Commit graph

1125 commits

Author SHA1 Message Date
Rebecca Valentine e07a003f75 Swaps overridden_call globally 2020-02-25 11:02:18 -08:00
Rebecca Valentine 50c91b99da Swaps correct_args_if_called_as_method globally 2020-02-25 11:01:51 -08:00
Rebecca Valentine fb0cae76cf Swaps wrong_args globally 2020-02-25 11:00:39 -08:00
Rebecca Valentine 3a764ade8d Swaps too_many_args globally 2020-02-25 10:59:55 -08:00
Rebecca Valentine 3b0be46377 Swaps too_few_args globally 2020-02-25 10:59:16 -08:00
Rebecca Valentine 2c32a859cc Swaps illegally_named_parameter globally 2020-02-25 10:58:08 -08:00
Rebecca Valentine 4857a947ac Swaps get_function_or_initializer globally 2020-02-25 10:51:40 -08:00
Rebecca Valentine cf4b7e1270 Swaps arg_count globally 2020-02-25 10:50:30 -08:00
Rebecca Valentine c2a3af7e67 Adds objectapi suffix to private predicates 2020-02-25 10:48:29 -08:00
Rebecca Valentine 930228acc5 Un-autoformats 2020-02-25 09:52:46 -08:00
Rebecca Valentine 3e53e462d6 changes indents to 4 2020-02-25 09:46:21 -08:00
Rebecca Valentine 04951faf86 autoformat 2020-02-25 09:43:51 -08:00
Rasmus Wriedt Larsen f10a86d3ac Python: Remove `--optimize: true` from options files
Tests will be run with optimizations on by default now.
2020-02-25 15:52:00 +01:00
Rasmus Wriedt Larsen 8f70101572 Python: docs: Use <code> tag consistently in UseofInput.qhelp 2020-02-25 15:40:08 +01:00
yo-h 43bcd5b26c Add guidelines for experimental CodeQL queries and libraries 2020-02-24 15:08:31 -05:00
Rasmus Wriedt Larsen 2b997ec94a Python: Add Python 3 Imports tests from internal repo 2020-02-24 15:36:45 +01:00
Rasmus Wriedt Larsen 9d629aef95 Python: Highlight py/use-of-input is for Python 2 2020-02-24 15:13:19 +01:00
Taus 285be2893c
Merge pull request #2893 from BekaValentine/python-objectapi-to-valueapi-unnecessarylambda
Python: ObjectAPI to ValueAPI: UnnecessaryLambda
2020-02-21 22:23:02 +01:00
Taus e444fb8bfa
Merge pull request #2818 from BekaValentine/objectapi-to-valueapi-hashedbutnohash
Python: ObjectAPI to ValueAPI: HashedButNoHash
2020-02-21 22:19:58 +01:00
Rebecca Valentine 14273fc677 Adds missing result to expected file 2020-02-21 11:25:03 -08:00
Rasmus Wriedt Larsen bfa7553095 Python: urlsplit sanitizer handles `in [KNOWN_VALUE]` 2020-02-21 16:03:29 +01:00
Rasmus Wriedt Larsen 798db91f71 Python: Add more urlsplit tests 2020-02-21 15:51:33 +01:00
Rasmus Wriedt Larsen 31ff652cb3 Python: Make Sanitizer available for urlsplit taint
It isn't used by default, it has to *actively* be enabled.
2020-02-21 15:18:53 +01:00
Rasmus Wriedt Larsen abbc9293db
Merge pull request #2891 from tausbn/python-special-operations
Python: Add AST support for special operations.
2020-02-21 13:16:22 +01:00
Rebecca Valentine 2b1d9c8d16 Updates last library difference
I'm not entirely sure if `getLiteralObject` and `getLiteralValue` are equivalent, and there don't seem to be library tests for this
2020-02-20 20:20:56 -08:00
Rebecca Valentine 210387a8be Adds bulk of modernizations 2020-02-20 17:32:42 -08:00
Rebecca Valentine df7f43ee86 Adds modernization 2020-02-20 17:07:56 -08:00
Rebecca Valentine 2f3ea10cf8 Move the query and examples over to 2/query-tests 2020-02-20 16:31:58 -08:00
Rebecca Valentine 376638e9c0 Move query over to Rasmus's API for NumericValue 2020-02-20 16:18:54 -08:00
Rebecca Valentine ab1fcb32ae autoformats 2020-02-20 16:17:43 -08:00
Rebecca Valentine 5d9d724d43 Removes conflicting NumericValue definition 2020-02-20 16:17:33 -08:00
Rebecca Valentine 28be3b47fc Replaces name-reference to the class with canonical predicate. 2020-02-20 15:41:51 -08:00
Rebecca Valentine 5acd982d59 Swaps ...obj for ...val 2020-02-20 15:41:51 -08:00
Rebecca Valentine 91ea46f5ee Adds test output. 2020-02-20 15:41:51 -08:00
Rebecca Valentine 115495450d Adds test cases. 2020-02-20 15:41:51 -08:00
Rebecca Valentine 96b8d78650 Adds modernized files. 2020-02-20 15:41:51 -08:00
Taus Brock-Nannestad 913db460b2 Python: Add AST support for special operations.
These have the form `$name(arg1, arg2, ...)` and currently have no semantics.
They may be useful for testing purposes, however.
2020-02-20 18:05:37 +01:00
Rasmus Wriedt Larsen fd270cc02c Python: Add basic taint support for urlsplit/urlparse 2020-02-19 16:31:10 +01:00
Rasmus Wriedt Larsen 4f3149d865 Python: Fix error after merge conflict 2020-02-19 16:27:31 +01:00
Rasmus Wriedt Larsen 74345b1c05 Python: Make library-tests/taint/strings tests more transparent
Following the setup I invented for library-tests/taint/unpacking.

