Commit Graph

1526 Commits

Author SHA1 Message Date
Michael B. Gale
238049a870 Add Go 1.21 builtins 2023-08-11 10:57:10 +01:00
Owen Mansel-Chan
35a300f894 Apply suggestions from code review
Co-authored-by: Michael B. Gale <mbg@github.com>
2023-08-11 10:06:14 +01:00
Owen Mansel-Chan
b7dfa2347c Put QLDoc on data flow and taint tracking modules
We preserve all old QLDocs, but move them from the
config to the Flow module. This makes more sense than
the Config module, which is often private, and is generally
not directly accessed.
2023-08-11 10:06:12 +01:00
Owen Mansel-Chan
08e1e8a120 Improve inaccurate deprecation comments 2023-08-10 15:50:08 +01:00
Owen Mansel-Chan
0928fa6e1f Give MyFlowstate a less generic name 2023-08-10 15:50:05 +01:00
Owen Mansel-Chan
089ea010d7 Improve QLDoc for Config::FlowState in StringBreak 2023-08-10 15:50:01 +01:00
Owen Mansel-Chan
81d4149a17 Note deprecation in QLDoc for LogInjection 2023-08-10 15:49:52 +01:00
Owen Mansel-Chan
8db3e4a9b4 Make IncorrectIntegerConversion use new API 2023-08-10 15:49:47 +01:00
Owen Mansel-Chan
b5ac0c94c6 Make ZipSlip use new API 2023-08-10 15:49:23 +01:00
Owen Mansel-Chan
7341b6156d Make XPathInjection use new API 2023-08-10 15:49:21 +01:00
Owen Mansel-Chan
a6177b3c92 Make UnsafeUnzipSymlink use new API 2023-08-10 15:49:20 +01:00
Owen Mansel-Chan
7db1daba6e Make TaintedPath use new API 2023-08-10 15:49:19 +01:00
Owen Mansel-Chan
6c91f77776 Make StringBreak use new API 2023-08-10 15:49:17 +01:00
Owen Mansel-Chan
30ae34352b Make StoredXss use new API 2023-08-10 15:49:16 +01:00
Owen Mansel-Chan
4334a51cf3 Make StoredCommand use new API 2023-08-10 15:49:15 +01:00
Owen Mansel-Chan
ac1670c0af Make SqlInjection use new API
The extra nodes in .expected files are due to the changes from
https://github.com/github/codeql/pull/13717, which are not applied to
configuration classes extending DataFlow::Configuration or
TaintTracking::Configuration.
2023-08-10 15:49:13 +01:00
Owen Mansel-Chan
a7382e06c2 Make ClearTextLogging use new API
The extra nodes in .expected files are due to the changes from
https://github.com/github/codeql/pull/13717, which are not applied to
configuration classes extending DataFlow::Configuration or
TaintTracking::Configuration.
2023-08-10 15:48:59 +01:00
Owen Mansel-Chan
653563fcbc Make StringsNewReplacer use new API
We don't have to keep a deprecated copy as this is private. This allows
us to delete a copy of the DataFlow library!
2023-08-10 15:48:57 +01:00
Owen Mansel-Chan
1f6cdc7eda Make OpenURLRedirect use new API
The extra nodes in .expected files are due to the changes from
https://github.com/github/codeql/pull/13717, which are not applied to
configuration classes extending DataFlow::Configuration or
TaintTracking::Configuration.

