hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-28 06:36:33 +01:00
Code Issues Packages Projects Releases Wiki Activity
52,959 Commits 1,673 Branches 157 Tags
a8a6913512e84bc0c047faf06d46292e6c841d24
Commit Graph

132 Commits

Author SHA1 Message Date
Tom Hvitved
404ead8a18 Python: Update expected test output 2023-03-16 08:40:53 +01:00
Rasmus Wriedt Larsen
dad6221b61 Python: Accept dataflow-consistency.expected changes for now 
As highlighted in the configuration file, there are some things to catch
up on, and we also need to apply the same fix as Ruby for **kwargs
handling.
 2023-01-17 13:58:40 +01:00
Rasmus Wriedt Larsen
61151d4aa7 Merge branch 'main' into call-graph-code 2023-01-16 13:39:15 +01:00
Tom Hvitved
39fea378b8 Python: Update expected test output 2022-12-13 09:53:01 +01:00
Rasmus Wriedt Larsen
a826c4f48b Merge branch 'main' into call-graph-code 2022-12-08 11:39:30 +01:00
Tom Hvitved
8f701cf1cb Python: Update expected test output 2022-12-05 14:33:06 +01:00
Rasmus Wriedt Larsen
ee2f7401e8 Python: Add generator-flow/dataflow-consistency.ql 2022-11-22 14:46:33 +01:00
Rasmus Wriedt Larsen
c0ad870949 Python: Exclude synthetic generator functions from DataFlowCallable 2022-11-22 14:46:33 +01:00
Rasmus Wriedt Larsen
aa382ac042 Python: Add test for strange generator taint flow 
I did check, and this was not a problem with the old call-graph on main!

I'm absolutely baffled!
 2022-11-22 14:46:33 +01:00
Rasmus Wriedt Larsen
c4122275dc Python: Bring back support for flow-summaries 
Also needed to fix up `TestUtil/UnresolvedCalls.qll` after a bad merge
conflict resolution. Since all calls are now DataFlowCall, and not JUST
the ones that can be resolved, we need to put in the restriction that
the callable can also be resolved.
 2022-11-22 14:46:32 +01:00
Rasmus Wriedt Larsen
eb600f07b7 Python: Use config for dataflow-consistency.ql 
And ignore post-update nodes for `**kwargs` arguments
 2022-11-22 14:46:30 +01:00
Rasmus Wriedt Larsen
88f703af1f DataFlow: Accept changes to .expected 2022-11-10 22:13:34 +01:00
Tom Hvitved
f4b82cb2e8 Python: Update expected test output 2022-09-22 15:01:40 +02:00
Rasmus Lerchedahl Petersen
a1fe8a5b2b python: handle not in BarrierGuard 
in the program
```python
if not is_safe(path):
  return
```
the last node in the `ConditionBlock` is `not is_safe(path)`,
so it would never match "a call to is_safe".
Thus, guards inside `not` would not be part of `GuardNode`
(nor `BarrierGuard`). Now they can.
 2022-06-27 20:10:47 +00:00
Rasmus Lerchedahl Petersen
882000afb3 python: not is confusing our logic 
- added `is_unsafe`
- added "negated version" of two tests.
These versions do not use `not` and the analysis gets the taint right.
 2022-06-27 20:10:47 +00:00
Anders Schack-Mulligen
f473a0a961 Python: Deprecate and replace BarrierGuard class. 2022-06-20 15:46:38 +02:00
yoff
d953382df9 Merge pull request #7807 from RasmusWL/dataflow-improvements 
Python: Dataflow improvements
 2022-02-28 16:24:00 +01:00
Rasmus Wriedt Larsen
9d81fd3b95 Python: Improve sanitizer/guards tests 
Based on review conversation
 2022-02-18 14:12:41 +01:00
Rasmus Wriedt Larsen
b276b2d48c Python: Clean up taint steps for attributes 2022-02-07 13:12:31 +01:00
Rasmus Wriedt Larsen
59160eeb24 Python: Add test showing taint for attr store 
In `x.arg = TAINTED_STRING` there is a store step to the attribute `arg`
of `x`. In our taint modeling, we allow _any_ store step with the code
below. This means that we also say there is a taint-step directly from
`TAINTED_STRING` to `x` :|

```codeql
  // construction by literal
  // TODO: Not limiting the content argument here feels like a BIG hack, but we currently get nothing for free :|
  DataFlowPrivate::storeStep(nodeFrom, _, nodeTo)
```
 2022-02-07 13:12:28 +01:00
Rasmus Wriedt Larsen
1394b38032 Python: Improve customSanitizer tests 
Before we didn't show how we treated the value _after_ the check. But we
do actually handle this nicely 💪
 2022-02-01 15:09:29 +01:00
Rasmus Wriedt Larsen
baafd9f8ba Python: Add an other path injection FP 
Along with the root cause, which is the `StringConstCompare`
BarrierGuard, that does only allows `in <iterable literal>` and not
`in <variable referencing iterable literal>`
 2021-11-23 12:59:15 +01:00
Rasmus Lerchedahl Petersen
ac5a46f24f Python: split test as suggested in review 2021-11-09 13:04:52 +01:00
Rasmus Lerchedahl Petersen
624b794980 Python: separate taint sources in with 2021-11-04 17:06:36 +01:00
Rasmus Lerchedahl Petersen
05aa314ac9 Python: Add tests for non-async constructs 2021-11-03 10:54:36 +01:00
Rasmus Lerchedahl Petersen
768932d7b3 Python: Add tainttracking step that was removed 
when the correpsonding datadlow step was removed.
 2021-11-02 15:01:47 +01:00
Rasmus Lerchedahl Petersen
07d5086b07 Python: support user defined taint source 2021-11-02 15:00:23 +01:00
Rasmus Lerchedahl Petersen
cca675a161 Python: Add test for async taint 
(which we belive we have just broken)
 2021-10-28 09:47:04 +02:00
Rasmus Wriedt Larsen
6e9d9fcbbd Python: Improve taint steps in for & iterable unpacking 
These were written way before the ones in DataFlowPrivate, but
apparently didn't cover quite as much :|
 2021-07-22 14:16:17 +02:00
Rasmus Wriedt Larsen
d3163d8a76 Python: Add iterable-unpacking in for test 2021-07-22 11:59:46 +02:00
Rasmus Wriedt Larsen
e2d3fa7093 Python: Add list-comprehension taint test 2021-07-22 11:59:46 +02:00
Rasmus Wriedt Larsen
ce4b192caa Python: Improve usefulness of RemoteFlowSourcesReach meta query 
Before, results from `dca` would look something like

