hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-03-23 16:06:47 +01:00
Code Issues Packages Projects Releases Wiki Activity
14,912 Commits 1,712 Branches 163 Tags
cb4b4e91abc61e548d70bf7a9430dbd388439961
Commit Graph

1665 Commits

Author SHA1 Message Date
Rasmus Wriedt Larsen
cb4b4e91ab Python: Taint for string multiplication 2020-08-24 14:54:06 +02:00
Rasmus Wriedt Larsen
b688fe68d6 Python: Add options file to shared dataflow tests 
Since there isn't one in top-level of experimental, making a single import made
tests go really slow :|
 2020-08-24 14:54:05 +02:00
Rasmus Wriedt Larsen
5125c7a55c Python: Add taint tests for encode/decode functions 2020-08-24 14:54:04 +02:00
Rasmus Wriedt Larsen
31b398937a Python: Handle taint from bytes(obj) 2020-08-24 14:17:59 +02:00
Rasmus Wriedt Larsen
1e447c5ca2 Python: Handle taint for % formatting 2020-08-24 14:15:27 +02:00
Rasmus Wriedt Larsen
80745e8881 Python: Model string methods in shared taint tracking library 2020-08-24 13:58:42 +02:00
Rasmus Wriedt Larsen
a77f118b62 Python: Shared taint tracking: Handle string concat + subcript 2020-08-24 13:58:41 +02:00
Rasmus Wriedt Larsen
61f89ca3c3 Python: Add tests for shared taint tracking for strings 
I adopted the TestTaint testing setup that I made for the "old" taint tracking
tests. This time around we should figure out if we can use .qlref or similar so
it doesn't end up in multiple copies that are not kept up to date :|

The `repr` predicate could probably be placed somewhere better. For now I just
wanted something that could help me. I considered just expanding the `repr`
predicate in `ql/src/semmle/python/strings.qll`, but since it's currently used
by queries, I didn't want to do anything about it.

Anyway, the output it gives is much more useful than seeing this ;)

```
| test.py:20 | ok   | str_operations | test.py:20:9:20:10 | ts |
| test.py:21 | fail | str_operations | test.py:21:9:21:18 | BinaryExpr |
| test.py:22 | fail | str_operations | test.py:22:9:22:18 | BinaryExpr |
| test.py:23 | fail | str_operations | test.py:23:9:23:21 | Subscript |
| test.py:24 | fail | str_operations | test.py:24:9:24:13 | Subscript |
| test.py:25 | fail | str_operations | test.py:25:9:25:18 | Subscript |
| test.py:26 | fail | str_operations | test.py:26:9:26:13 | Subscript |
| test.py:27 | fail | str_operations | test.py:27:9:27:15 | str() |
| test.py:35 | fail | str_methods | test.py:35:9:35:23 | Attribute() |
| test.py:36 | fail | str_methods | test.py:36:9:36:21 | Attribute() |
| test.py:37 | fail | str_methods | test.py:37:9:37:22 | Attribute() |
| test.py:38 | fail | str_methods | test.py:38:9:38:23 | Attribute() |
| test.py:40 | fail | str_methods | test.py:40:9:40:19 | Attribute() |
| test.py:41 | fail | str_methods | test.py:41:9:41:23 | Attribute() |
| test.py:42 | fail | str_methods | test.py:42:9:42:36 | Attribute() |
| test.py:44 | fail | str_methods | test.py:44:9:44:25 | Attribute() |
| test.py:45 | fail | str_methods | test.py:45:9:45:45 | Attribute() |
| test.py:47 | fail | str_methods | test.py:47:9:47:21 | Attribute() |
| test.py:48 | fail | str_methods | test.py:48:9:48:19 | Attribute() |
