hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-19 18:33:16 +01:00
Code Issues Packages Projects Releases Wiki Activity
74,247 Commits 1,671 Branches 157 Tags
codeql-cli-2.20.1
Commit Graph

1422 Commits

Author SHA1 Message Date
Tom Hvitved
6f4311d656 C#: Include type parameters when printing MaD rows with generics 2023-11-09 08:34:06 +01:00
Tom Hvitved
b2512eb212 Merge pull request #14678 from hvitved/csharp/mad-operator-fix 
C#: Correctly parse operator names in MaD
 2023-11-07 15:11:01 +01:00
Tom Hvitved
af7b295c59 Address review comments 2023-11-07 13:01:19 +01:00
Tom Hvitved
12cd1c1011 C#: Deprecate UnboundGenericType::getInstanceType/0 2023-11-06 13:01:57 +01:00
Tom Hvitved
3e3ea51e69 C#: Correctly parse operator names in MaD 2023-11-05 20:58:47 +01:00
Tom Hvitved
2a33a86c9d C#: Merge ExternalFlow.qll and ExternalFlowExtensions.qll, and move to internal 2023-11-05 20:58:47 +01:00
Tom Hvitved
12d856737a Address review comments 2023-11-02 12:38:35 +01:00
Tom Hvitved
c717e346fb C#: Move qualified name computation into QualifiedName.qll 2023-11-01 16:21:55 +01:00
Tom Hvitved
6ad8a4db1c C#: Only use getTypeRef when there is not already a type available 2023-10-27 14:11:55 +02:00
Anders Schack-Mulligen
6882504397 C#: Fix compilation 2023-10-25 14:31:49 +02:00
Anders Schack-Mulligen
5ded55cd9f C#: Sync Bound.qll 2023-10-25 14:08:48 +02:00
Joe Farebrother
fe2468e7d0 Merge pull request #14498 from joefarebrother/csharp-missing-access-control 
C#: Fix FP in Missing Function Level Access Control and Insecure Direct Object Reference
 2023-10-16 10:46:19 +01:00
Joe Farebrother
915352861d Check for generic base types in Missing Function Level Access Control and Insecure Direct Object Reference. 2023-10-13 14:22:45 +01:00
Tony Torralba
0cea3f8531 Remove library annotations 2023-10-13 12:46:56 +02:00
Tamas Vajk
267fd23b26 C#: Include the void type in value types 2023-10-11 12:01:17 +02:00
erik-krogh
4bc4e0845d delete the deprecated isBarrierGuard predicate from the shared dataflow library, and its uses 2023-10-07 21:48:49 +02:00
Asger F
0d96ed8aee Merge pull request #14305 from asgerf/shared/flow-state-inout-barriers 
Shared: add in/out barriers with flow state
 2023-09-28 11:07:23 +02:00
Anders Schack-Mulligen
5feb2f7622 Merge pull request #14321 from aschackmull/shared/filesystem 
All languages: Use shared FileSystem library and minor regex performance improvement.
