mirror of
https://github.com/github/codeql.git
synced 2025-12-16 16:53:25 +01:00
Merge pull request #20373 from github/aibaars/drop-nbsp
Remove non-breaking spaces from code
This commit is contained in:
Arthur Baars
2
.github/workflows/query-list.yml
vendored
2
.github/workflows/query-list.yml
vendored
@@ -31,7 +31,7 @@ jobs:
|
||||
with:
|
||||
python-version: 3.8
|
||||
- name: Download CodeQL CLI
|
||||
# Look under the `codeql` directory, as this is where we checked out the `github/codeql` repo
|
||||
# Look under the `codeql` directory, as this is where we checked out the `github/codeql` repo
|
||||
uses: ./codeql/.github/actions/fetch-codeql
|
||||
- name: Build code scanning query list
|
||||
run: |
|
||||
|
||||
@@ -32,7 +32,7 @@ jobs:
|
||||
|
||||
- uses: actions/setup-node@v1
|
||||
- run: |
|
||||
npm install # scripts in package.json from PR would be executed here
|
||||
npm install # scripts in package.json from PR would be executed here
|
||||
npm build
|
||||
|
||||
- uses: completely/fakeaction@v2
|
||||
|
||||
@@ -32,7 +32,7 @@ jobs:
|
||||
|
||||
- uses: actions/setup-node@v1
|
||||
- run: |
|
||||
npm install # scripts in package.json from PR would be executed here
|
||||
npm install # scripts in package.json from PR would be executed here
|
||||
npm build
|
||||
|
||||
- uses: completely/fakeaction@v2
|
||||
|
||||
@@ -32,7 +32,7 @@ jobs:
|
||||
|
||||
- uses: actions/setup-node@v1
|
||||
- run: |
|
||||
npm install # scripts in package.json from PR would be executed here
|
||||
npm install # scripts in package.json from PR would be executed here
|
||||
npm build
|
||||
|
||||
- uses: completely/fakeaction@v2
|
||||
|
||||
@@ -625,7 +625,7 @@ Then the evaluation of the ``depth`` predicate proceeds as follows:
|
||||
+-----------+--------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|
||||
| **Stage** | **depth** | **Comments** |
|
||||
+===========+============================================+==========================================================================================================================================================================+
|
||||
| 0 | | We always begin with the empty set. |
|
||||
| 0 | | We always begin with the empty set. |
|
||||
+-----------+--------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|
||||
| 1 | ``(0, b), (0, d), (0, e)`` | The nodes with no children have depth 0. The recursive step for **a** and **c** fails to produce a value, since some of their children do not have values for ``depth``. |
|
||||
+-----------+--------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|
||||
|
||||
@@ -1,2 +1,2 @@
|
||||
lgtm,codescanning
|
||||
* The extractor now only extracts go.mod files belonging to extracted packages. In particular, vendored go.mod files will no longer be extracted unless the vendored package is explicitly passed to the extractor. This will remove unexpected `GoModExpr` and similar expressions seen by queries.
|
||||
* The extractor now only extracts go.mod files belonging to extracted packages. In particular, vendored go.mod files will no longer be extracted unless the vendored package is explicitly passed to the extractor. This will remove unexpected `GoModExpr` and similar expressions seen by queries.
|
||||
|
||||
@@ -28,7 +28,7 @@ class Architecture extends string {
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets the integer and pointer type width for this architecture.
|
||||
* Gets the integer and pointer type width for this architecture.
|
||||
*
|
||||
* As of the time of writing, this appears to always be identical -- there aren't
|
||||
* Go architectures with 64-bit pointers but 32-bit ints, for example.
|
||||
|
||||
@@ -994,7 +994,7 @@ module Public {
|
||||
class ComponentReadNode extends ReadNode {
|
||||
override IR::ComponentReadInstruction insn;
|
||||
|
||||
/** Gets the data-flow node representing the base from which the field or element is read. */
|
||||
/** Gets the data-flow node representing the base from which the field or element is read. */
|
||||
Node getBase() { result = DataFlow::instructionNode(insn.getBase()) }
|
||||
}
|
||||
|
||||
|
||||
@@ -109,7 +109,7 @@ module Beego {
|
||||
|
||||
override string getAContentType() {
|
||||
// Super-method provides content-types for `Body`, which requires us to search
|
||||
// for `ContentType` and `Header` calls against the same `BeegoOutput` instance
|
||||
// for `ContentType` and `Header` calls against the same `BeegoOutput` instance
|
||||
result = super.getAContentType()
|
||||
or
|
||||
// Specifically describe methods that set the content-type and body in one operation:
|
||||
|
||||
@@ -22,7 +22,7 @@ the returned pointer.</p>
|
||||
|
||||
<sample src="MissingErrorCheck.go" />
|
||||
|
||||
<p>The corrected version of <code>user</code> checks <code>err</code> before using <code>ptr</code>.</p>
|
||||
<p>The corrected version of <code>user</code> checks <code>err</code> before using <code>ptr</code>.</p>
|
||||
|
||||
<sample src="MissingErrorCheckGood.go" />
|
||||
|
||||
|
||||
@@ -22,7 +22,7 @@ predicate isNil(DataFlow::Node node) { node = Builtin::nil().getARead() }
|
||||
/**
|
||||
* Matches if `call` may return a nil pointer alongside an error value.
