hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-21 03:06:31 +01:00
Code Issues Packages Projects Releases Wiki Activity
29,686 Commits 1,672 Branches 157 Tags
fb1287d577d09cfd6710b51c466351e47fd624c4
Commit Graph

4503 Commits

Author SHA1 Message Date
Taus
8016715fb6 Python: Add missing QLDoc 2021-06-11 20:35:58 +00:00
Taus
3869ab76d1 Python: Promote shared type tracking library 
This was slightly messier than anticipated, as I hadn't accounted for
the dozen uses of `startInAttr` in our codebase. To circumvent this,
I decided to put the type tracking implementation in the `internal`
directory, and wrap it with a file that ensures the old interface still
works.
 2021-06-11 20:20:22 +00:00
Calum Grant
85467adc5e Merge pull request #5839 from github/security-severities5 
Add security-severity scores
 2021-06-11 15:56:20 +01:00
Rasmus Wriedt Larsen
53f7633662 Python: Model await request.post() as MultiDictProxy 
as highlight as being quite easy to do by @yoff 👍
 2021-06-11 14:53:30 +02:00
Rasmus Wriedt Larsen
dee93783a2 Python: Update .expected for py/weak-sensitive-data-hashing 
Now there is a path from the _imports_ of the functions that would
return sensitive data, so we produce more alerts.

I'm not entirely happy about this "double reporting", but I'm not sure
how to get around it without either:

1. disabling the extra taint-step for calls. Not ideal since we would
   loose good sources.
2. disabling the extra sources based on function name. Not ideal since
   we would loose good sources.
3. disabling the extra sources based on function name, for those calls
   that would be handled with the extra taint-step for calls. Not ideal
   since that would require running the data-flow query initially to
   prune these out :|

