hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-20 10:46:30 +01:00
Code Issues Packages Projects Releases Wiki Activity
58,977 Commits 1,672 Branches 157 Tags
db95eade64e92b87fffb46d870fdb31c42f801f9
Commit Graph

7719 Commits

Author SHA1 Message Date
Rasmus Lerchedahl Petersen
db95eade64 Python: accept improved test output 2023-09-26 20:58:51 +02:00
Rasmus Lerchedahl Petersen
35f28c832a Python: small refactor (reviewer suggestion) 2023-09-26 20:55:35 +02:00
Rasmus Lerchedahl Petersen
f5059a6918 Python: fix computation at part boundaries 2023-09-26 20:51:15 +02:00
Rasmus Lerchedahl Petersen
cdf1db09bd Python: add test for part boundaries 2023-09-26 20:50:08 +02:00
Rasmus Lerchedahl Petersen
73aa302bd2 Python: only expose lengths of quote and prefix 2023-09-26 20:45:24 +02:00
Rasmus Lerchedahl Petersen
d25b93d944 Python: fix ql alerts 2023-09-26 20:33:24 +02:00
Rasmus Lerchedahl Petersen
d10b181d89 Python: add change note 2023-09-26 12:13:07 +02:00
Rasmus Lerchedahl Petersen
c1ebde4288 Python: improve location computation 2023-09-26 12:08:50 +02:00
Rasmus Lerchedahl Petersen
aa64390af7 Python: add more tests 2023-09-26 10:54:45 +02:00
yoff
c9976cf724 Merge pull request #14307 from yoff/python/inline-regex-location-tests 
Python: switch regex location tests to inline expectations
 2023-09-25 13:37:48 +02:00
Rasmus Lerchedahl Petersen
417907b36d Python: switch to inline expectations 2023-09-25 11:44:56 +02:00
Anders Schack-Mulligen
06cb277eb0 Merge pull request #14299 from aschackmull/dataflow/more-defaults 
Dataflow: Make use of defaults for language-specific hooks.
 2023-09-25 11:19:44 +02:00
Anders Schack-Mulligen
66da997b7b Dataflow: Make use of defaults for language-specific hooks. 2023-09-22 14:54:22 +02:00
Max Schaefer
dfec1620ea Update expected test output. 2023-09-22 11:28:50 +01:00
Max Schaefer
6f67055852 Correctly account for length of string literal prefix when computing locations for RegExpTerms. 2023-09-22 11:24:25 +01:00
Max Schaefer
d4ff9c8ed1 Add test for locations of regexp terms. 2023-09-22 11:24:24 +01:00
Anders Schack-Mulligen
13f7daf71e Merge pull request #13982 from aschackmull/dataflow/typeflow-calledge-pruning 
Dataflow: Add type-based call-edge pruning.
 2023-09-21 13:33:08 +02:00
yoff
811a7d0671 Merge pull request #14248 from RasmusWL/debug-queries 
Python: Add debug queries
 2023-09-19 11:27:27 +02:00
Rasmus Wriedt Larsen
fd8d186b34 Python: Add debug queries 
For manually debugging things, it's nice to be able to share debug
queries.

