hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-20 10:46:30 +01:00
Code Issues Packages Projects Releases Wiki Activity
33,347 Commits 1,672 Branches 157 Tags
hmac-cli-injection-from-library-inputs
Commit Graph

3192 Commits

Author SHA1 Message Date
Robert Marsh
a37f746dff C++: fix FP and add paths in InsufficientKeySize 2022-02-22 15:38:50 -05:00
Mathias Vorreiter Pedersen
ea35f56212 C++: Add a query for detecting uses of expired stack pointers that escaped through global variables. 2022-02-22 19:12:08 +00:00
Geoffrey White
4908eaf5ec C++: Typos. 2022-02-22 14:33:11 +00:00
Robert Marsh
103796dfa8 C++: respond to PR comments on InsufficientKeySize 2022-02-16 14:58:29 -05:00
Geoffrey White
703f18b82f C++: Better deduplication. 2022-02-15 17:52:27 +00:00
Geoffrey White
c4d9c1d9e7 C++: Reduce result duplication. 2022-02-11 16:03:38 +00:00
Geoffrey White
00ba76b7e4 C++: Convert to IR taint tracking. 2022-02-11 13:00:42 +00:00
Robert Marsh
dbe4770c7d C++: add initial insufficient key size query 2022-02-10 14:53:40 -05:00
Geoffrey White
b0c2a144cc C++: Remove no longer relevant tests. 2022-02-10 11:11:31 +00:00
Geoffrey White
20ad92a82e C++: Filter noisiest sources. 2022-02-10 11:11:30 +00:00
Geoffrey White
7b5b2fdcd1 C++: Modernize cpp/system-data-exposure as a path-problem using IR taint, RemoteFlowSinkFunction. 2022-02-10 11:11:26 +00:00
Geoffrey White
5490809bcf C++: Expand tests. 2022-02-10 10:43:21 +00:00
Jeroen Ketema
46821fe136 Update C++ variable hiding test 
Structured bindings are now handled better, so the false negative
related to structured bindings is now a true positive.
 2022-02-10 10:58:32 +01:00
Jeroen Ketema
1f2865c7cc Merge pull request #7798 from jketema/missing-open-arg 
C++: Add query for missing mode argument in `open`/`openat` calls
 2022-02-07 12:01:44 +01:00
Mathias Vorreiter Pedersen
2e2913b921 Merge pull request #7839 from rdmarsh2/rdmarsh2/ir-initializer-inheritance-fix 
C++: fix IR generation for constructor base inits when no constructor is present.
 2022-02-04 10:32:57 +00:00
Harry Maclean
ab7fd89653 Merge pull request #7663 from github/hmac/api-graph-subclass 
Ruby: Add basic subclassing support to API Graphs
 2022-02-04 10:19:07 +13:00
Robert Marsh
55cbff7614 C++: fix for constructor init without constructor 2022-02-03 13:44:02 -05:00
Robert Marsh
836c47abb3 C++: test for constructor init without constructor 2022-02-03 13:34:05 -05:00
Geoffrey White
8031c3f699 Merge branch 'main' into clrtxt9 2022-02-03 17:01:59 +00:00
Geoffrey White
02b1774d7f C++: Switch from GVN to localFlow. 2022-02-03 16:00:26 +00:00
Geoffrey White
3cfd1b5052 C++: More test cases. 2022-02-03 15:11:59 +00:00
Geoffrey White
4048ba0a1c C++: Fix false positives around terminal output. 2022-02-02 17:59:28 +00:00
Geoffrey White
39a2ffd438 C++: Fix false positives around 'stdin'. 2022-02-02 17:39:14 +00:00
Arthur Baars
6acf49d4da Merge pull request #7814 from aibaars/fix-ql-alerts 
Ruby: fix all QL-QL alerts
 2022-02-02 18:25:38 +01:00
Jeroen Ketema
f32500306a Address review comments 2022-02-02 17:24:55 +01:00
Geoffrey White
cc20969bdd C++: Add test cases based on some remaining real world FPs. 2022-02-02 16:15:59 +00:00
Jeroen Ketema
92d9e51d2a Extract the value of O_CREAT and O_TMPFILE from the defining macro 
There are operating systems that define `O_CREAT` with a different
value than Linux, which uses `0x40`. For example, OpenBSD uses `0x0200`.
Hence, we cannot use a hardcoded value.

