Robert Marsh
4f23cce63b
C++: Accept more test output
2022-01-07 11:27:45 -05:00
Michael Nebel
23b8444348
C#: Cleanup C# source code file and add a test case for namespace delcarations.
2022-01-07 16:04:43 +01:00
Michael Nebel
b8f6d17bc1
C#: Add test for file scoped namespace.
2022-01-07 16:04:43 +01:00
Michael Nebel
a6d847b532
C#: Make support for FileScoped namespace declaration in the extrator.
2022-01-07 16:04:43 +01:00
Erik Krogh Kristensen
bb94c42a35
explicit this
...
Co-authored-by: Taus <tausbn@github.com >
2022-01-07 15:22:21 +01:00
Mathias Vorreiter Pedersen
4ee653378e
Merge pull request #7517 from MathiasVP/avoid-self-joins-in-toctou-query
...
C++: Remove bad self joins in `cpp/toctou-race-condition`.
2022-01-07 13:08:30 +00:00
Michael Nebel
94c1a489e0
Merge pull request #7507 from michaelnebel/csharp-libdataflow-cleanup
...
C#: Refactor and cleanup LibraryTypeDataFlow
2022-01-07 13:16:08 +01:00
Michael Nebel
17219eff61
Merge pull request #7530 from github/workflow/coverage/update
...
Update CSV framework coverage reports
2022-01-07 13:15:49 +01:00
Michael Nebel
929f6ca578
C#: Address review comments.
2022-01-07 10:26:33 +01:00
Michael Nebel
d3368dcc23
C#: Remove the LibraryTypeDataFlow file as the remaining code is dead.
2022-01-07 10:26:32 +01:00
Michael Nebel
9b47249f6a
C#: Migrate the legacy clearContent flow summaries to the new framework.
2022-01-07 10:26:32 +01:00
Michael Nebel
fd317c2e7b
C#: Move RecordConstructorFlow.
2022-01-07 10:26:32 +01:00
Michael Nebel
fb950848c7
C#: Remove unused case, when converting SummaryComponent stacks.
2022-01-07 10:26:32 +01:00
Michael Nebel
5a0e6ed8e6
C#: Remove unsued predicates in CallableFlowSource and subclasses.
2022-01-07 10:26:32 +01:00
Michael Nebel
19914aba89
C#: Remove CallableFlowSink.
2022-01-07 10:26:32 +01:00
Michael Nebel
ed4d09bc8b
C#: Remove unneeded imports.
2022-01-07 10:26:32 +01:00
Michael Nebel
d042c4b3e4
C#: Remove unsused type,class and module AccessPath.
2022-01-07 10:26:32 +01:00
Michael Nebel
d5768bf4ed
C#: Remove more empty predicates.
2022-01-07 10:26:31 +01:00
Michael Nebel
a6b79926b2
C#: Remove unused predicate toCallableFlowSink.
2022-01-07 10:26:31 +01:00
Michael Nebel
ecc9593f00
C#: Remove the unused predicate callable flow.
2022-01-07 10:26:31 +01:00
Michael Nebel
c52787c741
C#: Move the declaration of synthetic fields to where they are needed.
2022-01-07 10:26:31 +01:00
Michael Nebel
608aba7cff
C#: Delete empty predicate requiresAccessPath.
2022-01-07 10:26:31 +01:00
Felicity Chapman
ad82523b91
Apply suggestions from code review
2022-01-07 08:49:37 +00:00
Felicity Chapman
95c9f89b04
Merge branch 'main' into patch-1
2022-01-07 08:49:13 +00:00
github-actions[bot]
efb1cd4f3b
Add changed framework coverage reports
2022-01-07 00:10:30 +00:00
Erik Krogh Kristensen
9afd360731
QL: recognize dependecies of the form: libraryPathDependencies: library-name
2022-01-06 23:35:28 +01:00
Chris Smowton
6b4a50567a
Merge pull request #659 from smowton/smowton/fix/path-transformer-use-realpath
...
Path transformer: use fully resolved path
2022-01-06 19:11:16 +00:00
Robert Marsh
c6da1f2be0
C++: re-add comment
2022-01-06 12:43:22 -05:00
Robert Marsh
355fc0ae63
C++: Use Guards library in Overflow.qll
...
Replaces the ad-hoc guard handling with the Guards library. Fixes an
observed false positive pattern, and (hopefully) means some pragmas are
no longer necessary for performance.