|
||||
*
|
||||
* This is both an over- and under-estimate: over in that we assume opaque functions may use this
|
||||
* This is both an over- and under-estimate: over in that we assume opaque functions may use this
|
||||
* convention, and under in that functions with bodies are only recognized if they use a literal
|
||||
* `nil` for the pointer return value at some return site.
|
||||
*/
|
||||
|
||||
@@ -211,7 +211,7 @@ module TlsInsecureCipherSuitesFlow = TaintTracking::Global<TlsInsecureCipherSuit
|
||||
|
||||
/**
|
||||
* Holds if an insecure TLS cipher suite flows from `source` to `sink`, where `sink`
|
||||
* is written to the CipherSuites list of a `tls.Config` instance. `message` describes
|
||||
* is written to the CipherSuites list of a `tls.Config` instance. `message` describes
|
||||
* the exact problem found.
|
||||
*/
|
||||
predicate isInsecureTlsCipherFlow(
|
||||
|
||||
@@ -297,7 +297,7 @@ func testUtilsPropagators(c *beego.Controller) {
|
||||
c.CustomAbort(500, utils.SlicePad(untainted, 10, genericFiles[0])[0].(*multipart.FileHeader).Filename)
|
||||
c.CustomAbort(500, utils.SlicePad(genericFiles, 10, untainted[0])[0].(*multipart.FileHeader).Filename)
|
||||
c.CustomAbort(500, utils.SliceRand(genericFiles).(*multipart.FileHeader).Filename)
|
||||
// Note this is misnamed -- it's a map operation, not a reduce
|
||||
// Note this is misnamed -- it's a map operation, not a reduce
|
||||
c.CustomAbort(500, utils.SliceReduce(genericFiles, func(x interface{}) interface{} { return x })[0].(*multipart.FileHeader).Filename)
|
||||
c.CustomAbort(500, utils.SliceShuffle(genericFiles)[0].(*multipart.FileHeader).Filename)
|
||||
c.CustomAbort(500, utils.SliceUnique(genericFiles)[0].(*multipart.FileHeader).Filename)
|
||||
|
||||
@@ -26,19 +26,19 @@ type MyRoute struct {
|
||||
// Implement some request handlers on that Controller exhibiting some common problems:
|
||||
|
||||
func (c MyRoute) Handler1() revel.Result {
|
||||
// GOOD: the Render function is likely to properly escape the user-controlled parameter.
|
||||
// GOOD: the Render function is likely to properly escape the user-controlled parameter.
|
||||
return c.Render("someviewparam", c.Params.Form.Get("someField"))
|
||||
}
|
||||
|
||||
func (c MyRoute) Handler2() revel.Result {
|
||||
// BAD: the RenderBinary function copies an `io.Reader` to the user's browser.
|
||||
// BAD: the RenderBinary function copies an `io.Reader` to the user's browser.
|
||||
buf := &bytes.Buffer{}
|
||||
buf.WriteString(c.Params.Form.Get("someField"))
|
||||
return c.RenderBinary(buf, "index.html", revel.Inline, time.Now()) // $ responsebody='buf'
|
||||
}
|
||||
|
||||
func (c MyRoute) Handler3() revel.Result {
|
||||
// GOOD: the RenderBinary function copies an `io.Reader` to the user's browser, but the filename
|
||||
// GOOD: the RenderBinary function copies an `io.Reader` to the user's browser, but the filename
|
||||
// means it will be given a safe content-type.
|
||||
buf := &bytes.Buffer{}
|
||||
buf.WriteString(c.Params.Form.Get("someField"))
|
||||
|
||||
@@ -178,7 +178,7 @@ added by extending ``Dataflow::SourceNode::Range``. Some of its subclasses can s
|
||||
extended. For example, ``DataFlow::ModuleImportNode`` models module imports, and ``DataFlow::ClassNode`` models
|
||||
class definitions. The former provides default implementations covering CommonJS, AMD, and ECMAScript
|
||||
2015 modules, while the latter handles ECMAScript 2015 classes, as well as traditional function-based
|
||||
classes. You can extend their corresponding ``::Range`` classes to add support for other module or
|
||||
classes. You can extend their corresponding ``::Range`` classes to add support for other module or
|
||||
class systems.
