hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-22 03:36:30 +01:00
Code Issues Packages Projects Releases Wiki Activity
33,347 Commits 1,672 Branches 157 Tags
hmac-cli-injection-from-library-inputs
Commit Graph

33347 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Mathias Vorreiter Pedersen
117795c409 Merge pull request #7682 from MathiasVP/rewrite-return-stack-allocated-memory-to-use-ir 
C++: Use the IR for `cpp/return-stack-allocated-memory`.
 2022-01-21 14:57:30 +00:00
yoff
a77a6ec864 Merge pull request #7684 from erik-krogh/patches 
small refactorizations across CodeQL
 2022-01-21 15:04:14 +01:00
Tom Hvitved
9d89cace95 Merge pull request #7643 from michaelnebel/csharp/struct-improvements 
C#: Struct (and to a minor extent anonymous types) improvements
 2022-01-21 14:51:26 +01:00
Anders Schack-Mulligen
5f7ee337cd Java: Use more set literal syntax. 2022-01-21 13:58:27 +01:00
Anders Schack-Mulligen
41d294229d Java: Add support for bitwise compound assignments in Guards. 2022-01-21 13:56:07 +01:00
Rasmus Lerchedahl Petersen
9aa4c4a6a7 python: Add missing input 
also update test expectation
 2022-01-21 13:55:33 +01:00
Rasmus Lerchedahl Petersen
41908cbf9f python: add missing qldoc 2022-01-21 13:55:08 +01:00
Tony Torralba
1eaa379bb7 Merge pull request #7681 from atorralba/atorralba/improve-android-implicit-intents-query 
Java: Improvements to the Android query Use of implicit PendingIntents
 2022-01-21 13:46:17 +01:00
Rasmus Lerchedahl Petersen
49d4b1480d python: Do not remove ChainedConfigs12.qll 
since it was clearly already used.
Add deprecation message instead.
 2022-01-21 12:27:29 +01:00
Rasmus Lerchedahl Petersen
35c9307baa python: rewrite NoSQLInjection to use flow state 
This allows a bit more precision. Specifically, we could
 require the sanitizer to only affect `ConvertedToDict`.
 In practice, most sanitizers woudl probably fail on raw
 input also, though.
 2022-01-21 12:12:58 +01:00
Tony Torralba
c7e1df5689 Update java/ql/src/Security/CWE/CWE-927/ImplicitPendingIntents.qhelp 
Co-authored-by: Felicity Chapman <felicitymay@github.com>
 2022-01-21 11:57:11 +01:00
Erik Krogh Kristensen
a235f8f023 remove redundant inline type casts 2022-01-21 11:46:33 +01:00
Erik Krogh Kristensen
b75c316c27 fix non-us spelling 2022-01-21 11:46:33 +01:00
Erik Krogh Kristensen
f500bccbe4 add explicit this to member call 2022-01-21 11:46:33 +01:00
Erik Krogh Kristensen
ddfc3bc00f use set literals instead of big disjunctions 2022-01-21 11:46:33 +01:00
Tom Hvitved
55f427ca0e Ruby: Use multiple threads in QL test CI job 2022-01-21 11:46:08 +01:00
Benjamin Muskalla
830c2dc90a Merge pull request #7603 from bmuskalla/commonsIoModel 
Java: Replace Commons IO model
 2022-01-21 11:42:27 +01:00
yoff
5b9ae9cede Merge pull request #7659 from RasmusWL/move-regex-injection-files 
Python: Move regex injection configuration files
 2022-01-21 11:42:06 +01:00
Tony Torralba
0846d1f7b6 Merge pull request #7691 from atorralba/atorralba/fix-recursion-entrypointfieldstep 
Java: Fix recursion in `entrypointFieldStep`
 2022-01-21 11:37:58 +01:00
Tony Torralba
3f6e035016 Docs improvements 2022-01-21 11:37:02 +01:00
yoff
4fd0ada9a8 Merge pull request #7652 from RasmusWL/cleartext-remove-fps 
Python: Remove usernames as sensitive source for cleartext queries
 2022-01-21 11:30:40 +01:00
Erik Krogh Kristensen
f9d5cbf017 update qhelp 
Co-authored-by: Esben Sparre Andreasen <esbena@github.com>
 2022-01-21 11:26:58 +01:00
Tony Torralba
d22632ef78 Fix recursion in entrypointFieldStep 
When using local taint tracking to define a RemoteFlowSource, a recursion was created because entrypointFieldStep adds new RemoteFlowSources and was a local taint step. This is fixed by converting entrypointFieldStep into a defaultAdditionalTaintStep instead of a localAdditionalTaintStep, i.e. it will only affect global taint tracking from now on.
