hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-01-23 19:32:59 +01:00
Code Issues Packages Projects Releases Wiki Activity
61,403 Commits 1,686 Branches 158 Tags
ba0f3cf71884c8addb771c462a40cd06a63a4c71
Commit Graph

520 Commits

Author SHA1 Message Date
Rasmus Wriedt Larsen
4e0cca9a41 Merge pull request #14353 from GeekMasher/py-restframework 
Python: support `*args` and `**kwargs` in request handlers
 2023-11-23 14:04:36 +01:00
Rasmus Wriedt Larsen
d056706af5 Merge pull request #14725 from RasmusWL/re-modeling 
Python: Add taint-flow modeling for `re` module
 2023-11-23 11:35:36 +01:00
Rasmus Wriedt Larsen
a0867b4f66 Python: More HTTP request handler *args/**kwargs modeling 
I looked through all `override Parameter getARoutedParameter() {` in our
codebase, and we now modeling *args/**kwargs for all of them 👍
 2023-11-21 16:02:40 +01:00
Rasmus Wriedt Larsen
1bc8a6de61 Python: Fixup mistaken modelling 2023-11-21 13:46:23 +01:00
Rasmus Wriedt Larsen
36a846ee32 Python: Fix django regex path handling 2023-11-21 13:08:45 +01:00
Rasmus Wriedt Larsen
5f26790b90 Merge branch 'main' into py-restframework 2023-11-21 11:57:48 +01:00
Rasmus Wriedt Larsen
df144f3a1e Merge pull request #14406 from amammad/amammad-python-FileSystemAccess 
Python: New FileSystem Access
 2023-11-16 10:25:34 +01:00
Rasmus Wriedt Larsen
e1c47f5584 Python: Reorganize taint tests of re 
Mostly to highlight that with flow-summary modeling, we don't expect
taint for a lot of these.

I aslo opted to make `finditer()` tainted for consistency.
 2023-11-13 10:56:29 +01:00
Rasmus Wriedt Larsen
c85d99d949 Merge branch 'main' into re-modeling 2023-11-10 16:32:50 +01:00
Rasmus Wriedt Larsen
4943fc5a57 Python: Model taint from re.<func> calls 2023-11-08 17:18:40 +01:00
Rasmus Wriedt Larsen
851c30e797 Python: Add taint modeling of re.Match objects 2023-11-08 17:18:09 +01:00
Rasmus Wriedt Larsen
43d9d2ceb7 Merge pull request #14603 from github/max-schaefer/broken-crypto-algorithm-link 
JavaScript/Python/Ruby: Improve alert message for `*/weak-cryptographic-algorithm`.
 2023-11-08 14:29:24 +01:00
amammad
ad756d59c8 put new frameworks in Frameworks.qll and fix some mistakes of Baize 2023-11-06 19:17:50 +01:00
amammad
637c52d10a separate each new FileSystemAccess packages. 2023-11-06 19:03:55 +01:00
Rasmus Wriedt Larsen
92b13c4259 Merge branch 'main' into amammad-python-FileSystemAccess 2023-11-06 11:30:09 +01:00
Harry Maclean
083be305e1 Shared: Add neutralModel extensible predicate 
The neutralModel extensible predicate already exists in Java and C#, so
this change brings the dynamic languages more in line with static
languages. The Model Editor uses this predicate to mark endpoints as
"not interesting" from a data flow perspective.
 2023-10-30 11:31:57 +00:00
Max Schaefer
3939167ba2 Include more details in the message for py/weak-cryptographic-algorithm. 
Specifically, we add a link to the location where the cryptographic algorithm is configured, which can be far away from its use.
 2023-10-26 11:28:09 +01:00
Rasmus Wriedt Larsen
e8f548ab52 Python: Model routed parameter flow to *args and **kwargs in Django + rest framework 2023-10-23 17:18:22 +02:00
amammad
1fe565a46f cherrypy framework file system access Sinks are added 2023-10-21 19:47:30 +02:00
Mathew Payne
a24e168ec0 Merge branch 'main' into py-restframework 2023-10-20 11:39:07 +01:00
Rasmus Wriedt Larsen
2d947a4f53 Merge pull request #13781 from maikypedia/maikypedia/python-unsafe-deserialization 
Python: Add unsafe deserialization sinks (CWE-502)
 2023-10-10 13:30:38 +02:00
erik-krogh
194f918c0b Python: delete various outdated deprecations 2023-10-09 09:14:55 +02:00
amammad
ad2631202d fix comments 2023-10-08 21:32:04 +02:00
amammad
6c8cc79b4d v1 2023-10-08 21:24:54 +02:00
Mathew Payne
3ab5fd5ca4 Add RestFramework handler kwargs 2023-10-02 14:58:21 +01:00
Mathew Payne
eb9b32473e Add support for ModelViewSet functions 2023-09-29 14:26:39 +01:00
yoff
dbecb1bd0f Merge pull request #14070 from yoff/python/promote-nosql-query 
Python: promote nosql query
 2023-09-29 14:21:22 +02:00
Rasmus Wriedt Larsen
9b73bbfc31 Python: Add keyword argument support 
and a fair bit of refactoring
 2023-09-29 13:54:21 +02:00
Rasmus Lerchedahl Petersen
e1708054a4 Python: fix QL alert 2023-09-29 12:06:51 +02:00
Rasmus Lerchedahl Petersen
2d845e3e55 Python: nicer paths 
turn "the long jump" that would end up
straight at the argument into a short jump
that ends up at the dictionary being written to.
Dataflow takes care of the rest of the path.
 2023-09-29 12:02:16 +02:00
yoff
2e028a41ee Apply suggestions from code review 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2023-09-29 11:32:51 +02:00
Rasmus Lerchedahl Petersen
2a7b593285 Python: Fix QL alerts 2023-09-28 13:35:29 +02:00
Rasmus Lerchedahl Petersen
eb1be08bce Python: split modelling 2023-09-28 12:54:06 +02:00
Rasmus Lerchedahl Petersen
2a739b3b7a Python: rename module 2023-09-28 12:54:05 +02:00
Rasmus Lerchedahl Petersen
9682c8218a Python: rename file 2023-09-28 12:54:05 +02:00
yoff
c2b63830f1 Apply suggestions from code review 
Claim conversions do not execute inputs in order to remove interaction with `py/unsafe-deserialization`.

Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2023-09-28 12:40:37 +02:00
Rasmus Wriedt Larsen
05ab28f11d autoformat 2023-09-25 10:35:18 +02:00
Rasmus Wriedt Larsen
db7b1eea55 Merge branch 'main' into maikypedia/python-unsafe-deserialization 2023-09-25 10:29:18 +02:00
Rasmus Wriedt Larsen
56d99fbd8a Add numpy reference 2023-09-25 10:24:53 +02:00
Rasmus Wriedt Larsen
d1caa75053 Python: Fix format for pandas.read_pickle 2023-09-25 10:24:27 +02:00
Rasmus Lerchedahl Petersen
12dab88ec7 Python: rename concept 
`NoSqlQuery` -> `NoSqlExecution`
 2023-09-20 15:49:35 +02:00
Rasmus Lerchedahl Petersen
4ec8b3f02f Python: Model map_reduce 2023-09-20 15:44:12 +02:00
Rasmus Lerchedahl Petersen
30c37ca8cb Python: model §accumulator 
also slightly rearrange the modelling
 2023-09-19 22:21:14 +02:00
Rasmus Wriedt Larsen
ad1743ecde Python: Modernize modeling of BaseHTTPRequestHandler 2023-09-18 14:13:27 +02:00
Maiky
1764aa0caf Fixing NumpyLoadCall 2023-09-17 19:44:48 +02:00
Maiky
8254d0dd10 Naming error 
Co-authored-by: Jorge <46056498+jorgectf@users.noreply.github.com>
 2023-09-17 18:53:48 +02:00
Maiky
70103967ef Doc changes 
Co-authored-by: Jorge <46056498+jorgectf@users.noreply.github.com>
 2023-09-17 18:47:19 +02:00
Maiky
cada523031 Remove unnecessary import 
Co-authored-by: Jorge <46056498+jorgectf@users.noreply.github.com>
 2023-09-17 18:46:13 +02:00
Erik Krogh Kristensen
cd5973764b Merge pull request #14112 from erik-krogh/pyAllowedHosts 
Py: add sanitizer guard for `url_has_allowed_host_and_scheme`
 2023-09-13 12:59:38 +02:00
Rasmus Wriedt Larsen
f62c4108ef Python: Move url_has_allowed_host_and_scheme to Django.qll 2023-09-13 11:55:44 +02:00