hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-02-11 20:51:06 +01:00
Code Issues Packages Projects Releases Wiki Activity
34,728 Commits 1,689 Branches 160 Tags
bb6969a1753e18f997cfde4e055efe5cc92a9856
Commit Graph

5286 Commits

Author SHA1 Message Date
Rasmus Wriedt Larsen
bb6969a175 Merge branch 'main' into promote-xxe 2022-04-20 13:42:02 +02:00
yoff
0c7130602a Merge pull request #8731 from RasmusWL/delete-old-readme 
Python: Delete old dataflow readme
 2022-04-20 10:36:12 +02:00
yoff
a66153d73e Merge pull request #8733 from RasmusWL/split-dataflow-private 
Python: Split `DataFlowPrivate`
 2022-04-20 10:21:05 +02:00
Mathias Vorreiter Pedersen
91b413d59f Dataflow: Sync identical files. 2022-04-19 09:57:21 +01:00
Rasmus Wriedt Larsen
a271e17f04 Python: Move dataflow call-graph to new qll file 
Seems like all other languages use a file called `DataFlowDispatch`. I
want to introduce a setup where we have (old) points-to based approach
in one file, and can develop a type-tracking based approach in another
file, so that's the reason for the naming differing slightly.

For which predicates go in which files, I have taken mostly inspiration
from C# and Ruby.
 2022-04-13 15:56:57 +02:00
Rasmus Wriedt Larsen
3d15205084 Python: Autoformat 2022-04-13 15:36:16 +02:00
Rasmus Wriedt Larsen
ded4e9250c Python: Move IterableUnpacking to own file 2022-04-13 15:36:05 +02:00
Rasmus Wriedt Larsen
c740894408 Python: Move MatchUnpacking to own file 
I had hoped that git would be able to see this as a rename, and
therefore I haven't done autoformat
 2022-04-13 15:36:05 +02:00
Rasmus Wriedt Larsen
2e60172bfa Python: Delete old dataflow readme 2022-04-13 12:09:38 +02:00
Taus
626770aaab Merge pull request #8004 from ahmed-farid-dev/ZipSlip 
Add query to detect ZipSlip
 2022-04-08 23:55:02 +02:00
Taus
3d14c5f3c3 Python: Update tests 
We need to import `tty` in order to be able to detect the standard library correctly.
 2022-04-08 23:20:47 +02:00
Taus
ab81247b7c Python: Fix modelling in ZipSlip.qll 
- Remove use of points-to.
- Exclude sources and sinks in the standard library (to prevent test brittleness).
 2022-04-08 23:19:41 +02:00
Taus
57beeaada0 Python: Fix name clash in CopyFile.qll 2022-04-08 23:18:03 +02:00
Taus
e1371151f9 Python: Autoformat Concepts.qll 2022-04-08 23:16:41 +02:00
Taus
8521f9a008 Python: Autoformat ZipSlip.ql 2022-04-08 23:13:38 +02:00
Taus
4b580820c8 Python: Fix broken QHelp 2022-04-08 23:12:46 +02:00
Edoardo Pirovano
f25618eed6 Bump minor version of all packs 2022-04-08 15:38:58 +01:00
Edoardo Pirovano
ce82c54b94 Merge branch 'main' into edoardo/3.5-mergeback 2022-04-08 15:30:58 +01:00
Rasmus Wriedt Larsen
517444b5ff Python: Fix SimpleXmlRpcServer.expected 2022-04-07 16:42:40 +02:00
Rasmus Wriedt Larsen
8191be9d75 Python: Move last XXE/XML bomb out of experimental 2022-04-07 15:37:56 +02:00
Rasmus Wriedt Larsen
405480c410 Python: Rename sink definitions for XXE/XML bomb 2022-04-07 15:37:56 +02:00
Anders Schack-Mulligen
4eaec3953a Merge pull request #8694 from aschackmull/dataflow/cleanup-unused 
Dataflow: Cleanup unused column
 2022-04-07 15:16:27 +02:00
Anders Schack-Mulligen
7beed570f2 Dataflow: Sync. 2022-04-07 13:53:48 +02:00
Rasmus Wriedt Larsen
7728b6cf1b Python: Change XmlBomb vulnerability kind 2022-04-07 10:56:35 +02:00
Rasmus Wriedt Larsen
f2f0873d91 Python: Use new API::CallNode for XML constant check 
This also means that the detection of the values passed to these keyword
arguments will no longer just be from a local scope, but can also be
across function boundaries.
 2022-04-06 15:49:06 +02:00
Rasmus Wriedt Larsen
c784f15762 Python: Rename more XML classes to follow convention 
- `XMLEtree` to `XmlEtree`
- `XMLSax` to `XmlSax`
- `LXML` to `Lxml`
- `XMLParser` to `XmlParser`
 2022-04-06 15:44:54 +02:00
Rasmus Wriedt Larsen
f8f41428df Python: Minor refactor for FlaskViewClass 2022-04-06 15:15:42 +02:00
Rasmus Wriedt Larsen
1c2323eb85 Python: Refactor how we find a Class from API::Node 
Using `getAnImmediateUse` might give better performance than `getAUse`.