 2022-01-21 10:48:13 +01:00
Erik Krogh Kristensen
debebb2b8c rewrite the qhelp for js/insecure-dependency 2022-01-21 10:41:08 +01:00
Tom Hvitved
f9b906d1e2 C#: Update uses of RequiredSummaryComponentStack 2022-01-21 09:42:16 +01:00
Tom Hvitved
cba733136c Data flow: Sync 2022-01-21 09:42:16 +01:00
Tom Hvitved
f1a2b21e44 Data flow: Restructure RequiredSummaryComponentStack 2022-01-21 09:42:16 +01:00
Rasmus Lerchedahl Petersen
a5bc5373d0 python: Rewrite path injection to use flow state 
This removes the FP cause by chaining
This PR also removes `ChainedConfigs12.qll`,
as we hope to solve future problems via flow states.
 2022-01-21 09:26:48 +01:00
Tom Hvitved
aa9cfebc65 Ruby: Replace getValueText with getConstantValue 2022-01-21 09:19:19 +01:00
CodeQL CI
b02f1c87a1 Merge pull request #7679 from erik-krogh/ql-doc-style 
Approved by esbena
 2022-01-20 23:43:44 -08:00
CodeQL CI
2287b6e549 Merge pull request #7675 from erik-krogh/move-url-sink-to-customizations 
Approved by esbena
 2022-01-20 23:43:15 -08:00
Aditya Sharad
ccc6291844 Merge rc/3.3 into rc/3.4 
Conflicts in *-support.rst resolved in favour of rc/3.3, which has a new paragraph.
Enterprise version numbers updated to LGTM Enterprise 1.30 and CodeQL 2.7.6.
 2022-01-20 15:49:10 -08:00
Erik Krogh Kristensen
15c1ce722a Merge pull request #7678 from erik-krogh/use-set 
JS: use more set literals
 2022-01-20 21:03:48 +01:00
shati-patel
8fc429caf4 Emphasize use case for installing pack deps 2022-01-20 19:03:30 +00:00
Mathias Vorreiter Pedersen
bd1720f797 C++: Add change note. 2022-01-20 18:27:09 +00:00
Mathias Vorreiter Pedersen
e689f6bad2 C++: Use the IR for 'cpp/return-stack-allocated-memory'. 2022-01-20 18:22:49 +00:00
Tom Hvitved
cbea5eaeaa C#: Simplify argument/parameter positions for captured variables 2022-01-20 17:08:12 +01:00
Tony Torralba
6fe0b78978 Remove PendingIntentAsField step and add SliceProviderLifecycle step 2022-01-20 16:52:07 +01:00
Andrew Eisenberg
534f8999b6 Update docs/codeql/codeql-cli/getting-started-with-the-codeql-cli.rst 
Co-authored-by: Felicity Chapman <felicitymay@github.com>
 2022-01-20 07:09:34 -08:00
Erik Krogh Kristensen
2bffe56580 update expected output 2022-01-20 16:06:57 +01:00
Erik Krogh Kristensen
3155114e36 use more set literals 2022-01-20 16:06:34 +01:00
Anders Schack-Mulligen
fede7dd238 Merge pull request #7676 from aschackmull/java/instanceaccessnode 
Java: Add data flow node encapsulating instance accesses.
 2022-01-20 15:40:21 +01:00
Erik Krogh Kristensen
a77b2b0209 Merge pull request #7668 from erik-krogh/simplify-casts 
simplify expressions that could be type-casts
 2022-01-20 15:20:18 +01:00
Erik Krogh Kristensen
5780161b2c fix most issues found by ql/class-doc-style in JS 2022-01-20 15:10:16 +01:00
Alex Ford
9613ff743b Merge pull request #7611 from github/ruby/protect_from_forgery-without-exception 
Ruby: flag up `protect_from_forgery` calls without an exception strategy
 2022-01-20 13:45:30 +00:00
Tony Torralba
caab1c3332 Merge pull request #6963 from atorralba/atorralba/android-onactivityresult-source 
Android: Add the Intent parameter of the `onActivityResult` method as a source
 2022-01-20 14:27:30 +01:00
Tony Torralba
29e87b3abd Merge pull request #6975 from atorralba/atorralba/android-intent-uri-permission-manipulation 
Java: CWE-266 - Query to detect Intent URI Permission Manipulation in Android applications
 2022-01-20 14:27:02 +01:00
Geoffrey White
b230681bc8 Merge pull request #7650 from geoffw0/clrtxt3 
C++: Improve cpp/cleartext-transmission
 2022-01-20 13:21:54 +00:00
Rasmus Wriedt Larsen
f53dce3a83 Python: Apply suggestions from code review 
Co-authored-by: Taus <tausbn@github.com>
 2022-01-20 14:20:15 +01:00
Anders Schack-Mulligen
43da5aabbe Java: Add dataflow node encapsulating instance accesses. 2022-01-20 14:12:33 +01:00