hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-02-12 21:21:16 +01:00
Code Issues Packages Projects Releases Wiki Activity
82,133 Commits 1,688 Branches 160 Tags
dbd31259b3e62de0ffd7bb7103b402d4616d06cd
Commit Graph

1497 Commits

Author SHA1 Message Date
Michael Nebel
dbd31259b3 Python: Fix some Ql4Ql violations. 2025-09-01 15:16:25 +02:00
Nora Dimitrijević
20030d56a5 [DIFF-INFORMED] Python: (Possible)TimingAttackAgainstHash 2025-07-17 14:40:31 +02:00
Nora Dimitrijević
b79ce6d30b Python: mass enable diff-informed data flow none() location overrides 
An auto-generated patch that enables diff-informed data flow in the obvious cases.

Builds on github#18346 and github/codeql-patch#88
 2025-06-17 15:36:52 +02:00
Owen Mansel-Chan
cf614a596d Fix cwe tags to include leading zero 2025-04-30 16:43:03 +01:00
Asger F
d3ee658399 Python: resolve remaining TODOs 2025-02-06 10:27:56 +01:00
Asger F
15c2ccb880 Python: ignore experimental for now 2025-02-06 10:27:43 +01:00
Asger F
e4a1847dad Python: mass enable diff-informed data flow 2025-02-06 10:27:19 +01:00
Joe Farebrother
4602c5c905 Remove experimental version + qhelp fixes 2024-12-09 19:56:18 +00:00
Joe Farebrother
60d8a85a9c Promote jinja sinks 2024-12-09 19:54:57 +00:00
Joe Farebrother
8647073433 Copy template injection to standard pack + add jinja sinks 2024-12-09 19:47:06 +00:00
Taus
92bca9c268 Python: Update CORS query tags and change note 
Makes it more clear that the query is experimental.
 2024-10-08 15:44:29 +00:00
Rasmus Wriedt Larsen
431a1af628 Merge branch 'main' into threat-models 2024-09-26 11:44:24 +02:00
Taus
8c015b0784 Merge pull request #17305 from Kwstubbs/CORSMiddleware-Starlette 
Python: Add Support for CORS Middlewares
 2024-09-24 15:51:49 +02:00
Rasmus Wriedt Larsen
4a21a85e73 Merge branch 'main' into threat-models 2024-09-23 11:19:58 +02:00
Joe Farebrother
3001a570b2 Replace uses of StringConstCompare 2024-09-20 14:47:22 +01:00
Kevin Stubbings
c30332818f Reorder and rename 2024-09-13 00:41:55 -07:00
Kevin Stubbings
831d522025 First round feedback 2024-09-12 20:49:10 -07:00
Rasmus Wriedt Larsen
528f08fb83 Python: Make queries use ActiveThreatModelSource 2024-09-10 14:32:35 +02:00
Joe Farebrother
959715ac8e Merge pull request #16814 from porcupineyhairs/pyCors 
WIP: Python: CORS Bypass
 2024-09-05 02:43:02 +01:00
erik-krogh
0fdd06fff5 use my script to delete outdated deprecations 2024-09-03 20:30:58 +02:00
Porcupiney Hairs
f86570f6e7 WIP: Python: CORS Bypass 
This PR adds a query to detect a Cross Origin Resource Sharing(CORS) policy bypass due to an incorrect check.

This PR attempts to detect the vulnerability pattern found in CVE-2022-3457

```python
if request.method in ['POST', 'PUT', 'PATCH', 'DELETE']:
    origin = request.headers.get('Origin', None)
    if origin and not origin.startswith(request.base):
        raise cherrypy.HTTPError(403, 'Unexpected Origin header')
```

In this case, a value obtained from a header is compared using `startswith` call. This comparision is easily bypassed resulting in a CORS bypass. Given that similar bugs have been found in other languages as well, I think this PR would be a great addition to the exisitng python query pack.

