codeql

mirror of https://github.com/github/codeql.git synced 2025-12-17 17:23:36 +01:00

Author	SHA1	Message	Date
Asger F	d501856519	Update DataFlowImpl.qll copies	2023-09-25 10:05:29 +02:00
Tom Hvitved	8f35c99f16	C#: Improve lambda dispatch using type flow	2023-09-23 11:41:03 +02:00
Anders Schack-Mulligen	66da997b7b	Dataflow: Make use of defaults for language-specific hooks.	2023-09-22 14:54:22 +02:00
Michael Nebel	45432f211c	C#: Identify whether callables in the source code are supported in terms of MaD.	2023-09-20 13:01:24 +02:00
Joe Farebrother	475fe3a2a5	Attempt to improve performance in checksUser	2023-09-20 03:18:20 +01:00
Anders Schack-Mulligen	b13d026434	Dataflow: Review fixes.	2023-09-18 13:15:26 +02:00
Joe Farebrother	68ad5b7c00	Restrict logic for checking for id parameters on index expressions for performance	2023-09-15 16:35:29 +01:00
Joe Farebrother	6d704be7d2	Rewrite checks for index expressions in terms of dataflow	2023-09-15 10:25:27 +01:00
Joe Farebrother	a2dce6be14	Check for authorize attributes in more namespaces and on overridden methods	2023-09-15 10:25:27 +01:00
Joe Farebrother	ac45050545	Add checks for authorization attributes	2023-09-15 10:25:27 +01:00
Joe Farebrother	0a27da08d6	Minor changes from review suggestions to shared logic between this and missing access control Use case insensitive regex, factor out page load to improve possible bad joins make needsAuth not a member predicate	2023-09-15 10:25:27 +01:00
Joe Farebrother	9f25c71ca6	Apply minor reveiw suggstions	2023-09-15 10:25:26 +01:00
Joe Farebrother	f8b1b38438	Update alert message and make user checks more precise	2023-09-15 10:25:26 +01:00
Joe Farebrother	251f875304	Fix filenme typo	2023-09-15 10:25:26 +01:00
Joe Farebrother	5d1289672b	Add IDOR query	2023-09-15 10:25:26 +01:00
Joe Farebrother	a510a7b4c0	Add insecure direct object reference definitions and factor out those from missing access control	2023-09-15 10:25:26 +01:00
Anders Schack-Mulligen	1750d00fbe	C#: Add localMustFlowStep	2023-09-13 15:43:46 +02:00
Tom Hvitved	53302117a1	C#: Implement `missingArgumentCallExclude` and `multipleArgumentCallExclude`	2023-09-12 20:05:11 +02:00
Tom Hvitved	ecbf2d8b13	C#: Exclude CIL arguments from `ArgumentNode` when they are compiled from source	2023-09-08 14:14:06 +02:00
Tom Hvitved	55aedbc46c	C#: Fix logic for flow into property writes	2023-09-04 15:42:50 +02:00
Tom Hvitved	73370e7282	Merge pull request #14100 from hvitved/dataflow/consistency-pack Data flow: Add consistency checks to shared ql pack	2023-08-31 11:47:40 +02:00
Tom Hvitved	756886808d	Merge pull request #14098 from hvitved/csharp/cil-best-impl C#: Speedup `bestImplementation`	2023-08-31 10:57:28 +02:00
Tom Hvitved	5c8367a695	C#: Use data flow consistency checks from shared pack	2023-08-30 15:29:41 +02:00
Tom Hvitved	29982fe30e	C#: Do not embed target callable in `TransitiveCapturedCall`	2023-08-30 13:48:44 +02:00
