hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-24 12:46:34 +01:00
Code Issues Packages Projects Releases Wiki Activity
18,130 Commits 1,673 Branches 157 Tags
e03c19b7fc6719745c36ad90fdb5d73c62d5b0ea
Commit Graph

2479 Commits

Author SHA1 Message Date
Rasmus Wriedt Larsen
aa4345ac76 Merge pull request #4710 from yoff/python-dataflow-variable-capture 
Python: Dataflow, variable capture
 2020-11-24 15:04:38 +01:00
yoff
215986bce5 Apply suggestions from code review 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2020-11-24 14:12:23 +01:00
Rasmus Lerchedahl Petersen
05d156ba0f Python: add comments 2020-11-24 14:11:14 +01:00
CodeQL CI
2277242196 Merge pull request #4692 from yoff/python-psycopg 
Approved by RasmusWL
 2020-11-24 10:59:04 +00:00
Rasmus Lerchedahl Petersen
39c5e0d487 Python: update test expectations 2020-11-23 16:46:35 +01:00
Rasmus Lerchedahl Petersen
38bb06a207 Merge remote-tracking branch 'upstream/main' into python-dataflow-variable-capture 2020-11-23 16:40:20 +01:00
Rasmus Lerchedahl Petersen
777100f25c Python: rename file, package, and class 2020-11-23 09:17:40 +01:00
Henning Makholm
a2a4938f60 Remove unit tests for duplicate-code detection, take II 
In #4689 I forgot to remove the `.expected` files too, but they are
now of course useless.
 2020-11-20 21:07:42 +01:00
yoff
b478a51d4e Apply suggestions from code review 
Thanks for doing the work for me :-)

Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2020-11-20 10:46:04 +01:00
Rasmus Lerchedahl Petersen
7cbbf3bbf7 Python: slightly nicer test 2020-11-19 16:20:57 +01:00
Rasmus Lerchedahl Petersen
6cc8e5acf1 Python: support psycopg 2020-11-19 12:13:20 +01:00
Rasmus Lerchedahl Petersen
39f134c1c1 Python: reorganized and added to tests 2020-11-19 12:06:58 +01:00
Henning Makholm
a86679a377 Remove unit tests for duplicate-code detection 
The old Semmle duplicate-code detection code has never been done when
extracting databases for the CodeQL CLI, except that `codeql test run`
will run it _just_ in order to support tests of the feature. With the
sunsetting of Odasa there's no need to even _test_ the feature anymore.

