hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-01-02 01:08:53 +01:00
Code Issues Packages Projects Releases Wiki Activity
82,643 Commits 1,673 Branches 157 Tags
alexet/avoid-path-node-java
Commit Graph

82643 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
yoff
7338eafbd4 Merge pull request #16812 from porcupineyhairs/pyloadSsl 
Python: Pycurl SSL Disabled
 2024-10-25 16:23:25 +02:00
Simon Friis Vindum
bfa6113366 Rust: Fix grammar in comment 
Co-authored-by: Paolo Tranquilli <redsun82@github.com>
 2024-10-25 16:23:04 +02:00
Jeroen Ketema
ccc2a39abc C++: Add wrong format type builtin function test 2024-10-25 16:16:13 +02:00
Simon Friis Vindum
f7a45e6650 Rust: Don't consider parameters in trait method definitions without bodies as variables 2024-10-25 15:56:58 +02:00
Paolo Tranquilli
ab1b48d687 Merge pull request #17843 from github/redsun82/reduce-log-noise 
Rust: reduce log spam and skip debug diagnostics in the DB
 2024-10-25 15:33:29 +02:00
Simon Friis Vindum
a5ce3c1570 Rust: Move trait tests for unused entities into main.rs 2024-10-25 15:15:49 +02:00
Rasmus Wriedt Larsen
1726287bf4 JS: Add e2e threat-model test 2024-10-25 15:03:44 +02:00
Rasmus Wriedt Larsen
d3ae4c930e JS: Model newer yargs command-line parsing pattern 2024-10-25 15:03:43 +02:00
Rasmus Wriedt Larsen
3448751b4c JS: Consolidate command-line argument modeling 
Such that we can reuse the existing modeling, but have it globally
applied as a threat-model as well.

I Basically just moved the modeling. One important aspect is that this
changes is that the previously query-specific `argsParseStep` is now a
globally applied taint-step. This seems reasonable, if someone applied
the argument parsing to any user-controlled string, it seems correct to
propagate that taint for _any_ query.
 2024-10-25 15:03:43 +02:00
Rasmus Wriedt Larsen
412e841d69 JS: Add environment threat-model source 2024-10-25 15:03:43 +02:00
Rasmus Wriedt Larsen
f733ac19a9 JS: Make (most) queries use ActiveThreatModelSource 
7 cases looks something like this:

```
class RemoteFlowSourceAsSource extends Source instanceof RemoteFlowSource {
  RemoteFlowSourceAsSource() { not this instanceof ClientSideRemoteFlowSource }
}
```

(some have variations like `not this.(ClientSideRemoteFlowSource).getKind().isPathOrUrl()`)

javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideUrlRedirectCustomizations.qll
javascript/ql/lib/semmle/javascript/security/dataflow/CommandInjectionCustomizations.qll
javascript/ql/lib/semmle/javascript/security/dataflow/CorsMisconfigurationForCredentialsCustomizations.qll
javascript/ql/lib/semmle/javascript/security/dataflow/RegExpInjectionCustomizations.qll
javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryCustomizations.qll
javascript/ql/lib/semmle/javascript/security/dataflow/ResourceExhaustionCustomizations.qll
javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll
 2024-10-25 15:03:42 +02:00
Rasmus Wriedt Larsen
4b1c027359 JS: Integrate RemoteFlowSource with ThreatModelSource 2024-10-25 14:52:49 +02:00
Rasmus Wriedt Larsen
dbfbd2c00a JS: Remove 'response' from default threat-models 
I didn't want to put the configuration file in
`semmle/javascript/frameworks/**/*.model.yml`, so created `ext/` as in other
languages
 2024-10-25 14:52:49 +02:00
Rasmus Wriedt Larsen
05dce8a0be JS: Add test showing default active threat-models 2024-10-25 14:50:59 +02:00
Rasmus Wriedt Larsen
17a6d54e4d JS: Setup basic support for threat-models 
Integration with RemoteFlowSource is not straightforward, so postponing
that for later

Naming in other languages:
- `SourceNode` (for QL only modeling)
- `ThreatModelFlowSource` (for active sources from QL or data-extensions)

