hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-24 12:46:34 +01:00
Code Issues Packages Projects Releases Wiki Activity
41,654 Commits 1,673 Branches 157 Tags
dd465e739bbb4e39c0f2bc51bc43f33f625f2ea9
Commit Graph

1260 Commits

Author SHA1 Message Date
Rasmus Wriedt Larsen
f89b32183f Merge branch 'main' into typetracker-decorators 2022-08-08 11:52:09 +02:00
yoff
6087bc6888 Merge branch 'main' into python/more-logic-tests 2022-06-28 22:16:38 +02:00
Asger F
a522562f93 Merge pull request #9369 from asgerf/python/api-graph-api 
Python: API graph renaming and documentation
 2022-06-28 14:48:12 +02:00
Rasmus Lerchedahl Petersen
a1fe8a5b2b python: handle not in BarrierGuard 
in the program
```python
if not is_safe(path):
  return
```
the last node in the `ConditionBlock` is `not is_safe(path)`,
so it would never match "a call to is_safe".
Thus, guards inside `not` would not be part of `GuardNode`
(nor `BarrierGuard`). Now they can.
 2022-06-27 20:10:47 +00:00
Rasmus Lerchedahl Petersen
882000afb3 python: not is confusing our logic 
- added `is_unsafe`
- added "negated version" of two tests.
These versions do not use `not` and the analysis gets the taint right.
 2022-06-27 20:10:47 +00:00
Rasmus Wriedt Larsen
3248f7b423 Merge pull request #9649 from RasmusWL/certificate-modeling 
Python/JS/Ruby: Ignore common words (like certain) as sensitive data source
 2022-06-23 12:04:58 +02:00
Rasmus Wriedt Larsen
4be375521f Python: Handle _ in sensitive-data-sources 2022-06-22 11:05:14 +02:00
Rasmus Wriedt Larsen
4a844312f4 Python: _ in var name not handled by sensitive-data-sources 2022-06-22 11:05:14 +02:00
Rasmus Wriedt Larsen
5dc2bb717a Python: ignore common words (certain/concert) as sensitive source 2022-06-22 11:05:05 +02:00
Anders Schack-Mulligen
df6d68b215 Merge pull request #9618 from aschackmull/dataflow/deprecate-barrierguard-class 
Dataflow: Deprecate BarrierGuard class
 2022-06-22 10:44:08 +02:00
Rasmus Wriedt Larsen
abdcfd55c3 Python: uncertainty is treated as a certificate :O 2022-06-22 10:16:28 +02:00
Asger F
181a53bd03 Python: Rename getAnImmediateUse -> asSource 2022-06-21 12:44:06 +02:00
Asger F
60fde3c031 Python: Rename getARhs -> asSink 2022-06-21 12:44:06 +02:00
Anders Schack-Mulligen
a7c268f804 Python: adjust test. 2022-06-20 15:46:38 +02:00
Anders Schack-Mulligen
f473a0a961 Python: Deprecate and replace BarrierGuard class. 2022-06-20 15:46:38 +02:00
Rasmus Wriedt Larsen
ae44a941f9 Merge pull request #9421 from RasmusWL/inline-brackets 
Inline Expectation Tests: Allow `tag[foo bar]`
 2022-06-20 10:01:19 +02:00
Rasmus Wriedt Larsen
b2c8e0fe8d Python: Add comment to test 2022-06-15 15:59:54 +02:00
Rasmus Wriedt Larsen
24c9aff2fc Python: Fix a type-tracking test 2022-06-15 15:58:17 +02:00
yoff
699761889d Merge pull request #7127 from jty-team/jty/python/emailInjection 
Python: CWE-079 - Add Email injection query
 2022-06-14 10:54:16 +02:00
Alex Ford
8d195e3188 Merge pull request #9157 from alexrford/crypto-op-block-mode 
Ruby/Python: Add a `BlockMode` concept for `CryptographicOperations`
 2022-06-13 21:32:36 +02:00
Rasmus Wriedt Larsen
c1e6996e99 Inline Expectation Tests: Allow tag[foo bar] 
This is partly motivated by the MaD tests which looks much better now in
my opinion.

