hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-27 14:16:34 +01:00
Code Issues Packages Projects Releases Wiki Activity
19,944 Commits 1,673 Branches 157 Tags
ecdadd182632faba8e532ecf2ba42e1c1aa40d2b
Commit Graph

2793 Commits

Author SHA1 Message Date
Rasmus Wriedt Larsen
1961ec6e8d Merge pull request #5159 from tausbn/python-unknown-argument-in-format-string-fp 
Python: Add FP test for unknown argument in string format
 2021-02-15 14:39:10 +01:00
CodeQL CI
178c54e69b Merge pull request #5139 from RasmusWL/django-improvements 
Approved by yoff
 2021-02-14 02:16:52 -08:00
Taus Brock-Nannestad
2632422783 Python: Add FP test for unknown argument in string format 
Reported in https://github.com/github/codeql/issues/2650

I found this during a bit of spring cleaning in my working
directory. As this doesn't have any immediate security implications, I
don't know when we'll get round to fixing it, but it can't hurt to
have the test case checked in.
 2021-02-12 19:28:12 +01:00
Rasmus Wriedt Larsen
1651f81ac8 Python: Refactor to avoid confusing name 
After discussion with @yoff
 2021-02-12 12:19:37 +01:00
Rasmus Wriedt Larsen
ed2dc5f6ad Python: Fix date for change-note 2021-02-12 10:26:31 +01:00
Rasmus Wriedt Larsen
c57a4df819 Python: Model taint of self.request on django view class 2021-02-10 17:48:48 +01:00
Rasmus Wriedt Larsen
9ca738d921 Python: Add taint test for self.request on django view class 2021-02-10 17:48:41 +01:00
Rasmus Wriedt Larsen
ca0d345987 Django: Model any class used in django route setup as view class 2021-02-10 16:26:25 +01:00
Rasmus Wriedt Larsen
b428945bc2 Django: Fix DjangoRouteHandler char-pred 
Before it the class would contain _all_ functions xD
 2021-02-10 16:21:51 +01:00
Rasmus Wriedt Larsen
78a3206fce Python: Add test with unkown view class in django 2021-02-10 15:56:33 +01:00
Rasmus Wriedt Larsen
42eceb80bd Python: Handle view functions with decorators 2021-02-10 15:47:55 +01:00
Anders Schack-Mulligen
66d0bf6b5e Merge pull request #5128 from hvitved/dataflow/exploration-clears-content 
Data flow: Take `clearsContent()` into account in flow exploration
 2021-02-10 11:52:24 +01:00
Tom Hvitved
1f9b42f9ab Data flow: Sync files 2021-02-09 20:10:23 +01:00
Rasmus Wriedt Larsen
1d25184b32 Python: Add test for type-tracking through decorators 
In general, if there is _some_ decorator on a function, it might not be safe to
track content out of it (since the decorator could do anything), but in this
case, we can see what the decorator does, so we should be able to handle it (but
we don't right now).

By my understanding of how type-tracking works, if we track content through
`my_decorator`, then we would also track content to the result of
`unrelated_func()`, which I wanted to make sure our tests would catch.

I found out the core of the problem seems to come from our lack of being able to
track to the inner scope, and added an explicit test for that.
 2021-02-09 13:43:10 +01:00
Rasmus Wriedt Larsen
eb7e30d472 Python: Add test of django view handler with decorator 
Which we currently don't handle :(