Also handle `O_TMPFILE` while here.
 2022-02-02 15:16:26 +01:00
Mathias Vorreiter Pedersen
1aa32b09be Merge pull request #7802 from geoffw0/clrtxt8 
C++: Recognize password struct fields.
 2022-02-02 14:10:40 +00:00
Arthur Baars
33b97f3e0c Update synchronized files 2022-02-02 13:30:45 +01:00
Jeroen Ketema
bd859d99bf Address review comments 2022-02-02 10:09:47 +01:00
Jeroen Ketema
ff1c971100 Add query for missing mode argument in open/openat calls 2022-02-01 14:52:22 +01:00
Geoffrey White
8a1b49f816 C++: Recognize password struct fields. 2022-01-28 19:10:46 +00:00
Geoffrey White
af09dd8af1 C++: Fixes to gets models. 2022-01-28 16:04:23 +00:00
Geoffrey White
036e1495b8 Merge branch 'main' into getslocal 2022-01-28 15:58:13 +00:00
Mathias Vorreiter Pedersen
b3f4357dc8 Merge pull request #7742 from geoffw0/clrtxt6 
C++: Upgrade cpp/cleartext-storage-buffer
 2022-01-27 14:40:40 +00:00
Geoffrey White
2e1b09fd75 C++: Modernize flow sources. 2022-01-27 13:19:09 +00:00
Dave Bartolomeo
d069d91bf5 Merge pull request #6601 from dbartol/dbartol/side-effect-reorder/work 
Fix order of IR call side effects
 2022-01-26 17:02:02 -05:00
Jeroen Ketema
9194af9b15 Do not report "Declaration hides variable" for unnamed variables 2022-01-26 15:10:37 +01:00
Jeroen Ketema
10a94cfa45 Add test for structured binding declaration hiding variable 2022-01-26 15:08:50 +01:00
Jeroen Ketema
b380ba0d8f Add semmle-extractor-options: -std=c++17 to test 2022-01-26 15:05:21 +01:00
Dave Bartolomeo
4c42013836 Update test expectations 2022-01-25 15:22:13 -05:00
Geoffrey White
340b40e8f3 C++: Modernize cpp/cleartext-storage-buffer. 2022-01-25 13:54:42 +00:00
Harry Maclean
517f2d0823 Add optional results to InlineExpectationsTest 
The idea behind optional results is that there may be instances where
each line of source code has many results and you don't want to annotate
all of them, but you still want to ensure that any annotations you do
have are correct.

This change makes that possible by exposing a new predicate
`hasOptionalResult`, which has the same signature as `hasResult`.

Results produced by `hasOptionalResult` will be matched against any
annotations, but the lack of a matching annotation will not cause a
failure.

We will use this in the inline tests for the API edge getASubclass,
because for each API path that uses getASubclass there is always a
shorter path that does not use it, and thus we can't use the normal
shortest-path matching approach that works for other API Graph tests.
 2022-01-25 16:41:49 +13:00
Dave Bartolomeo
9183a4d7e7 Merge remote-tracking branch 'upstream/main' into dbartol/side-effect-reorder/work 2022-01-24 15:56:38 -05:00
Geoffrey White
764f27f08e C++: Upgrade to path-problem. 2022-01-24 18:32:05 +00:00
Geoffrey White
bbaac556e2 C++: Reveal the FP to be an issue with dataflow / model of strcpy. 2022-01-24 17:53:37 +00:00
Geoffrey White
11929378c7 C++: Upgrade cpp/cleartext-storage-file to full taint flow. 2022-01-24 17:48:45 +00:00
Geoffrey White
4c99d39acf Merge pull request #7701 from MathiasVP/remove-intentional-get-stack-pointer 
C++: Remove FPs from `cpp/return-stack-allocated-memory`
 2022-01-24 11:39:10 +00:00
Geoffrey White
683f909f7a Merge pull request #7704 from geoffw0/clrtxt4 
C++: Another improvement to cpp/cleartext-transmission
 2022-01-24 10:11:11 +00:00
Geoffrey White
4326e6f706 C++: Split 'gets' model and make it a local source. 2022-01-21 17:29:49 +00:00