Commit Graph

506 Commits

Author SHA1 Message Date
Rasmus Wriedt Larsen
bfcc194b85 Python: Move experimental paramiko to new dataflow API 2023-08-28 15:31:08 +02:00
Rasmus Wriedt Larsen
acd0f2a8fb Python: Move experimental LDAPInsecureAuth to new dataflow API 2023-08-28 15:31:08 +02:00
Rasmus Wriedt Larsen
c6911c2ae0 Python: Move experimental UnicodeBypassValidation to new dataflow API 2023-08-28 15:31:08 +02:00
Rasmus Wriedt Larsen
2c06394bf3 Python: Move experimental CookieInjection to new dataflow API 2023-08-28 15:31:08 +02:00
Rasmus Wriedt Larsen
2c412707ab Python: Move experimental CsvInjection to new dataflow API 2023-08-28 15:31:08 +02:00
Rasmus Wriedt Larsen
ace1e23c21 Python: Move experimental ClientSuppliedIpUsedInSecurityCheck to new dataflow API 2023-08-28 15:31:08 +02:00
Rasmus Wriedt Larsen
d948e103fa Python: Move experimental HeaderInjection to new dataflow API 2023-08-28 15:31:08 +02:00
Rasmus Wriedt Larsen
53e57dad5c Python: Move experimental InsecureRandomness to new dataflow API 2023-08-28 15:31:08 +02:00
Rasmus Wriedt Larsen
3bf2705668 Python: Move experimental TimingAttackAgainstHeaderValue to new dataflow API 2023-08-28 15:31:08 +02:00
Rasmus Wriedt Larsen
c88a0ccb7c Python: Move experimental TimingAttackAgainstHash to new dataflow API 2023-08-28 15:31:07 +02:00
Rasmus Wriedt Larsen
a779547515 Python: Move experimental PossibleTimingAttackAgainstHash to new dataflow API 2023-08-28 15:31:07 +02:00
Rasmus Wriedt Larsen
8abd3430a2 Python: Move experimental TimingAttackAgainstSensitiveInfo to new dataflow API 2023-08-28 15:31:07 +02:00
Rasmus Wriedt Larsen
1a4e8d9464 Python: Move experimental PossibleTimingAttackAgainstSensitiveInfo to new dataflow API 2023-08-28 15:31:07 +02:00
Rasmus Wriedt Larsen
5d8329d9c8 Python: Move experimental ZipSlip to new dataflow API 2023-08-28 15:31:07 +02:00
Rasmus Wriedt Larsen
67cc3a3935 Python: Move experimental ReflectedXSS to new dataflow API 2023-08-28 15:31:07 +02:00
Rasmus Wriedt Larsen
a0d26741d0 Python: Move experimental TarSlipImprov to new dataflow API 2023-08-28 15:31:07 +02:00
Rasmus Wriedt Larsen
3cdd875e9f Python: Move experimental UnsafeUnpack to new dataflow API 2023-08-28 15:31:07 +02:00
Rasmus Wriedt Larsen
3edb9d1011 Python: Move experimental TokenBuiltFromUUID to new dataflow API 2023-08-28 15:31:07 +02:00
Rasmus Wriedt Larsen
0f242475f2 Merge branch 'main' into experimental-cleanup 2023-08-28 11:01:22 +02:00
Rasmus Wriedt Larsen
39e2b133e9 Python: Fix naming 2023-08-28 10:40:33 +02:00
Rasmus Wriedt Larsen
4c693b4fc3 Python: Port py/xslt-injection to new data-flow 2023-08-17 15:45:07 +02:00
Rasmus Wriedt Larsen
779fe6498c Python: Rename to XsltInjection.ql 2023-08-17 15:45:07 +02:00
Rasmus Wriedt Larsen
91edde72c4 Python: Port py/template-injection to new data-flow
I kept all the modeling in _one_ file, since that makes it easy to work
with such an external contribution... and I would certainly propose this
file setup for the future 👍
2023-08-17 15:44:26 +02:00
Rasmus Wriedt Larsen
24f9f13790 Python: Fix tests 2023-08-17 10:15:36 +02:00
amammad
eb5529eac5 sanitize resutls exist in test/demo/example/sample directories 2023-08-14 23:48:03 +10:00
Rasmus Wriedt Larsen
1c3cc1fa29 Python: Remove flow through stdlib
This means tests can pass on any machine now 👍
2023-08-14 11:55:22 +02:00
Rasmus Wriedt Larsen
6e168ff7d8 Python: Only interested in StrConst 2023-08-14 11:46:21 +02:00
Rasmus Wriedt Larsen
eeefdc5dcd Python: Fix formatting 2023-08-14 11:29:38 +02:00
amammad
bee8e6ff0d remove unused saniter 2023-07-27 01:41:31 +10:00
amammad
591d81b5f9 remove saniter which was responsible for a defensive technique 2023-07-26 02:39:10 +10:00
amammad
1e1d42fa35 fix a mistake :( 2023-07-25 00:11:23 +10:00
amammad
7aff0079f5 better safe Flask example 2023-07-25 00:08:51 +10:00
amammad
0e8f83460c a little bit change on flask example 2023-07-24 21:41:54 +10:00
amammad
bbba906ff1 a little bit change on flask example 2023-07-24 21:41:44 +10:00
amammad
6f8ec118df fix qlhelp and qldoc bugs 2023-07-24 17:15:43 +10:00
amammad
c704158150 remove sources which are contained from environment variables, fix some bugs thanks to @yoff 2023-07-24 17:06:27 +10:00
Rasmus Wriedt Larsen
13fa08a90a Python: Move source modeling to shared file 2023-07-14 14:47:50 +02:00
amammad
2ba83022c7 delete old qhelp file 2023-07-01 04:49:35 +10:00
amammad
816799c4ba upgrade query to detect redash CVE too 2023-06-30 22:14:50 +10:00
amammad
7a17b99c17 V2 2023-06-29 20:55:51 +10:00
amammad
e3e0307db7 V1 2023-06-25 20:36:28 +10:00
Tony Torralba
8f6d2ed2f9 Adjust ZipSlip query description according to review suggestions. 2023-06-19 10:27:41 +02:00
Tony Torralba
3c4d938cf1 Apply code review suggestions.
Co-authored-by: Asger F <asgerf@github.com>
2023-06-19 10:20:19 +02:00
Tony Torralba
3e96fe60c5 Go/Java/JS/Python/Ruby: Update the description and qhelp of the ZipSlip query
All filesystem operations, not just writes, with paths built from untrusted archive entry names are dangerous
2023-06-16 08:52:44 +02:00
Rasmus Wriedt Larsen
0c8b4251cf Python: Avoid duplicated query-id 2023-06-07 10:07:01 +02:00
Rasmus Wriedt Larsen
c1b90c8f05 Python: Apply suggested change 2023-05-22 11:58:32 +02:00
Sim4n6
be3f59afab Replaced StringMethod() with a restrained String method calls 2023-05-20 12:17:33 +01:00
Sim4n6
21e99d52c7 Fix a redundant import 2023-05-20 10:23:04 +01:00
Sim4n6
b8969707c5 Delete the vulnerability flow image from the QHelp file. 2023-05-20 10:21:38 +01:00
Sim4n6
16ce024429 Update python/ql/src/experimental/Security/CWE-176/UnicodeBypassValidation.qhelp
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
2023-05-20 10:13:23 +01:00