hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-06-27 07:37:06 +02:00
Code Issues Packages Projects Releases Wiki Activity
86,439 Commits 1,784 Branches 169 Tags
codeql-cli-2.25.0
Commit Graph

86439 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Tom Hvitved
d146d816a9 Ruby: Fix semantic merge conflict 2023-03-17 09:59:44 +01:00
Tom Hvitved
e69e90db4a Ruby: Remove some redundant super type qualifiers 2023-03-17 09:32:13 +01:00
Tom Hvitved
75746cbacc Merge pull request #12549 from hvitved/ruby/ssa-write-access 
Ruby: `Ssa::WriteDefinition::getWriteAccess` should return a CFG node
 2023-03-17 09:31:14 +01:00
Tom Hvitved
ee01e9ab35 Merge pull request #12554 from hvitved/ruby/clear-text-logging-hashes 
Ruby: Rely on built-in hash-flow in clear text storage query
 2023-03-17 09:21:11 +01:00
Harry Maclean
5332344e5d Work around github actions bug 2023-03-17 12:13:30 +13:00
Harry Maclean
2abb03304d Install required dependencies for gh in centos 7 2023-03-17 11:56:04 +13:00
Harry Maclean
c447e125bb Ruby: Install gh cli in centos7 test 2023-03-17 10:59:49 +13:00
Harry Maclean
2c63dbad67 Merge pull request #11954 from hmac/sinatra 
Ruby: Model Sinatra
 2023-03-17 10:46:52 +13:00
erik-krogh
f1094cd3d6 bump to stable release 2023-03-16 22:38:54 +01:00
Harry Maclean
d4020ad305 Ruby: Run extractor test on centos 7 2023-03-17 10:38:45 +13:00
erik-krogh
f3c7aed1f9 bump to RC 2023-03-16 22:37:58 +01:00
erik-krogh
e00c41c6e2 add change-note and bump version 2023-03-16 22:37:56 +01:00
erik-krogh
a63739915d add test confirming support for const type parameters 2023-03-16 22:37:35 +01:00
erik-krogh
2c1c41d8a3 add test confirming end-to-end support for well-typed decorators with the new TS 5.0 type ClassMethodDecoratorContext 2023-03-16 22:37:35 +01:00
erik-krogh
d47659b48e upgrade to TypeScript 5.0 beta, and unbreak things that broke 2023-03-16 22:37:35 +01:00
Maiky
37e42bb05b Missing markdown extension 2023-03-16 20:45:35 +01:00
Mathias Vorreiter Pedersen
ebab6ecc30 Merge pull request #12559 from MathiasVP/test9-range-check 2023-03-16 19:18:38 +00:00
Henry Mercer
74cc1a42d0 JS: Update for renamed com.semmle.util.diagnostics package 2023-03-16 18:19:10 +00:00
Geoffrey White
880f948763 Merge pull request #12560 from geoffw0/testcustominterp 
Swift: Add taint test for custom string interpolation.
 2023-03-16 17:44:37 +00:00
Mathias Vorreiter Pedersen
406d02253d C++: Add 'range(x)' call demonstrating missing bounds. 2023-03-16 17:08:53 +00:00
Geoffrey White
3a04e42ae0 Swift: Add taint test for string interpolation. 2023-03-16 17:04:46 +00:00
Chris Smowton
3e9924fcd2 Add change note 2023-03-16 15:35:00 +00:00
Chris Smowton
647bd44666 Go: exclude net/http.Header.Set and .Del from go/untrusted-data-to-external-api 
These functions (and doubtless many others) are write-only with respect to their receiver argument, so it doesn't really make sense to flag externally-controlled data flowing there.
