hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-20 18:56:32 +01:00
Code Issues Packages Projects Releases Wiki Activity
80,824 Commits 1,672 Branches 157 Tags
ginsbach/EnableJavaOverlayCompilation
Commit Graph

3397 Commits

Author SHA1 Message Date
erik-krogh
e4d4873d0d remove the dataflow copy for regexp tracking now that type-tracking is used 2023-01-18 11:04:51 +01:00
erik-krogh
1477974bf1 the RegexExecution concept does not need to have getTerm() 2023-01-18 10:10:36 +01:00
erik-krogh
1a3c9c8305 improve performance of regular-expression type-tracking by adding an exploratory initial analysis 2023-01-18 10:10:36 +01:00
erik-krogh
b8f6feb68b delete old test 2023-01-18 10:10:36 +01:00
erik-krogh
45316b6381 rename RegExpConfiguration to RegExpTracking 2023-01-18 10:10:36 +01:00
erik-krogh
25e65e0d9f rewrite the regexp tracking DataFlow::Configuration to TypeTracking 2023-01-18 10:10:36 +01:00
erik-krogh
d0b627b018 move the implementation detail of how regular-expressions are tracked into RegExpConfiguration.qll" 2023-01-18 10:10:05 +01:00
erik-krogh
f516ccb4e2 limit the fieldFlowBranchLimit for the regexp tracker to improve performance 2023-01-18 09:31:04 +01:00
erik-krogh
2fceee4e35 track regular expressions that gets compiled with Regexp.compile 2023-01-18 09:31:04 +01:00
erik-krogh
acf28ebd98 add a RegexExecution, and use it to track regular expressions to their uses in a nice way in rb/polynomial-redos 2023-01-18 09:31:04 +01:00
erik-krogh
8251ad5e99 add unsafe-html-construction query 2023-01-17 15:35:17 +01:00
erik-krogh
8715790fe7 add explicit this 2023-01-17 15:17:48 +01:00
erik-krogh
a562568522 add string concat as a sink for command-construction 2023-01-17 14:48:09 +01:00
erik-krogh
9d9de18bc9 add a generalized AddExprRoot into Operation.qll 2023-01-17 14:48:08 +01:00
erik-krogh
8fc3b268e8 add string concat as a sink for code-construction 2023-01-17 14:48:06 +01:00
Rasmus Wriedt Larsen
a0b1c2ea79 DataFlow: Add uniqueParameterNodePositionExclude 2023-01-17 14:05:22 +01:00
Rasmus Wriedt Larsen
2b0a5fd5d1 DataFlow: Add uniqueParameterNodeAtPositionExclude 2023-01-17 14:05:17 +01:00
Erik Krogh Kristensen
59a8b21851 Merge pull request #10862 from erik-krogh/unsafeCodeConstruction 
Rb: Add an `unsafe-code-construction` query
 2023-01-16 13:22:58 +01:00
Arthur Baars
dc6f5f60d1 Ruby: update stats 2023-01-13 10:22:42 +01:00
Arthur Baars
28c9b52dce Ruby: add change note 2023-01-13 10:22:42 +01:00
Arthur Baars
c4ec674057 Ruby: support anonymous (hash)splat parameters/arguments 2023-01-13 10:22:41 +01:00
Arthur Baars
4d3e2bb814 Ruby: upgrade/downgrade scripts 2023-01-13 10:22:41 +01:00
Arthur Baars
290167e1a3 Ruby: re-generated dbscheme/library 2023-01-13 10:22:41 +01:00
Harry Maclean
33a1469a56 Ruby: Add change note 2023-01-12 16:29:00 +13:00
Harry Maclean
8219465389 Ruby: fix missing doc 2023-01-12 11:35:35 +13:00
Harry Maclean
0626d693f5 Ruby: Recognise rack applications 
This is a basic first step in modelling rack apps. We recognise classes
that look like rack applications and then treat the argument to `call`
in the same way that we treat `request.env` in ActionController classes.

