hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-24 04:36:35 +01:00
Code Issues Packages Projects Releases Wiki Activity
33,053 Commits 1,673 Branches 157 Tags
c155ac6e7ada78eba0a1c40f04c9ca408ddde6ec
Commit Graph

4692 Commits

Author SHA1 Message Date
jorgectf
c155ac6e7a Add HtmlEscaping sanitizer 2022-03-10 00:47:04 +01:00
jorgectf
3f43e6ef54 Fix FlaskMail's getTo 2022-03-08 18:45:53 +01:00
jorgectf
bbba1a21c4 Explicitly call this in SendGridMail 2022-03-08 18:40:20 +01:00
jorgectf
930fbf777c Move getFlaskMailArgument inside FlaskMail and refactor 2022-03-08 18:38:32 +01:00
jorgectf
6b04344655 Refactor sendgridContent and sendgridWrite 
Move the predicates inside `SendGridMail`.
See https://github.com/github/codeql/pull/7127#discussion_r821574462
 2022-03-08 18:26:20 +01:00
jorgectf
6722671541 Refactor sendgridApiClient and sendgridApiSendCall 
Co-authored-by: yoff <lerchedahl@gmail.com>
 2022-03-08 18:24:38 +01:00
jorgectf
3159d8e211 Correlate SendGridMail declaration with its predicates 2022-03-03 04:33:10 +01:00
jorgectf
67b672a467 Merge remote-tracking branch 'origin/main' into jty/python/emailInjection 2022-02-26 01:22:55 +01:00
jorgectf
2f2cf2c1f6 Use StrConst.getText() instead of Str_.getS() 2022-02-26 01:19:50 +01:00
yoff
8b926f6859 Merge pull request #7873 from RasmusWL/fix-attribute-taint 
Python: Fix attribute taint
 2022-02-25 15:02:24 +01:00
Rasmus Wriedt Larsen
aeba497832 Merge pull request #7735 from yoff/python/promote-log-injection 
Python: promote log injection
 2022-02-23 16:21:12 +01:00
Taus
3ce7d47b5b Merge pull request #7452 from jorgectf/python_jwt 
Python: Add Python_JWT to JWT security query
 2022-02-23 15:23:20 +01:00
jorgectf
4aa1c0a11e Update .expected 2022-02-23 00:55:39 +01:00
jorgectf
7c108c7892 Polish test 2022-02-22 20:57:20 +01:00
Jorge
0216798cb9 Apply suggestions from code review 
Co-authored-by: Taus <tausbn@github.com>
 2022-02-22 20:55:51 +01:00
Rasmus Wriedt Larsen
b59ab7f5f3 Merge branch 'main' into python/promote-log-injection 2022-02-21 09:59:31 +01:00
Arthur Baars
ebb87c4b36 Merge pull request #7975 from github/post-release-prep/codeql-cli-2.8.1 
Post-release preparation for codeql-cli-2.8.1
 2022-02-15 20:17:35 +01:00
Rasmus Wriedt Larsen
62d4bb50a5 Python: Autoformat 
Trailing whitespace is a bit too easy with the ```suggestions through
the UI :|
 2022-02-15 10:38:52 +01:00
Rasmus Wriedt Larsen
5a90214ece Merge pull request #7783 from yoff/python/promote-ldap-injection 
Python: promote LDAP injection query
 2022-02-15 10:24:18 +01:00
yoff
de5b3a272d Merge pull request #7660 from RasmusWL/deprecate-old-modeling 
Python: Deprecate old points-to based modeling
 2022-02-14 19:48:03 +01:00
yoff
3a995ec1b1 Update python/ql/lib/semmle/python/security/dataflow/LogInjectionCustomizations.qll 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2022-02-14 16:08:44 +01:00
yoff
62598c0fd1 Update python/ql/lib/semmle/python/security/dataflow/LogInjectionCustomizations.qll 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2022-02-14 16:07:40 +01:00
Rasmus Lerchedahl Petersen
d1200d0cd5 python: fix change-note formatting 2022-02-14 12:22:29 +01:00
Rasmus Lerchedahl Petersen
84447e4710 python: more detailed alert message 2022-02-14 11:55:07 +01:00
Rasmus Lerchedahl Petersen
bd14adefa0 python: add apologetic comment 2022-02-14 11:37:46 +01:00
Chuan-kai Lin