|
||||
|
||||
Type inference
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
const axios = require('axios');
|
||||
|
||||
export const handler = async (req, res, next) => {
|
||||
const { target } = req.body;
|
||||
const { target } = req.body;
|
||||
|
||||
try {
|
||||
// BAD: `target` is controlled by the attacker
|
||||
|
||||
@@ -2,7 +2,7 @@ const axios = require('axios');
|
||||
const validator = require('validator');
|
||||
|
||||
export const handler = async (req, res, next) => {
|
||||
const { target } = req.body;
|
||||
const { target } = req.body;
|
||||
|
||||
if (!validator.isAlphanumeric(target)) {
|
||||
return next(new Error('Bad request'));
|
||||
|
||||
@@ -1,9 +1,9 @@
|
||||
type Mapped<MK extends string = ''> = {
|
||||
[mk in MK]: string
|
||||
[mk in MK]: string
|
||||
};
|
||||
|
||||
export function fn(ev: Mapped) {
|
||||
const props: Mapped = {
|
||||
...ev
|
||||
};
|
||||
const props: Mapped = {
|
||||
...ev
|
||||
};
|
||||
}
|
||||
|
||||
@@ -1,9 +1,9 @@
|
||||
type Mapped<MK extends string = ';'> = {
|
||||
[mk in MK]: string
|
||||
[mk in MK]: string
|
||||
};
|
||||
|
||||
export function fn(ev: Mapped) {
|
||||
const props: Mapped = {
|
||||
...ev
|
||||
};
|
||||
const props: Mapped = {
|
||||
...ev
|
||||
};
|
||||
}
|
||||
|
||||
@@ -159,7 +159,7 @@ class Package(SharedAsset):
|
||||
|
||||
def containsDirectory(self, dir):
|
||||
return self.path.parent.parts == dir.parts[:len(self.path.parent.parts)]
|
||||
# dir.startsWith(self.path.parent)
|
||||
# dir.startsWith(self.path.parent)
|
||||
|
||||
# Constructs a list of transitive depedencies of this package.
|
||||
def calculateDependencies(self, packageNameMap):
|
||||
|
||||
@@ -174,7 +174,7 @@
|
||||
{ let @unaryop.node = (ast-node @unaryop "UnaryOp") }
|
||||
|
||||
(exec_statement) @exec
|
||||
{ let @exec.node = (ast-node @exec "Exec") }
|
||||
{ let @exec.node = (ast-node @exec "Exec") }
|
||||
|
||||
(print_statement) @print
|
||||
{ let @print.node = (ast-node @print "Print") }
|
||||
@@ -3040,7 +3040,7 @@
|
||||
if some @is_kwarg {
|
||||
attr (@lambda.function -> @name.node) kwonlyargs = (named-child-index @param)
|
||||
}
|
||||
else {
|
||||
else {
|
||||
attr (@lambda.function -> @name.node) args = (named-child-index @param)
|
||||
}
|
||||
|
||||
@@ -3153,7 +3153,7 @@
|
||||
if some @is_kwarg {
|
||||
attr (@funcdef.function -> @name.node) kwonlyargs = (named-child-index @param)
|
||||
}
|
||||
else {
|
||||
else {
|
||||
attr (@funcdef.function -> @name.node) args = (named-child-index @param)
|
||||
}
|
||||
|
||||
@@ -3284,7 +3284,7 @@
|
||||
attr (@last.node) func = @exp.node
|
||||
edge @last.node -> @funcdef.funcexpr
|
||||
attr (@last.node -> @funcdef.funcexpr) positional_args = 0
|
||||
attr (@last.node) _location_end = (location-end @exp)
|
||||
attr (@last.node) _location_end = (location-end @exp)
|
||||
}
|
||||
|
||||
(decorated_definition
|
||||
@@ -3296,7 +3296,7 @@
|
||||
attr (@last.node) func = @exp.node
|
||||
edge @last.node -> @class.class_expr
|
||||
attr (@last.node -> @class.class_expr) positional_args = 0
|
||||
attr (@last.node) _location_end = (location-end @exp)
|
||||
attr (@last.node) _location_end = (location-end @exp)
|
||||
}
|
||||
|
||||
;;; Type parameters
|
||||
|
||||
@@ -1 +1 @@
|
||||
known_attr = [1000] #$ writes=known_attr
|
||||
known_attr = [1000] #$ writes=known_attr
|
||||
|
||||
@@ -35,7 +35,7 @@ def set_foo(some_class_instance): # $ tracked=foo
|
||||
some_class_instance.foo = tracked # $ tracked=foo tracked
|
||||
|
||||
def test_set_x():
|
||||
x = SomeClass() # $ MISSING: tracked=foo
|
||||
x = SomeClass() # $ MISSING: tracked=foo
|
||||
set_foo(x) # $ MISSING: tracked=foo
|
||||
print(x.foo) # $ MISSING: tracked=foo tracked
|
||||
|
||||
@@ -51,7 +51,7 @@ def test_create_with_foo():
|
||||
|
||||
def test_global_attribute_assignment():
|
||||
global global_var
|
||||
global_var.foo = tracked # $ tracked tracked=foo
|
||||
global_var.foo = tracked # $ tracked tracked=foo
|
||||
|
||||
def test_global_attribute_read():
|
||||
x = global_var.foo # $ tracked tracked=foo
|
||||
@@ -61,7 +61,7 @@ def test_local_attribute_assignment():
