hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-18 01:33:15 +01:00
Code Issues Packages Projects Releases Wiki Activity
25,851 Commits 1,671 Branches 157 Tags
b51ce1d2b3e62b17d1cdc887b5e24c47aaad85ab
Commit Graph

3995 Commits

Author SHA1 Message Date
Taus
b51ce1d2b3 Merge pull request #6640 from yoff/python-add-parameter-default-value-flow-step 
Python: add parameter default value flow step
 2021-09-13 17:05:48 +02:00
Chris Smowton
38cc9bef02 ReDoS: fix unpaired surrogate test 
This actually does result in an FP, but this was previously hidden by non-interpretation of '\u' escapes within a raw string.
 2021-09-10 15:37:34 +01:00
Rasmus Lerchedahl Petersen
5d137ce9c5 Python: Update test expectations 2021-09-10 13:35:49 +02:00
Rasmus Wriedt Larsen
db78e3a7da Merge pull request #6274 from tausbn/python-api-graphs-import-star 
Python: Support `import *` in API graphs
 2021-09-10 13:25:41 +02:00
Rasmus Wriedt Larsen
b45743b562 Merge pull request #6312 from tausbn/python-deprecate-importnode 
Python: Deprecate `importNode`
 2021-09-10 13:12:56 +02:00
Tom Hvitved
649c2ce188 Merge pull request #6586 from hvitved/dataflow/stage2-precise-call-ctx-take2 
Data flow: Add precise call contexts to stage 2
 2021-09-10 11:34:35 +02:00
Tom Hvitved
296d10fe2a Data flow: Adjust callMayFlowThroughFwd pragmas 2021-09-10 09:21:24 +02:00
Rasmus Lerchedahl Petersen
baca9edbb1 Merge branch 'main' of github.com:github/codeql into python-add-parameter-default-value-flow-step 2021-09-08 14:48:13 +02:00
Anders Schack-Mulligen
1af39f0776 Dataflow: Sync. 2021-09-08 13:02:07 +02:00
Anders Schack-Mulligen
2b7882e6e5 Merge pull request #5032 from aschackmull/dataflow/subpaths 
Dataflow: Add subpaths query predicate.
 2021-09-08 11:52:41 +02:00
Rasmus Lerchedahl Petersen
4a5f70e6c8 Python: Reclassify defaultValueFlowStep 
as a `jumpStep`.
 2021-09-08 10:05:31 +02:00
Taus Brock-Nannestad
1ab86892a0 Merge branch 'main' into python-deprecate-importnode 2021-09-07 14:59:12 +02:00
Taus Brock-Nannestad
79c3ccd56e Python: Remove import-helper tests 
As discussed, these are all present in the `ApiGraphs` directory
already (except for the dataflow consistency test, which has been
moved there instead).
 2021-09-07 14:50:05 +02:00
Taus
51c0ceea38 Python: Update test_import_star.py 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2021-09-07 14:15:48 +02:00
Taus Brock-Nannestad
5f5285955b Merge branch 'main' into python-api-graphs-import-star 2021-09-07 14:13:56 +02:00
Taus
b99c075282 Merge pull request #6460 from yoff/python-regex-parsing-consistency-checks 
Python: Add regex parsing consistency checks
 2021-09-07 13:33:59 +02:00
Anders Schack-Mulligen
f30dad7705 Dataflow: Update test expected outputs. 2021-09-07 13:02:20 +02:00
Anders Schack-Mulligen
7ec1fa2ebe Dataflow: Sync. 2021-09-07 12:51:42 +02:00
Anders Schack-Mulligen
3c3d71d4a0 Dataflow: Sync 2021-09-07 12:51:42 +02:00
Rasmus Lerchedahl Petersen
fcd346c2af Python: Add flow from default values 
to their parameters.
This creates data-flow inconsistencies,
probably because the default values have incorrect enclosing callables
 2021-09-07 11:33:09 +02:00
yoff
138a7ae67f Merge pull request #6349 from RasmusWL/more-modeling 
Python: Improve various library modeling
 2021-09-06 17:01:45 +02:00
yoff
c7146ac10c Update python/ql/src/meta/alerts/RemoteFlowSourcesReach.ql 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswl@github.com>
 2021-09-06 16:00:58 +02:00
Andrew Eisenberg
6a47fcaf1f Packaging: Normalize all qlpack.yml files for all languages 
This commit ensures consistency among all of our qlpacks. Here are the
changes:

