github
/
codeql
зеркало из https://github.com/github/codeql.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность
58 442 коммитов 1 541 ветка 130 Теги 483 MiB
Граф коммитов

7687 Коммитов

Автор SHA1 Сообщение Дата
Rasmus Wriedt Larsen ec0529d68c
Merge pull request #14145 from p-/p--asyncio-cmdi-exec 
Python: Support for command injection sinks found in the `asyncio` module
 2023-09-07 11:27:50 +02:00
Rasmus Wriedt Larsen bfb4be26c2
Python: Autoformat 2023-09-07 10:31:39 +02:00
Rasmus Wriedt Larsen 54c456d95d
Python: Apply suggestions from code review 2023-09-07 10:28:46 +02:00
Rasmus Wriedt Larsen c85ea9a0c0
Python: Fix typo in SSRF example 2023-09-07 09:45:02 +02:00
Peter Stöckli 7aa5d2dc8a Python: move asyncio CMDi related tests to stdlib tests 2023-09-06 16:54:18 +02:00
Peter Stöckli ede7d8fb6a Python: apply suggestions from code review for asyncio 2023-09-06 15:47:07 +02:00
Peter Stöckli 9027eac312 Python: add change notes for asyncio CMDi sinks 2023-09-05 16:14:56 +02:00
Peter Stöckli 8c4dccc81b Python: initial support for CMDi via asyncio 2023-09-05 15:33:29 +02:00
Rasmus Wriedt Larsen 49f5d38956
Merge pull request #14068 from RasmusWL/dataflow-config-refactor 
Python: Use new dataflow API
 2023-09-04 21:04:10 +02:00
yoff da64ea40b9
Merge pull request #13782 from jorgectf/jorgectf/shlex-quote 
Python: Add `shlex.quote` as `py/shell-command-constructed-from-input` sanitizer
 2023-08-31 21:08:58 +02:00
Tom Hvitved 253f932d2a Python: Use data flow consistency checks from shared pack 2023-08-30 15:29:41 +02:00
Rasmus Wriedt Larsen 62c2316124
Merge pull request #14084 from RasmusWL/flask-jsonify 
Python: Remove XSS FP from use of `flask.jsonify`
 2023-08-30 13:07:54 +02:00
yoff ae4c76c788
Merge pull request #13975 from yoff/python/parsemodechars-not-chars 2023-08-29 14:05:57 +02:00
Rasmus Wriedt Larsen 49d510018d
Python: Add change-note 2023-08-29 11:11:32 +02:00
Rasmus Wriedt Larsen 0b2458d065
Python: Improve modeling of Flask `jsonify` 
I also tested whether `Flask.jsonify` or `Flask().jsonify` worked, but
they do not.
 2023-08-29 11:11:32 +02:00
Rasmus Wriedt Larsen 26319bfc04
Python: Fix Flask `jsonify` XSS regression 
The reason the result was found before, is that `jsonify(data)` was
modeled as TWO separate subclasses of `Http::Server::HttpResponse`, one
because of the implicit construction in return
(FlaskRouteHandlerReturn), and one from the `jsonify` call
(FlaskJsonifyCall). Due to the QL evaluation, we got a combination from
the two, meaning mime-type from FlaskRouteHandlerReturn and body from
FlaskJsonifyCall...
 2023-08-29 11:11:32 +02:00
Rasmus Wriedt Larsen b36fd9fdab
Python: Add jsonify XSS regression example 2023-08-29 10:38:49 +02:00
Dave Bartolomeo 3343b78015
Merge pull request #14074 from github/post-release-prep/codeql-cli-2.14.3 
Post-release preparation for codeql-cli-2.14.3
 2023-08-28 13:34:10 -04:00
github-actions[bot] 3eba77421a Post-release preparation for codeql-cli-2.14.3 2023-08-28 15:53:49 +00:00
Rasmus Wriedt Larsen ce6335866b
Python: Move `ModificationOfParameterWithDefault` to new dataflow API 2023-08-28 16:19:47 +02:00
Rasmus Wriedt Larsen e8e8d975e3
Python: Remove all usage of DataFlow2+TaintTracking2 
(and any higher number as well)
 2023-08-28 15:34:19 +02:00
Rasmus Wriedt Larsen c665c21d83
Python: More style-guide renaming 
Split it into multiple commits to make it easier to review.