|
||||
# In this case, we don't want flow going to the `ModuleVariableNode` for `local_var`
|
||||
# (which is referenced in `test_local_attribute_read`).
|
||||
local_var = object() # $ tracked=foo
|
||||
local_var.foo = tracked # $ tracked tracked=foo
|
||||
local_var.foo = tracked # $ tracked tracked=foo
|
||||
|
||||
def test_local_attribute_read():
|
||||
x = local_var.foo
|
||||
@@ -129,7 +129,7 @@ def dunder_dict_indirect_write():
|
||||
x = SomeClass() # $ MISSING: tracked=foo
|
||||
x.__dict__[attr] = tracked # $tracked MISSING: tracked=foo
|
||||
y = x.foo # $ MISSING: tracked tracked=foo
|
||||
do_stuff(y) # $ MISSING: tracked
|
||||
do_stuff(y) # $ MISSING: tracked
|
||||
|
||||
def dunder_dict_indirect_read():
|
||||
attr = "foo"
|
||||
@@ -153,7 +153,7 @@ class MyClass2(object):
|
||||
def print_foo(self): # $ MISSING: tracked=foo
|
||||
print(self.foo) # $ MISSING: tracked=foo tracked
|
||||
|
||||
def possibly_uncalled_method(self): # $ MISSING: tracked=foo
|
||||
def possibly_uncalled_method(self): # $ MISSING: tracked=foo
|
||||
print(self.foo) # $ MISSING: tracked=foo tracked
|
||||
|
||||
instance = MyClass2()
|
||||
@@ -170,7 +170,7 @@ class MyClass3(object):
|
||||
def print_foo(self): # $ tracked=foo
|
||||
print(self.foo) # $ tracked=foo tracked
|
||||
|
||||
def possibly_uncalled_method(self): # $ MISSING: tracked=foo
|
||||
def possibly_uncalled_method(self): # $ MISSING: tracked=foo
|
||||
print(self.foo) # $ MISSING: tracked=foo tracked
|
||||
|
||||
instance = MyClass3() # $ tracked=foo
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
def generate_password()
|
||||
chars = ('a'..'z').to_a + ('A'..'Z').to_a + ('0'..'9').to_a + ['!', '@', '#', '$', '%']
|
||||
# BAD: rand is not cryptographically secure
|
||||
# BAD: rand is not cryptographically secure
|
||||
password = (1..10).collect { chars[rand(chars.size)] }.join
|
||||
end
|
||||
|
||||
|
||||
@@ -2,7 +2,7 @@ require 'securerandom'
|
||||
|
||||
def generate_password_1(length)
|
||||
chars = ('a'..'z').to_a + ('A'..'Z').to_a + ('0'..'9').to_a + ['!', '@', '#', '$', '%']
|
||||
# BAD: rand is not cryptographically secure
|
||||
# BAD: rand is not cryptographically secure
|
||||
password = (1..length).collect { chars[rand(chars.size)] }.join
|
||||
end
|
||||
|
||||
|
||||
@@ -46,7 +46,7 @@ class UserController < ActionController::Base
|
||||
def create4
|
||||
x = params[:user]
|
||||
x.permit!
|
||||
User.new(x) # BAD
|
||||
User.new(x) # BAD
|
||||
User.new(x.permit(:name,:address)) # GOOD
|
||||
User.new(params.permit(user: {})) # BAD
|
||||
User.new(params.permit(user: [:name, :address, {friends:{}}])) # BAD
|
||||
|
||||
Reference in New Issue
Block a user