2022-01-06 12:15:37 -05:00
Robert Marsh
617bdbc5ba
C++: test for guard-by-return in Overflow.qll
2022-01-06 12:15:37 -05:00
Robert Marsh
d5682f157a
Merge pull request #7525 from MathiasVP/remove-rank-in-ssa-internals
...
C++: Remove `rank` aggregate in `SsaInternals`
2022-01-06 12:09:57 -05:00
Andrew Eisenberg
6d62227576
Merge pull request #7431 from aeisenberg/aeisenberg/solorigate-publish
...
Solorigate: Extract to separate qlpack
2022-01-06 08:53:32 -08:00
Mathias Vorreiter Pedersen
173cefd7e4
C++: Respond to PR reviews.
2022-01-06 15:39:40 +00:00
haby0
759ec31508
Delete shutil_path_injection.py file
2022-01-06 21:38:35 +08:00
Michael Nebel
b3cb250ece
Merge pull request #7516 from michaelnebel/csharp/improve-csv-validation
...
C#: Introduce Csv validation on kind.
2022-01-06 14:31:26 +01:00
Michael Nebel
9cafab1b4c
Merge pull request #7465 from michaelnebel/csharp-stringvalues-csv
...
C#: Introduce flow summaries for StringValues.
2022-01-06 14:30:29 +01:00
Rasmus Wriedt Larsen
3e1dcc3d11
Merge pull request #7518 from tausbn/python-extend-unreachable-statement-test
...
Python: Extend unreachable statement test
2022-01-06 14:07:29 +01:00
Mathias Vorreiter Pedersen
671954025d
C++: Fix qldoc.
2022-01-06 11:02:15 +00:00
Asger F
c9fcdb8261
Apply suggestions from code review
...
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com >
2022-01-06 11:51:27 +01:00
Mathias Vorreiter Pedersen
2f42054f8f
C++: Rename 'hasRankInBlock' to 'hasIndexInBlock' since it's not really a rank computation anymore.
2022-01-06 10:31:05 +00:00
Mathias Vorreiter Pedersen
fdb9fb588c
C++: Remove the rank aggregate from 'SsaInternals.qll'.
2022-01-06 10:30:31 +00:00
haby0
05b0daa0b7
Add the test of shutil module in FileSystemAccess.py
2022-01-06 14:14:42 +08:00
Harry Maclean
43ddc54f2b
Ruby: Add Module#const_get as a code execution
...
Module#const_get takes a single string argument and interprets it as the
name of a constant. It then looks up the constant and returns its value.
Object.const_get("Math::PI")
# => 3.141592653589793
By itself, this method is not as dangerous as e.g. eval, but if the
value returned is a class that is then instantiated, this can allow an
attacker to instantiate arbitrary Ruby classes.
As a result, I think it's safe to say that any remote input flowing into
this call is a potential vulnerability. A real-world example of this is
https://github.com/advisories/GHSA-52p9-v744-mwjj .
2022-01-06 13:03:41 +13:00
Tom Hvitved
ac9cac78bc
Ruby: Fix typo
2022-01-06 12:27:03 +13:00
Tom Hvitved
c3fd272f9b
Ruby: Simplify getValueText logic for StringlikeLiterals
2022-01-06 12:27:03 +13:00
Tom Hvitved
799ec23b0d
Ruby: Generalize ExprChildMapping logic to AstNodes
2022-01-06 12:27:03 +13:00
Tom Hvitved
322f8356dd
Ruby: Include StringComponents in the CFG
2022-01-06 12:27:03 +13:00
Tom Hvitved
301d0bbdf8
Ruby: Restructure test to avoid dead code
2022-01-06 12:27:03 +13:00
Harry Maclean
23f1352953
Add ReDoS test that uses string interpolation
...
This exercises the support for resolving string interpolations, and is
based on a real vulnerability:
https://github.com/advisories/GHSA-jxhc-q857-3j6g )
2022-01-06 12:27:03 +13:00
Harry Maclean
32c93e70e2
Include simple interpolations in getValueText
...
When calculating `StringlikeLiteral.getValueText`, include results from
interpolations where we can determine their string value. For example:
b = "b" # local variable
D = "d" # constant
"a#{b}c" # getValueText() = "abc"
"a#{b}c{D}" # getValueText() = "abcd"
/#a#{b}c{D}/ # getValueText() = "abcd"
2022-01-06 12:27:03 +13:00