github
/
codeql
зеркало из https://github.com/github/codeql.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность
58 953 коммитов 1 541 ветка 132 Теги 497 MiB
Граф коммитов

7531 Коммитов

Автор SHA1 Сообщение Дата
Geoffrey White dbde99df91 Python: Add test cases. 2023-07-20 11:06:00 +01:00
Geoffrey White cb6276e5e2 Python: Test layout. 2023-07-19 18:44:15 +01:00
Anders Schack-Mulligen e72a0b2f8c Dataflow: Add change notes. 2023-07-19 11:41:15 +02:00
Anders Schack-Mulligen ae24d68b5d C/C++/C#/Java/Python/Ruby/Swift: Adjust expected output. 2023-07-19 11:41:15 +02:00
Anders Schack-Mulligen 95d17045c9 Dataflow: Sync. 2023-07-19 11:41:15 +02:00
yoff a1aa16f901
Merge pull request #13745 from GeekMasher/py-mad-xss 
Python - Add Models as Data support for Reflected XSS Query
 2023-07-18 13:39:17 +02:00
Mathew Payne 6ef55aa14f
Update python/ql/lib/semmle/python/security/dataflow/ReflectedXSSCustomizations.qll 
Co-authored-by: yoff <lerchedahl@gmail.com>
 2023-07-17 15:44:38 +01:00
yoff d032bf5c0e
Merge pull request #13685 from RasmusWL/captured-variables-default-param-value 
Python: Model parameter with default value as `DefinitionNode`
 2023-07-17 14:25:13 +02:00
Mathew Payne e3d75c488e
Merge branch 'main' into py-mad-xss 2023-07-17 11:08:09 +01:00
Rasmus Wriedt Larsen 13fa08a90a
Python: Move source modeling to shared file 2023-07-14 14:47:50 +02:00
Rasmus Wriedt Larsen aa8ed91993
Python: Accept `.expected` changes 
but it's kinda bad, since it has paths to stdlib in there :(
 2023-07-14 14:47:27 +02:00
Rasmus Wriedt Larsen 9e0f985e23
Python: Fix qlref 2023-07-14 14:33:17 +02:00
Rasmus Wriedt Larsen 8279cf7c9c
Merge branch 'main' into amammad-python-WebAppsConstatntSecretKeys 2023-07-14 14:32:43 +02:00
Mathew Payne cf65ab834d fix: formatting issue 2023-07-14 12:31:40 +01:00
Mathew Payne 4c1612f2dd feat: add change log notes 2023-07-14 12:28:51 +01:00
Mathew Payne c292984338 feat: add MaD to XSS query 2023-07-14 12:25:54 +01:00
Rasmus Wriedt Larsen 0db535bdd7
Python: Minor naming update 2023-07-14 12:54:54 +02:00
Asger F eb5c600a6b Python: fix some whitespace 2023-07-13 15:42:34 +02:00
Asger F 2b0a8097e6 Python: implement Fuzzy for Python 2023-07-13 15:42:34 +02:00
Asger F 919cb07c1e Sync ApiGraphModels.qll 2023-07-13 15:42:33 +02:00
Rasmus Wriedt Larsen 991d5cc54b
Python: Fix test of `HttpResponse.getBody()` 2023-07-13 13:57:08 +02:00
Rasmus Wriedt Larsen 64a7206f3e
Python: Improve aiohttp FileResponse/StreamResponse modeling 
However, notice that the concepts tests use the HttpResponse location
for the `responseBody` tag, which seems a little odd in this situation,
where they are actually separate. Will fix in next commit.
 2023-07-13 13:57:08 +02:00
Rasmus Wriedt Larsen 15269c9166
Python: Add `StreamResponse` test 2023-07-13 13:57:08 +02:00
Rasmus Wriedt Larsen 0f9ab8f53e
Python: Fixup tests 
But notice that keyword argument is not handled yet
 2023-07-13 13:57:08 +02:00
Alvaro Muñoz ee1ba71e5d add tests 2023-07-13 13:07:12 +02:00
Alvaro Muñoz 10cd649ba7 address code review feedback 2023-07-13 12:24:19 +02:00
Alvaro Muñoz 69efddbaef
Apply suggestions from code review 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2023-07-13 12:23:00 +02:00
Anders Schack-Mulligen 837df2ad37 Dataflow: Sync. 2023-07-13 10:55:39 +02:00
Ed Minnix 63299688d5 Add change notes for default implementations of isBarrier and isAdditionalFlowStep 2023-07-12 15:21:16 -04:00
Ed Minnix 3db2644008 Python: Add default implementation of StateConfigSig::isAdditionalFlowStep/4 2023-07-12 15:06:25 -04:00
Ed Minnix 43f870e395 Python: Add default implementation of StateConfigSig::isBarrier/2 2023-07-12 15:06:25 -04:00
Alvaro Muñoz 7a717555aa fix qldocs 2023-07-12 17:27:17 +02:00
Alvaro Muñoz 733e625080 fix change note 2023-07-12 17:26:12 +02:00
Alvaro Muñoz f2cc2af276 aiohttp improvements 2023-07-12 17:19:56 +02:00
yoff 76455d628e
Update python/ql/lib/semmle/python/frameworks/ServerLess.qll 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2023-07-12 16:50:13 +02:00
Rasmus Lerchedahl Petersen 4d2ce6b2e0 python: create shared serverless module and use it 
Modelled on the javascript serverless module, but
- The predicate that reports YAML files is now public
  so languages can implement their own file conventions.