Removed nodes and edges were only there originally due to multiple
configurations being in scope. `DataFlow::PathNode` has union semantics
for configurations. Nodes are only generated if they are reachable from
a source, but this includes sources from other configurations.
2023-08-10 15:48:55 +01:00
Owen Mansel-Chan
d2a5d19439 Make SafeUrlFlow use new API 2023-08-10 15:48:54 +01:00
Owen Mansel-Chan
97c32970a0 Make RequestForgery use new API
The extra nodes in .expected files are due to the changes from
https://github.com/github/codeql/pull/13717, which are not applied to
configuration classes extending DataFlow::Configuration or
TaintTracking::Configuration.
2023-08-10 15:48:53 +01:00
Owen Mansel-Chan
1c2536321c Make ReflectedXss use new API 2023-08-10 15:48:51 +01:00
Owen Mansel-Chan
3d9f8d50bc Make InsecureRandomness use new API 2023-08-10 15:48:50 +01:00
Michael B. Gale
87c089e0a8 Make CommandInjection.qll use new API
The new `edges` and `nodes` sections in the .expected files are because
the PathGraph module was not imported in the tests before, and thus
these query predicates were not in scope.
2023-08-10 15:48:48 +01:00
Michael B. Gale
957757c271 Make UntrustedDataToUnknownExternalAPI use new API 2023-08-10 15:48:47 +01:00
Michael B. Gale
d6919dd57b Make UntrustedDataToExternalAPI use new API 2023-08-10 15:48:46 +01:00
Michael B. Gale
82a1b15d11 Make AllocationSizeOverflow use new API
The extra nodes in .expected files are due to the changes from
https://github.com/github/codeql/pull/13717, which are not applied to
configuration classes extending DataFlow::Configuration or
TaintTracking::Configuration.
2023-08-10 15:48:44 +01:00
github-actions[bot]
432c21d4fb Post-release preparation for codeql-cli-2.14.2 2023-08-09 18:45:18 +00:00
github-actions[bot]
79c90fa36a Release preparation for version 2.14.2 2023-08-07 18:08:52 +00:00
Jeroen Ketema
8b6a7985db Refactor the taint-tracking library to follow the dataflow library refactoring 2023-08-07 15:23:15 +02:00
Jeroen Ketema
5d2984b7a5 Merge branch 'main' into shared-taint-tracking 2023-08-07 15:22:29 +02:00
Tom Hvitved
56e19411d0 Go: Adjust to data flow refactor 2023-08-07 11:35:22 +02:00
Jeroen Ketema
747cd1745a Update all languages to use the shared taint-tracking library 2023-08-04 22:53:25 +02:00
Mathias Vorreiter Pedersen
abe3a816ce Merge pull request #13851 from MathiasVP/sink-without-states
DataFlow: Support stateless `isSink` in `StateConfigSig`s
2023-08-04 18:01:42 +02:00
Chris Smowton
8702efda1e Merge pull request #13835 from github/smowton/fix/logrus-with-context
Don't treat logrus' WithContext method as a logging function
2023-08-03 09:57:30 +01:00
Kevin Stubbings
8960453662 Add sanitizer to remove http.Error sink 2023-08-02 16:56:14 -07:00
Owen Mansel-Chan
ff5409fec7 Merge pull request #13785 from owen-mc/go/change-golangSpecificParamArgFilter
Go: Avoid using getTarget() as it may not exist
2023-08-02 15:40:40 +01:00
Mathias Vorreiter Pedersen
3007fdab5e Sync identical files. 2023-08-02 14:33:33 +02:00
Anders Schack-Mulligen
21eb78ea5e Go: Adjust to use the qlpack data-flow api. 2023-08-01 14:02:33 +02:00
Owen Mansel-Chan
dbc6868bc1 Update go/ql/lib/semmle/go/dataflow/internal/DataFlowNodes.qll
Co-authored-by: Chris Smowton <smowton@github.com>
2023-08-01 12:23:49 +01:00
Owen Mansel-Chan
0895853a23 Delete unused testing predicate 2023-07-28 17:09:53 +01:00
Owen Mansel-Chan
00d5cb737c Different approach to avoiding getTarget() 2023-07-28 17:00:36 +01:00
Owen Mansel-Chan
d2b8d836e9 Avoid using getTarget() as it may not exist
Try to also deal with the case that we are calling a function
through a variable that it has been assigned to.
2023-07-28 17:00:34 +01:00
Chris Smowton
f08879a2df Format; add change note 2023-07-28 14:16:30 +01:00
Chris Smowton
6fa2d2764d Don't treat logrus' WithContext method as a logging function
This isn't output by the default formatters (though a custom formatter could potentially output things stored in it)
2023-07-28 14:11:03 +01:00
Owen Mansel-Chan
e0cc337c71 Fix DataFlow::MergePathGraph3
Need to get the signatures correct.
2023-07-26 21:48:08 +01:00
github-actions[bot]
f91b7a9342 Post-release preparation for codeql-cli-2.14.1 2023-07-21 16:16:25 +00:00
github-actions[bot]
c936a920b0 Release preparation for version 2.14.1 2023-07-20 16:32:27 +00:00
Chris Smowton
8e63bd6c78 Correct Golang change note format 2023-07-20 16:40:18 +01:00
Owen Mansel-Chan
374f13e0dc Revert "Go: Fix missing flow through receiver for function variable" 2023-07-20 13:31:14 +01:00