hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-03-23 16:06:47 +01:00
Code Issues Packages Projects Releases Wiki Activity
48,607 Commits 1,712 Branches 163 Tags
f5e33ac00a3c0ea059db832dd3f17283c06c28fa
Commit Graph

2900 Commits

Author SHA1 Message Date
Rasmus Wriedt Larsen
88f703af1f DataFlow: Accept changes to .expected 2022-11-10 22:13:34 +01:00
Rasmus Wriedt Larsen
4caaa3a396 Python: Rewrite call-graph tests to be inline expectation (1/2) 
This adds inline expectations, next commit will remove old annotations
code... but I thought it would be easier to review like this.
 2022-11-10 21:08:29 +01:00
erik-krogh
618438642a update expected output of the queries (some sorting changed due to locations being used slightly differently in the shared pack) 2022-11-07 14:31:52 +01:00
erik-krogh
4f11e2d25f port the Python regex/redos queries to use the shared pack 2022-11-07 14:31:51 +01:00
Dave Bartolomeo
9d5e5e3ee7 ${workspace} all the things 2022-11-01 13:29:05 -04:00
Rasmus Wriedt Larsen
ead0844174 Merge pull request #10998 from RasmusWL/essa-use-use-test 
Python: Add failing ESSA use-use test
 2022-10-31 10:38:26 +01:00
Rasmus Wriedt Larsen
a04c78ab94 Python: Apply suggestions from code review 
Co-authored-by: yoff <lerchedahl@gmail.com>
 2022-10-28 15:31:42 +02:00
Rasmus Wriedt Larsen
e8fdff7a3b Python: Expand ExternalAPIs test 
We never had a showcase of how keyword arguments were handled
 2022-10-28 09:38:02 +02:00
Rasmus Wriedt Larsen
6577281bed Python: Add crosstalk fieldflow test 2022-10-28 09:31:16 +02:00
Rasmus Wriedt Larsen
c1b2561598 Python: Extend fieldflow tests with bound method call 2022-10-28 09:31:16 +02:00
Rasmus Wriedt Larsen
0f34752f8f Python: Delete classesCallGraph.ql 
I don't see the value from this, so just going to outright delete it.
(it actually stayed alive for quite some time in the original git history,
but never seemed to be that useful.)
 2022-10-28 09:31:01 +02:00
Rasmus Wriedt Larsen
7d8c0c663f Python: Remove dataflow/coverage/dataflow.ql 
The selected edges is covered by `NormalDataflowTest.ql` now... and
reading the test-output changes in `edges` is just going to make commits
larger while not providing any real value.
 2022-10-28 09:29:32 +02:00
Rasmus Wriedt Larsen
609a4cfd42 Python: validate tests in datamodel.py 
And adopt argument passing tests as well.

turns out that `C.staticmethod.__func__` doesn't actually work :O
 2022-10-28 09:29:32 +02:00
Rasmus Wriedt Larsen
39081e9c1c Python: Fix staticmethod datamodel test 2022-10-28 09:29:32 +02:00
Rasmus Wriedt Larsen
dbd84b2d37 InlineExpectationsTest: Add quote around missing tag 
To aid with quickly scanning where the missing tag is. I just had to do
this myself looking over some test failures, and it all just blurred
into each other in the logs.

see https://github.com/github/codeql/actions/runs/3332266045/jobs/5512944867#step:5:467
 2022-10-27 09:02:28 +02:00
Rasmus Wriedt Larsen
76e84ef63a InlineExpectationsTest: Fail if missing getARelevantTag 2022-10-26 18:20:37 +02:00
Rasmus Wriedt Larsen
bfe9aa1225 InlineExpectationsTest: Add test showing what happens if you leave out getARelevantTag 2022-10-26 18:00:03 +02:00
Rasmus Wriedt Larsen
b3f29b0a53 Python: Add failing ESSA use-use test 
I initially created this as a dataflow test, but then realized it could
just be an ESSA test. I cound't find any existing ESSA tests though :|
so created a new dir for it.
 2022-10-26 17:49:33 +02:00
ALJI Mohamed
fdbed2a019 Add expected test results without considering inStdLib files. 2022-10-22 09:34:57 +01:00
ALJI Mohamed
0f44268038 Add expected test results 2022-10-21 22:14:55 +01:00
ALJI Mohamed
7d60f1f1c8 Modified the QL ref file and add TarSlip examples 2022-10-21 22:14:00 +01:00
ALJI Mohamed
31a6fb4181 Add TarSlip qlref for query-tests 2022-10-21 21:28:20 +01:00
Taus
58754982ce Python: Update type tracking tests 
No longer missing! 🎉
 2022-10-17 14:34:10 +00:00
Taus
ad13fbaeb6 Python: Add tests 
A slightly complicated test setup. I wanted to both make sure I captured
the semantics of Python and also the fact that the kinds of global flow
we expect to see are indeed present.

The code is executable, and prints out both when the execution reaches
certain files, and also what values are assigned to the various
attributes that are referenced throughout the program. These values are
validated in the test as well.

My original version used introspection to avoid referencing attributes
directly (thus enabling better error diagnostics), but unfortunately
that made it so that the model couldn't follow what was going on.