This finds a TP in CVE-2021-43840.
 2023-01-12 11:28:31 +13:00
Michael Nebel
7e4f7a0c17 C#: Address review comments and sync files. 2023-01-11 16:29:24 +01:00
Michael Nebel
67cbe38255 Sync files. 2023-01-11 16:20:55 +01:00
Michael Nebel
c01361a1fd Ruby: Re-factor provenance related predicates for summarized callable. 2023-01-11 16:20:55 +01:00
Michael Nebel
ea173f9516 Sync files. 2023-01-11 16:20:55 +01:00
Tony Torralba
c9d1cd97fb Ruby: Remove omittable exists variables 2023-01-10 13:39:49 +01:00
Erik Krogh Kristensen
5157d4df7b Merge pull request #11581 from erik-krogh/stdin 
Rb: add stdin as source for unsafe-deserialization
 2023-01-09 13:57:47 +01:00
erik-krogh
d67e756f42 make the import of Gem private 2023-01-09 09:13:01 +01:00
Harry Maclean
5b117084db Merge pull request #11534 from hmac/array-inclusion-barrier-guard-constant 
Ruby: Make array inclusion barrier more sensitive
 2023-01-09 20:57:09 +13:00
github-actions[bot]
cdb8f67601 Post-release preparation for codeql-cli-2.12.0 2023-01-06 10:36:34 +00:00
erik-krogh
19d2b49562 drive-by: make Base64.decode64(..) into a flowsummary that is shared with all queries 2023-01-06 09:04:37 +01:00
erik-krogh
1a27441cfb drive-by: delete code-execution sinks from unsafe-deserialization, we risked duplicate alerts 2023-01-06 09:04:36 +01:00
erik-krogh
0e6028a7f3 add stdin as source for unsafe-deserialization 2023-01-06 09:04:36 +01:00
Erik Krogh Kristensen
d9176541c6 Apply suggestions from code review 
Co-authored-by: Alex Ford <alexrford@users.noreply.github.com>
 2023-01-05 20:02:54 +01:00
Jeroen Ketema
de37f3b7d5 Properly indent code block in change log 2023-01-05 18:38:33 +01:00
Jeroen Ketema
170242f79c Apply suggestions from code review 2023-01-05 17:57:19 +01:00
github-actions[bot]
b6a8193785 Release preparation for version 2.12.0 2023-01-05 16:32:14 +00:00
Harry Maclean
4d228bcddf Ruby: Recognise more string-valued variables 
This increases the sensitivity of our barrier guards.
 2023-01-04 11:45:10 +13:00
Harry Maclean
0fbb6bf608 Ruby: Make array inclusion barrier more sensitive 2023-01-04 11:45:09 +13:00
Aditya Sharad
9988c19a42 Merge branch 'main' into tutorial/library-pack 2023-01-03 14:08:37 -08:00
Harry Maclean
b70ca77afc Merge pull request #10899 from hmac/flow-summary-docs 
Ruby: Document flow summary syntax
 2022-12-28 10:47:38 +13:00
Jami
c9258effb6 Merge pull request #11572 from jcogs33/jcogs33/model-top-jdk-apis 
Java: model top 100 JDK APIs
 2022-12-20 09:13:53 -05:00
Erik Krogh Kristensen
b1e6a86a4b Merge pull request #11757 from erik-krogh/treesitter-qldoc 
QL/RB: make top TreeSitter.qll comment into a qldoc
 2022-12-20 13:36:31 +01:00
erik-krogh
2ff23a6fc0 make top TreeSitter.qll comment into a qldoc 2022-12-20 11:39:06 +01:00
Aditya Sharad
ed29b3e4d6 Shared packs: Depend on codeql/tutorial from all language libraries 
This allows `import tutorial` from queries targeting
any language, just like before, while removing the
duplicate copies of `tutorial.qll`.
 2022-12-19 15:52:11 -08:00