- It also reports framework and runtime.
- The conveninece predicates with files still exist,
  but they only report the path.
- Handler mapping conventions are now documented.
- Use parameterised serverless module in Python,
  tests now pass.
 2023-07-12 16:42:01 +02:00
Rasmus Lerchedahl Petersen a892e83c8e python: add simple test for AWS lambda 
made space for other serverless frameworks in the directory `serverless`
 2023-07-12 16:42:00 +02:00
Rasmus Wriedt Larsen 98ed5cf522
Python: Move `not this instanceof ParameterDefinition` logic 2023-07-12 11:31:27 +02:00
Rasmus Wriedt Larsen 83ca47f32c
Python: Add change-note 2023-07-11 11:33:06 +02:00
Rasmus Wriedt Larsen a1225674ee
Python: Add implementation note about why not targeting ESSA node 2023-07-11 11:32:26 +02:00
Jeroen Ketema 92ee31849c
Merge pull request #13643 from jketema/inline-5 
Rework the remaining inline expectation tests to use the parameterized module
 2023-07-11 11:29:14 +02:00
Mathias Vorreiter Pedersen a4c0063ab1
Merge pull request #13679 from MathiasVP/speedup-big-step 
DataFlow: Speed up the big step relation
 2023-07-11 09:44:17 +01:00
Jeroen Ketema 8cee4f37a4
Merge branch 'main' into inline-5 2023-07-11 10:30:11 +02:00
Asger F d88f557dbe
Merge pull request #13683 from asgerf/rb/api-graph-noobject 
Ruby: exclude Object class from API graph
 2023-07-10 12:51:15 +02:00
Mathias Vorreiter Pedersen 44f23bfa59
Merge pull request #13690 from github/post-release-prep/codeql-cli-2.14.0 
Post-release preparation for codeql-cli-2.14.0
 2023-07-07 23:39:38 +01:00
github-actions[bot] 13cf054a9d Post-release preparation for codeql-cli-2.14.0 2023-07-07 14:55:41 +00:00
Rasmus Wriedt Larsen 44c67171f2
Python: Fix default parameter value flow 
Somehow the previous fix didn't work :O
 2023-07-07 16:17:07 +02:00
Rasmus Wriedt Larsen a850a481d0
Merge pull request #13676 from RasmusWL/aiohttp-ssrf-sink 
Python: Relax restriction of flow through `async with`
 2023-07-07 14:55:57 +02:00
Rasmus Wriedt Larsen 43b025015d
Python: Avoid overlap between `AssignmentDefinition` and `ParameterDefinition` 2023-07-07 14:26:28 +02:00
Rasmus Wriedt Larsen 4e8a1144f2
Python: Remove explicit jumpStep for default parameter values 
tests added in https://github.com/github/codeql/pull/5238
functionality added in https://github.com/github/codeql/pull/6640
 2023-07-07 14:24:51 +02:00
Rasmus Wriedt Larsen 4920557c36
Merge pull request #13670 from jorgectf/seclab/xxe-sanitizer 
Python: Add `markupsafe` as XXE sanitizer
 2023-07-07 12:30:26 +02:00
Rasmus Wriedt Larsen 70994b9c57
Python: Accept points-to .expected changes 
They look pretty safe to me, but haven't given them a whole lot of
thought.
 2023-07-07 12:14:19 +02:00
Rasmus Wriedt Larsen c5e8e232e5
Python: Fix dataflow consistencies for default parameter values 2023-07-07 11:55:07 +02:00
Rasmus Wriedt Larsen 6f3cb67050
Python: Model parameter with default value as `DefinitionNode` 2023-07-07 11:54:50 +02:00
Rasmus Wriedt Larsen 64a86e8fd7
Python: Update inline expectations 2023-07-07 11:32:05 +02:00
Rasmus Wriedt Larsen cfd2d09a61
Python: Add test for `DefinitionNode` default parameter value 2023-07-07 11:00:16 +02:00
Mathias Vorreiter Pedersen 1064efa8b3
Update python/ql/lib/change-notes/released/0.10.0.md 2023-07-07 09:25:03 +01:00
Mathias Vorreiter Pedersen 82ff045315
Update python/ql/lib/CHANGELOG.md 2023-07-07 09:24:50 +01:00
github-actions[bot] 6484ee106e Release preparation for version 2.14.0 2023-07-07 08:22:14 +00:00
Asger F 86b5f0adc7 Revert "Merge pull request #13620 from github/revert-13496-rb/tracking-on-demand" 
This reverts commit 133de56ac2, reversing
changes made to 28a8e48351.
