mirror of
https://github.com/github/codeql.git
synced 2026-06-30 17:15:34 +02:00
Compare commits
17 Commits
tausbn/pyt
...
unified/dc
| Author | SHA1 | Date | |
|---|---|---|---|
|
58bb4c2f4d | ||
|
|
7ee7d670e2 | ||
|
|
0891d91df7 | ||
|
|
2b2613de4e | ||
|
|
cacdc467de | ||
|
|
7b800b1dd6 | ||
|
|
3d1b6b64ed | ||
|
|
5fcaac7cb2 | ||
|
|
336df3ccf4 | ||
|
|
456e33773b | ||
|
|
d1d9df7729 | ||
|
|
9bffcf81b5 | ||
|
|
f7c4e61956 | ||
|
|
575ece6ae2 | ||
|
|
f6ed5c19be | ||
|
|
4298b70f1c | ||
|
|
e88b8c53f3 |
@@ -1,5 +1,5 @@
|
||||
name: codeql/actions-all
|
||||
version: 0.4.38
|
||||
version: 0.4.39-dev
|
||||
library: true
|
||||
warnOnImplicitThis: true
|
||||
dependencies:
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/actions-queries
|
||||
version: 0.6.30
|
||||
version: 0.6.31-dev
|
||||
library: false
|
||||
warnOnImplicitThis: true
|
||||
groups: [actions, queries]
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/cpp-all
|
||||
version: 11.0.0
|
||||
version: 11.0.1-dev
|
||||
groups: cpp
|
||||
dbscheme: semmlecode.cpp.dbscheme
|
||||
extractor: cpp
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/cpp-queries
|
||||
version: 1.6.5
|
||||
version: 1.6.6-dev
|
||||
groups:
|
||||
- cpp
|
||||
- queries
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/csharp-solorigate-all
|
||||
version: 1.7.69
|
||||
version: 1.7.70-dev
|
||||
groups:
|
||||
- csharp
|
||||
- solorigate
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/csharp-solorigate-queries
|
||||
version: 1.7.69
|
||||
version: 1.7.70-dev
|
||||
groups:
|
||||
- csharp
|
||||
- solorigate
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/csharp-all
|
||||
version: 7.0.0
|
||||
version: 7.0.1-dev
|
||||
groups: csharp
|
||||
dbscheme: semmlecode.csharp.dbscheme
|
||||
extractor: csharp
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/csharp-queries
|
||||
version: 1.7.5
|
||||
version: 1.7.6-dev
|
||||
groups:
|
||||
- csharp
|
||||
- queries
|
||||
|
||||
@@ -10,7 +10,7 @@ toolchain go1.26.4
|
||||
// bazel mod tidy
|
||||
require (
|
||||
golang.org/x/mod v0.37.0
|
||||
golang.org/x/tools v0.46.0
|
||||
golang.org/x/tools v0.47.0
|
||||
)
|
||||
|
||||
require github.com/stretchr/testify v1.11.1
|
||||
|
||||
@@ -10,8 +10,8 @@ golang.org/x/mod v0.37.0 h1:vF1DjpVEshcIqoEaauuHebaLk1O1forxjxBaVn884JQ=
|
||||
golang.org/x/mod v0.37.0/go.mod h1:m8S8VeM9r4dzDwjrKO0a1sZP3YjeMamRRlD+fmR2Q/0=
|
||||
golang.org/x/sync v0.21.0 h1:HLII4xRRTtCRkxYp4HNFF0Js/Og6q2i++KXbg0gHCwM=
|
||||
golang.org/x/sync v0.21.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
|
||||
golang.org/x/tools v0.46.0 h1:7jTurBkPZu4moS/Uy4OQT1M+QBlsj3wejyZwsT8Z7rk=
|
||||
golang.org/x/tools v0.46.0/go.mod h1:FrD85F8l+NWL+9XWBSyVSHO6Ne4jutsfIFba7AWQ5Ys=
|
||||
golang.org/x/tools v0.47.0 h1:7Kn5x/d1svx/PzryTsqeoZN4TZwqeH5pGWjefhLi/1Q=
|
||||
golang.org/x/tools v0.47.0/go.mod h1:dFHnyTvFWY212G+h7ZY4Vsp/K3U4/7W9TyVaAul8uCA=
|
||||
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
|
||||
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
|
||||
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql-go-consistency-queries
|
||||
version: 1.0.52
|
||||
version: 1.0.53-dev
|
||||
groups:
|
||||
- go
|
||||
- queries
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/go-all
|
||||
version: 7.2.0
|
||||
