hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-12 02:24:00 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
4f74d421b9095e06a8642a5615c48f0a0094d7aa
codeql/python/ql/test/query-tests/Security
History
Taus 4f74d421b9 Python: Exclude AF_UNIX sockets from BindToAllInterfaces 
Looking at the results of the the previous DCA run, there was a bunch of
false positives where `bind` was being used with a `AF_UNIX` socket (a
filesystem path encoded as a string), not a `(host, port)` tuple. These
results should be excluded from the query, as they are not vulnerable.

Ideally, we would just add `.TupleElement[0]` to the MaD sink, except we
don't actually support this in Python MaD...

So, instead I opted for a more low-tech solution: check that the
argument in question flows from a tuple in the local scope.

This eliminates a bunch of false positives on `python/cpython` leaving
behind four true positive results.
2026-03-27 16:55:10 +00:00
..
CVE-2018-1281
Python: Exclude AF_UNIX sockets from BindToAllInterfaces
2026-03-27 16:55:10 +00:00
CWE-020-CookieInjection
Move to cwe-20
2024-07-16 16:50:08 +01:00
CWE-020-ExternalAPIs
Python: update test expectations
2024-05-17 10:59:49 +02:00
CWE-020-IncompleteHostnameRegExp
Python: Update all .expected files
2024-04-22 12:00:09 +00:00
CWE-020-IncompleteUrlSubstringSanitization
Python: Update all .expected files
2024-04-22 12:00:09 +00:00
CWE-020-SuspiciousRegexpRange
escape unicode chars in overly-large-range
2023-09-28 20:16:09 +02:00
CWE-022-PathInjection
python: Inline expectation should have space after $
2026-03-04 12:45:05 +00:00
CWE-022-TarSlip
Python: use known sanitiser
2024-09-30 14:22:17 +02:00
CWE-074-TemplateInjection
Update test output
2024-12-09 19:57:52 +00:00
CWE-078-CommandInjection
python: Inline expectation should have space after $
2026-03-04 12:45:05 +00:00
CWE-078-CommandInjection-py2
Python: Update expected output (uninteresting).
2024-04-12 09:20:30 +02:00
CWE-078-UnsafeShellCommandConstruction
python: Inline expectation should have space after $
2026-03-04 12:45:05 +00:00
CWE-079-Jinja2WithoutEscaping
Python: Remove last -p ../lib/ in options files
2022-09-29 18:05:51 +02:00
CWE-079-ReflectedXss
Python: Update expected output (uninteresting).
2024-04-12 09:20:30 +02:00
CWE-089-SqlInjection
Python: Add empty provenance column to expected files.
2024-02-09 11:32:08 +01:00
CWE-089-SqlInjection-local-threat-model
Pretty print model numbers in tests
2026-01-30 09:21:24 +00:00
CWE-090-LdapInjection
Python: Update expected output (uninteresting).
2024-04-12 09:20:30 +02:00
CWE-094-CodeInjection
Python: Update all test util paths to point to the new location.
2024-12-12 13:54:30 +01:00
CWE-113-HeaderInjection
Pretty print model numbers in tests
2026-01-30 09:21:24 +00:00
CWE-116-BadTagFilter
PythonÆ fix test expectations
2023-08-24 21:21:49 +02:00
CWE-117-LogInjection
Python: Update expected output (uninteresting).
2024-04-12 09:20:30 +02:00
CWE-209-StackTraceExposure
py: Inline expectation should have space before $
2026-03-04 13:11:38 +00:00
CWE-215-FlaskDebug
Python: Expand test for py/flask-debug
2022-10-04 20:39:08 +02:00
CWE-285-PamAuthorization
Python: Accept qltest .expected file changes.
2024-05-22 15:43:49 +02:00
CWE-295-MissingHostKeyValidation
Python: Expand modeling of paramiko
2023-04-18 11:57:20 +02:00
CWE-295-RequestWithoutValidation
changes to address reviews
2022-10-07 22:31:00 +02:00
CWE-312-CleartextLogging
Update tests
2024-08-27 14:18:50 +01:00
CWE-312-CleartextStorage
Update tests
2024-08-27 14:18:50 +01:00
CWE-312-CleartextStorage-py3
Update test
2024-08-28 09:11:34 +01:00
CWE-326-WeakCryptoKey
update python test cases
2022-12-01 11:56:44 -05:00
CWE-327-BrokenCryptoAlgorithm
Address review comment.
2023-10-27 10:19:28 +01:00
CWE-327-InsecureDefaultProtocol
Python: Fix test folder for InsecureDefaultProtocol
2021-07-19 16:56:07 +02:00
CWE-327-InsecureProtocol
Merge branch 'main' into python/rewrite-InsecureContextConfiguration
2023-03-27 10:20:53 +02:00
CWE-327-WeakSensitiveDataHashing
Python: Accept qltest .expected file changes.
2024-05-22 15:43:49 +02:00
CWE-377-InsecureTemporaryFile
Python: Restructure security tests to contain query name
2021-07-19 16:54:34 +02:00
CWE-502-UnsafeDeserialization
Python: Update expected output (uninteresting).
2024-04-12 09:20:30 +02:00
CWE-601-UrlRedirect
python: add machinery for MaD barriers
2026-01-22 17:30:24 +01:00
CWE-611-Xxe
Python: Update expected output (uninteresting).
2024-04-12 09:20:30 +02:00
CWE-614-InsecureCookie
python: Inline expectation should have space after $
2026-03-04 12:45:05 +00:00
CWE-643-XPathInjection
Python: Update expected output (uninteresting).
2024-04-12 09:20:30 +02:00
CWE-730-PolynomialReDoS
Python: Update all .expected files
2024-04-22 12:00:09 +00:00
CWE-730-ReDoS
Python: accept improved test output
2023-09-26 20:58:51 +02:00
CWE-730-RegexInjection
Python: Update expected output (uninteresting).
2024-04-12 09:20:30 +02:00
CWE-732-WeakFilePermissions
Python: update test expectations
2024-10-11 15:36:44 +02:00
CWE-776-XmlBomb
Removed lxml.etree.XMLParser from xml bomb sinks
2025-07-15 13:43:00 +02:00
CWE-798-HardcodedCredentials
Python: Update all .expected files
2024-04-22 12:00:09 +00:00
CWE-918-ServerSideRequestForgery
Pretty print for tests.
2026-02-12 08:28:08 -05:00
CWE-942-CorsMisconfigurationMiddleware
Fix tests
2024-09-12 21:30:32 -07:00
CWE-943-NoSqlInjection
py: Inline expectation should have space before $
2026-03-04 13:11:38 +00:00
CWE-1004-NonHttpOnlyCookie
python: Inline expectation should have space after $
2026-03-04 12:45:05 +00:00
CWE-1275-SameSiteNoneCookie
python: Inline expectation should have space after $
2026-03-04 12:45:05 +00:00