hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-06-07 06:27:04 +02:00
Code Issues Packages Projects Releases Wiki Activity
86,439 Commits 1,777 Branches 169 Tags
codeql-cli-2.25.0
Commit Graph

86439 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Asger F
62c17d3f4e JS: Update SanitizerGuardNode use in BasicTaintTracking test 2024-12-03 14:30:34 +01:00
Asger F
f620191da4 JS: Deprecate SanitizerGuardNode 2024-12-03 14:30:33 +01:00
Asger F
2ae7386775 JS: Also apply new BarrierGuardLegacy pattern in Xss.qll 2024-12-03 14:30:32 +01:00
Asger F
2ef652da2c JS: Add more deprecation annotations in tests 2024-12-03 14:30:31 +01:00
Asger F
21494fbdff JS: Refactor BarrierGuardLegacy pattern to not depend on SanitizerGuardNode 
Previously our barrier guard classes were direct descendents of SanitizerGuardNode which made it hard to deprecate that class.

Now our barrier guards are not descending from any shared class. Instead they are contributed to SanitizerGuardNode via a private helper class we can remove in the future.
 2024-12-03 14:30:29 +01:00
Asger F
a574ff1669 JS: Remove use of MakeLegacyBarrierGuard in experimental SSRF 2024-12-03 14:30:28 +01:00
Asger F
08d25c122d JS: Deprecate more uses of ConsistencyConfiguration 2024-12-03 14:30:27 +01:00
Asger F
75ab4856b8 Remove unsupported features from PoI 2024-12-03 14:30:25 +01:00
Asger F
e6680dec8f JS: Avoid use of LabeledSanitizerGuardNode in TaintedObject 
Drive-by bugfix: Rename sanitizes -> blocksExpr.
This fixes a bug that caused the sanitizer guard not to work in df2.

The test output reflects the fact that the barrier guard works now.
 2024-12-03 14:30:24 +01:00
Asger F
0ce1fe767d JS: Deprecate ConsistencyChecking to avoid deprecation warnings 2024-12-03 14:30:23 +01:00
Asger F
04a3a6707f JS: Update a reference to AdditionalSanitizerGuardNode 
Unlike most other references to this class, we're not subclassing it here, we're
just trying to reuse some standard barrier guards but with a different flow state.
 2024-12-03 14:30:22 +01:00
Asger F
834d35bc42 JS: Port experimental DecompressionBombs to ConfigSig 2024-12-03 14:30:21 +01:00
Asger F
871bc3b84a JS: Port experimental CorsPermissiveConfiguration to ConfigSig 
The tests show a new (source, sink) pair for an already-flagged sink.

