Taus
c748fdf8ee
Merge pull request #21694 from github/tausbn/python-add-support-for-pep-810
Python: Add support for PEP 810
2026-04-14 13:27:08 +02:00
Owen Mansel-Chan
7458674470
Merge pull request #21584 from owen-mc/shared/update-mad-comments
Shared: update code comments explaining models-as-data format to include barriers and barrier guards
2026-04-14 09:30:28 +01:00
Taus
2eeb31b472
Python: Add tests for lazy from ... import * as well
2026-04-13 11:49:06 +00:00
Taus
81468daf9c
Merge pull request #21603 from github/tausbn/python-port-use-of-exit
Python: Port UseOfExit.ql
2026-04-13 13:20:29 +02:00
Taus
720ea702fe
Merge pull request #21602 from github/tausbn/python-port-modification-of-locals
Python: Port ModificationOfLocals.ql
2026-04-13 13:19:40 +02:00
Taus
36bbc8ca14
Merge pull request #21601 from github/tausbn/python-port-unused-exception-object
Python: Port UnusedExceptionObject.ql
2026-04-13 13:19:12 +02:00
Taus
cc9bc746a1
Merge pull request #21597 from github/tausbn/python-port-unreachable-code
Python: Port UnreachableCode.ql
2026-04-13 13:17:59 +02:00
Taus
86020d9eed
Python: Add change note
2026-04-10 14:43:30 +00:00
Taus
6b7d47ee7d
Python: Add QL test for the new syntax
2026-04-10 14:39:13 +00:00
Taus
1ddfed6b6b
Python: Add QL support for lazy imports
Adds a new `isLazy` predicate to the relevant classes, and adds the
relevant dbscheme (and up/downgrade) changes. On upgrades we do nothing,
and on downgrades we remove the `is_lazy` bits.
2026-04-10 14:25:08 +00:00
Taus
fe94828fe4
Python: Add overlay annotations to AST template
Otherwise these will disappear every time we regenerate the AST.
2026-04-10 14:23:29 +00:00
Taus
2c79f9d828
Python: Regenerate parser files
2026-04-10 13:50:59 +00:00
Taus
ad4018f399
Python: Add parser support for lazy imports
As defined in PEP-810. We implement this in much the same way as how we
handle `async` annotations currently. The relevant nodes get an
`is_lazy` field that defaults to being false.
2026-04-10 13:50:43 +00:00
Taus
d622dabf3e
Python: Add create-extractor-pack.sh for Python
This allows us to build and test the extractor (for actual QL extraction
-- not just the extractor unit tests) entirely from within the
`github/codeql` repo, just as we do with Ruby. All that's needed is a
`--search-path` argument that points to the repo root.
2026-04-09 13:06:45 +00:00
Taus
e3688444d7
Python: Also exclude class scope
Changing the `locals()` dictionary actually _does_ change the attributes
of the class being defined, so we shouldn't alert in this case.
2026-04-07 23:46:03 +02:00
Taus
8d79248ea7
Python: Port ModificationOfLocals.ql
2026-04-07 23:46:03 +02:00
Taus
16683aee0e
Merge pull request #21590 from github/tausbn/python-improve-bind-all-interfaces-query
Python: Improve "bind all interfaces" query
2026-04-07 17:59:48 +02:00
Taus
4cb238f1af
Merge pull request #21598 from github/tausbn/python-port-should-use-with
Python: Port ShouldUseWithStatement.ql
2026-04-07 14:16:41 +02:00
Óscar San José
59eec7ffa2
Merge branch 'main' of https://github.com/github/codeql into post-release-prep/codeql-cli-2.25.1
2026-03-30 10:51:12 +02:00
github-actions[bot]
ce6e6d5db3
Post-release preparation for codeql-cli-2.25.1
2026-03-30 08:43:48 +00:00
Taus
a0b3c2f13a
Python: Update change note
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2026-03-27 23:46:50 +01:00
Taus
187f7c7bcf
Python: Move isNetworkBind check into isSink
2026-03-27 22:45:26 +00:00
Owen Mansel-Chan
37aac05964
Replace branch with acceptingValue
2026-03-27 22:39:10 +00:00
Taus
c5ef1f6342
Python: Port UseOfExit.ql
2026-03-27 22:28:38 +00:00
Taus
4f74d421b9
Python: Exclude AF_UNIX sockets from BindToAllInterfaces
Looking at the results of the previous DCA run, there was a bunch of
false positives where `bind` was being used with an `AF_UNIX` socket (a
filesystem path encoded as a string), not a `(host, port)` tuple. These
results should be excluded from the query, as they are not vulnerable.
