hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-01-13 14:34:45 +01:00
Code Issues Packages Projects Releases Wiki Activity
68,860 Commits 1,680 Branches 158 Tags
feb31d20064035ca8a676ed4ba7a8fb53963ba21
Commit Graph

1849 Commits

Author SHA1 Message Date
Rasmus Wriedt Larsen
f41d2a896c Merge pull request #16771 from porcupineyhairs/js2py 
Python : Arbitrary code execution due to Js2Py
 2024-07-11 15:31:57 +02:00
Rasmus Wriedt Larsen
5ecde387af Python: Fix .expected 2024-07-11 14:42:26 +02:00
Porcupiney Hairs
808af28618 Python : Arbitrary codde execution due to Js2Py 
Js2Py is a Javascript to Python translation library written in Python. It allows users to invoke JavaScript code directly from Python.
The Js2Py interpreter by default exposes the entire standard library to it's users. This can lead to security issues if a malicious input were directly.

This PR includes a CodeQL query along with a qhelp and testcases to detect cases where an untrusted input flows to an Js2Py eval call.

This query successfully detects CVE-2023-0297 in `pyload/pyload`along with it's fix.
The databases can be downloaded from the links bellow.
```
https://file.io/qrMEjSJJoTq1
https://filetransfer.io/data-package/a02eab7V#link
```
 2024-07-03 19:06:34 +05:30
Joe Farebrother
b81d41ba7b Add django header write models for direct subscript write 2024-07-01 11:26:54 +01:00
Joe Farebrother
6b8080a5b3 Update concept tests for header writes 2024-06-24 17:27:02 +01:00
am0o0
8a7fdfa6fe fix conflict 2024-06-18 17:18:59 +02:00
am0o0
b9edcb7943 rename secondary to remote :), complete the previous commit changes 2024-05-29 16:47:37 +02:00
Anders Schack-Mulligen
987d5712b8 Python: Accept qltest .expected file changes. 2024-05-22 15:43:49 +02:00
Rasmus Lerchedahl Petersen
a568873a8e Python: update test expectations 2024-05-17 10:59:49 +02:00
am0o0
37d33186e5 revert classRef deletion, fix secondaryserverCmdInjection expected test results 2024-05-13 15:02:04 +02:00
am0o0
90da07159e fix tests, chore on Find.ql 2024-05-10 08:51:23 +02:00
Joe Farebrother
ab23d0ad23 Merge branch 'main' into python-promote-header-injection 2024-05-08 13:49:00 +01:00
am0o0
8b93e815b9 minor test cases change: remove unused dict 2024-05-06 14:36:10 +02:00
amammad
c4a38d0a2f add twisted SSH client as secondary server command injection sinks, add proper test cases 2024-05-06 14:36:10 +02:00
amammad
0a765cc94a add jsonpickle and pexpect libs in case of unsafe decoding and secondary command execution, add proper test cases 2024-05-06 14:36:10 +02:00
amammad
7e93102097 finalize Secondary server command injection queries and tests. 2024-05-06 14:36:10 +02:00
amammad
4df73f9975 continue to convert paramiko query to a more general query, 
the proxy command is not a secondary command execution
so we can add proxy command to SystemCommandExecution::Range, update QLDocs,
add a proper Paramiko test case
fix a typo
 2024-05-06 14:36:10 +02:00
amammad
5fea71e5d6 convert paramiko query to SecondaryServerCmdInjection query, Add inline tests 2024-05-06 14:36:10 +02:00
Joe Farebrother
8fb2faa89b Add additional info to concept tests 2024-04-24 14:05:41 +01:00
Joe Farebrother
2b935e575a Add concept tests + fix typo 2024-04-24 14:05:41 +01:00
Joe Farebrother
cf8db4e425 Update instances of experimental concept to the main one, and anotate missing experimental test results. 2024-04-24 14:05:39 +01:00
Joe Farebrother
b9984beb16 Add test cases 2024-04-24 14:05:37 +01:00
Rasmus Wriedt Larsen
bb00d6919a Python: Move dataflow TestUtil to importable location 2024-04-23 09:40:59 +02:00
Rasmus Wriedt Larsen
ce711f7d2f Python: Move dataflow tests out of experimental 2024-04-23 09:40:44 +02:00
Taus
58eaddf627 Python: Update all .expected files 
I'm beginning to realise why I didn't do the `toString` overriding way
back when. Thankfully, now that all of our tests are in the same place,
this is actually not a terrible ordeal.
