Rasmus Wriedt Larsen
cb934e17b1
Python: Adjust SSRF location to request call
...
Since that might not be the same place where the vulnerable URL part is.
2021-12-16 22:48:51 +01:00
Rasmus Wriedt Larsen
b1bca85162
Python: Add interesting test-case
2021-12-16 22:48:51 +01:00
Rasmus Wriedt Larsen
5a7efd0fee
Python: Minor adjustments to QLDoc of HTTP::Client::Request
2021-12-16 22:48:51 +01:00
Rasmus Wriedt Larsen
6ce1524192
Python: Apply suggestions from code review
...
Co-authored-by: yoff <lerchedahl@gmail.com>
2021-12-16 15:19:37 +01:00
Rasmus Wriedt Larsen
1cc5e54357
Python: Add SSRF queries
...
I've added 2 queries:
- one that detects full SSRF, where an attacker can control the full URL,
  which is always bad
- and one for partial SSRF, where an attacker can control parts of a
  URL (such as the path, query parameters, or fragment), which is not a
  big problem in many cases (but might still be exploitable)

Full SSRF should run by default, and partial SSRF should not (but makes
it easy to see the other results).

Some elements of the full SSRF queries need a bit more polishing, like
being able to detect `"https://" + user_input` is in fact controlling
the full URL.
2021-12-16 01:48:34 +01:00
Rasmus Wriedt Larsen
579de0c3f0
Python: Remove getResponse and do manual taint steps
2021-12-15 21:55:04 +01:00
Rasmus Wriedt Larsen
f8fc583af3
Python: client request: getUrl => getAUrlPart
...
I think `getUrl` is a bit too misleading, since from the name, I would
only ever expect ONE result for one request being made.
`getAUrlPart` captures that there could be multiple results, and that
they might not constitute a whole URL.
Which is the same naming I used when I tried to model this a long time ago
a80860cdc6/python/ql/lib/semmle/python/web/Http.qll (L102-L111)
2021-12-15 21:55:04 +01:00
Rasmus Wriedt Larsen
6f81685f48
Python: Add modeling of http.client.HTTPResponse
2021-12-15 21:55:04 +01:00
Rasmus Wriedt Larsen
a5bae30d81
Python: Add tests of http.client.HTTPResponse
2021-12-15 20:39:46 +01:00
Rasmus Wriedt Larsen
cf2ee0672f
Python: Model requests Responses
2021-12-13 15:09:46 +01:00
Rasmus Wriedt Larsen
35cba17642
Python: Consider taint of client http requests
2021-12-13 14:56:16 +01:00
Rasmus Wriedt Larsen
b68d280129
Python: Add modeling of requests
2021-12-13 14:56:16 +01:00
Rasmus Wriedt Larsen
1ff56d5143
Python: Add tests of requests
...
Also adjusts test slightly. Writing
`clientRequestDisablesCertValidation=False` to mean that certificate
validation was disabled by the `False` expression is just confusing, as
it easily reads as _certificate validation was NOT disabled_ :|
The new one ties to each request that is being made, which seems like
the right setup.
2021-12-13 14:07:32 +01:00
Rasmus Wriedt Larsen
7bf285a52e
Python: Alter disablesCertificateValidation to fit our needs
...
For the snippet below, our current query is able to show _why_ we
consider `var` to be a falsey value that would disable SSL/TLS
verification. I'm not sure we're going to need the part that Ruby did,
for being able to specify _where_ the verification was removed, but
we'll see.
```
requests.get(url, verify=var)
```
2021-12-13 11:37:12 +01:00
Rasmus Wriedt Larsen
08f6d1ab80
Python: Clearer sourceType for client response body
2021-12-13 11:24:38 +01:00
Rasmus Wriedt Larsen
5de79b4ffe
Python: Add HTTP::Client::Request concept
...
Taken from Ruby, except that `getURL` member predicate was changed to
`getUrl` to keep consistency with the rest of our concepts, and stick
to our naming convention.
2021-12-13 11:09:09 +01:00
Michael Nebel
a6360215f3
Merge pull request #7304 from michaelnebel/csharp-mad-as-csv2
...
C#: Convert flow summaries to CSV format.
2021-12-13 08:56:06 +01:00
Harry Maclean
0ca9852cc8
Merge pull request #7325 from github/hmac/action-controller-private-methods
...
Ruby: Don't count private methods as Rails actions
2021-12-13 20:47:22 +13:00
Harry Maclean
e1d290d4c0
Ruby: Don't count private methods as Rails actions
...
Private instance methods on ActionController classes aren't valid
request handlers. Routing to them will raise an exception.
2021-12-13 15:36:55 +13:00
Nick Rolfe
b80a84c156
Merge pull request #7341 from github/nickrolfe/cookies
2021-12-10 19:52:23 +00:00
Andrew Eisenberg
66c1629974
Merge pull request #7285 from github/post-release-prep-2.7.3-ddd4ccbb
...
