hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-01-24 20:02:58 +01:00
Code Issues Packages Projects Releases Wiki Activity
43,504 Commits 1,686 Branches 158 Tags
b545bbb477cbf7fb3d67d44ec65ae8bb69730313
Commit Graph

3601 Commits

Author SHA1 Message Date
Taus
3ce7d47b5b Merge pull request #7452 from jorgectf/python_jwt 
Python: Add Python_JWT to JWT security query
 2022-02-23 15:23:20 +01:00
Jorge
0216798cb9 Apply suggestions from code review 
Co-authored-by: Taus <tausbn@github.com>
 2022-02-22 20:55:51 +01:00
Rasmus Wriedt Larsen
b59ab7f5f3 Merge branch 'main' into python/promote-log-injection 2022-02-21 09:59:31 +01:00
jorgectf
c5f30d99d5 Create an extendable AdditionalTaintStep class in customizations 2022-02-20 17:34:12 +01:00
Arthur Baars
ebb87c4b36 Merge pull request #7975 from github/post-release-prep/codeql-cli-2.8.1 
Post-release preparation for codeql-cli-2.8.1
 2022-02-15 20:17:35 +01:00
Rasmus Wriedt Larsen
5a90214ece Merge pull request #7783 from yoff/python/promote-ldap-injection 
Python: promote LDAP injection query
 2022-02-15 10:24:18 +01:00
yoff
de5b3a272d Merge pull request #7660 from RasmusWL/deprecate-old-modeling 
Python: Deprecate old points-to based modeling
 2022-02-14 19:48:03 +01:00
Rasmus Lerchedahl Petersen
d1200d0cd5 python: fix change-note formatting 2022-02-14 12:22:29 +01:00
Rasmus Lerchedahl Petersen
84447e4710 python: more detailed alert message 2022-02-14 11:55:07 +01:00
root
5ed5e0b105 Add query to detect ZipSlip 2022-02-13 16:44:27 -05:00
github-actions[bot]
21bf29353f Post-release preparation for codeql-cli-2.8.1 2022-02-11 11:07:31 +00:00
github-actions[bot]
f25fc70b7c Release preparation for version 2.8.1 2022-02-10 22:08:24 +00:00
Rasmus Wriedt Larsen
94f9656e8e Python: Solve deprecation warnings for old experimental queries 2022-02-10 00:09:43 +01:00
Rasmus Lerchedahl Petersen
aa010e420b python: update qhelp 2022-02-09 15:27:39 +01:00
Rasmus Lerchedahl Petersen
75a2f92ce4 pthon: add change note 2022-02-09 15:23:36 +01:00
jorgectf
85b5ef36ae XmlInjection -> XmlEntityInjection 2022-02-09 13:28:56 +01:00
Tom Hvitved
9440a45015 Merge branch 'main' into post-release-prep/codeql-cli-2.8.0 2022-02-09 09:40:33 +01:00
jorgectf
c6d8b97871 Make verifyCall() a private predicate 2022-02-08 23:37:17 +01:00
jorgectf
ed60d16367 Refactor the way to check the verifying call 2022-02-08 23:33:30 +01:00
Jorge
f1fab98ea2 Merge branch 'github:main' into python_jwt 2022-02-08 23:12:58 +01:00
jorgectf
01ad25f3f0 Apply .getALocalSource() and fix xmltodict's vulnerable predicate 2022-02-08 17:51:09 +01:00
jorgectf
8f9cd16806 Update 2022-02-08 17:23:18 +01:00
Rasmus Lerchedahl Petersen
103b5761f3 python: remove superfluous configuration 
this also removes duplicated nodes and edges
in the path results
 2022-02-08 11:34:11 +01:00
Rasmus Lerchedahl Petersen
a9cfc60ea1 python: move supporting libraries 
and update reference in query
 2022-02-08 11:27:45 +01:00
Rasmus Lerchedahl Petersen
88efcff818 python: move query 
and update reference in query test
 2022-02-08 11:24:09 +01:00
Rasmus Wriedt Larsen
eb109828c0 Merge pull request #7252 from museljh/feature/cwe-338 
Python: CWE-338 insecureRandomness
 2022-02-07 19:30:06 +01:00
github-actions[bot]
b4ab86c020 Post-release preparation for codeql-cli-2.8.0 2022-02-06 23:34:07 +00:00
Jorge
d96eb01b9c Merge branch 'github:main' into jorgectf/python/deserialization 2022-02-04 16:32:01 +01:00
Erik Krogh Kristensen
