hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-01-15 07:24:49 +01:00
Code Issues Packages Projects Releases Wiki Activity
82,643 Commits 1,681 Branches 158 Tags
alexet/avoid-path-node-java
Commit Graph

82643 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Tamás Vajk
456c649c7d Merge pull request #16895 from tamasvajk/feature/fix-glob-pattern-processing 
C#: Fix glob pattern processing: allow `**/` to match empty string
 2024-07-04 10:46:36 +02:00
Ian Lynagh
95a418aa14 JS: Remove call to shouldExtract 
It always returns true nowadays.
 2024-07-04 09:42:07 +01:00
Mathias Vorreiter Pedersen
8e18e7d4e6 Merge pull request #16791 from MathiasVP/collection-content-2 
C++: Add support for `Element` content
 2024-07-04 08:52:33 +01:00
Tom Hvitved
da0909c080 Merge pull request #16896 from hvitved/ssa/dataflow-integration-prep 
SSA: Add `BasicBlock.{getNode/1,length/0}` to the input signature
 2024-07-03 19:56:35 +02:00
Mathias Vorreiter Pedersen
356d928544 C++: Accept test changes. 2024-07-03 18:16:20 +01:00
Mathias Vorreiter Pedersen
af28dd8eb4 C++: Add bsl models for 'array::front' and 'array::back'. 2024-07-03 18:14:10 +01:00
Mathias Vorreiter Pedersen
f9d6c63cbb C++: Add more 'Argument[-1]' to 'ReturnValue' flow. 2024-07-03 17:27:22 +01:00
Mathias Vorreiter Pedersen
246f3fd3e2 C++: Fix 'emplace_after' model in bsl. 2024-07-03 17:21:10 +01:00
Ian Lynagh
ea16f72c6f Java: Add changenote for dropping $SEMMLE_DIST support 2024-07-03 17:12:04 +01:00
Ian Lynagh
3260966e3b Kotlin: Remove unused SEMMLE_DIST 2024-07-03 17:10:41 +01:00
Mathias Vorreiter Pedersen
5351c2734f C++: Fix 'assign' models. 2024-07-03 17:01:43 +01:00
Mathias Vorreiter Pedersen
6d05324724 C++: Make sure the 'emplace' functions that return iterators are modeled via Element content. 2024-07-03 16:47:18 +01:00
Mathias Vorreiter Pedersen
e03f8084e6 C++: Fix yml file name. 2024-07-03 16:04:14 +01:00
Mathias Vorreiter Pedersen
c4dabb94d6 C++: Add models for 'array::front' and 'array::back'. 2024-07-03 16:03:25 +01:00
Porcupiney Hairs
808af28618 Python : Arbitrary codde execution due to Js2Py 
Js2Py is a Javascript to Python translation library written in Python. It allows users to invoke JavaScript code directly from Python.
The Js2Py interpreter by default exposes the entire standard library to it's users. This can lead to security issues if a malicious input were directly.

This PR includes a CodeQL query along with a qhelp and testcases to detect cases where an untrusted input flows to an Js2Py eval call.

