Commit Graph

360 Commits

Author SHA1 Message Date
yoff
cfbae50845 Python: convert barrier guard to MaD 2026-02-26 13:12:34 +01:00
yoff
c4f8748a42 Python: simplify barrier guard 2026-02-25 18:03:40 +01:00
Ben Rodes
ceb3b21e0f Update python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryCustomizations.qll
Co-authored-by: Taus <tausbn@github.com>
2026-02-17 10:28:43 -05:00
REDMOND\brodes
a91cf6b7cb Applying copilot PR suggestions. 2026-02-10 11:37:11 -05:00
REDMOND\brodes
42f6e6a19c Fixing inefficiently passed variable in nested existential quantification. 2026-02-06 11:20:15 -05:00
REDMOND\brodes
97ddab0724 Added support for new URIValidator in AntiSSRF library. Updated test caes to use postprocessing results. Currently results for partial ssrf still need work, it is flagging cases where the URL is fully controlled, but is sanitized. I'm not sure if this should be flagged yet. 2026-02-06 11:20:11 -05:00
Owen Mansel-Chan
0222159df5 Specify vulnerable args instead of safe ones 2026-01-30 14:10:03 +00:00
Owen Mansel-Chan
a3885cd8b2 Replace sanitizer by exclusion from sink definition 2026-01-30 09:28:02 +00:00
Owen Mansel-Chan
b4cb2c3f13 Make qldoc slightly more specific 2026-01-30 09:28:01 +00:00
Owen Mansel-Chan
ef6332c581 Allow MaD sanitizers for queries with MaD sinks 2026-01-30 09:27:59 +00:00
yoff
55abc52c61 python: format file 2026-01-22 20:51:46 +01:00
yoff
7f00a7f67e Update python/ql/lib/semmle/python/security/dataflow/UrlRedirectCustomizations.qll
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
2026-01-22 17:30:24 +01:00
yoff
3dbfb9fa4b python: add machinery for MaD barriers
and reinstate previously removed barrier
now as a MaD row
2026-01-22 17:30:24 +01:00
Anders Schack-Mulligen
78e1879c9e Use more flowTo. 2025-12-03 14:12:08 +01:00
Nora Dimitrijević
37fff48dcd Python/ServerSideRequestForgeryQuery
python/ql/src/Security/CWE-918/PartialServerSideRequestForgery.ql
2025-10-28 09:40:24 +01:00
Nora Dimitrijević
baccdcc07f Python/PolynomialReDoSQuery
python/ql/src/Security/CWE-730/PolynomialReDoS.ql
2025-10-28 09:40:21 +01:00
Jeroen Ketema
c582a9ccd6 Remove duplicate copies of SensitiveDataHeuristics 2025-07-14 11:38:52 +02:00
Asger F
4a2d795076 Shared: Make approximate location filtering the default behaviour 2025-07-02 14:41:02 +02:00
Asger F
a46b5f9529 Python: enable diff-informedness for poly redos using approximate related locations 2025-07-02 14:39:42 +02:00
Kasper Svendsen
2da8d61984 Run config/sync-files.py 2025-06-24 10:25:06 +02:00
Chuan-kai Lin
6c1e80df3a Python: disable diff-informed PolynomialReDoS.ql
This commit disabled diff-informed for PolynomialReDoS.ql because it
could miss some alerts within diff ranges.
2025-04-24 14:57:06 -07:00
Asger F
d3b9d1d89d JS: Partial SSRF does not select the sink location 2025-02-06 11:30:32 +01:00
Asger F
7d6abb4e0a JS: Disable diff-informedness for full SSRF
Partial SSRF uses its result in a way that prevents diff-informedness
2025-02-06 11:30:18 +01:00
Asger F
d3ee658399 Python: resolve remaining TODOs 2025-02-06 10:27:56 +01:00
Asger F
975ce064fc Python: implement for polynomial redos 2025-02-06 10:27:45 +01:00
Asger F
e4a1847dad Python: mass enable diff-informed data flow 2025-02-06 10:27:19 +01:00
Geoffrey White
f8659c0a4e Sync identical files. 2025-01-10 10:26:13 +00:00
Joe Farebrother
71ab82dee0 Fix qldoc, formatting, and redundant import warnings 2024-12-09 19:55:21 +00:00
Joe Farebrother
8647073433 Copy template injection to standard pack + add jinja sinks 2024-12-09 19:47:06 +00:00
Anders Schack-Mulligen
8a5fc97b06 Python: Remove deprecated configuration classes referencing deleted api. 2024-12-03 20:08:45 +01:00
yoff
7816f34d75 Merge branch 'main' into stdlib-optparse 2024-10-01 12:48:09 +02:00
Rasmus Wriedt Larsen
431a1af628 Merge branch 'main' into threat-models 2024-09-26 11:44:24 +02:00
yoff
e7f9b5bbbc Merge branch 'main' into stdlib-optparse 2024-09-24 20:24:00 +02:00
Joe Farebrother
48f9e0efe5 Adress review comments: Add missing deprecation + additional test case 2024-09-23 10:57:04 +01:00
Rasmus Wriedt Larsen
4a21a85e73 Merge branch 'main' into threat-models 2024-09-23 11:19:58 +02:00
Joe Farebrother
3001a570b2 Replace uses of StringConstCompare 2024-09-20 14:47:22 +01:00
Rasmus Wriedt Larsen
528f08fb83 Python: Make queries use ActiveThreatModelSource 2024-09-10 14:32:35 +02:00
Joe Farebrother
d1cca13563 Merge pull request #17314 from joefarebrother/python-x509-cert
Python: Exclude certificate classification fo sensitive data queries
2024-09-09 10:48:36 +01:00
erik-krogh
20dfdc9661 delete some deprecated files 2024-09-03 20:30:59 +02:00
erik-krogh
0fdd06fff5 use my script to delete outdated deprecations 2024-09-03 20:30:58 +02:00
Joe Farebrother
ec7ad84cd1 Update formatting 2024-08-30 13:51:33 +01:00
Joe Farebrother
5360192a58 Apply review suggestions - change = to in
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
2024-08-30 13:25:59 +01:00
Joe Farebrother
1cb23e7e86 Exclude certificates from being cinsidered sensitive data by cleartext-storage and cleartext-logging queries 2024-08-27 14:18:39 +01:00
Joe Farebrother
123214cb2b Promoto cookie injection query 2024-07-16 16:49:56 +01:00
Joe Farebrother
8152ec7472 Merge pull request #16696 from joefarebrother/python-cookie-write-headers
Python: Model CookieWrites from HeaderWrites
2024-07-11 14:25:54 +01:00
Rasmus Lerchedahl Petersen
a3076f4f72 Python: fix test expectations, add missing sanitizer 2024-06-26 13:27:32 +02:00
Joe Farebrother
b71ba7c30f Move Header Write derrived concepts to Concepts 2024-06-24 17:26:51 +01:00
Rasmus Lerchedahl Petersen
f0e68887d4 Python: autoformat 2024-06-20 10:59:39 +02:00
Rasmus Lerchedahl Petersen
5cb37f5c4c python: Document MaD format
- add a few tests reflecting the documentation
- make the mentioned sink-kinds have an effect on relevant queries
2024-06-19 17:00:15 +02:00
Joe Farebrother
93f10fcf14 Add sanitizers for compiled regexes 2024-06-11 15:44:16 +01:00