 2023-07-07 09:42:34 +02:00
Rasmus Wriedt Larsen bea07002d3
Python: Expand captured-variable test with default param 2023-07-06 17:21:29 +02:00
Dave Bartolomeo 9631e9f2f1 Bump minor version numbers post-GHES 2023-07-06 10:10:01 -04:00
Dave Bartolomeo 2bb9adfbf1 Merge remote-tracking branch 'origin/main' into dbartol/mergeback-3.10 2023-07-06 10:00:46 -04:00
Rasmus Wriedt Larsen 30cf213372
Python: Add change-note 2023-07-06 15:04:49 +02:00
Rasmus Wriedt Larsen a0dfbfd96f
Python: Fix grammar in qldoc 
Co-authored-by: Taus <tausbn@github.com>
 2023-07-06 15:04:21 +02:00
Mathias Vorreiter Pedersen 83d0dec0fb DataFlow: Sync identical files. 2023-07-06 14:00:00 +01:00
Rasmus Wriedt Larsen 1f93e5b58d
Python: Relax restriction of flow through `async with` 2023-07-06 11:51:58 +02:00
Rasmus Wriedt Larsen 43af8d7ac5
Python: Fix test to use `async with` 
It doesn't work if just using plain `with`
 2023-07-06 11:34:05 +02:00
Rasmus Wriedt Larsen 79039dc7b8
Python: Wrap `aiohttp` client request in `async def` 
And I added `await` before all the `resp` assignments
 2023-07-06 11:29:14 +02:00
jorgectf c82ab2b2ab Add `markupsafe` as XXE sanitizer 
Co-authored-by: Kevin Stubbings <Kwstubbs@users.noreply.github.com>
 2023-07-05 20:23:20 +02:00
Michael Nebel 238f390738
Merge pull request #13452 from michaelnebel/refactorstackprinting 
Re-factor printing of summary component stacks.
 2023-07-04 08:29:10 +02:00
Michael Nebel 243c592447 Address review comments. 2023-07-03 17:01:08 +02:00
Michael Nebel bddd22f522 Sync files and make language specific adjustments. 2023-07-03 14:36:07 +02:00
Michael Nebel d62a5524f8 Python: Improve AccessPath printing. 2023-07-03 14:36:06 +02:00
Michael Nebel c18f4b1604 Sync files and make language specific rename. 2023-07-03 14:36:06 +02:00
Jeroen Ketema 5d855594ba
Python: Use correct class in inline expectation test 
These were missed earlier, and still referred to the classes from the legacy
interface and not the parameterized module.
 2023-07-03 10:23:26 +02:00
Jeroen Ketema abe06e5b95
Python: Update remaining inline expectation tests to use the paramterized module 2023-07-03 10:22:35 +02:00
amammad 2ba83022c7 delete old qhelp file 2023-07-01 04:49:35 +10:00
Chuan-kai Lin ce464a7d69 Remove pragma[assume_small_delta] 2023-06-30 11:09:29 -07:00
amammad 931f492df2 cleaning up mistakes 2023-06-30 23:03:29 +10:00
amammad 6f34c3225b
Merge branch 'github:main' into amammad-python-WebAppsConstatntSecretKeys 2023-06-30 22:36:45 +10:00
amammad 816799c4ba upgrade query to detect redash CVE too 2023-06-30 22:14:50 +10:00
github-actions[bot] 668aaa2dc8 Post-release preparation for codeql-cli-2.13.5 2023-06-30 08:51:48 +00:00
Asger F 5d1a437e9c
Revert "Ruby: overhaul API graphs" 2023-06-29 15:39:19 +02:00
amammad 7a17b99c17 V2 2023-06-29 20:55:51 +10:00
github-actions[bot] 9d7987f822 Release preparation for version 2.13.5 2023-06-29 09:26:18 +00:00
Tom Hvitved 9a26fc3178
Merge pull request #13573 from hvitved/ruby/inline-late-members 
Ruby/Python: Use `inline_late` on member predicates
 2023-06-29 09:07:14 +02:00
Asger F f0517028b9
Merge pull request #13496 from asgerf/rb/tracking-on-demand 
Ruby: overhaul API graphs
 2023-06-28 15:01:37 +02:00
Tom Hvitved fa92e79bea Ruby/Python: Use `inline_late` on member predicates 2023-06-28 09:04:06 +02:00
Kasper Svendsen f41276cb7f Python: Enable implicit this warnings for remaining packs 2023-06-27 12:00:13 +02:00
Rasmus Wriedt Larsen 257f9912dd
Python: Remove one more unnecessary taint test 2023-06-26 12:00:55 +02:00
Rasmus Wriedt Larsen 6cb03190fa
Python: Updates from inline test being parameterized 2023-06-26 11:43:51 +02:00
