Commit graph

7531 Commits

Author SHA1 Message Date
Rasmus Wriedt Larsen bfcc194b85
Python: Move experimental `paramiko` to new dataflow API 2023-08-28 15:31:08 +02:00
Rasmus Wriedt Larsen acd0f2a8fb
Python: Move experimental `LDAPInsecureAuth` to new dataflow API 2023-08-28 15:31:08 +02:00
Rasmus Wriedt Larsen c6911c2ae0
Python: Move experimental `UnicodeBypassValidation` to new dataflow API 2023-08-28 15:31:08 +02:00
Rasmus Wriedt Larsen 2c06394bf3
Python: Move experimental `CookieInjection` to new dataflow API 2023-08-28 15:31:08 +02:00
Rasmus Wriedt Larsen 2c412707ab
Python: Move experimental `CsvInjection` to new dataflow API 2023-08-28 15:31:08 +02:00
Rasmus Wriedt Larsen ace1e23c21
Python: Move experimental `ClientSuppliedIpUsedInSecurityCheck` to new dataflow API 2023-08-28 15:31:08 +02:00
Rasmus Wriedt Larsen d948e103fa
Python: Move experimental `HeaderInjection` to new dataflow API 2023-08-28 15:31:08 +02:00
Rasmus Wriedt Larsen 53e57dad5c
Python: Move experimental `InsecureRandomness` to new dataflow API 2023-08-28 15:31:08 +02:00
Rasmus Wriedt Larsen 3bf2705668
Python: Move experimental `TimingAttackAgainstHeaderValue` to new dataflow API 2023-08-28 15:31:08 +02:00
Rasmus Wriedt Larsen c88a0ccb7c
Python: Move experimental `TimingAttackAgainstHash` to new dataflow API 2023-08-28 15:31:07 +02:00
Rasmus Wriedt Larsen a779547515
Python: Move experimental `PossibleTimingAttackAgainstHash` to new dataflow API 2023-08-28 15:31:07 +02:00
Rasmus Wriedt Larsen 8abd3430a2
Python: Move experimental `TimingAttackAgainstSensitiveInfo` to new dataflow API 2023-08-28 15:31:07 +02:00
Rasmus Wriedt Larsen 1a4e8d9464
Python: Move experimental `PossibleTimingAttackAgainstSensitiveInfo` to new dataflow API 2023-08-28 15:31:07 +02:00
Rasmus Wriedt Larsen 5fd3594f5f
Python: Move TimingAttack.qll to new dataflow API 2023-08-28 15:31:07 +02:00
Rasmus Wriedt Larsen 5d8329d9c8
Python: Move experimental `ZipSlip` to new dataflow API 2023-08-28 15:31:07 +02:00
Rasmus Wriedt Larsen 67cc3a3935
Python: Move experimental `ReflectedXSS` to new dataflow API 2023-08-28 15:31:07 +02:00
Rasmus Wriedt Larsen a0d26741d0
Python: Move experimental `TarSlipImprov` to new dataflow API 2023-08-28 15:31:07 +02:00
Rasmus Wriedt Larsen 3cdd875e9f
Python: Move experimental `UnsafeUnpack` to new dataflow API 2023-08-28 15:31:07 +02:00
Rasmus Wriedt Larsen 3edb9d1011
Python: Move experimental `TokenBuiltFromUUID` to new dataflow API 2023-08-28 15:31:07 +02:00
Rasmus Wriedt Larsen acde1920e7
Python: Move `UntrustedDataToExternalAPI` to new dataflow API 2023-08-28 15:27:50 +02:00
Rasmus Wriedt Larsen 657b1997cc
Python: Move `FullServerSideRequestForgery` and `PartialServerSideRequestForgery` to new dataflow API 2023-08-28 15:27:50 +02:00
Rasmus Wriedt Larsen dbfe517555
Python: Move `HardcodedCredentials` to new dataflow API 2023-08-28 15:27:50 +02:00
Rasmus Wriedt Larsen 46322b717a
Python: Move `XmlBomb` to new dataflow API 2023-08-28 15:27:50 +02:00
Rasmus Wriedt Larsen add1077532
Python: Move `RegexInjection` to new dataflow API 2023-08-28 15:27:50 +02:00
Rasmus Wriedt Larsen c6caf83dfe
Python: Move `PolynomialReDoS` to new dataflow API 2023-08-28 15:27:50 +02:00
Rasmus Wriedt Larsen 4c336990e5
