hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-24 12:46:34 +01:00
Code Issues Packages Projects Releases Wiki Activity
65,147 Commits 1,673 Branches 157 Tags
f31bb1391dee7f56f8d660dec61ec52262ac3668
Commit Graph

8358 Commits

Author SHA1 Message Date
Taus
1d38ca371b Merge pull request #15845 from github/tausbn/python-extractor-fix-build 
Python: Build external extractor
 2024-03-20 15:18:59 +01:00
Taus
d12ac1e7ce Python: Use tsp instead of tree-sitter-python 2024-03-19 17:11:40 +00:00
Taus
38169a981d Python: Shorten tree-sitter-python directory name 
The current name results in a path that is more than 260 characters long,
and this causes issues for the build on Windows.
 2024-03-19 17:11:40 +00:00
Taus
6f388acdd8 Python: Rename tsg_python_crate_index to py_deps 
This aligns us a bit more with Ruby.
 2024-03-19 17:11:40 +00:00
Taus
04c9ed37a7 Python: Fix reference in unit test 
The referenced file lives in the internal repo, so this is perhaps a bit
of a hack, but I think it should be fine in the short run.
 2024-03-19 17:11:40 +00:00
Taus
cac5a8236e Python: Fix CLI integration tests 
Two issues:

- Tests relying on existing query machinery (i.e. `import python`) were not resolving
  correctly due to a bad `qlpack.yml` file.
- The diagnostics output tests needed an updated import to account for their new location.
 2024-03-19 17:11:40 +00:00
Taus
0550c46766 Python: Fix Bazel build 2024-03-19 17:11:40 +00:00
Taus
5fed8bc57b Python: Add codeql-extractor.yml 2024-03-19 17:11:40 +00:00
Taus
016aedab0a Python: Move Python language pack tooling to external repo 
This is essentially the contents of `language-packs/python/tools` with some minor
modifications to account for the changed location.

Of note: we explicitly exclude the `recorded-call-graph-metrics` director that
was already present in `python/tools`. When we revisit this directory for some
cleanup (e.g. to get rid of the `lgtm` references), we'll probably want to switch
to an explicit list of sources to include.
 2024-03-19 17:11:40 +00:00
Taus
cdc879ee89 Python: Fix up some bazel references 2024-03-19 17:11:40 +00:00
Dave Bartolomeo
bf46fa27d6 Merge remote-tracking branch 'origin/main' into dbartol/rc3.13-mergeback 2024-03-19 13:02:15 -04:00
yoff
ee411cc53a Merge pull request #15936 from yoff/python/test-conflicting-summaries 
Python: No `fieldFlowBranchLimit` for `SummarizedCallable`s
 2024-03-19 16:56:56 +01:00
Dave Bartolomeo
311ba8ea1b Merge from main to resolve conflicts 2024-03-19 10:41:31 -04:00
yoff
f025430431 Merge pull request #15319 from Sim4n6/main 
[Python] Add Unicode DoS (qhelp, tests and the query)
 2024-03-19 10:00:30 +01:00
yoff
44ab36f238 Merge pull request #15729 from yoff/python/hardcoded-credentials-without-pointsto 
python: Rewrite `HardcodedCredentials` away from `PointsTo`
 2024-03-18 20:48:30 +01:00
Tom Hvitved
fc55567d90 Merge pull request #15853 from hvitved/dataflow/get-location 
Data flow: Replace `hasLocationInfo` with `getLocation`
 2024-03-18 20:21:46 +01:00
Tom Hvitved
e53357d376 Update expected test output 2024-03-18 14:49:32 +01:00
Sim4n6
1af8167354 updated the .expected file 2024-03-18 13:26:20 +00:00
github-actions[bot]
0a6243d07b Release preparation for version 2.16.5 2024-03-18 10:14:07 +00:00
Tom Hvitved
a13391bda1 Merge pull request #15802 from hvitved/dataflow/variable-capture-overlapping-paths 
Variable capture: Avoid overlapping and false-positive data flow paths
 2024-03-18 10:45:55 +01:00
Rasmus Lerchedahl Petersen
2a0c451d2d python: No fieldFlowBranchLimit for SummarizedCallables 
Like https://github.com/github/codeql/pull/15689 for Ruby.
 2024-03-18 10:29:36 +01:00
Rasmus Lerchedahl Petersen
45c65b48aa python: make it a real package 
so python2 also respects it
 2024-03-18 08:49:31 +01:00
Rasmus Lerchedahl Petersen
cfbc3f73ec Pyhton: add test for conflicting summaries 
We noticed that when
- a function has more than one summary (with different charpred)
- one summary is subsumed by a subpath (or something happens around the function being extracted)
- the function is called multiple times(we needed at least three)
one of the summaries would no longer lead to flow.
 2024-03-15 15:13:39 +01:00
Sim4n6
3acdd3382c Update the expected file 2024-03-15 14:17:23 +01:00
Sim4n6
26a16b7857 use of a single var "op" of type Cmpop 2024-03-15 14:17:23 +01:00
Sim4n6
a717bf1b9d Fix p tag in UnicodeDoS.qhelp 2024-03-15 14:17:23 +01:00
Sim4n6
af19a0342e Fix UnicodeDoS vulnerability in CWE-770 code 2024-03-15 14:17:23 +01:00
Sim4n6
085d803b14 Fix UnicodeDoS vulnerability in CWE-770 2024-03-15 14:17:23 +01:00
Sim4n6
31dc542111 Update request parameter name in good_1() function 2024-03-15 14:17:23 +01:00
Sim4n6
70ebc58b4c Refactor Unicode normalization code 2024-03-15 14:17:23 +01:00
Sim4n6
3d8868a6c3 Add routes for bad_5 and bad_6, and fix routes for good_3 and good_4 2024-03-15 14:17:23 +01:00
Sim4n6${{7*'7'}}
658b88e62f Update python/ql/src/experimental/Security/CWE-770/UnicodeDoS.ql 
update the Config API

