hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-20 18:56:32 +01:00
Code Issues Packages Projects Releases Wiki Activity
80,824 Commits 1,672 Branches 157 Tags
ginsbach/EnableJavaOverlayCompilation
Commit Graph

3397 Commits

Author SHA1 Message Date
Edoardo Pirovano
6c33ddcd47 Merge pull request #11349 from github/edoardo/2.11.4-mergeback 
Merge `rc/3.8` into `main`
 2022-11-21 18:08:27 +00:00
Erik Krogh Kristensen
b4661f4a59 Merge pull request #11245 from erik-krogh/rb-redosMod 
Ruby: use the shared regex pack
 2022-11-21 15:34:20 +01:00
Tom Hvitved
e7ed056b6f Sync files 2022-11-21 12:00:36 +01:00
Tom Hvitved
99e70e9a50 Data flow: Sync files 2022-11-20 10:19:23 +01:00
Tom Hvitved
a3a3b46d54 Data flow: Account for return nodes with multiple return kinds when restricting flow through 
For example, flow out via parameters allows for return nodes with multiple
return kinds:

```csharp
void SetXOrY(C x, C y, bool b)
{
    C c = x;
    if (b)
        c = y;
    c.Field = taint; // post-update node for `c` has two return kinds
}
```
 2022-11-20 10:18:46 +01:00
Tom Hvitved
5adf10fcba Data flow: Add return context to pruning stages 2-4 2022-11-20 10:18:46 +01:00
Tom Hvitved
ca17c5b053 Data flow: Add summary context to pruning stages 2-4 2022-11-20 10:18:40 +01:00
github-actions[bot]
5b14ebf22a Post-release preparation for codeql-cli-2.11.4 2022-11-18 11:26:00 +00:00
Harry Maclean
376d4e03a1 Ruby: Cache some barrier guard predicates 2022-11-18 18:17:02 +13:00
Harry Maclean
5deb16e58c Ruby: Remove redundant predicate 
The existing barrier guard machinery recognises guards such as `if x and y`,
so there's no need to explicitly model them.
 2022-11-18 18:14:55 +13:00
github-actions[bot]
e105c13e77 Release preparation for version 2.11.4 2022-11-17 16:40:45 +00:00
Arthur Baars
4e88b8453a Ruby: add flow summary for Enumerable#index_with 2022-11-17 16:22:32 +01:00
Tom Hvitved
f24fa402f3 Adjust CFG 2022-11-17 10:32:28 +01:00
Harry Maclean
a6f6936719 Merge pull request #11058 from hmac/actioncontroller-logger 
Ruby: Model various ActionController methods
 2022-11-17 08:21:00 +13:00
Tom Hvitved
67b6a82cf1 Merge pull request #11198 from hvitved/ssa/expose-phi-reads 
SSA: Expose phi-read nodes
 2022-11-16 15:11:58 +01:00
Anders Schack-Mulligen
94bca4399a Merge pull request #11183 from aschackmull/dataflow/groupflow 
Dataflow: Introduce support for src/sink grouping in path results.
 2022-11-16 12:59:01 +01:00
Erik Krogh Kristensen
7d4ea47611 Merge pull request #10855 from erik-krogh/formatTaint 
Ruby: taint-steps for printf calls - and add a `AdditionalTaintStep` class
 2022-11-16 12:08:45 +01:00
Harry Maclean
ed3270fb04 Ruby: Update for upstream changes 2022-11-16 14:06:32 +13:00
Harry Maclean
2e2fcd49bf Ruby: Consider Object#inspect a log sanitizer 
The behaviour of `Object#inspect` depends on whether it has been
overridden by a subclass, but it will typically produce output on a
single line. Calling `inspect` on a String will replace newlines with
`\n`, which is then safe for interpolation into a log line.
 2022-11-16 13:46:51 +13:00
Harry Maclean
762ebad66e Ruby: Add change note 2022-11-16 13:46:51 +13:00
Harry Maclean
d2c0250b41 Ruby: Model ActionDispatch::Request#body_stream 2022-11-16 13:46:51 +13:00
Harry Maclean
9f357837fa Ruby: Model send_data as an HTTP response 2022-11-16 13:46:51 +13:00
Harry Maclean
b7e14311be Ruby: Model ActionController logger 2022-11-16 13:46:50 +13:00
erik-krogh
f6255e497b Merge branch 'main' into rb-redosMod 2022-11-15 17:14:19 +01:00
Tom Hvitved
67f31ffdf0 Ruby: Add tests for phi reads 2022-11-15 11:45:32 +01:00
Nick Rolfe
8d854e0a6b Merge pull request #11252 from github/nickrolfe/active_support_enumerable 
Ruby: add flow summary for Enumerable#index_by
 2022-11-15 10:40:42 +00:00
erik-krogh
10fff4e2ef Merge branch 'main' into rb-redosMod 2022-11-14 21:31:10 +01:00
Nick Rolfe
c80fbff648 Ruby: add changenote for Enumerable#index_by flow summary 2022-11-14 12:47:50 +00:00
Nick Rolfe
b39e2ef71c Ruby: add stacktrace exposure query 2022-11-14 12:26:40 +00:00
Nick Rolfe
83b3312467 Merge pull request #11207 from github/nickrolfe/arel-sql 
Ruby: add `SqlConstruction` concept, and implement it for calls to `Arel.sql`
 2022-11-14 10:21:37 +00:00
Nick Rolfe
0dadf0bbb4 Ruby: add flow summary for Enumerable#index_by 2022-11-14 10:01:24 +00:00
Arthur Baars
dd519cc9bf Ruby: also treat included/prepended modules as subclasses 2022-11-14 10:56:56 +01:00
Rasmus Wriedt Larsen
ddbcdcb4ba Merge pull request #11160 from RasmusWL/dataflow-consistency-read-store 
DataFlow: Add read/store stepIsLocal consistency checks
 2022-11-11 14:51:45 +01:00
Nick Rolfe
be60a871a3 Ruby: tweak comment 2022-11-11 12:01:23 +00:00
Nick Rolfe
e3ebf1c668 Merge pull request #11187 from github/nickrolfe/actioncable 
Ruby: add ActionCable channel RPC params as remote flow sources
 2022-11-11 11:32:13 +00:00
Harry Maclean
b16cecc8db Ruby: Add missing doc 2022-11-11 18:41:42 +13:00
Harry Maclean
62ea1f0a05 Ruby: Fix performance of string comparison guard 
The `or` case ran extremely slowly before this change. Also exclude
string interpolations from consideration, for correctness, and add some
more tests.
 2022-11-11 18:24:20 +13:00
Harry Maclean
e25e192ef3 Ruby: Change the CFG for while clauses 
The `when` node now acts as a join point for patterns in the when
clause, with match/no-match completions. This is similar to how `or`
expressions work.

