Commit Graph

85654 Commits

Author SHA1 Message Date
Robert Marsh
4f23cce63b C++: Accept more test output 2022-01-07 11:27:45 -05:00
Michael Nebel
23b8444348 C#: Cleanup C# source code file and add a test case for namespace delcarations. 2022-01-07 16:04:43 +01:00
Michael Nebel
b8f6d17bc1 C#: Add test for file scoped namespace. 2022-01-07 16:04:43 +01:00
Michael Nebel
a6d847b532 C#: Make support for FileScoped namespace declaration in the extrator. 2022-01-07 16:04:43 +01:00
Erik Krogh Kristensen
bb94c42a35 explicit this
Co-authored-by: Taus <tausbn@github.com>
2022-01-07 15:22:21 +01:00
Mathias Vorreiter Pedersen
4ee653378e Merge pull request #7517 from MathiasVP/avoid-self-joins-in-toctou-query
C++: Remove bad self joins in `cpp/toctou-race-condition`.
2022-01-07 13:08:30 +00:00
Michael Nebel
94c1a489e0 Merge pull request #7507 from michaelnebel/csharp-libdataflow-cleanup
C#: Refactor and cleanup LibraryTypeDataFlow
2022-01-07 13:16:08 +01:00
Michael Nebel
17219eff61 Merge pull request #7530 from github/workflow/coverage/update
Update CSV framework coverage reports
2022-01-07 13:15:49 +01:00
Michael Nebel
929f6ca578 C#: Address review comments. 2022-01-07 10:26:33 +01:00
Michael Nebel
d3368dcc23 C#: Remove the LibraryTypeDataFlow file as the remaining code is dead. 2022-01-07 10:26:32 +01:00
Michael Nebel
9b47249f6a C#: Migrate the legacy clearContent flow summaries to the new framework. 2022-01-07 10:26:32 +01:00
Michael Nebel
fd317c2e7b C#: Move RecordConstructorFlow. 2022-01-07 10:26:32 +01:00
Michael Nebel
fb950848c7 C#: Remove unused case, when converting SummaryComponent stacks. 2022-01-07 10:26:32 +01:00
Michael Nebel
5a0e6ed8e6 C#: Remove unsued predicates in CallableFlowSource and subclasses. 2022-01-07 10:26:32 +01:00
Michael Nebel
19914aba89 C#: Remove CallableFlowSink. 2022-01-07 10:26:32 +01:00
Michael Nebel
ed4d09bc8b C#: Remove unneeded imports. 2022-01-07 10:26:32 +01:00
Michael Nebel
d042c4b3e4 C#: Remove unsused type,class and module AccessPath. 2022-01-07 10:26:32 +01:00
Michael Nebel
d5768bf4ed C#: Remove more empty predicates. 2022-01-07 10:26:31 +01:00
Michael Nebel
a6b79926b2 C#: Remove unused predicate toCallableFlowSink. 2022-01-07 10:26:31 +01:00
Michael Nebel
ecc9593f00 C#: Remove the unused predicate callable flow. 2022-01-07 10:26:31 +01:00
Michael Nebel
c52787c741 C#: Move the declaration of synthetic fields to where they are needed. 2022-01-07 10:26:31 +01:00
Michael Nebel
608aba7cff C#: Delete empty predicate requiresAccessPath. 2022-01-07 10:26:31 +01:00
Felicity Chapman
ad82523b91 Apply suggestions from code review 2022-01-07 08:49:37 +00:00
Felicity Chapman
95c9f89b04 Merge branch 'main' into patch-1 2022-01-07 08:49:13 +00:00
github-actions[bot]
efb1cd4f3b Add changed framework coverage reports 2022-01-07 00:10:30 +00:00
Erik Krogh Kristensen
9afd360731 QL: recognize dependecies of the form: libraryPathDependencies: library-name 2022-01-06 23:35:28 +01:00
Chris Smowton
6b4a50567a Merge pull request #659 from smowton/smowton/fix/path-transformer-use-realpath
Path transformer: use fully resolved path
2022-01-06 19:11:16 +00:00
Robert Marsh
c6da1f2be0 C++: re-add comment 2022-01-06 12:43:22 -05:00
Robert Marsh
355fc0ae63 C++: Use Guards library in Overflow.qll
Replaces the ad-hoc guard handling with the Guards library. Fixes an
observed false positive pattern, and (hopefully) means some pragmas are
no longer necessary for performance.
2022-01-06 12:15:37 -05:00
Robert Marsh
617bdbc5ba C++: test for guard-by-return in Overflow.qll 2022-01-06 12:15:37 -05:00
Robert Marsh
d5682f157a Merge pull request #7525 from MathiasVP/remove-rank-in-ssa-internals
C++: Remove `rank` aggregate in `SsaInternals`
2022-01-06 12:09:57 -05:00
Andrew Eisenberg
6d62227576 Merge pull request #7431 from aeisenberg/aeisenberg/solorigate-publish
Solorigate: Extract to separate qlpack
2022-01-06 08:53:32 -08:00
Mathias Vorreiter Pedersen
173cefd7e4 C++: Respond to PR reviews. 2022-01-06 15:39:40 +00:00
haby0
759ec31508 Delete shutil_path_injection.py file 2022-01-06 21:38:35 +08:00
Michael Nebel
b3cb250ece Merge pull request #7516 from michaelnebel/csharp/improve-csv-validation
C#: Introduce Csv validation on kind.
2022-01-06 14:31:26 +01:00
Michael Nebel
9cafab1b4c Merge pull request #7465 from michaelnebel/csharp-stringvalues-csv
C#: Introduce flow summaries for StringValues.
2022-01-06 14:30:29 +01:00
Rasmus Wriedt Larsen
3e1dcc3d11 Merge pull request #7518 from tausbn/python-extend-unreachable-statement-test
Python: Extend unreachable statement test
2022-01-06 14:07:29 +01:00
Mathias Vorreiter Pedersen
671954025d C++: Fix qldoc. 2022-01-06 11:02:15 +00:00
Asger F
c9fcdb8261 Apply suggestions from code review
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
2022-01-06 11:51:27 +01:00
Mathias Vorreiter Pedersen
2f42054f8f C++: Rename 'hasRankInBlock' to 'hasIndexInBlock' since it's not really a rank computation anymore. 2022-01-06 10:31:05 +00:00
Mathias Vorreiter Pedersen
fdb9fb588c C++: Remove the rank aggregate from 'SsaInternals.qll'. 2022-01-06 10:30:31 +00:00
haby0
05b0daa0b7 Add the test of shutil module in FileSystemAccess.py 2022-01-06 14:14:42 +08:00
Harry Maclean
43ddc54f2b Ruby: Add Module#const_get as a code execution
Module#const_get takes a single string argument and interprets it as the
name of a constant. It then looks up the constant and returns its value.