Rasmus Wriedt Larsen 0121263e03
Merge branch 'main' into python/enable-summaries-from-models 2023-06-26 11:34:12 +02:00
amammad e3e0307db7 V1 2023-06-25 20:36:28 +10:00
Asger F 0039cb141e Merge branch 'main' into rb/tracking-on-demand 2023-06-23 12:55:54 +02:00
yoff 26856a82a6
Apply suggestions from code review 
Co-authored-by: Asger F <asgerf@github.com>
 2023-06-23 10:15:20 +02:00
Rasmus Lerchedahl Petersen 86dfc7b66e python: format 2023-06-23 08:18:06 +02:00
Rasmus Lerchedahl Petersen 2264b119a6 python: more consistent tests 
- do not test taint flow whne dataflow is established
- test taint of both the collection and the expected element
 2023-06-22 11:52:25 +02:00
yoff 0f8ebd1519
Update python/ql/test/experimental/dataflow/model-summaries/model_summaries.py 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2023-06-22 11:31:21 +02:00
Jeroen Ketema 277dbdf410
Merge pull request #13498 from jketema/inline-4 
Rework more inline expectation tests to use the parameterized module
 2023-06-22 10:01:07 +02:00
Henry Mercer 5afdaf8fe1
Merge pull request #13525 from github/rc/3.10 
Merge `rc/3.10` back to `main`
 2023-06-21 17:13:36 +01:00
Jami 5259a6ecfc
Merge pull request #13324 from jcogs33/jcogs33/shared-sink-kind-validation 
Shared: share MaD kind validation across languages
 2023-06-20 11:56:12 -04:00
Rasmus Lerchedahl Petersen cb2de69f5a python: consolidate tests 
also change `Foo` -> `foo`
 2023-06-20 16:13:38 +02:00
Erik Krogh Kristensen 2341c82450
Merge pull request #13342 from erik-krogh/once-again-deps 
Py: delete more old deprecations
 2023-06-20 15:29:17 +02:00
Rasmus Wriedt Larsen 47d0a6d2e3
Python: Restore rest of experimental files 2023-06-20 14:30:43 +02:00
Owen Mansel-Chan d7c97f8759
Merge pull request #13455 from owen-mc/dataflow/add-flowCheckNodeSpecific 
Dataflow: add language-specific hook for breaking up big step relation
 2023-06-20 13:24:26 +01:00
github-actions[bot] 18b678e69e Post-release preparation for codeql-cli-2.13.4 2023-06-20 10:20:05 +00:00
Rasmus Lerchedahl Petersen 5ceac5a771 python: add changenote 2023-06-20 11:53:31 +02:00
yoff 579c56c744
Merge pull request #13178 from yoff/python-ruby/track-through-summaries-pm 
ruby/python: Shared module for typetracking through flow summaries
 2023-06-20 11:19:45 +02:00
Rasmus Lerchedahl Petersen e111a19524 python: split tests into taint and value 
and add summaries
 2023-06-20 10:46:27 +02:00
Jeroen Ketema dba4460526
Python: Update more inline expectation tests to use the paramterized module 2023-06-20 10:16:15 +02:00
Asger F 0110610c6a Ruby: overhaul API graphs 2023-06-19 12:01:42 +02:00
Rasmus Lerchedahl Petersen eb3c33dfe2 python: remove erronous `getACall()` 
`base` is already the `CallNode` we want.
 2023-06-19 11:41:06 +02:00
Tony Torralba 8f6d2ed2f9 Adjust ZipSlip query description according to review suggestions. 2023-06-19 10:27:41 +02:00
Tony Torralba 3c4d938cf1 Apply code review suggestions. 
Co-authored-by: Asger F <asgerf@github.com>
 2023-06-19 10:20:19 +02:00
Tony Torralba 433fc680ec
Apply suggestions from code review 
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
 2023-06-19 10:17:40 +02:00
Rasmus Lerchedahl Petersen 229641070f python: rename summaries 2023-06-18 22:01:47 +02:00
Rasmus Lerchedahl Petersen 6554e804dd python: add test for model summaries 
(but no summaries yet)
 2023-06-18 21:52:49 +02:00
Rasmus Lerchedahl Petersen 18f4b75f8b python: enable summaries from model 
This requires a change to the shared interface:
Making `getNodeFromPath` public.

This because Python is doing its own thing and identifying call-backs.
