Michael Nebel
c0b61d7f73
Merge pull request #7370 from michaelnebel/csharp-mad-textreader
C#: Flow summaries for virtual members in abstract classes should also apply to overrides.
2021-12-13 15:00:54 +01:00
Rasmus Wriedt Larsen
35cba17642
Python: Consider taint of client http requests
2021-12-13 14:56:16 +01:00
Rasmus Wriedt Larsen
b68d280129
Python: Add modeling of requests
2021-12-13 14:56:16 +01:00
Alex Ford
124aac23c6
Merge pull request #7371 from github/ruby/comment-new-syntax
Ruby: use Ruby object instantiation syntax in a comment
2021-12-13 13:23:03 +00:00
Rasmus Wriedt Larsen
1ff56d5143
Python: Add tests of requests
Also adjusts test slightly. Writing
`clientRequestDisablesCertValidation=False` to mean that certificate
validation was disabled by the `False` expression is just confusing, as
it easily reads as _certificate validation was NOT disabled_ :|
The new one ties to each request that is being made, which seems like
the right setup.
2021-12-13 14:07:32 +01:00
Alex Ford
4ae92667e1
Ruby: use Ruby object instantiation syntax in a comment
2021-12-13 12:54:45 +00:00
Michael Nebel
ba23393c0d
C#: Update test as we now also implicitly get flow summary for StreamReader.
2021-12-13 13:51:53 +01:00
Michael Nebel
a6eba04793
C#: Convert System.IO.TextReader flow to CSV format.
2021-12-13 13:51:18 +01:00
Esben Sparre Andreasen
c66d29998e
update test output for additional DatabaseAccesses
2021-12-13 13:42:28 +01:00
Michael Nebel
88bb8a2704
C#: Update flow summaries test cases.
2021-12-13 13:14:49 +01:00
Michael Nebel
d699ca9aa8
C#: Flow summaries should also apply for overrides or virtual members in abstract classes.
2021-12-13 13:09:40 +01:00
Paolo Tranquilli
5ed7056707
C++: remove deprecation from getMaxData
2021-12-13 11:28:02 +00:00
Paolo Tranquilli
3734e1ca4f
C++: auto format
2021-12-13 11:28:02 +00:00
Paolo Tranquilli
06acaef43e
C++: fix deprecation comments in BufferWrite
2021-12-13 11:28:02 +00:00
Paolo Tranquilli
a089898220
C++: remove reason from OverrunWrite output
2021-12-13 11:28:02 +00:00
Paolo Tranquilli
85de6dd667
C++: make BufferWrite changes backward compatible
2021-12-13 11:28:02 +00:00
Paolo Tranquilli
88d65b8fcb
C++: postpone change-notes addition
We can add it later when more consistent changes to the queries are made
2021-12-13 11:28:02 +00:00
Paolo Tranquilli
2020786fb0
C++: fix format
2021-12-13 11:28:02 +00:00
Paolo Tranquilli
b0242dc55b
C++: more idiomatic BufferWriteEstimationReason
2021-12-13 11:28:02 +00:00
Paolo Tranquilli
160635ba3c
C++: add missing docs for a toString predicate
2021-12-13 11:28:02 +00:00
Paolo Tranquilli
a6cbe6f94c
C++: add missing change note and docs
2021-12-13 11:28:02 +00:00
Paolo Tranquilli
fb03561a31
C++: add docstrings to Printf and BufferWrite
2021-12-13 11:28:02 +00:00
Paolo Tranquilli
aa68c51797
C++: preserve Printf and BufferWrite API
2021-12-13 11:28:02 +00:00
Paolo Tranquilli
598f283715
C++: add reason to buffer write estimations
2021-12-13 11:28:02 +00:00
Tamas Vajk
26194be8b6
Add workaround for equal lambda parameter symbols with different hashcodes
2021-12-13 11:59:24 +01:00
Michael Nebel
7ff2ee695d
Merge pull request #7348 from michaelnebel/csharp-mad-as-csv-json
C#: Convert flow summaries for JSon.NET
2021-12-13 11:57:55 +01:00
Rasmus Wriedt Larsen
7bf285a52e
Python: Alter disablesCertificateValidation to fit our needs
For the snippet below, our current query is able to show _why_ we
consider `var` to be a falsey value that would disable SSL/TLS
verification. I'm not sure we're going to need the part that Ruby did,
for being able to specify _where_ the verification was removed, but
we'll see.
