Asger F
711a08b0d4
JS: Add TODO about switching to the shared library
2024-03-15 09:26:19 +01:00
Tony Torralba
171ff4d161
Merge pull request #15928 from github/workflow/coverage/update
...
Update CSV framework coverage reports
2024-03-15 09:24:57 +01:00
Ed Minnix
71cf948650
Classes extending SourceNode for local and stored source models
...
Queries such as `cs/sql-injection` cast their source to a `SourceNode`
in order to describe them. For example:
```ql
import semmle.code.csharp.security.dataflow.flowsources.FlowSources

// Cast the source to `SourceNode` to obtain its descriptive type
string getSourceType(DataFlow::Node source) {
  result = source.(SourceNode).getSourceType()
}
```
Models as data source models are not included in `SourceNode` by
default; they must be wrapped with a class extending `SourceNode`.
This adds such classes, which wrap the
`sourceNode(DataFlow::Node,string)` predicate and assign a
`getSourceType`.
2024-03-14 22:23:54 -04:00
github-actions[bot]
7f05743212
Add changed framework coverage reports
2024-03-15 00:16:16 +00:00
Joe Farebrother
f464f1b94e
Accept test output + fix qldoc typo
2024-03-14 22:25:37 +00:00
Joe Farebrother
b4ed77343b
Add change note + fix qldoc
2024-03-14 22:25:36 +00:00
Joe Farebrother
3e61be1b6a
Add test cases
2024-03-14 22:25:36 +00:00
Joe Farebrother
5333c75919
Model additional string attributes
2024-03-14 22:25:36 +00:00
Joe Farebrother
8c31b612ca
Model UploadedFile original_filename and read
2024-03-14 22:25:35 +00:00
Alvaro Muñoz
12af3bdf08
resolve conflicts
2024-03-14 22:42:57 +01:00
Alvaro Muñoz
46afa9c1f3
Add new tests
2024-03-14 22:41:01 +01:00
Alvaro Muñoz
f251783c26
Apply suggestions from code review
...
Co-authored-by: Jorge <46056498+jorgectf@users.noreply.github.com>
2024-03-14 21:52:22 +01:00
Alvaro Muñoz
d21d453d1c
Split queries
2024-03-14 21:52:22 +01:00
jorgectf
d26ead7c3b
Add security sinks
2024-03-14 21:52:22 +01:00
Mathias Vorreiter Pedersen
6dddae0154
Merge pull request #15925 from MathiasVP/rename-dataflowutil-class
...
C++: Follow-up to #15918
2024-03-14 18:15:14 +00:00
Jorge
4fcd68ba5a
Merge pull request #31 from GitHubSecurityLab/new_sinks
...
Add security sinks
2024-03-14 19:11:27 +01:00
Jorge
1e64b18212
Add suite that runs all queries
2024-03-14 19:09:22 +01:00
Alvaro Muñoz
70dd7fe18f
Apply suggestions from code review
...
Co-authored-by: Jorge <46056498+jorgectf@users.noreply.github.com>
2024-03-14 17:47:20 +01:00
Alvaro Muñoz
d011269bf8
Merge pull request #32 from GitHubSecurityLab/choose-suite
2024-03-14 17:42:55 +01:00
Jorge
53209a26b1
build
2024-03-14 16:22:34 +00:00
Jorge
a9aba88bc5
Add alternate value
2024-03-14 17:21:26 +01:00
Jorge
678f99b6be
build
2024-03-14 16:14:33 +00:00
Jorge
a9057a7386
Add suite input
2024-03-14 17:10:35 +01:00
Tony Torralba
ee3efbadae
Merge pull request #15924 from atorralba/atorralba/go/hardcoded-credentials-fix
...
Go: Consider more strings as hardcoded credentials
2024-03-14 16:52:34 +01:00
Alvaro Muñoz
cfed2d4ce0
Split queries
2024-03-14 16:30:23 +01:00
Tamás Vajk
945121de1b
Merge pull request #15922 from tamasvajk/buildless/namespace-extraction
...