So for now, I think the best approach is to accept some risk on this,
and ship to learn :)
 2021-06-11 13:56:55 +02:00
Rasmus Wriedt Larsen
df67028a1d Python: Model aiohttp.StreamReader 2021-06-11 12:06:53 +02:00
Rasmus Wriedt Larsen
2d31ef7016 Python: Fix last TODOs in aiohttp tests 2021-06-11 12:00:02 +02:00
Rasmus Wriedt Larsen
64a0e3fd0a Merge branch 'main' into aiohttp-modeling 2021-06-11 11:42:24 +02:00
Rasmus Wriedt Larsen
8b8e1334cc Python: Fix syntax error 2021-06-11 11:42:14 +02:00
Rasmus Wriedt Larsen
46f7a2b572 Python: Apply suggestions from code review 
Co-authored-by: yoff <lerchedahl@gmail.com>
 2021-06-11 11:28:11 +02:00
Rasmus Wriedt Larsen
6f29b01abc Python: Model rsa 2021-06-11 11:23:06 +02:00
Rasmus Wriedt Larsen
40714c05b7 Python: Add tests for rsa PyPI package 2021-06-11 11:17:13 +02:00
Rasmus Wriedt Larsen
3d5f379b8c Merge branch 'main' into sensitive-improvements 2021-06-11 10:48:20 +02:00
Calum Grant
a594afb828 Add security-severity metadata 2021-06-10 20:11:08 +01:00
Taus
e7b9603c5b Merge pull request #6053 from RasmusWL/fix-tests 
Python: Fix tests
 2021-06-10 16:55:45 +02:00
Rasmus Wriedt Larsen
dd457f9641 Python: Fix tests 2021-06-10 15:58:56 +02:00
CodeQL CI
a241c114da Merge pull request #5836 from RasmusWL/ec-class-improvement 
Approved by tausbn
 2021-06-10 06:20:56 -07:00
Rasmus Wriedt Larsen
04db33513e Merge branch 'main' into sensitive-improvements 2021-06-10 15:11:09 +02:00
Rasmus Wriedt Larsen
ea0c1d7db3 Python: Better handling of sensitive functions 
This solution was the best I could come up with, but it _is_ a bit
brittle since you need to remember to add this additional taint step
to any configuration that relies on sensitive data sources... I don't
see an easy way around this though :|
 2021-06-10 15:08:21 +02:00
Rasmus Wriedt Larsen
f167143a84 Python: Use real config in TestSensitiveDataSources 
This will enable better tests in just one second
 2021-06-10 15:01:31 +02:00
Rasmus Wriedt Larsen
c341643ec1 Python: Add more tests for sensitive function handling 2021-06-10 14:36:05 +02:00
Rasmus Wriedt Larsen
eb4f168dd4 Python: Clarify SensitiveAttributeAccess 
The comment about imports was placed wrong. I also realized we didn't
even have a single test-case for
`this.(DataFlow::AttrRead).getAttributeNameExpr() = sensitiveLookupStringConst(classification)`
so I added that (notice that this is only `getattr(foo, x)` and not
`getattr(foo, "password")`)
 2021-06-10 14:09:47 +02:00
yoff
716627c1dd Merge pull request #5878 from RasmusWL/fix-concept-tests-pretty-print 
Python: Fix concept tests pretty print
 2021-06-10 11:21:08 +02:00
Taus
b14fa8b4cd Merge pull request #5925 from RasmusWL/pep249-import 
Python: Use absolute import for PEP249
 2021-06-09 18:32:28 +02:00
Rasmus Wriedt Larsen
aaddd36236 Python: Add another type-tracking attr test 
This one just works out of the box 💪
 2021-06-09 14:20:50 +02:00
Rasmus Wriedt Larsen
89cba216ca Python: Apply suggestions from code review 
Co-authored-by: Taus <tausbn@github.com>
 2021-06-09 14:15:59 +02:00
Rasmus Wriedt Larsen
dec6723183 Python: Minor refactor 
A bit too much copy paste 😄
 2021-06-09 12:19:11 +02:00
Rasmus Wriedt Larsen
fa6abea465 Python: Add modeling of jmespath 2021-06-09 12:14:35 +02:00
Rasmus Wriedt Larsen
5cdd60d0d6 Python: Add jmespath tests 2021-06-09 12:12:50 +02:00
Rasmus Wriedt Larsen
3d2de03674 Python: Add type-tracking test for attr set in function 2021-06-08 19:03:53 +02:00
Rasmus Wriedt Larsen
dcd448b743 Python: Refactor formatting 2021-06-08 19:03:53 +02:00
Rasmus Wriedt Larsen
09de1bcf44 Python: Add tests for type-tracking attrs on instances 2021-06-08 19:03:53 +02:00
Rasmus Wriedt Larsen
7c758f5c81 Python: Add change-note for twisted 2021-06-08 16:20:29 +02:00
Rasmus Wriedt Larsen
afd35f2e21 Python: Fix wording of change-note 
`aiohttp.web` is a web _framework_, and not a web _server_.
 2021-06-08 16:19:25 +02:00
Rasmus Wriedt Larsen
23f668f8ee Python: Model redirects in twisted 2021-06-08 16:16:56 +02:00
Rasmus Wriedt Larsen
a21039170b Python: Model (most of) twisted 2021-06-08 16:11:18 +02:00
Rasmus Wriedt Larsen
151a733ff2 Python: Add tests for twisted 
These were largely based on the old tests in
6011cb74f8/python/ql/test/library-tests/web/twisted/test.py
 2021-06-08 15:27:51 +02:00
Rasmus Wriedt Larsen
3819a361b5 Python: Autoformat 2021-06-07 14:16:33 +02:00
Rasmus Wriedt Larsen
e82ad6fc22 Python: Add missing QLDoc 2021-06-07 10:13:26 +02:00
Rasmus Wriedt Larsen
9dcb26d151 Python: Autoformat 
I had not set up the pre-commit hook properly
 2021-06-07 10:05:48 +02:00
Rasmus Wriedt Larsen
7f119dd5a9 Python: Add change-note 2021-06-04 15:27:36 +02:00
Rasmus Wriedt Larsen
350f79e1e1 Python: Model sensitive data based on variable names 2021-06-04 11:28:07 +02:00
Rasmus Wriedt Larsen
f5fd0f8d1c Python: Model sensitive data based on parameter names 2021-06-04 11:28:07 +02:00
Rasmus Wriedt Larsen
925e67d734 Python: Model sensitive data from subscripts 2021-06-04 11:28:07 +02:00
Rasmus Wriedt Larsen
d6532e280a Python: minor cleanup in SensitiveDataSources 2021-06-04 11:28:07 +02:00
Rasmus Wriedt Larsen
00a71a1c41 Python: Port sensitive data modeling 
No longer using points-to 🎉
 2021-06-04 11:28:07 +02:00
Rasmus Wriedt Larsen
3b68c87b6c Python: Add sensitive data test-cases 2021-06-03 13:38:29 +02:00
Rasmus Wriedt Larsen
79bef11cf7 Python: Use "new" SensitiveDataHeuristics 2021-06-03 12:10:29 +02:00
Rasmus Wriedt Larsen
e9acea8643 Python: Improve multidict modeling 2021-06-03 11:50:49 +02:00
Rasmus Wriedt Larsen
2e851cd5f0 Python: Improve yarl.URL modeling 2021-06-03 11:38:15 +02:00