The current setup is a bit clunky (and Python's scoping rules makes it
especially so -- cf. the explicit calls to `globals` and `locals`), but
I think it does the job okay.
 2022-10-17 14:29:41 +00:00
Taus
f5b2eb94a6 Merge pull request #10783 from yoff/python/subscript-nodes 
Python: API graph improvements for subscripts
 2022-10-17 15:21:56 +02:00
sylwia-budzynska
0eb48969a0 Fix typo 2022-10-13 20:02:03 +02:00
Sylwia Budzynska
e291d61bc7 Add oracledb model 2022-10-13 18:08:47 +02:00
sylwia-budzynska
c33dd8fd4b Merge branch 'main' into python-db-models 2022-10-13 16:48:50 +02:00
Sylwia Budzynska
646c9b559b Add tests 2022-10-13 12:36:57 +02:00
Sylwia Budzynska
e41d79e37d Add python cx_oracle, phoenixdb, pyodbc models 2022-10-13 12:36:41 +02:00
Rasmus Lerchedahl Petersen
0b8e908823 Python: fix def nodes for subscript 
We were using `getMember` for dictionaries, these are now getIndex
Also add convenience predicate for string keys
 2022-10-12 20:13:48 +02:00
Jeroen Ketema
d389a183f0 Merge pull request #10743 from jsoref/spelling 
Spelling
 2022-10-12 12:48:22 +02:00
Rasmus Wriedt Larsen
b3f10311b3 Merge pull request #10752 from RasmusWL/pymssql 
Python: DB Modeling: Add `pymssql` and `executemany` in general
 2022-10-11 15:55:04 +02:00
erik-krogh
a826dbbdee fix capitalization in stack-trace-exposure 2022-10-11 13:59:10 +02:00
erik-krogh
4da0508dae Merge branch 'main' into py-last-msg 2022-10-11 10:49:19 +02:00
Josh Soref
21caa4b03f spelling: across 
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
 2022-10-11 00:23:35 -04:00
Rasmus Wriedt Larsen
dba42d6bb8 Python: Model executemany on PEP-249 DB APIs 
Note: I kept the modeling using the old approach with type-trackers
instead of `DataFlow::MethodCallNode`.

I would like a meta query for DCA to show sinks before doing this, so I
can be absolutely sure we don't loose out on any important sinks on
this... so will postpone this work to a small one-off task (added to my
todo list).
 2022-10-10 14:16:47 +02:00
Rasmus Wriedt Larsen
4ee71ae4a1 Python: Add support for pymssql package 
I also forgot to mention `PyMySQL` in frameworks.rst
 2022-10-10 14:02:40 +02:00
Rasmus Wriedt Larsen
4b1f6f0865 Merge pull request #10629 from RasmusWL/fix-flask-source 
Python: Fix flask request modeling
 2022-10-10 09:56:22 +02:00
erik-krogh
6fdfd40880 changes to address reviews 2022-10-07 22:31:00 +02:00
erik-krogh
944ca4a0da fix some more style-guide violations in the alert-messages 2022-10-07 11:23:34 +02:00
Rasmus Wriedt Larsen
05bca0249c Python: Expand test for py/flask-debug 
(I couldn't see one using positional argument)
 2022-10-04 20:39:08 +02:00
Rasmus Wriedt Larsen
d7be27a1c0 Python: Fix experimental py/ip-address-spoofing 
I realized the modeling was done in a non-recommended way, so I changed
the modeling. It was very nice that I could use API graphs for the flask
part, and a little sad when I couldn't for Django/Tornado.
 2022-10-03 21:19:30 +02:00
Rasmus Wriedt Larsen
b01a0ae696 Python: Adjust .expected after flask source change 
It's really hard to audit that this is all good.. I tried my best with
`icdiff` though -- and there is a problem with
ql/src/experimental/Security/CWE-348/ClientSuppliedIpUsedInSecurityCheck.ql
that needs to be fixed in the next commit
 2022-10-03 20:35:49 +02:00
Rasmus Wriedt Larsen
a0fcd4a9bf Merge pull request #10631 from RasmusWL/cleanup-options-files 
Python: Remove last `-p ../lib/` in `options` files
 2022-10-03 11:09:59 +02:00
Nick Rolfe
ed74e0aad1 JS/Python/Ruby: s/a HTML/an HTML/ 2022-09-30 10:37:52 +01:00
Rasmus Wriedt Larsen
ea27f4e20f Python: Remove last -p ../lib/ in options files 
These were only needed for points-to.

If they only contained `--max-import-depth`, I've removed the `options`
file entirely.
 2022-09-29 18:05:51 +02:00
erik-krogh
7675571daa fix RegExpEscape::getValue having multiple results for some escapes 2022-09-27 13:25:23 +02:00
Rasmus Wriedt Larsen
71da217b82 Merge pull request #10535 from RasmusWL/flask-jsonify 
Python: Model `flask.jsonify`
 2022-09-23 12:18:27 +02:00
Tom Hvitved
f4b82cb2e8 Python: Update expected test output 2022-09-22 15:01:40 +02:00