Post-release preparation 2.7.3
2021-12-10 09:59:45 -08:00
Nick Rolfe
b6c5b4d213
Ruby: define ActionViewCookiesCall
2021-12-10 16:36:26 +00:00
yoff
d8857c7ce8
Merge pull request #7246 from tausbn/python/import-star-flow
...
Python: Support flow through `import *`
2021-12-10 16:34:32 +01:00
Henry Mercer
a46787ea07
Merge pull request #7351 from github/henrymercer/js-atm-heuristic-sinks-improvements
...
JS: Improve handling of heuristic sinks in endpoint filters
2021-12-10 14:56:45 +00:00
Rasmus Wriedt Larsen
bd9b96e154
Merge pull request #7331 from tausbn/python-fix-bad-callsite-points-to-join
...
Python: Fix bad `callsite_points_to` join
2021-12-10 15:39:49 +01:00
Rasmus Wriedt Larsen
8ee020f79c
Merge pull request #7332 from tausbn/python-fix-bad-scope-entry-points-to-join
...
Python: Fix bad `scope_entry_points_to` join
2021-12-10 15:33:13 +01:00
Henry Mercer
6e167040f5
Merge pull request #7307 from adityasharad/atm/perf-debugging
...
JS/ATM: Various compilation fixes and performance improvements
2021-12-10 11:00:27 +00:00
Tom Hvitved
657cd89286
Merge pull request #7347 from hvitved/cfg/more-consistency-tests
...
Shared CFG: Add two more consistency queries
2021-12-10 10:50:39 +01:00
Michael Nebel
afa58f5676
C#: Ensure bi-directional importing of external flow for System.Text.
2021-12-10 10:28:35 +01:00
Arthur Baars
13f7fd88f1
Merge pull request #7283 from aibaars/ruby-pattern-matching-cfg
...
Ruby: pattern matching: CFG
2021-12-10 10:24:38 +01:00
Anders Schack-Mulligen
634ed91904
Merge pull request #7346 from github/workflow/coverage/update
...
Update CSV framework coverage reports
2021-12-10 10:12:23 +01:00
Tom Hvitved
cf42427f54
Merge pull request #7321 from hvitved/csharp/cil/unique-type
...
C#: Avoid CIL instructions with multiple types
2021-12-10 09:58:06 +01:00
Tom Hvitved
f7f3890b40
Merge pull request #7320 from hvitved/csharp/unknown-type
...
C#: Populate `UnknownType`
2021-12-10 09:57:55 +01:00
Tom Hvitved
70f76d06c7
Shared CFG: Add two more consistency queries
2021-12-10 09:56:50 +01:00
Tom Hvitved
45c0d4a3b2
Merge pull request #7343 from hvitved/cfg/consistency-test
...
Shared CFG: Add another consistency test
2021-12-10 09:49:05 +01:00
github-actions[bot]
7e5bfa5aa0
Add changed framework coverage reports
2021-12-10 00:09:34 +00:00
Aditya Sharad
271b23ba8f
JS: Expand explanatory comment about version placeholders
2021-12-09 13:43:08 -08:00
Aditya Sharad
0c3daabc51
JS: Fix broken regex matching predicate
...
The receiver string and the regex were in the wrong order,
leading to test failures when looking for matching comments.
2021-12-09 13:42:33 -08:00
Chris Smowton
753d886b0d
Merge pull request #6319 from haby0/java/MyBatisSqlInjection
...
[Java] CWE-089 MyBatis Mapper Sql Injection
2021-12-09 19:57:18 +00:00
Taus
6d247bfdf9
Merge pull request #7330 from tausbn/python-fix-bad-adjacentuseuse-join
...
Python: Fix bad join in SSA
2021-12-09 20:55:45 +01:00
Erik Krogh Kristensen
e7209d1ee1
Merge pull request #7216 from erik-krogh/ts45
...
JS: Add support for TypeScript 4.5
2021-12-09 20:33:52 +01:00
Chris Smowton
75f3ebf051
Fix OTHER XML tag
2021-12-09 17:55:03 +00:00
Chris Smowton
9f69c75c50
Fix XML tag
2021-12-09 17:44:49 +00:00
Chris Smowton
2cd70b96cd
Fix doctype
2021-12-09 17:44:08 +00:00
Michael Nebel
d60b90acd3
C#: Manual update of System.String and System.Convert flow summaries.
2021-12-09 16:34:42 +01:00
Michael Nebel
e879ca7a3b
C#: Convert System.Convert flow to CSV format.
2021-12-09 16:34:42 +01:00
Michael Nebel
15b4b218c8
C#: Convert System.Nullable<> flow to CSV format.
2021-12-09 16:34:42 +01:00
Michael Nebel
bbab0e582a
C#: Convert System.Lazy<> flow to CSV format.
2021-12-09 16:34:42 +01:00
Michael Nebel
9e61dfb41f
C#: Convert System.Text.StringBuilder flow to CSV format.
2021-12-09 16:34:41 +01:00
Michael Nebel
5a26346ba5
C#: Allow the use of pointer types in CSV validation.
2021-12-09 16:34:41 +01:00