    Object.const_get("Math::PI")
    # => 3.141592653589793

By itself, this method is not as dangerous as e.g. eval, but if the
value returned is a class that is then instantiated, this can allow an
attacker to instantiate arbitrary Ruby classes.

As a result, I think it's safe to say that any remote input flowing into
this call is a potential vulnerability. A real-world example of this is
https://github.com/advisories/GHSA-52p9-v744-mwjj.
2022-01-06 13:03:41 +13:00
Tom Hvitved
ac9cac78bc Ruby: Fix typo 2022-01-06 12:27:03 +13:00
Tom Hvitved
c3fd272f9b Ruby: Simplify getValueText logic for StringlikeLiterals 2022-01-06 12:27:03 +13:00
Tom Hvitved
799ec23b0d Ruby: Generalize ExprChildMapping logic to AstNodes 2022-01-06 12:27:03 +13:00
Tom Hvitved
322f8356dd Ruby: Include StringComponents in the CFG 2022-01-06 12:27:03 +13:00
Tom Hvitved
301d0bbdf8 Ruby: Restructure test to avoid dead code 2022-01-06 12:27:03 +13:00
Harry Maclean
23f1352953 Add ReDoS test that uses string interpolation
This exercises the support for resolving string interpolations, and is
based on a real vulnerability:

https://github.com/advisories/GHSA-jxhc-q857-3j6g)
2022-01-06 12:27:03 +13:00
Harry Maclean
32c93e70e2 Include simple interpolations in getValueText
When calculating `StringlikeLiteral.getValueText`, include results from
interpolations where we can determine their string value. For example:

    b = "b" # local variable
    D = "d" # constant

    "a#{b}c"     # getValueText() = "abc"
    "a#{b}c{D}"  # getValueText() = "abcd"
    /#a#{b}c{D}/ # getValueText() = "abcd"
2022-01-06 12:27:03 +13:00