TestStep is still a bit annoying, since the output is not easy to eyeball; but
for now I guess we can live with it :)

I honestly didn't get the point of DistinctStringKinds.ql, other than showing we
can handle multiple taint kinds
2020-02-19 16:24:22 +01:00
Rasmus Wriedt Larsen e4b83855d9 Python: Autoformat security/strings/External.qll 2020-02-19 16:24:13 +01:00
Rasmus Wriedt Larsen e7fdfd3d3e Python: Move subprocess.call so super-class detection works
This is a temporary fix!

Added minimal working example (MWE) as a regression, so it's easier to fix the
real problem.

Only Python 3 is facing the problem -- and without --max-import-depth=1 the test
times out at 10 minutes :O
2020-02-19 14:12:22 +01:00
Rasmus Wriedt Larsen d7b803a859 Python: Fix modernisation of py/iteration-string-and-sequence
Introduced a regression, since the old code was:

```
predicate is_a_string_type(ClassObject seqtype) {
    seqtype = theBytesType() and major_version() = 2
    or
    seqtype = theUnicodeType()
}
```

but *now* we're good!
2020-02-19 14:12:22 +01:00
Rasmus Wriedt Larsen 0509228296 Python: Make ModelUsage test language agnostic 2020-02-19 14:12:22 +01:00
Rasmus Wriedt Larsen 87eff7f062 Python: More iterator => iterable renaming 2020-02-19 14:12:22 +01:00
Rasmus Wriedt Larsen 82b29b5698 Python: Recognize shebangs in module usage detection 2020-02-19 14:12:22 +01:00
Rasmus Wriedt Larsen 01f5b3dc63 Python: Add a script that we can't classify usage of 2020-02-19 14:12:22 +01:00
Rasmus Wriedt Larsen 3e7e9636ea Python: Add ModuleValue.{isUsedAsModule, isUsedAsScript}
and a few test cases
2020-02-19 14:12:22 +01:00
Rasmus Wriedt Larsen b4ab0b55be Python: Modernise Statements/RedundantAssignment 2020-02-19 14:12:22 +01:00
Rasmus Wriedt Larsen 79a4d7e9cc Python: Add some confusing (but valid) property tests 2020-02-19 14:12:22 +01:00
Rasmus Wriedt Larsen 67e9edb820 Python: Add PropertyValue
+ Extend PropertyInternal.getSetter to handle non-decorator
+ Add PropertyInternal.getDeleter

