hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-20 18:56:32 +01:00
Code Issues Packages Projects Releases Wiki Activity
48,255 Commits 1,672 Branches 157 Tags
bbce52535a84e38ffd8fc1036fbcdf7a758c935e
Commit Graph

2890 Commits

Author SHA1 Message Date
Rasmus Wriedt Larsen
d684dbdf5c Merge pull request #10656 from porcupineyhairs/PyPamImprove 
Python: Improve the PAM authentication bypass query
 2022-12-08 11:59:10 +01:00
Jami
5e694b5983 Merge pull request #11192 from jcogs33/jcogs33/share-key-sizes 
Share encryption key sizes between Java and Python
 2022-12-07 08:08:24 -05:00
Tom Hvitved
b5e2e1e469 Merge pull request #11564 from hvitved/dataflow/parameter-position-consistency-checks 
Data flow: Add consistency checks for parameter positions
 2022-12-06 09:33:36 +01:00
Tom Hvitved
8f701cf1cb Python: Update expected test output 2022-12-05 14:33:06 +01:00
Asger F
2d578c1a73 Merge branch 'main' into merge-package-type-columns 2022-12-02 10:00:44 +01:00
Jami Cogswell
25f0a13e15 update python test cases 2022-12-01 11:56:44 -05:00
Rasmus Wriedt Larsen
544de5232c Python: Use ' instead of ` in select text 2022-11-29 14:47:45 +01:00
Rasmus Wriedt Larsen
4e67ec19d0 Python: Adjust alert text of py/pam-auth-bypass 2022-11-28 16:14:38 +01:00
Rasmus Wriedt Larsen
f8442ccb0e Python: Adjust PAM Auth bypass test slightly 2022-11-28 16:08:44 +01:00
Rasmus Wriedt Larsen
fef06679e5 Python: Remove options file for PAM Auth Bypass 
Should not be needed
 2022-11-28 16:03:32 +01:00
Rasmus Wriedt Larsen
479a9e4156 Python: Update .expected 2022-11-28 16:01:42 +01:00
Rasmus Lerchedahl Petersen
91198524cd Python: port py/super-not-enclosing-class 2022-11-23 14:37:45 +01:00
Asger F
1c910550e6 Python: merge package/type columns 2022-11-23 11:17:42 +01:00
Rasmus Wriedt Larsen
5866af413f Merge pull request #11347 from tausbn/python-clean-up-import-resolution 
Python: Add change note for module resolution
 2022-11-22 15:28:38 +01:00
Rasmus Wriedt Larsen
04a68f8d52 Merge pull request #11372 from RasmusWL/getpass 
Python: Model `getpass.getpass` as source of passwords
 2022-11-22 14:49:04 +01:00
Rasmus Wriedt Larsen
9195b73d84 Python: Model getpass.getpass as source of passwords 2022-11-22 14:11:52 +01:00
Rasmus Wriedt Larsen
80e71b202a Python: Cleartext queires: Remove flow from getpass.py 2022-11-22 14:08:00 +01:00
Rasmus Wriedt Larsen
9342e3ba76 Python: Enable new test 
But look at all those elements from getpass.py implementation :(
 2022-11-22 13:59:59 +01:00
Rasmus Wriedt Larsen
e01df3ea7c Python: Prepare for new test 
.expected line changes 😠
 2022-11-22 13:52:50 +01:00
Rasmus Wriedt Larsen
1b30cf8eca Merge branch 'main' into call-graph-tests 2022-11-22 13:39:27 +01:00
Rasmus Wriedt Larsen
84faf49bf0 Python: Add tests for compound arguments field flow 2022-11-22 11:29:00 +01:00
Rasmus Wriedt Larsen
d876acde4c Python: Fix SINK/SINK_F usage for crosstalk tests 
As discussed in PR review
https://github.com/github/codeql/pull/11208#discussion_r1022473421
 2022-11-22 11:29:00 +01:00
Taus
f12e15b46b Python: Fix implicit this warnings 2022-11-21 15:23:13 +00:00
Taus
a385e87273 Python: Add change note for module resolution 
Also adapts the version-specific tests to support results specific to
Python 2 (though at the moment there are no such tests).
 2022-11-21 14:29:39 +00:00
Porcupiney Hairs
db231a111c Python : Improve the PAM authentication bypass query 
The current PAM auth bypass query which was contributed by me a few months back, alert on a vulenrable function but does not check if the function is actually function. This leads to a lot of fasle positives.

With this PR, I add a taint-tracking configuration to check if the username parameter can actually be supplied by an attacker.

