hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-21 19:26:31 +01:00
Code Issues Packages Projects Releases Wiki Activity
50,611 Commits 1,672 Branches 157 Tags
ea4c2e432100cb15e4ad5448d02c36153a6f9f95
Commit Graph

3828 Commits

Author SHA1 Message Date
Asger F
d94010c244 Grammar: report -> reports 2022-06-23 14:17:52 +02:00
github-actions[bot]
a74051c658 Release preparation for version 2.10.0 2022-06-23 11:17:46 +00:00
yoff
140dc1a61e merge in main 2022-06-23 09:05:32 +00:00
yoff
cedf9ef538 python: make DataFlowCall "publicly usable" 
- add `getCallable`, `getArg` and `getNode`
- these are `none` for summary calls
- revert "external" uses (they had been changed to `DataFlowSourceCall`)
 2022-06-23 08:32:23 +00:00
Anders Schack-Mulligen
df6d68b215 Merge pull request #9618 from aschackmull/dataflow/deprecate-barrierguard-class 
Dataflow: Deprecate BarrierGuard class
 2022-06-22 10:44:08 +02:00
Asger F
3a669a8d21 Python: getAValueReachingRhs -> getAValueReachingSink 2022-06-21 12:44:06 +02:00
Asger F
b096f9ec72 Python: Rename getAUse -> getAValueReachableFromSource 2022-06-21 12:44:06 +02:00
Edoardo Pirovano
70dbd92e25 Bump minor version of all regularly released packs 2022-06-21 11:22:58 +01:00
Edoardo Pirovano
ad02b85efa Merge branch main into rc/3.6 2022-06-21 11:15:25 +01:00
Anders Schack-Mulligen
f473a0a961 Python: Deprecate and replace BarrierGuard class. 2022-06-20 15:46:38 +02:00
Taus
3a328f6a3f Merge pull request #6570 from yoff/python/broaden-noqa-regex 
Python: Broaden noqa regex to allow comments
 2022-06-17 23:56:39 +02:00
Taus
9bf2eb55ca Python: Allow whitespace before colon 
As suggested by @DimitriPapadopolous.

Also fixes the test output to account for the `noqa` annotation (with
added comment) that we're now detecting.
 2022-06-16 11:16:58 +02:00
Rasmus Lerchedahl Petersen
98301332bd Python: Broaden noqa regex 2022-06-16 11:16:58 +02:00
github-actions[bot]
1ed70d51d7 Post-release preparation for codeql-cli-2.9.4 2022-06-15 13:25:20 +00:00
yoff
f14a90ff09 Merge pull request #9200 from tausbn/python-modernise-weak-file-permissions-query 
Python: Modernise weak file permissions query
 2022-06-15 14:37:17 +02:00
yoff
9dbb451f41 Merge pull request #9463 from RasmusWL/req-wo-cert-validation 
Python: Rewrite `py/request-without-cert-validation`
 2022-06-15 13:00:57 +02:00
github-actions[bot]
104ac05f49 Release preparation for version 2.9.4 2022-06-15 08:22:38 +00:00
Rasmus Lerchedahl Petersen
7b5d9ec7df python: Straight port of tarslip 2022-06-14 15:01:13 +02:00
yoff
699761889d Merge pull request #7127 from jty-team/jty/python/emailInjection 
Python: CWE-079 - Add Email injection query
 2022-06-14 10:54:16 +02:00
Alex Ford
8d195e3188 Merge pull request #9157 from alexrford/crypto-op-block-mode 
Ruby/Python: Add a `BlockMode` concept for `CryptographicOperations`
 2022-06-13 21:32:36 +02:00
Rasmus Wriedt Larsen
d91b92511f Python: Add change-note 2022-06-08 17:46:51 +02:00
Rasmus Wriedt Larsen
c21e05aa44 Python: Use HTTP::Client::Request request for py/request-without-cert-validation 
This is very much like the Ruby query, except we also have the origin
that does the disabling.

