codeql

mirror of https://github.com/github/codeql.git synced 2026-03-10 01:26:47 +01:00

Author	SHA1	Message	Date
Joe Farebrother	cf8db4e425	Update instances of experimental concept to the main one, and anotate missing experimental test results.	2024-04-24 14:05:39 +01:00
Joe Farebrother	daa31b5bb7	Add documentation	2024-04-24 14:05:38 +01:00
Joe Farebrother	8636a50190	Fix qldoc + remove deprecation from experimental concepts (as they are still used in another experimental query)	2024-04-24 14:05:38 +01:00
Joe Farebrother	a88ad62c00	Implemented sinks for bulk header updates, and added corresponding tests.	2024-04-24 14:05:38 +01:00
Joe Farebrother	68d90918cf	Add to header write concept a specification of whether the name or value arg allows newlines. Ported sink defenitions from Flask and Werzeug from experimental to main. Removed experimental sink definitions for Django, as neither name nor value are vulnerable.	2024-04-24 14:05:37 +01:00
Joe Farebrother	6021d9238c	Move headers injection query and concept from experimental to main	2024-04-24 14:05:37 +01:00
Taus	b484aee39e	Python: Autoformat everything Of course, `StringLiteral` being much longer than `StrConst` meant a bunch of files changed formatting.	2024-04-22 12:00:09 +00:00
Taus	1c68c987b0	Python: Change all remaining occurrences of `StrConst` Done using ``` git grep StrConst \| xargs sed -i 's/StrConst/StringLiteral/g' ```	2024-04-22 12:00:09 +00:00
Sim4n6	26a16b7857	use of a single var "op" of type Cmpop	2024-03-15 14:17:23 +01:00
Sim4n6	a717bf1b9d	Fix p tag in UnicodeDoS.qhelp	2024-03-15 14:17:23 +01:00
Sim4n6	af19a0342e	Fix UnicodeDoS vulnerability in CWE-770 code	2024-03-15 14:17:23 +01:00
Sim4n6	085d803b14	Fix UnicodeDoS vulnerability in CWE-770	2024-03-15 14:17:23 +01:00
Sim4n6	31dc542111	Update request parameter name in good_1() function	2024-03-15 14:17:23 +01:00
Sim4n6	70ebc58b4c	Refactor Unicode normalization code	2024-03-15 14:17:23 +01:00
Sim4n6${{7*'7'}}	658b88e62f	Update python/ql/src/experimental/Security/CWE-770/UnicodeDoS.ql update the Config API Co-authored-by: yoff <lerchedahl@gmail.com>	2024-03-15 14:17:23 +01:00
Sim4n6	1f767b887e	Add some comments and docs	2024-03-15 14:17:23 +01:00
Sim4n6	5cc9170249	Add UnicodeDoS sink for werkzeug secure_filename	2024-03-15 14:17:23 +01:00
Sim4n6	342465057c	Add Unicode DoS (CWE-770)	2024-03-15 14:17:23 +01:00
amammad	09d8a75844	Fix QLDoc issues	2024-02-14 23:31:22 +04:00
Rasmus Wriedt Larsen	eb401a205d	Python: Fix test exclusion for stdlib Python 3.12	2024-02-14 16:53:19 +01:00
Rasmus Wriedt Larsen	e5bd633028	Python: Change name/id to `Decompression Bomb` The old title/id matches how we used to write queries, but I think just using the normal conversational name is easier for everyone :)	2024-02-14 14:54:25 +01:00
Rasmus Wriedt Larsen	69c8ef9898	Python: Use dataflow instead of taint-tracking	2024-02-14 14:52:37 +01:00
Rasmus Wriedt Larsen	ba7dd38fc9	Python: Delete duplicated file	2024-02-14 14:48:37 +01:00
Rasmus Wriedt Larsen	9ae3ea81ff	Python: Remove spurious results in stdlib	2024-02-14 14:47:28 +01:00
Rasmus Wriedt Larsen	d8fd457310	Python: Use helper predicate Since the helper predicate had nice qldocs	2024-02-14 14:47:28 +01:00
Rasmus Wriedt Larsen	e7772f1062	Python: Use `Unit` class	2024-02-14 14:47:28 +01:00
Rasmus Wriedt Larsen	9399258e3b	Merge branch 'main' into amammad-python-bombs	2024-02-14 13:37:59 +01:00
erik-krogh	8be7eadace	delete outdated deprecations	2024-01-22 09:11:35 +01:00
Anders Schack-Mulligen	8ef4821f63	Python: Remove references to FlowStateString.	2023-12-14 15:05:33 +01:00
amammad	5795c72a99	added inline tests	2023-12-07 14:04:33 +01:00
amammad	6ebdae3bab	Merge branch 'main' into amammad-python-bombs	2023-12-07 13:50:20 +01:00
amammad	2d0067d618	fix some qldocs, change Sink extenstion model, deduct some not necessarily checks :)	2023-12-07 13:45:28 +01:00
Chris Campbell	114b694553	Remove @precision values, correct missing tags	2023-11-16 15:50:41 +00:00
amammad	4283bb7d48	clean up unused vars,fix tests	2023-10-09 23:15:58 +02:00
amammad	9d86e7946c	move library file to experimental lib directory	2023-10-09 23:10:30 +02:00
amammad	1318afdb27	modularize	2023-10-09 23:07:52 +02:00
amammad	3175db226e	upgrade fastAPI remote sources	2023-10-09 20:51:19 +02:00
erik-krogh	4bc4e0845d	delete the deprecated `isBarrierGuard` predicate from the shared dataflow library, and its uses	2023-10-07 21:48:49 +02:00
Josh Brown	ad86e576a4	autoformat	2023-10-03 13:40:17 -07:00
Josh Brown	b683a3caf8	Merge branch 'main' into jb1/16-cryptography-models-libraries-and-queries-migration	2023-10-04 07:24:29 +11:00
Benjamin Rodes	25203db4e7	Removing 'security' tags from all queries.	2023-09-27 12:43:51 -04:00
Josh Brown	7ad2932b3f	Update SymmetricEncryptionAlgorithms.ql Changing metadata to under python namespace	2023-09-21 12:12:16 -07:00
Benjamin Rodes	5fed923af0	Changed python inventory subdirectory structure to add old and new inventory models. Added some example old models.	2023-09-21 12:12:15 -07:00
Benjamin Rodes	50db4fd63e	Moved Cpp into sub directory 'cryptography' instead of crypto. Added python models, inventory, and example alerts.	2023-09-21 12:12:15 -07:00
amammad	6ee5865789	add sources to detect CVE completely	2023-09-07 18:27:40 +10:00
Rasmus Lerchedahl Petersen	55707d395e	Python: Make things compile in their new location - Move NoSQL concepts to the non-experimental concepts file - fix references	2023-09-07 09:28:30 +02:00
Rasmus Lerchedahl Petersen	60dc1afbc0	Python: prepare to promote NoSqlInjection Mostly move files, preserving authourship. This will not compile.	2023-09-07 09:28:29 +02:00
amammad	bcfc28aae0	add sources to detect CVE completely	2023-09-07 02:02:32 +10:00
Rasmus Wriedt Larsen	e8e8d975e3	Python: Remove all usage of DataFlow2+TaintTracking2 (and any higher number as well)	2023-08-28 15:34:19 +02:00
Rasmus Wriedt Larsen	c665c21d83	Python: More style-guide renaming Split it into multiple commits to make it easier to review.	2023-08-28 15:31:08 +02:00

1 2 3 4 5 ...

1444 Commits