hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-18 01:33:15 +01:00
Code Issues Packages Projects Releases Wiki Activity
46,021 Commits 1,671 Branches 157 Tags
ad0b36a0c901b694ba5d4e1f586128305ebcd28b
Commit Graph

2836 Commits

Author SHA1 Message Date
Rasmus Wriedt Larsen
ead0844174 Merge pull request #10998 from RasmusWL/essa-use-use-test 
Python: Add failing ESSA use-use test
 2022-10-31 10:38:26 +01:00
Rasmus Wriedt Larsen
a04c78ab94 Python: Apply suggestions from code review 
Co-authored-by: yoff <lerchedahl@gmail.com>
 2022-10-28 15:31:42 +02:00
Rasmus Wriedt Larsen
dbd84b2d37 InlineExpectationsTest: Add quote around missing tag 
To aid with quickly scanning where the missing tag is. I just had to do
this myself looking over some test failures, and it all just blurred
into each other in the logs.

see https://github.com/github/codeql/actions/runs/3332266045/jobs/5512944867#step:5:467
 2022-10-27 09:02:28 +02:00
Rasmus Wriedt Larsen
76e84ef63a InlineExpectationsTest: Fail if missing getARelevantTag 2022-10-26 18:20:37 +02:00
Rasmus Wriedt Larsen
bfe9aa1225 InlineExpectationsTest: Add test showing what happens if you leave out getARelevantTag 2022-10-26 18:00:03 +02:00
Rasmus Wriedt Larsen
b3f29b0a53 Python: Add failing ESSA use-use test 
I initially created this as a dataflow test, but then realized it could
just be an ESSA test. I cound't find any existing ESSA tests though :|
so created a new dir for it.
 2022-10-26 17:49:33 +02:00
ALJI Mohamed
fdbed2a019 Add expected test results without considering inStdLib files. 2022-10-22 09:34:57 +01:00
ALJI Mohamed
0f44268038 Add expected test results 2022-10-21 22:14:55 +01:00
ALJI Mohamed
7d60f1f1c8 Modified the QL ref file and add TarSlip examples 2022-10-21 22:14:00 +01:00
ALJI Mohamed
31a6fb4181 Add TarSlip qlref for query-tests 2022-10-21 21:28:20 +01:00
Taus
f5b2eb94a6 Merge pull request #10783 from yoff/python/subscript-nodes 
Python: API graph improvements for subscripts
 2022-10-17 15:21:56 +02:00
sylwia-budzynska
0eb48969a0 Fix typo 2022-10-13 20:02:03 +02:00
Sylwia Budzynska
e291d61bc7 Add oracledb model 2022-10-13 18:08:47 +02:00
sylwia-budzynska
c33dd8fd4b Merge branch 'main' into python-db-models 2022-10-13 16:48:50 +02:00
Sylwia Budzynska
646c9b559b Add tests 2022-10-13 12:36:57 +02:00
Sylwia Budzynska
e41d79e37d Add python cx_oracle, phoenixdb, pyodbc models 2022-10-13 12:36:41 +02:00
Rasmus Lerchedahl Petersen
0b8e908823 Python: fix def nodes for subscript 
We were using `getMember` for dictionaries, these are now getIndex
Also add convenience predicate for string keys
 2022-10-12 20:13:48 +02:00
Jeroen Ketema
d389a183f0 Merge pull request #10743 from jsoref/spelling 
Spelling
 2022-10-12 12:48:22 +02:00
Rasmus Wriedt Larsen
b3f10311b3 Merge pull request #10752 from RasmusWL/pymssql 
Python: DB Modeling: Add `pymssql` and `executemany` in general
 2022-10-11 15:55:04 +02:00
erik-krogh
a826dbbdee fix capitalization in stack-trace-exposure 2022-10-11 13:59:10 +02:00
erik-krogh
4da0508dae Merge branch 'main' into py-last-msg 2022-10-11 10:49:19 +02:00
Josh Soref
21caa4b03f spelling: across 
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
 2022-10-11 00:23:35 -04:00
Rasmus Wriedt Larsen
dba42d6bb8 Python: Model executemany on PEP-249 DB APIs 
Note: I kept the modeling using the old approach with type-trackers
instead of `DataFlow::MethodCallNode`.