```
requests.get(url, verify=var)
```
2021-12-13 11:37:12 +01:00
JrXnm
efc9e67ec2
Update javascript/ql/lib/semmle/javascript/dataflow/internal/InterProceduralTypeInference.qll
Fix multiple declare may mismatch issue
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
2021-12-13 18:36:06 +08:00
JrXnm
fad95d8935
Update javascript/ql/lib/semmle/javascript/dataflow/internal/InterProceduralTypeInference.qll
Commit coding style suggestion
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
2021-12-13 18:32:11 +08:00
Rasmus Wriedt Larsen
08f6d1ab80
Python: Clearer sourceType for client response body
2021-12-13 11:24:38 +01:00
Rasmus Wriedt Larsen
5de79b4ffe
Python: Add HTTP::Client::Request concept
Taken from Ruby, except that `getURL` member predicate was changed to
`getUrl` to keep consistency with the rest of our concepts, and stick
to our naming convention.
2021-12-13 11:09:09 +01:00
Michael Nebel
f32d464c0f
C#: Ensure bi-directional import for External flow.
2021-12-13 10:50:49 +01:00
Michael Nebel
327cf444f4
C#: Convert Newtonsoft.JSon.Linq.JObject and Newtonsoft.JSon.Linq.JToken flow to CSV format.
2021-12-13 10:50:49 +01:00
Michael Nebel
f3c0eadbce
C#: Fix the existing callableFlow for JObject to target the inherited ToString methods from JToken.
2021-12-13 10:50:49 +01:00
Michael Nebel
58f36e4b31
C#: Convert NewtonSoft.Json.JSonSerializer flow to CSV format.
2021-12-13 10:50:49 +01:00
Michael Nebel
90e49508a3
C#: Convert Newtonsoft.Json.JsonConvert flow to CSV format.
2021-12-13 10:50:48 +01:00
Michael Nebel
a4bea05fa7
Merge pull request #7342 from michaelnebel/csharp-mad-as-csv3
C#: More Flow summaries in CSV format.
2021-12-13 10:32:28 +01:00
Rasmus Wriedt Larsen
1e45fa9ed4
JS/Py/Ruby: Add more CWEs to bad-tag-filter queries
CWE-185: Incorrect Regular Expression
The software specifies a regular expression in a way that causes data to
be improperly matched or compared.
https://cwe.mitre.org/data/definitions/185.html
CWE-186: Overly Restrictive Regular Expression
> A regular expression is overly restrictive, which prevents dangerous values from being detected.
>
> (...) [this CWE] is about a regular expression that does not match all
> values that are intended. (...)
https://cwe.mitre.org/data/definitions/186.html
From my understanding,
CWE-625: Permissive Regular Expression, is not applicable. (since this
is about accepting a regex match where there should not be a match).
2021-12-13 10:23:24 +01:00
Tom Hvitved
6f65f22db6
Update creating-codeql-databases.rst
Always use `/p:UseSharedCompilation=false` for `msbuild` / `dotnet build`.
2021-12-13 10:15:42 +01:00
Michael Nebel
be1e75471e
C#: Ensure bi-directional import for external flow.
2021-12-13 09:23:11 +01:00
Michael Nebel
1cab177f8a
C#: Convert System.Web.HttpUtility flow to CSV format.
2021-12-13 09:19:41 +01:00
Michael Nebel
0e0c3e3937
C#: Convert System.Web.HttpServerUtility flow to CSV format.
2021-12-13 09:19:41 +01:00
Michael Nebel
6301e726ee
C#: Update HttpServerUtility stub with HtmlEncode method and update flow summaries test.
2021-12-13 09:19:41 +01:00
Michael Nebel
1cd37dddf5
C#: Convert System.Net.WebUtility flow to CSV format.
2021-12-13 09:19:41 +01:00
Michael Nebel
07a4f5f748
C#: Update FlowSummaries test as the bogus flow summaries for the KeyValuePair default constructor have been removed.
2021-12-13 09:19:41 +01:00
Michael Nebel
679aad138e
C#: Convert System.Collections.Generic.KeyValuePair flow to CSV format.
2021-12-13 09:19:36 +01:00
Michael Nebel
42bf866fb3
C#: Convert System.Web.UI.WebControls.Textbox flow to CSV format.
2021-12-13 09:18:34 +01:00
Michael Nebel
9604ed883c
C#: Convert System.NET.IPHostEntry flow to CSV format.
2021-12-13 09:17:27 +01:00
Michael Nebel
d804893a49
C#: Convert System.Net.Cookie flow to CSV format.
2021-12-13 09:16:05 +01:00
Michael Nebel
03fb244545
C#: Convert System.Web.HttpCookie flow to CSV format.
2021-12-13 09:13:14 +01:00