1. Ensure only modern references are used (codeql-{lang} is converted to
   codeql/{lang}-all or codeql/{lang}-queries where appropriate).
2. Use consistent version numbers. All languages are at 0.0.2 except
   javascript, which is 0.0.3.
3. Convert all `libraryPathDependencies` to `dependencies` with version
   constraints
4. Dependencies from query packs to other packs are always `"*"` since
   these dependencies are always from source and we should get the
   latest.
5. Dependencies from codeql/{lang}-lib to codeql/{lang}-upgrades must
   be strict since there is a tight connection between the libary
   and its relevant upgrades.
 2021-09-03 11:53:28 -07:00
Rasmus Wriedt Larsen
065075056b Python: Highlight how await taint-step works 2021-09-02 15:45:59 +02:00
Rasmus Wriedt Larsen
ad102e2746 Python: Minor cleanup to snippets 
As pointed out in review, we don't need this override any more!
 2021-09-02 15:40:32 +02:00
CodeQL CI
b4963c7538 Merge pull request #6558 from erik-krogh/redosCasing 
Approved by esbena, yoff
 2021-09-02 12:20:08 +01:00
Taus
e4fd749a46 Merge pull request #6547 from github/RasmusWL/cwe328-weak-hash 
Python: Add CWE-328 to `py/weak-sensitive-data-hashing`
 2021-09-02 11:42:31 +02:00
Erik Krogh Kristensen
1ad204d89e make after and TState private in ReDoSUtil 2021-09-02 09:15:43 +02:00
Erik Krogh Kristensen
df04c5044c use concat instead of strictconcat in RegexTreeView.qll 2021-09-02 08:54:39 +02:00
Tom Hvitved
c3ecae503b Data flow: Sync files 2021-09-01 19:58:47 +02:00
Erik Krogh Kristensen
a3289fabe1 sync ReDoSUtil with python 2021-09-01 12:47:06 +02:00
Rasmus Lerchedahl Petersen
a01fca5d48 Merge branch 'main' of github.com:github/codeql into python-regex-parsing-consistency-checks 
To fix conflicts
 2021-08-30 18:40:12 +02:00
yoff
13c5857241 Update python/ql/src/semmle/python/RegexTreeView.qll 
Co-authored-by: Taus <tausbn@github.com>
 2021-08-30 18:38:38 +02:00
Erik Krogh Kristensen
f5a1a12435 support case insensitive regexps in the ReDoS queries 2021-08-30 09:59:33 +02:00
Rasmus Wriedt Larsen
47377c7197 Merge branch 'main' into more-modeling 2021-08-26 13:40:17 +02:00
Erik Krogh Kristensen
0cc19d914e use toUnicode in ReDoSUtil.qll 2021-08-25 22:21:43 +02:00
Rasmus Wriedt Larsen
605bd19306 Python: Add CWE-328 to py/weak-sensitive-data-hashing 
Reading over the description at https://cwe.mitre.org/data/definitions/328.html:

> The product uses a hashing algorithm that produces a hash value that can be used to determine the original input, or to find an input that can produce the same hash, more efficiently than brute force techniques.

For the data that does not require computationally expensive hashing, that will be the exactly problems that this query finds 👍 (that is, MD5, SHA1)
 2021-08-25 10:19:22 +02:00
Andrew Eisenberg
3660c64328 Packaging: Rafactor Python core libraries 
Extract the external facing `qll` files into the codeql/python-all
query pack.
 2021-08-24 13:23:45 -07:00
yoff
2f5ed03798 Merge pull request #6323 from RasmusWL/sec-test-layout 
Python: Restructure security tests to contain query name
 2021-08-24 16:50:08 +02:00
Rasmus Wriedt Larsen
ca341bde08 Merge pull request #5612 from jty-team/jty/python/nosqlInjection 
Python: CWE-943 - Add NoSQL injection query
 2021-08-24 11:29:25 +02:00
Erik Krogh Kristensen
38477d7d2e Merge pull request #6462 from erik-krogh/repeat 
JS: support more regular expressions in js/incomplete-multi-character-sanitization
 2021-08-23 15:39:31 +02:00
yoff
0c0f335b1c Merge pull request #6508 from github/RasmusWL-patch-1 
Python: Update comment for RegExpTreeView isExcluded
 2021-08-23 15:07:29 +02:00
yoff
467aa647da Merge pull request #6507 from tausbn/python-prevent-polynomial-redos-explosion 
Python: Prevent explosion in poly-ReDoS query
 2021-08-23 11:48:14 +02:00
Rasmus Lerchedahl Petersen
34d7772a0d Python: Move constraints into pranch charpreds 
For sequences and alternations, we require at least one child.
Otherwise, we wish to represent the term differently.
This avoids multiple representations.
 2021-08-23 11:44:00 +02:00
Rasmus Lerchedahl Petersen
c4554836ca Python: merge test.py into unittests.py 2021-08-19 10:24:32 +02:00
Rasmus Lerchedahl Petersen
3c647c65bf Python: update comment 2021-08-19 10:21:19 +02:00
Rasmus Lerchedahl Petersen
21f683d531 Python: clean up stray coments 2021-08-18 16:59:35 +02:00
Taus
021e5ff510 Python: Autoformat 2021-08-18 14:27:54 +00:00
Rasmus Wriedt Larsen
60eb81106a Python: Update comment for RegExpTreeView isExcluded 
I noticed after reading https://github.com/github/codeql/pull/6507, but didn't want to overload that PR.
 2021-08-18 16:16:26 +02:00
Taus
af91a2df00 Python: Prevent explosion in poly-ReDoS query 
I consider this to be a short-term solution to the performance problems
we identified. The choice of "at most ten occurrences of `.*`" is
somewhat arbitrary, and it's possible a higher limit would work just as
well.
 2021-08-18 13:21:46 +00:00