hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-21 03:06:31 +01:00
Code Issues Packages Projects Releases Wiki Activity
18,550 Commits 1,672 Branches 157 Tags
f95c480b51018ffedb693bcf90da5350b652fdfc
Commit Graph

33 Commits

Author SHA1 Message Date
Taus Brock-Nannestad
f903e4ffbe Python: Promote experimental queries 
DO NOT MERGE

Also adds performance fix to `python.qll`.
 2020-10-30 19:40:56 +01:00
Rasmus Lerchedahl Petersen
80360450de Merge branch 'main' of github.com:github/codeql into RasmusWL-python-port-reflected-xss 2020-10-30 17:56:36 +01:00
Rasmus Lerchedahl Petersen
c4d1affaf8 Python: Suggestions from reviewer 2020-10-23 16:57:11 +02:00
yoff
15167753c6 Apply suggestions from code review 
Co-authored-by: Taus <tausbn@github.com>
 2020-10-23 16:52:13 +02:00
Rasmus Lerchedahl Petersen
6317db1622 Python: Reword explanation (slightly) 2020-10-23 15:54:52 +02:00
Rasmus Lerchedahl Petersen
9eda84debb Python: PathCheck -> Path::SafeAccessCheck 2020-10-23 15:01:43 +02:00
Rasmus Lerchedahl Petersen
cf8462fa58 Python: Simplify chained configs 2020-10-23 14:52:47 +02:00
Rasmus Wriedt Larsen
082e35c2c7 Python: Model mimetype instead of content-type for HTTP Response 
Since that's really what we're after (at least for now)
 2020-10-23 14:31:33 +02:00
Rasmus Wriedt Larsen
8aaa36bd99 Python: Port ReflectedXss query (and tests) 2020-10-23 14:31:25 +02:00
yoff
462e839a83 Update python/ql/src/experimental/Security-new-dataflow/CWE-022/PathInjection.ql 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2020-10-23 13:35:13 +02:00
Rasmus Lerchedahl Petersen
f88cc3c98e Python: Use custom PathGraph 2020-10-23 01:10:21 +02:00
Rasmus Lerchedahl Petersen
8ce5f41366 Python: Fix source of second part of path 2020-10-22 12:20:50 +02:00
Rasmus Lerchedahl Petersen
8549c9cfde Python: Rewrite logic to split on nomalization 2020-10-22 11:35:55 +02:00
Rasmus Lerchedahl Petersen
4570c29a11 Python: port query 2020-10-21 21:40:42 +02:00
Rasmus Lerchedahl Petersen
f17720f587 Python: Add test and fix filename 2020-10-19 10:58:57 +02:00
Rasmus Lerchedahl Petersen
d76b2c0023 Python: Add concept and port query 2020-10-19 10:58:57 +02:00
Rasmus Lerchedahl Petersen
ef32488596 Merge branch 'main' of github.com:github/codeql into python-port-unsafe-deserialization 2020-10-15 15:45:35 +02:00
CodeQL CI
ab7d28b3fb Merge pull request #4482 from RasmusWL/promote-script 
Approved by tausbn
 2020-10-15 06:15:55 -07:00
Rasmus Wriedt Larsen
43cee8567c Python: Add script to promote experimental security queries 2020-10-15 13:25:01 +02:00
Rasmus Lerchedahl Petersen
172e058438 Python: unsafe -> mayExecuteInput 2020-10-15 12:56:29 +02:00
Rasmus Wriedt Larsen
ce967e1249 Merge branch 'main' into python-model-python2-specific-command-execution 2020-10-15 10:00:02 +02:00
Rasmus Lerchedahl Petersen
93383747bd Python: Use more common name for concept 2020-10-14 09:28:58 +02:00
Rasmus Lerchedahl Petersen
4685f2d5f2 Python: Address many review comments 
still need to move concept tests
 2020-10-13 12:03:23 +02:00
yoff
433a36225b Apply suggestions from code review 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2020-10-12 15:26:53 +02:00
Rasmus Lerchedahl Petersen
0d8bd01e10 Python: Port query and add test 2020-10-09 16:11:37 +02:00
Rasmus Wriedt Larsen
0b0763953e Python: Update description of CodeInjection 
Co-authored-by: intrigus-lgtm <60750685+intrigus-lgtm@users.noreply.github.com>
 2020-10-08 11:15:36 +02:00
Rasmus Wriedt Larsen
0af86cba50 Python: Port CodeInjection query 
and the dummy test-case we already have
 2020-10-07 18:47:23 +02:00
Rasmus Wriedt Larsen
7721db206e Python: Don't double report paths for platform.popen and popen2.* 
I was a bit surprised that we hadn't double reported for popen2, but it turns
out that the implementation (at least on unix) looks like:

```
def popen2(cmd, bufsize=-1, mode='t'):
    ... = Popen3(cmd, False, bufsize)
    ...
```

but since the modeling I did only considers calls to `Popen3` only if it has
been imported from the `popen2` module, we don't consider that call as a sink.
 2020-10-07 10:57:31 +02:00
Rasmus Wriedt Larsen
eb67986916 Python: Exlucde only command injection sinks in os and subprocess 2020-10-02 14:11:07 +02:00
Rasmus Wriedt Larsen
de07d9e5d9 Python: Highlight that os.popen is not only problem for extra alerts 2020-10-02 13:34:33 +02:00
Rasmus Wriedt Larsen
3247b300ae Python: Fix problem with missing use-use flow 2020-10-01 12:55:11 +02:00
Rasmus Wriedt Larsen
9c1253c8af Python: Remove flow out of CommandInjection sinks 2020-09-30 13:29:40 +02:00
Rasmus Wriedt Larsen
2bdd0284dc Python: Port py-command-line-injection with new dataflow 2020-09-22 16:28:23 +02:00