| test.py:49 | fail | str_methods | test.py:49:9:49:18 | Attribute() |
| test.py:51 | fail | str_methods | test.py:51:9:51:32 | Attribute() |
| test.py:52 | fail | str_methods | test.py:52:9:52:34 | Attribute() |
| test.py:54 | fail | str_methods | test.py:54:9:54:21 | Attribute() |
| test.py:55 | fail | str_methods | test.py:55:9:55:19 | Attribute() |
| test.py:56 | fail | str_methods | test.py:56:9:56:18 | Attribute() |
| test.py:57 | fail | str_methods | test.py:57:9:57:21 | Attribute() |
| test.py:58 | fail | str_methods | test.py:58:9:58:18 | Attribute() |
| test.py:59 | fail | str_methods | test.py:59:9:59:18 | Attribute() |
| test.py:60 | fail | str_methods | test.py:60:9:60:21 | Attribute() |
| test.py:62 | fail | str_methods | test.py:62:9:62:26 | Attribute() |
| test.py:63 | fail | str_methods | test.py:63:9:63:42 | Attribute() |
| test.py:65 | fail | str_methods | test.py:65:9:65:26 | Attribute() |
| test.py:66 | fail | str_methods | test.py:66:9:66:42 | Attribute() |
| test.py:69 | fail | str_methods | test.py:69:9:69:25 | Attribute() |
| test.py:70 | fail | str_methods | test.py:70:9:70:26 | Attribute() |
| test.py:71 | fail | str_methods | test.py:71:9:71:22 | Attribute() |
| test.py:72 | fail | str_methods | test.py:72:9:72:21 | Attribute() |
| test.py:73 | fail | str_methods | test.py:73:9:73:23 | Attribute() |
| test.py:78 | ok   | str_methods | test.py:78:9:78:39 | Attribute() |
```
 2020-08-24 13:58:39 +02:00
Taus
b8d6f76749 Merge pull request #4056 from yoff/SharedDataflow_ParameterTests 
Python: Shared dataflow, parameter routing tests
 2020-08-24 11:36:30 +02:00
Rasmus Wriedt Larsen
7fb8e0e277 Python: Add basic shared taint tracking test 2020-08-20 14:49:17 +02:00
Rasmus Wriedt Larsen
0baac8fd54 Python: Adjust shared taint tracking skeleton 
So it fits the setup from Java/Go, with AdditionalTaintStep class.
 2020-08-20 14:49:09 +02:00
Anders Schack-Mulligen
f75f5ab125 Merge pull request #3838 from hvitved/dataflow/flow-fwd-ctx 
Data flow: Use precise call contexts in `flowFwd()`
 2020-08-18 13:06:11 +02:00
Tom Hvitved
a2fc92b9db Data flow: Address review comments 2020-08-17 15:46:43 +02:00
Rasmus Lerchedahl Petersen
2817602a97 Merge branch 'master' of github.com:github/codeql into SharedDataflow_ParameterTests 2020-08-14 14:27:57 +02:00
CodeQL CI
e9a36b2524 Merge pull request #4062 from tausbn/python-fix-unknown-import-star 
Approved by yoff
 2020-08-14 13:17:45 +01:00
Rasmus Lerchedahl Petersen
9556937840 Python: address review comments 2020-08-14 11:29:58 +02:00
Tom Hvitved
e518cbabd6 Python: Sync data flow files 2020-08-14 11:04:45 +02:00
yoff
8d49ad7325 Update python/ql/test/experimental/dataflow/coverage/datamodel.py 
Co-authored-by: Taus <tausbn@github.com>
 2020-08-14 10:53:37 +02:00
yoff
4b336e9b01 Update python/ql/test/experimental/dataflow/coverage/classes.py 
Co-authored-by: Taus <tausbn@github.com>
 2020-08-14 10:53:10 +02:00
Taus Brock-Nannestad
a1a1218f95 Python: Ignore from foo import * when foo is absent. 2020-08-13 10:50:28 +02:00
Taus Brock-Nannestad
dc5c0f8e7a Python: Add test case for missing modules 2020-08-13 10:49:11 +02:00
Rasmus Lerchedahl Petersen
3f2fcbf0ae Python: Remove most noise in the query output 