Python: Move `XpathInjection` to new dataflow API 2023-08-28 15:27:50 +02:00
Rasmus Wriedt Larsen 60e45335dd
Python: Move `Xxe` to new dataflow API 2023-08-28 15:27:50 +02:00
Rasmus Wriedt Larsen 4c76ca6127
Python: Move `UrlRedirect` to new dataflow API 2023-08-28 15:27:50 +02:00
Rasmus Wriedt Larsen 6f08e73dbc
Python: Move `UnsafeDeserialization` to new dataflow API 2023-08-28 15:27:50 +02:00
Rasmus Wriedt Larsen dd074173d2
Python: Move `WeakSensitiveDataHashing` to new dataflow API
I adopted helper predicates to do the "heavy" lifting of .asPathNode1(), maybe I like this approach better... let me know what you think 😊
2023-08-28 15:27:50 +02:00
Rasmus Wriedt Larsen 9d6b96dfd2
Python: Move `CleartextStorage` to new dataflow API 2023-08-28 15:27:50 +02:00
Rasmus Wriedt Larsen 70095446b6
Python: Move `CleartextLogging` to new dataflow API 2023-08-28 15:27:50 +02:00
Rasmus Wriedt Larsen cca78f31ff
Python: Move `PamAuthorization` to new dataflow API 2023-08-28 15:27:50 +02:00
Rasmus Wriedt Larsen dcd96083e8
Python: Move `StackTraceExposure` to new dataflow API 2023-08-28 15:27:50 +02:00
Rasmus Wriedt Larsen f75e65c67d
Python: Move `LogInjection` to new dataflow API 2023-08-28 15:27:50 +02:00
Rasmus Wriedt Larsen 88cf9c99b0
Python: Move `CodeInjection` to new dataflow API 2023-08-28 15:27:50 +02:00
Rasmus Wriedt Larsen 05573904a5
Python: Move `LdapInjection` to new dataflow API
We could have switched to a stateful config, but I tried to keep changes
as straightforward as possible.
2023-08-28 15:27:50 +02:00
Rasmus Wriedt Larsen c360346e9e
Python: Move `ReflectedXss` to new dataflow API 2023-08-28 15:27:49 +02:00
Rasmus Wriedt Larsen b30142c1d7
Python: Move `CommandInjection` to new dataflow API 2023-08-28 15:27:49 +02:00
Rasmus Wriedt Larsen 700841e9b0
Python: Move `UnsafeShellCommandConstruction` to new dataflow API 2023-08-28 15:27:49 +02:00
Rasmus Wriedt Larsen d4e4e2d426
Python: Move `TarSlip` to new dataflow API 2023-08-28 15:27:49 +02:00
Rasmus Wriedt Larsen e97032909a
Python: Move `PathInjection` to new dataflow API 2023-08-28 15:27:49 +02:00
Rasmus Wriedt Larsen 245c24077d
Python: Move `SqlInjection` to new dataflow API 2023-08-28 15:27:49 +02:00
yoff 2e981e330b
Merge pull request #14059 from RasmusWL/fix-loginjection-tests
Python: Fix stdlib sinks in LogInjection query
2023-08-28 14:44:51 +02:00
yoff 6e05246daa
Merge pull request #13935 from yoff/python/mad-on-externals
Python: MaD on externals
2023-08-28 14:04:54 +02:00
Rasmus Wriedt Larsen c807ab4216
Python: Apply suggestions from code review
Co-authored-by: yoff <lerchedahl@gmail.com>
2023-08-28 14:04:22 +02:00
yoff 826b8e6aa5
Merge pull request #14067 from RasmusWL/modern-dataflowquerytests
Python: Adopt tests to new `DataflowQueryTest`
2023-08-28 13:54:34 +02:00
Rasmus Wriedt Larsen 889cb7a95b
Python: Adopt tests to new `DataflowQueryTest`
Co-authored-by: Rasmus Lerchedahl Petersen <yoff@github.com>
2023-08-28 11:44:01 +02:00
Rasmus Wriedt Larsen 9c44235782
Python: Modernize DataflowQueryTest.qll
Co-authored-by: Rasmus Lerchedahl Petersen <yoff@github.com>
2023-08-28 11:40:41 +02:00
Rasmus Wriedt Larsen 7cba6cd1d8
Python: Update `.expected` files
Due to change in path-graph, and including LHS of assignments
2023-08-28 11:33:44 +02:00
