Python: Add support for threat models #17203

Merged
merged 23 commits into from
Sep 26, 2024

Commits on Aug 19, 2024

  1. Python: Setup support for threat-models

    Naming in other languages:
    - `SourceNode` (for QL only modeling)
    - `ThreatModelFlowSource` (for active sources from QL or data-extensions)
    
    However, since we use `LocalSourceNode` in Python, and `SourceNode` in
    JS (for local source nodes), it seems a bit confusing to follow the same
    naming convention as other languages, and instead I came up with new names.
    RasmusWL committed Aug 19, 2024
    5ec8e5d
  2. ThreatModels: Expose knownThreatModel

    Without, it's impossible to write a test showing what threat-models are
    active by default... unless I provide a hardcoded list in the test
    itself, which is not any fun.
    RasmusWL committed Aug 19, 2024
    766dcc4
  3. 617ab27
  4. Python: Remove 'response' from default threat-models

    I didn't want to put the configuration file in
    `semmle/python/frameworks/**/*.model.yml`, so created `ext/` as in other
    languages
    RasmusWL committed Aug 19, 2024
    8f7dec0

Commits on Sep 10, 2024

  1. 528f08f
  2. b9239d7
  3. Python: Fixup threat-models for os.environ.get()

    Since using `.DictionaryElementAny` doesn't actually do a store on the
    source, (so we can later follow any dict read-steps).
    
    I added the ensure_tainted steps to highlight that the result of the
    WHOLE expression ends up "tainted", and that we don't just mark
    `os.environ` as the source without further flow.
    RasmusWL committed Sep 10, 2024
    56c85ff
  4. e1801f3
  5. 66f389a
  6. d245db5
  7. 7483075
  8. 8d8cd05
  9. a0b24d6
  10. Python: Add change-note

    RasmusWL committed Sep 10, 2024
    0ccb5b1
  11. 7d3793e
  12. 333367c
  13. cbebf7b
  14. 5ff7b65
  15. e35c2b2
  16. Docs: Fix link

    RasmusWL committed Sep 10, 2024
    e11bfc2

Commits on Sep 23, 2024

  1. 4a21a85
  2. 535db98

Commits on Sep 26, 2024

  1. 431a1af