hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-25 13:16:33 +01:00
Code Issues Packages Projects Releases Wiki Activity
7,244 Commits 1,673 Branches 157 Tags
cb7db8f4c0dfceda540d6427eb02210777ef025a
Commit Graph

82 Commits

Author SHA1 Message Date
Mark Shannon
3f740d6efe Python: Update CWE-312 queries to use new taint-tracking configuration. 2019-08-30 11:21:04 +01:00
Mark Shannon
811815aa4e Merge branch 'master' into python-cwe-312 2019-08-30 10:39:04 +01:00
Mark Shannon
91aefab7aa Python: Reorganise code a bit to minimize diff for PR. 2019-08-29 10:31:50 +01:00
Mark Shannon
d31e55f88e Python taint-tracking: Avoid ambiguous flows through calls. Fix up tests. 2019-08-29 10:31:50 +01:00
Mark Shannon
78ce19678a Python taint-tracking: Fix up SQL injection query. 2019-08-29 10:31:50 +01:00
Mark Shannon
2d9d292ee4 Python: Fix up pi-node handling in taint-tracking. 2019-08-29 10:31:50 +01:00
Mark Shannon
8909c3d6ab Python: Fix tags and message for CWE-312 queries. 2019-08-23 15:20:19 +01:00
Mark Shannon
81c65cd37c Add missing html tag 2019-08-22 15:27:48 +01:00
Mark Shannon
15bb8b5f70 Python add new queries for clear-text logging and storage. 2019-08-22 15:27:48 +01:00
Mark Shannon
3e5fddd776 Python: Update all remaining taint-tracking queries to use configurations. 2019-07-26 16:39:10 +01:00
Mark Shannon
39b7a69abd Python: Tarslip query: Fix up sanitizers. 2019-06-19 15:00:02 +01:00
Mark Shannon
a15a89206e Python: Fix typos in qhelp file. 2019-06-19 11:48:31 +01:00
Mark Shannon
6f15c84bdc Python: Tarslip query; Add sink for members and sanitizers for tarinfo objects. 2019-06-19 11:48:31 +01:00
Mark Shannon
e14f7ef466 Python: Tarslip query; track info objects and handle sanitization. 2019-06-19 11:48:31 +01:00
Mark Shannon
ea4e263060 Python: Initial version and help of tar-slip (CWE-022) query. 2019-06-19 11:48:31 +01:00
Mark Shannon
8d4a8a6c6b Python: Reduce the number of strings and ints identified and possible hard-coded credentials. 2019-06-03 12:22:15 +01:00
Mark Shannon
28799441af Python: Fix false positive in 'Incomplete URL substring sanitization' query. 2019-04-25 18:11:01 +01:00
Taus
adf8cdcde5 Merge pull request #1203 from markshannon/python-taint-tracking-configuration-2 
Python: Use taint tracking configuration for queries.
 2019-04-09 10:01:35 +02:00
Mark Shannon
52b3f77f4f Fix typo. 2019-04-08 15:47:49 +01:00
Mark Shannon
2ba122373a Merge pull request #1128 from taus-semmle/python-paramiko-unsafe-host-key-validation 
Python: Add query for insecure SSH host key policies in Paramiko.
 2019-04-04 16:57:13 +01:00
Mark Shannon
c2e814a11a Fix CWE tag for Code injection query. 2019-04-04 15:09:12 +01:00
Mark Shannon
3bcd445a32 Python change 'SimpleHttpResponseTaintSink' to 'HttpResponseTaintSink'. 2019-04-04 14:45:37 +01:00
Mark Shannon
8b01bac900 Python: make sure unsafe deserialization query is using correct sources and that pickle is included in sinks. 2019-04-04 10:56:45 +01:00
Mark Shannon
bc19769e6d Python: make sure code injection query is using correct sources. 2019-04-04 10:56:45 +01:00
Mark Shannon
35e82dca68 Python revert .getNode() to .getSink()/.getSource() to keep expected test output the same. 2019-04-04 10:56:45 +01:00
Mark Shannon
f8c43ca40b Python: make sure all django and flask request sources conform to interface. 2019-04-04 10:56:45 +01:00
Mark Shannon
61e6ae7c4a Python: Use new taint-tracking query in unsafe deserialization query. 2019-04-04 10:56:45 +01:00
Mark Shannon
3c1a5bb046 Python: Use new taint-tracking query in code-injection query. 2019-04-04 10:56:44 +01:00
Mark Shannon
64e8be6ed1 Python: Use new taint-tracking query in reflected-xss query. 2019-04-04 10:56:44 +01:00
Mark Shannon
7fc5d690cd Python: Use new taint-tracking query in SQL-injection query. 2019-04-04 10:56:44 +01:00
Mark Shannon
058ae7befc Merge pull request #1142 from taus-semmle/python-use-new-moduleobject-api 
Python: Use new `ModuleObject` API more widely.
 2019-03-26 15:02:44 +00:00
Taus Brock-Nannestad
5eb63ae048 Fix false positive and add test. 2019-03-21 14:10:05 +01:00
Taus Brock-Nannestad
9cb35a8ca9 Use correct named argument for ssl.SSLContext. 2019-03-21 14:09:25 +01:00
Taus Brock-Nannestad
391e111189 Use attr instead of getAttribute. 2019-03-20 17:41:23 +01:00
Taus Brock-Nannestad
f14f7b50ed Python: Use ModuleObject::named more consistently. 2019-03-20 17:41:23 +01:00
Taus Brock-Nannestad
c7c6c83627 Address review comments. 2019-03-19 15:44:11 +01:00
Taus Brock-Nannestad
52278b25d9 Python: Add query for insecure SSH host key policies in Paramiko. 2019-03-18 16:45:54 +01:00
Mark Shannon
38a5fb715a Python: Avoid cross-talk between unrelated sources in py/stack-trace-exposure query. 2019-03-05 16:52:28 +00:00
Taus Brock-Nannestad
63893fe52c Python: Add missing @kind for py/insecure-temporary-file. 2019-03-04 11:20:39 +01:00
Taus Brock-Nannestad
e47b391329 Fix interpolation. 2019-02-26 16:27:04 +01:00
Taus Brock-Nannestad
7daaf77183 Make query alert refer to AST nodes rather than CFG nodes. 2019-02-26 15:56:37 +01:00
Taus Brock-Nannestad
504cb648d1 Change query description. 2019-02-26 13:26:20 +01:00
Taus Brock-Nannestad
8d774cd354 Merge branch 'master' into python-unsafe-use-of-mktemp 2019-02-26 13:23:38 +01:00
Mark Shannon
98be27a73e Python: Add 'attr' predicate as a synomnym for 'getAttribute' to help readability. 2019-02-20 11:08:44 +00:00
Mark Shannon
35fa5d8f60 Python move various theXXX() predicates into the appropriate module. 2019-02-20 10:34:08 +00:00
Taus
08fcb984a8 Implement getACall suggestion. 2019-01-29 17:59:45 +01:00
Taus
6f7c96db54 Merge branch 'master' into python-unsafe-use-of-mktemp 2019-01-29 16:12:53 +01:00
Taus Brock-Nannestad
9a9d902cfb Add support for os.tempnam and os.tmpnam. 2019-01-29 16:08:32 +01:00
Taus
9adb19f3a9 Merge branch 'master' into python-incomplete-url-sanitize 2019-01-29 14:17:37 +01:00
Mark Shannon
6d553ae2be Python: Check os.open as well as os.chmod for weak file permissions. 2019-01-28 14:26:16 +00:00