version: 7.2.1-dev
|
||||
groups: go
|
||||
dbscheme: go.dbscheme
|
||||
extractor: go
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/go-queries
|
||||
version: 1.6.5
|
||||
version: 1.6.6-dev
|
||||
groups:
|
||||
- go
|
||||
- queries
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/java-all
|
||||
version: 9.2.0
|
||||
version: 9.2.1-dev
|
||||
groups: java
|
||||
dbscheme: config/semmlecode.dbscheme
|
||||
extractor: java
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/java-queries
|
||||
version: 1.11.5
|
||||
version: 1.11.6-dev
|
||||
groups:
|
||||
- java
|
||||
- queries
|
||||
|
||||
@@ -0,0 +1,4 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Added support for Angular's `@HostListener('window:message', ...)` and `@HostListener('document:message', ...)` decorators as `postMessage` event handlers. The decorated method's event parameter is now recognized as a client-side remote flow source, and is considered by the `js/missing-origin-check` query.
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/javascript-all
|
||||
version: 2.8.0
|
||||
version: 2.8.1-dev
|
||||
groups: javascript
|
||||
dbscheme: semmlecode.javascript.dbscheme
|
||||
extractor: javascript
|
||||
|
||||
@@ -195,6 +195,18 @@ class PostMessageEventHandler extends Function {
|
||||
rhs = DataFlow::globalObjectRef().getAPropertyWrite("onmessage").getRhs() and
|
||||
rhs.getABoundFunctionValue(paramIndex).getFunction() = this
|
||||
)
|
||||
or
|
||||
// Angular's `@HostListener('window:message', ['$event'])` decorator registers
|
||||
// a method as a `message` event handler on the global `window` or `document`
|
||||
// target. The decorated method receives the `MessageEvent` as its first
|
||||
// parameter, so it is equivalent to `window.addEventListener('message', ...)`.
|
||||
exists(MethodDefinition method, DataFlow::CallNode decorator |
|
||||
decorator = DataFlow::moduleMember("@angular/core", "HostListener").getACall() and
|
||||
decorator = method.getADecorator().getExpression().flow() and
|
||||
decorator.getArgument(0).mayHaveStringValue(["window:message", "document:message"]) and
|
||||
method.getBody() = this and
|
||||
paramIndex = 0
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/javascript-queries
|
||||
version: 2.4.0
|
||||
version: 2.4.1-dev
|
||||
groups:
|
||||
- javascript
|
||||
- queries
|
||||
|
||||
@@ -0,0 +1,29 @@
|
||||
import { Component, HostListener } from '@angular/core';
|
||||
|
||||
@Component({ selector: 'app-root' })
|
||||
class AngularComponent {
|
||||
// Angular registers this as a `window` message handler via the decorator,
|
||||
// equivalent to `window.addEventListener('message', ...)`.
|
||||
@HostListener('window:message', ['$event'])
|
||||
onWindowMessage(event: MessageEvent): void { // $ Alert - no origin check
|
||||
eval(event.data);
|
||||
}
|
||||
|
||||
@HostListener('document:message', ['$event'])
|
||||
onDocumentMessage(event: MessageEvent): void { // $ Alert - no origin check
|
||||
eval(event.data);
|
||||
}
|
||||
|
||||
@HostListener('window:message', ['$event'])
|
||||
onCheckedMessage(event: MessageEvent): void { // OK - has an origin check
|
||||
if (event.origin === 'https://www.example.com') {
|
||||
eval(event.data);
|
||||
}
|
||||
}
|
||||
|
||||
// Not a message event, so it is not a postMessage handler.