It seems like a bit hacky way to do things, since we're not using the
PropertySetterOrDeleter class at all, but for now I'll leave it be.
2020-02-19 14:12:22 +01:00
Rasmus Wriedt Larsen e747add485 Python: Descriptor tests fixup (3/3)
Better tests for properties
2020-02-19 14:10:29 +01:00
Rasmus Wriedt Larsen aed7bfb820 Python: Descriptor tests fixup (2/3)
Test format improved
2020-02-19 14:10:29 +01:00
Rasmus Wriedt Larsen 3f49aeecfe Python: Descriptor tests fixup (1/3) 2020-02-19 14:10:29 +01:00
Rasmus Wriedt Larsen 13568b7b9f Python: Modernise Statements/ queries
Almost. Left out a few things marked with TODO
2020-02-19 14:10:29 +01:00
Rasmus Wriedt Larsen 83d40f167b Python: Update py/ineffectual-statement
e.(StrConst).isDocString() can only hold if e instanceof StrConst. Since we have
that condition on the line above, we can safely remove this condition.
2020-02-19 14:05:55 +01:00
Rasmus Wriedt Larsen 6e349eb6e7 Python: Make py/side-effect-in-assert handle example
Also removed parentheses
2020-02-19 14:05:55 +01:00
Rasmus Wriedt Larsen ae8dbd81f3 Python: Update test-file for py/redundant-assignment
Now the test code can be pasted, and actually works ;)
2020-02-19 14:05:55 +01:00
Rasmus Wriedt Larsen 381668871d Python: Autoformat statements 2020-02-19 14:05:55 +01:00
Rebecca Valentine 2fa20eb805 Fixes bug introduced by merge of foresight additions. 2020-02-18 21:37:52 -08:00
Rebecca Valentine 7997e1dc98
Merge branch 'master' into objectapi-to-valueapi-expectedmappingforformatstring 2020-02-18 21:33:12 -08:00
Rebecca Valentine 9e3ed214d0
Python: ObjectAPI to ValueAPI: Foresight Additions (#2819)
* Adds the...Type() predicates as foresight modernizations.