Rasmus Wriedt Larsen 0f242475f2
Merge branch 'main' into experimental-cleanup 2023-08-28 11:01:22 +02:00
Rasmus Wriedt Larsen 0dca8a5d86
Python: Remove old points-to modeling file
Since all of this was ported already
2023-08-28 10:40:45 +02:00
Rasmus Wriedt Larsen 39e2b133e9
Python: Fix naming 2023-08-28 10:40:33 +02:00
Rasmus Wriedt Larsen bf9a0dab2a
Python: Fix stdlib sinks in LogInjection query 2023-08-25 17:04:48 +02:00
Rasmus Wriedt Larsen 7852429df2
Python: Accept LogInjection `.expected` changes
I don't know how this had gone unnoticed for so long, but I realized when I tried to run this query locally
2023-08-25 17:04:40 +02:00
Rasmus Lerchedahl Petersen ad49eada48 Python: Do not alter `codeql-workspaces.yml`
And remove the qlpack referred to therein.
Instead we rename and duplicate the extension file
that this qlpack pointed to.
These two extension files are kept in sync by `identical-files.json`.
2023-08-25 11:46:41 +02:00
Rasmus Lerchedahl Petersen 68cd422788 Python: Fix test expectations 2023-08-25 11:27:53 +02:00
Rasmus Lerchedahl Petersen 137f9e7234 Python: Address review comments
- make qldoc accurate
- fix ql4ql alert
2023-08-24 21:28:07 +02:00
Rasmus Lerchedahl Petersen d3c24ba110 Python: fix test expectations 2023-08-24 21:21:49 +02:00
Rasmus Lerchedahl Petersen 88fc96e8d7 Python: Add test with prefix 2023-08-24 21:21:49 +02:00
Rasmus Lerchedahl Petersen 7ad1a21c2d Python: make mode characters not be characters
They are simply considered part of the group start.
2023-08-24 21:21:49 +02:00
yoff a834703195
Merge pull request #13779 from geoffw0/pythonparsemode
Python: Understand multiple parse mode flags specified in a regular expression string
2023-08-24 21:20:45 +02:00
Geoffrey White f07f97a94e Python: Accept test changes. I think these reflect the 'parse mode chars should not be considered chars' issue. 2023-08-24 10:52:52 +01:00
Rasmus Wriedt Larsen f33359bd5c
Python: Fix tests 2023-08-23 15:37:55 +02:00
yoff 00c0ebe9e4
Merge pull request #13738 from RasmusWL/path-steps
Python: Include all assignments in data flow paths
2023-08-22 11:58:11 +02:00
Michael Nebel ce6fd8ac5f
Merge pull request #13432 from michaelnebel/updateissupported
Java/C#: Update telemetry queries to report callables with sink/source neutrals as being supported.
2023-08-22 08:39:38 +02:00
Jeroen Ketema 2d0f73d7c2
Merge pull request #13881 from jketema/shared-taint-tracking
Introduce shared taint tracking library
2023-08-21 12:45:49 +02:00
Rasmus Wriedt Larsen c8c69aac9b
Merge pull request #13561 from amammad/amammad-python-WebAppsConstatntSecretKeys
Python: Flask & Django Constant Secret Key initialization
2023-08-21 11:39:19 +02:00
Michael Nebel 106ba11e10 Address review comments. 2023-08-21 09:59:02 +02:00
Michael Nebel d66fe08661 Add QLDoc for the getKind predicate. 2023-08-21 09:59:02 +02:00
Michael Nebel 42c7006378 Python: Sync files and make manual changes. 2023-08-21 09:59:01 +02:00
github-actions[bot] 098dfb4242 Release preparation for version 2.14.3 2023-08-18 14:48:15 +00:00
Rasmus Wriedt Larsen b579ab0694
Python: Accept `.expected` change 2023-08-18 11:12:55 +02:00
Rasmus Wriedt Larsen 38577e6a5c
Python: Remove duplicated SSTI tests
Besides the Cheetah tests, which were missing from the query tests.
