Taus
d622dabf3e
Python: Add create-extractor-pack.sh for Python
...
This allows us to build and test the extractor (for actual QL extraction
-- not just the extractor unit tests) entirely from within the
`github/codeql` repo, just as we do with Ruby. All that's needed is a
`--search-path` argument that points to the repo root.
2026-04-09 13:06:45 +00:00
Taus
16683aee0e
Merge pull request #21590 from github/tausbn/python-improve-bind-all-interfaces-query
...
Python: Improve "bind all interfaces" query
2026-04-07 17:59:48 +02:00
Taus
4cb238f1af
Merge pull request #21598 from github/tausbn/python-port-should-use-with
...
Python: Port ShouldUseWithStatement.ql
2026-04-07 14:16:41 +02:00
Óscar San José
59eec7ffa2
Merge branch 'main' of https://github.com/github/codeql into post-release-prep/codeql-cli-2.25.1
2026-03-30 10:51:12 +02:00
github-actions[bot]
ce6e6d5db3
Post-release preparation for codeql-cli-2.25.1
2026-03-30 08:43:48 +00:00
Taus
a0b3c2f13a
Python: Update change note
...
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2026-03-27 23:46:50 +01:00
Taus
187f7c7bcf
Python: Move isNetworkBind check into isSink
2026-03-27 22:45:26 +00:00
Taus
4f74d421b9
Python: Exclude AF_UNIX sockets from BindToAllInterfaces
...
Looking at the results of the previous DCA run, there was a bunch of
false positives where `bind` was being used with an `AF_UNIX` socket (a
filesystem path encoded as a string), not a `(host, port)` tuple. These
results should be excluded from the query, as they are not vulnerable.
Ideally, we would just add `.TupleElement[0]` to the MaD sink, except we
don't actually support this in Python MaD...
So, instead I opted for a more low-tech solution: check that the
argument in question flows from a tuple in the local scope.
This eliminates a bunch of false positives on `python/cpython` leaving
behind four true positive results.
2026-03-27 16:55:10 +00:00
Taus
47d24632e6
Python: Port ShouldUseWithStatement.ql
...
Only trivial test changes.
2026-03-27 12:34:20 +00:00
yoff
08e115056d
Merge pull request #21519 from github/tausbn/python-port-no-alert-change
2026-03-27 08:44:28 +01:00
Taus
c9832c330a
Python: Convert BindToAllInterfaces to path-problem
...
Now that we're using global data-flow, we might as well make use of the
fact that we know where the source is.
2026-03-26 21:10:43 +00:00
Taus
c0ce6699a5
Python: Add change note
2026-03-26 15:35:33 +00:00
Taus
c439fc5d45
Python: Replace type tracking with global data-flow
...
This takes care of most of the false negatives from the preceding
commit.
Additionally, we add models for some known wrappers of `socket.socket`
from the `gevent` and `eventlet` packages.
2026-03-26 15:35:33 +00:00
Taus
1ecd9e83b8
Python: Add test cases for BindToAllInterfaces FNs
...
Adds test cases from github/codeql#21582 demonstrating false negatives:
- Address stored in class attribute (`self.bind_addr`)
- `os.environ.get` with insecure default value
- `gevent.socket` (alternative socket module)
2026-03-26 14:57:24 +00:00
Taus
824d004a27
Python: Convert BindToAllInterfaces test to inline expectations
2026-03-26 14:56:57 +00:00
github-actions[bot]
fb011842c9
Release preparation for version 2.25.1
2026-03-25 23:43:06 +00:00
github-actions[bot]
8cf0954796
Release preparation for version 2.25.1
2026-03-25 08:28:30 +00:00
Taus
059693ce89
Python: Restrict ShouldBeContextManager.ql results
...
By limiting the results to the class that actually defines the `__del__`
method, we eliminate a bunch of FPs where a _subclass_ of such a class
would also get flagged.
2026-03-24 13:04:44 +00:00
Taus
ac48eca916
Python: Use cls.getMethod instead of getName
2026-03-23 15:26:00 +00:00
Taus
93e35661e6
Python: Make isNewType more precise
...
For module-level metaclass declarations, we now also check that the
right hand side in a `__metaclass__ = type` assignment is in fact the
built-in `type`.
2026-03-23 15:22:24 +00:00
Taus
a276f721f7
Python: Add ternary overridesMethod
...
This one also allows easy access to the method being overridden and the
class on which it resides. This lets us simplify DocStrings.ql
accordingly.
2026-03-23 15:21:27 +00:00
Taus
1ffcdc9293
Python: Select property instead of function
...
in PropertyInOldStyleClass. This matches the previous behaviour more
closely.
