hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-21 03:06:31 +01:00
Code Issues Packages Projects Releases Wiki Activity
78,333 Commits 1,672 Branches 157 Tags
ginsbach/NewOverlayLocalJava
Commit Graph

1460 Commits

Author SHA1 Message Date
github-actions[bot]
d2e192020b Post-release preparation for codeql-cli-2.13.3 2023-05-24 11:26:12 +00:00
github-actions[bot]
7aa23cf11d Release preparation for version 2.13.3 2023-05-22 20:47:00 +00:00
Porcupiney Hairs
d536157c1a Go : Add query to detect potential timing attacks 2023-05-11 09:57:50 +05:30
Owen Mansel-Chan
270ba09ffb Merge pull request #11732 from owen-mc/go/fix/model-data-flow-through-varargs 
Go: Allow data flow through varargs parameters
 2023-05-11 05:26:40 +01:00
Owen Mansel-Chan
1c66564ccc address review comments 2023-05-10 14:05:09 +01:00
Owen Mansel-Chan
8f41ff36fb Add change note 2023-05-10 13:50:04 +01:00
Michael Nebel
4ac0396b67 Go/Python/Ruby/Swift: Sync files and make dummy implementation. 2023-05-08 16:18:59 +02:00
Kasper Svendsen
46727af948 Go: Enable warnings for implicit this receivers 2023-05-03 15:41:55 +02:00
Owen Mansel-Chan
3f645e9401 Merge pull request #13006 from kaspersv/kaspersv/go-explicit-this-receivers 
Go: Make implicit this receivers explicit
 2023-05-03 13:47:10 +01:00
Ian Lynagh
b56b843d13 Merge pull request #12987 from github/post-release-prep/codeql-cli-2.13.1 
Post-release preparation for codeql-cli-2.13.1
 2023-05-03 13:12:10 +01:00
Kasper Svendsen
e969018f99 Go: Make implicit this receivers explicit 2023-05-03 12:45:42 +02:00
github-actions[bot]
18d4af994d Post-release preparation for codeql-cli-2.13.1 2023-05-02 10:50:20 +00:00
Anders Schack-Mulligen
ca09649679 Dataflow: Forward hasLocationInfo. 2023-05-02 10:48:32 +02:00
Anders Schack-Mulligen
5927bb2030 Dataflow: Replace "extends Node" with "instanceof Node". 2023-05-02 09:48:34 +02:00
Anders Schack-Mulligen
6c8cb0dc5e Merge pull request #12930 from aschackmull/dataflow/split-typedcontent 
Dataflow: Refactor access paths to split TypedContent into an explicit pair
 2023-05-01 14:58:15 +02:00
github-actions[bot]
3bd29171fb Release preparation for version 2.13.1 2023-04-28 12:14:35 +00:00
Michael B. Gale
edfe2d7ab7 Merge pull request #12944 from github/mbg/go/html-template-sanitizers 
Go: Add `html/template` functions as sanitisers for XSS queries
 2023-04-28 12:15:57 +01:00
Owen Mansel-Chan
8415c4a4eb Remove ArgumentNode assumption 2023-04-28 09:23:38 +01:00
Owen Mansel-Chan
c7c0a73b90 Accept review suggestions 2023-04-28 09:23:37 +01:00
Owen Mansel-Chan
52cc61198d Use CallExpr.hasImplicitArgs() 2023-04-28 09:23:37 +01:00
Owen Mansel-Chan
b928f13d94 Add CallExpr.hasImplicitArgs() 2023-04-28 09:23:36 +01:00
Owen Mansel-Chan
f3c1c53b54 Add CallExpr.getCalleeType() 
This avoids using `getTarget()`, so it works even when that doesn't
exist (for example when calling a variable with function type).