|
||||
@HostListener('window:resize', ['$event'])
|
||||
onResize(event: MessageEvent): void { // OK - not a message handler
|
||||
eval(event.data);
|
||||
}
|
||||
}
|
||||
@@ -1,3 +1,5 @@
|
||||
| Angular.ts:8:19:8:23 | event | Postmessage handler has no origin check. |
|
||||
| Angular.ts:13:21:13:25 | event | Postmessage handler has no origin check. |
|
||||
| tst.js:11:20:11:24 | event | Postmessage handler has no origin check. |
|
||||
| tst.js:24:27:24:27 | e | Postmessage handler has no origin check. |
|
||||
| tst.js:40:27:40:27 | e | Postmessage handler has no origin check. |
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
name: codeql/suite-helpers
|
||||
version: 1.0.52
|
||||
version: 1.0.53-dev
|
||||
groups: shared
|
||||
warnOnImplicitThis: true
|
||||
|
||||
@@ -0,0 +1,4 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* `Flask::FlaskApp::instance()` will now also return instances of subclasses defined in the source tree. Previously, these were filtered out. `Flask::FlaskApp::classRef()` has been deprecated in favor of `Flask::FlaskApp::subclassRef()` since it already returned some subclasses.
|
||||
@@ -1,5 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
|
||||
- Temporarily disabled the `instanceFieldStep` disjunct of the internal `TypeTrackingInput::levelStepCall` predicate, which was introduced in 7.2.0 and caused catastrophic query slowdowns on some OOP-heavy Python codebases (e.g. `mypy` and `dask`).
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/python-all
|
||||
version: 7.2.0
|
||||
version: 7.2.1-dev
|
||||
groups: python
|
||||
dbscheme: semmlecode.python.dbscheme
|
||||
extractor: python
|
||||
|
||||
@@ -170,13 +170,7 @@ module TypeTrackingInput implements Shared::TypeTrackingInput<Location> {
|
||||
|
||||
/** Holds if there is a level step from `nodeFrom` to `nodeTo`, which may depend on the call graph. */
|
||||
predicate levelStepCall(Node nodeFrom, LocalSourceNode nodeTo) {
|
||||
// HOTFIX: `instanceFieldStep` is temporarily disabled (via `and none()`).
|
||||
// It uses `classInstanceTracker(cls)` -- itself a type-tracker run --
|
||||
// from inside `levelStepCall`, creating a structural mutual recursion
|
||||
// that causes catastrophic query slowdowns on some OOP-heavy Python
|
||||
// codebases (e.g. mypy and dask). The `and none()` should be removed
|
||||
// once that recursion is redesigned.
|
||||
instanceFieldStep(nodeFrom, nodeTo) and none()
|
||||
instanceFieldStep(nodeFrom, nodeTo)
|
||||
or
|
||||
inheritedFieldStep(nodeFrom, nodeTo)
|
||||
}
|
||||
|
||||
@@ -71,14 +71,21 @@ module Flask {
|
||||
* See https://flask.palletsprojects.com/en/1.1.x/api/#flask.Flask.
|
||||
*/
|
||||
module FlaskApp {
|
||||
/** Gets a reference to the `flask.Flask` class. */
|
||||
API::Node classRef() {
|
||||
result = API::moduleImport("flask").getMember("Flask") or
|
||||
/**
|
||||
* Gets a reference to the `flask.Flask` class or any subclass.
|
||||
*
|
||||
* Deprecated: Use `subclassRef()` instead, this predicate always returned some subclasses.
