hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-21 03:06:31 +01:00
Code Issues Packages Projects Releases Wiki Activity
78,333 Commits 1,672 Branches 157 Tags
ginsbach/NewOverlayLocalJava
Commit Graph

896 Commits

Author SHA1 Message Date
Alvaro Muñoz
1d0e80c2f5 Apply suggestions from code review 
Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com>
 2023-02-03 17:59:29 +01:00
Alvaro Muñoz
3002230af9 remove duplicated import 2023-02-03 17:48:13 +01:00
Alvaro Muñoz
c517eb89b2 add more sinks 2023-02-03 17:33:08 +01:00
Alvaro Muñoz
20dc30d7e8 add RequestForgery test 2023-02-03 16:38:56 +01:00
Alvaro Muñoz
c7637a7e1f Apply suggestions from code review 
Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com>
 2023-02-03 16:19:48 +01:00
Alvaro Muñoz
50bd0707ce remove redundant import 2023-02-03 10:19:35 +01:00
Alvaro Muñoz
8cb022713e include review feedback 2023-02-03 10:01:55 +01:00
Alvaro Muñoz
d6f1dfa205 update tests 2023-02-01 17:58:32 +01:00
Alvaro Muñoz
4d6b35f891 apply gofmt 2023-02-01 14:51:48 +01:00
Alvaro Muñoz
3502ab6523 fix missing QLDocs and refactor ServiceInterface 2023-02-01 14:37:38 +01:00
Alvaro Muñoz
afa6b1cec5 Initial support for Twirp framework 2023-02-01 13:55:09 +01:00
Owen Mansel-Chan
30f0dd8c03 Add string replacement sanitizer to log injection 2023-01-18 15:24:39 +00:00
Owen Mansel-Chan
015ef4c3ef Add use of strings.Replacer to replace sanitizer 2023-01-18 15:20:14 +00:00
Michael Nebel
48d0eccbf6 Go: Cleanup and renaming. 2023-01-12 11:13:34 +01:00
Michael Nebel
3749a1bd4d Go: Migrate unit tests to use data extensions for Models as Data. 2023-01-12 11:13:33 +01:00
Tony Torralba
7a92970d89 Go: Remove omittable exists variables 2023-01-10 13:36:48 +01:00
yoff
a74062cd51 Update go/ql/test/TestUtilities/InlineExpectationsTest.qll 
Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com>
 2023-01-05 14:12:16 +01:00
Rasmus Lerchedahl Petersen
c3b3c05cf3 Revert "Merge pull request #37 from erik-krogh/shared/inline-tests" 
This reverts commit 65fe9abcfe, reversing
changes made to 08e9d3391f.
 2023-01-05 09:19:43 +01:00
erik-krogh
b3dd50bc36 inline Location into the shared implementation of InlineExpectationsTest 2022-12-22 11:09:43 +01:00
Rasmus Lerchedahl Petersen
b0d7998342 go: use shared inline tests 
- remove from identical-files
 2022-12-22 10:20:07 +01:00
Arthur Baars
0f313231bc AlertSuppression: add more tests 2022-12-19 16:43:11 +01:00
Arthur Baars
06736e3e91 Add .gitattributes for Windows test files 2022-12-19 12:39:01 +01:00
Owen Mansel-Chan
0af530061d Merge pull request #11697 from owen-mc/go/make-dataflowtype-singleton 
Make DataFlowType a singleton
 2022-12-15 12:07:57 +00:00
Owen Mansel-Chan
6ef677b606 Fix test to use hasQualifiedName/2 2022-12-14 15:20:02 +00:00
Owen Mansel-Chan
50414cc748 Make DataFlowType a singleton 2022-12-14 14:40:15 +00:00
Alvaro Muñoz
49eedde58a Merge branch 'main' into new_sudo_like_argument 2022-12-07 09:31:17 +01:00
Porcupiney Hairs
15c58dee5f Golang : Add SQL sinks for gorqlite and GoFrame frameworks 2022-12-03 03:34:07 +05:30
Alvaro Muñoz
8a27660615 change handler function name 2022-11-18 09:43:17 +01:00
Alvaro Muñoz
7496b61b8d Add rsync since both --rsh and --rsync-path admit commands 2022-11-18 09:43:17 +01:00
Owen Mansel-Chan
1a65a27fde Update test expectations 
In https://github.com/github/codeql/pull/8641, `localFlowExit` was
changed to use `Stage2::readStepCand` instead of `read`, which means
that the big-step relation is broken up less. This causes test result
changes. Nothing is lost from the `select` clause, but some results may
have fewer paths, and fewer nodes and edges are output in the test
results.
 2022-11-17 14:27:06 +00:00
Owen Mansel-Chan
71aeeee7c8 Accept trivial change to test output 
In the `subpaths` section, the last node is now printed without its type
if it is the sink of the path.