* Removes predicates that are not currently ported/portable

* Adds range types

* Update python/ql/src/semmle/python/objects/ObjectAPI.qll

Co-Authored-By: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>

* Update python/ql/src/semmle/python/objects/ObjectAPI.qll

Co-Authored-By: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>

* Swaps xType for just x, at least when it's new

Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
2020-02-18 21:29:20 -08:00
Rebecca Valentine 810efef9de Adds python3 test 2020-02-18 15:02:47 -08:00
Rebecca Valentine e55f01d905 Adds new UseofApply test case and results to the Python2 tests dir 2020-02-18 12:12:25 -08:00
Rebecca Valentine 9338d21aaf Removes unnecessary explanation 2020-02-18 11:43:43 -08:00
Rebecca Valentine 4059a99da6 Autoformats the query 2020-02-18 11:43:31 -08:00
Rebecca Valentine d0617ef7bc Autoformat 2020-02-18 09:00:31 -08:00
Taus ffbb5d0529
Merge pull request #2739 from RasmusWL/python-modernise-security
Python: modernise Security/ queries
2020-02-18 16:28:53 +01:00
Rebecca Valentine 4178002d59 Merge branch 'master' into python-objectapi-to-valueapi-useofapply 2020-02-17 17:20:00 -08:00
Rebecca Valentine c36c0aeb88 Fixes renaming bug 2020-02-17 12:09:01 -08:00
Rebecca Valentine 13cd8d2435 Fixes expected results bug 2020-02-17 11:47:03 -08:00
Rebecca Valentine a2c1d5ff45 Moves to higher level API 2020-02-17 11:46:53 -08:00
Rebecca Valentine c5986c52d3 Renames typeErrorType to typeError 2020-02-17 11:28:39 -08:00
Rasmus Wriedt Larsen f3ab52b1fe Python: Use StringValue instead of Value::forString 2020-02-17 14:41:32 +01:00
Rasmus Wriedt Larsen 6d5a8e4995 Python: Fix typos 2020-02-17 14:34:22 +01:00
Taus 03ae7831ad
Merge pull request #2711 from RasmusWL/python-fix-import-deprecated-module
Python: fix alerts for py/import-deprecated-module
2020-02-17 11:46:12 +01:00
Taus df3ac49c28
Merge pull request #2700 from RasmusWL/python-taint-iterable-unpacking
Python: Handle iterable unpacking in taint tracking
2020-02-17 11:44:25 +01:00
Taus 990d1c1663
Merge pull request #2802 from RasmusWL/python-fix-fp-py/import-own-module
Python: Fix FP for py/import own module
2020-02-17 11:23:11 +01:00
Rebecca Valentine 6a04004d94 Adds test cases and qlref. 2020-02-13 14:49:01 -08:00
Rebecca Valentine b665f54a31 Corrects query to use `builtin` instead of `special` 2020-02-13 14:48:46 -08:00
Rebecca Valentine 3b45fbc87c Adds rough modernization. 2020-02-13 14:22:00 -08:00
jack1142 e1644dd68b
Python: Handle __class_getitem__ in py/not-named-self (#2825)
Fixes #2824
2020-02-13 13:38:36 +01:00
Rasmus Wriedt Larsen 1558cf2eae Python: Fix typo (decent => descent) 2020-02-13 13:35:29 +01:00
Rebecca Valentine acb3c524dd Updates expected results. 2020-02-12 19:46:43 -08:00
Rebecca Valentine 65cba82c7e Fixes bug w/ use of pointsTo 2020-02-12 19:45:55 -08:00
Rebecca Valentine bfb720c7f3 Adds range and tuple types 2020-02-12 19:36:03 -08:00
Rebecca Valentine 3ce250b2cf Adds some debugging changes. 2020-02-12 19:29:42 -08:00
Taus 895f2f74ab
Merge branch 'master' into python-clean-qltest-options 2020-02-12 13:44:41 +01:00
Taus 12113e947f
Merge pull request #2603 from RasmusWL/python-fix-http-source-sink
Python: Make web libs use HttpRequestTaintSource and HttpResponseTaintSink
2020-02-12 13:42:22 +01:00
Rebecca Valentine 2270c6c960 Adds modernized files. 2020-02-11 21:45:49 -08:00
Rebecca Valentine 178acc85b9 Adds main modifications. 2020-02-11 21:25:50 -08:00
Rasmus Wriedt Larsen efedcd26d0 Python: Django tests need --lang=3 2020-02-11 13:16:52 +01:00
Rasmus Wriedt Larsen 1f762841ec Python: In py/import-own-module handle `from foo import *` 2020-02-11 11:45:48 +01:00
Rasmus Wriedt Larsen 5cc2efef8e Python: Fix FPs for py/import-own-module
Before I added `--max-import-depth=2`, there was a bit of trouble, where it
would alert on `from pkg_ok import foo2` -- since all the `pkg_ok.foo<n>`
modules were missing, I guess the analysis didn't make any assumptions on
whether `foo2` is a module or a regular attribute.
2020-02-11 11:45:48 +01:00
Rasmus Wriedt Larsen f3f9e340d3 Python: Update tests for py/import-own-module
So I've been thinking a bit about import pkg_ok.foo1 after reading the Python
references for imports of submodules
https://docs.python.org/3/reference/import.html#submodules

> When a submodule is loaded using any mechanism (...) a binding is placed in the
parent module’s namespace to the submodule object. For example, if package spam
has a submodule foo, after importing spam.foo, spam will have an attribute foo
which is bound to the submodule.

That does at least explain what is going on here.

I feel that import pkg_ok.foo1 might be a very contrived example. In principle
it should be an alert, since the module pkg_ok ends up with an import of itself,
but my gut feeling is that in practice it's not a very important piece of code
to give alerts for. If we really care about giving these import related alerts,
we could probably add a new query for this pattern, as it's kind of surprising
that it works when you're just an ordinary Python programmer.
2020-02-11 11:45:48 +01:00
Rasmus Wriedt Larsen 2bffbf0734 Python: Add testcases for py/import-own-module
You can try out:

python2 -c "import pkg_ok; print(pkg_ok.foo1); print(pkg_ok.foo2); print(pkg_ok.foo3); print(pkg_ok.foo4); print(pkg_ok.foo5); print(pkg_ok.Foo3); print(pkg_ok.Foo5); print(pkg_ok.pkg_ok)"