I also wanted this for testing argument passing. In Python we're
adopting the same argument positions as Ruby has
[here](4f3751dfea/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowDispatch.qll (L508-L540))

So it would be nice if `arg[keyword foo]=...` was allowed, without
having to transform the `toString()` result of an argument position into
something without a space.
 2022-06-03 11:39:57 +02:00
Anders Schack-Mulligen
4f3751dfea Merge pull request #9316 from hvitved/dataflow/edges-get-a-successor-consistency 
Data flow: Make `PathGraph::edges/2` and `PathNode::getASuccessor/1` consistent
 2022-06-01 10:38:25 +02:00
yoff
cd46f31cba Merge branch 'main' into py/CsvInjection 2022-05-30 13:41:31 +02:00
Rasmus Wriedt Larsen
7a6646dcaf Merge pull request #8883 from erik-krogh/pyMaD 
Python: add MaD implementation
 2022-05-30 13:31:07 +02:00
jorgectf
e577a0e836 Update .expected tests 2022-05-27 00:13:40 +02:00
${sleep,7}
76c27c685f Merge branch 'main' into jty/python/emailInjection 2022-05-26 16:27:57 -04:00
Tom Hvitved
4f95abc4f6 Python: Update expected test output 2022-05-25 14:39:37 +02:00
yoff
aadfa8eacd Merge branch 'main' into py/CsvInjection 2022-05-25 10:43:08 +02:00
Rasmus Wriedt Larsen
6611e5b4b8 Merge branch 'main' into promote-pam 2022-05-18 10:35:39 +02:00
Erik Krogh Kristensen
7245591468 Merge pull request #7763 from erik-krogh/unused-field 
QL: add unused-field query
 2022-05-18 09:15:16 +02:00
Erik Krogh Kristensen
5d1c41c269 Merge branch 'main' into pyMaD 2022-05-17 12:23:03 +02:00
Alex Ford
da135448a2 python: update tests for CryptographicOperation#getBlockMode 2022-05-13 16:32:36 +01:00
Nick Rolfe
2efa38aaa6 Python: fix typos in comments 2022-05-12 16:02:20 +01:00
Erik Krogh Kristensen
31e9876de7 Merge branch 'main' into pyMaD 2022-05-12 14:43:16 +02:00
Rasmus Wriedt Larsen
795adf0566 Python: Fix API::moduleImport("foo.bar") 2022-05-12 13:33:00 +02:00
Rasmus Wriedt Larsen
cff950f5f7 Python: Fix select of py/insecure-cookie 2022-05-11 14:06:30 +02:00
Rasmus Wriedt Larsen
0956d506de Python: Actually promote py/pam-auth-bypass 
🤦
 2022-05-11 13:44:47 +02:00
Rasmus Wriedt Larsen
fc8633cc01 Python: Fix select for py/cookie-injection 2022-05-11 13:18:14 +02:00
Rasmus Wriedt Larsen
d127d2164a Merge branch 'main' into jorgectf/python/insecure-cookie 2022-05-11 11:13:47 +02:00
Rasmus Wriedt Larsen
7e87e18b32 Python: Adjust name/description/select of PamAuthorization.ql 
Thought that calling out the actual vulnerability would make things
easier for our end users :)
 2022-05-10 18:02:17 +02:00
Rasmus Wriedt Larsen
2b6e0cfb44 Merge pull request #8340 from yoff/python/simple-csrf 
python: minimal CSRF implementation
 2022-05-10 13:36:38 +02:00
Rasmus Wriedt Larsen
cb17e2a649 Merge pull request #8595 from porcupineyhairs/pypam 
Python : Add query to detect PAM authorization bypass
 2022-05-10 13:35:12 +02:00
Rasmus Lerchedahl Petersen
aa3d7babf4 python: fix bad merge 
caused by an optimistic attempt at solving a
merge conflict in the online GUI.
 2022-05-10 11:37:41 +02:00
Rasmus Wriedt Larsen
2421076d2f Merge pull request #8696 from RasmusWL/new-nosql-examples 
Python: Improve experimental modeling for `pymongo`
 2022-05-10 11:03:05 +02:00
yoff
6c3e2db7fd Merge branch 'main' into python/simple-csrf 2022-05-10 10:55:28 +02:00
yoff
b6605bc330 Merge pull request #8634 from RasmusWL/promote-xxe 
Python: Promote XXE and XML-bomb queries
 2022-05-09 21:54:55 +02:00
Rasmus Wriedt Larsen
c218162104 Merge branch 'main' into pypam 2022-05-09 14:20:05 +02:00
Erik Krogh Kristensen
fc1ab06c1c autoformat 2022-05-09 12:39:38 +02:00
Rasmus Wriedt Larsen
de05b108fa Python: Fix singleton set 2022-05-09 11:01:13 +02:00
Rasmus Wriedt Larsen
dfe99b0b51 Python: Apply suggestions from code review 
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
 2022-05-05 14:14:44 +02:00