    ## + py/meta/alerts/remote-flow-sources-reach

    - django/django@c2250cf_cb8f: tests/messages_tests/urls.py:38:16:38:48
        reachable with taint-tracking from RemoteFlowSource
    - django/django@c2250cf_cb8f: tests/messages_tests/urls.py:38:9:38:12
        reachable with taint-tracking from RemoteFlowSource

now it should make it easier to spot _what_ it is that actually changed,
since we pretty-print the node.
 2021-07-21 16:35:09 +02:00
Rasmus Wriedt Larsen
cc311ac4cd Python: Re-introduce syntactic handling of str/bytes/unicode (again) 
This reverts commit 870389addb.
 2021-06-14 14:23:12 +02:00
Rasmus Wriedt Larsen
870389addb Revert "Python: Re-introduce syntactic handling of str/bytes/unicode" 
This reverts commit c4987e94e0.

Hoping that our new handling of builtins would solve this problem... but
it did not :|
 2021-06-14 14:22:40 +02:00
Rasmus Wriedt Larsen
af13064f6a Merge branch 'main' into pr/RasmusWL/5926 2021-06-14 14:17:33 +02:00
Rasmus Wriedt Larsen
9dbb364cca Python: Move json tests to be part of stdlib 
This is better, since the modeling is also part of Stdlib.qll
 2021-05-19 17:10:33 +02:00
Rasmus Wriedt Larsen
f66dccafda Python: Rename prettyExp => prettyExpr 
So we're consistenly using `expr` and not leaving our the `r`.
 2021-05-19 17:10:33 +02:00
Rasmus Wriedt Larsen
c4987e94e0 Python: Re-introduce syntactic handling of str/bytes/unicode 
I don't want to loose results on this, so until type-tracking/API graphs
can handle this, I want to keep our syntactic handling.
 2021-05-19 13:00:11 +02:00
Rasmus Wriedt Larsen
aa8b7306a3 Python: Use more API graphs in TaintTrackingPrivate 
But now we suddenly don't handle the call to `unicode` :O -- at least
not when I run the test locally (using Python 3).
 2021-05-19 12:59:58 +02:00
Rasmus Wriedt Larsen
72d08f4d6e Python: Model json load/dump 2021-05-10 15:10:30 +02:00
Rasmus Wriedt Larsen
63f28d7d9b Python: Model keyword args to json loads/dumps 2021-05-10 15:10:29 +02:00
Rasmus Wriedt Larsen
784e0cdb96 Python: Improve tests of json module 
Inspired by the work on previous commit
 2021-05-10 15:10:28 +02:00
Rasmus Lerchedahl Petersen
5a4e661e60 Merge branch 'main' of github.com:github/codeql into python-support-pathlib 2021-04-22 15:04:21 +02:00
Rasmus Lerchedahl Petersen
a8280f9b12 Python: update test expectation 2021-04-16 08:25:29 +02:00
Rasmus Wriedt Larsen
3e7dc12246 Python: Port taint tests to use inline expectations 
The meat of this PR is described in the new python/ql/test/experimental/meta/InlineTaintTest.qll file:

> Defines a InlineExpectationsTest for checking whether any arguments in
> `ensure_tainted` and `ensure_not_tainted` calls are tainted.
>
> Also defines query predicates to ensure that:
> - if any arguments to `ensure_not_tainted` are tainted, their annotation is marked with `SPURIOUS`.
> - if any arguments to `ensure_tainted` are not tainted, their annotation is marked with `MISSING`.
>
> The functionality of this module is tested in `ql/test/experimental/meta/inline-taint-test-demo`.
 2021-04-15 18:00:33 +02:00
Rasmus Lerchedahl Petersen
3eb1813584 Python: update test expectations 2021-04-15 10:47:49 +02:00
Rasmus Lerchedahl Petersen
6730396ad6 Python: Remove tests from non-test directory 2021-02-01 08:52:00 +01:00
Rasmus Lerchedahl Petersen
f6fa1276a6 Python: Add consistency checks 
to all data-flow test floders
 2021-01-29 21:28:43 +01:00
Rasmus Lerchedahl Petersen
23d3343bfb Merge branch 'main' of github.com:github/codeql into python-dataflow-modernize-tests 2021-01-19 18:24:52 +01:00
Rasmus Wriedt Larsen
e5e8ec6ecc Python: Add a few test-cases for barrier guards and references 
I'm not sure references is the best name, but it's the best I could come up with
jsut now
 2020-12-07 15:27:20 +01:00