python3 -c "import pkg_ok; print(pkg_ok.foo1); print(pkg_ok.foo2); print(pkg_ok.foo3); print(pkg_ok.foo4); print(pkg_ok.foo5); print(pkg_ok.Foo3); print(pkg_ok.Foo5); print(pkg_ok.pkg_ok)"
2020-02-10 15:16:47 +01:00
Rasmus Wriedt Larsen c0b7dcc019 Python: Remove ignored automatic_locations in qltest options files 2020-02-06 14:28:10 +01:00
Rasmus Wriedt Larsen 397c17c4ff Python: Use --lang=3 in tests
With the internal update to qltest it will not actually do anything.

- also remove it from the tests that never needed it.
2020-02-06 14:20:59 +01:00
Rasmus Wriedt Larsen cb891a1a49 Python: Clean up six tests
We can't understand the real `six.py` file, so we have some internal plumbing
that enables us to handle six anyway. While updating that, I had a hell of a lot
of trouble with these tests.

What we actually want, is to see that we can understand what the values imported
from six are (i.e., their points-to information). I added a few more, that I
think would be useful. If we can figure out all of these, I don't actually care
if we're doing it by understanding the real `six.py` file, or by some internal
trick.

I verified that we don't get results with the real `six.py` file by disabling
our internal tricks, and putting a copy of six.py just next to test.py.

We used to have another file that would list all the properties we knew and
their value, but that turned out to be a fragile and annoying test, since the
results differed depending on which version of python you ran it with (3.5 vs 3.8) and
which machine you ran it on (my machine vs jenkins). I don't care about the
results in this file, and I can certainly not eyeball it to see if it's correct
or not.
2020-02-06 13:50:51 +01:00
Rasmus Wriedt Larsen d5c6092920 Python: Fix typo (trakcing => tracking) 2020-02-06 11:50:44 +01:00
Rasmus Wriedt Larsen de63eb1450
Merge pull request #2592 from tausbn/python-remove-manual-tc-in-ssashortcut
Python: Remove manual TC from `ssaShortCut`.
2020-02-04 14:04:25 +01:00
Rasmus Wriedt Larsen c1d073a54d Python: Add test-cases for py/hardcoded-credentials 2020-02-04 11:42:11 +01:00
Rasmus Wriedt Larsen 2837f987c5 Python: Show how pointsTo handles `0+0 == 0` (2/2) 2020-02-04 11:42:11 +01:00
Rasmus Wriedt Larsen 4231bb1bcf Python: Show how pointsTo handles `0+0 == 0` (1/2) 2020-02-04 11:42:11 +01:00
Rasmus Wriedt Larsen 6b5b28aded Python: Add Value.getABooleanValue and Value.getDefiniteBooleanValue
Replacing `Value.booleanValue`. We wanted to match `Object.booleanValue` that
only gives a result if it is either `true` or `false`, but also wanted to keep
the flexibility to see if the Value _could_ be `true`/`false`. We don't have a
motivating usecase, so let's see if we ever need it :P

+ fix modernisation regression on py/jinja2/autoescape-false
2020-02-04 11:42:11 +01:00
Rasmus Wriedt Larsen bd1f21fb7a Python: Fix modernisation regression on py/weak-crypto-key
also fixes test code to use the right argument name
2020-02-04 11:42:11 +01:00
Rasmus Wriedt Larsen e5abfd0196 Python: Modernise Security/ queries 2020-02-04 11:42:11 +01:00
Rasmus Wriedt Larsen 2802ac2e72 Python: Add NumericValue
Since `IntObjectInternal` extends `TInt`, and `TInt` is defined for all
instances of `Builtin.intValue`, and `Builtin.intValue` includes both `int` and
`long`, we don't need to handle Longs in a special manner, as we did in NumericObject.
2020-02-04 11:39:16 +01:00
Rasmus Wriedt Larsen d30e6d2b69 Python: Value::forString and friends return StringValue 2020-02-03 14:35:09 +01:00
Rasmus Wriedt Larsen 27a7d09c94 Python: Fix minor problems in security examples 2020-02-03 14:35:09 +01:00
Rasmus Wriedt Larsen 5bc592514a Python: Consistently use "a user-provided value"
ReflectedXss was the only query that used it with the "a"
2020-02-03 14:35:09 +01:00
Rasmus Wriedt Larsen cc73352bf6
Merge pull request #2549 from tausbn/python-fix-several-bad-join-orders
Python: Fix several bad join orders.
2020-02-03 13:54:36 +01:00
Rasmus Wriedt Larsen 2648e34f1a Python: Autoformat security 2020-01-31 14:49:18 +01:00
Rasmus Wriedt Larsen 72fddaf5ed
Merge pull request #2733 from tausbn/python-add-stringvalue
Python: Extend `Value` API.
2020-01-31 13:12:14 +01:00
Taus Brock-Nannestad ba2bbf1788 Python: Extend `Value` API.
Adds