Tom Hvitved	66f5e4a05b	C#: Speedup `bestImplementation` Avoids an expensive anti-join: ``` [2023-08-29 15:25:48] Evaluated non-recursive predicate _FileSystem#df18ed9a::Make#File#1a556f64::Input#::Container::toString#0#dispred#bf_Method#621e9e2e::__#antijoin_rhs@96d08bc8 in 272332ms (size: 1841891). Evaluated relational algebra for predicate _FileSystem#df18ed9a::Make#File#1a556f64::Input#::Container::toString#0#dispred#bf_Method#621e9e2e::__#antijoin_rhs@96d08bc8 with tuple counts: 4632443 ~2% {3} r1 = JOIN _cil_instruction_3#antijoin_rhs_cil_method_implementation#shared WITH cil_method_implementation ON FIRST 1 OUTPUT Rhs.1, Lhs.0, Lhs.1 71945701 ~3% {3} r2 = JOIN r1 WITH cil_method_implementation_10#join_rhs ON FIRST 1 OUTPUT Rhs.1, Lhs.1, Lhs.2 71945701 ~1329% {3} r3 = JOIN r2 WITH Method#621e9e2e::MethodImplementation::getNumberOfInstructions#0#dispred#ff ON FIRST 1 OUTPUT Lhs.1, Lhs.2, Rhs.1 5016836 ~4% {4} r4 = JOIN r3 WITH Method#621e9e2e::MethodImplementation::getNumberOfInstructions#0#dispred#ff ON FIRST 1 OUTPUT Lhs.0, Lhs.1, Lhs.2, Rhs.1 {4} r5 = SELECT r4 ON In.3 < In.2 65637 ~3% {2} r6 = SCAN r5 OUTPUT In.0, In.1 71945701 ~0% {3} r7 = JOIN r1 WITH cil_method_implementation_10#join_rhs ON FIRST 1 OUTPUT Lhs.2, Lhs.1, Rhs.1 71945701 ~1% {4} r8 = JOIN r7 WITH assemblies ON FIRST 1 OUTPUT Lhs.2, Lhs.1, Lhs.0, Rhs.1 71945701 ~0% {5} r9 = JOIN r8 WITH cil_method_implementation ON FIRST 1 OUTPUT Rhs.2, Lhs.1, Lhs.2, Lhs.0, Lhs.3 71945701 ~0% {5} r10 = JOIN r9 WITH assemblies ON FIRST 1 OUTPUT Rhs.1, Lhs.1, Lhs.2, Lhs.3, Lhs.4 71945701 ~0% {5} r11 = JOIN r10 WITH FileSystem#df18ed9a::Make#File#1a556f64::Input#::Container::toString#0#dispred#bf ON FIRST 1 OUTPUT Lhs.4, Lhs.1, Lhs.2, Lhs.3, Rhs.1 71945701 ~2% {5} r12 = JOIN r11 WITH FileSystem#df18ed9a::Make#File#1a556f64::Input#::Container::toString#0#dispred#bf ON FIRST 1 OUTPUT Lhs.1, Lhs.2, Lhs.3, Lhs.4, Rhs.1 {5} r13 = SELECT r12 ON In.4 > In.3 33509342 ~0% {3} r14 = SCAN r13 OUTPUT In.0, In.1, In.2 33509342 ~0% {4} r15 = JOIN r14 WITH Method#621e9e2e::MethodImplementation::getNumberOfInstructions#0#dispred#ff ON FIRST 1 OUTPUT Lhs.2, Rhs.1, Lhs.0, Lhs.1 33051362 ~1670% {2} r16 = JOIN r15 WITH Method#621e9e2e::MethodImplementation::getNumberOfInstructions#0#dispred#ff ON FIRST 2 OUTPUT Lhs.2, Lhs.3 33116999 ~1646% {2} r17 = r6 UNION r16 return r17 ```	2023-08-30 13:46:11 +02:00
Tom Hvitved	7611bfb149	C#: Apply closed-world assumption for type-parameter qualifiers in dynamic calls	2023-08-29 11:27:45 +02:00
Tom Hvitved	1da885fae2	C#: Fix bad join in SSA library ``` [2023-08-29 10:10:29] Evaluated non-recursive predicate SsaImpl#75014cd4::Cached::lastRefBeforeRedefExt#4#ffff@4207c208 in 27604ms (size: 7511062). Evaluated relational algebra for predicate SsaImpl#75014cd4::Cached::lastRefBeforeRedefExt#4#ffff@4207c208 with tuple counts: 9905038 ~9% {5} r1 = SCAN Ssa#da392372::Make#SsaImpl#75014cd4::SsaInput#::lastRefRedefExt#5#fffff OUTPUT In.2, In.3, In.1, In.0, In.4 {5} r2 = r1 AND NOT _SsaImpl#75014cd4::SsaInput::variableRead#4#ffff_3012#join_rhs_const_false#antijoin_rhs(Lhs.0, Lhs.1, Lhs.2) 