Co-authored-by: yoff <lerchedahl@gmail.com>
 2024-03-15 14:17:23 +01:00
Sim4n6
1f767b887e Add some comments and docs 2024-03-15 14:17:23 +01:00
Sim4n6
5cc9170249 Add UnicodeDoS sink for werkzeug secure_filename 2024-03-15 14:17:23 +01:00
Sim4n6
342465057c Add Unicode DoS (CWE-770) 2024-03-15 14:17:23 +01:00
Tom Hvitved
6c0ed28e6b Python: Implement new data flow interface 2024-03-13 14:41:57 +01:00
yoff
b5c0fbb827 Merge pull request #15776 from RasmusWL/tt-consistency 
Python: Add type-tracking consistency query
 2024-03-13 11:11:07 +01:00
Tom Hvitved
dddba3228b Merge pull request #15867 from hvitved/dataflow/ap-limit 
Data flow: Add `ConfigSig::accessPathLimit`
 2024-03-12 14:57:51 +01:00
Rasmus Wriedt Larsen
800351c7b7 Merge branch 'main' into tt-consistency 2024-03-11 14:12:09 +01:00
yoff
e6e6a4e9c8 Merge pull request #15841 from RasmusWL/missing-use-use2 
Python: Add example of missing use-use flow
 2024-03-11 13:59:57 +01:00
yoff
adbcbefaa9 Merge pull request #15551 from yoff/python/avoid-duplicate-model-inclusions 
python: Remove `TaintStepFromSummary`
 2024-03-11 13:52:20 +01:00
Tom Hvitved
da66281fef Sync files 2024-03-11 13:02:04 +01:00
Rasmus Wriedt Larsen
4ac8dd72a7 Merge pull request #15855 from yoff/python/add-MaD-test-tuple-output 
Python: Add test for `ReturnValue.TupleElement[n]`
 2024-03-11 12:05:31 +01:00
Rasmus Wriedt Larsen
42acd9c22c Merge pull request #15695 from github/tausbn/python-add-copy-method-as-copy-step 
Python: Add `.copy()` method call as copy step
 2024-03-11 09:43:34 +01:00
Rasmus Lerchedahl Petersen
3601773856 python: support encoding lower bound 2024-03-08 14:59:28 +01:00
Rasmus Wriedt Larsen
adf5a4b1e4 Python: Fix internal consistency failures 2024-03-08 14:13:47 +01:00
Rasmus Wriedt Larsen
87b6592dbc Python: Accept inconsistency for missing use-use flow 
At least until we have a proper fix
 2024-03-08 13:34:26 +01:00
Rasmus Wriedt Larsen
8fe483d9d8 Python: Add example of missing use-use flow 
(see PR for more detailed description)
 2024-03-08 13:26:01 +01:00
Rasmus Lerchedahl Petersen
6d8d106d91 Python: add test for ReturnValue.TupleElement[n] 2024-03-08 11:18:51 +01:00
Tom Hvitved
24e35f6f3d Update expected test output 2024-03-08 10:00:43 +01:00