- `StringValue` as a new class,
- `Value::booleanValue` which returns the boolean interpretation of the given
  value, and
- `ClassValue::str` which returns the value of the `str` class, depending on the
  Python version.
2020-01-31 12:33:02 +01:00
Taus b89273402d
Merge pull request #2701 from RasmusWL/python-modernise-metrics
Python: modernise import related queries
2020-01-30 14:37:39 +01:00
Anders Schack-Mulligen 743b612d0d Javascript/Python: Sync XML.qll 2020-01-29 13:31:25 +01:00
Rasmus Wriedt Larsen 4ca72de4cd Python: Fix recommended module for deprecated posixfile
$ python2 -W default -c 'import posixfile'
-c:1: DeprecationWarning: The posixfile module is deprecated; fcntl.lockf() provides better locking

https://docs.python.org/2.7/library/posixfile.html
2020-01-28 16:44:47 +01:00
Rasmus Wriedt Larsen 6c7cddf258 Python: py/import-deprecated-module handle backwards compatible code 2020-01-28 16:36:47 +01:00
Rasmus Wriedt Larsen e92d6c0459 Python: Stop py/import-deprecated-module from double alerting
This changes the location from the import statement, to the actual expression
2020-01-28 16:15:46 +01:00
Rasmus Wriedt Larsen 7949acc3ef Python: Autoformat 2020-01-28 16:15:21 +01:00
Rasmus Wriedt Larsen 194228850a Python: Add tests for py/import-deprecated-module 2020-01-28 16:15:21 +01:00
Rasmus Wriedt Larsen c25782d6da Python: For web tests, use more precise name HttpResponseSinks
Since there are also HttpRedirectTaintSink, using HttpSink is confusing
2020-01-28 13:06:48 +01:00
Rasmus Wriedt Larsen 46f4b74134 Python: Fix tornado lib: a redirect is not a http response 2020-01-28 13:06:48 +01:00
Rasmus Wriedt Larsen ee382bb2ea Python: Fix typo (reques => request) 2020-01-28 13:06:48 +01:00
Rasmus Wriedt Larsen 9bc72450a0 Python: Temporarily disable falcon HttpSinks test
I will fix this in another PR
2020-01-28 13:06:48 +01:00
Rasmus Wriedt Larsen 9b2ca0c9c7 Python: Update web libraries to use HttpSources and HttpSinks 2020-01-28 13:06:48 +01:00
Rasmus Wriedt Larsen 2cdbae08b6 Python: Don't make duplicate sink for Tornado handler
`self.write(...)` would be treated as *both* TornadoConnectionWrite and
TornadoHttpRequestHandlerWrite
2020-01-28 13:06:48 +01:00
Rasmus Wriedt Larsen effa4548ab Python: Add toString to TurboGears HttpResponseTaintSinks
Naming these was a bit hard, but better than generic "Taint Sink"
2020-01-28 13:06:48 +01:00
Rasmus Wriedt Larsen 6b87458c2e Python: Add explicit tests for HttpSources and HttpSinks
Some of the tests currently fail, since they can't reproduce the old tests
results (since the sinks/sources defined in the library code are not
HttpResponseTaintSink/HttpRequestTaintSource)
2020-01-28 13:06:48 +01:00
Rasmus Wriedt Larsen b36a6aa5b5 Python: Remove unused variable from exists expression 2020-01-28 13:05:25 +01:00
Rasmus Wriedt Larsen 0a1c91fbb8 Python: Autoformat web tests QL files 2020-01-28 13:05:25 +01:00
Rasmus Wriedt Larsen d67577e66c Python: Modernise import related queries
Except for Metrics/Dependencies/ExternalDependenciesSourceLinks.ql, since it is
rather tricky :D
2020-01-27 16:01:25 +01:00
Rasmus Wriedt Larsen 647b9cdcb0 Python: Autoformat query 2020-01-27 16:01:24 +01:00
Rasmus Wriedt Larsen 081d66eaa3 Python: Recognize taint for extended iterable unpacking 2020-01-27 15:28:53 +01:00
Rasmus Wriedt Larsen 1b670354b2 Python: Add tests for extended iterable unpacking 2020-01-27 15:24:55 +01:00
Rasmus Wriedt Larsen 781024d679 Python: Recognize taint for iterable unpacking 2020-01-27 14:43:07 +01:00
Rasmus Wriedt Larsen a3f1f4cb87 Python: Add iterable unpacking tests 2020-01-27 14:43:07 +01:00
Rasmus Wriedt Larsen fa48fb04f5 Python: Recognize nested tuple/list assignment
Now we recognize `[(x,y)] = [(1,2)]` -- in itself not a widely used idiom, but
more of a warmup exercise for me
2020-01-27 14:42:54 +01:00
Rasmus Wriedt Larsen 9763ec71fe Python: Add tests for nested assignment 2020-01-27 14:39:34 +01:00
Rasmus Wriedt Larsen 9502756874 Python: Autoformat dataflow files 2020-01-27 13:07:01 +01:00
Rasmus Wriedt Larsen 1ce77ff600
Merge pull request #2507 from tausbn/python-fix-infinite-tuple-tostring
Python: Fix divergence in tuple `toString`.
2020-01-27 11:14:44 +01:00
Taus Brock-Nannestad 3cebffe820 Python: Fix divergence in tuple `toString`.
Our definition of `toString` for the internal tuple objects we create during the
points-to analysis may have been a _tad_ too ambitious. In particular, it can
easily lead to non-termination, e.g. using the following piece of code:

```python
x = ()
while True:
    x = (x, x)
```