This commit removes those tests that fail when the duplicate-code
detector is turned off. Once it is merged and bumped, we can finally
remove it from `codeql`.
 2020-11-18 16:37:29 +01:00
Rasmus Wriedt Larsen
ab856d6c01 Python: Show getCallableForArgument can have multiple results 2020-11-18 10:44:32 +01:00
Rasmus Wriedt Larsen
abf2902a69 Python: Fix QLDoc 
Co-authored-by: yoff <lerchedahl@gmail.com>
 2020-11-18 09:47:23 +01:00
Rasmus Wriedt Larsen
39590a39cb Python: Rename helper predicate based on review 2020-11-18 09:26:53 +01:00
Rasmus Wriedt Larsen
14136154d6 Python: Fix bad join order in TypeTracker::callStep 
From a local evaluation against flask DB, after
https://github.com/github/codeql/pull/4649 was merged we would get:

```
Tuple counts for TypeTracker::callStep#ff/2@a21b71:
9876     ~0%     {3} r1 = SCAN DataFlowPrivate::DataFlowCall::getArg_dispred#fff AS I OUTPUT I.<2>, I.<0>, I.<1>
9876     ~2%     {3} r2 = JOIN r1 WITH project#DataFlowPrivate::DataFlowCall::getArg_dispred#fff AS R ON FIRST 1 OUTPUT r1.<2>, R.<0>, r1.<1>
72388997 ~0%     {4} r3 = JOIN r2 WITH DataFlowPublic::ParameterNode::isParameterOf_dispred#fff_201#join_rhs AS R ON FIRST 1 OUTPUT r2.<2>, R.<2>, r2.<1>, R.<1>
4952     ~0%     {2} r4 = JOIN r3 WITH DataFlowPrivate::DataFlowCall::getCallable_dispred#ff AS R ON FIRST 2 OUTPUT r3.<2>, r3.<3>
                     return r4
```
 2020-11-18 09:17:31 +01:00
Rasmus Lerchedahl Petersen
71830abda0 Python: remaining c# tests, except lambdas 
both via nonlocal and via dict
 2020-11-17 08:28:11 +01:00
Rasmus Lerchedahl Petersen
27b4c67b9f Python: Start of tests for captured variables 2020-11-16 17:25:39 +01:00
Rasmus Wriedt Larsen
9f1d8cd1bb Python: Convert indentation to spaces for VS Code snippets 2020-11-13 13:05:23 +01:00
Rasmus Wriedt Larsen
5200af5244 Python: Add code snippets for VS Code 
Notice that in this form, the filename doesn't matter, and you need to specify
`scope` to limit the snippet to only trigger for `ql`.
 2020-11-13 10:57:17 +01:00
yoff
86fc9e62ef Merge pull request #4650 from RasmusWL/python-set-literal-formatting 
Python: Update set literal formatting
 2020-11-11 15:35:12 +01:00
Rasmus Wriedt Larsen
611398586d Merge pull request #4649 from yoff/python-dataflow-cfgparameters 
Python: Make `ParameterNode` a `CfgNode`
 2020-11-11 10:22:12 +01:00
Rasmus Wriedt Larsen
9ed15732ed Python: Update set literal formatting 
Now that auto-formatting rules have been updated
 2020-11-11 09:38:25 +01:00
Rasmus Lerchedahl Petersen
0710963fc3 Python: update test expectations 
EssaNode -> ControlFlowNode
 2020-11-10 23:58:55 +01:00
Jonas Jensen
fc764db8e1 Merge pull request #4643 from nickrolfe/getFileBySourceArchiveName 
Replace getEncodedFile with shared getFileBySourceArchiveName predicate
 2020-11-10 17:36:29 +01:00
Nick Rolfe
ac4a1f1d9b Update comment to be a QLDoc comment 2020-11-10 14:14:27 +00:00
Nick Rolfe
1e1eb7ee33 Replace getEncodedFile with shared getFileBySourceArchiveName predicate 
While also making it work with paths for databases created on Windows.
 2020-11-10 13:55:27 +00:00
Anders Schack-Mulligen
89ef6ea4eb C++/C#/Java/JavaScript/Python: Autoformat set literals. 2020-11-10 13:32:27 +01:00
Rasmus Lerchedahl Petersen
109d55eb25 Python: Make ParameterNode a CfgNode 
Add a step from that `CfgNode` to the corresponding `EssaNode`.
The intended effect is seen in `ImpliesDataflow.expected`.
The efeect seen in other `.expected`-files is that parameter nodes
change type, that the extra steps are seen, and that flow from
`EssaVar`s is mirrored in flow from `CfgNode`s.
There is one surprise, which is the `.0` node in
`coverage/localFlow.expected`.
 2020-11-10 11:35:50 +01:00
yoff
26286e534e Merge pull request #4174 from yoff/SharedDataflow_PointsToImpliesDataflow 
Python: Dataflow, Test that `pointsTo` implies data flow
merging now, will fix `self` in a later PR
 2020-11-10 10:25:29 +01:00
Rasmus Wriedt Larsen
fbe51c51bb Python: Add missing QLDoc 2020-11-09 09:05:08 +01:00
Rasmus Wriedt Larsen
ed0e4f8425 Python: reasoning about => detecting 
Co-authored-by: yoff <lerchedahl@gmail.com>
 2020-11-09 09:01:04 +01:00
yoff
45317bcec9 Update python/ql/test/library-tests/PointsTo/new/code/w_function_values.py 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2020-11-06 15:03:20 +01:00
Rasmus Wriedt Larsen
9ebe59d393 Python: Move UnsafeDeserialization configuration to own file 2020-11-06 14:27:37 +01:00
Rasmus Wriedt Larsen
d38c48d2c8 Python: Move ReflectedXSS configuration to own file 2020-11-06 14:24:31 +01:00
Rasmus Wriedt Larsen
1897a0d59a Python: Move PathInjection configuration to own file 
This one required a bit more thought, but ended up pretty nicely. Had to write
some QLDoc, but I think it turned out OK.
 2020-11-06 14:21:23 +01:00
Rasmus Wriedt Larsen
0c6bd8401a Python: Move SqlInjection configuration to own file 2020-11-06 14:09:46 +01:00
Rasmus Wriedt Larsen
6299b73a46 Python: Move CommandInjection configuration to own file 2020-11-06 14:07:06 +01:00
Rasmus Wriedt Larsen
7c04c59456 Python: Move CodeInjection configuration to own file 
This makes it easy to extend the sources/sinks of the configuration and re-run
the query from the query console on LGTM.com.

File location in `semmle.<lang>.security.dataflow.<QueryName>.qll` is matching
what we currently do in other languages (JS and C# sampled).

I did not follow the pattern in other languages for wrapping all the code in a
`module CodeInjection`, since I didn't understand the value in doing so -- I
would like confirmation from the other teams if we _should_ actually do that,
before merging.
 2020-11-06 13:58:06 +01:00
Rasmus Lerchedahl Petersen
fe186bf854 Python: Add test 2020-11-06 13:30:11 +01:00
Rasmus Lerchedahl Petersen
64b9e9150e Python: only show results in extracted files 2020-11-06 12:01:16 +01:00
Rasmus Lerchedahl Petersen
6cecd3ba83 Python: Move and rename query 2020-11-05 11:49:39 +01:00
yoff
79fcf598f3 Merge pull request #4608 from RasmusWL/patch-1 
Python: Remove unnecessary cached annotation from adjacentRefUse
 2020-11-04 16:08:30 +01:00
Rasmus Lerchedahl Petersen
38b2bb2828 Python: Add testfile with regressions 2020-11-04 15:55:59 +01:00
Rasmus Lerchedahl Petersen
6df3b8d524 Python: Update query and expectation 2020-11-04 15:17:38 +01:00
Rasmus Wriedt Larsen
31247739d7 Python: Remove unnecessary cached annotation from adjacentRefUse 
As discussed in https://github.com/github/codeql/pull/4544#pullrequestreview-516575676
 2020-11-04 15:16:08 +01:00
Rasmus Lerchedahl Petersen
9baa7b73da Merge branch 'main' of github.com:github/codeql into SharedDataflow_PointsToImpliesDataflow 2020-11-04 15:05:59 +01:00
yoff
62cb4ec974 Merge pull request #4605 from RasmusWL/python-fix-django-response-modeling 
Python: fix django response modeling
 2020-11-04 15:00:52 +01:00
Rasmus Wriedt Larsen
5cf8285717 Python: Fix default mimetype for django FileResponse 2020-11-04 12:28:51 +01:00