hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-24 20:56:33 +01:00
Code Issues Packages Projects Releases Wiki Activity
63,998 Commits 1,673 Branches 157 Tags
bbdf97e8f3acb64be15ca59a3ae3366cd6fc8cd5
Commit Graph

8093 Commits

Author SHA1 Message Date
Dilan Bhalla
87fd2fc067 upgrading to 2.16.3, resolving zipslip merge conflict 2024-02-22 15:24:05 -08:00
github-actions[bot]
6d061fbc35 Release preparation for version 2.16.3 2024-02-20 14:26:23 +00:00
amammad
09d8a75844 Fix QLDoc issues 2024-02-14 23:31:22 +04:00
Rasmus Wriedt Larsen
eb401a205d Python: Fix test exclusion for stdlib Python 3.12 2024-02-14 16:53:19 +01:00
Rasmus Wriedt Larsen
59014787a1 Python: Fix DataflowQueryTest 
You're only allowed to have `result=OK` if there is a sink on that line...
 2024-02-14 15:44:40 +01:00
Rasmus Wriedt Larsen
cd596f5d05 Python: Reformat test-file 
All those newlines are not good for inline expectations
 2024-02-14 15:44:06 +01:00
Rasmus Wriedt Larsen
e5bd633028 Python: Change name/id to Decompression Bomb 
The old title/id matches how we used to write queries, but I think just
using the normal conversational name is easier for everyone :)
 2024-02-14 14:54:25 +01:00
Rasmus Wriedt Larsen
69c8ef9898 Python: Use dataflow instead of taint-tracking 2024-02-14 14:52:37 +01:00
Rasmus Wriedt Larsen
ba7dd38fc9 Python: Delete duplicated file 2024-02-14 14:48:37 +01:00
Rasmus Wriedt Larsen
9ae3ea81ff Python: Remove spurious results in stdlib 2024-02-14 14:47:28 +01:00
Rasmus Wriedt Larsen
d8fd457310 Python: Use helper predicate 
Since the helper predicate had nice qldocs
 2024-02-14 14:47:28 +01:00
Rasmus Wriedt Larsen
e7772f1062 Python: Use Unit class 2024-02-14 14:47:28 +01:00
Rasmus Wriedt Larsen
ad39b8c68b Python: Accept .expected changes 2024-02-14 14:46:33 +01:00
Rasmus Wriedt Larsen
9399258e3b Merge branch 'main' into amammad-python-bombs 2024-02-14 13:37:59 +01:00
Dilan
50dad18134 Merge tag 'codeql-cli/latest' 
Compatible with the latest released version of the CodeQL CLI
 2024-02-12 18:59:04 +00:00
Rasmus Wriedt Larsen
cbb9a64bbb Merge pull request #15457 from RasmusWL/psycopg 
Python: Model the `psycopg` package
 2024-02-12 15:59:16 +01:00
Tom Hvitved
1ea7717714 Capture flow: Take overwrites in nested scopes into account 2024-02-09 14:49:23 +01:00
Anders Schack-Mulligen
088a0a54ba Python: Add empty provenance column to expected files. 2024-02-09 11:32:08 +01:00
Anders Schack-Mulligen
817aa7655f Python: Remove redundant IncludePostUpdateFlow and PhaseDependentFlow application. 2024-02-09 11:32:08 +01:00
Josh Brown
df915dc60c Merge commit '737dd9d4c1' into jb1/lib/dataflowstack 2024-02-08 08:18:04 -08:00
github-actions[bot]
36f01ff31a Release preparation for version 2.16.2 2024-02-08 15:25:24 +00:00
Dave Bartolomeo
a58dd45d0b Revert "Merge pull request #15522 from github/release-prep/2.16.2" 
This reverts commit c4c8cd6b34, reversing
changes made to 525f27173d.
 2024-02-08 09:28:34 -05:00
Dave Bartolomeo
92bd550c55 Merge pull request #15531 from github/post-release-prep/codeql-cli-2.16.2 
Post-release preparation for codeql-cli-2.16.2
 2024-02-08 05:58:17 -08:00
github-actions[bot]
b5139078d0 Post-release preparation for codeql-cli-2.16.2 2024-02-06 19:22:35 +00:00
github-actions[bot]
c1b35fbf47 Release preparation for version 2.16.2 2024-02-05 17:58:57 +00:00
James Ockers
9f7f9fcc6e Updating change-notes to reflect what will be the visible change to end users 2024-02-02 11:38:17 -08:00
James Ockers
0f1e21aa09 Adding per-language change-notes 2024-01-30 17:28:34 -08:00
James Ockers
eb5e0123d6 exclude certification from maybeCertificate() regexes 2024-01-30 13:16:18 -08:00
Sid Shankar
f557110d9b Merge pull request #15465 from sidshank/sidshank/rename-file-name-for-extracted-files-diagnostic 
JS/TS/Python/Ruby: Renames diagnostic query files and tests
 2024-01-30 10:19:00 -05:00
Rasmus Wriedt Larsen
c265c15f3f Merge pull request #15398 from RasmusWL/html-escape 
Python: Add `html.escape` as HTML sanitizer
 2024-01-30 16:06:01 +01:00
Rasmus Wriedt Larsen
c70b32f7eb Python: Require quote escaping for html.escape 2024-01-30 12:17:01 +01:00
Josh Brown
3056e8cdab Remove getNode as required interface 2024-01-29 16:15:57 -08:00
Josh Brown
2314d3be16 stubs 2024-01-29 16:14:20 -08:00
Sid Shankar
b1d7a635f5 Renames diagnostic query files and tests 
This commit renames the files relating to the diagnostic query that produces information on the number of files extracted. The files have been renamed from "SuccessfullExtractedFiles.*" to "ExtractedFiles.*". All related tests and test files have been renamed too.

