hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-03-21 06:57:09 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
68f526da1f219fbca14fd7ea522e782cd5f260b4
codeql/python/ql/src
History
Rasmus Wriedt Larsen 498703fc81 Python: Escaping only valid with both input/output defined 
Problematic part is

```codeql
  /** A escape from string format with `markupsafe.Markup` as the format string. */
  private class MarkupEscapeFromStringFormat extends MarkupSafeEscape, Markup::StringFormat {
    override DataFlow::Node getAnInput() {
      result in [this.getArg(_), this.getArgByName(_)] and
      not result = Markup::instance()
    }

    override DataFlow::Node getOutput() { result = this }
  }
```

since the char-pred still holds even if `getAnInput` has no results...

I will say that doing it this way feels kinda dirty, and we _could_ fix
this by including the logic in `getAnInput` in the char-pred as well.
But as I see it, that would just lead to a lot of code duplication,
which isn't very nice.
2021-06-16 19:09:00 +02:00
..
.vs
Python: Add QL for VS workspace settings file.
2018-11-26 15:10:12 +00:00
analysis
Autoformat.
2020-11-30 14:42:38 +01:00
Classes
Fix all dead qhelp links
2021-04-23 15:20:21 +01:00
codeql-suites
Drop 'tech-inventory' and 'code duplication' queries from the standard query suites
2020-10-02 17:22:04 +02:00
Diagnostics
Python: Add non-alert data for extractor diagnostics
2021-04-23 13:29:44 +02:00
Exceptions
Python: Autoformat everything using qlformat.
2020-07-07 15:43:52 +02:00
experimental
Python: Promote shared type tracking library
2021-06-11 20:20:22 +00:00
Expressions
Add security-severity metadata
2021-06-10 20:11:08 +01:00
external
Fix all dead qhelp links
2021-04-23 15:20:21 +01:00
Filters
Python: Delete filter queries
2021-03-25 15:06:46 +01:00
Functions
python: Correct the ReturnValueIgnored.qhelp docs
2021-05-26 17:40:57 +01:00
Imports
Fix all dead qhelp links
2021-04-23 15:20:21 +01:00
Lexical
Python: Remove precision tag from metric queries
2021-03-25 15:06:47 +01:00
meta
Python: Rename target => callee
2020-07-14 11:26:05 +02:00
Metrics
Fix all dead qhelp links
2021-04-23 15:20:21 +01:00
Numerics
Python: Autoformat everything using qlformat.
2020-07-07 15:43:52 +02:00
Resources
Python: Autoformat everything using qlformat.
2020-07-07 15:43:52 +02:00
Security
Add security-severity metadata
2021-06-10 20:11:08 +01:00
semmle
Python: Escaping only valid with both input/output defined
2021-06-16 19:09:00 +02:00
Statements
Add security-severity metadata
2021-06-10 20:11:08 +01:00
Summary
Python: Treat py/summary/lines-of-user-code as the primary summary metric
2021-05-27 13:20:24 -07:00
Testing
Python: Autoformat everything using qlformat.
2020-07-07 15:43:52 +02:00
Variables
Fix all dead qhelp links
2021-04-23 15:20:21 +01:00
.project
Add .qlpath and .project files for Python queries.
2018-11-19 16:28:53 +00:00
.qlpath
Add .qlpath and .project files for Python queries.
2018-11-19 16:28:53 +00:00
Customizations.qll
Python: Import Customizations into python
2020-11-03 10:23:05 +01:00
default.qll
Python: Autoformat remaining .qll.
2020-03-20 16:43:10 +01:00
printAst.ql
Replace getEncodedFile with shared getFileBySourceArchiveName predicate
2020-11-10 13:55:27 +00:00
python.qll
Python: Add Unit helper library
2020-11-26 18:17:14 +01:00
qlpack.yml
Add extractor field in base language QL packs
2020-04-06 18:48:01 +02:00
queries.xml
Initial commit of Python queries and QL libraries.
2018-11-19 15:10:42 +00:00
semmlecode.python.dbscheme
Python: Update dbscheme with new comment
2020-07-02 14:17:55 +02:00
semmlecode.python.dbscheme.stats
Python: Add 'special operation' pseudo-expression type, for use in semantic stubs file. No use of it as yet.
2019-02-08 11:31:34 +00:00
site.qll
Python: Autoformat a few final stragglers.
2020-03-30 12:30:14 +02:00