hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-01-14 06:54:48 +01:00
Code Issues Packages Projects Releases Wiki Activity
48,095 Commits 1,680 Branches 158 Tags
f4f7d83349dfa10c0ffa6af34ef3b2b14dd4dcc6
Commit Graph

1200 Commits

Author SHA1 Message Date
Michael Nebel
f4f7d83349 Python: Rename Negative Summary Model to Neutral Model. 2022-12-09 15:04:43 +01:00
Michael Nebel
079d48c42a Sync files. 2022-12-09 15:04:42 +01:00
Asger F
387a673c10 Merge pull request #11567 from asgerf/js/data-extensions2 
JS: Move MaD models to data extensions
 2022-12-09 10:09:24 +01:00
Rasmus Wriedt Larsen
d684dbdf5c Merge pull request #10656 from porcupineyhairs/PyPamImprove 
Python: Improve the PAM authentication bypass query
 2022-12-08 11:59:10 +01:00
Jami
5e694b5983 Merge pull request #11192 from jcogs33/jcogs33/share-key-sizes 
Share encryption key sizes between Java and Python
 2022-12-07 08:08:24 -05:00
Asger F
5af1b367c7 Support data extensions 2022-12-07 11:35:05 +01:00
Tom Hvitved
b5e2e1e469 Merge pull request #11564 from hvitved/dataflow/parameter-position-consistency-checks 
Data flow: Add consistency checks for parameter positions
 2022-12-06 09:33:36 +01:00
Tom Hvitved
52f3a48638 Data flow: Sync files 2022-12-05 12:57:27 +01:00
Tom Hvitved
faca4b5b56 Merge pull request #11461 from hvitved/ruby/unique-hash-splat-param 
Ruby: At most one hash-splat `ParameterNode` per callable
 2022-12-05 11:53:28 +01:00
Asger F
2d578c1a73 Merge branch 'main' into merge-package-type-columns 2022-12-02 10:00:44 +01:00
Jami Cogswell
1f4bd00993 split rsa/dsa/dh 2022-12-01 11:56:44 -05:00
Jami Cogswell
0fa05d47e3 add shared key sizes 2022-12-01 11:56:44 -05:00
Tom Hvitved
b33f5925bb Data flow: Sync files 2022-11-30 13:39:25 +01:00
Owen Mansel-Chan
55c4643b20 Dataflow: Sync. 2022-11-30 11:00:07 +00:00
Tom Hvitved
f3dca95958 Merge pull request #11087 from hvitved/dataflow/summary-ctx 
Data flow: Add summary/return context to pruning stages 2-4
 2022-11-29 10:36:53 +01:00
Rasmus Wriedt Larsen
3d9556e5a3 Python: Use proper Query suffix 2022-11-28 16:03:17 +01:00
Rasmus Wriedt Larsen
c310948521 Python: Remove enclosing module for PAM Auth Bypass.qll 2022-11-28 16:02:38 +01:00
Tom Hvitved
cde05e1190 Data flow: Sync files 2022-11-28 12:11:38 +01:00
Erik Krogh Kristensen
03737543d4 Merge pull request #11403 from erik-krogh/additional 
ReDoS: add missing additional keywords
 2022-11-24 15:53:51 +01:00
Erik Krogh Kristensen
1eec067474 Merge pull request #11294 from erik-krogh/fileDoc 
QL: improve the "this block-comment should have been a QLDoc"-query
 2022-11-23 22:23:36 +01:00
erik-krogh
95f35196e4 add missing additional keywords 2022-11-23 20:45:51 +01:00
Asger F
abf0c0f296 Python: update more comments referring to the package column 2022-11-23 15:02:08 +01:00
Asger F
1c910550e6 Python: merge package/type columns 2022-11-23 11:17:42 +01:00
Rasmus Wriedt Larsen
04a68f8d52 Merge pull request #11372 from RasmusWL/getpass 
Python: Model `getpass.getpass` as source of passwords
 2022-11-22 14:49:04 +01:00
Rasmus Wriedt Larsen
9195b73d84 Python: Model getpass.getpass as source of passwords 2022-11-22 14:11:52 +01:00
Rasmus Wriedt Larsen
80e71b202a Python: Cleartext queires: Remove flow from getpass.py 2022-11-22 14:08:00 +01:00
Taus
8f4eb7107a Merge pull request #10861 from tausbn/python-clean-up-import-resolution 
Python: Clean up import resolution
 2022-11-21 15:18:08 +01:00
Tom Hvitved
99e70e9a50 Data flow: Sync files 2022-11-20 10:19:23 +01:00
Porcupiney Hairs
db231a111c Python : Improve the PAM authentication bypass query 
The current PAM auth bypass query which was contributed by me a few months back, alert on a vulenrable function but does not check if the function is actually function. This leads to a lot of fasle positives.