5e23da813f rename named-parameters to keyword-parameters 2022-02-03 23:10:39 +01:00
Erik Krogh Kristensen
e434f075fa introduce, and use, API::APICallNode 2022-02-03 23:10:39 +01:00
Rasmus Wriedt Larsen
8386b36217 Python: Apply suggestions from code review 
Co-authored-by: Nick Rolfe <nickrolfe@github.com>
 2022-02-03 15:00:04 +01:00
Rasmus Wriedt Larsen
cf68148316 Python: Add change-note 2022-02-03 14:29:02 +01:00
liangjinhuang
1dd15fa235 style:auto format 2022-02-02 01:30:54 +08:00
liangjinhuang
976e484c57 style:move all source files under src/experimental & feat:modify source regular matching rules 2022-02-02 01:14:51 +08:00
liangjinhuang
1885b683f7 style:formatDocument 2022-02-02 00:21:26 +08:00
Rasmus Lerchedahl Petersen
c2cd58edc4 python: rewrite to separate configurations 
source nodes get duplicated, so perhaps flow states
are actually better for performance?
 2022-02-01 14:36:11 +01:00
Rasmus Lerchedahl Petersen
bec8c0daea python: update change note 2022-02-01 13:39:03 +01:00
museljh
012434b152 Update python/ql/src/experimental/Security/CWE-338/InsecureRandomness.ql 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2022-02-01 19:00:06 +08:00
museljh
a6002186bd Update python/ql/src/experimental/Security/CWE-338/InsecureRandomness.ql 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2022-02-01 18:59:12 +08:00
Rasmus Wriedt Larsen
f7a0b17ed6 Merge pull request #7687 from yoff/python/PathInjection-FlowState 
python: Rewrite path injection query to use flow state
 2022-02-01 11:33:37 +01:00
yoff
b120721942 Update python/ql/src/Security/CWE-090/LdapInjection.ql 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2022-02-01 11:02:47 +01:00
Rasmus Lerchedahl Petersen
ecea392a08 python: rewrite qhelp overview 
(combining the Java version and the JS version)
 2022-02-01 10:47:18 +01:00
Rasmus Lerchedahl Petersen
26befebfc2 python: drop precision and add severity score 
Given both the original FP score and our concerns
regarding sanitizers, `@precision medium`, which
is aligned with other languages, feels appropriate.
 2022-02-01 10:34:36 +01:00
Jorge
a1f8acc9bb Merge branch 'github:main' into jorgectf/python/deserialization 2022-01-31 17:48:35 +01:00
Rasmus Lerchedahl Petersen
9d416664a1 python: modern change note 
I set the category to newQuery since that is what users will see.
When we have tags, it would be nice to tag it as a query promotion.
 2022-01-31 11:27:55 +01:00
Rasmus Lerchedahl Petersen
8b5114d10e python: Add standard customization setup 
- modernize the sanitizer, but do not make it less specific
 2022-01-31 11:27:55 +01:00
Rasmus Lerchedahl Petersen
20d54543fd python: move log injection out of experimental 
- move from custom concept `LogOutput` to standard concept `Logging`
- remove `Log.qll` from experimental frameworks
  - fold models into standard models (naively for now)
    - stdlib:
      - make Logger module public
      - broaden definition of instance
      - add `extra` keyword as possible source
   - flak: add app.logger as logger instance
   - django: `add django.utils.log.request_logger` as logger instance
     (should we add the rest?)
- remove LogOutput from experimental concepts
 2022-01-31 11:27:55 +01:00
Rasmus Lerchedahl Petersen
68d18ead34 python: add change note 2022-01-28 14:00:07 +01:00
Rasmus Lerchedahl Petersen
ab43f041c3 python: rename files 2022-01-28 11:00:17 +01:00
Rasmus Lerchedahl Petersen
4c3c4deb34 python: Move over query and tests 2022-01-28 09:19:11 +01:00