The result of this is that the `when` clause "controls" the body of the
`when`, which allows us to model barrier guards for multi-pattern when
clauses.

For this code

case x
when 1, 2
  y
end

The old CFG was

x --> when --> 1 --no-match--> 2 ---no-match---> case
                \               \                  ^
                  \               \                |
                   \                --match----+   |
                     \                         |   |
                       \                       |   |
                         ------match---------> y --+

The new CFG is

x --> 1 --no-match--> 2 --no-match--> [no-match] when --no-match--> case
       \               \                                             ^
         \               \                                           |
           \               --match--> [match] when --match--> y -----+
             \                       /
               \                   /
                 -------match-----

i.e. all patterns flow to the `when` node, which is split based on
whether the pattern matched or not. The body of the when clause then has
a single predecessor `[match] when`, which acts as condition block that
controls `y`.
 2022-11-11 11:52:27 +13:00
Erik Krogh Kristensen
90382c4d1c Merge pull request #11178 from erik-krogh/passcode 
JS/RB/PY: Recognize `passcode` as sensitive
 2022-11-10 17:58:34 +01:00
Tom Hvitved
bda4b52395 Merge pull request #11206 from hvitved/ruby/self-toplevel-def 
Ruby: Fix SSA entry definitions for `self` in top-level
 2022-11-10 17:01:59 +01:00
Nick Rolfe
20f76e50c3 Ruby: actually call the isPublic() predicate I added 2022-11-10 15:53:04 +00:00
Nick Rolfe
b91b3148a4 Ruby: add missing qldoc comments for SQL injection query 2022-11-10 15:26:42 +00:00
Nick Rolfe
511fb97273 Ruby: remove redundant import 2022-11-10 14:30:06 +00:00
Nick Rolfe
0337ccb93a Ruby: add change notes for Arel.sql / SqlConstruction changes 2022-11-10 14:11:14 +00:00
Nick Rolfe
5a15558355 Ruby: treat an Arel.sql call as a SqlConstruction 2022-11-10 14:11:14 +00:00
Tom Hvitved
e18442069b Ruby: Fix SSA entry definitions for self in top-level 2022-11-10 15:08:17 +01:00
Erik Krogh Kristensen
5d2ab8adfb Merge pull request #11191 from erik-krogh/arrJoin 
RB: add join(" ") calls as a sink for rb/shell-command-constructed-from-input
 2022-11-10 14:20:42 +01:00
Nick Rolfe
c9d34947b7 Ruby: add SqlConstruction concept 2022-11-10 12:17:56 +00:00
Michael Nebel
9c6875ec0f Merge pull request #10777 from michaelnebel/csharp/generatedataextensions 
C#: Generate data extension files
 2022-11-10 13:08:31 +01:00
Nick Rolfe
4a98ef064e Ruby: use the 'customizations' pattern for the SQL injection query 2022-11-10 11:51:47 +00:00