8000 Python: Add Server-side Request Forgery sinks by haby0 · Pull Request #8275 · github/codeql · GitHub
[go: up one dir, main page]
Skip to content

Python: Add Server-side Request Forgery sinks #8275

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 13 commits into from
Mar 8, 2022
Merged

Python: Add Server-side Request Forgery sinks #8275

Changes from 1 commit
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
b23e28a
add Server-side Request Forgery sinks
haby0 Feb 28, 2022
be40b54
add test
haby0 Feb 28, 2022
40feb1f
Python: SPURIOUS results for httpx
RasmusWL Mar 4, 2022
56901ea
Python: Make new SSRF sink modules private
RasmusWL Mar 4, 2022
7d6d8be
Python: Fix httpx modeling
RasmusWL Mar 4, 2022
c65839b
Python: improve urllib3 modeling
RasmusWL Mar 4, 2022
02a97b0
Python: Move `urllib` and `urllib2` to be part of stdlib modeling
RasmusWL Mar 4, 2022
866e615
Python: Add PyPI links in qldocs
RasmusWL Mar 4, 2022
75bc532
Python: Avoid `toString` usage :O
RasmusWL Mar 4, 2022
d86284b
Python: Update frameworks.rst
RasmusWL Mar 4, 2022
e47f726
Python: Add change-note
RasmusWL Mar 4, 2022
f620e25
Merge branch 'main' into py/add-ssrf-sinks
RasmusWL Mar 4, 2022
7e6666b
Merge branch 'main' into py/add-ssrf-sinks
haby0 Mar 7, 2022
8000
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Python: Avoid toString usage :O
  • Loading branch information
@RasmusWL
RasmusWL committed Mar 4, 2022
commit 75bc532d10ed28d758d4b1cf5bb92f88c3848344
2 changes: 1 addition & 1 deletion python/ql/lib/semmle/python/frameworks/Libtaxii.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@ private module Libtaxii {
private class ParseCall extends HTTP::Client::Request::Range, DataFlow::CallCfgNode {
ParseCall() {
this = API::moduleImport("libtaxii").getMember("common").getMember("parse").getACall() and
this.getArgByName("allow_url").asExpr().toString() = "True"
this.getArgByName("allow_url").getALocalSource().asExpr() = any(True t)
}

override DataFlow::Node getAUrlPart() { result in [this.getArg(0), this.getArgByName("s")] }
Expand Down
0