Since all the changed code is about `API::Node`s that are found after
doing `.getASubclass*()`, this change is OK.

It's also nice to align how we actually do this.
 2022-04-06 15:12:24 +02:00
Rasmus Wriedt Larsen
23637fd691 Merge branch 'main' into promote-xxe 2022-04-06 12:56:31 +02:00
Rasmus Wriedt Larsen
b99767ef52 Merge pull request #8668 from RasmusWL/use-instanceof 
Python: Rewrite concepts to use `extends ... instanceof ...`
 2022-04-06 12:09:12 +02:00
Rasmus Wriedt Larsen
4d2a3b38d2 Merge pull request #8511 from RasmusWL/use-query-suffix 
Python: Use `Query.qll` suffix for dataflow configuration definitions
 2022-04-06 11:59:29 +02:00
Ahmed Farid
29f69bde75 Update zipslip_bad.py 2022-04-05 12:46:51 +00:00
Ahmed Farid
dfe7f532ac Update CopyFile.qll 2022-04-05 12:42:05 +00:00
Ahmed Farid
0d6d07886b Rename Zip.qll to CopyFile.qll 2022-04-05 12:37:14 +00:00
Ahmed Farid
8882bc1533 Update Frameworks.qll 2022-04-05 12:32:10 +00:00
Ahmed Farid
68bfe38529 Update Zip.qll 2022-04-05 12:31:30 +00:00
Rasmus Wriedt Larsen
5b96db26b3 Python: Rewrite concepts to use extends ... instanceof ... 
This solved performance problems experienced in
https://github.com/github/codeql/pull/8634, and this commit+PR is to
ensure we get this change in as fast as possible.
 2022-04-05 12:34:15 +02:00
Rasmus Wriedt Larsen
b7f56dd17e Python: Rewrite concepts to use extends ... instanceof ... 
This caused compilation time for `ConceptsTest.ql` to go from 1m24s to
7s
 2022-04-05 12:31:09 +02:00
Rasmus Wriedt Larsen
a7dab53ed2 Python: Add change-note 2022-04-05 11:46:49 +02:00
Rasmus Wriedt Larsen
1f285b8983 Python: Rename to XmlParsingVulnerabilityKind 
To keep up with style guide
 2022-04-05 11:07:12 +02:00
Rasmus Wriedt Larsen
ab59d5c786 Python: Rename to XmlParsing 
To follow our style guide
 2022-04-05 11:06:22 +02:00
Tom Hvitved
50dc3820c6 Merge pull request #8589 from hvitved/regex/speedup-concretise 2022-04-03 17:56:07 +02:00
github-actions[bot]
6af568b16d Post-release preparation for codeql-cli-2.8.5 2022-04-01 16:22:14 +00:00
Chris Smowton
3119885a9b Merge pull request #8638 from smowton/smowton/docs/additional-flow-step-description 
Improve wording of isAdditionalFlow/TaintStep qldoc
 2022-04-01 16:41:04 +01:00
Chris Smowton
28fa49dcd6 dataflow -> data-flow 2022-04-01 13:22:58 +01:00
Rasmus Wriedt Larsen
ba011fb13f Merge pull request #8601 from zbazztian/recognize-flask-named-body-param 
Python: Flask: Identify body contents passed via named response parameter in invocations of Response constructor
 2022-04-01 14:19:28 +02:00
Sebastian Bauersfeld
504e7e4a55 Update python/ql/lib/change-notes/2022-03-30-flask-recognize-body-param.md 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2022-04-01 18:41:27 +07:00
Erik Krogh Kristensen
eae2a6af36 update expected output for Locations.ql 2022-04-01 12:58:00 +02:00
Erik Krogh Kristensen
ed7e1206ff rename isBeforeCode to isCommentAfterCode 2022-04-01 12:55:00 +02:00
github-actions[bot]
ee746d20df Release preparation for version 2.8.5 2022-04-01 10:39:31 +00:00