|
||||
*/
|
||||
deprecated API::Node classRef() { result = subclassRef() }
|
||||
|
||||
/** Gets a reference to the `flask.Flask` class or any subclass. */
|
||||
API::Node subclassRef() {
|
||||
result = API::moduleImport("flask").getMember("Flask").getASubclass*() or
|
||||
result = ModelOutput::getATypeNode("flask.Flask~Subclass").getASubclass*()
|
||||
}
|
||||
|
||||
/** Gets a reference to an instance of `flask.Flask` (a flask application). */
|
||||
API::Node instance() { result = classRef().getReturn() }
|
||||
API::Node instance() { result = subclassRef().getReturn() }
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -132,7 +139,7 @@ module Flask {
|
||||
API::Node classRef() {
|
||||
result = API::moduleImport("flask").getMember("Response")
|
||||
or
|
||||
result = [FlaskApp::classRef(), FlaskApp::instance()].getMember("response_class")
|
||||
result = [FlaskApp::subclassRef(), FlaskApp::instance()].getMember("response_class")
|
||||
or
|
||||
result = ModelOutput::getATypeNode("flask.Response~Subclass").getASubclass*()
|
||||
}
|
||||
|
||||
@@ -351,7 +351,7 @@ class DjangoHttpRequest extends FindSubclassesSpec {
|
||||
class FlaskClass extends FindSubclassesSpec {
|
||||
FlaskClass() { this = "flask.Flask~Subclass" }
|
||||
|
||||
override API::Node getAlreadyModeledClass() { result = Flask::FlaskApp::classRef() }
|
||||
override API::Node getAlreadyModeledClass() { result = Flask::FlaskApp::subclassRef() }
|
||||
}
|
||||
|
||||
class FlaskBlueprint extends FindSubclassesSpec {
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/python-queries
|
||||
version: 1.8.5
|
||||
version: 1.8.6-dev
|
||||
groups:
|
||||
- python
|
||||
- queries
|
||||
|
||||
29
python/ql/test/experimental/meta/InlineInstanceTest.qll
Normal file
29
python/ql/test/experimental/meta/InlineInstanceTest.qll
Normal file
@@ -0,0 +1,29 @@
|
||||
/**
|
||||
* Defines an InlineExpectationsTest for class instances, that is,
|
||||
* for any API::Node that is an instance of a class (e.g. `Flask`).
|
||||
*/
|
||||
|
||||
import python
|
||||
import semmle.python.ApiGraphs
|
||||
import utils.test.InlineExpectationsTest
|
||||
private import semmle.python.dataflow.new.internal.PrintNode
|
||||
|
||||
signature API::Node getInstanceSig();
|
||||
|
||||
module MakeInlineInstanceTest<getInstanceSig/0 getInstance> {
|
||||
private module InlineInstanceTest implements TestSig {
|
||||
string getARelevantTag() { result = "instance" }
|
||||
|
||||
predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
exists(location.getFile().getRelativePath()) and
|
||||
exists(API::Node instance | instance = getInstance() |
|
||||
location = instance.getLocation() and
|
||||
element = prettyNode(instance.asSource()) and
|
||||
value = "" and
|
||||
tag = "instance"
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
import MakeTest<InlineInstanceTest>
|
||||
}
|
||||
@@ -157,7 +157,7 @@ class MyClass2(object):
|
||||
print(self.foo) # $ tracked MISSING: tracked=foo
|
||||
|
||||
instance = MyClass2()
|
||||
print(instance.foo) # $ MISSING: tracked=foo tracked
|
||||
print(instance.foo) # $ tracked MISSING: tracked=foo
|
||||
instance.print_foo() # $ MISSING: tracked=foo
|
||||
|
||||
|
||||
@@ -195,7 +195,7 @@ class Sub1(Base1):
|
||||
|
||||
sub1 = Sub1()
|
||||
sub1.read_foo()
|
||||
print(sub1.foo) # $ MISSING: tracked=foo tracked
|
||||
print(sub1.foo) # $ tracked MISSING: tracked=foo
|
||||
|
||||
|
||||
# attribute written in a subclass method, read in an inherited base class method
|
||||