2023-08-18 10:20:16 +02:00
Rasmus Wriedt Larsen 33f8998c2e
Python: Minor fix in test 2023-08-18 10:19:44 +02:00
Rasmus Wriedt Larsen 843f2681bb
Python: Apply suggestions from code review
Co-authored-by: yoff <lerchedahl@gmail.com>
2023-08-18 10:09:45 +02:00
Rasmus Wriedt Larsen cf54d3f4ca
Python: Move paramiko tests to own folder 2023-08-17 15:45:28 +02:00
Rasmus Wriedt Larsen 4c693b4fc3
Python: Port `py/xslt-injection` to new data-flow 2023-08-17 15:45:07 +02:00
Rasmus Wriedt Larsen ef139f2ee9
Python: Delete `XsltSinks.ql` test 2023-08-17 15:45:07 +02:00
Rasmus Wriedt Larsen 779fe6498c
Python: Rename to `XsltInjection.ql` 2023-08-17 15:45:07 +02:00
Rasmus Wriedt Larsen 0336c76871
Python: Rename template injection tests 2023-08-17 15:45:04 +02:00
Rasmus Wriedt Larsen 91edde72c4
Python: Port `py/template-injection` to new data-flow
I kept all the modeling in _one_ file, since that makes it easy to work
with such an external contribution... and I would certainly propose this
file setup for the future 👍
2023-08-17 15:44:26 +02:00
Rasmus Wriedt Larsen 4277be5819
Python: Add change-note 2023-08-17 10:46:36 +02:00
Rasmus Wriedt Larsen 24f9f13790
Python: Fix tests 2023-08-17 10:15:36 +02:00
Jeroen Ketema 33e8310625
Merge branch 'main' into shared-taint-tracking 2023-08-17 00:14:25 +02:00
yoff 7f2f6f14e7
Merge pull request #13729 from yoff/python/model-aws-lambdas
Python/JavaScript: Shared module for serverless functions
2023-08-16 15:14:08 +02:00
Rasmus Wriedt Larsen 0443057608
Merge branch 'main' into amammad-python-WebAppsConstatntSecretKeys 2023-08-16 15:06:08 +02:00
yoff b2988e5516
Update python/ql/lib/change-notes/2023-08-07-serverless-sources.md
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
2023-08-16 12:56:39 +02:00
Rasmus Wriedt Larsen c55b0982f7
Merge pull request #13819 from yoff/python/relax-module-resolution
Python: Relax module resolution
2023-08-16 12:04:49 +02:00
Rasmus Lerchedahl Petersen 6614e037ae Python: format 2023-08-15 21:40:20 +02:00
yoff 7eb41140ab
Update python/ql/lib/semmle/python/Module.qll
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
2023-08-15 15:47:00 +02:00
Rasmus Lerchedahl Petersen e6943ce98e Python: use standard test format 2023-08-15 15:26:18 +02:00
Rasmus Lerchedahl Petersen 8f70c9f950 Python: add comment about namespace packages 2023-08-15 12:02:02 +02:00
Erik Krogh Kristensen 6a3b9e10eb
Merge pull request #13914 from erik-krogh/escape-unicode
ReDoS: escape unicode chars in the output for the ReDoS queries
2023-08-15 11:21:21 +02:00
Rasmus Wriedt Larsen d12743d7c3
Merge pull request #13941 from yoff/python/test-nice-location
Python: fix nice locations for import aliases
2023-08-14 21:37:23 +02:00
amammad eb5529eac5 sanitize results existing in test/demo/example/sample directories 2023-08-14 23:48:03 +10:00
Rasmus Wriedt Larsen 1c3cc1fa29
Python: Remove flow through stdlib
This means tests can pass on any machine now 👍
2023-08-14 11:55:22 +02:00
Rasmus Wriedt Larsen 794d04e4c0
Python: Model `os.getenv[b]` 2023-08-14 11:55:00 +02:00
Rasmus Wriedt Larsen 6e168ff7d8
Python: Only interested in StrConst 2023-08-14 11:46:21 +02:00
Rasmus Wriedt Larsen 0fba38c6d8
Merge branch 'main' into amammad-python-WebAppsConstatntSecretKeys 2023-08-14 11:29:56 +02:00