Also added a bit more explanatory comments
 2021-02-09 13:25:12 +01:00
yoff
f1a0ec2dec Merge pull request #4981 from RasmusWL/port-url-redirect-query 
Python: Port url redirect query
 2021-02-06 00:39:10 +01:00
yoff
ddd362bc16 Update python/ql/src/semmle/python/frameworks/Django.qll 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswl@github.com>
 2021-02-05 23:31:20 +01:00
yoff
7fef1a8817 Merge pull request #5069 from tausbn/python-api-graphs 
Python: Add support for API graphs
 2021-02-05 13:17:09 +01:00
Taus Brock-Nannestad
78cb53449d Python: Slight cleanup of Cached::call 
Makes it more similar to the other functions in this module.
 2021-02-05 12:47:26 +01:00
Taus
6c8dfb253d Python: Use flowsTo instead of hasLocalSource 
Co-authored-by: yoff <lerchedahl@gmail.com>
 2021-02-05 12:42:41 +01:00
Taus
a66743192e Python: Fix typo in docs 
Co-authored-by: yoff <lerchedahl@gmail.com>
 2021-02-05 10:58:47 +01:00
Taus
f0d5a91d59 Merge pull request #5093 from RasmusWL/fix-query-names-with-dunder 
Python: Fix query names with dunder (__)
 2021-02-04 18:47:45 +01:00
Taus Brock-Nannestad
d035937083 Python: Add change note 2021-02-04 18:43:44 +01:00
Taus Brock-Nannestad
a505eb6922 Python: Adhere to QLDoc style guide 2021-02-04 18:34:06 +01:00
Taus Brock-Nannestad
3c7d9c3c4b Python: Fix typo 2021-02-04 18:33:50 +01:00
Taus Brock-Nannestad
f6e1ea5b2a Python: Fix missing global variable source nodes 
In lieu of removing the offending flow (which would likely have
consequences for a lot of other tests), I opted to simply _include_
the relevant nodes directly.
 2021-02-04 18:07:13 +01:00
Taus Brock-Nannestad
2524f23a46 Python: Add more test cases 
There is now a bit of redundancy in the tests, but I thought it useful
to actually include some of the cases called out explicitly in the
documentation, so as to make it easy to see that the code actually
does what we expect (in these cases, anyway).
 2021-02-04 18:05:33 +01:00
Taus Brock-Nannestad
aa7e9f0b56 Python: Add big explanatory comment about prefixes. 2021-02-04 18:03:34 +01:00
Taus Brock-Nannestad
305bfaba2d Python: Fix imports/2 2021-02-04 16:46:22 +01:00
Taus Brock-Nannestad
07ffa9f1ae Python: More documentation 2021-02-04 15:59:00 +01:00
Taus Brock-Nannestad
e54c925b70 Python: Greatly simplify imports/2 predicate 2021-02-04 15:58:15 +01:00
Rasmus Wriedt Larsen
b94658fd52 Python: Highlight that __slots__ query is only for Python 2 in qhelp 
Since I was already editing this file, it was easy to just add this extra bit of
info.
 2021-02-04 15:54:37 +01:00
Rasmus Wriedt Larsen
23d9e2646a Python: Fix name of class in example of __slots__ qhelp 2021-02-04 15:54:10 +01:00
Rasmus Wriedt Larsen
dcb185b659 Python: Fix trailing whitespace in a single qhelp file 
Since I edited already, why not get this little bonus? :D
 2021-02-04 15:53:23 +01:00
Rasmus Wriedt Larsen
32be53bf72 Python: Fix missing <code> in qhelp file 2021-02-04 15:53:04 +01:00
Rasmus Wriedt Larsen
3fe715abb6 Python: Fix query names that inclde __ (dunder) 
Without backticks, the text UNDERSCORE UNDERSCORE eq UNDERSCORE UNDERSCORE would
be considered to make things bold in our markdown output, making the query info
look strange.

Example https://codeql.github.com/codeql-query-help/python/py-slots-in-old-style-class/
 2021-02-04 15:49:37 +01:00
Taus Brock-Nannestad
d01d7eea82 Python: Add documentation from DataFlowUtil::importNode 2021-02-04 13:08:19 +01:00
Taus
634041d2d7 Merge pull request #5047 from yoff/python-dataflow-unpacking-unifying-experiments 
Python: dataflow, unify iterated unpacking
 2021-02-04 12:57:43 +01:00
Taus
4627799c93 Python: Fix more typos 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2021-02-04 12:41:17 +01:00
Taus
e5ec1e105c Python: Fix typos in test files 
Co-authored-by: yoff <lerchedahl@gmail.com>
 2021-02-04 12:18:07 +01:00
Rasmus Wriedt Larsen
ac0f2d37db Python: Fix small typo in test-output 
Spotted by yoff in https://github.com/github/codeql/pull/5069#discussion_r570063207
 2021-02-04 12:11:20 +01:00
Taus Brock-Nannestad
5974af661e Python: Update test file 
Makes the `a.b.c.d` test more sensible.

Also adds a test that shows a case where we're currently _not_ getting
the right flow.
 2021-02-03 22:43:21 +01:00
Taus Brock-Nannestad
ba98b08001 Python: Further elaboration of use/3 2021-02-03 22:31:33 +01:00
Taus Brock-Nannestad
ebfb1faf77 Python: Autoformat 2021-02-03 22:26:46 +01:00
Rasmus Lerchedahl Petersen
a7ca065411 Python: Fix ForTarget 2021-02-03 22:14:15 +01:00
yoff
b5633625b3 Update python/ql/src/semmle/python/dataflow/new/internal/DataFlowPrivate.qll 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2021-02-03 21:56:03 +01:00
Taus
56515c5708 Python: Improve documentation for moduleImport 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2021-02-03 21:29:15 +01:00
Taus Brock-Nannestad
05f290f734 Python: Better explanation in use/3 2021-02-03 19:52:40 +01:00
Taus Brock-Nannestad
c5d6792c1e Python: Make toString abstract 2021-02-03 19:52:40 +01:00
Taus Brock-Nannestad
6ce160c51c Python: Use call instead of invocation 2021-02-03 19:52:40 +01:00