 2023-08-28 15:31:08 +02:00
Rasmus Wriedt Larsen 996364d6ee
Python: Fix naming style guide violations 2023-08-28 15:31:08 +02:00
Rasmus Wriedt Larsen efec4e7ebf
Python: Add missing qldocs 2023-08-28 15:31:08 +02:00
Rasmus Wriedt Larsen 98538d237e
Python: Autoformat 2023-08-28 15:31:08 +02:00
Rasmus Wriedt Larsen 5ba8e102eb
Python: Adopt tests to new `DataflowQueryTest` 
Since we want to know the _sinks_ and not just the flow, we need to
expose the config as well :|
 2023-08-28 15:31:08 +02:00
Rasmus Wriedt Larsen 6961ca5234
Python: Rename to `EmailXss` 2023-08-28 15:31:08 +02:00
Rasmus Wriedt Larsen ed0e441567
Python: Accept missing `DataflowQueryTest` implementation for now 2023-08-28 15:31:08 +02:00
Rasmus Wriedt Larsen 6d4491e0a9
Python: Modernize `WebAppConstantSecretKey` 2023-08-28 15:31:08 +02:00
Rasmus Wriedt Larsen 852b01c65d
Python: Move `SmtpMessageConfig` to new dataflow API 2023-08-28 15:31:08 +02:00
Rasmus Wriedt Larsen d5e2a30e5b
Python: Modernize `py/azure-storage/unsafe-client-side-encryption-in-use` a bit 
To use consistent naming
 2023-08-28 15:31:08 +02:00
Rasmus Wriedt Larsen bfcc194b85
Python: Move experimental `paramiko` to new dataflow API 2023-08-28 15:31:08 +02:00
Rasmus Wriedt Larsen acd0f2a8fb
Python: Move experimental `LDAPInsecureAuth` to new dataflow API 2023-08-28 15:31:08 +02:00
Rasmus Wriedt Larsen c6911c2ae0
Python: Move experimental `UnicodeBypassValidation` to new dataflow API 2023-08-28 15:31:08 +02:00
Rasmus Wriedt Larsen 2c06394bf3
Python: Move experimental `CookieInjection` to new dataflow API 2023-08-28 15:31:08 +02:00
Rasmus Wriedt Larsen 2c412707ab
Python: Move experimental `CsvInjection` to new dataflow API 2023-08-28 15:31:08 +02:00
Rasmus Wriedt Larsen ace1e23c21
Python: Move experimental `ClientSuppliedIpUsedInSecurityCheck` to new dataflow API 2023-08-28 15:31:08 +02:00
Rasmus Wriedt Larsen d948e103fa
Python: Move experimental `HeaderInjection` to new dataflow API 2023-08-28 15:31:08 +02:00
Rasmus Wriedt Larsen 53e57dad5c
Python: Move experimental `InsecureRandomness` to new dataflow API 2023-08-28 15:31:08 +02:00
Rasmus Wriedt Larsen 3bf2705668
Python: Move experimental `TimingAttackAgainstHeaderValue` to new dataflow API 2023-08-28 15:31:08 +02:00
Rasmus Wriedt Larsen c88a0ccb7c
Python: Move experimental `TimingAttackAgainstHash` to new dataflow API 2023-08-28 15:31:07 +02:00
Rasmus Wriedt Larsen a779547515
Python: Move experimental `PossibleTimingAttackAgainstHash` to new dataflow API 2023-08-28 15:31:07 +02:00
Rasmus Wriedt Larsen 8abd3430a2
Python: Move experimental `TimingAttackAgainstSensitiveInfo` to new dataflow API 2023-08-28 15:31:07 +02:00
Rasmus Wriedt Larsen 1a4e8d9464
Python: Move experimental `PossibleTimingAttackAgainstSensitiveInfo` to new dataflow API 2023-08-28 15:31:07 +02:00
Rasmus Wriedt Larsen 5fd3594f5f
Python: Move TimingAttack.qll to new dataflow API 2023-08-28 15:31:07 +02:00
Rasmus Wriedt Larsen 5d8329d9c8
Python: Move experimental `ZipSlip` to new dataflow API 2023-08-28 15:31:07 +02:00
Rasmus Wriedt Larsen 67cc3a3935
Python: Move experimental `ReflectedXSS` to new dataflow API 2023-08-28 15:31:07 +02:00
Rasmus Wriedt Larsen a0d26741d0
Python: Move experimental `TarSlipImprov` to new dataflow API 2023-08-28 15:31:07 +02:00
Rasmus Wriedt Larsen 3cdd875e9f
Python: Move experimental `UnsafeUnpack` to new dataflow API 2023-08-28 15:31:07 +02:00
Rasmus Wriedt Larsen 3edb9d1011
Python: Move experimental `TokenBuiltFromUUID` to new dataflow API 2023-08-28 15:31:07 +02:00