 2023-03-16 15:31:35 +00:00
Chad Bentz
39c52c9ecf add security-severity to code scanning query list 2023-03-16 11:27:23 -04:00
Ian Lynagh
f9bb0df6a2 Kotlin: Update expected PrintAst output 2023-03-16 15:20:07 +00:00
Ian Lynagh
13c2ef8c20 Java: PrintAst: Improve the ranking or callables 
We now look not only at how many parameters each callable has, but what
its full signature is. This allows us to give a consistent order to
    Test(Throwable) { ... }
    Test(String) { ... }
 2023-03-16 15:20:07 +00:00
Maiky
a229f7a832 Solve merge conflict and add a change note 2023-03-16 16:15:02 +01:00
Tom Hvitved
f35fb13723 Add change note 2023-03-16 15:18:47 +01:00
Tom Hvitved
9d3863eccc Ruby: Rely on built-in hash-flow in clear text storage query 2023-03-16 14:55:06 +01:00
Asger F
bce1f29a7e JS: Add change note 2023-03-16 14:55:00 +01:00
Asger F
86a06bde72 JS: Flag crypto operations with weak block mode 2023-03-16 14:52:52 +01:00
Asger F
e907d685f4 JS: Add crypto test with AES-ECB 2023-03-16 14:52:18 +01:00
Tom Hvitved
ae10e6e08f Ruby: Add a test that shows FP/FN for clear text logging query 2023-03-16 14:38:45 +01:00
Jeroen Ketema
66b03dbd1d Apply suggestions from code review 2023-03-16 14:29:16 +01:00
Jeroen Ketema
e7079b35bc Apply suggestions from code review 2023-03-16 14:28:17 +01:00
erik-krogh
880632f536 use Number.qll to parse hex numbers in regex parsing for Python/Java 2023-03-16 14:25:53 +01:00
Michael Nebel
3fea9e4d0b Sync files. 2023-03-16 14:12:29 +01:00
Michael Nebel
2e86bbd6cd Java: Introduce helper predicate to avoid empty predicate in IPA branch. 2023-03-16 14:11:53 +01:00
github-actions[bot]
fe4d27e8cc Release preparation for version 2.12.5 2023-03-16 12:58:50 +00:00
Geoffrey White
170fde5bc0 Swift: Add some more test cases. 2023-03-16 12:53:06 +00:00
Michael Nebel
a9e5b34ad6 Merge pull request #12200 from michaelnebel/csharp/viablestatic 
C#: Support for virtual dispatch for operators.
 2023-03-16 13:36:00 +01:00
erik-krogh
f718d78a9a avoid redundant sources 2023-03-16 13:34:01 +01:00
Mathias Vorreiter Pedersen
d02a50a504 Merge pull request #10817 from github/mathiasvp/replace-ast-with-ir-use-usedataflow 
C++: Replace AST with IR use-use dataflow
 2023-03-16 12:31:01 +00:00
Rasmus Lerchedahl Petersen
f9bffb5454 python: add change note 2023-03-16 12:55:58 +01:00
Rasmus Lerchedahl Petersen
4713ba1e12 python: more results no longer missing 
Adjusted `tracked.ql`
- no need to annotate results on line 0
  this could happen for global SSA variables
- no need to annotate scope entry definitons
  they look a bit weird, as the annotation goes on the
  line of the function definition.
 2023-03-16 12:55:58 +01:00
Rasmus Lerchedahl Petersen
2318752c14 python: add reads of captured variables to 
type tracking and the API graph.

- In `TypeTrackerSpecific.qll` we add a jump step
  - to every scope entry definition
  - from the value of any defining `DefinitionNode`
    (In our example, the definition is the class name, `Users`,
     while the assigned value is the class definition, and it is
     the latter which receives flow in this case.)
- In `LocalSources.qll` we allow scope entry definitions as local sources.
  - This feels natural enough, as they are a local source for the value, they represent.
    It is perhaps a bit funne to see an Ssa variable here,
    rather than a control flow node.
 - This is necessary in order for type tracking to see the local flow
    from the scope entry definition.
- In `ApiGraphs.qll` we no longer restrict the result of `trackUseNode`
  to be an `ExprNode`. To keep the positive formulation, we do not
  prohibit module variable nodes. Instead we restrict to the new
  `LocalSourceNodeNotModule` which avoids those cases.
 2023-03-16 12:55:58 +01:00
Rasmus Lerchedahl Petersen
7e003f63b9 python: add test for flask example 
This is a condensed versio of the user reported example
found [here](eb377d5918/app.py (L278))
The `MISSING` annotation indicates where our API graph falls short.
 2023-03-16 12:53:40 +01:00
erik-krogh
b208988675 Py: add test for problematic regex 2023-03-16 12:21:00 +01:00
erik-krogh
54ec047433 ReDoS: put an artificial limitation on the analysis in polynomial-redos for large regular expressions 2023-03-16 12:20:53 +01:00
Tom Hvitved
1d0b3d4112 Ruby: Ssa::WriteDefinition::getWriteAccess should return a CFG node 2023-03-16 11:28:24 +01:00