hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-21 11:16:30 +01:00
Code Issues Packages Projects Releases Wiki Activity
33,347 Commits 1,672 Branches 157 Tags
hmac-cli-injection-from-library-inputs
Commit Graph

33347 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Chris Smowton
27b9e1c01b Docs: Note codeql-go needs an install step before use 2022-02-07 16:11:42 +00:00
Erik Krogh Kristensen
b59c7911a3 update locations of expected output 2022-02-07 15:23:26 +01:00
Erik Krogh Kristensen
ca5f91e587 recognize more startswith sanitizers for path-injection queries 2022-02-07 14:19:13 +01:00
Michael Nebel
f21e084628 C#: Fix issue in naming of class in test file. 2022-02-07 14:15:59 +01:00
Michael Nebel
f5fc15e74d C#: Add some testcases to cover mixed assignment and declarations in tuples. 2022-02-07 14:11:31 +01:00
Michael Nebel
0cf4b3fbcc C#: Added dataflow testcases for tuple mixed initialization and assignment. 2022-02-07 14:11:31 +01:00
Michael Nebel
bcf732a7cb C#: Re-factor tuple tests to use the default value flow configuration. 2022-02-07 14:11:31 +01:00
Michael Nebel
f478bf5b9b Merge pull request #7809 from michaelnebel/csharp/test-pattern-match-flow 
C#: Add flow test cases for undetected value flow, when making variable bindings in pattern matching.
 2022-02-07 14:05:50 +01:00
Nick Rolfe
881776a2ac Ruby: delete commented-out code 2022-02-07 12:50:06 +00:00
Nick Rolfe
e049f08c24 Ruby: update dbscheme stats 2022-02-07 12:42:34 +00:00
Erik Krogh Kristensen
6f28cb9201 lower the precision of js/unsafe-code-construction 2022-02-07 13:35:29 +01:00
Erik Krogh Kristensen
06f9924194 add change note 2022-02-07 13:34:18 +01:00
Erik Krogh Kristensen
896d2bad0e update expected output now that JSON.stringify() is seen as a sanitizer 2022-02-07 13:34:18 +01:00
Erik Krogh Kristensen
d1d4ebb3b5 add values written to the global scope as exports 2022-02-07 13:34:18 +01:00
Erik Krogh Kristensen
91b03f56ad move .qll files from src to lib 2022-02-07 13:34:18 +01:00
Erik Krogh Kristensen
eb133f59f6 update qhelp to focus on properly documenting potentially unsafe library functions 2022-02-07 13:34:18 +01:00
Erik Krogh Kristensen
a9f7756788 reuse utility predicate 2022-02-07 13:34:18 +01:00
Erik Krogh Kristensen
681179dcbb add comment about parameters named "code" 2022-02-07 13:34:18 +01:00
Erik Krogh Kristensen
53315e6ab6 ignore sources named "code" 2022-02-07 13:34:18 +01:00
Erik Krogh Kristensen
59cc099008 add missing qldoc 2022-02-07 13:34:18 +01:00
Erik Krogh Kristensen
d77c28f6a7 add qhelp for unsafe-code-construction 2022-02-07 13:34:18 +01:00
Erik Krogh Kristensen
d790f3ccbb add test for unsafe-code-construction query 2022-02-07 13:34:18 +01:00
Erik Krogh Kristensen
198a464346 add js/unsafe-code-construction query 2022-02-07 13:34:18 +01:00
Erik Krogh Kristensen
955ad8c458 add JSON.stringify as a code-injection sanitizer 2022-02-07 13:34:18 +01:00
Erik Krogh Kristensen
68a5c1f5b5 add code-injection sink for calls to node 2022-02-07 13:34:18 +01:00
Rasmus Wriedt Larsen
62702d0ca9 Python: Fix setStoreStep to use SetElementContent 2022-02-07 13:18:36 +01:00