I would like a meta query for DCA to show sinks before doing this, so I
can be absolutely sure we don't loose out on any important sinks on
this... so will postpone this work to a small one-off task (added to my
todo list).
 2022-10-10 14:16:47 +02:00
Rasmus Wriedt Larsen
4ee71ae4a1 Python: Add support for pymssql package 
I also forgot to mention `PyMySQL` in frameworks.rst
 2022-10-10 14:02:40 +02:00
Rasmus Wriedt Larsen
4b1f6f0865 Merge pull request #10629 from RasmusWL/fix-flask-source 
Python: Fix flask request modeling
 2022-10-10 09:56:22 +02:00
erik-krogh
6fdfd40880 changes to address reviews 2022-10-07 22:31:00 +02:00
erik-krogh
944ca4a0da fix some more style-guide violations in the alert-messages 2022-10-07 11:23:34 +02:00
Rasmus Wriedt Larsen
05bca0249c Python: Expand test for py/flask-debug 
(I couldn't see one using positional argument)
 2022-10-04 20:39:08 +02:00
Rasmus Wriedt Larsen
d7be27a1c0 Python: Fix experimental py/ip-address-spoofing 
I realized the modeling was done in a non-recommended way, so I changed
the modeling. It was very nice that I could use API graphs for the flask
part, and a little sad when I couldn't for Django/Tornado.
 2022-10-03 21:19:30 +02:00
Rasmus Wriedt Larsen
b01a0ae696 Python: Adjust .expected after flask source change 
It's really hard to audit that this is all good.. I tried my best with
`icdiff` though -- and there is a problem with
ql/src/experimental/Security/CWE-348/ClientSuppliedIpUsedInSecurityCheck.ql
that needs to be fixed in the next commit
 2022-10-03 20:35:49 +02:00
Rasmus Wriedt Larsen
a0fcd4a9bf Merge pull request #10631 from RasmusWL/cleanup-options-files 
Python: Remove last `-p ../lib/` in `options` files
 2022-10-03 11:09:59 +02:00
Nick Rolfe
ed74e0aad1 JS/Python/Ruby: s/a HTML/an HTML/ 2022-09-30 10:37:52 +01:00
Rasmus Wriedt Larsen
ea27f4e20f Python: Remove last -p ../lib/ in options files 
These were only needed for points-to.

If they only contained `--max-import-depth`, I've removed the `options`
file entirely.
 2022-09-29 18:05:51 +02:00
erik-krogh
7675571daa fix RegExpEscape::getValue having multiple results for some escapes 2022-09-27 13:25:23 +02:00
Rasmus Wriedt Larsen
71da217b82 Merge pull request #10535 from RasmusWL/flask-jsonify 
Python: Model `flask.jsonify`
 2022-09-23 12:18:27 +02:00
Tom Hvitved
f4b82cb2e8 Python: Update expected test output 2022-09-22 15:01:40 +02:00
Rasmus Wriedt Larsen
d3f811cab3 Python: Accept any arg to flask.jsonify 
Thanks @tausbn 👍
 2022-09-22 14:59:06 +02:00
Rasmus Wriedt Larsen
8174120916 Python: Model flask.jsonify 2022-09-22 14:43:39 +02:00
Rasmus Wriedt Larsen
078d3d0062 Python: Add stacktrace exposure example 2022-09-22 14:27:49 +02:00
yoff
18a8a3332d Merge pull request #10494 from RasmusWL/tarslip-test-imports 
Python: Fix imports for tarslip tests
 2022-09-20 20:04:14 +02:00
Rasmus Wriedt Larsen
253d9cf39f Python: Fix imports for tarslip tests 
This doesn't change results, but makes the test-code more valid
 2022-09-20 17:25:46 +02:00
yoff
ea743173d5 Merge pull request #8781 from yoff/python-dataflow/flow-summaries-from-scratch 
Python dataflow: flow summaries restart
 2022-09-20 14:08:31 +02:00
Rasmus Wriedt Larsen
556e93ae68 Merge pull request #10384 from RasmusWL/callnode-getargbyname 
Python: Allow `CallNode.getArgByName` for keyword args after `**kwargs`
 2022-09-19 15:05:59 +02:00
Rasmus Lerchedahl Petersen
37fb27fa1c Python: change type of LibraryCallable::getACall 
The other callables return control flow nodes,
so it is slightly inconsistent for this to return a
data flow node, but it does make models based
on API graphs nicer.
 2022-09-19 14:02:52 +02:00
Erik Krogh Kristensen
a4cd913aea Merge pull request #10312 from erik-krogh/fix-caseDiff 
ensure consistent casing of names
 2022-09-19 10:43:12 +02:00
CodeQL CI
b48808778f Merge pull request #10264 from yoff/python/port-RaisesTuple 
Approved by tausbn
 2022-09-19 00:51:29 -07:00
CodeQL CI
ed4b64b1c4 Merge pull request #10265 from yoff/python/port-UnguardedNextInGenerator 
Approved by tausbn
 2022-09-19 00:50:52 -07:00
Rasmus Lerchedahl Petersen
33b508d6e6 Python: undo change to --max-import-depth 
This is not necessary as long as `LibraryCall` only
includes unresolved calls.
 2022-09-14 12:52:27 +02:00
Rasmus Lerchedahl Petersen
245baa51a3 Python: rename summary map -> list_map, 
since map resolves to a class call

also fix test expectation
 2022-09-14 11:21:16 +02:00
Rasmus Lerchedahl Petersen
f83158ff8b Python: do not stake out too much territory 2022-09-14 10:28:11 +02:00