 2023-06-18 21:52:49 +02:00
Rasmus Wriedt Larsen fb6955edf9
Python: Add tests of methods in summaries 2023-06-16 14:43:45 +02:00
Rasmus Wriedt Larsen afafaac0d7
Python: Fix typo 2023-06-16 14:41:36 +02:00
Tony Torralba c97868f774 Add change notes 2023-06-16 09:01:02 +02:00
Tony Torralba 3e96fe60c5 Go/Java/JS/Python/Ruby: Update the description and qhelp of the ZipSlip query 
All filesystem operations, not just writes, with paths built from untrusted archive entry names are dangerous
 2023-06-16 08:52:44 +02:00
Rasmus Lerchedahl Petersen b7bf750174 python: use updated names in test 2023-06-14 22:23:21 +02:00
Rasmus Lerchedahl Petersen 4fded84a49 python: implement missing predicates 2023-06-14 21:30:58 +02:00
Rasmus Lerchedahl Petersen 2491fda58e python: update comment 2023-06-14 21:16:39 +02:00
Rasmus Lerchedahl Petersen 6521a51d93 python: unique strings in tests 2023-06-14 21:14:50 +02:00
Rasmus Lerchedahl Petersen 0e713e6fc1 ruby/python: more consistent naming of parameters 2023-06-14 21:02:42 +02:00
yoff af72509ce6
Update python/ql/lib/semmle/python/dataflow/new/internal/TypeTrackerSpecific.qll 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2023-06-14 20:57:14 +02:00
yoff 2ae5dae474
Apply suggestions from code review 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2023-06-14 20:55:45 +02:00
yoff f5f822ca2d
Merge pull request #13395 from yoff/python/container-summaries-3 2023-06-14 17:13:49 +02:00
Owen Mansel-Chan 3ff6d033d3
Rename to `neverSkipInPathGraph` 2023-06-14 15:29:54 +01:00
Owen Mansel-Chan ee185ae204
Python: Move hack from CastNode into flowCheckNodeSpecific 2023-06-14 14:46:39 +01:00
Owen Mansel-Chan 5f72ce0935
Add stub implementations of flowCheckNodeSpecific 2023-06-14 14:46:35 +01:00
Owen Mansel-Chan e0f7437d40
Sync dataflow library 2023-06-14 14:29:56 +01:00
Rasmus Lerchedahl Petersen 9a1e895fdc Python: missed removing these 
`set.add` and `list.append` do not return a value
 2023-06-14 14:51:21 +02:00
Jami 35591113c2
Merge branch 'main' into jcogs33/shared-sink-kind-validation 2023-06-14 08:06:34 -04:00
Michael Nebel afec9b05e9
Merge pull request #13147 from michaelnebel/csharp/entityframeworkrefactor 
C#: Use synthetic global in the EntityFramework code instead of jump steps.
 2023-06-14 13:47:56 +02:00
Rasmus Lerchedahl Petersen 3b558a0044 python: remove spurious return flow 2023-06-14 13:35:37 +02:00
yoff 38cca08a86
Apply suggestions from code review 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2023-06-14 13:27:33 +02:00
Anders Schack-Mulligen 1a4fca334f
Merge pull request #13273 from aschackmull/dataflow/summarynode-refactor 
Dataflow: Refactor FlowSummaryImpl to synthesize nodes independently from DataFlow::Node.
 2023-06-14 09:38:36 +02:00
erik-krogh 8663a8ba1c
add change-note 2023-06-14 08:31:57 +02:00
erik-krogh df61c4dd62
reintroduce the experiemental queries that use deprecated features 2023-06-14 08:31:57 +02:00
erik-krogh bfe7e62f35
update some expected outputs - some tests no longer have an edges relation - and XsltSinks lost a result 2023-06-14 08:31:57 +02:00
erik-krogh 1f8f111ef6
reintroduce DataFlowType - otherwise nothing in the old DataFlow library would compile 2023-06-14 08:31:57 +02:00
erik-krogh 6e001ec062
deprecate `SqlInjectionSink` - it's not used anywhere 2023-06-14 08:31:57 +02:00
erik-krogh e463819bc2
get `ParamSource.ql` to compile by deleting import that got deleted - I have no if this is a good change 2023-06-14 08:31:57 +02:00
erik-krogh 3a436d1f84
do a quick-and-dirty conversion of py/hardcoded-credentials to the new dataflow library 2023-06-14 08:31:56 +02:00
erik-krogh ae8bf5ed3c
delete old deprecations 2023-06-14 08:31:51 +02:00
Rasmus Lerchedahl Petersen f1de753400 python: add changenote 2023-06-13 21:59:51 +02:00
Rasmus Lerchedahl Petersen 4b4b9bf9da python: add missing summaries 
For append/add:
The new results in the experimental tar slip query
show that we do not recognize the sanitisers.