This commit cuts off the infinite recursion by replacing _nested_ tuples with
the string "...". In particular this means even non-recursive tuples will be cut
off at that point, so that the following tuples

```python
(1, "2")
((3, 4), [5, 6])
(1, 2, 3, 4, 5)
```

get the following string representations.

```
"(int 1, '2', )"
"(..., List, )"
"(int 1, int 2, int 3, 2 more...)"
```
2020-01-24 17:08:56 +01:00
Taus 5a2dfd40af
Merge pull request #2639 from RasmusWL/python-improve-dict-taint
Python: Improve tests for tainted collections
2020-01-24 15:06:01 +01:00
Rasmus Wriedt Larsen 5778764a48 Python: Stop using deprecated getName in collections taint test 2020-01-24 10:32:17 +01:00
Rasmus Wriedt Larsen 3db551d6bc Python: Use variables in collection-taint test
They are not tainted in assignment, only in use.

I also adopted an attempt at a better test-setup, where it's easy to see if
everything is the way you hoped for, instead of browsing through 100 of lines of
taint-step output :P
2020-01-24 10:32:17 +01:00
Taus 0627fadbff
Merge pull request #2669 from RasmusWL/python-modernise-resources
Python: modernise Resources/ queries
2020-01-23 13:43:33 +01:00
Taus 618a35bb7c
Merge pull request #2664 from RasmusWL/python-fix-redirect-example
Python: Remove unused variable in example for py/url-redirection
2020-01-23 13:42:00 +01:00
Taus d06e86f54d
Merge pull request #2662 from RasmusWL/python-taint-on-eq-test
Python: Only clear taint on constant comparison in if
2020-01-23 13:41:40 +01:00
Taus ef7eafa849
Merge pull request #2644 from RasmusWL/python-add-deprecated-keyword
Python: Add deprecated keyword to deprecated functions
2020-01-23 13:41:15 +01:00