Not sure why it was not flagged originally since the data flow path seems valid, given the steps provided by our models.
 2024-12-03 14:30:20 +01:00
Asger F
f5a6485ef2 JS: Port experimental decodeJwtWithoutVerificationLocalSource 2024-12-03 14:30:19 +01:00
Asger F
72e522631d JS: Port experimental jwtDecodeWithoutVerification to ConfigSig 2024-12-03 14:30:18 +01:00
Asger F
7e162f5451 JS: Port experimental EnvValueInjection to ConfigSig 2024-12-03 14:30:17 +01:00
Asger F
4f839070a0 JS: Port experimental EnvValueAndKeyInjection to ConfigSig 2024-12-03 14:30:16 +01:00
Asger F
8887ca1722 JS: Port an experimental CodeInjection variant to ConfigSig 2024-12-03 14:30:15 +01:00
Asger F
1832e93766 JS: Port FormParsers test to ConfigSig 2024-12-03 14:30:14 +01:00
Asger F
4d7401a074 JS: Deprecate tests for deprecated APIs 
Mainly adds 'deprecated' in front of a bunch of tests for deprecated APIs.
 2024-12-03 14:30:12 +01:00
Asger F
3548544970 JS: Avoid some uses of deprecated guard classes in tests 2024-12-03 14:30:11 +01:00
Asger F
a568d8c086 JS: Port threat-model test to ConfigSig 2024-12-03 14:30:10 +01:00
Asger F
f758b67d30 JS: Openly recommend SummarizedCallable 2024-12-03 14:30:09 +01:00
Asger F
249104b8ae JS: Update comments referring to old Configuration style 
Also avoid the term "analysis-specific" because it's not a term we use anywhere else.
 2024-12-03 14:30:08 +01:00
Asger F
13ee597848 JS: Add some proper documentation to SummarizedCallable 2024-12-03 14:30:07 +01:00
Asger F
988fa9c0ef JS: Deprecate AdditionalSanitizerGuardNode 
We're deprecating the class through an alias, but it is still the base class for a non-deprecated class, for backwards compatibility. For this reason we're also deprecating all of its member predicates so we can remove those in the future.
 2024-12-03 14:30:06 +01:00
Asger F
0b1e859e70 JS: Remove uses of AdditionalSanitizerGuardNode 2024-12-03 14:30:05 +01:00
Asger F
c2abb0fbd0 JS: Remove reference to AdditionalSanitizerGuard from CachedStages 2024-12-03 14:30:04 +01:00
Asger F
82682d9a62 JS: Remove a non-deprecated reference to SanitizerGuardNode 2024-12-03 14:30:03 +01:00
Asger F
bc7753de29 JS: Remove non-deprecated reference to AdditionalBarrierGuardNode 2024-12-03 14:30:02 +01:00
Asger F
0cd2e3f9eb JS: Deprecate old data flow library, except some guard-related nodes 2024-12-03 14:30:01 +01:00
Asger F
071189a9e9 Merge pull request #18175 from asgerf/jss/documentation 
JS: Update data flow documentation and tutorials for JavaScript
 2024-12-03 14:23:29 +01:00
Simon Friis Vindum
cac4514eae Rust: Add basic data flow through arrays 2024-12-03 14:15:54 +01:00
Simon Friis Vindum
3346b64e96 Rust: Add variables and data flow array tests 2024-12-03 14:14:41 +01:00
Anders Schack-Mulligen
2c0baff76a Java: Delete deprecated data flow api. 2024-12-03 14:13:03 +01:00
Michael Nebel
4675426241 C#: Update change note with info on private fields. 2024-12-03 14:12:09 +01:00
Tom Hvitved
06b1d8e448 Merge pull request #18177 from hvitved/rust/dataflow-variant-canonical-path 
Rust: Use canonical paths for variants in data flow
 2024-12-03 14:01:28 +01:00
Anders Schack-Mulligen
9734cff15b Java/C#: Update expected files. 2024-12-03 12:57:44 +01:00
Asger F
e1aff15f29 Merge pull request #18125 from asgerf/jss/summary-type-tracker 
JS: Derive type-tracking steps from flow summaries
 2024-12-03 12:40:56 +01:00
Paolo Tranquilli
ebe38bca23 Merge branch 'main' into redsun82/rust-less-canonical-paths 2024-12-03 12:19:08 +01:00
Paolo Tranquilli
952f41e17e Rust: fix broken test 2024-12-03 12:06:39 +01:00
Asger F
27e61a1f3d JS: Also update cheat sheet 2024-12-03 12:00:30 +01:00
Asger F
89463d73f5 JS: Remove mention of isAdditionalTaintStep 2024-12-03 11:51:46 +01:00
Asger F
935e1c065a Update docs/codeql/codeql-language-guides/using-flow-labels-for-precise-data-flow-analysis.rst 
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
 2024-12-03 11:49:45 +01:00
Asger F
89849fae87 Update docs/codeql/codeql-language-guides/using-flow-labels-for-precise-data-flow-analysis.rst 
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
 2024-12-03 11:49:34 +01:00
Asger F
5e27257405 Update docs/codeql/codeql-language-guides/analyzing-data-flow-in-javascript-and-typescript.rst 
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
 2024-12-03 11:49:22 +01:00
Michael Nebel
cc4382c785 Merge pull request #18186 from michaelnebel/csharp/removechangenote 
C#: Remove change note.
 2024-12-03 11:45:34 +01:00
Paolo Tranquilli
db18d1046b Rust: rename getTy -> getTypeRepr 2024-12-03 11:17:08 +01:00
Paolo Tranquilli
8287cdd7b3 Rust: accept test changes 2024-12-03 11:01:05 +01:00
Anders Schack-Mulligen
b65a4e45ab Dataflow: Postpone type pruning until stage 5. 2024-12-03 10:59:12 +01:00