I had the DebugStats.ql lying around from way back, and thought it was
kinda cute. I've extended it with a bunch of things, not too sure if
they're all important, but I think it's kinda fun to see the
distribution of things 😊
 2023-09-18 20:46:52 +02:00
Rasmus Wriedt Larsen
ad1743ecde Python: Modernize modeling of BaseHTTPRequestHandler 2023-09-18 14:13:27 +02:00
Anders Schack-Mulligen
f5a4b792bd C++/Go/Python/Ruby/Swift: Add dummy localMustFlowStep. 2023-09-13 15:43:46 +02:00
yoff
62b41799d2 Merge pull request #14178 from yoff/python/broaden-sql-injection-frameworks 
Python: import all frameworks in SQL-injection query
 2023-09-13 14:14:09 +02:00
yoff
7d931492d8 Update python/ql/lib/semmle/python/security/dataflow/SqlInjectionCustomizations.qll 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2023-09-13 13:37:18 +02:00
Erik Krogh Kristensen
cd5973764b Merge pull request #14112 from erik-krogh/pyAllowedHosts 
Py: add sanitizer guard for `url_has_allowed_host_and_scheme`
 2023-09-13 12:59:38 +02:00
Rasmus Wriedt Larsen
7292730391 Python: Add change-note 2023-09-13 11:55:48 +02:00
Rasmus Wriedt Larsen
f62c4108ef Python: Move url_has_allowed_host_and_scheme to Django.qll 2023-09-13 11:55:44 +02:00
Tom Hvitved
d3558f8579 Python: Update expected test output 2023-09-12 21:18:31 +02:00
Rasmus Wriedt Larsen
1de7460aba Python: Don't warn on multipleArgumentCall 2023-09-12 21:16:14 +02:00
Rasmus Lerchedahl Petersen
93140cb061 Python: import all frameworks 
Are there any frameworks we do _not_ want here?
 2023-09-11 11:17:08 +02:00
erik-krogh
bf3fe3cd66 add new qhelp for clear-text-logging 2023-09-07 12:39:13 +02:00
Rasmus Wriedt Larsen
ec0529d68c Merge pull request #14145 from p-/p--asyncio-cmdi-exec 
Python: Support for command injection sinks found in the `asyncio` module
 2023-09-07 11:27:50 +02:00
Rasmus Wriedt Larsen
bfb4be26c2 Python: Autoformat 2023-09-07 10:31:39 +02:00
Rasmus Wriedt Larsen
54c456d95d Python: Apply suggestions from code review 2023-09-07 10:28:46 +02:00
Rasmus Wriedt Larsen
c85ea9a0c0 Python: Fix typo in SSRF example 2023-09-07 09:45:02 +02:00
Peter Stöckli
7aa5d2dc8a Python: move asyncio CMDi related tests to stdlib tests 2023-09-06 16:54:18 +02:00
Peter Stöckli
ede7d8fb6a Python: apply suggestions from code review for asyncio 2023-09-06 15:47:07 +02:00
Peter Stöckli
9027eac312 Python: add change notes for asyncio CMDi sinks 2023-09-05 16:14:56 +02:00
Peter Stöckli
8c4dccc81b Python: initial support for CMDi via asyncio 2023-09-05 15:33:29 +02:00
Rasmus Wriedt Larsen
49f5d38956 Merge pull request #14068 from RasmusWL/dataflow-config-refactor 
Python: Use new dataflow API
 2023-09-04 21:04:10 +02:00
yoff
da64ea40b9 Merge pull request #13782 from jorgectf/jorgectf/shlex-quote 
Python: Add `shlex.quote` as `py/shell-command-constructed-from-input` sanitizer
 2023-08-31 21:08:58 +02:00
erik-krogh
8dad4950a9 add sanitizer guard for url_has_allowed_host_and_scheme 2023-08-31 13:48:42 +02:00
erik-krogh
d4bc6e434a add test with false positive 2023-08-31 13:40:47 +02:00
Tom Hvitved
253f932d2a Python: Use data flow consistency checks from shared pack 2023-08-30 15:29:41 +02:00
Rasmus Wriedt Larsen
62c2316124 Merge pull request #14084 from RasmusWL/flask-jsonify 
Python: Remove XSS FP from use of `flask.jsonify`
 2023-08-30 13:07:54 +02:00
yoff
ae4c76c788 Merge pull request #13975 from yoff/python/parsemodechars-not-chars 2023-08-29 14:05:57 +02:00
Rasmus Wriedt Larsen
49d510018d Python: Add change-note 2023-08-29 11:11:32 +02:00
Rasmus Wriedt Larsen
0b2458d065 Python: Improve modeling of Flask jsonify 
I also tested whether `Flask.jsonify` or `Flask().jsonify` worked, but
they do not.
 2023-08-29 11:11:32 +02:00
Rasmus Wriedt Larsen
26319bfc04 Python: Fix Flask jsonify XSS regression 
The reason the result was found before, is that `jsonify(data)` was
modeled as TWO separate subclasses of `Http::Server::HttpResponse`, one
because of the implicit construction in return
(FlaskRouteHandlerReturn), and one from the `jsonify` call
(FlaskJsonifyCall). Due to the QL evaluation, we got a combination from
the two, meaning mime-type from FlaskRouteHandlerReturn and body from
FlaskJsonifyCall...
 2023-08-29 11:11:32 +02:00
Rasmus Wriedt Larsen
b36fd9fdab Python: Add jsonify XSS regression example 2023-08-29 10:38:49 +02:00
Dave Bartolomeo
3343b78015 Merge pull request #14074 from github/post-release-prep/codeql-cli-2.14.3 
Post-release preparation for codeql-cli-2.14.3
 2023-08-28 13:34:10 -04:00