2026-03-23 14:55:28 +00:00
Taus
56c83e250e
Python: Make comment more precise
...
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2026-03-23 15:09:27 +01:00
Taus
5859590b5d
Python: Fix typo in comment
...
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2026-03-23 15:07:31 +01:00
Taus
434b3973eb
Python: Add change note
2026-03-20 13:30:29 +00:00
Taus
3584ad1905
Python: Port DeprecatedSliceMethod.ql
...
Only trivial test changes.
2026-03-20 13:30:29 +00:00
Taus
50b3b7ee1f
Python: Add DuckTyping::hasUnreliableMro
...
Primarily used to filter out false positives in cases where our MRO
approximation may be wrong.
2026-03-20 13:30:29 +00:00
Taus
fa8e4f7314
Python: Port DocStrings.ql
2026-03-20 13:28:45 +00:00
Taus
c04b615a07
Python: Extend DuckTyping module
...
Adds `overridesMethod` and `isPropertyAccessor`.
2026-03-20 13:28:45 +00:00
Taus
283231bdbc
Python: Port ShouldBeContextManager.ql
...
Only trivial test changes.
2026-03-20 13:28:45 +00:00
Taus
025a7d0cca
Python: Port UselessClass.ql
...
No test changes.
2026-03-20 13:28:45 +00:00
Taus
8cfdea2001
Python: Port PropertyInOldStyleClass.ql
...
Only trivial test changes.
2026-03-20 13:28:45 +00:00
Taus
e860d706c9
Python: Port SuperInOldStyleClass.ql
2026-03-20 13:28:45 +00:00
Taus
3d20050c0a
Python: Port SlotsInOldStyleClass.ql
...
Only trivial test changes.
2026-03-20 13:28:45 +00:00
Taus
b57e92164c
Python: Add declares/getAttribute API
...
These could arguably be moved to `Class` itself, but for now I'm
choosing to limit the changes to the `DuckTyping` module (until we
decide on a proper API).
2026-03-20 13:28:45 +00:00
Taus
cd92162920
Python: Add DuckTyping::isNewStyle
...
Approximates the behaviour of `Types::isNewStyle` but without depending
on points-to
2026-03-20 13:28:45 +00:00
Taus
33ed6034f6
Python: Introduce DuckTyping module
...
This module (which for convenience currently resides inside
`DataFlowDispatch`, but this may change later) contains convenience
predicates for bridging the gap between the data-flow layer and the old
points-to analysis.
2026-03-20 13:28:44 +00:00
Taus
1dcc76996d
Python: Port py/print-during-import
...
Uses a (perhaps) slightly coarser approximation of what modules are
imported, but it's probably fine.
2026-03-20 13:28:44 +00:00
Taus
f4841e1f39
Python: Use API graphs instead of points-to for simple built-ins
...
Also extends the list of known built-ins slightly, to add some that were
missing.
2026-03-20 13:28:44 +00:00
Óscar San José
2139b97628
Merge branch 'main' into post-release-prep/codeql-cli-2.25.0
2026-03-19 13:07:00 +01:00
Owen Mansel-Chan
5b17d8cf76
Merge pull request #21472 from owen-mc/adjust-severity/xss-log-injection
...
Adjust `@security-severity` metadata for XSS and log injection queries
2026-03-18 16:51:14 +00:00
github-actions[bot]
e3dbf5b022
Post-release preparation for codeql-cli-2.25.0
2026-03-16 16:03:22 +00:00
Taus
a99b3f2c3b
Merge pull request #21459 from github/tausbn/python-fix-missing-relative-imports
...
Python: Fix resolution of relative imports from namespace packages
2026-03-16 14:59:44 +01:00
Taus
92718a98d0
Python: Add test for package inside namespace package
2026-03-16 12:41:09 +00:00
Taus
e70727524a
Python: Rename prints tag to flow
...
The former was a remnant of copying the setup over from
`ql/test/experimental/import-resolution/importflow.ql`.
2026-03-16 12:37:00 +00:00
github-actions[bot]
d6055754b6
Release preparation for version 2.25.0
2026-03-16 12:15:34 +00:00
Owen Mansel-Chan
52809133f5
Add change notes
2026-03-13 11:10:43 +00:00
Owen Mansel-Chan
056aa342fe
Change @security-severity for log injection queries from 7.8 to 6.1
2026-03-13 10:02:01 +00:00
Owen Mansel-Chan
f58a6e5d3a
Change @security-severity for XSS queries from 6.1 to 7.8
2026-03-13 10:01:02 +00:00
Taus
3ee369b710
Python: Add change note
2026-03-12 13:29:24 +00:00