 2023-06-13 20:22:21 +02:00
Rasmus Lerchedahl Petersen b72c93ff4f python: remove remaining explicit taint steps 2023-06-13 20:22:20 +02:00
yoff 1d65284011
Merge pull request #13209 from yoff/python/container-summaries-2 
python: Container summaries, part 2
 2023-06-13 18:17:09 +02:00
Rasmus Lerchedahl Petersen 775f3eaf56 python: make copy a dataflow step 2023-06-13 17:07:41 +02:00
yoff 4056358863
Merge pull request #13438 from RasmusWL/flask-render-string 
Python: Add modeling of `flask.render_template_string`
 2023-06-13 14:56:43 +02:00
Rasmus Wriedt Larsen 2b7fc94aef
Python: Fix validTest.py expectation 2023-06-13 12:11:28 +02:00
Rasmus Lerchedahl Petersen e11f6b5107 ruby/python: adjust shared file 
- move `isNonLocal` to the top
- missing backtics
 2023-06-13 11:49:30 +02:00
Rasmus Lerchedahl Petersen 203f8226cb ruby/python: make `SummaryTypeTracker` private 2023-06-13 11:32:06 +02:00
Anders Schack-Mulligen 2d616d494e C#/Ruby: Add fields as per review comments. 2023-06-13 11:26:30 +02:00
yoff 8cae151883
Update python/ql/test/experimental/dataflow/typetracking-summaries/TestSummaries.qll 
Co-authored-by: Asger F <asgerf@github.com>
 2023-06-13 11:22:54 +02:00
Rasmus Lerchedahl Petersen b709ed47e1 python: add test 2023-06-13 11:20:15 +02:00
Jeroen Ketema c3ba206b6a
Merge pull request #13346 from jketema/inline-2 
Update inline expectation tests to use parameterized module
 2023-06-13 10:10:55 +02:00
yoff 2a5173c331
Update python/ql/lib/semmle/python/frameworks/Stdlib.qll 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2023-06-13 10:04:46 +02:00
Rasmus Wriedt Larsen 6526364045
Python: Add modeling of `flask.render_template_string` 2023-06-12 21:18:31 +02:00
Erik Krogh Kristensen 798f3880c9
Merge pull request #13402 from erik-krogh/deps-some-py 
Py: delete some old deprecations
 2023-06-12 11:29:44 +02:00
Calum Grant 0163fb8d9f
Merge pull request #13391 from github/RasmusWL/experimental-query-id 
Python: Avoid duplicated query-id
 2023-06-12 10:10:51 +01:00
Jami Cogswell 9abe3e3da4 Shared: use a module as input to 'KindValidation' 2023-06-09 14:35:37 -04:00
Anders Schack-Mulligen 5062442982 Go/Python/Ruby/Swift: Add stub. 2023-06-09 15:39:28 +02:00
Anders Schack-Mulligen 98f51d7f29 Dataflow: Sync. 2023-06-09 15:39:28 +02:00
Anders Schack-Mulligen 6020e4d0e3 C#/Go/Python/Ruby/Swift: Fix some more references. 2023-06-09 15:30:38 +02:00
Rasmus Lerchedahl Petersen 7e87a7c1f7 python: rewrite `argumentPositionMatch` 
to not use the call graph.
 2023-06-09 15:29:13 +02:00
Anders Schack-Mulligen 1e3b960c1b Python: Adjust to FlowSummaryImpl changes. 2023-06-09 15:27:17 +02:00
Anders Schack-Mulligen 2cc5bde925 Dataflow: Sync. 2023-06-09 15:27:17 +02:00
erik-krogh 42d67d0137
add change-note 2023-06-09 15:24:12 +02:00
erik-krogh 6dfeb2536b
delete old deprecations 2023-06-09 15:12:23 +02:00
Rasmus Lerchedahl Petersen b294f48dbe Merge branch 'main' of https://github.com/github/codeql into python-ruby/track-through-summaries-pm 2023-06-09 14:16:34 +02:00
Jeroen Ketema 8f599faf85
Python: Rewrite inline expectation tests to use parameterized module 2023-06-09 10:42:29 +02:00
Anders Schack-Mulligen d230509905 Dataflow: Address review comments. 2023-06-09 08:37:36 +02:00
Anders Schack-Mulligen 4399138c82 Dataflow: Fix QL4QL alert. 2023-06-09 08:37:36 +02:00
Anders Schack-Mulligen 53f2b8aab0 Dataflow: Sync. 2023-06-09 08:37:36 +02:00
Anders Schack-Mulligen fd832416d8 Dataflow: Add empty type strengthening predicate for languages without type pruning. 2023-06-09 08:37:35 +02:00
Anders Schack-Mulligen e8cea79f1d Dataflow: Sync. 2023-06-09 08:37:35 +02:00
Jami Cogswell da58b2afc8 Shared: move shared file to 'shared' folder and add parameterized module for 'getInvalidModelKind' 2023-06-08 20:05:27 -04:00
github-actions[bot] e4be303a23 Release preparation for version 2.13.4 2023-06-08 19:57:37 +00:00
yoff d59263af0e
Merge pull request #13398 from github/tausbn/python-update-syntax-error-expected-files 
Python: Update expected output for syntax error queries
 2023-06-08 10:10:42 +02:00
Tom Hvitved cee70883f0
Merge pull request #12964 from hvitved/ruby/remove-synth-returns 
Ruby: Remove canonical return nodes