 2023-04-28 09:23:36 +01:00
Owen Mansel-Chan
3f095db853 Formatted parameters always a variadic parameter 2023-04-28 06:09:11 +01:00
Owen Mansel-Chan
bc0f9030e3 use CallNode.getSyntacticArgument 2023-04-28 06:09:10 +01:00
Owen Mansel-Chan
17077f3ec5 Update OutParameter.getExitNode for implicit varargs slices 2023-04-28 06:09:10 +01:00
Anders Schack-Mulligen
71ae0909d8 Dataflow: Enforce type pruning in all forward stages. 2023-04-27 14:55:26 +02:00
Anders Schack-Mulligen
9140cbefc0 Dataflow: Sync. 2023-04-27 14:55:23 +02:00
Michael B. Gale
1aa1153ed6 Go: Add html/template as XSS queries sanitizer 2023-04-26 21:21:52 +01:00
Owen Mansel-Chan
39da26e9b5 Update ParameterInput.getEntryNode for implicit varargs slices 2023-04-26 14:35:20 +01:00
Owen Mansel-Chan
1e3d81842e Update CallNode.getArgument for implicit varargs 
It now has one only result corresponding to a variadic parameter. If the
argument is followed by an ellipsis then it is just the argument itself.
Otherwise it is a ImplicitVarargsSlice node.
 2023-04-26 14:35:19 +01:00
Anders Schack-Mulligen
d681671356 Dataflow: Sync. 2023-04-26 14:45:07 +02:00
Owen Mansel-Chan
3e73e02175 Update PostUpdateNodes for implicit varargs slices 
We don't want a post update node for the implicit varargs slice, and we
do want one for each argument which is stored in the implicit varargs
slice.
 2023-04-25 07:33:35 +01:00
Owen Mansel-Chan
73b712a8c9 Allow data flow through varargs parameters 2023-04-25 07:33:34 +01:00
Michael Nebel
656d8d2451 Sync files. 2023-04-20 11:29:51 +02:00
Alex Ford
924ce250dd Merge pull request #12847 from github/post-release-prep/codeql-cli-2.13.0 
Post-release preparation for codeql-cli-2.13.0
 2023-04-18 14:40:40 +01:00
github-actions[bot]
648f0e19ec Post-release preparation for codeql-cli-2.13.0 2023-04-17 15:39:24 +00:00
github-actions[bot]
075d063370 Release preparation for version 2.13.0 2023-04-14 13:31:30 +00:00
Owen Mansel-Chan
8a4ca7fb84 Merge pull request #10026 from pwntester/patch-2 
Go: Partial URLs should not sanitize against SSRF
 2023-04-14 13:52:11 +01:00
Owen Mansel-Chan
352866b52d Add change note 2023-04-14 12:00:38 +01:00
Owen Mansel-Chan
a42dbc5bab Fix formatting again 2023-04-14 12:00:38 +01:00
Owen Mansel-Chan
d407a689fa Fix formatting by deleting spaces no blank line 2023-04-14 12:00:38 +01:00
Owen Mansel-Chan
169bde8671 Fix formatting by deleting blank line 2023-04-14 12:00:38 +01:00
Alvaro Muñoz
8bf4b55309 Partial URLs should not sanitize against SSRF 
As an example:

```go
	urlPath := ctx.Req.URL.Path
	hash := urlPath[strings.LastIndex(urlPath, "/")+1:]
        req, _ := http.NewRequest("GET", source+hash, nil)
```
 2023-04-14 12:00:38 +01:00
Alex Eyers-Taylor
c6a482819a Bump all qlpacks major versions 2023-04-13 19:15:27 +01:00
Michael Nebel
52bc43b22b Merge pull request #12595 from michaelnebel/enhanceprovenance 
Java/C# : Enhance provenance.
 2023-04-13 14:27:53 +02:00
Alex Ford
8c46bfd051 Merge pull request #12816 from github/rc/3.9 
Merge `rc/3.9` into `main`
 2023-04-13 12:35:41 +01:00
Michael Nebel
917cf7bfee Go: Update provenance validation. 2023-04-13 09:21:05 +02:00
Michael Nebel
1d82b09ec1 Sync files. 2023-04-13 09:21:05 +02:00
Chris Smowton
7eefa43f5a Rename and document viableArgParamSpecific to make clear it is a temporary hook. 2023-04-12 14:33:46 +01:00
Chris Smowton
1706367b34 Document DataFlowCallable 2023-04-12 14:24:21 +01:00