Just a quick change, the query should probably be rewritten
 2020-08-13 08:23:12 +02:00
Rasmus Lerchedahl Petersen
2cc7712d40 Python: Annotate test cases 2020-08-13 08:02:42 +02:00
Rasmus Lerchedahl Petersen
20ffb3fd4c Python: tests for argument routing 
Needs annotations
 2020-08-12 15:43:07 +02:00
Rasmus Lerchedahl Petersen
dd4d00293d Python: remaining class tests 2020-08-11 14:16:02 +02:00
Rasmus Lerchedahl Petersen
394991164f Python: Update test expectations 2020-08-11 13:05:35 +02:00
Rasmus Lerchedahl Petersen
f834d71bab Python: split out data model tests 2020-08-11 11:22:11 +02:00
Rasmus Lerchedahl Petersen
2c5de7f50e Python: fix r/l confusion 2020-08-11 10:48:23 +02:00
Rasmus Lerchedahl Petersen
12dfc4afd9 Python: clean up validity check code 2020-08-11 08:16:49 +02:00
Rasmus Lerchedahl Petersen
3929e01350 Python: tests for async iterators/context managers 2020-08-11 08:10:46 +02:00
Rasmus Lerchedahl Petersen
5da37f5cf4 Python: Update test expectations 2020-08-10 17:07:00 +02:00
Rasmus Lerchedahl Petersen
a963f15100 Python: format strings are unnecessary and mess up 
For some reason, we got no results when format strings were present.
 2020-08-10 11:54:24 +02:00
Rasmus Lerchedahl Petersen
959c6315c4 Python: update reference to fix tests 2020-08-10 09:24:45 +02:00
Rasmus Lerchedahl Petersen
639d914a47 Python: test Awaitable, framework for async test 2020-08-10 09:03:28 +02:00
Rasmus Lerchedahl Petersen
02478774c3 Python: tests for context managers 2020-08-10 08:11:25 +02:00
Rasmus Lerchedahl Petersen
5b7c7f933c Python: tests for numeric classes 2020-08-08 00:31:29 +02:00
Rasmus Lerchedahl Petersen
f6d6f91a42 Python: tests for containers 2020-08-07 23:39:42 +02:00
Rasmus Lerchedahl Petersen
aff4535965 Python: fix tests for descriptors 2020-08-07 23:07:58 +02:00
Rasmus Lerchedahl Petersen
d84294df3d Python: Check that tests are valid 2020-08-07 20:07:02 +02:00
Rasmus Lerchedahl Petersen
3db1ceeb70 Python: format ql 2020-08-06 15:42:14 +02:00
Rasmus Lerchedahl Petersen
614103c3b6 Python: Test calls rather than flows 2020-08-06 15:40:41 +02:00
yoff
e642808a75 Update python/ql/test/experimental/dataflow/coverage/classes.py 
Co-authored-by: intrigus-lgtm <60750685+intrigus-lgtm@users.noreply.github.com>
 2020-08-05 15:12:27 +02:00
Rasmus Lerchedahl Petersen
a89624698d Python: format ql 2020-08-05 14:28:28 +02:00
Rasmus Lerchedahl Petersen
81ad4552c9 Python: full list of magic methods to be tested 2020-08-05 13:30:30 +02:00
Rasmus Lerchedahl Petersen
d7c08f732d Merge branch 'master' of github.com:github/codeql into SharedDataflow_Classes 2020-08-04 16:01:42 +02:00
Calum Grant
595ab442e6 Merge pull request #3996 from yoff/SharedDataflow_Syntax 
Python: Test all expressions that incur dataflow
 2020-07-31 17:45:00 +01:00
Rasmus Lerchedahl Petersen
3e13056140 Python: Address most review comments 2020-07-31 17:20:58 +02:00
Rasmus Lerchedahl Petersen
e8ce62e211 Python: Fix missing flow annotation 2020-07-31 15:28:27 +02:00
Rasmus Lerchedahl Petersen
e13cf2e126 Python: fix formatting 2020-07-31 14:25:09 +02:00
Rasmus Lerchedahl Petersen
29493f5bd7 Python: Make the coverage test a path query 2020-07-31 12:38:57 +02:00