The databases for CVE-2022-3457 can be downloaded from
```
https://filetransfer.io/data-package/i4Mfepls#link
https://file.io/V67T4SSgmExF
```
 2024-09-03 03:11:35 +05:30
Kevin Stubbings
c60f459530 Grammar 2024-08-26 23:57:19 -07:00
Kevin Stubbings
1db7865d49 Corrections 2024-08-26 22:06:12 -07:00
Kevin Stubbings
8bf8893307 Add support for vulnerable CORS middlewares 2024-08-26 21:30:48 -07:00
Joe Farebrother
1127b08635 Merge branch 'main' into python-cookie-concept-promote 2024-07-29 10:26:03 +01:00
Joe Farebrother
ebeb187fd9 Remove unneeded experimental file 2024-07-25 23:16:48 +01:00
Joe Farebrother
a73d675e6e Remove experimental query versions 2024-07-23 10:14:55 +01:00
Joe Farebrother
226e4eb8a5 Use a 3-valued newtype for hasSameSiteAttribute 2024-07-23 10:14:45 +01:00
Joe Farebrother
6a7bdaf284 Fix experimental query compilation 2024-07-23 10:14:29 +01:00
Joe Farebrother
9ad6c8c5eb Implement cookie attributes for cases in which a raw header is set 2024-07-23 10:14:16 +01:00
Joe Farebrother
2df09f6194 Change flag predicates to boolean parameters rather than boolean results 2024-07-23 10:14:08 +01:00
Joe Farebrother
6f7b2a2d20 Add cookie flags to cookie write concept, and alter experimental queries to use them 2024-07-23 10:14:00 +01:00
Joe Farebrother
070d67816d Remove experimental version 2024-07-16 16:50:10 +01:00
Rasmus Wriedt Larsen
0a32f9fed6 Python: Update query metadata 2024-07-04 14:09:37 +02:00
Rasmus Wriedt Larsen
8d1113cdaf Python: Fixup qhelp 2024-07-04 14:01:30 +02:00
Porcupiney Hairs
808af28618 Python : Arbitrary codde execution due to Js2Py 
Js2Py is a Javascript to Python translation library written in Python. It allows users to invoke JavaScript code directly from Python.
The Js2Py interpreter by default exposes the entire standard library to it's users. This can lead to security issues if a malicious input were directly.

This PR includes a CodeQL query along with a qhelp and testcases to detect cases where an untrusted input flows to an Js2Py eval call.

This query successfully detects CVE-2023-0297 in `pyload/pyload`along with it's fix.
The databases can be downloaded from the links bellow.
```
https://file.io/qrMEjSJJoTq1
https://filetransfer.io/data-package/a02eab7V#link
```
 2024-07-03 19:06:34 +05:30
am0o0
ccb923a436 fix formatting 2024-06-18 18:31:29 +02:00
am0o0
1f99559e9f Revert "update id of the query file" 
This reverts commit 1f112467ce.
 2024-06-18 17:33:07 +02:00
am0o0
8a7fdfa6fe fix conflict 2024-06-18 17:18:59 +02:00
am0o0
1f112467ce update id of the query file 2024-05-29 16:48:35 +02:00
am0o0
b9edcb7943 rename secondary to remote :), complete the previous commit changes 2024-05-29 16:47:37 +02:00
am0o0
52a809145e SecondaryCommandInjection to RemoteCommandExecution, change RemoteCommandExecution to module like SystemCommandExecution module 2024-05-29 16:18:55 +02:00
am0o0
fd9e6f48d7 fix the docs of secondary server cmd injection 2024-05-29 16:01:43 +02:00
am0o0
171486641e Ssh2.qll: fix a typo 2024-05-29 16:00:52 +02:00
am0o0
5299c4a845 fix the qhelp of secondary server cmd injectino 2024-05-29 16:00:06 +02:00
am0o0
0e80e867af fix actions reviews 2024-05-10 08:32:45 +02:00
amammad
6b9cc1a278 update Twisted document link 2024-05-06 14:36:10 +02:00
amammad
c4a38d0a2f add twisted SSH client as secondary server command injection sinks, add proper test cases 2024-05-06 14:36:10 +02:00
amammad
0a765cc94a add jsonpickle and pexpect libs in case of unsafe decoding and secondary command execution, add proper test cases 2024-05-06 14:36:10 +02:00
amammad
7e93102097 finalize Secondary server command injection queries and tests. 2024-05-06 14:36:10 +02:00