9b4dbb9dd8 Merge pull request #7895 from github/cklin/upgrades-initial-dbscheme 
Upgrade scripts testing: set initial dbschemes
 2022-02-11 11:06:12 -08:00
Taus
d7f30de5b0 Merge pull request #7874 from RasmusWL/set-store-step 
Python: Fix setStoreStep to use `SetElementContent`
 2022-02-11 12:50:02 +01:00
github-actions[bot]
21bf29353f Post-release preparation for codeql-cli-2.8.1 2022-02-11 11:07:31 +00:00
github-actions[bot]
f25fc70b7c Release preparation for version 2.8.1 2022-02-10 22:08:24 +00:00
Taus Brock-Nannestad
be323bafaf Merge remote-tracking branch 'upstream/main' into python-normalise-prefixes 2022-02-10 12:55:49 +01:00
Rasmus Wriedt Larsen
94f9656e8e Python: Solve deprecation warnings for old experimental queries 2022-02-10 00:09:43 +01:00
Tamás Vajk
6483a92587 Merge pull request #7865 from github/post-release-prep/codeql-cli-2.8.0 
Post-release preparation for codeql-cli-2.8.0
 2022-02-09 16:42:38 +01:00
Rasmus Wriedt Larsen
9d5e8d5bd8 Merge pull request #7842 from RasmusWL/consistency-queires 
Misc: Streamline `consistency-queries/qlpack.yml`
 2022-02-09 13:42:18 +01:00
Tom Hvitved
9440a45015 Merge branch 'main' into post-release-prep/codeql-cli-2.8.0 2022-02-09 09:40:33 +01:00
yoff
f21ac04285 Update python/ql/lib/semmle/python/frameworks/Stdlib.qll 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2022-02-09 09:22:31 +01:00
jorgectf
3ccac4ed8a Update .expected 2022-02-08 23:59:36 +01:00
jorgectf
c6d8b97871 Make verifyCall() a private predicate 2022-02-08 23:37:17 +01:00
jorgectf
7b51b91d13 Improve test 2022-02-08 23:33:43 +01:00
jorgectf
ed60d16367 Refactor the way to check the verifying call 2022-02-08 23:33:30 +01:00
Jorge
f1fab98ea2 Merge branch 'github:main' into python_jwt 2022-02-08 23:12:58 +01:00
Taus Brock-Nannestad
54ae744b2c Python: Also update Python 2 file 2022-02-08 22:08:53 +01:00
Chuan-kai Lin
a7f1ee574c Upgrade scripts testing: set initial dbschemes 
This commit sets initial dbschemes for cpp, csharp, java, javascript, and
python so that automated testing for upgrade scripts would also cover legacy
upgrades.
 2022-02-08 11:11:41 -08:00
Taus Brock-Nannestad
6ea8986daa Python: Normalise string prefixes 2022-02-08 16:48:17 +01:00
Rasmus Wriedt Larsen
3e01816f0c Python: Add change-note 2022-02-08 12:03:40 +01:00
Rasmus Wriedt Larsen
a8edd44a3c Python: Update .expected 2022-02-08 11:12:34 +01:00
Rasmus Wriedt Larsen
eb109828c0 Merge pull request #7252 from museljh/feature/cwe-338 
Python: CWE-338 insecureRandomness
 2022-02-07 19:30:06 +01:00
Rasmus Wriedt Larsen
62702d0ca9 Python: Fix setStoreStep to use SetElementContent 2022-02-07 13:18:36 +01:00
Rasmus Wriedt Larsen
b276b2d48c Python: Clean up taint steps for attributes 2022-02-07 13:12:31 +01:00
Rasmus Wriedt Larsen
59160eeb24 Python: Add test showing taint for attr store 
In `x.arg = TAINTED_STRING` there is a store step to the attribute `arg`
of `x`. In our taint modeling, we allow _any_ store step with the code
below. This means that we also say there is a taint-step directly from
`TAINTED_STRING` to `x` :|

```codeql
  // construction by literal
  // TODO: Not limiting the content argument here feels like a BIG hack, but we currently get nothing for free :|
  DataFlowPrivate::storeStep(nodeFrom, _, nodeTo)
```
 2022-02-07 13:12:28 +01:00
Rasmus Wriedt Larsen
32cd7d6fa7 Add groups to all consistency-queries/qlpack.yml 
as discussed in PR review
 2022-02-07 11:15:48 +01:00