Owen Mansel-Chan
b2deea4606
Avoid duplicate additional flow steps in configs
`localTaintStep` includes a lot of steps which are already part of value
flow. Instead use `defaultAdditionalTaintStep`, which is just the extra
steps that are added for taint tracking.
2024-05-23 11:13:35 +01:00
Owen Mansel-Chan
7e5891b443
Remove unnecessary additional flow step
TaintTracking already adds taint steps for field reads
2024-05-23 11:08:29 +01:00
Anders Schack-Mulligen
f931c8d836
Go: Accept qltest .expected file changes.
2024-05-22 15:39:47 +02:00
Anders Schack-Mulligen
8db9187698
Go: Accept qltest .expected file changes (interesting).
2024-05-22 15:38:01 +02:00
Rasmus Wriedt Larsen
2451a6d3f6
Accept .expected changes
2024-05-21 14:47:42 +02:00
Erik Krogh Kristensen
bfc95c6f13
Merge pull request #16510 from erik-krogh/go-command
Go: Update the QHelp for `go/command-injection`.
2024-05-17 17:45:10 +02:00
erik-krogh
384649b336
changes based on review, and improve the new command-injection test
2024-05-17 08:38:54 +02:00
erik-krogh
2848ccf0e2
fix frontend errors that Go complained about
2024-05-16 20:06:26 +02:00
erik-krogh
08c0d8ec60
autoformat go files
2024-05-16 19:59:40 +02:00
erik-krogh
ea2b73bda2
add a sanitizer that checks that the string does not start with "--"
2024-05-16 09:25:19 +02:00
erik-krogh
b9a7f6a8f7
add regexp check as a sanitizer for command-injection
2024-05-16 08:55:03 +02:00
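The two sanitizer commits above (ea2b73bda2, the "does not start with --" check, and b9a7f6a8f7, the regexp check) describe checks that the `go/command-injection` query treats as sanitizers. The Go program below is an added example of what such checks look like in application code; it is not code from the CodeQL repository or its QHelp. The `git ls-remote` wrapper, the `refPattern` allowlist and the sample inputs are constructed for illustration. The point it makes: `exec.Command` never goes through a shell, so there is no shell metacharacter problem, but an attacker-controlled argument beginning with `--` is still parsed by the child program as an option (git's `--upload-pack`, for instance, names a program to execute).

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

var errFlagLike = errors.New("rejected: argument would be parsed as an option")

// checkNotFlag is the prefix sanitizer: any value beginning with "--" is
// refused before it can reach the argv of a child process.
func checkNotFlag(arg string) error {
	if strings.HasPrefix(arg, "--") {
		return errFlagLike
	}
	return nil
}

// refPattern is a hypothetical allowlist for a git ref name (assumption, not
// git's real ref grammar): a leading alphanumeric, then alphanumerics, '.',
// '_', '/' or '-'. Because the first character may not be '-', it also
// catches single-dash options such as "-v" that the "--" check lets through.
var refPattern = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._/-]*$`)

// checkAllowlist is the regexp sanitizer: the value must match refPattern.
func checkAllowlist(arg string) error {
	if !refPattern.MatchString(arg) {
		return errors.New("rejected: not a valid ref name")
	}
	return nil
}

// gitArgs builds the argument vector that would be handed to
// exec.Command("git", args...). Both checks run before the user-supplied
// value is placed after the fixed arguments; untrusted input is never
// the first argument, where it could select the subcommand itself.
func gitArgs(userRef string) ([]string, error) {
	if err := checkNotFlag(userRef); err != nil {
		return nil, err
	}
	if err := checkAllowlist(userRef); err != nil {
		return nil, err
	}
	return []string{"ls-remote", "origin", userRef}, nil
}

func main() {
	// Constructed sample inputs: a benign ref, an option-injection attempt,
	// and a single-dash option that only the allowlist rejects.
	for _, in := range []string{"main", "--upload-pack=/tmp/evil", "-v"} {
		args, err := gitArgs(in)
		fmt.Printf("%q -> args=%v err=%v\n", in, args, err)
	}
}
```

The "--" prefix check alone is the weaker of the two: it stops the common long-option form but not single-dash options, and not values a program parses specially (such as `-` for stdin), so in practice it is paired with an allowlist or with the program's own end-of-options marker.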
erik-krogh
761f9cac97
make a new go/command-injection qhelp
2024-05-16 08:54:55 +02:00
Owen Mansel-Chan
21ff705b73
Fix bug with read/store steps and named types
2024-05-16 00:35:45 +01:00
Owen Mansel-Chan
1af3374322
Add tests for data flow through ranged for loops
Including the case where the type of the domain is a named type rather
than an array type or map type or whatever.
2024-05-16 00:32:30 +01:00
Owen Mansel-Chan
827d15aaa0
Test changes due to model renumbering
2024-05-14 14:40:57 +01:00
Owen Mansel-Chan
ab5e1f8a69
Fix models for min and max and improve tests
Although the documentation makes them look variadic (and generic), they
are actually special-cased in the compiler. Like all built-in functions
they don't have a signature type, but the type of `min(a, b, c)` is
`func(int, int, int) int` and not `func(int, ...int) int`.
Go doesn't allow open-ended ranges for argument indices in
models-as-data specifications (though Ruby and Python do), so I've used
`1..1000`.
2024-05-14 14:40:56 +01:00
Owen Mansel-Chan
f7e6bf7ef5
Two tests have different paths but same results
2024-05-10 23:41:00 +01:00
Owen Mansel-Chan
f8e17fe8cc
Accept expected test changes
2024-05-10 23:40:59 +01:00
Owen Mansel-Chan
76946184de
Accept MaD renumbering for edge provenance
2024-05-10 23:40:58 +01:00
Owen Mansel-Chan
d5aa08dbf3
Local flow steps for flow summaries for built-in functions
2024-05-10 23:40:57 +01:00
Owen Mansel-Chan
86e2b845f3
Add tests for copy (taint passes, value fails)
2024-05-10 23:40:56 +01:00
Owen Mansel-Chan
eab1569342
Update ExternalValueFlow to use value flow
2024-05-10 23:40:56 +01:00
Owen Mansel-Chan
c816412795
Create copy of ExternalTaintFlow called ExternalValueFlow
2024-05-10 23:40:55 +01:00
Owen Mansel-Chan
84b7319688
Rename test folder ExternalFlow to ExternalTaintFlow
2024-05-10 23:40:54 +01:00
Owen Mansel-Chan
674e65e134
Fix test expectations
2024-05-09 16:26:30 +01:00
Owen Mansel-Chan
4f10cb5fa0
Local flow tests: do not list summary models
This is so that we don't change the test results every time we add
a summary model for a built-in function.
2024-05-08 16:13:37 +01:00
Owen Mansel-Chan
57ff30c5f3
Update tests: built-in models now work
2024-05-08 16:07:02 +01:00
Owen Mansel-Chan
4140942479
Update tests
2024-04-24 14:19:33 +01:00
Owen Mansel-Chan
8962307291
Add second good go file to tests
2024-04-24 14:19:29 +01:00
Owen Mansel-Chan
f828f8ea65
Merge pull request #16250 from owen-mc/go/rename-untrusted-flow-source
Go: Rename `UntrustedFlowSource` to `RemoteFlowSource` to match other language libraries
2024-04-24 11:37:00 +01:00
Owen Mansel-Chan
79b4890794
Also rename .expected files
2024-04-18 14:17:04 +01:00
Owen Mansel-Chan
317c335269
Rename test query files
2024-04-18 11:49:42 +01:00
Owen Mansel-Chan
db06c08141
Rename UntrustedSource to RemoteSource
Including renaming some files (in the experimental folder).
2024-04-18 11:49:30 +01:00
Owen Mansel-Chan
a6646021d0
Rename Untrusted Flow to Remote Flow
Not matching case but preserving original case.
2024-04-18 11:49:05 +01:00
Owen Mansel-Chan
a4df20da85
Rename UntrustedFlowSource to RemoteFlowSource
Relaxed match case requirement. Again skipped one instance in an old
change note.
2024-04-17 21:40:46 +01:00
Owen Mansel-Chan
81eaa6e327
Rename UntrustedFlowSource to RemoteFlowSource
Relaxed whole word requirement. Again skipped one instance in an old
change note.
2024-04-17 21:35:50 +01:00
Owen Mansel-Chan
5fba9895c6
Rename UntrustedFlowSource to RemoteFlowSource
Only the whole word. Skipped one instance in an old change note.
2024-04-17 21:27:32 +01:00
Owen Mansel-Chan
80c3993ddc
Remove redundant test
It was introduced in https://github.com/github/codeql-go/pull/718 in
response to https://github.com/github/codeql-go/issues/717 , to check
that we don't have type assertions as sinks. We now have other tests
covering type assertions.
2024-04-17 16:32:41 +01:00
Owen Mansel-Chan
3ad2d90014
Make type switches transform flow state
2024-04-17 16:32:36 +01:00
Owen Mansel-Chan
611f98bca4
Make type assertions transform the flow state
2024-04-17 16:32:30 +01:00
Owen Mansel-Chan
f08a598821
Add tests for FPs: type switches, type assertions
2024-04-17 16:32:13 +01:00
Anders Schack-Mulligen
20e91f9cac
Go: Update expected output (uninteresting).
2024-04-12 09:20:23 +02:00
Owen Mansel-Chan
d4bb4d4faa
Merge pull request #16120 from owen-mc/go/fix/type-switch-control-flow
Go: Fix data flow through variable defined in type switch guard
2024-04-11 11:39:40 +01:00
Owen Mansel-Chan
1e8315d797
Merge pull request #16180 from owen-mc/go/tweak-go-tainted-path-additions
Go: Tweak go tainted path additions
2024-04-11 11:17:30 +01:00
Owen Mansel-Chan
c3fefa8f69
Add extra sanitizer Part.FileName()
2024-04-11 07:35:45 +01:00
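Commit c3fefa8f69 adds `Part.FileName()` as a sanitizer for the tainted-path query. Assuming this refers to `(*mime/multipart.Part).FileName`, the reason is that Go passes the `filename` parameter of the Content-Disposition header through `filepath.Base` before returning it, which discards any directory component. The program below is an added example, not code from the CodeQL repository: it constructs a single-part multipart body with an attacker-chosen filename, compares the raw header value with what `FileName()` returns, and shows the two cases `Base` alone does not settle (a name that reduces to `..`, and a backslash path on a non-Windows host). The `boundary` constant, `buildUpload` and `safeUploadPath` are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"mime"
	"mime/multipart"
	"path/filepath"
	"strings"
)

// boundary is the constructed multipart boundary used by buildUpload.
const boundary = "xxBOUNDARYxx"

// buildUpload constructs a one-part multipart/form-data body whose
// Content-Disposition carries the (attacker-controlled) filename.
func buildUpload(filename string) string {
	return "--" + boundary + "\r\n" +
		"Content-Disposition: form-data; name=\"file\"; filename=\"" + filename + "\"\r\n" +
		"Content-Type: application/octet-stream\r\n\r\n" +
		"payload\r\n" +
		"--" + boundary + "--\r\n"
}

// fileNames parses the body and returns the filename exactly as sent (raw,
// the tainted value) next to what Part.FileName() yields (base).
func fileNames(body string) (raw, base string, err error) {
	mr := multipart.NewReader(strings.NewReader(body), boundary)
	p, err := mr.NextPart()
	if err != nil {
		return "", "", err
	}
	defer p.Close()
	_, params, err := mime.ParseMediaType(p.Header.Get("Content-Disposition"))
	if err != nil {
		return "", "", err
	}
	return params["filename"], p.FileName(), nil
}

// safeUploadPath joins the sanitized name under uploadDir. filepath.Base
// strips directories, but it still returns "." or ".." for inputs such as
// "../", and on non-Windows hosts a backslash is an ordinary character, so
// "..\..\evil" survives Base unchanged. Those cases are rejected here.
func safeUploadPath(uploadDir, name string) (string, error) {
	if name == "" || name == "." || name == ".." || strings.ContainsAny(name, `/\`) {
		return "", errors.New("unsafe file name")
	}
	return filepath.Join(uploadDir, name), nil
}

func main() {
	// Constructed sample filenames: a traversal attempt, a name that reduces
	// to "..", and a backslash path.
	for _, fn := range []string{"../../etc/passwd", "../", `..\..\evil`} {
		raw, base, err := fileNames(buildUpload(fn))
		if err != nil {
			fmt.Println("parse error:", err)
			continue
		}
		path, perr := safeUploadPath("/srv/uploads", base)
		fmt.Printf("raw=%q FileName()=%q path=%q err=%v\n", raw, base, path, perr)
	}
}
```

Reading the header yourself (as `fileNames` does with `mime.ParseMediaType`) is exactly the pattern the sanitizer does not cover: the raw parameter keeps its directory components, so only the `FileName()` result should be treated as cleaned, and even that still needs the `.`/`..`/separator check before it is joined onto a directory.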
Owen Mansel-Chan
1c0ef90e96
Merge pull request #15865 from owen-mc/go/extractor/no-intermediate-string-values
Go: extractor: do not store intermediate values in long string concatenations
2024-04-10 15:31:51 +01:00
Owen Mansel-Chan
dc3ea6c418
Merge pull request #11703 from Kwstubbs/go-taintedpath-additions
Go: Add and Modify Sanitizers For TaintedPath
2024-04-10 15:13:13 +01:00
Owen Mansel-Chan
5ec3934ac8
Merge branch 'main' into go/extractor/no-intermediate-string-values
2024-04-10 14:51:22 +01:00
Owen Mansel-Chan
a65b02eb28
Update test expectations
2024-04-09 10:59:06 +01:00
Owen Mansel-Chan
4ffc4f5c62
Add test for dataflow through switches
2024-04-09 10:58:42 +01:00