Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Python: add models for stdlib #15306

Draft
wants to merge 43 commits into
base: main
Choose a base branch
from
Draft

Python: add models for stdlib #15306

wants to merge 43 commits into from

Conversation

yoff
Copy link
Contributor

@yoff yoff commented Jan 12, 2024

  • urllib.parse.urljoin
  • fnmatch.filter
  • optparse.parse_args

This brings the number of results for py/shell-command-constructed-from-input on a database for tanghaibao/jvci extracted without the standard lib up from 5978 to 17055. With the standard library, we get 17062 results.

@yoff yoff added the no-change-note-required This PR does not need a change note label Jan 12, 2024
github-advanced-security[bot]
github-advanced-security bot found potential problems Feb 2, 2024
View reviewed changes
python/ql/src/meta/StdLib/FindUses.ql Fixed Show fixed Hide fixed
python/ql/src/meta/StdLib/FindUses.ql Fixed Show fixed Hide fixed
python/ql/src/meta/StdLib/FindUses.ql Fixed Show fixed Hide fixed
@yoff yoff force-pushed the python/add-stdlib-models branch from fe7523b to e4c22da Compare February 22, 2024 08:21
@yoff yoff force-pushed the python/add-stdlib-models branch from 97e8085 to 28312bd Compare March 20, 2024 19:39
yoff added 23 commits April 9, 2024 21:28
@yoff
Python: add models for stdlib
0072941 
- `urllib.parse.urljoin`
- `fnmatch.filter`
- `optparse.parse_args`

This brings the number of results for `py/shell-command-constructed-from-input`
on a database for `tanghaibao/jvci` extracted without the standard lib
up from 5978 to 17055. With the standard library, we get 17062 results.
@yoff
Python: small refactor
e8ba502 
looks nicer and allows easy evaluation of summaryLocalStep contribution
@yoff
Python: add flow to re.compile
a5ab628
@yoff
Python: convenience for running on dbs with stdlib
74f330f 
this should be removed in final version
@yoff
Python: script to find stdlib uses
a5dcd79 
does not recognize flow summary models yet
@yoff
python: use generated query
c31c0cb
@yoff
python: Start modelling using MaD
d8952e1
@yoff
python: Improve query and add new modelling
6afe275
@yoff
Python: tweak script and use new models
4e68967 
- elide any `Member[__init__]`
@yoff
python: more robust query, more summaries
9f25e39 
- summaries need to be vetted, all generated
@yoff
python: refactor script
3d1e7c7 
Also attempt more modelling, but it seems to not have the intended effect.
I should test the summary syntax for this.
@yoff
python: more robust query
4b91823
@yoff
python: more tests
aaa2aa6
@yoff
python: adapt some models by hand
14ffa6c
@yoff
python: attempt to improve query
1e286c1
@yoff
python: improve FindUses.ql
b12bc20 
- add hardcoded credentials query
- better function names
- better funtion paths
@yoff
python: split up file
7378528 
for easy debug, do not import all path-graphs
import just the one(s) of interest instead
@yoff
python: bit more models
b6c2de4 
and sort the lines
@yoff
python: add handy query predicate
a6e87c0 
it does not get evaluated by MRVA
@yoff
python: improve query
f104192 
- better argument path: collate positional and keyword arguments
- better resturn path: method calls go to `ReturnValue` rather than `Argument[self:]`
@yoff
python: comment out query predicate
237f19c 
it feels like it may get evaluated, just not reported, by MRVA
@yoff
python: use updated models
8a1fd7a
@yoff
python: properly detect writing to self
2c42b78
yoff added 6 commits April 9, 2024 21:28
@yoff yoff force-pushed the python/add-stdlib-models branch from 35e5844 to ad4359e Compare April 9, 2024 19:31
yoff added 14 commits April 10, 2024 22:04
@yoff
python: improved script and new models
0340529 
recpgnise flow from `*args` and `**kwargs`
@yoff
python: do not extract stdlib by default
b7ac6fc
@yoff
python: improve generator and update models
335a02a
@yoff
Python: Model that asyncio.log.logger is a logging.Logger
b03fa93 
recover 3 alerts for `py/log-injection` on `zenml-io/zenml`
@yoff
python: logger detection improvements
15c124f 
- add `self` as class instantiation
@yoff
python: logger detection improvements
b789948 
- understand `logging.getLoggerClass`
@yoff
Merge branch 'main' of https://github.com/github/codeql into python/a…
dc2a7a6 
…dd-stdlib-models
@yoff
Python: models for command injection and cleartext logging
5c3e8f5
@yoff
Python: models for path injection
c80de96
@yoff
python: more path-injection modeling
ca51eed
@yoff
Merge branch 'main' of https://github.com/github/codeql into python/a…
cc77fb1 
…dd-stdlib-models
@yoff
PythonÆ add comments
b0f7235
@yoff
python: do copy.copy/deepcopy as dataflow
64ae950 
this preserves content
@yoff
Merge branch 'main' of https://github.com/github/codeql into python/a…
2a77a49 
…dd-stdlib-models
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Awaiting requested review from Copilot Copilot will automatically review once the pull request is marked ready for review

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
no-change-note-required This PR does not need a change note Python
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@yoff