@@ -210,7 +210,7 @@ class Sub2(Base2):
|
||||
|
||||
sub2 = Sub2()
|
||||
sub2.read_bar()
|
||||
print(sub2.bar) # $ MISSING: tracked=bar tracked
|
||||
print(sub2.bar) # $ tracked MISSING: tracked=bar
|
||||
|
||||
|
||||
# attribute written in a base class method, read on an instance of the subclass
|
||||
@@ -223,4 +223,4 @@ class Sub3(Base3):
|
||||
pass
|
||||
|
||||
sub3 = Sub3()
|
||||
print(sub3.baz) # $ MISSING: tracked=baz tracked
|
||||
print(sub3.baz) # $ tracked MISSING: tracked=baz
|
||||
|
||||
@@ -0,0 +1,8 @@
|
||||
import python
|
||||
import semmle.python.frameworks.Flask
|
||||
import semmle.python.ApiGraphs
|
||||
import experimental.meta.InlineInstanceTest
|
||||
|
||||
API::Node getInstance() { result = Flask::FlaskApp::instance() }
|
||||
|
||||
import MakeInlineInstanceTest<getInstance/0>
|
||||
@@ -0,0 +1,14 @@
|
||||
from flask import Flask
|
||||
|
||||
|
||||
class Sub(Flask):
|
||||
def __init__(self, *args, **kwargs):
|
||||
Flask.__init__(self, *args, **kwargs)
|
||||
|
||||
|
||||
app = Sub(__name__) # $ instance
|
||||
|
||||
|
||||
@app.route("/") # $ routeSetup="/"
|
||||
def hello(): # $ requestHandler
|
||||
return "world" # $ HttpResponse
|
||||
@@ -1,7 +1,7 @@
|
||||
import flask
|
||||
|
||||
from flask import Flask, request, make_response
|
||||
app = Flask(__name__)
|
||||
app = Flask(__name__) # $ instance
|
||||
|
||||
@app.route("/") # $ routeSetup="/"
|
||||
def hello_world(): # $ requestHandler
|
||||
|
||||
@@ -3,7 +3,7 @@ import json
|
||||
from flask import Flask, make_response, jsonify, Response, request, redirect
|
||||
from werkzeug.datastructures import Headers
|
||||
|
||||
app = Flask(__name__)
|
||||
app = Flask(__name__) # $ instance
|
||||
|
||||
|
||||
@app.route("/html1") # $ routeSetup="/html1"
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
import flask
|
||||
|
||||
from flask import Flask, make_response
|
||||
app = Flask(__name__)
|
||||
app = Flask(__name__) # $ instance
|
||||
|
||||
|
||||
SOME_ROUTE = "/some/route"
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
from flask import Flask, request
|
||||
app = Flask(__name__)
|
||||
app = Flask(__name__) # $ instance
|
||||
|
||||
@app.route("/save-uploaded-file") # $ routeSetup="/save-uploaded-file"
|
||||
def test_taint(): # $ requestHandler
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
from flask import Flask, request, render_template_string, stream_template_string
|
||||
app = Flask(__name__)
|
||||
app = Flask(__name__) # $ instance
|
||||
|
||||
@app.route("/test_taint/<name>/<int:number>") # $ routeSetup="/test_taint/<name>/<int:number>"
|
||||
def test_taint(name = "World!", number="0", foo="foo"): # $ requestHandler routedParameter=name routedParameter=number
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
from flask import Flask, Response, stream_with_context, render_template_string, stream_template_string
|
||||
app = Flask(__name__)
|
||||
app = Flask(__name__) # $ instance
|
||||
|
||||
@app.route("/a") # $ routeSetup="/a"
|
||||
def a(): # $ requestHandler
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
#select
|
||||
| app.py:23:20:23:24 | ControlFlowNode for query | app.py:20:18:20:21 | ControlFlowNode for name | app.py:23:20:23:24 | ControlFlowNode for query | This SQL query depends on a $@. | app.py:20:18:20:21 | ControlFlowNode for name | user-provided value |
|
||||
| app.py:30:20:30:24 | ControlFlowNode for query | app.py:27:19:27:22 | ControlFlowNode for name | app.py:30:20:30:24 | ControlFlowNode for query | This SQL query depends on a $@. | app.py:27:19:27:22 | ControlFlowNode for name | user-provided value |