 2024-04-22 12:00:09 +00:00
Taus
1c68c987b0 Python: Change all remaining occurrences of StrConst 
Done using
```
git grep StrConst | xargs sed -i 's/StrConst/StringLiteral/g'
```
 2024-04-22 12:00:09 +00:00
Anders Schack-Mulligen
cbcdf1f8b5 Python: Update expected output (interesting). 2024-04-12 09:20:33 +02:00
Anders Schack-Mulligen
bfcfedab8c Python: Update expected output (uninteresting). 2024-04-12 09:20:30 +02:00
yoff
1048cf7c5e Merge pull request #15711 from RasmusWL/tt-content 
Python: Add type tracking for content
 2024-04-09 10:37:43 +02:00
yoff
c520cb6d58 Merge branch 'main' into python/test-MaD-keyword-argument 2024-03-22 10:56:08 +01:00
Rasmus Lerchedahl Petersen
eef60c9ad2 python: add test for "ReturnValue.TupleElement[0,1]" 
also synchronise files
 2024-03-22 10:54:12 +01:00
yoff
ee411cc53a Merge pull request #15936 from yoff/python/test-conflicting-summaries 
Python: No `fieldFlowBranchLimit` for `SummarizedCallable`s
 2024-03-19 16:56:56 +01:00
yoff
f025430431 Merge pull request #15319 from Sim4n6/main 
[Python] Add Unicode DoS (qhelp, tests and the query)
 2024-03-19 10:00:30 +01:00
Tom Hvitved
e53357d376 Update expected test output 2024-03-18 14:49:32 +01:00
Sim4n6
1af8167354 updated the .expected file 2024-03-18 13:26:20 +00:00
Tom Hvitved
a13391bda1 Merge pull request #15802 from hvitved/dataflow/variable-capture-overlapping-paths 
Variable capture: Avoid overlapping and false-positive data flow paths
 2024-03-18 10:45:55 +01:00
Rasmus Lerchedahl Petersen
2a0c451d2d python: No fieldFlowBranchLimit for SummarizedCallables 
Like https://github.com/github/codeql/pull/15689 for Ruby.
 2024-03-18 10:29:36 +01:00
Rasmus Lerchedahl Petersen
45c65b48aa python: make it a real package 
so python2 also respects it
 2024-03-18 08:49:31 +01:00
Rasmus Lerchedahl Petersen
cfbc3f73ec Pyhton: add test for conflicting summaries 
We noticed that when
- a function has more than one summary (with different charpred)
- one summary is subsumed by a subpath (or something happens around the function being extracted)
- the function is called multiple times(we needed at least three)
one of the summaries would no longer lead to flow.
 2024-03-15 15:13:39 +01:00
Sim4n6
3acdd3382c Update the expected file 2024-03-15 14:17:23 +01:00
Sim4n6
3d8868a6c3 Add routes for bad_5 and bad_6, and fix routes for good_3 and good_4 2024-03-15 14:17:23 +01:00
Sim4n6
342465057c Add Unicode DoS (CWE-770) 2024-03-15 14:17:23 +01:00
Rasmus Wriedt Larsen
7eb4419342 Python: Restrict type-tracking content to only be precise 
At least for now :)
 2024-03-15 10:24:57 +01:00
Rasmus Wriedt Larsen
6babb2ff90 Python: Accept .expected for typetracking-summaries 2024-03-15 10:24:33 +01:00
Rasmus Wriedt Larsen
7a3ee0f5f8 Python: Make IterableSequenceNode LocalSourceNode 
We do this to remove the inconsistencies, and to be ready for a future
where type-tracking support content tracker of depth > 1.

It works because targets of loadSteps needs to be LocalSourceNodes

predicate loadStep(Node nodeFrom, LocalSourceNode nodeTo, Content content) {
 2024-03-14 10:46:29 +01:00
Rasmus Wriedt Larsen
6ffaad1bc8 Python: Expand type-tracking tests with nested tuples 
I was initially surprised to see that this didn't work, until I
remembered that type-tracking only works with content of depth 1.
 2024-03-14 10:44:25 +01:00
Rasmus Wriedt Larsen
7de304bf16 Python: Add proper type-tracking tests for content 
Instead of just relying on the call-graph tests
 2024-03-14 10:43:28 +01:00
Rasmus Wriedt Larsen
fa0c4e18fc Python: Expand dict-content tt test even more 
While it might be useful to track content to any lookup, it's not
something we do right now.
 2024-03-14 10:43:28 +01:00
Rasmus Wriedt Larsen
4d78762ba8 Python: Ignore consistency failure 2024-03-14 10:43:28 +01:00
Rasmus Wriedt Larsen
8a7ffac19c Python: Accept consistency failure 2024-03-14 10:43:28 +01:00