codeql

mirror of https://github.com/github/codeql.git synced 2025-12-27 22:26:31 +01:00

Author	SHA1	Message	Date
Chris Smowton	5d2f3421d8	Add change notes	2021-03-01 16:59:20 +00:00
Chris Smowton	cdccc1a064	Remove needless typecasts	2021-03-01 16:47:34 +00:00
yoff	92128babef	Apply suggestions from code review Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>	2021-03-01 17:39:17 +01:00
Asger Feldthaus	26924a3378	JS: Regenerate stats for tuple_type_rest_index	2021-03-01 16:30:09 +00:00
Rasmus Lerchedahl Petersen	38748f9e23	Python: restrict attention to `ss.wrap_socket`	2021-03-01 16:35:21 +01:00
Tamás Vajk	2ac94255b7	Merge pull request #5299 from tamasvajk/feature/limit-codescanning-csharp2 C#: Fix codeql analysis workflow	2021-03-01 16:20:03 +01:00
Porcuiney Hairs	14ec148272	refactor to meet experimental guidelines.	2021-03-01 18:46:33 +05:30
Rasmus Wriedt Larsen	0874712c97	C++/Java/Python: Allow Python string prefix in InlineExpectationsTest I've been writing tests for crypto libraries in Python, and have wanted to write code along the lines of ```py md5.hash(b"some message") # $ HashInput=b"some message" ``` which didn't work before this commit, forcing me to store my text in a variable like below. This turned out to be really annoying when dealing with more complex examples, so therefore I'm adding this new functionality to allow this behavior. ```py msg = b"some message" md5.hash(msg) # $ HashInput=msg ```	2021-03-01 13:44:28 +01:00
Chris Smowton	aab9deceef	Remove package from test Java file	2021-03-01 10:32:44 +00:00
Chris Smowton	c32514bf66	Sync dataflow library files	2021-03-01 10:27:28 +00:00
Chris Smowton	e6b1fe9b5f	Fluent interface dataflow: support argument-output flow directly declared by the simpleLocalFlowStep relation This means we will treat fluent interfaces that are modelled the same as those where we determine an argument flows to an output by inspection of the function body.	2021-03-01 10:23:38 +00:00
Chris Smowton	54caf501e7	Switch fluent-methods test to use a plain DataFlow::Configuration No taint edges are involved, so TaintTracking was unnecessary.	2021-03-01 10:16:02 +00:00
Chris Smowton	fadbb32bd6	Add backward dataflow edges through fluent function invocations. This means that much as obj.getA().setB(...) already has a side-effect on `obj`, all three setters in obj.setA(...).setB(...).setC(...) will have a side-effect on `obj`.	2021-03-01 10:11:28 +00:00
Tamas Vajk	1ecbbf6af3	C#: Fix codeql analysis workflow	2021-03-01 09:18:05 +01:00
Anders Schack-Mulligen	37baf77b93	Merge pull request #5273 from intrigus-lgtm/java/unify-main-method-check Java: Remove duplicate code.	2021-03-01 09:05:28 +01:00
Tamás Vajk	3b56e3520c	Merge pull request #5277 from tamasvajk/feature/fix-name-resolution Fix method name resolution issue with nullable suppression	2021-03-01 08:47:21 +01:00
Jonas Jensen	208a374c58	Merge pull request #5256 from MathiasVP/promote-insecure-memset-query C++: Promote insecure removal of memset query	2021-03-01 08:30:16 +01:00
Artem Smotrakov	15a43ffe36	Simplified returnsRemoteInvocationSerializingExporter()	2021-02-27 13:41:20 +01:00
Rasmus Wriedt Larsen	443780f27e	Python/JS: Share modeling of cryptographic algorithms I didn't quite know where to place it for JS, so I tried my best :) The canonical Python version might be changed in the future, but I wanted to keep this change small.	2021-02-27 11:39:35 +01:00
Rasmus Wriedt Larsen	010488c899	Python/JS: Update QLDoc for crypto algorithms before sharing	2021-02-27 11:38:45 +01:00
Rasmus Wriedt Larsen	646ea55944	Python/JS: Update Python copy of crypto algorithm modeling Now to be shared accross both languages, with sync-identical-files	2021-02-27 11:38:45 +01:00
haby0	f795d5e0d3	update JSONP Injection ql	2021-02-27 16:25:17 +08:00
Rasmus Lerchedahl Petersen	8b68912c40	Python: Update help and add example	2021-02-26 20:19:31 +01:00
Rasmus Lerchedahl Petersen	9533c92fcc	Python: Clean up tests and add comment	2021-02-26 19:28:44 +01:00