This query successfully detects CVE-2023-0297 in `pyload/pyload`along with it's fix.
The databases can be downloaded from the links bellow.
```
https://file.io/qrMEjSJJoTq1
https://filetransfer.io/data-package/a02eab7V#link
```
 2024-07-03 19:06:34 +05:30
Taus
b779341ba6 Merge pull request #16885 from github/tausbn/python-fix-bad-join-in-function-resolution-type-tracker 
Python: Fix bad join in function resolution
 2024-07-03 13:59:13 +02:00
Tamas Vajk
6a036f4e84 Improve code quality 2024-07-03 12:45:47 +02:00
Alvaro Muñoz
69db192378 Bump qlpack versions 2024-07-03 12:40:48 +02:00
Mathias Vorreiter Pedersen
d7eac4d567 C++: Add change note. 2024-07-03 11:33:52 +01:00
Alvaro Muñoz
c70fb6e911 Consider toJson as a sanitizer for Code Injection in JS 2024-07-03 12:25:24 +02:00
Mathias Vorreiter Pedersen
b8c01e2901 C++: Accept test changes. 2024-07-03 11:18:21 +01:00
Mathias Vorreiter Pedersen
5be948533c C++: Replace 'Element[*@]' with 'Element[@]'. 2024-07-03 11:18:13 +01:00
Rasmus Wriedt Larsen
f9536e9a66 Merge pull request #16883 from github/tausbn/python-fix-bad-join-in-import-resolution 
Python: Fix bad join in `getImmediateModuleReference`
 2024-07-03 11:40:01 +02:00
Tom Hvitved
4ae8720930 SSA: Add BasicBlock.{getNode/1,length/0} to the input signature 2024-07-03 11:32:35 +02:00
Owen Mansel-Chan
dfc59a45c2 Merge pull request #16894 from github/workflow/coverage/update 
Update CSV framework coverage reports
 2024-07-03 10:17:16 +01:00
Mathias Vorreiter Pedersen
640c842969 Merge pull request #16892 from MathiasVP/fix-qldoc-on-GuardCondition 
C++: Update QLDoc on `GuardCondition`
 2024-07-03 09:25:13 +01:00
Mathias Vorreiter Pedersen
284007dbff C++: Fix more QLDoc. 2024-07-03 09:14:06 +01:00
am0o0
7e5f2e2a48 experimentalSinkModel to sinkModel, remove one path injection sink that already exist before 2024-07-03 08:55:12 +02:00
Tamas Vajk
b36db5ad11 C#: Fix glob pattern processing: allow **/ to match empty string 2024-07-03 08:09:34 +02:00
github-actions[bot]
13bb93ea20 Add changed framework coverage reports 2024-07-03 00:17:59 +00:00
Alvaro Muñoz
7e0146d634 Bump qlpack versions 2024-07-02 23:52:01 +02:00
Alvaro Muñoz
4b01cd5be4 Support flow through fromJson 2024-07-02 23:51:19 +02:00
Alvaro Muñoz
45d51a4d00 Add more poisonable steps 2024-07-02 23:29:53 +02:00
Mathias Vorreiter Pedersen
4652003688 C++: Update QLDoc on 'GuardCondition' to reflect the fact that switch statements are supported. 2024-07-02 20:21:54 +01:00
Rasmus Wriedt Larsen
ce177c3450 Merge pull request #15655 from yoff/python/support-model-editor 
Python: Support model editor
 2024-07-02 16:28:58 +02:00
Tom Hvitved
8e8100fd34 Merge pull request #16887 from hvitved/ruby/local-flow-missing-steps 
Ruby: Add missing local flow steps
 2024-07-02 15:43:52 +02:00
Mathias Vorreiter Pedersen
6b025db824 C++: Add QLDoc to 'getParameterTypeName'. 2024-07-02 14:26:15 +01:00
Mathias Vorreiter Pedersen
c104a0a74c C++: Expand QLDoc on 'signatureMatches'. 2024-07-02 14:23:04 +01:00
Rasmus Wriedt Larsen
dc33f0de1d Python: Additional tests for model-editor 
We currently have some problems with these files, that we should fix
later down the line. See PR comment for more details.
 2024-07-02 14:28:46 +02:00
Tom Hvitved
19e910e1b5 Merge pull request #16801 from hvitved/ruby/element-reference-block 
Ruby: Handle element references with blocks
 2024-07-02 13:08:31 +02:00
Owen Mansel-Chan
c7ad0ad406 Merge pull request #16809 from owen-mc/go/mad-sources-beego 
Go: Convert Beego sources to MaD
 2024-07-02 09:36:48 +01:00
Michael Nebel
e05f835683 C#: Update model generator expected output. 2024-07-02 07:52:30 +01:00
Michael Nebel
5639ada3ed C#: Do not generate source models for Overriable callables that overrides or implements something. 2024-07-02 07:52:26 +01:00
Michael Nebel
70494d339d C#: Re-write some of the existing source model generation tests and introduce a new one for ToString. 2024-07-02 07:52:22 +01:00
Michael Nebel
a108b9c37d C#: Fix some bugs in the python script for the model generator. 2024-07-02 07:52:18 +01:00
Michael Nebel
25b20186af Merge pull request #16861 from michaelnebel/modelgen/sourcesinklift 
C#/Java: Do not lift source and sink models.
 2024-07-02 08:50:31 +02:00
Alvaro Muñoz
1281ca8e81 Bump qlpack versions 2024-07-01 23:01:38 +02:00
Tamás Vajk
b4707abf4c Merge pull request #16871 from tamasvajk/fix/quality-issues 
C#: Fix quality issues
 2024-07-01 22:23:43 +02:00
Tom Hvitved
7fdc09c17f Ruby: Add missing local flow steps 2024-07-01 19:46:40 +02:00
aegilops
e2b37f97b0 Added dot to end of test message 2024-07-01 17:41:26 +01:00