4605608 ~0% {4} r3 = SCAN r2 OUTPUT In.3, In.0, In.1, In.4 4510888816 ~0% {5} r4 = JOIN _SsaImpl#75014cd4::SsaInput::variableRead#4#ffff_3012#join_rhs_const_false#antijoin_rhs WITH project#Ssa#da392372::Make#SsaImpl#75014cd4::SsaInput#::lastRefRedefExt#5#fffff_1203#join_rhs ON FIRST 2 OUTPUT Rhs.2, Lhs.2, Lhs.0, Lhs.1, Rhs.3 5294405 ~82% {4} r5 = JOIN r4 WITH SsaImpl#75014cd4::adjacentDefReachesReadExt#6#ffffff_014523#join_rhs ON FIRST 4 OUTPUT Lhs.0, Rhs.4, Rhs.5, Lhs.4 9900013 ~28% {4} r6 = r3 UNION r5 return r6 ```	2023-08-29 11:26:30 +02:00
Tom Hvitved	e219281016	C#: Speed up `ForwarderAssertMethod` Avoids the following bad predicate ``` [2023-08-29 10:03:13] (252s) Tuple counts for _Callable#f85cebf6::Callable::getBody#0#dispred#ff_Variable#afb43847::Variable::getAnAccess#0#dispre__#join_rhs/5@43feb6tl after 4m0s: 4416261 ~203% {4} r1 = JOIN _Callable#f85cebf6::Callable::getAParameter#0#dispred#ff_10#join_rhs_Variable#afb43847::Variable::ge__#shared WITH Callable#f85cebf6::Callable::getBody#0#dispred#ff ON FIRST 1 OUTPUT Lhs.1 'arg1', Lhs.2 'arg2', Lhs.0 'arg3', Rhs.1 'arg4' 1189565718 ~152% {5} r2 = JOIN r1 WITH Variable#afb43847::Variable::getAnAccess#0#dispred#ff ON FIRST 1 OUTPUT Rhs.1 'arg0', Lhs.0 'arg1', Lhs.1 'arg2', Lhs.2 'arg3', Lhs.3 'arg4' return r2 ```	2023-08-29 11:25:20 +02:00
Michael Nebel	ce6fd8ac5f	Merge pull request #13432 from michaelnebel/updateissupported Java/C#: Update telemetry queries to report callables with sink/source neutrals as being supported.	2023-08-22 08:39:38 +02:00
Jeroen Ketema	2d0f73d7c2	Merge pull request #13881 from jketema/shared-taint-tracking Introduce shared taint tracking library	2023-08-21 12:45:49 +02:00
Michael Nebel	106ba11e10	Address review comments.	2023-08-21 09:59:02 +02:00
Michael Nebel	d66fe08661	Add QLDoc for the getKind predicate.	2023-08-21 09:59:02 +02:00
Michael Nebel	6840a6dafe	C#: Re-factor NeutralCallable to include all neutrals and introduce NeutralSummaryCallable. Also include printing of the neutral kind in FlowSummaries testcase.	2023-08-21 09:59:00 +02:00
Tom Hvitved	7cc01ea8b5	Merge pull request #13595 from hvitved/csharp/use-shared-cfg-pack C#: Adopt shared CFG construction library from shared `controlflow` pack	2023-08-17 10:37:09 +02:00
Jeroen Ketema	33e8310625	Merge branch 'main' into shared-taint-tracking	2023-08-17 00:14:25 +02:00
Tom Hvitved	26b76171ca	C#: Fix `getMadRepresentationSpecific`	2023-08-15 13:23:21 +02:00
Tom Hvitved	7dac819730	C#: Fix bad join order Before ``` Evaluated recursive predicate Stmt#3baf294a::TryStmt::getATriedElement#ff@8254eapb in 6096ms on iteration 4 (delta size: 592145). Evaluated relational algebra for predicate Stmt#3baf294a::TryStmt::getATriedElement#ff@8254eapb on iteration 4 running pipeline standard with tuple counts: 204507 ~0% {2} r1 = SCAN Stmt#3baf294a::TryStmt::getATriedElement#ff#prev_delta OUTPUT In.1, In.0 204507 ~0% {3} r2 = JOIN r1 WITH _@callable#f_ControlFlowElement#9501aa28::ControlFlowElement::getEnclosingCallable#0#dispred#ff_10#j__#join_rhs ON FIRST 1 OUTPUT Rhs.1, Lhs.0, Lhs.1 17844283 ~0% {3} r3 = JOIN r2 WITH ControlFlowElement#9501aa28::ControlFlowElement::getEnclosingCallable#0#dispred#ff_10#join_rhs ON FIRST 1 OUTPUT Lhs.1, Rhs.1, Lhs.2 592145 ~0% {2} r4 = JOIN r3 WITH Element#baf0c59e::Element::getAChild#0#dispred#ff ON FIRST 2 OUTPUT Lhs.2, Lhs.1 592145 ~0% {2} r5 = r4 AND NOT Stmt#3baf294a::TryStmt::getATriedElement#ff#prev(Lhs.0, Lhs.1) return r5 ``` After ``` Evaluated recursive predicate Stmt#3baf294a::TryStmt::getATriedElement#ff@4adecd47 in 310ms on iteration 4 (delta size: 592145). Evaluated relational algebra for predicate Stmt#3baf294a::TryStmt::getATriedElement#ff@4adecd47 on iteration 4 running pipeline standard with tuple counts: 204507 ~0% {2} r1 = SCAN Stmt#3baf294a::TryStmt::getATriedElement#ff#prev_delta OUTPUT In.1, In.0 204507 ~0% {2} r2 = r1 AND NOT _statements_10#join_rhs#antijoin_rhs#13(Lhs.0) 592145 ~2% {3} r3 = JOIN r2 WITH Element#baf0c59e::Element::getAChild#0#dispred#ff ON FIRST 1 OUTPUT Lhs.0, Lhs.1, Rhs.1 592145 ~0% {3} r4 = JOIN r3 WITH ControlFlowElement#9501aa28::ControlFlowElement::getEnclosingCallable#0#dispred#ff ON FIRST 1 OUTPUT Lhs.2, Rhs.1, Lhs.1 592145 ~0% {2} r5 = JOIN r4 WITH ControlFlowElement#9501aa28::ControlFlowElement::getEnclosingCallable#0#dispred#ff ON FIRST 2 OUTPUT Lhs.2, Lhs.0 592145 ~0% {2} r6 = r5 AND NOT Stmt#3baf294a::TryStmt::getATriedElement#ff#prev(Lhs.0, Lhs.1) return r6 ```	2023-08-09 11:28:06 +02:00
Chad Bentz	d4b5a4d4f4	Merge branch 'main' into csharp-hardcoded-cred-identity-fp	2023-08-07 15:09:01 -04:00
Jeroen Ketema	8b6a7985db	Refactor the traint-tracking library to follow the dataflow library refactoring	2023-08-07 15:23:15 +02:00
Jeroen Ketema	5d2984b7a5	Merge branch 'main' into shared-taint-tracking	2023-08-07 15:22:29 +02:00
Tom Hvitved	05cf796c54	C#: Adjust to data flow refactor	2023-08-07 11:35:21 +02:00
Chad Bentz	5a106fd5d6	Removes false positive creds from NetCore Identity	2023-08-04 21:46:35 +00:00
Jeroen Ketema	747cd1745a	Update all languages to use the shared taint-tracking library	2023-08-04 22:53:25 +02:00
Tom Hvitved	b69188fee9	C#: Adopt shared CFG construction library from shared `controlflow` pack	2023-08-03 14:12:24 +02:00
Mathias Vorreiter Pedersen	3007fdab5e	Sync identical files.	2023-08-02 14:33:33 +02:00
Anders Schack-Mulligen	5c9a839ac7	C#: Adjust to use the qlpack data-flow api.	2023-08-01 13:47:09 +02:00
Owen Mansel-Chan	9b2b58a823	Sync files	2023-07-26 21:48:10 +01:00
Anders Schack-Mulligen	95d17045c9	Dataflow: Sync.	2023-07-19 11:41:15 +02:00
Anders Schack-Mulligen	80a799df01	Merge pull request #13735 from aschackmull/dataflow/forcehighprecision-fix Dataflow: Fix forceHighPrecision for length-2 prefixes.	2023-07-14 11:42:35 +02:00
Anders Schack-Mulligen	91de43f918	C#/Java/Ruby: Remove superfluous module members.	2023-07-13 11:38:35 +02:00

... 9 10 11 12 13 ...

1598 Commits