However, since we use `LocalSourceNode` in Python, and `SourceNode` in
JS (for local source nodes), it seems a bit confusing to follow the same
naming convention as other languages, and instead I came up with new names.
 2024-10-25 14:50:59 +02:00
Tom Hvitved
c5da712d10 Merge pull request #17840 from hvitved/shared/inline-test-space 
Shared: Add missing spaces in inline test expectation output
 2024-10-25 14:23:55 +02:00
Alvaro Muñoz
fe9c908880 Bump qlpack versions 2024-10-25 14:18:20 +02:00
Paolo Tranquilli
a760b89895 Rust: small tweaks 2024-10-25 14:13:27 +02:00
Paolo Tranquilli
5230b7b041 Rust: reduce log spam and skip debug diagnostics in the DB 2024-10-25 13:47:13 +02:00
Tom Hvitved
7c4d5981dd Shared: Add missing spaces in inline test expectation output 2024-10-25 13:23:03 +02:00
Arthur Baars
f092594a52 Rust: add location definitions for format arguments 2024-10-25 12:57:08 +02:00
Arthur Baars
997a622496 Rust: also implement localReferences.ql 2024-10-25 12:57:06 +02:00
Paolo Tranquilli
45e9c2ff4d Merge pull request #17841 from github/redsun82/rust-fix-qltest-macos 
Rust: fix qltest on macOS, and add CI cross-platform testing of it
 2024-10-25 12:56:23 +02:00
Tom Hvitved
ba600b0791 Merge pull request #17829 from hvitved/rust/cfg-stage 
Rust: Collapse cached CFG logic into one stage
 2024-10-25 12:45:38 +02:00
Arthur Baars
9dc5e2fa36 Merge pull request #17791 from github/aibaars/rust-format-templates 
Rust: parse formatting templates
 2024-10-25 12:42:35 +02:00
Paolo Tranquilli
4485193f57 Rust: skip output redirection QL test on windows for now 2024-10-25 12:33:47 +02:00
Óscar San José
8f7ed21f5d Update macOS version in workflow file 2024-10-25 12:21:27 +02:00
Arthur Baars
8d4bb97b1a Rust: make VariableAccess non-abstract 2024-10-25 12:21:23 +02:00
Óscar San José
c2a644b740 Update macOS version in build workflow 2024-10-25 12:20:25 +02:00
Paolo Tranquilli
4e8b6dc038 Rust: fix qltest on macOS, and add CI cross-platform testing of it 2024-10-25 12:19:46 +02:00
Michael Nebel
0b538313fb Merge pull request #17666 from michaelnebel/csharp/net8models 
C#: Update .NET 8 models.
 2024-10-25 11:24:27 +02:00
Arthur Baars
a08b4b7372 Rust: allow VariableAccess elements to have another primary QL class 2024-10-25 11:02:55 +02:00
Arthur Baars
a6e69eb147 Revert "Rust: avoid classes with multiple getAPrimaryQLClass result" 
This reverts commit 110d2ea775.
 2024-10-25 10:59:31 +02:00
Simon Friis Vindum
334602a50a Rust: Handle calls that might read/write variables through closures 
This implementation is copied and adapted from the Ruby SSA
implementation.
 2024-10-25 10:50:32 +02:00
Simon Friis Vindum
75103f4b26 Merge branch 'main' into rust-saa-additions 2024-10-25 10:43:59 +02:00
Alvaro Muñoz
e6e1704021 Update tests 2024-10-25 10:26:51 +02:00
Alvaro Muñoz
922ae57aba Fix LabelIf ControlCheck so that it recognizes checks not at the beginning of the expression 2024-10-25 10:26:47 +02:00
Alvaro Muñoz
d8f79818d6 Improve extraction of Output/Env assignments 2024-10-25 10:25:47 +02:00
Alvaro Muñoz
6802cd2398 Improve checkout trigger events checks 2024-10-25 10:25:18 +02:00
Paolo Tranquilli
af3be84005 Rust: add codeql analysis workflow 2024-10-25 10:05:28 +02:00
Kylie Stradley
40ec9d623d update existing tests to accomdate for trips from octokit2 example added to support unversioned immutable action ql 2024-10-24 16:55:44 -04:00
Kylie Stradley
030c08e5ae update expected from example originating from main branch merge 2024-10-24 16:54:27 -04:00
Kylie Stradley
f716222801 remove octokit from trusted orgs for now - reduce PR scope 2024-10-24 16:27:53 -04:00
Kylie Stradley
f8be8e768f Merge branch 'master' into immutable-actions 2024-10-24 15:25:31 -04:00
Óscar San José
a467923e9b Remove macos-12 and its variants, deprecated 2024-10-24 18:57:58 +02:00
Paolo Tranquilli
55d092fd3e Merge pull request #17835 from github/redsun82/rust-qltest 
Rust: move `qltest` to rust code, add `options` with cargo check
 2024-10-24 18:29:17 +02:00
Paolo Tranquilli
41d0085918 Rust: address review 2024-10-24 17:54:18 +02:00
Paolo Tranquilli
c79f8180f3 Rust: move down options in query-tests 2024-10-24 17:14:48 +02:00
Arthur Baars
bd19661b60 Address comments 2024-10-24 16:40:19 +02:00
Chris Smowton
4e879e64fc Trim JSP test 
This was only ever testing that Java files relating to the JSPs in question appear in the database, so there's no need for a particularly wide selection.
 2024-10-24 14:19:16 +01:00