hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-03-23 16:06:47 +01:00
Code Issues Packages Projects Releases Wiki Activity
25,654 Commits 1,712 Branches 163 Tags
a9c409403c91efb1671e91cd3774267fdbadb289
Commit Graph

3830 Commits

Author SHA1 Message Date
Rasmus Lerchedahl Petersen
a9c409403c Python: more tests and comments 2021-09-08 14:44:36 +02:00
Rasmus Lerchedahl Petersen
9b198c6d0a Python: Add some module initialization tests 2021-09-08 10:37:28 +02:00
Taus
b99c075282 Merge pull request #6460 from yoff/python-regex-parsing-consistency-checks 
Python: Add regex parsing consistency checks
 2021-09-07 13:33:59 +02:00
yoff
138a7ae67f Merge pull request #6349 from RasmusWL/more-modeling 
Python: Improve various library modeling
 2021-09-06 17:01:45 +02:00
yoff
c7146ac10c Update python/ql/src/meta/alerts/RemoteFlowSourcesReach.ql 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswl@github.com>
 2021-09-06 16:00:58 +02:00
Andrew Eisenberg
6a47fcaf1f Packaging: Normalize all qlpack.yml files for all languages 
This commit ensures consistency among all of our qlpacks. Here are the
changes:

1. Ensure only modern references are used (codeql-{lang} is converted to
   codeql/{lang}-all or codeql/{lang}-queries where appropriate).
2. Use consistent version numbers. All languages are at 0.0.2 except
   javascript, which is 0.0.3.
3. Convert all `libraryPathDependencies` to `dependencies` with version
   constraints
4. Dependencies from query packs to other packs are always `"*"` since
   these dependencies are always from source and we should get the
   latest.
5. Dependencies from codeql/{lang}-lib to codeql/{lang}-upgrades must
   be strict since there is a tight connection between the libary
   and its relevant upgrades.
 2021-09-03 11:53:28 -07:00
Rasmus Wriedt Larsen
065075056b Python: Highlight how await taint-step works 2021-09-02 15:45:59 +02:00
Rasmus Wriedt Larsen
ad102e2746 Python: Minor cleanup to snippets 
As pointed out in review, we don't need this override any more!
 2021-09-02 15:40:32 +02:00
CodeQL CI
b4963c7538 Merge pull request #6558 from erik-krogh/redosCasing 
Approved by esbena, yoff
 2021-09-02 12:20:08 +01:00
Taus
e4fd749a46 Merge pull request #6547 from github/RasmusWL/cwe328-weak-hash 
Python: Add CWE-328 to `py/weak-sensitive-data-hashing`
 2021-09-02 11:42:31 +02:00
Erik Krogh Kristensen
1ad204d89e make after and TState private in ReDoSUtil 2021-09-02 09:15:43 +02:00
Erik Krogh Kristensen
df04c5044c use concat instead of strictconcat in RegexTreeView.qll 2021-09-02 08:54:39 +02:00
Erik Krogh Kristensen
a3289fabe1 sync ReDoSUtil with python 2021-09-01 12:47:06 +02:00
Rasmus Lerchedahl Petersen
a01fca5d48 Merge branch 'main' of github.com:github/codeql into python-regex-parsing-consistency-checks 
To fix conflicts
 2021-08-30 18:40:12 +02:00
yoff
13c5857241 Update python/ql/src/semmle/python/RegexTreeView.qll 
Co-authored-by: Taus <tausbn@github.com>
 2021-08-30 18:38:38 +02:00
Erik Krogh Kristensen
f5a1a12435 support case insensitive regexps in the ReDoS queries 2021-08-30 09:59:33 +02:00
Rasmus Wriedt Larsen
47377c7197 Merge branch 'main' into more-modeling 2021-08-26 13:40:17 +02:00
Erik Krogh Kristensen
0cc19d914e use toUnicode in ReDoSUtil.qll 2021-08-25 22:21:43 +02:00
Rasmus Wriedt Larsen
605bd19306 Python: Add CWE-328 to py/weak-sensitive-data-hashing 
Reading over the description at https://cwe.mitre.org/data/definitions/328.html:

> The product uses a hashing algorithm that produces a hash value that can be used to determine the original input, or to find an input that can produce the same hash, more efficiently than brute force techniques.