 2023-06-08 10:07:48 +02:00
Taus 19e1bab102 Python: Update expected output for syntax error queries 2023-06-07 15:26:52 +00:00
Rasmus Lerchedahl Petersen 6ddf1f7eaf ruby/python: remove predicates from interface 2023-06-07 14:07:08 +02:00
Rasmus Wriedt Larsen 0c8b4251cf
Python: Avoid duplicated query-id 2023-06-07 10:07:01 +02:00
Tom Hvitved 48ac3e58ee Python: Use `CallGraphConstruction` in call graph construction 2023-06-07 09:02:03 +02:00
Tom Hvitved 4bf124bffe Ruby/Python: Add `CallGraphConstruction` module for recursive type-tracking based call graph construction 2023-06-07 09:02:03 +02:00
Taus c4bfb21f0f
Merge pull request #13371 from github/nickrolfe/python-location-tostring 
Python: avoid selecting `getLocation()`
 2023-06-06 12:05:51 +02:00
Jami Cogswell 5a23421d9a Shared: minor updates to comments 2023-06-05 13:46:56 -04:00
Jami Cogswell 9d5972acc2 Shared: update qldocs 2023-06-05 12:18:34 -04:00
Jami Cogswell 3f1dc8e5c7 Shared: add outdated Swift sink kinds 2023-06-05 12:18:34 -04:00
Jami Cogswell 62ac0dc471 Shared: add outdated sink kind msg to 'getInvalidModelKind' for all languages 2023-06-05 12:18:33 -04:00
Jami Cogswell 76f5dca861 Shared: move 'OutdatedSinkKind' to shared file and add outdated JS and C# sink kinds 2023-06-05 12:18:33 -04:00
Jami Cogswell 7b629f5d63 Shared: include 'qltest%' and 'test-%' 2023-06-05 12:18:33 -04:00
Jami Cogswell 254e447923 JS/Python/Ruby: update getInvalidModelKind 2023-06-05 12:18:33 -04:00
Jami Cogswell 7317c29eea Shared: update kind information 2023-06-05 12:18:33 -04:00
Jami Cogswell 0ab1848b70 JS/Python/Ruby: use 'SharedModelValidation' file 2023-06-05 12:18:33 -04:00
Jami Cogswell ddb5d92ef8 Shared: add source, summary, and neutral shared valid kinds 2023-06-05 12:18:33 -04:00
Jami Cogswell 869f820fcf Shared: add 'SharedModelValidation' file as experiment 2023-06-05 12:18:33 -04:00
Jami Cogswell e24e3a6115 JS/Python/Ruby: add getInvalidModelKind as experiment 2023-06-05 12:18:33 -04:00
Nick Rolfe 02395867c8 Python: avoid selecting getLocation() in py/truncated-division 2023-06-05 13:42:46 +01:00
Nick Rolfe c67a350e36 Python: avoid selecting getLocation() in py/unnecessary-delete 2023-06-05 11:16:13 +01:00
jorgectf 3e8c7f72b6 Add changenote 2023-06-02 18:20:55 +02:00
jorgectf 5608082f35 Update `py/unsafe-deserialization` name 2023-06-02 17:57:24 +02:00
Jeroen Ketema 5f64354a70
Merge pull request #13353 from jketema/expecation 
Fix typo in spelling of expectation
 2023-06-02 12:29:49 +02:00
Jeroen Ketema 7b17b92aca
Fix typo in spelling of expectation 2023-06-02 10:36:11 +02:00
Erik Krogh Kristensen 96a720cfa0
Merge pull request #13285 from erik-krogh/redoshelp 
ReDoS: fix whitespace in the samples in ReDoS.qhelp
 2023-06-01 15:53:58 +02:00
Rasmus Lerchedahl Petersen 6755bb32fb Python: do not add read steps for collections 2023-06-01 15:18:05 +02:00
Michael Nebel 06b02eb3ce Sync files. 2023-06-01 09:30:31 +02:00
Arthur Baars c211b704f3
Merge pull request #13272 from github/post-release-prep/codeql-cli-2.13.3 
Post-release preparation for codeql-cli-2.13.3
 2023-05-31 15:33:12 +02:00
Michael Nebel 2266e28583
Merge pull request #13262 from michaelnebel/flowsummary/refactorgetcomponentstack 
C#: Re-factor getComponent.
 2023-05-31 08:22:44 +02:00
Arthur Baars 490d22d123 Merge remote-tracking branch 'upstream/main' into post-release-prep/codeql-cli-2.13.3 2023-05-30 21:31:28 +02:00
Rasmus Lerchedahl Petersen 820b5f235e python: add change note 2023-05-30 13:36:10 +02:00
Rasmus Lerchedahl Petersen 2daa9577bb ruby/python: implement shared module 
ruby:
- create new shared file `SummaryTypeTracker.qll`
- move much logic into the module
- instantiate the module
- remove old logic, now provided by module

python:
- clone shared file
- instantiate module
- use (some of the) steps provided by the module
 2023-05-30 13:31:24 +02:00
Rasmus Lerchedahl Petersen 47b2d48da2 python: add tests 
- add `getACallSimple` to `SummarizedCallable`
  (by adding it to `LibraryCallable`)
 2023-05-30 13:16:04 +02:00
Rasmus Lerchedahl Petersen 9cb83fcdc9 python: add summaries for 
copy, pop, get, getitem, setdefault

Also add read steps to taint tracking.