|
||||
| app.py:37:20:37:24 | ControlFlowNode for query | app.py:34:19:34:22 | ControlFlowNode for name | app.py:37:20:37:24 | ControlFlowNode for query | This SQL query depends on a $@. | app.py:34:19:34:22 | ControlFlowNode for name | user-provided value |
|
||||
| app.py:44:20:44:24 | ControlFlowNode for query | app.py:41:19:41:22 | ControlFlowNode for name | app.py:44:20:44:24 | ControlFlowNode for query | This SQL query depends on a $@. | app.py:41:19:41:22 | ControlFlowNode for name | user-provided value |
|
||||
| app.py:51:20:51:24 | ControlFlowNode for query | app.py:48:19:48:22 | ControlFlowNode for name | app.py:51:20:51:24 | ControlFlowNode for query | This SQL query depends on a $@. | app.py:48:19:48:22 | ControlFlowNode for name | user-provided value |
|
||||
| sql_injection.py:21:24:21:77 | ControlFlowNode for BinaryExpr | sql_injection.py:14:15:14:22 | ControlFlowNode for username | sql_injection.py:21:24:21:77 | ControlFlowNode for BinaryExpr | This SQL query depends on a $@. | sql_injection.py:14:15:14:22 | ControlFlowNode for username | user-provided value |
|
||||
@@ -24,6 +25,8 @@ edges
|
||||
| app.py:21:5:21:9 | ControlFlowNode for query | app.py:23:20:23:24 | ControlFlowNode for query | provenance | |
|
||||
| app.py:27:19:27:22 | ControlFlowNode for name | app.py:28:5:28:9 | ControlFlowNode for query | provenance | |
|
||||
| app.py:28:5:28:9 | ControlFlowNode for query | app.py:30:20:30:24 | ControlFlowNode for query | provenance | |
|
||||
| app.py:34:19:34:22 | ControlFlowNode for name | app.py:35:5:35:9 | ControlFlowNode for query | provenance | |
|
||||
| app.py:35:5:35:9 | ControlFlowNode for query | app.py:37:20:37:24 | ControlFlowNode for query | provenance | |
|
||||
| app.py:41:19:41:22 | ControlFlowNode for name | app.py:42:5:42:9 | ControlFlowNode for query | provenance | |
|
||||
| app.py:42:5:42:9 | ControlFlowNode for query | app.py:44:20:44:24 | ControlFlowNode for query | provenance | |
|
||||
| app.py:48:19:48:22 | ControlFlowNode for name | app.py:49:5:49:9 | ControlFlowNode for query | provenance | |
|
||||
@@ -51,6 +54,9 @@ nodes
|
||||
| app.py:27:19:27:22 | ControlFlowNode for name | semmle.label | ControlFlowNode for name |
|
||||
| app.py:28:5:28:9 | ControlFlowNode for query | semmle.label | ControlFlowNode for query |
|
||||
| app.py:30:20:30:24 | ControlFlowNode for query | semmle.label | ControlFlowNode for query |
|
||||
| app.py:34:19:34:22 | ControlFlowNode for name | semmle.label | ControlFlowNode for name |
|
||||
| app.py:35:5:35:9 | ControlFlowNode for query | semmle.label | ControlFlowNode for query |
|
||||
| app.py:37:20:37:24 | ControlFlowNode for query | semmle.label | ControlFlowNode for query |
|
||||
| app.py:41:19:41:22 | ControlFlowNode for name | semmle.label | ControlFlowNode for name |
|
||||
| app.py:42:5:42:9 | ControlFlowNode for query | semmle.label | ControlFlowNode for query |
|
||||
| app.py:44:20:44:24 | ControlFlowNode for query | semmle.label | ControlFlowNode for query |
|
||||
|
||||
@@ -31,10 +31,10 @@ async def unsafe2(name: str): # $ Source
|
||||
cursor.close()
|
||||
|
||||
@app.get("/unsafe3/")
|
||||
async def unsafe3(name: str): # $ MISSING: Source
|
||||
async def unsafe3(name: str): # $ Source
|
||||
query = "select * from users where name=" + name
|
||||
cursor = hdb_con3.cursor()
|
||||
cursor.execute(query) # $ MISSING: Alert
|
||||
cursor.execute(query) # $ Alert
|
||||