This comes from the commit "Dataflow: Bugfix: include subpaths ending at
a sink. " in https://github.com/github/codeql/pull/7526
 2022-11-17 14:27:06 +00:00
Owen Mansel-Chan
f2e2c02db6 Rename predicates to avoid clashes 2022-11-17 14:27:06 +00:00
Owen Mansel-Chan
83a3af2fff Go: Summarized Callable 
Corresponds to https://github.com/github/codeql/pull/9270
 2022-11-17 14:27:04 +00:00
Owen Mansel-Chan
10ed4ad3df Go: Split summaryThroughStep into two predicates 
Cf. https://github.com/github/codeql/pull/9195
 2022-11-17 14:27:04 +00:00
Dave Bartolomeo
9d5e5e3ee7 ${workspace} all the things 2022-11-01 13:29:05 -04:00
Arthur Baars
aba87a139d Merge pull request #10668 from aibaars/ruby-deps 
Ruby: update dependencies
 2022-11-01 13:55:42 +01:00
erik-krogh
84a7fddd95 remove explicit versions in lock files, as the dependencies are all installed locally 2022-11-01 09:09:26 +01:00
Chris Smowton
3573e211cc Correct test expectations 2022-10-29 11:40:58 +01:00
Chris Smowton
5c66d87ed6 gofmt 2022-10-29 11:40:57 +01:00
Chris Smowton
0c6c135967 Go: exclude protobuf read steps from cleartext-logging query 
This query already treats structs differently to usual: it includes field -> whole struct taint steps, but explicitly excludes struct -> field steps. This means that a logging framework sinking an entire struct with a tainted field yields an alert, but we don't get FPs caused by writing field `x` but then reading field `y`.

However, protobuf messages have a special treatment, with taint usually associated with the whole struct and getter methods propagating that taint out. Suppressing these getter method steps specifically for the cleartext-logging query mirrors its treatment of structs in general and avoids this sort of field-mismatch FP.

On the downside we will miss same-field propagation like `m.field = password; Log(m.GetField())` if we don't have source code for the implementation of `m`. However this is hopefully unusual since the typical use of protobufs is to serialize and deserialize, rather than using the struct as a general-purpose datastructure.
 2022-10-29 11:40:57 +01:00
Rasmus Wriedt Larsen
8628ff5e52 Merge pull request #10999 from RasmusWL/inline-fail-tag 
InlineExpectationsTest: Fail if missing `getARelevantTag`
 2022-10-28 10:35:49 +02:00
Rasmus Wriedt Larsen
fc7eb5b4fc InlineExpectationsTest: sync 2022-10-27 09:02:28 +02:00
Henry Mercer
c1984ea35f Go: Update expected output 2022-10-26 19:11:21 +01:00
Rasmus Wriedt Larsen
5e9897d150 InlineExpectationsTest: sync 2022-10-26 18:21:13 +02:00
Josh Soref
b1052992fe spelling: against 
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
 2022-10-11 00:23:35 -04:00
erik-krogh
d5c45056bd fix some more style-guide violations in the alert-messages 2022-10-07 11:21:01 +02:00
Chris Smowton
812a5e5c74 Autoformat test.go 2022-10-06 14:08:56 +01:00
gregxsunday
9960d11042 added RequestBody source to Beego framework 2022-10-06 13:23:56 +02:00
erik-krogh
175d3acf4d reword alert-message go/user-controlled-bypass to avoid using "here" 2022-09-20 22:51:35 +02:00
erik-krogh
83bedc0320 be more specific about what the source is in go/suspicious-character-in-regex, which also avoids using "here" in the alert-message 2022-09-20 22:51:35 +02:00