Mathias Vorreiter Pedersen	d4f7fab7df	Update cpp/change-notes/2021-02-24-memset-may-be-deleted.md Co-authored-by: Shati Patel <42641846+shati-patel@users.noreply.github.com>	2021-02-26 19:17:13 +01:00
Mathias Vorreiter Pedersen	0f7256752a	Update cpp/ql/src/Security/CWE/CWE-014/MemsetMayBeDeleted.qhelp Co-authored-by: Shati Patel <42641846+shati-patel@users.noreply.github.com>	2021-02-26 19:16:28 +01:00
yoff	1670fa0d0e	Update python/change-notes/2021-02-23-port-insecure-default-protocol.md	2021-02-26 18:39:49 +01:00
yoff	9a9bda17ed	Update python/change-notes/2021-02-23-port-insecure-default-protocol.md Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>	2021-02-26 18:38:35 +01:00
Erik Krogh Kristensen	af7a188bbd	add change note	2021-02-26 17:18:30 +01:00
Erik Krogh Kristensen	214aa072b9	support host for http-proxy client requests	2021-02-26 17:18:29 +01:00
Erik Krogh Kristensen	cc48172fd8	add support for events in http-proxy	2021-02-26 17:17:47 +01:00
Erik Krogh Kristensen	ede1a40a02	add ClientRequst models for http-proxy	2021-02-26 17:17:46 +01:00
CodeQL CI	b7c0d18c4a	Merge pull request #5278 from erik-krogh/formData Approved by asgerf	2021-02-26 08:13:41 -08:00
Rasmus Wriedt Larsen	a387496832	Python: Highlight how request.uri works in Tornado	2021-02-26 16:23:21 +01:00
Erik Krogh Kristensen	ae051af9d8	remove redundant code	2021-02-26 14:15:30 +01:00
CodeQL CI	0e70b58a41	Merge pull request #5205 from erik-krogh/ts42 Approved by asgerf	2021-02-26 05:06:40 -08:00
Porcupiney Hairs	42a84a18b0	JAVA : Add query to detect Apache Structs enabled DEvmode This query detects cases where the development mode is enabled for a struts configuration. I can't find a CVE per se but, at present, [Github's fuzzy search](https://github.com/search?q=%3Cconstant+name%3D%22struts.devMode%22+value%3D%22true%22+%2F%3E+language%3Axml&type=Code) returns more than 44000 results. Some of them look like they are classroom projects, so they may be ineligible for a CVE. But we should be flagging them anyways as setting the development on in a production system is a very bad practice and can often lead to remote code execution. So these should be fixed anyways.	2021-02-26 16:30:04 +05:30
Porcupiney Hairs	602f63ad45	[Java] Add QL for detecting Spring View Manipulation Vulnerabilities.	2021-02-26 16:29:18 +05:30
Tom Hvitved	ac67c67ad7	Merge pull request #4998 from hvitved/csharp/shared-base-pre-ssa C#: Use shared SSA implementation for `{Pre,Base}Ssa`	2021-02-26 11:29:07 +01:00
Rasmus Wriedt Larsen	b43533ce8d	Python: Ensure old dataflow queries are not used There seems to have been some cases where the old ones have been picked up instead of the new ones. At least I spotted _one_ case where this happened, in an internal actions run. I'm not sure how to actual debug this, so just removing all the tags that could make these queries to become picked up :\|	2021-02-26 11:22:23 +01:00
yoff	7f7320ae4c	Update python/ql/src/Security/CWE-327/InsecureDefaultProtocol.ql Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>	2021-02-26 10:56:48 +01:00
Erik Krogh Kristensen	c59e6fef80	add model for form-data	2021-02-26 10:54:46 +01:00
Erik Krogh Kristensen	00cfc77fc0	Revert "fix file lookup for exclude patterns" This reverts commit `74630b0fd8`.	2021-02-26 10:28:20 +01:00
Erik Krogh Kristensen	4ec3289ecc	update relation name in .stats file	2021-02-26 10:26:08 +01:00
Erik Krogh Kristensen	bd19d5a93c	remove is_abstract_signature.ql	2021-02-26 10:24:40 +01:00
Erik Krogh Kristensen	1cac692b1d	Update javascript/ql/src/semmle/javascript/TypeScript.qll Co-authored-by: Asger F <asgerf@github.com>	2021-02-26 10:23:01 +01:00
Mathias Vorreiter Pedersen	42d2a673c7	C++: Respond to review comments.	2021-02-26 10:06:05 +01:00
Tamas Vajk	b3d6d0c12b	Fix method name resolution issue with nullable suppression	2021-02-26 09:48:37 +01:00
Mathias Vorreiter Pedersen	4e4ffbd790	Update cpp/change-notes/2021-02-24-memset-may-be-deleted.md Co-authored-by: Jonas Jensen <jbj@github.com>	2021-02-26 09:48:21 +01:00
Rasmus Lerchedahl Petersen	311149ab4f	Python: fix spelling	2021-02-26 09:44:24 +01:00

... 115 116 117 118 119 ...

26405 Commits