Python: stdlib models qa #16843
Draft: yoff wants to merge 17 commits into github:main from yoff:python/stdlib-models-QA
Commits on Jun 25, 2024
- python: Start modelling using MaD (df406b4)
  - empty models for now
  - `summaryModel` of `codeql/python-all` will be added to shortly.
- python: add modelling for `urllib.parse` (281ac05)
  - `quote` together with `re.compile` recover regex injection alerts on haiwen/seahub
  - `quote_plus` recovers the URL redirection alert on DemocracyClub/EveryElection
  - `unquote` recovers path injection alerts on `cloudera/hue`
  - it was tedious finding justifications for the rest..
- python: move model to `Stdlib.yml` (c004ffa)

  There is already a model there so we add to that one. We did observe that this existing model was blocked by the external MaD model. This is concerning and needs to be cleared up.
- Commit d410136
- Commit 1e97600
- Commit b80a711
- Commit 2118f23
- Commit 501cda4
- Commit bc55117
- Commit bdc4808

  Two of the generated summaries have been excluded:

  - ["re", "Member[split]", "Argument[0,pattern:]", "ReturnValue", "taint"]

    From the documentation, it is not clear why pattern should figure in the return value, as that is the part denoting split point and thus all those instances are filtered out.

    From the implementation:
    Split function: https://github.com/python/cpython/blob/3.12/Lib/re/__init__.py#L199
    _compile function being called by split: https://github.com/python/cpython/blob/3.12/Lib/re/__init__.py#L280

    We see that in case the pattern is already a compiled `Pattern`, it is returned directly from _compile and could thus be part of the return value from split. This is probably not possible to arrange for an attacker, and so an FP in practice.

  - ["urllib2", "Member[unquote]", "Argument[0,string:]", "ReturnValue", "taint"]

    urllib2 seems to be only in Python2 (e.g. https://docs.python.org/2.7/library/urllib2.html) and I cannot locate the function unquote.
- Commit eb32cbe
- Commit 571be8b
Commits on Jun 26, 2024
- Commit b261145
- Commit a3076f4
- Commit 25e6898
Commits on Jun 27, 2024
- Commit 8fabcc6
- Commit 5667e83
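
Why a taint summary for `unquote` matters to the path injection query mentioned in the `urllib.parse` commit, as an added example that is not code from the pull request or from any of the projects named in it. `BASE_DIR`, both function names and the sample inputs are constructed for illustration.

```python
import posixpath
from urllib.parse import unquote

# Constructed base directory; posixpath keeps the result platform-independent.
BASE_DIR = "/srv/app/static"


def resolve_unsafe(raw: str) -> str:
    """Checks the still-encoded value, then decodes it.

    The '..' test runs before unquote(), so percent-encoded dots pass it.
    The value returned by unquote() is still attacker-controlled, which is
    the flow a taint summary (Argument[0] -> ReturnValue) lets the analysis
    follow into the file-system sink.
    """
    if ".." in raw:
        raise ValueError("traversal rejected")
    return posixpath.normpath(posixpath.join(BASE_DIR, unquote(raw)))


def resolve_safe(raw: str) -> str:
    """Decodes first, normalizes, then enforces containment in BASE_DIR."""
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, unquote(raw)))
    if posixpath.commonpath([BASE_DIR, candidate]) != BASE_DIR:
        raise ValueError("path escapes base directory")
    return candidate


def escapes_base(path: str) -> bool:
    """True when a resolved path lies outside BASE_DIR."""
    return posixpath.commonpath([BASE_DIR, path]) != BASE_DIR


if __name__ == "__main__":
    encoded = "%2e%2e/%2e%2e/etc/passwd"  # constructed sample input
    print("unsafe resolver:", resolve_unsafe(encoded))
    try:
        resolve_safe(encoded)
    except ValueError as exc:
        print("safe resolver:", exc)
    print("benign:", resolve_safe("css/site%20v2.css"))
```

Without a summary for `unquote`, the analysis loses track of the value at the decode step and the sink in `resolve_unsafe` goes unreported.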