This should bring the FP's significantly down.
 2022-11-19 01:29:25 +05:30
Taus
e76ab8c78c Merge branch 'main' into python-clean-up-import-resolution 2022-11-17 22:47:50 +00:00
Taus
811426c586 Python: Remove manual magic entirely 
This was causing issues with imports with many "dots" in the name.

Previously, the test added in this commit would not have the desired
result for the `check` call.
 2022-11-17 14:15:55 +00:00
Taus
8ed8161d5c Python: Fix tests for Python 2 
This should make it so that the `prints3` tag is skipped when running
then Python 2 Language tests.
 2022-11-16 22:20:08 +00:00
Taus
81348049df Python: Fix missing module resolution 
This was due to bad manual magic: restricting the attribute name makes
sense when we're talking about submodules of a package, but it doesn't
when we're talking about reexported modules.

Also (hopefully) fixes the tests so that the Python 3-specific bits are
ignored under Python 2.
 2022-11-16 19:58:32 +00:00
Taus
19261ecfbf Python: Remove spurious module references 2022-11-16 18:19:54 +00:00
Taus
2717b9a47d Python: Extend import resolution tests 
Extends the tests to

1. Account parts of the test code that may be specific to Python 2 or 3,
2. Also track which arguments passed to `check` are references to
   modules.

The latter revealed a bunch of spurious results, which I have annotated
accordingly.
 2022-11-16 17:58:24 +00:00
Rasmus Wriedt Larsen
e886b53a94 Python: CallGraph tests: remove rest of old annotations 2022-11-15 11:16:10 +01:00
Rasmus Wriedt Larsen
98bf3adc72 Python: Add enclosing-callable test 2022-11-15 11:11:59 +01:00
Rasmus Wriedt Larsen
7ca32ee2b5 Python: Fieldflow: merge assignment tests 2022-11-15 11:11:59 +01:00
Erik Krogh Kristensen
d2857006cf Merge pull request #11247 from erik-krogh/py-redosMod 
Python: use the shared regex pack
 2022-11-14 21:10:43 +01:00
Taus
a8a7a59ae8 Python: Add test for attribute name clash 2022-11-11 14:47:35 +00:00
Taus
7f790432cc Python: More review suggestions 
I could have sworn I added all of them to the batch, but somehow these slipped through.

Co-authored-by: yoff <lerchedahl@gmail.com>
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2022-11-11 14:40:58 +01:00
Rasmus Wriedt Larsen
ab42521906 Python: Port CallGraph-implicit-init tests 
to the new call-graph test setup. Nice that we can write `MISSING:` now!
 2022-11-11 10:34:28 +01:00
Rasmus Wriedt Larsen
b60504f404 Python: Delete CallGraph-xfail 
No longer needed since we're using an established testing framework now
 2022-11-11 10:34:28 +01:00
Rasmus Wriedt Larsen
6d9745e5c3 Python: Rewrite call-graph tests to be inline expectation (2/2) 
I ported the predicates showing difference between points-to and
type-tracking, since it's helpful to see the list of differences,
instead of having to parse expectations!
 2022-11-11 10:34:28 +01:00
Rasmus Wriedt Larsen
88f703af1f DataFlow: Accept changes to .expected 2022-11-10 22:13:34 +01:00
Rasmus Wriedt Larsen
4caaa3a396 Python: Rewrite call-graph tests to be inline expectation (1/2) 
This adds inline expectations, next commit will remove old annotations
code... but I thought it would be easier to review like this.
 2022-11-10 21:08:29 +01:00
erik-krogh
618438642a update expected output of the queries (some sorting changed due to locations being used slightly differently in the shared pack) 2022-11-07 14:31:52 +01:00
erik-krogh
4f11e2d25f port the Python regex/redos queries to use the shared pack 2022-11-07 14:31:51 +01:00
Dave Bartolomeo
9d5e5e3ee7 ${workspace} all the things 2022-11-01 13:29:05 -04:00
Rasmus Wriedt Larsen
ead0844174 Merge pull request #10998 from RasmusWL/essa-use-use-test 
Python: Add failing ESSA use-use test
 2022-10-31 10:38:26 +01:00
Rasmus Wriedt Larsen
a04c78ab94 Python: Apply suggestions from code review 
Co-authored-by: yoff <lerchedahl@gmail.com>
 2022-10-28 15:31:42 +02:00
Rasmus Wriedt Larsen
e8fdff7a3b Python: Expand ExternalAPIs test 
We never had a showcase of how keyword arguments were handled
 2022-10-28 09:38:02 +02:00
Rasmus Wriedt Larsen
6577281bed Python: Add crosstalk fieldflow test 2022-10-28 09:31:16 +02:00
Rasmus Wriedt Larsen
c1b2561598 Python: Extend fieldflow tests with bound method call 2022-10-28 09:31:16 +02:00