Nick Rolfe
b3b2bba618 Ruby: make some generated predicates final 2022-02-07 12:17:50 +00:00
Rasmus Wriedt Larsen
b276b2d48c Python: Clean up taint steps for attributes 2022-02-07 13:12:31 +01:00
Rasmus Wriedt Larsen
59160eeb24 Python: Add test showing taint for attr store 
In `x.arg = TAINTED_STRING` there is a store step to the attribute `arg`
of `x`. In our taint modeling, we allow _any_ store step with the code
below. This means that we also say there is a taint-step directly from
`TAINTED_STRING` to `x` :|

```codeql
  // construction by literal
  // TODO: Not limiting the content argument here feels like a BIG hack, but we currently get nothing for free :|
  DataFlowPrivate::storeStep(nodeFrom, _, nodeTo)
```
 2022-02-07 13:12:28 +01:00
Nick Rolfe
b43cc23277 Ruby: add db downgrade script 2022-02-07 12:10:36 +00:00
Nick Rolfe
e8855c3718 Ruby: add db upgrade script 2022-02-07 12:10:36 +00:00
Nick Rolfe
388d361ec3 Ruby: put AST node locations in a single table 2022-02-07 12:10:36 +00:00
Michael Nebel
99f89f1fe2 C#: Update db stats file. 2022-02-07 12:57:10 +01:00
Mathias Vorreiter Pedersen
55e69d421c Merge pull request #7849 from Yonah125/main 
C/C++: Useless Test : verification of "Fully converted" Type
 2022-02-07 11:46:51 +00:00
Benjamin Muskalla
2f94356899 Run daily 2022-02-07 12:12:29 +01:00
Benjamin Muskalla
bd417769ce Add workflow to upload metrics 2022-02-07 12:08:18 +01:00
Benjamin Muskalla
a1432c47dc Exclude framework coverage query from suites 
We don't want to run this query on any database but rather
in a specific setup. Exclude from suites by default.
 2022-02-07 12:08:18 +01:00
Benjamin Muskalla
9af50f5216 Turn framework coverage into metric query 2022-02-07 12:08:18 +01:00
Jeroen Ketema
1f2865c7cc Merge pull request #7798 from jketema/missing-open-arg 
C++: Add query for missing mode argument in `open`/`openat` calls
 2022-02-07 12:01:44 +01:00
BACK Yonah
61dc9ef12e C/C++: AutoFormat fix 2022-02-07 11:41:17 +01:00
Rasmus Wriedt Larsen
32cd7d6fa7 Add groups to all consistency-queries/qlpack.yml 
as discussed in PR review
 2022-02-07 11:15:48 +01:00
Tom Hvitved
dc09e87cb2 Ruby: Use SimpleSummarizedCallable in a few more places 2022-02-07 11:05:32 +01:00
Erik Krogh Kristensen
0584a6acaf recognize a nodejs re-exports in a loop 2022-02-07 10:12:38 +01:00
Michael Nebel
b2e18ebae1 C#: Lambda improvements change note. 2022-02-07 09:22:46 +01:00
Michael Nebel
782d6da754 C#: Support for lambda expression explicit return types and lambda attributes. 2022-02-07 09:19:47 +01:00
github-actions[bot]
b4ab86c020 Post-release preparation for codeql-cli-2.8.0 2022-02-06 23:34:07 +00:00
Arthur Baars
ac03fab986 Merge pull request #7753 from aibaars/ruby-3.1 
Ruby 3.1 features
 2022-02-06 21:06:16 +01:00
Artem Smotrakov
f53b2fcc62 Updated IgnoredHostnameVerification.ql to cover more uses of HostnameVerifier.verify() 2022-02-06 11:23:20 +00:00
Jonathan Leitschuh
1f47ea5164 Update to new change note format 2022-02-04 17:16:12 -05:00
Jonathan Leitschuh
0268dd9f0a Add file creation sanitizer 2022-02-04 17:10:27 -05:00