hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-06-19 03:41:07 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
018ba92b1e97932ef473d644319eb17e371c398e
codeql/python/ql/test/query-tests/Security
History
Sotiris Dragonas 018ba92b1e Add additional Python prompt-injection sinks for uncovered SDK methods 
Cover prompt-carrying public API methods that were missing from the
framework models:

- OpenAI: videos.create/create_and_poll/edit/remix/extend (Sora, user),
  beta.realtime.sessions.create instructions (system), and role-filtered
  beta.threads.messages.create content (Assistants API).
- Anthropic: legacy completions.create prompt (user).
- agents: Agent.as_tool tool_description (system).
- Google GenAI: caches.create CreateCachedContentConfig system_instruction
  (system) and contents (user).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-06-18 17:02:14 +03:00
..
CVE-2018-1281
Update test results
2026-05-22 11:43:18 +01:00
CWE-020-CookieInjection
Move to cwe-20
2024-07-16 16:50:08 +01:00
CWE-020-ExternalAPIs
Accept changed edges in test output
2026-06-02 16:15:08 +01:00
CWE-020-IncompleteHostnameRegExp
Python: Update all .expected files
2024-04-22 12:00:09 +00:00
CWE-020-IncompleteUrlSubstringSanitization
Python: Update all .expected files
2024-04-22 12:00:09 +00:00
CWE-020-SuspiciousRegexpRange
escape unicode chars in overly-large-range
2023-09-28 20:16:09 +02:00
CWE-022-PathInjection
python: Inline expectation should have space after $
2026-03-04 12:45:05 +00:00
CWE-022-TarSlip
Python: use known sanitiser
2024-09-30 14:22:17 +02:00
CWE-074-TemplateInjection
Update test output
2024-12-09 19:57:52 +00:00
CWE-078-CommandInjection
python: Inline expectation should have space after $
2026-03-04 12:45:05 +00:00
CWE-078-CommandInjection-py2
Python: Update expected output (uninteresting).
2024-04-12 09:20:30 +02:00
CWE-078-UnsafeShellCommandConstruction
Adjust expected test output
2026-06-02 16:15:06 +01:00
CWE-079-Jinja2WithoutEscaping
Python: Remove last -p ../lib/ in options files
2022-09-29 18:05:51 +02:00
CWE-079-ReflectedXss
Accept changed edges in test output
2026-06-02 16:15:08 +01:00
CWE-089-SqlInjection
Fix MISSING alert
2026-06-15 00:14:52 +01:00
CWE-089-SqlInjection-local-threat-model
Pretty print model numbers in tests
2026-01-30 09:21:24 +00:00
CWE-090-LdapInjection
Python: Update expected output (uninteresting).
2024-04-12 09:20:30 +02:00
CWE-094-CodeInjection
Python: Update all test util paths to point to the new location.
2024-12-12 13:54:30 +01:00
CWE-113-HeaderInjection
Pretty print model numbers in tests
2026-01-30 09:21:24 +00:00
CWE-116-BadTagFilter
PythonÆ fix test expectations
2023-08-24 21:21:49 +02:00
CWE-117-LogInjection
Python: Update expected output (uninteresting).
2024-04-12 09:20:30 +02:00
CWE-209-StackTraceExposure
Python: reset test expectations
2026-05-21 16:59:11 +01:00
CWE-215-FlaskDebug
Python: Expand test for py/flask-debug
2022-10-04 20:39:08 +02:00
CWE-285-PamAuthorization
Python: Accept qltest .expected file changes.
2024-05-22 15:43:49 +02:00
CWE-295-MissingHostKeyValidation
Python: Expand modeling of paramiko
2023-04-18 11:57:20 +02:00
CWE-295-RequestWithoutValidation
changes to address reviews
2022-10-07 22:31:00 +02:00
CWE-312-CleartextLogging
Python: Remove imprecise container steps
2026-05-21 16:57:44 +01:00
CWE-312-CleartextStorage
Accept changed edges in test output
2026-06-02 16:15:08 +01:00
CWE-312-CleartextStorage-py3
Update test
2024-08-28 09:11:34 +01:00
CWE-326-WeakCryptoKey
update python test cases
2022-12-01 11:56:44 -05:00
CWE-327-BrokenCryptoAlgorithm
Address review comment.
2023-10-27 10:19:28 +01:00
CWE-327-InsecureDefaultProtocol
Python: Fix test folder for InsecureDefaultProtocol
2021-07-19 16:56:07 +02:00
CWE-327-InsecureProtocol
Merge branch 'main' into python/rewrite-InsecureContextConfiguration
2023-03-27 10:20:53 +02:00
CWE-327-WeakSensitiveDataHashing
Python: Accept qltest .expected file changes.
2024-05-22 15:43:49 +02:00
CWE-377-InsecureTemporaryFile
Python: Restructure security tests to contain query name
2021-07-19 16:54:34 +02:00
CWE-502-UnsafeDeserialization
Python: Update expected output (uninteresting).
2024-04-12 09:20:30 +02:00
CWE-601-UrlRedirect
python: add machinery for MaD barriers
2026-01-22 17:30:24 +01:00
CWE-611-Xxe
Python: Update expected output (uninteresting).
2024-04-12 09:20:30 +02:00
CWE-614-InsecureCookie
python: Inline expectation should have space after $
2026-03-04 12:45:05 +00:00
CWE-643-XPathInjection
Python: Update expected output (uninteresting).
2024-04-12 09:20:30 +02:00
CWE-730-PolynomialReDoS
Python: Update all .expected files
2024-04-22 12:00:09 +00:00
CWE-730-ReDoS
Python: accept improved test output
2023-09-26 20:58:51 +02:00
CWE-730-RegexInjection
Python: Update expected output (uninteresting).
2024-04-12 09:20:30 +02:00
CWE-732-WeakFilePermissions
Python: update test expectations
2024-10-11 15:36:44 +02:00
CWE-776-XmlBomb
Removed lxml.etree.XMLParser from xml bomb sinks
2025-07-15 13:43:00 +02:00
CWE-798-HardcodedCredentials
Python: Update all .expected files
2024-04-22 12:00:09 +00:00
CWE-918-ServerSideRequestForgery
Python: adjust test expectations
2026-05-21 16:58:51 +01:00
CWE-942-CorsMisconfigurationMiddleware
Fix tests
2024-09-12 21:30:32 -07:00
CWE-943-NoSqlInjection
Accept changed edges in test output
2026-06-02 16:15:08 +01:00
CWE-1004-NonHttpOnlyCookie
python: Inline expectation should have space after $
2026-03-04 12:45:05 +00:00
CWE-1275-SameSiteNoneCookie
python: Inline expectation should have space after $
2026-03-04 12:45:05 +00:00
CWE-1427-SystemPromptInjection
Add additional Python prompt-injection sinks for uncovered SDK methods
2026-06-18 17:02:14 +03:00
CWE-1427-UserPromptInjection
Add additional Python prompt-injection sinks for uncovered SDK methods
2026-06-18 17:02:14 +03:00