 2023-09-28 10:51:05 +02:00
Koen Vlaswinkel
0f4f98787c Merge pull request #14200 from github/koesie10/add-csharp-model-editor-queries 
C#: Add VS Code model editor queries
 2023-09-28 10:12:57 +02:00
Anders Schack-Mulligen
20cbab9e8f C#: Minor simplification. 2023-09-28 08:58:55 +02:00
Joe Farebrother
7c230d61a8 Merge pull request #13882 from joefarebrother/csharp-insecure-direct-object-ref 
C#: Add query for Insecure Direct Object Reference
 2023-09-25 20:29:54 +01:00
Tom Hvitved
4183fbe7cb Merge pull request #14295 from hvitved/csharp/lambda-type-flow 
C#: Improve lambda dispatch using type flow
 2023-09-25 19:19:51 +02:00
Joe Farebrother
d7c1be40d9 Fix codescanning alert by tweaking imported modules 2023-09-25 15:47:05 +01:00
Tom Hvitved
ae06040a48 Address review comments 2023-09-25 14:30:08 +02:00
Asger F
d501856519 Update DataFlowImpl.qll copies 2023-09-25 10:05:29 +02:00
Tom Hvitved
8f35c99f16 C#: Improve lambda dispatch using type flow 2023-09-23 11:41:03 +02:00
Anders Schack-Mulligen
66da997b7b Dataflow: Make use of defaults for language-specific hooks. 2023-09-22 14:54:22 +02:00
Michael Nebel
45432f211c C#: Identify whether callables in the source code are supported in terms of MaD. 2023-09-20 13:01:24 +02:00
Joe Farebrother
475fe3a2a5 Attempt to improve performance in checksUser 2023-09-20 03:18:20 +01:00
Anders Schack-Mulligen
b13d026434 Dataflow: Review fixes. 2023-09-18 13:15:26 +02:00
Joe Farebrother
68ad5b7c00 Restrict logic for checking for id parameters on index expressions for performance 2023-09-15 16:35:29 +01:00
Joe Farebrother
6d704be7d2 Rewrite checks for index expressions in terms of dataflow 2023-09-15 10:25:27 +01:00
Joe Farebrother
a2dce6be14 Check for authorize attributes in more namespaces and on overridden methods 2023-09-15 10:25:27 +01:00
Joe Farebrother
ac45050545 Add checks for authorization attributes 2023-09-15 10:25:27 +01:00
Joe Farebrother
0a27da08d6 Minor changes from review suggestions to shared logic between this and missing access control 
Use case insensitive regex, factor out page load to improve possible bad joins make needsAuth not a member predicate
 2023-09-15 10:25:27 +01:00
Joe Farebrother
9f25c71ca6 Apply minor reveiw suggstions 2023-09-15 10:25:26 +01:00
Joe Farebrother
f8b1b38438 Update alert message and make user checks more precise 2023-09-15 10:25:26 +01:00
Joe Farebrother
251f875304 Fix filenme typo 2023-09-15 10:25:26 +01:00
Joe Farebrother
5d1289672b Add IDOR query 2023-09-15 10:25:26 +01:00
Joe Farebrother
a510a7b4c0 Add insecure direct object reference definitions and factor out those from missing access control 2023-09-15 10:25:26 +01:00
Anders Schack-Mulligen
1750d00fbe C#: Add localMustFlowStep 2023-09-13 15:43:46 +02:00
Tom Hvitved
53302117a1 C#: Implement missingArgumentCallExclude and multipleArgumentCallExclude 2023-09-12 20:05:11 +02:00
Tom Hvitved
ecbf2d8b13 C#: Exclude CIL arguments from ArgumentNode when they are compiled from source 2023-09-08 14:14:06 +02:00
Tom Hvitved
55aedbc46c C#: Fix logic for flow into property writes 2023-09-04 15:42:50 +02:00
Tom Hvitved
73370e7282 Merge pull request #14100 from hvitved/dataflow/consistency-pack 
Data flow: Add consistency checks to shared ql pack
 2023-08-31 11:47:40 +02:00
Tom Hvitved
756886808d Merge pull request #14098 from hvitved/csharp/cil-best-impl 
C#: Speedup `bestImplementation`
 2023-08-31 10:57:28 +02:00
Tom Hvitved
5c8367a695 C#: Use data flow consistency checks from shared pack 2023-08-30 15:29:41 +02:00
Tom Hvitved
29982fe30e C#: Do not embed target callable in TransitiveCapturedCall 2023-08-30 13:48:44 +02:00
Tom Hvitved
66f5e4a05b C#: Speedup bestImplementation 
Avoids an expensive anti-join:

```
[2023-08-29 15:25:48] Evaluated non-recursive predicate _FileSystem#df18ed9a::Make#File#1a556f64::Input#::Container::toString#0#dispred#bf_Method#621e9e2e::__#antijoin_rhs@96d08bc8 in 272332ms (size: 1841891).
