hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-06-07 14:28:17 +02:00
Code Issues Packages Projects Releases Wiki Activity
86,439 Commits 1,777 Branches 169 Tags
codeql-cli-2.25.0
Commit Graph

86439 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Michael Nebel
058fcc1a51 Merge pull request #17853 from michaelnebel/csharp/madtests 
C#: Re-factor test for CWE-611/UntrustedDataInsecureXml.ql to pretty print models.
 2024-10-28 13:38:26 +01:00
Tom Hvitved
711dfc3592 Rust: Cache Locatable.getLocation and Location 2024-10-28 13:33:49 +01:00
Arthur Baars
b6c26debef Rust: create single Semantics object for each workspace 2024-10-28 13:29:04 +01:00
Arthur Baars
57cdda3405 Rust: no longer reload files into the RootDatabase 
Files were reloaded to handle cases were there was no content
for a file_id, causing a panic. Missing contents was caused by
files that did not contain valid UTF-8 data. These are skipped
by rust-analyzer when it is loading data into the RootDatabase.
 2024-10-28 13:29:03 +01:00
Paolo Tranquilli
9c95a17882 Rust: add block ids to canonical paths, making them "extended" 2024-10-28 12:41:05 +01:00
Simon Friis Vindum
cab916453d Rust: Update unused value expected test result 2024-10-28 12:18:00 +01:00
Alvaro Muñoz
aecb478e1c Bump qlpack versions 2024-10-28 11:58:45 +01:00
Alvaro Muñoz
18137f58c2 fix: take trigger events into consideration 
Code Injection remote flow sources should be triggerable by the
privileged event
 2024-10-28 11:58:14 +01:00
Alvaro Muñoz
792e8555af fix: remove context 2 events mappings 
client_paylaod (dispatch), commits (push), head_commit (push) and
merge_group are not under external attacker control so remove them
 2024-10-28 11:56:59 +01:00
Alvaro Muñoz
62d9302e8b chore: remove leftover commented out code 2024-10-28 11:55:44 +01:00
Alvaro Muñoz
e34835f71a fix: AstNode.getATriggerEvent() 
getATriggerEvent did not work for nodes outside a Job.
If there is no enclosing job, get the trigger from the enclosing
workflow
 2024-10-28 11:55:23 +01:00
Alvaro Muñoz
6136a98764 Add getEvent to RemoteFlowSource for events able to trigger the source 2024-10-28 11:54:04 +01:00
Simon Friis Vindum
b86a5810b3 Rust: Small refactor based on PR feedback 2024-10-28 11:45:46 +01:00
Simon Friis Vindum
c5b01eb629 Merge branch 'main' into rust-saa-additions 2024-10-28 11:42:32 +01:00
Geoffrey White
e5818f6f2e Rust: Fix unused value cases in the unreachable test (they're not interesting, just distract from the point of these tests. 2024-10-28 10:29:31 +00:00
Arthur Baars
fdf99e2f50 Rust: filter out definitions that are inside expanded macros 2024-10-28 11:27:59 +01:00
Geoffrey White
72606d5a59 Rust: Add missing annotations to unreachable test. 2024-10-28 10:22:46 +00:00
Arthur Baars
c4126e4410 Rust: add tests for Definitions.qll 2024-10-28 11:17:48 +01:00
Rasmus Wriedt Larsen
e3c400b0c8 Add auto labeler support for 'Actions' 2024-10-28 10:46:05 +01:00
Rasmus Wriedt Larsen
01fa95f98a Actions: autoformat 2024-10-28 10:43:46 +01:00
Michael Nebel
b112a9b31e Merge pull request #17851 from github/workflow/coverage/update 
Update CSV framework coverage reports
 2024-10-28 10:38:27 +01:00
Michael Nebel
82ff545424 C#: Re-factor test for CWE-611/UntrustedDataInsecureXml.ql to pretty print models in test case. 2024-10-28 10:36:32 +01:00
Óscar San José
3e77629477 Merge pull request #17838 from github/oscarsj/deprecate-macos-12 
Remove macos-12 and its variants, deprecated
 2024-10-28 10:32:49 +01:00
Paolo Tranquilli
2fa1c5ebcd Merge branch 'main' into redsun82/rust-analysis 2024-10-28 10:30:08 +01:00
Arthur Baars
40ef9ad805 Rust: make TDef cached 2024-10-28 10:21:43 +01:00
github-actions[bot]
0e5ba2b23e Add changed framework coverage reports 2024-10-28 00:21:56 +00:00
Dave Bartolomeo
8840f91503 Fix formatting 2024-10-25 20:32:01 -04:00
Dave Bartolomeo
4a567344f5 Fix style alerts 2024-10-25 17:59:49 -04:00
Dave Bartolomeo
dffc9e2e31 Create placeholder Actions QL packs 2024-10-25 17:45:05 -04:00
Dave Bartolomeo
47a7d24a1a Implement Actions extractor 2024-10-25 17:44:46 -04:00
Jeroen Ketema
655fa53cdd Merge pull request #17848 from jketema/wrong-format 
C++: Add wrong format type builtin function test
 2024-10-25 19:11:22 +02:00
Chris Smowton
fa4cc83753 Merge pull request #17837 from smowton/smowton/admin/trim-java-web-jsp-test 
Java: Trim JSP test
 2024-10-25 17:23:51 +01:00
Paolo Tranquilli
652e47177f Rust: format 2024-10-25 17:44:16 +02:00
Simon Friis Vindum
7db90fe073 Merge pull request #17847 from paldepind/rust-unused-variable-trait 
Rust: Don't consider parameters in trait method definitions without bodies as variables
 2024-10-25 17:41:04 +02:00
Paolo Tranquilli
719b5e175f Rust: add missing expected files 2024-10-25 17:06:54 +02:00
Paolo Tranquilli
8f6196d5f1 Rust: accept test changes 2024-10-25 16:58:05 +02:00
Paolo Tranquilli
9789059e9f Rust: add more thourough canonical path testing 2024-10-25 16:58:05 +02:00
Paolo Tranquilli
34b1055c13 Rust: accept test changes 2024-10-25 16:58:04 +02:00
Paolo Tranquilli
194e0daa8c Rust: add canonical_path and crate_origin to Item 2024-10-25 16:58:04 +02:00
yoff
7338eafbd4 Merge pull request #16812 from porcupineyhairs/pyloadSsl 
Python: Pycurl SSL Disabled
 2024-10-25 16:23:25 +02:00
Simon Friis Vindum
bfa6113366 Rust: Fix grammar in comment 
Co-authored-by: Paolo Tranquilli <redsun82@github.com>
 2024-10-25 16:23:04 +02:00
Jeroen Ketema
ccc2a39abc C++: Add wrong format type builtin function test 2024-10-25 16:16:13 +02:00
Simon Friis Vindum
f7a45e6650 Rust: Don't consider parameters in trait method definitions without bodies as variables 2024-10-25 15:56:58 +02:00
Paolo Tranquilli
ab1b48d687 Merge pull request #17843 from github/redsun82/reduce-log-noise 
Rust: reduce log spam and skip debug diagnostics in the DB
 2024-10-25 15:33:29 +02:00
Simon Friis Vindum
a5ce3c1570 Rust: Move trait tests for unused entities into main.rs 2024-10-25 15:15:49 +02:00
Rasmus Wriedt Larsen
1726287bf4 JS: Add e2e threat-model test 2024-10-25 15:03:44 +02:00
Rasmus Wriedt Larsen
d3ae4c930e JS: Model newer yargs command-line parsing pattern 2024-10-25 15:03:43 +02:00
Rasmus Wriedt Larsen
3448751b4c JS: Consolidate command-line argument modeling 
Such that we can reuse the existing modeling, but have it globally
applied as a threat-model as well.

