722 Commits

Author	SHA1	Message	Date
erik-krogh	759854991a	fix various nits based on feedback	2023-02-15 11:10:43 +01:00
Rasmus Wriedt Larsen	23144f584a	Merge branch 'main' into call-graph-code	2023-02-08 16:17:34 +01:00
erik-krogh	cf094c2f4f	adjust which folders are seen as exported to remove an FP	2023-02-03 14:47:55 +01:00
erik-krogh	ef44cb86c2	remove FPs related to parameters that are meant to be commands	2023-02-03 14:47:55 +01:00
erik-krogh	e9ebba3350	assume shell=False for subprocess calls, fixes FPs in e.g. youtube-dl	2023-02-03 14:47:55 +01:00
erik-krogh	d228cf0e7b	use more API-nodes to model subprocess.run (and friends)	2023-02-03 14:47:55 +01:00
erik-krogh	bce83bfc4e	add failing test for indirectly setting the shell=true flag for subprocess.run	2023-02-03 14:47:55 +01:00
erik-krogh	0a2c7d062c	add Fabric test, and add tracking of the shell flag in Fabric	2023-02-03 14:47:55 +01:00
erik-krogh	6bbc4f4a48	add more tests	2023-02-03 14:47:55 +01:00
erik-krogh	33c506d7fe	add minimal test for Array join as a sink, and learn that the order is flipped compared to JS. Thanks Copilot!	2023-02-03 14:47:55 +01:00
erik-krogh	5bddfc0d79	add test for f-strings as sink	2023-02-03 14:47:55 +01:00
erik-krogh	47a06d2824	add library inputs as a source, and get minimal test to work	2023-02-03 14:47:55 +01:00
erik-krogh	6e712b293a	add tracking of strings to compile-sites for poly-redos, in the style of Ruby	2023-02-02 22:56:20 +01:00
erik-krogh	52959d7c0a	add failing test for not tracking strings to re.compile	2023-02-02 19:10:32 +01:00
Rasmus Wriedt Larsen	db114bb104	Merge branch 'main' into call-graph-code	2023-02-02 11:56:55 +01:00
Erik Krogh Kristensen	01f6862965	Merge pull request #11833 from erik-krogh/trackPyReg ... PY: track string-constants to regular expression uses	2023-02-01 11:40:42 +01:00
Rasmus Wriedt Larsen	80324735bb	Python: Fixup annotation for CWE-022-PathInjection/pathlib_use.py	2023-01-23 17:40:24 +01:00
Rasmus Wriedt Larsen	61151d4aa7	Merge branch 'main' into call-graph-code	2023-01-16 13:39:15 +01:00
yoff	006eaf3e2a	Merge pull request #11088 from yoff/python/inline-query-tests ... Python: Inline query tests	2023-01-12 10:32:26 +01:00
erik-krogh	538adb47a3	update expected output for DuplicateCharacterInSet	2023-01-06 15:41:57 +01:00
Rasmus Lerchedahl Petersen	03bd6cb414	python: Allow optional result=OK ... Also add a further test case	2023-01-06 13:33:12 +01:00
erik-krogh	10308f5875	track string-constants to regular expression uses	2023-01-06 13:17:31 +01:00
Rasmus Lerchedahl Petersen	d42bb119fe	python: align annotations with Ruby ... use `result=BAD` for expected alert and `result=OK` on sinks where alerts are not wanted.	2023-01-05 21:41:28 +01:00
Calum Grant	ad55706527	Merge branch 'main' into calumgrant/remove-lgtm	2023-01-03 10:27:30 +00:00
Arthur Baars	2f16d8d86a	AlertSuppression: fix python test cases	2022-12-21 11:26:16 +01:00
Arthur Baars	0f313231bc	AlertSuppression: add more tests	2022-12-19 16:43:11 +01:00
Calum Grant	a1d229e445	Python: Remove references to LGTM	2022-12-19 15:15:32 +00:00
Arthur Baars	c9739b21cb	AlertSuppression: add support for //codeql comments	2022-12-19 16:10:28 +01:00
Arthur Baars	c176606be5	AlertSuppression: allow //lgtm comments to scope over the next line	2022-12-19 16:10:26 +01:00
Arthur Baars	f68e18cd9c	Python: move AlertSuppression.ql	2022-12-19 12:39:01 +01:00
Arthur Baars	acb5d6e163	Python: use shared AlertSuppression.qll	2022-12-19 12:26:12 +01:00
Rasmus Wriedt Larsen	d684dbdf5c	Merge pull request #10656 from porcupineyhairs/PyPamImprove ... Python: Improve the PAM authentication bypass query	2022-12-08 11:59:10 +01:00
Rasmus Wriedt Larsen	a826c4f48b	Merge branch 'main' into call-graph-code	2022-12-08 11:39:30 +01:00
Jami Cogswell	25f0a13e15	update python test cases	2022-12-01 11:56:44 -05:00
Rasmus Wriedt Larsen	544de5232c	Python: Use ' instead of ` in select text	2022-11-29 14:47:45 +01:00
Rasmus Wriedt Larsen	4e67ec19d0	Python: Adjust alert text of py/pam-auth-bypass	2022-11-28 16:14:38 +01:00
Rasmus Wriedt Larsen	f8442ccb0e	Python: Adjust PAM Auth bypass test slightly	2022-11-28 16:08:44 +01:00
Rasmus Wriedt Larsen	fef06679e5	Python: Remove options file for PAM Auth Bypass ... Should not be needed	2022-11-28 16:03:32 +01:00
Rasmus Wriedt Larsen	479a9e4156	Python: Update .expected	2022-11-28 16:01:42 +01:00
Rasmus Lerchedahl Petersen	91198524cd	Python: port py/super-not-enclosing-class	2022-11-23 14:37:45 +01:00
Rasmus Wriedt Larsen	04a68f8d52	Merge pull request #11372 from RasmusWL/getpass ... Python: Model `getpass.getpass` as source of passwords	2022-11-22 14:49:04 +01:00
Rasmus Wriedt Larsen	6646e98d20	Python: Fix results outside DB for StackTraceExposure	2022-11-22 14:46:32 +01:00
Rasmus Wriedt Larsen	972cfa5cf6	Python: Accept bad StackTraceExposure.expected ... This is only Python 2 though	2022-11-22 14:46:32 +01:00
Rasmus Wriedt Larsen	a301c93ebf	Python: Fix results outside DB for CleartextLogging	2022-11-22 14:46:32 +01:00
Rasmus Wriedt Larsen	0a41d8d2c1	Python: Accept bad CleartextLogging.expected	2022-11-22 14:46:32 +01:00
Rasmus Wriedt Larsen	39ce50fadc	Python: Fix problems with sinks in pathlib ... This must mean that we did not have this flow with the old call-graph, which means the new call-graph is doing a better job (yay).	2022-11-22 14:46:32 +01:00
Rasmus Wriedt Larsen	edcaff26af	Python: Add path-injection test using pathlib ... Since it has the same problem of showing sinks inside the extracted stdlib	2022-11-22 14:46:32 +01:00
Rasmus Wriedt Larsen	9d29a0a044	Python: Accept changes to .expected from more pathlib flow ... But we don't want to keep this, this commit is just to show why we need a fix :)	2022-11-22 14:46:32 +01:00
Rasmus Wriedt Larsen	70cc986d5f	Python: Suppress None.json.dumps from ExternalAPI queries	2022-11-22 14:46:29 +01:00
Rasmus Wriedt Larsen	0bdc808a7a	Python: Add ExternalAPI test None.json.dumps	2022-11-22 14:46:29 +01:00