Evaluated relational algebra for predicate _FileSystem#df18ed9a::Make#File#1a556f64::Input#::Container::toString#0#dispred#bf_Method#621e9e2e::__#antijoin_rhs@96d08bc8 with tuple counts:
         4632443     ~2%    {3} r1 = JOIN _cil_instruction_3#antijoin_rhs_cil_method_implementation#shared WITH cil_method_implementation ON FIRST 1 OUTPUT Rhs.1, Lhs.0, Lhs.1

        71945701     ~3%    {3} r2 = JOIN r1 WITH cil_method_implementation_10#join_rhs ON FIRST 1 OUTPUT Rhs.1, Lhs.1, Lhs.2
        71945701  ~1329%    {3} r3 = JOIN r2 WITH Method#621e9e2e::MethodImplementation::getNumberOfInstructions#0#dispred#ff ON FIRST 1 OUTPUT Lhs.1, Lhs.2, Rhs.1
         5016836     ~4%    {4} r4 = JOIN r3 WITH Method#621e9e2e::MethodImplementation::getNumberOfInstructions#0#dispred#ff ON FIRST 1 OUTPUT Lhs.0, Lhs.1, Lhs.2, Rhs.1
                            {4} r5 = SELECT r4 ON In.3 < In.2
           65637     ~3%    {2} r6 = SCAN r5 OUTPUT In.0, In.1

        71945701     ~0%    {3} r7 = JOIN r1 WITH cil_method_implementation_10#join_rhs ON FIRST 1 OUTPUT Lhs.2, Lhs.1, Rhs.1
        71945701     ~1%    {4} r8 = JOIN r7 WITH assemblies ON FIRST 1 OUTPUT Lhs.2, Lhs.1, Lhs.0, Rhs.1
        71945701     ~0%    {5} r9 = JOIN r8 WITH cil_method_implementation ON FIRST 1 OUTPUT Rhs.2, Lhs.1, Lhs.2, Lhs.0, Lhs.3
        71945701     ~0%    {5} r10 = JOIN r9 WITH assemblies ON FIRST 1 OUTPUT Rhs.1, Lhs.1, Lhs.2, Lhs.3, Lhs.4
        71945701     ~0%    {5} r11 = JOIN r10 WITH FileSystem#df18ed9a::Make#File#1a556f64::Input#::Container::toString#0#dispred#bf ON FIRST 1 OUTPUT Lhs.4, Lhs.1, Lhs.2, Lhs.3, Rhs.1
        71945701     ~2%    {5} r12 = JOIN r11 WITH FileSystem#df18ed9a::Make#File#1a556f64::Input#::Container::toString#0#dispred#bf ON FIRST 1 OUTPUT Lhs.1, Lhs.2, Lhs.3, Lhs.4, Rhs.1
                            {5} r13 = SELECT r12 ON In.4 > In.3
        33509342     ~0%    {3} r14 = SCAN r13 OUTPUT In.0, In.1, In.2
        33509342     ~0%    {4} r15 = JOIN r14 WITH Method#621e9e2e::MethodImplementation::getNumberOfInstructions#0#dispred#ff ON FIRST 1 OUTPUT Lhs.2, Rhs.1, Lhs.0, Lhs.1
        33051362  ~1670%    {2} r16 = JOIN r15 WITH Method#621e9e2e::MethodImplementation::getNumberOfInstructions#0#dispred#ff ON FIRST 2 OUTPUT Lhs.2, Lhs.3

        33116999  ~1646%    {2} r17 = r6 UNION r16
                            return r17
```
 2023-08-30 13:46:11 +02:00
Tom Hvitved
7611bfb149 C#: Apply closed-world assumption for type-parameter qualifiers in dynamic calls 2023-08-29 11:27:45 +02:00