hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-02-03 16:51:07 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
cd561dd19cf6189d0528ac093dd85ce72bc5e102
codeql/python/ql/src/CHANGELOG.md
github-actions[bot] f25fc70b7c Release preparation for version 2.8.1
2022-02-10 22:08:24 +00:00

2.6 KiB
Raw Blame History

0.0.9

Bug Fixes

  • The View AST functionality no longer prints detailed information about regular expressions, greatly improving performance.

0.0.8

Major Analysis Improvements

  • User names and other account information is no longer considered to be sensitive data for the queries py/clear-text-logging-sensitive-data and py/clear-text-storage-sensitive-data, since this lead to many false positives.

0.0.7

0.0.6

New Queries

  • Two new queries have been added for detecting Server-side request forgery (SSRF). Full server-side request forgery (py/full-ssrf) will only alert when the URL is fully user-controlled, and Partial server-side request forgery (py/partial-ssrf) will alert when any part of the URL is user-controlled. Only py/full-ssrf will be run by default.

Minor Analysis Improvements

  • To support the new SSRF queries, the PyPI package requests has been modeled, along with http.client.HTTP[S]Connection from the standard library.

0.0.5

Minor Analysis Improvements

  • Added modeling of many functions from the os module that uses file system paths, such as os.stat, os.chdir, os.mkdir, and so on. All of these are new sinks for the Uncontrolled data used in path expression (py/path-injection) query.
  • Added modeling of the tempfile module for creating temporary files and directories, such as the functions tempfile.NamedTemporaryFile and tempfile.TemporaryDirectory. The suffix, prefix, and dir arguments are all vulnerable to path-injection, and these are new sinks for the Uncontrolled data used in path expression (py/path-injection) query.
  • Extended the modeling of FastAPI such that fastapi.responses.FileResponse are considered FileSystemAccess, making them sinks for the Uncontrolled data used in path expression (py/path-injection) query.
  • Added modeling of the posixpath, ntpath, and genericpath modules for path operations (although these are not supposed to be used), resulting in new sinks for the Uncontrolled data used in path expression (py/path-injection) query.
  • Added modeling of wsgiref.simple_server applications, leading to new remote flow sources.

0.0.4

Query Metadata Changes

  • Fixed the query ids of two queries that are meant for manual exploration: python/count-untrusted-data-external-api and python/untrusted-data-to-external-api have been changed to py/count-untrusted-data-external-api and py/untrusted-data-to-external-api.