I Basically just moved the modeling. One important aspect is that this
changes is that the previously query-specific `argsParseStep` is now a
globally applied taint-step. This seems reasonable, if someone applied
the argument parsing to any user-controlled string, it seems correct to
propagate that taint for _any_ query.
 2024-10-25 15:03:43 +02:00
Rasmus Wriedt Larsen
412e841d69 JS: Add environment threat-model source 2024-10-25 15:03:43 +02:00
Rasmus Wriedt Larsen
f733ac19a9 JS: Make (most) queries use ActiveThreatModelSource 
7 cases looks something like this:

```
class RemoteFlowSourceAsSource extends Source instanceof RemoteFlowSource {
  RemoteFlowSourceAsSource() { not this instanceof ClientSideRemoteFlowSource }
}
```

(some have variations like `not this.(ClientSideRemoteFlowSource).getKind().isPathOrUrl()`)

javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideUrlRedirectCustomizations.qll
javascript/ql/lib/semmle/javascript/security/dataflow/CommandInjectionCustomizations.qll
javascript/ql/lib/semmle/javascript/security/dataflow/CorsMisconfigurationForCredentialsCustomizations.qll
javascript/ql/lib/semmle/javascript/security/dataflow/RegExpInjectionCustomizations.qll
javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryCustomizations.qll
javascript/ql/lib/semmle/javascript/security/dataflow/ResourceExhaustionCustomizations.qll
javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll
 2024-10-25 15:03:42 +02:00