 14:24:41 +01:00
Taus
24a29f46be Python: Fix all metrics-related compilation failures 
In hindsight, having a `.getMetrics()` method that just returns `this`
is somewhat weird. It's possible that it predates the existence of the
inline cast, however.
 2025-11-26 21:28:51 +00:00
yoff
ebe29dd143 python: model urllib.ParseResult 2025-11-26 13:36:05 +01:00
yoff
d59f721341 python: add test for header injection 2025-11-26 13:32:54 +01:00
Joe Farebrother
8c277bd1d9 Merge pull request #20494 from joefarebrother/python-insecure-cookie-split 
Python: Split Insecure Cookie query into multiple queries
 2025-10-24 11:10:20 +01:00
Ben Rodes
d790c6df57 Update python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_azure_client.py 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
 2025-09-30 14:00:25 -04:00
Ben Rodes
fab96d9539 Update python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_azure_client.py 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
 2025-09-30 14:00:16 -04:00
REDMOND\brodes
704e2966cb Adding azure sdk test cases and updated test expected file. 2025-09-30 13:32:56 -04:00
Taus
e592fd60ff Merge pull request #20495 from github/tausbn/python-fix-unmatchable-dollar-in-lookahead 
Python: Fix false positive for unmatchable dollar/caret
 2025-09-25 15:27:32 +02:00
Joe Farebrother
cb7b1efe81 Update alert message 2025-09-25 09:52:27 +01:00
Joe Farebrother
9f5bfeb7f4 Update test output 2025-09-24 15:03:40 +01:00
Joe Farebrother
2cffb21604 Update and fix tests 2025-09-23 15:41:09 +01:00
Joe Farebrother
d28e8004fd Add sensitive data heuristic 2025-09-23 10:08:08 +01:00
Joe Farebrother
463f79bed2 Merge pull request #20263 from joefarebrother/python-qual-exceptions 
Python: Modernize the Unreachable Except Block query
 2025-09-22 09:42:09 +01:00
Taus
95a84ad655 Python: Fix false positive for unmatchable dollar/caret 
Our previous modelling did not account for the fact that a lookahead can
potentially extend all the way to the end of the input (and similarly,
that a lookbehind can extend all the way to the beginning).

To fix this, I extended `firstPart` and `lastPart` to handle lookbehinds
and lookaheads correctly, and added some test cases (all of which yield
no new results).

Fixes #20429.
 2025-09-19 15:06:46 +00:00
Joe Farebrother
2e95c2b3c2 Split test cases for insecure cookie queries 2025-09-19 14:41:02 +01:00
Joe Farebrother
2cd1d2fd2f Merge pull request #20392 from joefarebrother/python-qual-file-not-closed 
Python: Improve File Not Closed query to reduce false positives and provide clearer alerts
 2025-09-18 09:33:08 +01:00
Joe Farebrother
f3802ec60f Merge pull request #20217 from joefarebrother/python-qual-signature-mismatch 
Python: Modernize the Signature Mismatch query
 2025-09-17 13:29:33 +01:00
Napalys Klicius
e60d0c88f1 Python: Add global variable nested field jump steps 2025-09-16 18:08:53 +02:00
Napalys Klicius
6c779c7fa5 Python: Added extra test cases for path injection with FastAPI 2025-09-16 18:08:53 +02:00
Napalys Klicius
f209e3a0fe Python: Updated PathInjection tests to use inline test expectations 2025-09-16 18:08:53 +02:00
Joe Farebrother
ea562de3e6 Fix tests 2025-09-09 15:17:16 +01:00
Joe Farebrother
b01b40b51b Update test output 2025-09-09 13:44:03 +01:00
Joe Farebrother
e382f7cd43 Improve check for containment in with statement 2025-09-09 11:26:17 +01:00
Joe Farebrother
ff4c11f503 Update test output. Accepting some FNs due to dataflow issue. 2025-09-06 00:45:15 +01:00
Joe Farebrother
0b293eaba5 Update test output 2025-09-05 22:43:21 +01:00
Joe Farebrother
bd3fa7fb21 Switch to dataflow check for guards exceptions 
This reduces some confusing FPs, though appears to introduce another
 2025-09-05 16:03:55 +01:00
Joe Farebrother
cd6a151d9b Add missing predicate + update test output 2025-09-03 09:48:07 +01:00
Joe Farebrother
318d1cd392 Increase precision in detecting call matches signature 2025-09-02 12:02:08 +01:00
Joe Farebrother
502ea82c91 Updae other test output 2025-09-01 16:31:04 +01:00
Joe Farebrother
2bbf24b3ea Add additional test cases 2025-09-01 16:30:53 +01:00
Joe Farebrother
f429b9038c Update tests, update alert messages 2025-09-01 16:30:44 +01:00
Joe Farebrother
f7097136f1 Rank multiple calls so only the first 2 calls are alerted 2025-09-01 16:23:42 +01:00
Joe Farebrother
ba8658491a Update qhelp + alert messages 2025-09-01 14:11:01 +01:00
Joe Farebrother
daa5525a10 Update tests and add an additional test 2025-09-01 14:10:55 +01:00
Joe Farebrother
9619ae8a2d Add additional test case + update missing del tests 2025-09-01 14:10:47 +01:00
Joe Farebrother
c9932e187a Update tests for calls to init + fixes 2025-09-01 14:10:44 +01:00
Joe Farebrother
99a05ed5a4 Update test outputs + fix semantics 2025-09-01 14:10:36 +01:00
Joe Farebrother
732c818916 Move tests and add inline expectation postprocessing 2025-09-01 14:10:33 +01:00
Napalys Klicius
bafe22c50c Merge pull request #20048 from Napalys/js/xml_bomb_sinks 
JS: Exclude patched libraries from `xml-bomb` sink
 2025-08-29 08:10:55 +02:00
Joe Farebrother
7ef2b01119 Merge pull request #20142 from joefarebrother/python-qual-subclass-shadow 
Python: Modernise Superclass attribute shadows subclass method query
 2025-08-28 13:40:26 +01:00