hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-01-09 04:30:21 +01:00
Code Issues Packages Projects Releases Wiki Activity
17,823 Commits 1,680 Branches 157 Tags
a330cae2f9c4a00569f40da6e6ccb377a4e0bb64
Commit Graph

119 Commits

Author SHA1 Message Date
Mark Shannon
e14f7ef466 Python: Tarslip query; track info objects and handle sanitization. 2019-06-19 11:48:31 +01:00
Mark Shannon
ea4e263060 Python: Initial version and help of tar-slip (CWE-022) query. 2019-06-19 11:48:31 +01:00
Mark Shannon
8d4a8a6c6b Python: Reduce the number of strings and ints identified and possible hard-coded credentials. 2019-06-03 12:22:15 +01:00
Mark Shannon
28799441af Python: Fix false positive in 'Incomplete URL substring sanitization' query. 2019-04-25 18:11:01 +01:00
Taus
adf8cdcde5 Merge pull request #1203 from markshannon/python-taint-tracking-configuration-2 
Python: Use taint tracking configuration for queries.
 2019-04-09 10:01:35 +02:00
Mark Shannon
52b3f77f4f Fix typo. 2019-04-08 15:47:49 +01:00
Mark Shannon
2ba122373a Merge pull request #1128 from taus-semmle/python-paramiko-unsafe-host-key-validation 
Python: Add query for insecure SSH host key policies in Paramiko.
 2019-04-04 16:57:13 +01:00
Mark Shannon
c2e814a11a Fix CWE tag for Code injection query. 2019-04-04 15:09:12 +01:00
Mark Shannon
3bcd445a32 Python change 'SimpleHttpResponseTaintSink' to 'HttpResponseTaintSink'. 2019-04-04 14:45:37 +01:00
Mark Shannon
8b01bac900 Python: make sure unsafe deserialization query is using correct sources and that pickle is included in sinks. 2019-04-04 10:56:45 +01:00
Mark Shannon
bc19769e6d Python: make sure code injection query is using correct sources. 2019-04-04 10:56:45 +01:00
Mark Shannon
35e82dca68 Python revert .getNode() to .getSink()/.getSource() to keep expected test output the same. 2019-04-04 10:56:45 +01:00
Mark Shannon
f8c43ca40b Python: make sure all django and flask request sources conform to interface. 2019-04-04 10:56:45 +01:00
Mark Shannon
61e6ae7c4a Python: Use new taint-tracking query in unsafe deserialization query. 2019-04-04 10:56:45 +01:00
Mark Shannon
3c1a5bb046 Python: Use new taint-tracking query in code-injection query. 2019-04-04 10:56:44 +01:00
Mark Shannon
64e8be6ed1 Python: Use new taint-tracking query in reflected-xss query. 2019-04-04 10:56:44 +01:00
Mark Shannon
7fc5d690cd Python: Use new taint-tracking query in SQL-injection query. 2019-04-04 10:56:44 +01:00
Mark Shannon
058ae7befc Merge pull request #1142 from taus-semmle/python-use-new-moduleobject-api 
Python: Use new `ModuleObject` API more widely.
 2019-03-26 15:02:44 +00:00
Taus Brock-Nannestad
5eb63ae048 Fix false positive and add test. 2019-03-21 14:10:05 +01:00
Taus Brock-Nannestad
9cb35a8ca9 Use correct named argument for ssl.SSLContext. 2019-03-21 14:09:25 +01:00
Taus Brock-Nannestad
391e111189 Use attr instead of getAttribute. 2019-03-20 17:41:23 +01:00
Taus Brock-Nannestad
f14f7b50ed Python: Use ModuleObject::named more consistently. 2019-03-20 17:41:23 +01:00
Taus Brock-Nannestad
c7c6c83627 Address review comments. 2019-03-19 15:44:11 +01:00
Taus Brock-Nannestad
52278b25d9 Python: Add query for insecure SSH host key policies in Paramiko. 2019-03-18 16:45:54 +01:00
Mark Shannon
38a5fb715a Python: Avoid cross-talk between unrelated sources in py/stack-trace-exposure query. 2019-03-05 16:52:28 +00:00
Taus Brock-Nannestad
63893fe52c Python: Add missing @kind for py/insecure-temporary-file. 2019-03-04 11:20:39 +01:00
Taus Brock-Nannestad
e47b391329 Fix interpolation. 2019-02-26 16:27:04 +01:00
Taus Brock-Nannestad
7daaf77183 Make query alert refer to AST nodes rather than CFG nodes. 2019-02-26 15:56:37 +01:00
Taus Brock-Nannestad
504cb648d1 Change query description. 2019-02-26 13:26:20 +01:00
Taus Brock-Nannestad
8d774cd354 Merge branch 'master' into python-unsafe-use-of-mktemp 2019-02-26 13:23:38 +01:00
Mark Shannon
98be27a73e Python: Add 'attr' predicate as a synomnym for 'getAttribute' to help readability. 2019-02-20 11:08:44 +00:00
Mark Shannon
35fa5d8f60 Python move various theXXX() predicates into the appropriate module. 2019-02-20 10:34:08 +00:00
Taus
08fcb984a8 Implement getACall suggestion. 2019-01-29 17:59:45 +01:00
Taus
6f7c96db54 Merge branch 'master' into python-unsafe-use-of-mktemp 2019-01-29 16:12:53 +01:00
Taus Brock-Nannestad
9a9d902cfb Add support for os.tempnam and os.tmpnam. 2019-01-29 16:08:32 +01:00
Taus
9adb19f3a9 Merge branch 'master' into python-incomplete-url-sanitize 2019-01-29 14:17:37 +01:00
Mark Shannon
6d553ae2be Python: Check os.open as well as os.chmod for weak file permissions. 2019-01-28 14:26:16 +00:00
Mark Shannon
3850f87879 Make qhelp for 'Incomplete URL substring sanitization' consistent across languages. 2019-01-25 16:47:23 +00:00
Mark Shannon
6ddbed7d95 Python: Minor tweaks to qldoc and release note. 2019-01-25 11:34:41 +00:00
Mark Shannon
88d8cb514c Python: Two new queries for URL and hostname sanitization (CWE-020). 2019-01-24 12:57:14 +00:00
Mark Shannon
a3b5769c2c Python: Weak file permissions query. 2019-01-22 11:33:19 +00:00
Taus Brock-Nannestad
7c3dc929ac Add query and qhelp. 2019-01-17 14:45:25 +01:00
Taus Brock-Nannestad
9ac50186f6 Add a few more insecure versions 2019-01-07 15:24:15 +01:00
Taus Brock-Nannestad
1af503ab84 Address documentation comments. 2019-01-07 15:24:15 +01:00
Taus Brock-Nannestad
46973f4305 Support from ssl import PROTOCOL_.... 2019-01-07 15:24:15 +01:00
Taus Brock-Nannestad
e8a41f719c Add documentation. 2019-01-07 15:24:15 +01:00
Taus Brock-Nannestad
dfe3fc6d5c Pass pyOpenSSL method as parameter instead of keyword argument. 2019-01-07 15:24:15 +01:00
Taus Brock-Nannestad
d604f5c9c9 Fix insecure_version_name comments. 2019-01-07 15:24:15 +01:00
Taus Brock-Nannestad
a893dca06e Add support for ssl.SSLContext. 2019-01-07 15:24:15 +01:00
Taus Brock-Nannestad
0a839f8468 Python: Check for insecure versions of SSL and TLS. 2019-01-07 15:24:15 +01:00