cursor.close()
|
||||
|
||||
@app.get("/unsafe4/")
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/ruby-all
|
||||
version: 6.0.0
|
||||
version: 6.0.1-dev
|
||||
groups: ruby
|
||||
extractor: ruby
|
||||
dbscheme: ruby.dbscheme
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/ruby-queries
|
||||
version: 1.6.5
|
||||
version: 1.6.6-dev
|
||||
groups:
|
||||
- ruby
|
||||
- queries
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/rust-all
|
||||
version: 0.2.16
|
||||
version: 0.2.17-dev
|
||||
groups: rust
|
||||
extractor: rust
|
||||
dbscheme: rust.dbscheme
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/rust-queries
|
||||
version: 0.1.37
|
||||
version: 0.1.38-dev
|
||||
groups:
|
||||
- rust
|
||||
- queries
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/concepts
|
||||
version: 0.0.26
|
||||
version: 0.0.27-dev
|
||||
groups: shared
|
||||
library: true
|
||||
dependencies:
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/controlflow
|
||||
version: 2.0.36
|
||||
version: 2.0.37-dev
|
||||
groups: shared
|
||||
library: true
|
||||
dependencies:
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/dataflow
|
||||
version: 2.1.8
|
||||
version: 2.1.9-dev
|
||||
groups: shared
|
||||
library: true
|
||||
dependencies:
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/mad
|
||||
version: 1.0.52
|
||||
version: 1.0.53-dev
|
||||
groups: shared
|
||||
library: true
|
||||
dependencies:
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/namebinding
|
||||
version: 0.0.1
|
||||
version: 0.0.2-dev
|
||||
groups: shared
|
||||
library: true
|
||||
dependencies:
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/quantum
|
||||
version: 0.0.30
|
||||
version: 0.0.31-dev
|
||||
groups: shared
|
||||
library: true
|
||||
dependencies:
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/rangeanalysis
|
||||
version: 1.0.52
|
||||
version: 1.0.53-dev
|
||||
groups: shared
|
||||
library: true
|
||||
dependencies:
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/regex
|
||||
version: 1.0.52
|
||||
version: 1.0.53-dev
|
||||
groups: shared
|
||||
library: true
|
||||
dependencies:
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/ssa
|
||||
version: 2.0.28
|
||||
version: 2.0.29-dev
|
||||
groups: shared
|
||||
library: true
|
||||
dependencies:
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/threat-models
|
||||
version: 1.0.52
|
||||
version: 1.0.53-dev
|
||||
library: true
|
||||
groups: shared
|
||||
dataExtensions:
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
name: codeql/tutorial
|
||||
description: Library for the CodeQL detective tutorials, helping new users learn to
|
||||
write CodeQL queries.
|
||||
version: 1.0.52
|
||||
version: 1.0.53-dev
|
||||
groups: shared
|
||||
library: true
|
||||
warnOnImplicitThis: true
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/typeflow
|
||||
version: 1.0.52
|
||||
version: 1.0.53-dev
|
||||
groups: shared
|
||||
library: true
|
||||
dependencies:
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/typeinference
|
||||
version: 0.0.33
|
||||
version: 0.0.34-dev
|
||||
groups: shared
|
||||
library: true
|
||||
dependencies:
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/typetracking
|
||||
version: 2.0.36
|
||||
version: 2.0.37-dev
|
||||
groups: shared
|
||||
library: true
|
||||
dependencies:
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/typos
|
||||
version: 1.0.52
|
||||
version: 1.0.53-dev
|
||||
groups: shared
|
||||
library: true
|
||||