The `@tags` and `@id` attributes of the queries have been left untouched, consistent with the `@tags` and `@id` for similar queries in other languages.
 2024-01-29 20:19:20 +00:00
Rasmus Wriedt Larsen
5867fb3d29 Python: Add change-note 2024-01-29 14:30:20 +01:00
Rasmus Wriedt Larsen
3f0dc2b022 Python: Model the psycopg package 2024-01-29 14:30:20 +01:00
yoff
391ca5d8a6 Merge pull request #15390 from Marcono1234/marcono1234/python-ascii-regex-flag 2024-01-29 14:27:50 +01:00
Marcono1234
1ad08efe08 Python: Support a (ASCII) inline regex flag 2024-01-26 22:18:49 +01:00
Henry Mercer
10343dd822 Merge pull request #15416 from github/post-release-prep/codeql-cli-2.16.1 
Post-release preparation for codeql-cli-2.16.1
 2024-01-25 14:15:25 +00:00
yoff
930f1b50b9 Merge pull request #15397 from github/tausbn/python-fix-deepcopy-mutable-default-fp 
Python: Fix `deepcopy` mutable default FP
 2024-01-25 10:32:58 +01:00
Taus
96b1b8e402 Python: Remove empty lines from test file 2024-01-24 12:31:23 +00:00
github-actions[bot]
d0b74c00fe Post-release preparation for codeql-cli-2.16.1 2024-01-23 23:02:29 +00:00
github-actions[bot]
7ef611e6dc Release preparation for version 2.16.1 2024-01-23 19:45:16 +00:00
Erik Krogh Kristensen
f1d6f56621 Merge pull request #15393 from erik-krogh/deps-jan-2024 
All: delete outdated deprecations
 2024-01-23 13:52:38 +01:00
erik-krogh
865df920f9 add change-notes 2024-01-22 19:30:57 +01:00
Rasmus Wriedt Larsen
00dc55d825 Python: Add change-note 2024-01-22 17:32:33 +01:00
Rasmus Wriedt Larsen
cbed6e861d Python: Add html.escape as HTML sanitizer 2024-01-22 17:32:28 +01:00
Taus
d6d59377d3 Python: Fix flow through deepcopy 
Or, more generally, any copy step, as these presumably do not preserve
object identity.

(Arguably, `copy` could still be susceptible to interior mutability, but
I think that's outside the scope of this query anyway.)
 2024-01-22 15:40:30 +00:00
Taus
14c958ac4d Python: Remove mutable default sources from inside stdlib 2024-01-22 15:23:52 +00:00
Taus
411c107660 Python: Add tests for deepcopy FPs 
There are two issues with `deepcopy` here. Firstly, the `deepcopy` function itself
has a mutable default value in its parameter `_nil` (set to the empty list by default).

Now, this value is never actually returned from `deepcopy`, as it is only used as a
sentinel, but our analysis is not clever enough to see this. Thus, it thinks that this
mutable default is returned, and hence the result of any call to `deepcopy` is a
potential source.

To remedy this, I opted to simply exclude all sources that originate from within the
standard library. It is very unlikely for any of the sources in the standard library
to be legit.

Secondly, `deepcopy` -- by virtue of being a function that we model as preserving
values -- admits data-flow through its calls, but this is not correct for the mutable
default query, as it is here the _identity_ of the default value in question that is
important. Thus, we get spurious flow through `deepcopy` for this specific query.
 2024-01-22 15:21:57 +00:00