hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-23 20:26:32 +01:00
Code Issues Packages Projects Releases Wiki Activity
26,405 Commits 1,672 Branches 157 Tags
remove-javascript
Commit Graph

26405 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Tony Torralba
db732918af Add taint step for setExpression 2021-05-13 15:01:36 +02:00
Geoffrey White
e4d2c7cfc4 C++: Rewrite so that we look for additional evidence. 2021-05-13 13:19:39 +01:00
Geoffrey White
123889a671 C++: Fix 'triple DES' false positives. 2021-05-13 10:21:06 +01:00
haby0
02e415045f Delete RedirectBuilderFlowConfig 2021-05-13 15:48:15 +08:00
Geoffrey White
40cf29b625 C++: Rearrange the library. 2021-05-13 08:39:37 +01:00
haby0
effa2b162a Add spring url redirection detect 2021-05-13 09:55:37 +08:00
Taus
79cfe5aca2 Python: Limit py/use-of-input to Python 2 2021-05-12 21:23:16 +00:00
Taus
fad55b3635 Python: Reimplement py/use-of-input 2021-05-12 21:09:51 +00:00
Evgenii Protsenko
470e3eb089 [python] ClickHouseDriver.qll: add support for subclasses 2021-05-13 00:03:53 +03:00
Erik Krogh Kristensen
34fbafafde remove redundant "put" case 2021-05-12 22:34:44 +02:00
Evgenii Protsenko
2efa0ad105 [C++] Implement module ClickHouseDriver.qll 2021-05-12 22:36:24 +03:00
Taus
fe12e620dd Python: Avoid clobbering range in test 
This was an unwanted interaction between two unrelated tests, so I
switched to a different built-in in the second test. I also added a test
case that shows an unfortunate side effect of this more restricted
handling of built-ins.
 2021-05-12 18:42:10 +00:00
Geoffrey White
0450caa73d C++: Exclude array initializers. 2021-05-12 19:39:30 +01:00
Geoffrey White
52a88af6c1 C++: Exclude macro invocations in switch case expressions. 2021-05-12 19:33:18 +01:00
Geoffrey White
9404d0676d C++: Exclude macros that don't generate anything. 2021-05-12 19:28:08 +01:00
Geoffrey White
b6d5f7c315 C++: Fix FPs caused by substring regexp. 2021-05-12 19:23:49 +01:00
Geoffrey White
109fa4d38e C++: Add test cases for BrokenCryptoAlgorithm.ql. 2021-05-12 19:16:00 +01:00
Taus
ff2b6b9737 Python: Correctly locate stores to built-ins 2021-05-12 18:07:18 +00:00
Mathias Vorreiter Pedersen
7d26aca793 C++: Add change-note. 2021-05-12 16:34:23 +02:00
Erik Krogh Kristensen
e0f78dde56 make the axios error catch match the non-error case 2021-05-12 16:23:37 +02:00
Mathias Vorreiter Pedersen
e94dab70b5 C++: Add sanitizers to cpp/uncontrolled-arithmetic. 2021-05-12 15:44:09 +02:00
Jonathan Leitschuh
48b50f93c2 Update java/ql/src/semmle/code/java/frameworks/jackson/JacksonSerializability.qll 
Co-authored-by: Tony Torralba <atorralba@users.noreply.github.com>
 2021-05-12 08:58:01 -04:00
Taus
3d30efed11 Python: Add exec as a shared built-in 
This is _slightly_ wrong, since `exec` isn't a built-in function in
Python 2. It should be harmless, however, since `exec` is a keyword,
and so cannot be redefined anyway.
