hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-03-24 00:16:49 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
2e2cee06c36e7c689ece97d47562889f9efd9638
codeql/python/ql/src/change-notes/released/0.0.5.md
github-actions[bot] 59da2cdf69 Release preparation for version 2.7.4
2021-12-14 21:35:09 +00:00

1.2 KiB
Raw Blame History

0.0.5

Minor Analysis Improvements

  • Added modeling of many functions from the os module that uses file system paths, such as os.stat, os.chdir, os.mkdir, and so on. All of these are new sinks for the Uncontrolled data used in path expression (py/path-injection) query.
  • Added modeling of the tempfile module for creating temporary files and directories, such as the functions tempfile.NamedTemporaryFile and tempfile.TemporaryDirectory. The suffix, prefix, and dir arguments are all vulnerable to path-injection, and these are new sinks for the Uncontrolled data used in path expression (py/path-injection) query.
  • Extended the modeling of FastAPI such that fastapi.responses.FileResponse are considered FileSystemAccess, making them sinks for the Uncontrolled data used in path expression (py/path-injection) query.
  • Added modeling of the posixpath, ntpath, and genericpath modules for path operations (although these are not supposed to be used), resulting in new sinks for the Uncontrolled data used in path expression (py/path-injection) query.
  • Added modeling of wsgiref.simple_server applications, leading to new remote flow sources.