hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-02-22 01:43:41 +01:00
Code Issues Packages Projects Releases Wiki Activity
64,787 Commits 1,692 Branches 161 Tags
bc745dfd5eea4e87a3d29bc745bea7cb815ba6b2
Commit Graph

1426 Commits

Author SHA1 Message Date
ALJI Mohamed
25a7fcffc0 Add an additional taint step 2022-10-19 16:01:34 +01:00
ALJI Mohamed
d6fa745279 Add TarSlip Improv query 2022-10-19 14:01:40 +01:00
Taus
f5b2eb94a6 Merge pull request #10783 from yoff/python/subscript-nodes 
Python: API graph improvements for subscripts
 2022-10-17 15:21:56 +02:00
Josh Soref
ad7dc81bdc spelling: sanitize 
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
 2022-10-13 11:21:09 -04:00
Josh Soref
24f847a58c spelling: representing 
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
 2022-10-13 11:21:09 -04:00
Rasmus Lerchedahl Petersen
db616a526a python: rewrite models using subscripts 
more rewrites could be done to these models
for instance, I think the extra taint configuration could be removed,
but here I just wanted to illustrate the benefits of the new API graph.
 2022-10-12 20:15:49 +02:00
Rasmus Lerchedahl Petersen
0b8e908823 Python: fix def nodes for subscript 
We were using `getMember` for dictionaries, these are now getIndex
Also add convenience predicate for string keys
 2022-10-12 20:13:48 +02:00
Jeroen Ketema
d389a183f0 Merge pull request #10743 from jsoref/spelling 
Spelling
 2022-10-12 12:48:22 +02:00
erik-krogh
4da0508dae Merge branch 'main' into py-last-msg 2022-10-11 10:49:19 +02:00
Josh Soref
704aba8c1c spelling: necessitates 
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
 2022-10-11 03:59:17 -04:00
Rasmus Wriedt Larsen
4b1f6f0865 Merge pull request #10629 from RasmusWL/fix-flask-source 
Python: Fix flask request modeling
 2022-10-10 09:56:22 +02:00
erik-krogh
6fdfd40880 changes to address reviews 2022-10-07 22:31:00 +02:00
erik-krogh
944ca4a0da fix some more style-guide violations in the alert-messages 2022-10-07 11:23:34 +02:00
Rasmus Wriedt Larsen
d7be27a1c0 Python: Fix experimental py/ip-address-spoofing 
I realized the modeling was done in a non-recommended way, so I changed
the modeling. It was very nice that I could use API graphs for the flask
part, and a little sad when I couldn't for Django/Tornado.
 2022-10-03 21:19:30 +02:00
CodeQL CI
b66e5c5aee Merge pull request #10634 from yoff/python/rewrite-typetrackers 
Approved by tausbn
 2022-09-30 03:55:35 -07:00
Rasmus Lerchedahl Petersen
84ab860600 python: rewrite type tracker for ldap operations 
There are several other clean ups I would like to do in this file,
but this can wait until we promote the query.
 2022-09-29 20:32:19 +02:00
Rasmus Lerchedahl Petersen
63ee51a4e2 Python: inline mongoCollectionMethod 2022-09-28 11:40:06 +02:00
Rasmus Lerchedahl Petersen
441fc1bb28 Python: type trackers to API graph 
base on new subscript in the API graph

There are a few more uses of type tracking
through `SubscriptNode`s, but these start
from an instance given by a data flow node.
 2022-09-26 15:05:50 +02:00
Rasmus Lerchedahl Petersen
9b1ec03d70 Python: type tracking to API graph 
using the new subscript node
 2022-09-26 13:39:59 +02:00
erik-krogh
26d8553f6e ensure consistent casing of names 2022-09-09 10:34:14 +02:00
Ahmed Farid
64bb022adf Add www-authenticate to sensitiveheaders() 2022-09-07 11:12:53 +01:00
Ahmed Farid
23871b3f5a Update Concepts.qll 2022-09-05 18:26:56 +01:00
Ahmed Farid
f84331f5a5 Provides classes for modeling HTTP Header APIs 2022-09-05 00:53:10 +01:00
Ahmed Farid
94b91536f9 Replacing getParameter by getArg and getArgByName 2022-09-03 14:05:07 +01:00
Ahmed Farid
a50c226ca9 Autoformat 2022-09-03 12:10:55 +01:00
Ahmed Farid
0fd684cde8 Add more source of crypto call 2022-08-31 17:13:43 +01:00
Ahmed Farid
cf83b07aae Add more source of crypto call 2022-08-31 17:04:02 +01:00
Ahmed Farid
daff7775ca Update TimingAttack.qll 2022-08-31 16:09:22 +01:00
Ahmed Farid
a42cb20b86 Update TimingAttack.qll 2022-08-31 16:07:58 +01:00
Ahmed Farid
13d1a4fdc1 Update TimingAttackAgainstHeaderValue.ql 2022-08-31 12:46:17 +01:00
Ahmed Farid
12960fd00f Update TimingAttack.qll 2022-08-31 12:39:46 +01:00
Ahmed Farid
f2688c4a02 Update select statement 2022-08-31 12:39:00 +01:00
Ahmed Farid
275ed0d6e5 Update select statement 2022-08-31 12:37:36 +01:00
Ahmed Farid
740bf716cb Update TimingAttack.qll 2022-08-31 12:22:01 +01:00
Ahmed Farid
ca28d79541 Prevent crosstalk between the configurations 2022-08-31 11:15:39 +01:00
Ahmed Farid
133a3c19f0 Add more source of crypto call 2022-08-31 11:09:24 +01:00
Ahmed Farid
23f268f3b9 Import Django and Flask model 2022-08-30 16:39:40 +01:00
Ahmed Farid
de58d0f024 Update the subclasses of ClientSuppliedSecret class 2022-08-30 16:34:43 +01:00
Ahmed Farid
0177cd810e Update suspicious() 2022-08-30 13:58:54 +01:00
Ahmed Farid
9995e91bb7 Update the name of the class (and its subclasses) 2022-08-29 18:57:56 +01:00
Ahmed Farid
b2551a5581 Update the name of the class (and its subclasses) 2022-08-29 18:30:43 +01:00
Ahmed Farid
baa0fd4148 Convert %UserPass% word to lowercase 2022-08-29 18:25:26 +01:00
Ahmed Farid
141b65fea8 Fix typo 2022-08-29 18:18:19 +01:00
Ahmed Farid
199e3d9462 Rename the query ID 2022-08-29 18:13:45 +01:00
Ahmed Farid
66fb420d00 Update PossibleTimingAttackAgainstHash.ql 2022-08-29 18:08:09 +01:00
erik-krogh
cc7a9ef97a rename more acronyms 2022-08-25 20:52:27 +02:00
Ahmed Farid
93257be913 Add Werkzeug source 2022-08-23 12:51:48 +01:00
Ahmed Farid
ee05e2ca76 add x-gitlab-token to sensitive headers 2022-08-23 12:27:20 +01:00
erik-krogh
28083ebe09 run the implicit-this patch 2022-08-22 21:23:31 +02:00
erik-krogh
e89e0eb7fb make some acronyms camelCase 2022-08-22 21:22:35 +02:00