 2021-05-12 11:07:16 +00:00
Anders Schack-Mulligen
7974e3ad38 Merge pull request #5883 from zbazztian/consider-boxed-booleans-to-avoid-xxe-fps 
Consider boxed booleans to avoid false positives for XXE.ql
 2021-05-12 12:51:22 +02:00
Tony Torralba
09b40601a7 Consider ExpressionAccessor 2021-05-12 12:32:38 +02:00
Sebastian Bauersfeld
b05512a958 Add change notes. 2021-05-12 16:58:24 +07:00
Taus
5c7e73d485 Python: Add exception types 2021-05-12 09:53:09 +00:00
Sebastian Bauersfeld
bf4d88175c Consider boxed booleans to avoid false positives for XXE.ql 2021-05-12 16:40:00 +07:00
Geoffrey White
8f152b7380 Merge pull request #5877 from MathiasVP/detect-more-abs-in-overflow-library 
C++: Detect more uses of `abs`
 2021-05-12 10:02:12 +01:00
Tom Hvitved
fc121e1cbd Merge pull request #5865 from tamasvajk/feature/remove-base-class-dependency-id 
C#: Remove base class from type IDs in trap files
 2021-05-12 10:30:31 +02:00
Taus
07a70af344 Python: Limit set of globals that may be built-ins 
I am very tempted to leave out the constants, or at the very least
`False`, `True`, and `None`, as these have _many_ occurrences in the
average codebase, and are not terribly useful at the API-graph level.

If we really do want to capture "nodes that refer to such and such
constant", then I think a better solution would be to create classes
extending `DataFlow::Node` to facilitate this.
 2021-05-12 08:19:35 +00:00
Tom Hvitved
961467e06e C#: Always pass /p:UseSharedCompilation=false to dotnet build in auto builder 2021-05-12 10:15:04 +02:00
Anders Schack-Mulligen
a247ae4357 Merge pull request #5843 from JLLeitschuh/feat/JLL/improve_kryo_support 
[Java] Fix Kryo FP & Kryo 5 Support
 2021-05-12 09:52:24 +02:00
Anders Schack-Mulligen
74ae2e0857 Merge pull request #5773 from hvitved/dataflow/aggressive-caching 
Data flow: Cache most language-dependent predicates
 2021-05-12 09:41:55 +02:00
haby0
12f47bcf24 Add UnsafeDeserialization 2021-05-12 12:37:16 +08:00
thank_you
3e25b14a68 Update NoSQLInjection.expected 2021-05-11 20:07:09 -04:00
Tamas Vajk
8e371fd05a Adjust expected IR test file 2021-05-11 21:54:05 +02:00
Mathias Vorreiter Pedersen
948f1d8e34 C++: Add testcase with INTMAX_MIN. 2021-05-11 19:43:21 +02:00
Marcono1234
8969da7775 Java: Improve not closing resource query; add tests 2021-05-11 19:32:02 +02:00
luchua-bc
e7cd6c9972 Optimize the query 2021-05-11 16:56:12 +00:00
Jonathan Leitschuh
5a68ac88ef Cleanup Jackson logic after code review 2021-05-11 10:48:22 -04:00
Jonathan Leitschuh
bacc3ef5b3 [Java] Jackson add support for 2 step deserialization taint flow 2021-05-11 10:36:47 -04:00
Jonathan Leitschuh
e97bad3b33 Support field access data flow for JacksonDeserializedTaintStep 2021-05-11 10:36:47 -04:00
Jonathan Leitschuh
83d527ed19 Apply suggestions from code review 
Co-authored-by: Marcono1234 <Marcono1234@users.noreply.github.com>
 2021-05-11 10:36:47 -04:00
Jonathan Leitschuh
b871f48c50 [Java] Add release note to Jackson change 2021-05-11 10:36:47 -04:00
Jonathan Leitschuh
d0b0b767a2 Apply suggestions from code review 
Co-authored-by: Marcono1234 <Marcono1234@users.noreply.github.com>
 2021-05-11 10:36:47 -04:00
Jonathan Leitschuh
d0638db6e7 [Java] Add data flow through Iterator deserializers for Jackson 2021-05-11 10:36:47 -04:00
Jonathan Leitschuh
56b1f15dda [Java] Add taint tracking through Jackson deserialization 2021-05-11 10:36:47 -04:00
Geoffrey White
d7e560c611 Merge pull request #5767 from ihsinme/ihsinme-patch-268 
CPP: Add query for CWE-1126: Declaration of Variable with Unnecessarily Wide Scope
 2021-05-11 15:24:25 +01:00
Tony Torralba
8754c85a57 Use InlineExpectationsTest 2021-05-11 16:23:12 +02:00