Reading from a tainted collection can be done in two situations:
1. There is an acces path
    In this case a read step (possibly from a flow summary)
    gives rise to a taint step.
2. There is no access path
    In this case an explicit taint step (possibly via a flow
    summary) should exist.
 2023-05-26 14:04:15 +02:00
Rasmus Lerchedahl Petersen 144df9a39e python: remove explicit dataflow steps 2023-05-26 13:24:22 +02:00
Rasmus Lerchedahl Petersen 8d4f9447b1 python: remove explicit steps 
copy, pop, get, popitem
 2023-05-26 13:22:54 +02:00
Michael Nebel 915042a881 Minor cleanup and sync files. 2023-05-26 12:25:00 +02:00
Michael Nebel 811eee1f0d Python: Re-factor getComponent. 2023-05-26 12:24:59 +02:00
Asger F 75fd20b3b8 Python: add meta-query for calls to summarized callables 2023-05-26 11:40:58 +02:00
erik-krogh 9f5bf8fb22
also fix the first code-block 2023-05-25 13:56:29 +02:00
erik-krogh 765076bcba
fix whitespace in the samples in ReDoS.qhelp 2023-05-25 13:28:39 +02:00
github-actions[bot] d2e192020b Post-release preparation for codeql-cli-2.13.3 2023-05-24 11:26:12 +00:00
Tom Hvitved 1788c54bd8 Python: Avoid calling `TypeTracker::step` in call graph construction 2023-05-24 11:11:54 +02:00
Tom Hvitved deee314370 Python/Ruby: Optimize join-order in `TypeTracker::[small]step` 2023-05-24 11:11:07 +02:00
Arthur Baars e33f3a6668
Merge pull request #13154 from aibaars/sync-dbscheme-py 
JS/Ruby/QL/Python: sync dbscheme fragments
 2023-05-23 19:14:29 +02:00
Rasmus Wriedt Larsen 5c77edecf7
Merge pull request #12991 from Sim4n6/python-UBV 
[Python] Add Unicode Bypass Validation query tests and help
 2023-05-23 12:21:55 +02:00
github-actions[bot] 7aa23cf11d Release preparation for version 2.13.3 2023-05-22 20:47:00 +00:00
Arthur Baars 5e279f2898 Python: add upgrade/downgrade scripts 2023-05-22 19:37:58 +02:00
Arthur Baars ef3005ea9e Python: sync shared dbscheme fragments 2023-05-22 19:37:58 +02:00
Rasmus Wriedt Larsen c1b90c8f05
Python: Apply suggested change 2023-05-22 11:58:32 +02:00
Rasmus Wriedt Larsen a057365b7e
Python: Accept `.expected` changes 2023-05-22 11:54:50 +02:00
Rasmus Wriedt Larsen 44d806507d
Merge branch 'main' into python-UBV 2023-05-22 11:53:56 +02:00
erik-krogh 710b309142
apply suggestions from doc review 2023-05-21 22:18:48 +02:00
erik-krogh 10bf17c33e
Merge branch 'main' into polyQhelp 2023-05-21 22:17:06 +02:00
Sim4n6 be3f59afab Replaced StringMethod() with a restrained String method calls 2023-05-20 12:17:33 +01:00
Sim4n6 d939f192d5 Deleted the UBV query change note. 2023-05-20 11:46:18 +01:00
Sim4n6 21e99d52c7 Fix a redundant import 2023-05-20 10:23:04 +01:00
Sim4n6 b8969707c5 Delete the vulnerability flow image from the QHelp file. 2023-05-20 10:21:38 +01:00
Sim4n6 16ce024429
Update python/ql/src/experimental/Security/CWE-176/UnicodeBypassValidation.qhelp 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2023-05-20 10:13:23 +01:00
Sim4n6 8462b14b54
Update python/ql/src/experimental/Security/CWE-176/UnicodeBypassValidation.qhelp 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2023-05-20 10:12:55 +01:00
Sim4n6 2a8645c447 Fix 'Singleton set literal' warning 2023-05-20 10:11:26 +01:00
Sim4n6 58be109a70 Moved UnicodeBypassValidation Customizations & Query.qll to src/experimental 2023-05-20 10:08:56 +01:00
erik-krogh 480e71fd69
avoid contractions 2023-05-17 08:42:45 +02:00
Rasmus Lerchedahl Petersen 5d68473d12 python: elide nodes without location from basic 2023-05-16 14:38:51 +02:00