976daddd36/ruby/ql/src/queries/security/cwe-295/RequestWithoutValidation.ql (L18-L20)
 2022-06-08 15:42:32 +02:00
jorgectf
171239b78f Format FlaskMail.qll and Sendgrid.qll 2022-06-03 18:27:45 +02:00
Jorge
897d5c9471 Apply suggestions from code review 
Co-authored-by: yoff <lerchedahl@gmail.com>
 2022-06-01 12:44:08 +02:00
Nick Rolfe
f417c12c5e Merge pull request #9332 from github/post-release-prep/codeql-cli-2.9.3 
Post-release preparation for codeql-cli-2.9.3
 2022-05-31 16:17:50 +01:00
github-actions[bot]
ed2f3409bc Post-release preparation for codeql-cli-2.9.3 2022-05-31 09:54:55 +00:00
${sleep,7}
76c27c685f Merge branch 'main' into jty/python/emailInjection 2022-05-26 16:27:57 -04:00
yoff
aadfa8eacd Merge branch 'main' into py/CsvInjection 2022-05-25 10:43:08 +02:00
github-actions[bot]
1f1b364feb Release preparation for version 2.9.3 2022-05-25 07:46:48 +00:00
Taus
3745526d69 Merge pull request #9108 from RasmusWL/promote-pam 
Python: Promote `py/pam-auth-bypass`
 2022-05-23 15:27:12 +02:00
yoff
23d64ffa04 Merge pull request #9135 from tausbn/python-modernise-py-jinja2-autoescape-false 
Python: Modernise py/jinja2/autoescape-false
 2022-05-23 14:18:06 +02:00
Alex Ford
9e483ac4e0 Fix change note formatting 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2022-05-19 14:25:44 +01:00
Erik Krogh Kristensen
215a6a72cc Merge branch 'main' into useStringComp 2022-05-18 10:55:31 +02:00
Rasmus Wriedt Larsen
6611e5b4b8 Merge branch 'main' into promote-pam 2022-05-18 10:35:39 +02:00
Rasmus Wriedt Larsen
b54de13d97 Python: Apply suggestions from code review 
Co-authored-by: Taus <tausbn@github.com>
 2022-05-18 10:30:29 +02:00
Erik Krogh Kristensen
7245591468 Merge pull request #7763 from erik-krogh/unused-field 
QL: add unused-field query
 2022-05-18 09:15:16 +02:00
Taus
b2fe615ef2 Python: Modernise weak file permissions query 
Using API graphs instead of points-to.

Unfortunately, some results will be lost because of this, due to the
fact that points-to tracks bitwise operations on small numbers (i.e.
flags), whereas API graphs does no such thing. This means using
something like `stat.S_IWUSR | stat.S_IWGRP` will not work.

A custom type tracker (like the one used for `re` flags) could be used
to recapture this behaviour, but I think that's best left as future
work, as it's not clear to me that this query is actually worth the
effort it would take to implement this.
 2022-05-17 20:20:15 +00:00
Erik Krogh Kristensen
6c7c9b6a4b Merge pull request #9082 from erik-krogh/countZero 
QL: add query warning about `count(...) = 0`.
 2022-05-17 21:46:58 +02:00
Taus
ea32299ab0 Python: Use API-graph flow for boolean tracking 
Introduces a false positive, but arguably that false positive should
have been there with the local flow as well.
 2022-05-17 13:14:55 +00:00
Erik Krogh Kristensen
86e97c32d6 fix all ql/use-string-compare 2022-05-17 14:11:05 +02:00
Taus
ba8d73c2be Python: Use API::CallNode 2022-05-17 12:00:17 +00:00
Mathias Vorreiter Pedersen
1280d43e36 Merge pull request #9141 from github/post-release-prep/codeql-cli-2.9.2 
Post-release preparation for codeql-cli-2.9.2
 2022-05-17 10:01:37 +01:00
Alex Ford
bda1c21562 BrokenCryptoAlgorithm block mode change notes 2022-05-16 15:49:19 +01:00
yoff
2822ed9594 Merge remote-tracking branch 'upstream/main' into python-dataflow/flow-summaries-from-scratch 2022-05-16 08:10:15 +00:00
Alex Ford
bc073eb460 python: update py/weak-cryptographic-algorithm to flag use of ECB block mode 2022-05-13 16:32:36 +01:00
github-actions[bot]
b7cbd8fd75 Post-release preparation for codeql-cli-2.9.2 2022-05-12 18:21:38 +00:00
Taus
a0f8e2f0b1 Python: Modernise py/jinja2/autoescape-false 
A simple rewrite to use API graphs instead.

The handling of falsy values is potentially a bit more restrictive now,
as it only accounts for local flow. We should probably figure out a
better way of capturing this pattern, but I felt that this was out of
scope for the present PR.
 2022-05-12 12:55:42 +00:00
Rasmus Wriedt Larsen
795adf0566 Python: Fix API::moduleImport("foo.bar") 2022-05-12 13:33:00 +02:00
github-actions[bot]
ee9980b31c Release preparation for version 2.9.2 2022-05-12 10:17:28 +00:00
Rasmus Wriedt Larsen
044829c3bb Python: Add @security-severity to py/pam-auth-bypass 
The value 8.1 was calculated by our internal tool. This corresponds to a
'High' severity, which from my gut feeling seems reasonable for
authorization bypass.
 2022-05-11 14:57:21 +02:00