For the data that does not require computationally expensive hashing, that will be the exactly problems that this query finds 👍 (that is, MD5, SHA1)
 2021-08-25 10:19:22 +02:00
Andrew Eisenberg
3660c64328 Packaging: Rafactor Python core libraries 
Extract the external facing `qll` files into the codeql/python-all
query pack.
 2021-08-24 13:23:45 -07:00
yoff
2f5ed03798 Merge pull request #6323 from RasmusWL/sec-test-layout 
Python: Restructure security tests to contain query name
 2021-08-24 16:50:08 +02:00
Rasmus Wriedt Larsen
ca341bde08 Merge pull request #5612 from jty-team/jty/python/nosqlInjection 
Python: CWE-943 - Add NoSQL injection query
 2021-08-24 11:29:25 +02:00
Erik Krogh Kristensen
38477d7d2e Merge pull request #6462 from erik-krogh/repeat 
JS: support more regular expressions in js/incomplete-multi-character-sanitization
 2021-08-23 15:39:31 +02:00
yoff
0c0f335b1c Merge pull request #6508 from github/RasmusWL-patch-1 
Python: Update comment for RegExpTreeView isExcluded
 2021-08-23 15:07:29 +02:00
yoff
467aa647da Merge pull request #6507 from tausbn/python-prevent-polynomial-redos-explosion 
Python: Prevent explosion in poly-ReDoS query
 2021-08-23 11:48:14 +02:00
Rasmus Lerchedahl Petersen
34d7772a0d Python: Move constraints into pranch charpreds 
For sequences and alternations, we require at least one child.
Otherwise, we wish to represent the term differently.
This avoids multiple representations.
 2021-08-23 11:44:00 +02:00
Rasmus Lerchedahl Petersen
c4554836ca Python: merge test.py into unittests.py 2021-08-19 10:24:32 +02:00
Rasmus Lerchedahl Petersen
3c647c65bf Python: update comment 2021-08-19 10:21:19 +02:00
Rasmus Lerchedahl Petersen
21f683d531 Python: clean up stray coments 2021-08-18 16:59:35 +02:00
Taus
021e5ff510 Python: Autoformat 2021-08-18 14:27:54 +00:00
Rasmus Wriedt Larsen
60eb81106a Python: Update comment for RegExpTreeView isExcluded 
I noticed after reading https://github.com/github/codeql/pull/6507, but didn't want to overload that PR.
 2021-08-18 16:16:26 +02:00
Taus
af91a2df00 Python: Prevent explosion in poly-ReDoS query 
I consider this to be a short-term solution to the performance problems
we identified. The choice of "at most ten occurrences of `.*`" is
somewhat arbitrary, and it's possible a higher limit would work just as
well.
 2021-08-18 13:21:46 +00:00
Andrew Eisenberg
03d6b15401 Merge branch 'main' into aeisenberg/pack/cpp 2021-08-17 15:28:47 -07:00
Rasmus Wriedt Larsen
3231ae77ef Python: Apply suggestions from code review 
Co-authored-by: yoff <lerchedahl@gmail.com>
 2021-08-17 15:17:10 +02:00
Erik Krogh Kristensen
3f7f5d2418 performance improvements in ReDoSUtil 2021-08-17 15:10:33 +02:00
Erik Krogh Kristensen
49e47641e4 sync ReDoSUtil.qll with python 2021-08-17 15:10:33 +02:00
Rasmus Wriedt Larsen
15d483d56c Python: Use TypeTrackingNode in new PEP249 modeling 2021-08-17 12:03:40 +02:00
Rasmus Wriedt Larsen
b649f5f38c Merge branch 'main' into peewee-modeling 2021-08-17 12:03:18 +02:00
Rasmus Lerchedahl Petersen
dee5535fbb Python: condense tests 
This also avoids potential licensing issues.
 2021-08-17 11:24:39 +02:00
Andrew Eisenberg
e566fb9c5a Packaging: Update suite-helpers qlpack 
Uses new style naming scheme.
 2021-08-16 17:51:33 -07:00
Erik Krogh Kristensen
46959234b7 Merge pull request #6288 from erik-krogh/emptyRedos 
JS/Python: Fix FP in redos related to empty lookaheads
 2021-08-16 13:48:22 +02:00
Erik Krogh Kristensen
e962a7c77c Update python/ql/src/semmle/python/RegexTreeView.qll 
Co-authored-by: yoff <lerchedahl@gmail.com>
 2021-08-16 11:24:05 +02:00
Rasmus Lerchedahl Petersen
6be78d442c Python: fix compilation 2021-08-16 10:35:33 +02:00
Rasmus Lerchedahl Petersen
2df846ee4b Merge branch 'python-regex-parsing-consistency-checks' of github.com:yoff/codeql into python-regex-parsing-consistency-checks 2021-08-12 13:34:11 +02:00
Rasmus Lerchedahl Petersen
54e65ce765 Python: Add consistency tests 
for all the projects that went out of disk as a result of ReDoS
 2021-08-12 13:33:44 +02:00
yoff
61bbddeb0c Apply suggestions from code review 
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
 2021-08-12 09:39:04 +02:00
Rasmus Lerchedahl Petersen
c08f94ec04 Python: Fix parsing of octal escapes 2021-08-11 15:01:26 +02:00
Rasmus Lerchedahl Petersen
34b054ff53 Python: Add consistency checks 2021-08-11 14:58:27 +02:00
jorgectf
e6ce10b5c5 Merge remote-tracking branch 'origin/main' into jty/python/nosqlInjection 2021-08-10 20:01:08 +02:00
Tom Hvitved
ea6d51f123 Python: Avoid bad join in AstExtended::AstNode::containsInScope 2021-08-09 11:20:57 +02:00