warnOnImplicitThis: true
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/util
|
||||
version: 2.0.39
|
||||
version: 2.0.40-dev
|
||||
groups: shared
|
||||
library: true
|
||||
dependencies: null
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/xml
|
||||
version: 1.0.52
|
||||
version: 1.0.53-dev
|
||||
groups: shared
|
||||
library: true
|
||||
dependencies:
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/yaml
|
||||
version: 1.0.52
|
||||
version: 1.0.53-dev
|
||||
groups: shared
|
||||
library: true
|
||||
warnOnImplicitThis: true
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/swift-all
|
||||
version: 6.7.1
|
||||
version: 6.7.2-dev
|
||||
groups: swift
|
||||
extractor: swift
|
||||
dbscheme: swift.dbscheme
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/swift-queries
|
||||
version: 1.3.5
|
||||
version: 1.3.6-dev
|
||||
groups:
|
||||
- swift
|
||||
- queries
|
||||
|
||||
@@ -5,6 +5,8 @@ column_kind: "utf8"
|
||||
legacy_qltest_extraction: true
|
||||
build_modes:
|
||||
- none
|
||||
default_queries:
|
||||
- codeql/unified-queries
|
||||
github_api_languages:
|
||||
- Swift
|
||||
scc_languages:
|
||||
|
||||
@@ -7,6 +7,7 @@ codeql_rust_binary(
|
||||
name = "extractor",
|
||||
srcs = glob(["src/**/*.rs"]),
|
||||
aliases = aliases(),
|
||||
compile_data = ["ast_types.yml"],
|
||||
proc_macro_deps = all_crate_deps(
|
||||
proc_macro = True,
|
||||
),
|
||||
|
||||
@@ -16,7 +16,9 @@ fn main() {
|
||||
Some(&grammar_js),
|
||||
tree_sitter_generate::ABI_VERSION_MAX,
|
||||
None,
|
||||
None,
|
||||
// Evaluate grammar.js with the embedded QuickJS runtime instead of
|
||||
// spawning `node`, which isn't available inside Bazel's sandbox.
|
||||
Some("native"),
|
||||
true,
|
||||
tree_sitter_generate::OptLevel::default(),
|
||||
)
|
||||
|
||||
14
unified/ql/src/DummyQuery.ql
Normal file
14
unified/ql/src/DummyQuery.ql
Normal file
@@ -0,0 +1,14 @@
|
||||
/**
|
||||
* @name Dummy query
|
||||
* @description Dummy query that flags any name longer than 20 characters
|
||||
* @kind problem
|
||||
* @id unified/dummy
|
||||
* @problem.severity info
|
||||
* @precision low
|
||||
*/
|
||||
|
||||
import unified
|
||||
|
||||
from Identifier id
|
||||
where id.getValue().length() > 20
|
||||
select id, "Name is too long: " + id.getValue()
|
||||
@@ -0,0 +1,3 @@
|
||||
- queries: .
|
||||
- apply: code-quality-extended-selectors.yml
|
||||
from: codeql/suite-helpers
|
||||
3
unified/ql/src/codeql-suites/unified-code-quality.qls
Normal file
3
unified/ql/src/codeql-suites/unified-code-quality.qls
Normal file
@@ -0,0 +1,3 @@
|
||||
- queries: .
|
||||
- apply: code-quality-selectors.yml
|
||||
from: codeql/suite-helpers
|
||||
4
unified/ql/src/codeql-suites/unified-code-scanning.qls
Normal file
4
unified/ql/src/codeql-suites/unified-code-scanning.qls
Normal file
@@ -0,0 +1,4 @@
|
||||
- description: Standard Code Scanning queries
|
||||
- queries: .
|
||||
- apply: code-scanning-selectors.yml
|
||||
from: codeql/suite-helpers
|
||||
@@ -0,0 +1,3 @@
|
||||
- queries: .
|
||||
- apply: security-and-quality-selectors.yml
|
||||
from: codeql/suite-helpers
|
||||
@@ -0,0 +1,4 @@
|
||||
- description: Extended and experimental security queries
|
||||
- queries: .
|
||||
- apply: security-experimental-selectors.yml
|
||||
from: codeql/suite-helpers
|
||||
@@ -0,0 +1,4 @@
|
||||
- description: Security-extended queries
|
||||
- queries: .
|
||||
- apply: security-extended-selectors.yml
|
||||
from: codeql/suite-helpers
|
||||
Reference in New Issue
Block a user