C#: Handle namespace resolution error more gracefully
2024-03-14 16:19:48 +01:00
Alvaro Muñoz
8e5eeb2ea3
Merge branch 'untrusted_co'
2024-03-14 16:15:53 +01:00
Alvaro Muñoz
5130135df0
fix(stepsExpression): allow steps from a composite action to communicate
2024-03-14 16:14:55 +01:00
Michael Nebel
2280469564
Merge pull request #15902 from michaelnebel/csharp/uncontrolledformatstring
...
C#: Remove hard-coded local sources from the uncontrolled-format-string query.
2024-03-14 15:21:31 +01:00
Alvaro Muñoz
a3ccc2eba3
Merge pull request #30 from GitHubSecurityLab/untrusted_co
...
Improve UntrustedCheckout query
2024-03-14 14:52:39 +01:00
Alvaro Muñoz
778d8978b0
DF support for untrusted checkout query
2024-03-14 13:55:10 +01:00
Alvaro Muñoz
22d0600da8
Support more PR head checkouts
2024-03-14 13:28:39 +01:00
Alvaro Muñoz
d12b24886f
Merge branch 'untrusted_co' of https://github.com/GitHubSecurityLab/codeql-actions into untrusted_co
2024-03-14 12:58:56 +01:00
Alvaro Muñoz
35df9519e1
Support more untrusted checkout cases
2024-03-14 12:58:47 +01:00
Alvaro Muñoz
9ca1ac5bb9
Fix expression regexp
2024-03-14 12:58:02 +01:00
Mathias Vorreiter Pedersen
7fdea27d33
C++: Rename 'IndirectTemporaryExpr' to 'IndirectOperandExprNode'.
2024-03-14 11:46:15 +00:00
Owen Mansel-Chan
2bd08838d4
Add manual neutral models for java.lang.ClassLoader
2024-03-14 11:40:06 +00:00
Owen Mansel-Chan
5b734c76b6
Add manual neutral models for java.util.Locale and its subclasses
2024-03-14 11:39:59 +00:00
Alvaro Muñoz
3150f24d3f
Update tests and fix regexp
2024-03-14 12:21:16 +01:00
Alvaro Muñoz
7160f08222
Update ql/test/query-tests/Security/CWE-829/.github/workflows/auto_ci.yml
...
Co-authored-by: Jaroslav Lobačevski <jarlob@github.com>
2024-03-14 12:03:40 +01:00
Alvaro Muñoz
03277cc24b
Add test for self-referencing jobs
2024-03-14 11:58:44 +01:00
Alvaro Muñoz
8e2c1a4f4e
Expose predicates to check local flow
2024-03-14 11:58:07 +01:00
Alvaro Muñoz
3e2dffce8b
Rename ContextExpression to SimpleReferenceExpression
2024-03-14 11:57:43 +01:00
Tony Torralba
20691e409c
Add change note
2024-03-14 11:56:43 +01:00
Mathias Vorreiter Pedersen
9aefdca7a7
Merge pull request #15875 from MathiasVP/bring-back-type-barriers-in-non-constant-format
...
C++: Clean up `cpp/non-constant-format`
2024-03-14 10:51:23 +00:00
Tony Torralba
30d906d42a
Merge pull request #15906 from atorralba/atorralba/java/jdk-neutrals
...
Java: Add more neutral JDK models
2024-03-14 11:07:06 +01:00
Geoffrey White
19cc620f18
C++: Effect of 'Fix dataflow node <> expression problem on prvalues' from main.
2024-03-14 09:47:38 +00:00
Rasmus Wriedt Larsen
7a3ee0f5f8
Python: Make IterableSequenceNode LocalSourceNode
...
We do this to remove the inconsistencies, and to be ready for a future
where type-tracking supports content tracking of depth > 1.
It works because targets of loadSteps need to be LocalSourceNodes:
predicate loadStep(Node nodeFrom, LocalSourceNode nodeTo, Content content) {
2024-03-14 10:46:29 +01:00
Geoffrey White
f208594067
Merge branch 'main' into mad
2024-03-14 09:44:45 +00:00
Rasmus Wriedt Larsen
6ffaad1bc8
Python: Expand type-tracking tests with nested tuples
...
I was initially surprised to see that this didn't work, until I
remembered that type-tracking only works with content of depth 1.
2024-03-14 10:44:25 +01:00