With this PR, I add a taint-tracking configuration to check if the username parameter can actually be supplied by an attacker.

This should bring the FP's significantly down.
 2022-11-19 01:29:25 +05:30
Taus
d79eed533b Python: Remove unwanted recursion 
Depending on `localFlowStep` meant that this predicate ended up being
recursive with itself (by way of flow summaries which depend on API
graphs, which in turn depend on import resolution).

Changing this to use the simple local flow step predicate that we use
for type tracking should fix this issue.
 2022-11-18 13:50:50 +00:00
Taus
e76ab8c78c Merge branch 'main' into python-clean-up-import-resolution 2022-11-17 22:47:50 +00:00
erik-krogh
468a879c1f Python: delete dead code. thanks QL-for-QL 2022-11-17 22:12:51 +01:00
erik-krogh
e491b61e09 Python: move the contents of PEP249Impl to PEP249, which is possible now that the deprecations have been deleted 2022-11-17 22:12:50 +01:00
erik-krogh
a7ba693ccb Python: delete old deprecations 2022-11-17 22:12:50 +01:00
Taus
811426c586 Python: Remove manual magic entirely 
This was causing issues with imports with many "dots" in the name.

Previously, the test added in this commit would not have the desired
result for the `check` call.
 2022-11-17 14:15:55 +00:00
Taus
81348049df Python: Fix missing module resolution 
This was due to bad manual magic: restricting the attribute name makes
sense when we're talking about submodules of a package, but it doesn't
when we're talking about reexported modules.

Also (hopefully) fixes the tests so that the Python 3-specific bits are
ignored under Python 2.
 2022-11-16 19:58:32 +00:00
Taus
19261ecfbf Python: Remove spurious module references 2022-11-16 18:19:54 +00:00
erik-krogh
25b32860ba Py: convert a block-comment that could be QLDoc to QLDoc 2022-11-16 13:45:37 +01:00
Anders Schack-Mulligen
94bca4399a Merge pull request #11183 from aschackmull/dataflow/groupflow 
Dataflow: Introduce support for src/sink grouping in path results.
 2022-11-16 12:59:01 +01:00
Erik Krogh Kristensen
d2857006cf Merge pull request #11247 from erik-krogh/py-redosMod 
Python: use the shared regex pack
 2022-11-14 21:10:43 +01:00
Erik Krogh Kristensen
99636ba344 fix typo 
Co-authored-by: yoff <lerchedahl@gmail.com>
 2022-11-14 17:35:55 +01:00
Nick Rolfe
83b3312467 Merge pull request #11207 from github/nickrolfe/arel-sql 
Ruby: add `SqlConstruction` concept, and implement it for calls to `Arel.sql`
 2022-11-14 10:21:37 +00:00
Taus
f92d836607 Python: Fix test failure 
Casting to `ImportExpr` caused the `typetracking_imports` test to fail.
 2022-11-11 16:03:14 +00:00
Taus
a08253b6d0 Python: Fix typo 2022-11-11 14:50:04 +00:00
Taus
b540eb094c Python: Various small fixes 
- Swaps `module_reference_in_scope` and `module_name_in_scope`.
- uses `AttrRead::accesses` instead of `getObject`, etc.
- Removes an errant `none()`.
- Expands the QLDoc for some of the predicates.
 2022-11-11 14:00:36 +00:00
Rasmus Wriedt Larsen
ddbcdcb4ba Merge pull request #11160 from RasmusWL/dataflow-consistency-read-store 
DataFlow: Add read/store stepIsLocal consistency checks
 2022-11-11 14:51:45 +01:00
Taus
7f790432cc Python: More review suggestions 
I could have sworn I added all of them to the batch, but somehow these slipped through.

Co-authored-by: yoff <lerchedahl@gmail.com>
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2022-11-11 14:40:58 +01:00
Taus
131fc986b4 Python: Apply suggestions from code review 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
Co-authored-by: yoff <lerchedahl@gmail.com>
 2022-11-11 13:49:46 +01:00
Erik Krogh Kristensen
90382c4d1c Merge pull request #11178 from erik-krogh/passcode 
JS/RB/PY: Recognize `passcode` as sensitive
 2022-11-10 17:58:34 +01:00
Michael Nebel
9c6875ec0f Merge pull request #10777 from michaelnebel/csharp/generatedataextensions 
C#: Generate data extension files
 2022-11-10 13:08:31 +01:00