Ideally, we would just add `.TupleElement[0]` to the MaD sink, except we
don't actually support this in Python MaD...
So, instead I opted for a more low-tech solution: check that the
argument in question flows from a tuple in the local scope.
This eliminates a bunch of false positives on `python/cpython` leaving
behind four true positive results.
2026-03-27 16:55:10 +00:00
Taus
47d24632e6
Python: Port ShouldUseWithStatement.ql
Only trivial test changes.
2026-03-27 12:34:20 +00:00
Taus
0ea80ac184
Python: Port UnusedExceptionObject.ql
Depending on whether other queries depend on this, we may end up moving
the exception utility functions to a more central location.
2026-03-27 12:34:14 +00:00
Taus
60f9ce4ce7
Python: Port UnreachableCode.ql
2026-03-27 12:33:04 +00:00
Owen Mansel-Chan
10fddc7b96
Add barriers and barrier guards to MaD format explanations
2026-03-27 09:47:24 +00:00
yoff
08e115056d
Merge pull request #21519 from github/tausbn/python-port-no-alert-change
2026-03-27 08:44:28 +01:00
Taus
c9832c330a
Python: Convert BindToAllInterfaces to path-problem
Now that we're using global data-flow, we might as well make use of the
fact that we know where the source is.
2026-03-26 21:10:43 +00:00
Taus
c0ce6699a5
Python: Add change note
2026-03-26 15:35:33 +00:00
Taus
c439fc5d45
Python: Replace type tracking with global data-flow
This takes care of most of the false negatives from the preceding
commit.
Additionally, we add models for some known wrappers of `socket.socket`
from the `gevent` and `eventlet` packages.
2026-03-26 15:35:33 +00:00
Taus
1ecd9e83b8
Python: Add test cases for BindToAllInterfaces FNs
Adds test cases from github/codeql#21582 demonstrating false negatives:
- Address stored in class attribute (`self.bind_addr`)
- `os.environ.get` with insecure default value
- `gevent.socket` (alternative socket module)
2026-03-26 14:57:24 +00:00
Taus
824d004a27
Python: Convert BindToAllInterfaces test to inline expectations
2026-03-26 14:56:57 +00:00
github-actions[bot]
fb011842c9
Release preparation for version 2.25.1
2026-03-25 23:43:06 +00:00
github-actions[bot]
8cf0954796
Release preparation for version 2.25.1
2026-03-25 08:28:30 +00:00
Taus
059693ce89
Python: Restrict ShouldBeContextManager.ql results
By limiting the results to the class that actually defines the `__del__`
method, we eliminate a bunch of FPs where a _subclass_ of such a class
would also get flagged.
2026-03-24 13:04:44 +00:00
Taus
ac48eca916
Python: Use cls.getMethod instead of getName
2026-03-23 15:26:00 +00:00
Taus
93e35661e6
Python: Make isNewType more precise
For module-level metaclass declarations, we now also check that the
right hand side in a `__metaclass__ = type` assignment is in fact the
built-in `type`.
2026-03-23 15:22:24 +00:00
Taus
a276f721f7
Python: Add ternary overridesMethod
This one also allows easy access to the method being overridden and the
class on which it resides. This lets us simplify DocStrings.ql
accordingly.
2026-03-23 15:21:27 +00:00
Taus
1ffcdc9293
Python: Select property instead of function
in PropertyInOldStyleClass. This matches the previous behaviour more
closely.
2026-03-23 14:55:28 +00:00
Taus
56c83e250e
Python: Make comment more precise
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2026-03-23 15:09:27 +01:00
Taus
5859590b5d
Python: Fix typo in comment
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2026-03-23 15:07:31 +01:00
Taus
434b3973eb
Python: Add change note
2026-03-20 13:30:29 +00:00
Taus
3584ad1905
Python: Port DeprecatedSliceMethod.ql
Only trivial test changes.
2026-03-20 13:30:29 +00:00
Taus
50b3b7ee1f
Python: Add DuckTyping::hasUnreliableMro
Primarily used to filter out false positives in cases where our MRO
approximation may be wrong.
2026-03-20 13:30:29 +00:00
Taus
fa8e4f7314
Python: Port DocStrings.ql
2026-03-20 13:28:45 +00:00
Taus
c04b615a07
Python: Extend DuckTyping module
Adds `overridesMethod` and `isPropertyAccessor`.
2026-03-20 13:28:45 +00:00
Taus
283231bdbc
Python: Port ShouldBeContextManager.ql
Only trivial test changes.
2026-03-20 13:28:45 +00:00